Implement automatic client registration #1069
Open
+1,656
−189
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
by moving AuthZRequestFilter from MITREid to IAM
in particular, support for automatic client registration and no support for authentication requests with request_uri
and add url validation
with IamClientRepository and other fixes
and remove unused method parameter
and add tests
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
iam-login-service/src/main/java/it/infn/mw/iam/core/oidc/IamAuthorizationRequestFilter.java
Fixed
Show fixed
Hide fixed
Contributor
|
Remember also to run the disableExpiredClients task only when |
Contributor
Author
Done :) |
to the maximum allowed by TEXT
and send client id and secret url-encoded in basic auth header
also during client update
after trust chain re-validation. Previously, if the client was expired, it was re-created by violating the unique constraint on client_id, which corresponds to the entity_id (URL) of the RP.
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR implements one of the client/Relying Party registration mechanisms defined by OpenID Federation.
Automatic Registration allows an RP to send Authentication Requests without a prior registration step with the OP. When the RP reaches the OP’s Authorization Endpoint, the OP automatically registers the RP if it can build and validate a trust chain for the RP - either by resolving the RP’s Entity Configuration from its
entity_idor by using a providedtrust_chain- and a common Trust Anchor exists.At the Authorization Endpoint, in fact, the RP can use a Request Object by sending the
requestparameter, a signed JWT containing some required claims (aud,client_id,iss,jti) and optionallyiatandtrust_chain.Note that the OP assigns the
client_idto the RP, which must correspond to itsentity_id(URL).Reference: https://openid.net/specs/openid-federation-1_0.html#name-automatic-registration