SHIBUI-2380

Adding OIDC/OAUTH specific Relying party overrides
TIER · Oct 18, 2022 · 279c2b7 · 279c2b7
1 parent 535fd5c
commit 279c2b7
Show file tree

Hide file tree

Showing 2 changed files with 344 additions and 1 deletion.
diff --git a/backend/src/main/resources/application.yml b/backend/src/main/resources/application.yml
@@ -163,4 +163,264 @@ custom:
       displayType: boolean
       helpText: tooltip.ignore-request-signatures
       attributeName: http://shibboleth.net/ns/profiles/ignoreRequestSignatures
-      attributeFriendlyName: ignoreRequestSignatures
+      attributeFriendlyName: ignoreRequestSignatures
+    - name: disallowedFeatures
+      displayName: label.disallowedFeatures
+      helpText: tooltip.disallowedFeatures
+      displayType: string
+      attributeName: http://shibboleth.net/ns/profiles/disallowedFeatures
+      protocol: oidc
+    - name: inboundInterceptorFlows
+      displayName: label.inboundInterceptorFlows
+      helpText: tooltip.inboundInterceptorFlows
+      displayType: list
+      attributeName: http://shibboleth.net/ns/profiles/inboundInterceptorFlows
+      protocol: oidc
+    - name: outboundInterceptorFlows
+      displayName: label.outboundInterceptorFlows
+      helpText: tooltip.outboundInterceptorFlows
+      displayType: list
+      attributeName: http://shibboleth.net/ns/profiles/outboundInterceptorFlows
+      protocol: oidc
+    - name: securityConfiguration
+      displayName: label.securityConfiguration
+      helpText: tooltip.securityConfiguration
+      displayType: string
+      defaultValue: shibboleth.DefaultSecurityConfiguration
+      attributeName: http://shibboleth.net/ns/profiles/securityConfiguration
+      protocol: oidc
+    - name: tokenEndpointAuthMethods
+      displayName: label.tokenEndpointAuthMethods
+      helpText: tooltip.tokenEndpointAuthMethods
+      displayType: list
+      defaultValue: client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt
+      attributeName: http://shibboleth.net/ns/profiles/tokenEndpointAuthMethods
+      protocol: oidc
+    - name: defaultAuthenticationMethods
+      displayName: label.defaultAuthenticationMethods
+      helpText: tooltip.defaultAuthenticationMethods
+      displayType: list
+      attributeName: http://shibboleth.net/ns/profiles/defaultAuthenticationMethods
+      protocol: oidc
+    - name: postAuthenticationFlows
+      displayName: label.postAuthenticationFlows
+      helpText: tooltip.postAuthenticationFlows
+      displayType: list
+      attributeName: http://shibboleth.net/ns/profiles/postAuthenticationFlows
+      protocol: oidc
+    - name: proxyCount
+      displayName: label.proxyCount
+      helpText: tooltip.proxyCount
+      displayType: integer
+      attributeName: http://shibboleth.net/ns/profiles/proxyCount
+      protocol: oidc
+    - name: revocationLifetime
+      displayName: label.revocationLifetime
+      helpText: tooltip.revocationLifetime
+      displayType: string
+      defaultValue: PT6H
+      attributeName: http://shibboleth.net/ns/profiles/oauth2/revocation/revocationLifetime
+      protocol: oidc
+    - name: revocationMethod
+      displayName: label.revocationMethod
+      helpText: tooltip.revocationMethod
+      displayType: selection_list
+      defaultValues:
+        - CHAIN
+        - TOKEN
+      defaultValue: CHAIN
+      attributeName: http://shibboleth.net/ns/profiles/oauth2/revocation/revocationMethod
+      protocol: oidc
+    - name: accessTokenLifetime
+      displayName: label.accessTokenLifetime
+      helpText: tooltip.accessTokenLifetime
+      displayType: string
+      defaultValue: PT10M
+      attributeName: http://shibboleth.net/ns/profiles/oauth2/token/accessTokenLifetime
+      protocol: oidc
+    - name: accessTokenType
+      displayName: label.accessTokenType
+      helpText: tooltip.accessTokenType
+      displayType: string
+      attributeName: http://shibboleth.net/ns/profiles/oauth2/token/accessTokenType
+      protocol: oidc
+    - name: allowPKCEPlainOauth
+      displayName: label.allowPKCEPlain.oauth
+      helpText: tooltip.allowPKCEPlain.oauth
+      displayType: boolean
+      attributeName: http://shibboleth.net/ns/profiles/oauth2/token/allowPKCEPlain
+      protocol: oidc
+    - name: enforceRefreshTokenRotation
+      displayName: label.enforceRefreshTokenRotation
+      helpText: tooltip.enforceRefreshTokenRotation
+      displayType: boolean
+      attributeName: http://shibboleth.net/ns/profiles/oauth2/token/enforceRefreshTokenRotation
+      protocol: oidc
+    - name: forcePKCEOauth
+      displayName: label.forcePKCE.oauth
+      helpText: tooltip.forcePKCE.oauth
+      displayType: boolean
+      attributeName: http://shibboleth.net/ns/profiles/oauth2/token/forcePKCE
+      protocol: oidc
+    - name: grantTypes
+      displayName: label.grantTypes
+      helpText: tooltip.grantTypes
+      displayType: list
