From 279c2b712801851c24e061f20846f8db9fefd541 Mon Sep 17 00:00:00 2001
From: chasegawa
Date: Tue, 18 Oct 2022 11:45:18 -0700
Subject: [PATCH] SHIBUI-2380 Adding OIDC/OAUTH specific Relying party overrides
---
 backend/src/main/resources/application.yml | 262 +++++++++++++++++-
 .../main/resources/i18n/messages.properties | 83 ++++++
 2 files changed, 344 insertions(+), 1 deletion(-)
diff --git a/backend/src/main/resources/application.yml b/backend/src/main/resources/application.yml
index 46042589e..de3a1eba5 100644
--- a/backend/src/main/resources/application.yml
+++ b/backend/src/main/resources/application.yml
@@ -163,4 +163,264 @@ custom:
 displayType: boolean
 helpText: tooltip.ignore-request-signatures
 attributeName: http://shibboleth.net/ns/profiles/ignoreRequestSignatures
- attributeFriendlyName: ignoreRequestSignatures
\ No newline at end of file
+ attributeFriendlyName: ignoreRequestSignatures
+ - name: disallowedFeatures
+ displayName: label.disallowedFeatures
+ helpText: tooltip.disallowedFeatures
+ displayType: string
+ attributeName: http://shibboleth.net/ns/profiles/disallowedFeatures
+ protocol: oidc
+ - name: inboundInterceptorFlows
+ displayName: label.inboundInterceptorFlows
+ helpText: tooltip.inboundInterceptorFlows
+ displayType: list
+ attributeName: http://shibboleth.net/ns/profiles/inboundInterceptorFlows
+ protocol: oidc
+ - name: outboundInterceptorFlows
+ displayName: label.outboundInterceptorFlows
+ helpText: tooltip.outboundInterceptorFlows
+ displayType: list
+ attributeName: http://shibboleth.net/ns/profiles/outboundInterceptorFlows
+ protocol: oidc
+ - name: securityConfiguration
+ displayName: label.securityConfiguration
+ helpText: tooltip.securityConfiguration
+ displayType: string
+ defaultValue: shibboleth.DefaultSecurityConfiguration
+ attributeName: http://shibboleth.net/ns/profiles/securityConfiguration
+ protocol: oidc
+ - name: tokenEndpointAuthMethods
+ displayName: label.tokenEndpointAuthMethods
+ helpText: tooltip.tokenEndpointAuthMethods
+ displayType: list
+ defaultValue: client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt
+ attributeName: http://shibboleth.net/ns/profiles/tokenEndpointAuthMethods
+ protocol: oidc
+ - name: defaultAuthenticationMethods
+ displayName: label.defaultAuthenticationMethods
+ helpText: tooltip.defaultAuthenticationMethods
+ displayType: list
+ attributeName: http://shibboleth.net/ns/profiles/defaultAuthenticationMethods
+ protocol: oidc
+ - name: postAuthenticationFlows
+ displayName: label.postAuthenticationFlows
+ helpText: tooltip.postAuthenticationFlows
+ displayType: list
+ attributeName: http://shibboleth.net/ns/profiles/postAuthenticationFlows
+ protocol: oidc
+ - name: proxyCount
+ displayName: label.proxyCount
+ helpText: tooltip.proxyCount
+ displayType: integer
+ attributeName: http://shibboleth.net/ns/profiles/proxyCount
+ protocol: oidc
+ - name: revocationLifetime
+ displayName: label.revocationLifetime
+ helpText: tooltip.revocationLifetime
+ displayType: string
+ defaultValue: PT6H
+ attributeName: http://shibboleth.net/ns/profiles/oauth2/revocation/revocationLifetime
+ protocol: oidc
+ - name: revocationMethod
+ displayName: label.revocationMethod
+ helpText: tooltip.revocationMethod
+ displayType: selection_list
+ defaultValues:
+ - CHAIN
+ - TOKEN
+ defaultValue: CHAIN
+ attributeName: http://shibboleth.net/ns/profiles/oauth2/revocation/revocationMethod
+ protocol: oidc
+ - name: accessTokenLifetime
+ displayName: label.accessTokenLifetime
+ helpText: tooltip.accessTokenLifetime
+ displayType: string
+ defaultValue: PT10M
+ attributeName: http://shibboleth.net/ns/profiles/oauth2/token/accessTokenLifetime
+ protocol: oidc
+ - name: accessTokenType
+ displayName: label.accessTokenType
+ helpText: tooltip.accessTokenType
+ displayType: string
+ attributeName: http://shibboleth.net/ns/profiles/oauth2/token/accessTokenType
+ protocol: oidc
+ - name: allowPKCEPlainOauth
+ displayName: label.allowPKCEPlain.oauth
+ helpText: tooltip.allowPKCEPlain.oauth
+ displayType: boolean
+ attributeName: http://shibboleth.net/ns/profiles/oauth2/token/allowPKCEPlain
+ protocol: oidc
+ - name: enforceRefreshTokenRotation
+ displayName: label.enforceRefreshTokenRotation
+ helpText: tooltip.enforceRefreshTokenRotation
+ displayType: boolean
+ attributeName: http://shibboleth.net/ns/profiles/oauth2/token/enforceRefreshTokenRotation
+ protocol: oidc
+ - name: forcePKCEOauth
+ displayName: label.forcePKCE.oauth
+ helpText: tooltip.forcePKCE.oauth
+ displayType: boolean
+ attributeName: http://shibboleth.net/ns/profiles/oauth2/token/forcePKCE
+ protocol: oidc
+ - name: grantTypes
+ displayName: label.grantTypes
+ helpText: tooltip.grantTypes
+ displayType: list
+ defaultValue: authorization_code, refresh_token
+ attributeName: http://shibboleth.net/ns/profiles/oauth2/token/grantTypes
+ protocol: oidc
+ - name: refreshTokenLifetime
+ displayName: label.refreshTokenLifetime
+ helpText: tooltip.refreshTokenLifetime
+ displayType: string
+ defaultValue: PT2H
+ attributeName: http://shibboleth.net/ns/profiles/oauth2/token/refreshTokenLifetime
+ protocol: oidc
+ - name: resolveAttributesOauth
+ displayName: label.resolveAttributes.oauth
+ helpText: tooltip.resolveAttributes.oauth
+ displayType: boolean
+ defaultValue: TRUE
+ attributeName: http://shibboleth.net/ns/profiles/oauth2/token/resolveAttributes
+ protocol: oidc
+ - name: authorizationCodeFlowEnabled
+ displayName: label.authorizationCodeFlowEnabled
+ helpText: tooltip.authorizationCodeFlowEnabled
+ displayType: boolean
+ defaultValue: TRUE
+ attributeName: http://shibboleth.net/ns/profiles/authorizationCodeFlowEnabled
+ protocol: oidc
+ - name: hybridFlowEnabled
+ displayName: label.hybridFlowEnabled
+ helpText: tooltip.hybridFlowEnabled
+ displayType: boolean
+ defaultValue: TRUE
+ attributeName: http://shibboleth.net/ns/profiles/hybridFlowEnabled
+ protocol: oidc
+ - name: implicitFlowEnabled
+ displayName: label.implicitFlowEnabled
+ helpText: tooltip.implicitFlowEnabled
+ displayType: boolean
+ defaultValue: TRUE
+ attributeName: http://shibboleth.net/ns/profiles/implicitFlowEnabled
+ protocol: oidc
+ - name: refreshTokensEnabled
+ displayName: label.refreshTokensEnabled
+ helpText: tooltip.refreshTokensEnabled
+ displayType: boolean
+ defaultValue: TRUE
+ attributeName: http://shibboleth.net/ns/profiles/refreshTokensEnabled
+ protocol: oidc
+ - name: accessTokenLifetime
+ displayName: label.accessTokenLifetime
+ helpText: tooltip.accessTokenLifetime
+ displayType: string
+ defaultValue: PT10M
+ attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/accessTokenLifetime
+ protocol: oidc
+ - name: accessTokenType
+ displayName: label.accessTokenType
+ helpText: tooltip.accessTokenType
+ displayType: string
+ attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/accessTokenType
+ protocol: oidc
+ - name: acrRequestAlwaysEssential
+ displayName: label.acrRequestAlwaysEssential
+ helpText: tooltip.acrRequestAlwaysEssential
+ displayType: boolean
+ attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/acrRequestAlwaysEssential
+ protocol: oidc
+ - name: allowPKCEPlainOidc
+ displayName: label.allowPKCEPlain.oidc
+ helpText: tooltip.allowPKCEPlain.oidc
+ displayType: boolean
+ attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/allowPKCEPlain
+ protocol: oidc
+ - name: alwaysIncludedAttributes
+ displayName: label.alwaysIncludedAttributes
+ helpText: tooltip.alwaysIncludedAttributes
+ displayType: list
+ attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/alwaysIncludedAttributes
+ protocol: oidc
+ - name: authorizeCodeLifetime
+ displayName: label.authorizeCodeLifetime
+ helpText: tooltip.authorizeCodeLifetime
+ displayType: string
+ defaultValue: PT5M
+ attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/authorizeCodeLifetime
+ protocol: oidc
+ - name: deniedUserInfoAttributes
+ displayName: label.deniedUserInfoAttributes
+ helpText: tooltip.deniedUserInfoAttributes
+ displayType: list
+ attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/deniedUserInfoAttributes
+ protocol: oidc
+ - name: encodeConsentInTokens
+ displayName: label.encodeConsentInTokens
+ helpText: tooltip.encodeConsentInTokens
+ displayType: boolean
+ attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/encodeConsentInTokens
+ protocol: oidc
+ - name: encodedAttributes
+ displayName: label.encodedAttributes
+ helpText: tooltip.encodedAttributes
+ displayType: list
+ attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/encodedAttributes
+ protocol: oidc
+ - name: forcePKCEOidc
+ displayName: label.forcePKCE.oidc
+ helpText: tooltip.forcePKCE.oidc
+ displayType: boolean
+ attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/forcePKCE
+ protocol: oidc
+ - name: IDTokenLifetime
+ displayName: label.IDTokenLifetime.browser
+ helpText: tooltip.IDTokenLifetime.broswer
+ displayType: string
+ defaultValue: PT1H
+ attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/IDTokenLifetime
+ protocol: oidc
+ - name: includeIssuerInResponse
+ displayName: label.includeIssuerInResponse
+ helpText: tooltip.includeIssuerInResponse
+ displayType: boolean
+ attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/includeIssuerInResponse
+ protocol: oidc
+ - name: refreshTokenLifetime
+ displayName: label.refreshTokenLifetime
+ helpText: tooltip.refreshTokenLifetime
+ displayType: string
+ defaultValue: PT2H
+ attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/refreshTokenLifetime
+ protocol: oidc
+ - name: alwaysIncludedAttributes
+ displayName: label.alwaysIncludedAttributes
+ helpText: tooltip.alwaysIncludedAttributes
+ displayType: list
+ attributeName: http://shibboleth.net/ns/profiles/oidc/token/alwaysIncludedAttributes
+ protocol: oidc
+ - name: encryptionOptional
+ displayName: label.encryptionOptional
+ helpText: tooltip.encryptionOptional
+ displayType: boolean
+ defaultValue: TRUE
+ attributeName: http://shibboleth.net/ns/profiles/oidc/token/encryptionOptional
+ protocol: oidc
+ - name: IDTokenLifetime
+ displayName: label.IDTokenLifetime
+ helpText: tooltip.IDTokenLifetime
+ displayType: string
+ defaultValue: PT1H
+ attributeName: http://shibboleth.net/ns/profiles/oidc/token/IDTokenLifetime
+ protocol: oidc
+ - name: deniedUserInfoAttributes
+ displayName: label.deniedUserInfoAttributes
+ helpText: tooltip.deniedUserInfoAttributes
+ displayType: list
+ attributeName: http://shibboleth.net/ns/profiles/oidc/userinfo/deniedUserInfoAttributes
+ protocol: oidc
+ - name: resolveAttributesOIDC
+ displayName: label.resolveAttributes.oidc
+ helpText: tooltip.resolveAttributes.oidc
+ displayType: boolean
+ attributeName: http://shibboleth.net/ns/profiles/oidc/userinfo/resolveAttributes
\ No newline at end of file
diff --git a/backend/src/main/resources/i18n/messages.properties b/backend/src/main/resources/i18n/messages.properties
index bb76787d6..69571640b 100644
--- a/backend/src/main/resources/i18n/messages.properties
+++ b/backend/src/main/resources/i18n/messages.properties
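Review bot: The last entry, `- name: resolveAttributesOIDC`, is the only override in this hunk without a `protocol: oidc` line (the hunk's 261 added lines only add up if that entry is five lines long), so if `protocol` is what restricts these overrides to OIDC relying parties this one will be offered for every protocol; add `protocol: oidc` after its `attributeName`. Several `helpText` keys resolve to nothing in the accompanying messages.properties hunk: `tooltip.IDTokenLifetime.broswer` is a typo for `tooltip.IDTokenLifetime.browser`, and `tooltip.allowPKCEPlain.oauth`/`.oidc` and `tooltip.forcePKCE.oauth`/`.oidc` are referenced while only `tooltip.allowPKCEPlain` and `tooltip.forcePKCE` are defined. The PKCE and resolveAttributes entries were given distinct names (`allowPKCEPlainOauth`/`allowPKCEPlainOidc`, `forcePKCEOauth`/`forcePKCEOidc`), but `accessTokenLifetime`, `accessTokenType`, `refreshTokenLifetime`, `alwaysIncludedAttributes`, `deniedUserInfoAttributes` and `IDTokenLifetime` each appear twice with different `attributeName` values and identical `displayName`/`helpText`; if `name` is used as a lookup key these will collide, and even if it is not, an administrator setting a token lifetime cannot tell the oauth2/token override from the oidc/sso/browser one. Suffixing those names and their label/tooltip keys the same way (e.g. `name: accessTokenLifetimeOauth` with `displayName: label.accessTokenLifetime.oauth`) would fix both problems.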
@@ -865,3 +865,86 @@ label.software-version=Software Version
 tooltip.software-version=Version of Software
 label.default-max-age=Default Max Age
 tooltip.default-max-age=Specifies that the End-User MUST be actively authenticated if the End-User was authenticated longer ago than the specified number of seconds.
+
+# OIDC/OAUTH Relaying Party Overrides
+label.disallowedFeatures=Disallowed Features
+label.inboundInterceptorFlows=Inbound Interceptor Flows
+label.outboundInterceptorFlows=Outbound Interceptor Flows
+label.securityConfiguration=Security Configuration
+label.tokenEndpointAuthMethods=Token Endpoint Authentication Methods
+label.defaultAuthenticationMethods=Default Authentication Methods
+label.postAuthenticationFlows=Post Authentication Flows
+label.proxyCount=Proxy Count
+label.revocationLifetime=Revocation Lifetime
+label.revocationMethod=Revocation Method
+label.accessTokenLifetime=Access Token Lifetime
+label.accessTokenType=Access Token Type
+label.allowPKCEPlain.oidc=Allow PKCE Plain (OIDC)
+label.enforceRefreshTokenRotation=Enforce Refresh Token Rotation
+label.forcePKCE.oidc=Force PKCE (OIDC)
+label.grantTypes=Grant Types
+label.refreshTokenLifetime=Refresh Token Lifetime
+label.resolveAttributes.oauth=Resolve Attributes (Oauth)
+label.authorizationCodeFlowEnabled=Authorization Code Flow Enabled
+label.hybridFlowEnabled=Hybrid Flow Enabled
+label.implicitFlowEnabled=Implicit Flow Enabled
+label.refreshTokensEnabled=Refresh Tokens Enabled
+label.accessTokenLifetime=Access Token Lifetime
+label.accessTokenType=Access Token Type
+label.acrRequestAlwaysEssential=Acr Request Always Essential
+label.allowPKCEPlain.oauth=Allow PKCE Plain (OAUTH)
+label.alwaysIncludedAttributes=Always Included Attributes
+label.authorizeCodeLifetime=Authorize Code Lifetime
+label.deniedUserInfoAttributes=Denied User Info Attributes
+label.encodeConsentInTokens=Encode Consent In Tokens
+label.encodedAttributes=Encoded Attributes
+label.forcePKCE.oauth=Force PKCE (OAUTH)
+label.IDTokenLifetime.browser=IDToken Lifetime (browser)
+label.includeIssuerInResponse=Include Issuer In Response
+label.refreshTokenLifetime=Refresh Token Lifetime
+label.alwaysIncludedAttributes=Always Included Attributes
+label.encryptionOptional=Encryption Optional
+label.IDTokenLifetime=IDToken Lifetime
+label.deniedUserInfoAttributes=Denied User Info Attributes
+label.resolveAttributes.oidc=Resolve Attributes (OIDC)
+
+tooltip.disallowedFeatures=A bitmask of features to disallow. the mask values being specific to individual profiles
+tooltip.inboundInterceptorFlows=Ordered list of profile interceptor flows to run prior to message processing
+tooltip.outboundInterceptorFlows=Ordered list of profile interceptor flows to run prior to outbound message handling
+tooltip.securityConfiguration=An object containing all of the default security-related objects needed for peer authentication and encryption. See SecurityConfiguration for complete details.
+tooltip.tokenEndpointAuthMethods=Enabled endpoint client authentication methods
+tooltip.defaultAuthenticationMethods=Ordered list of Java Principals to be used to select appropriate login flow(s) to attempt in the event that a relying party does not signal a preference. See AuthenticationFlowSelection.
+tooltip.postAuthenticationFlows=Ordered list of profile interceptor flows to run after successful authentication
+tooltip.proxyCount=Limits use of proxying either to service providers downstream or when requesting authentication from identity providers upstream. This will generally depend on whether a particular protocol supports the feature.
+tooltip.revocationLifetime=The revocation lifetime used when revoking the full chain (see CHAIN above).
+tooltip.revocationMethod=The revocation method: CHAIN refers to revoking whole chain of tokens (from authorization code to all access/refresh tokens) and TOKEN refers to revoking single token
+tooltip.accessTokenLifetime=Lifetime of access token issued to client
+tooltip.accessTokenType=Format of access token. Supported values are ?JWT? or nothing/empty/null implying opaque tokens.
+tooltip.allowPKCEPlain=Whether client is allowed to use PKCE code challenge method plain
+tooltip.enforceRefreshTokenRotation=Whether to enforce refresh token rotation. If enabled the refresh token is revoked whenever it is used for issuing a new refresh token.
+tooltip.forcePKCE=Whether client is required to use PKCE
+tooltip.grantTypes=OAuth grant types to allow
+tooltip.refreshTokenLifetime=Lifetime of refresh token issued to client
+tooltip.resolveAttributes.oidc=Whether to resolve attributes during the token issuance process
+tooltip.authorizationCodeFlowEnabled=Whether to enable the authorization code flow
+tooltip.hybridFlowEnabled=Whether to enable the hybrid flow
+tooltip.implicitFlowEnabled=Whether to enable the implicit flow
+tooltip.refreshTokensEnabled=Whether to enable refresh token support
+tooltip.accessTokenLifetime=Lifetime of access token
+tooltip.accessTokenType=Format of access token. Supported values are ?JWT? or nothing/empty/null implying opaque tokens.
+tooltip.acrRequestAlwaysEssential=Whether to treat "acr" claim requests as essential regardless of request
+tooltip.allowPKCEPlain=Whether client is allowed to use PKCE code challenge method plain
+tooltip.alwaysIncludedAttributes=Specifies IdPAttributes to always include in ID token regardless of response_type
+tooltip.authorizeCodeLifetime=Lifetime of authorization code
+tooltip.deniedUserInfoAttributes=Specifies IdPAttributes to omit from UserInfo token
+tooltip.encodeConsentInTokens=Whether to embed consent decision(s) in access/refresh tokens and authorization code to allow for client-side consent storage
+tooltip.encodedAttributes=Specifies IdPAttributes to encode into tokens for recovery on back-channel token requests
+tooltip.forcePKCE=Whether client is required to use PKCE
+tooltip.IDTokenLifetime.browser=Lifetime of ID token (browser)
+tooltip.includeIssuerInResponse=Whether to include issuer -parameter in the responses as specified by RFC 9207. If set to true also consider including authorization_response_iss_parameter_supported to the OP metadata.
+tooltip.refreshTokenLifetime=Lifetime of refresh token
+tooltip.alwaysIncludedAttributes=Specifies IdPAttributes to always include in ID token regardless of response_type
+tooltip.encryptionOptional=Whether the absence of encryption details in a client?s metadata should fail when issuing an ID token
+tooltip.IDTokenLifetime=Lifetime of ID token issued to client
+tooltip.deniedUserInfoAttributes=Specifies IdPAttributes to omit from UserInfo token
+tooltip.resolveAttributes.oauth=Whether to run the attribute resolution/filtering step
\ No newline at end of file
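Review bot: Many keys in this hunk are defined twice (`label.accessTokenLifetime`, `label.accessTokenType`, `label.refreshTokenLifetime`, `label.alwaysIncludedAttributes`, `label.deniedUserInfoAttributes`, `tooltip.allowPKCEPlain`, `tooltip.forcePKCE`, `tooltip.accessTokenLifetime`, `tooltip.accessTokenType`, `tooltip.refreshTokenLifetime`, `tooltip.alwaysIncludedAttributes`, `tooltip.deniedUserInfoAttributes`), and java.util.Properties keeps the last value without any warning, so the earlier definitions are dead and the texts that differ (`Lifetime of access token issued to client` vs `Lifetime of access token`) are silently lost. The application.yml hunk references `tooltip.allowPKCEPlain.oauth`, `tooltip.allowPKCEPlain.oidc`, `tooltip.forcePKCE.oauth` and `tooltip.forcePKCE.oidc`, so the two `tooltip.allowPKCEPlain=` and two `tooltip.forcePKCE=` lines should carry those suffixes instead of duplicating each other. Judging by position, `tooltip.resolveAttributes.oidc` (token issuance) and `tooltip.resolveAttributes.oauth` (resolution/filtering step) look swapped relative to the yml, where `.oauth` is attached to the oauth2/token override and `.oidc` to the oidc/userinfo one; worth confirming against the IdP documentation. The `?` in `?JWT?` and `client?s` looks like mis-encoded typographic quotes and should be plain ASCII (`"JWT"`, `client's`), the section comment should read `# OIDC/OAUTH Relying Party Overrides`, and `tooltip.revocationLifetime` says "see CHAIN above" although CHAIN is only explained on the following `tooltip.revocationMethod` line.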