+      defaultValue: authorization_code, refresh_token
+      attributeName: http://shibboleth.net/ns/profiles/oauth2/token/grantTypes
+      protocol: oidc
+    - name: refreshTokenLifetime
+      displayName: label.refreshTokenLifetime
+      helpText: tooltip.refreshTokenLifetime
+      displayType: string
+      defaultValue: PT2H
+      attributeName: http://shibboleth.net/ns/profiles/oauth2/token/refreshTokenLifetime
+      protocol: oidc
+    - name: resolveAttributesOauth
+      displayName: label.resolveAttributes.oauth
+      helpText: tooltip.resolveAttributes.oauth
+      displayType: boolean
+      defaultValue: TRUE
+      attributeName: http://shibboleth.net/ns/profiles/oauth2/token/resolveAttributes
+      protocol: oidc
+    - name: authorizationCodeFlowEnabled
+      displayName: label.authorizationCodeFlowEnabled
+      helpText: tooltip.authorizationCodeFlowEnabled
+      displayType: boolean
+      defaultValue: TRUE
+      attributeName: http://shibboleth.net/ns/profiles/authorizationCodeFlowEnabled
+      protocol: oidc
+    - name: hybridFlowEnabled
+      displayName: label.hybridFlowEnabled
+      helpText: tooltip.hybridFlowEnabled
+      displayType: boolean
+      defaultValue: TRUE
+      attributeName: http://shibboleth.net/ns/profiles/hybridFlowEnabled
+      protocol: oidc
+    - name: implicitFlowEnabled
+      displayName: label.implicitFlowEnabled
+      helpText: tooltip.implicitFlowEnabled
+      displayType: boolean
+      defaultValue: TRUE
+      attributeName: http://shibboleth.net/ns/profiles/implicitFlowEnabled
+      protocol: oidc
+    - name: refreshTokensEnabled
+      displayName: label.refreshTokensEnabled
+      helpText: tooltip.refreshTokensEnabled
+      displayType: boolean
+      defaultValue: TRUE
+      attributeName: http://shibboleth.net/ns/profiles/refreshTokensEnabled
+      protocol: oidc
+    - name: accessTokenLifetime
+      displayName: label.accessTokenLifetime
+      helpText: tooltip.accessTokenLifetime
+      displayType: string
+      defaultValue: PT10M
+      attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/accessTokenLifetime
+      protocol: oidc
+    - name: accessTokenType
+      displayName: label.accessTokenType
+      helpText: tooltip.accessTokenType
+      displayType: string
+      attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/accessTokenType
+      protocol: oidc
+    - name: acrRequestAlwaysEssential
+      displayName: label.acrRequestAlwaysEssential
+      helpText: tooltip.acrRequestAlwaysEssential
+      displayType: boolean
+      attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/acrRequestAlwaysEssential
+      protocol: oidc
+    - name: allowPKCEPlainOidc
+      displayName: label.allowPKCEPlain.oidc
+      helpText: tooltip.allowPKCEPlain.oidc
+      displayType: boolean
+      attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/allowPKCEPlain
+      protocol: oidc
+    - name: alwaysIncludedAttributes
+      displayName: label.alwaysIncludedAttributes
+      helpText: tooltip.alwaysIncludedAttributes
+      displayType: list
+      attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/alwaysIncludedAttributes
+      protocol: oidc
+    - name: authorizeCodeLifetime
+      displayName: label.authorizeCodeLifetime
+      helpText: tooltip.authorizeCodeLifetime
+      displayType: string
+      defaultValue: PT5M
+      attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/authorizeCodeLifetime
+      protocol: oidc
+    - name: deniedUserInfoAttributes
+      displayName: label.deniedUserInfoAttributes
+      helpText: tooltip.deniedUserInfoAttributes
+      displayType: list
+      attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/deniedUserInfoAttributes
+      protocol: oidc
+    - name: encodeConsentInTokens
+      displayName: label.encodeConsentInTokens
+      helpText: tooltip.encodeConsentInTokens
+      displayType: boolean
+      attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/encodeConsentInTokens
+      protocol: oidc
+    - name: encodedAttributes
+      displayName: label.encodedAttributes
+      helpText: tooltip.encodedAttributes
+      displayType: list
+      attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/encodedAttributes
+      protocol: oidc
+    - name: forcePKCEOidc
+      displayName: label.forcePKCE.oidc
+      helpText: tooltip.forcePKCE.oidc
+      displayType: boolean
+      attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/forcePKCE
+      protocol: oidc
+    - name: IDTokenLifetime
+      displayName: label.IDTokenLifetime.browser
+      helpText: tooltip.IDTokenLifetime.broswer
+      displayType: string
+      defaultValue: PT1H
+      attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/IDTokenLifetime
+      protocol: oidc
+    - name: includeIssuerInResponse
+      displayName: label.includeIssuerInResponse
+      helpText: tooltip.includeIssuerInResponse
+      displayType: boolean
+      attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/includeIssuerInResponse
+      protocol: oidc
+    - name: refreshTokenLifetime
+      displayName: label.refreshTokenLifetime
+      helpText: tooltip.refreshTokenLifetime
+      displayType: string
+      defaultValue: PT2H
+      attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/refreshTokenLifetime
+      protocol: oidc
+    - name: alwaysIncludedAttributes
+      displayName: label.alwaysIncludedAttributes
+      helpText: tooltip.alwaysIncludedAttributes
+      displayType: list
+      attributeName: http://shibboleth.net/ns/profiles/oidc/token/alwaysIncludedAttributes
+      protocol: oidc
+    - name: encryptionOptional
+      displayName: label.encryptionOptional
+      helpText: tooltip.encryptionOptional
+      displayType: boolean
+      defaultValue: TRUE
+      attributeName: http://shibboleth.net/ns/profiles/oidc/token/encryptionOptional
+      protocol: oidc
+    - name: IDTokenLifetime
+      displayName: label.IDTokenLifetime
+      helpText: tooltip.IDTokenLifetime
+      displayType: string
+      defaultValue: PT1H
+      attributeName: http://shibboleth.net/ns/profiles/oidc/token/IDTokenLifetime
+      protocol: oidc
+    - name: deniedUserInfoAttributes
+      displayName: label.deniedUserInfoAttributes
+      helpText: tooltip.deniedUserInfoAttributes
+      displayType: list
+      attributeName: http://shibboleth.net/ns/profiles/oidc/userinfo/deniedUserInfoAttributes
+      protocol: oidc
+    - name: resolveAttributesOIDC
+      displayName: label.resolveAttributes.oidc
+      helpText: tooltip.resolveAttributes.oidc
+      displayType: boolean
+      attributeName: http://shibboleth.net/ns/profiles/oidc/userinfo/resolveAttributes
diff --git a/backend/src/main/resources/i18n/messages.properties b/backend/src/main/resources/i18n/messages.properties
@@ -865,3 +865,86 @@ label.software-version=Software Version
 tooltip.software-version=Version of Software
 label.default-max-age=Default Max Age
 tooltip.default-max-age=Specifies that the End-User MUST be actively authenticated if the End-User was authenticated longer ago than the specified number of seconds.
+
+# OIDC/OAUTH Relaying Party Overrides
+label.disallowedFeatures=Disallowed Features
+label.inboundInterceptorFlows=Inbound Interceptor Flows
+label.outboundInterceptorFlows=Outbound Interceptor Flows
+label.securityConfiguration=Security Configuration
+label.tokenEndpointAuthMethods=Token Endpoint Authentication Methods
+label.defaultAuthenticationMethods=Default Authentication Methods
+label.postAuthenticationFlows=Post Authentication Flows
+label.proxyCount=Proxy Count
+label.revocationLifetime=Revocation Lifetime
+label.revocationMethod=Revocation Method
+label.accessTokenLifetime=Access Token Lifetime
+label.accessTokenType=Access Token Type
+label.allowPKCEPlain.oidc=Allow PKCE Plain (OIDC)
+label.enforceRefreshTokenRotation=Enforce Refresh Token Rotation
+label.forcePKCE.oidc=Force PKCE (OIDC)
+label.grantTypes=Grant Types
+label.refreshTokenLifetime=Refresh Token Lifetime
+label.resolveAttributes.oauth=Resolve Attributes (Oauth)
+label.authorizationCodeFlowEnabled=Authorization Code Flow Enabled
+label.hybridFlowEnabled=Hybrid Flow Enabled
+label.implicitFlowEnabled=Implicit Flow Enabled
+label.refreshTokensEnabled=Refresh Tokens Enabled
+label.accessTokenLifetime=Access Token Lifetime
+label.accessTokenType=Access Token Type
+label.acrRequestAlwaysEssential=Acr Request Always Essential
+label.allowPKCEPlain.oauth=Allow PKCE Plain (OAUTH)
+label.alwaysIncludedAttributes=Always Included Attributes
+label.authorizeCodeLifetime=Authorize Code Lifetime
+label.deniedUserInfoAttributes=Denied User Info Attributes
+label.encodeConsentInTokens=Encode Consent In Tokens
+label.encodedAttributes=Encoded Attributes
+label.forcePKCE.oauth=Force PKCE (OAUTH)
+label.IDTokenLifetime.browser=IDToken Lifetime (browser)
+label.includeIssuerInResponse=Include Issuer In Response
+label.refreshTokenLifetime=Refresh Token Lifetime
+label.alwaysIncludedAttributes=Always Included Attributes
+label.encryptionOptional=Encryption Optional
+label.IDTokenLifetime=IDToken Lifetime
+label.deniedUserInfoAttributes=Denied User Info Attributes
+label.resolveAttributes.oidc=Resolve Attributes (OIDC)
+
+tooltip.disallowedFeatures=A bitmask of features to disallow. the mask values being specific to individual profiles
+tooltip.inboundInterceptorFlows=Ordered list of profile interceptor flows to run prior to message processing
+tooltip.outboundInterceptorFlows=Ordered list of profile interceptor flows to run prior to outbound message handling
+tooltip.securityConfiguration=An object containing all of the default security-related objects needed for peer authentication and encryption. See SecurityConfiguration for complete details.
+tooltip.tokenEndpointAuthMethods=Enabled endpoint client authentication methods
+tooltip.defaultAuthenticationMethods=Ordered list of Java Principals to be used to select appropriate login flow(s) to attempt in the event that a relying party does not signal a preference. See AuthenticationFlowSelection.
+tooltip.postAuthenticationFlows=Ordered list of profile interceptor flows to run after successful authentication
+tooltip.proxyCount=Limits use of proxying either to service providers downstream or when requesting authentication from identity providers upstream. This will generally depend on whether a particular protocol supports the feature.
+tooltip.revocationLifetime=The revocation lifetime used when revoking the full chain (see CHAIN above).
+tooltip.revocationMethod=The revocation method: CHAIN refers to revoking whole chain of tokens (from authorization code to all access/refresh tokens) and TOKEN refers to revoking single token
+tooltip.accessTokenLifetime=Lifetime of access token issued to client
+tooltip.accessTokenType=Format of access token. Supported values are ?JWT? or nothing/empty/null implying opaque tokens.
+tooltip.allowPKCEPlain=Whether client is allowed to use PKCE code challenge method plain
+tooltip.enforceRefreshTokenRotation=Whether to enforce refresh token rotation. If enabled the refresh token is revoked whenever it is used for issuing a new refresh token.
+tooltip.forcePKCE=Whether client is required to use PKCE
+tooltip.grantTypes=OAuth grant types to allow
+tooltip.refreshTokenLifetime=Lifetime of refresh token issued to client
+tooltip.resolveAttributes.oidc=Whether to resolve attributes during the token issuance process
+tooltip.authorizationCodeFlowEnabled=Whether to enable the authorization code flow
+tooltip.hybridFlowEnabled=Whether to enable the hybrid flow
+tooltip.implicitFlowEnabled=Whether to enable the implicit flow
+tooltip.refreshTokensEnabled=Whether to enable refresh token support
+tooltip.accessTokenLifetime=Lifetime of access token
+tooltip.accessTokenType=Format of access token. Supported values are ?JWT? or nothing/empty/null implying opaque tokens.
+tooltip.acrRequestAlwaysEssential=Whether to treat "acr" claim requests as essential regardless of request
+tooltip.allowPKCEPlain=Whether client is allowed to use PKCE code challenge method plain
+tooltip.alwaysIncludedAttributes=Specifies IdPAttributes to always include in ID token regardless of response_type
+tooltip.authorizeCodeLifetime=Lifetime of authorization code
+tooltip.deniedUserInfoAttributes=Specifies IdPAttributes to omit from UserInfo token
+tooltip.encodeConsentInTokens=Whether to embed consent decision(s) in access/refresh tokens and authorization code to allow for client-side consent storage
+tooltip.encodedAttributes=Specifies IdPAttributes to encode into tokens for recovery on back-channel token requests
+tooltip.forcePKCE=Whether client is required to use PKCE
+tooltip.IDTokenLifetime.browser=Lifetime of ID token (browser)
+tooltip.includeIssuerInResponse=Whether to include issuer -parameter in the responses as specified by RFC 9207. If set to true also consider including authorization_response_iss_parameter_supported to the OP metadata.
+tooltip.refreshTokenLifetime=Lifetime of refresh token
+tooltip.alwaysIncludedAttributes=Specifies IdPAttributes to always include in ID token regardless of response_type
+tooltip.encryptionOptional=Whether the absence of encryption details in a client?s metadata should fail when issuing an ID token
+tooltip.IDTokenLifetime=Lifetime of ID token issued to client
+tooltip.deniedUserInfoAttributes=Specifies IdPAttributes to omit from UserInfo token
+tooltip.resolveAttributes.oauth=Whether to run the attribute resolution/filtering step