oidc dynamic registration

testbed/integration/docker-compose.yml

@@ -48,9 +48,11 @@ services:
     depends_on:
       - directory
       - reverse-proxy
+      - database
     networks:
       - reverse-proxy
       - idp
+      - backend
     volumes:
       - ../directory/certs/ca.crt:/opt/shibboleth-idp/credentials/ldap-server.crt
       - dynamic_metadata:/opt/shibboleth-idp/metadata/dynamic
@@ -86,6 +88,8 @@ services:
       - backend
     volumes:
       - database_data:/var/lib/postgresql/data
+      - ./shibboleth-idp/db/oidc_dynreg.sql:/docker-entrypoint-initdb.d/oidc_dynreg.sql
+
 networks:
   reverse-proxy:
   idp:

testbed/integration/shibboleth-idp/Dockerfile

@@ -17,6 +17,7 @@ ARG TOMREWRITE=config/tomcat/rewrite.config
 ADD ${SHBCREDS} /opt/shibboleth-idp/credentials
 RUN /opt/shibboleth-idp/bin/plugin.sh -i https://shibboleth.net/downloads/identity-provider/plugins/oidc-common/2.1.0/oidc-common-dist-2.1.0.tar.gz --noPrompt
 RUN /opt/shibboleth-idp/bin/plugin.sh -i https://shibboleth.net/downloads/identity-provider/plugins/oidc-op/3.2.1/idp-plugin-oidc-op-distribution-3.2.1.tar.gz --noPrompt
+RUN /opt/shibboleth-idp/bin/module.sh -e idp.authn.RemoteUserInternal
 RUN /opt/shibboleth-idp/bin/jwtgen.sh -t RSA -s 2048 -u sig -i defaultRSASign | tail -n +2 > /opt/shibboleth-idp/credentials/idp-signing-rs.jwk
 RUN /opt/shibboleth-idp/bin/jwtgen.sh	-t EC -c P-256 -u sig -i defaultECSign | tail -n +2 > /opt/shibboleth-idp/credentials/idp-signing-es.jwk
 RUN /opt/shibboleth-idp/bin/jwtgen.sh	-t RSA -s 2048 -u enc -i defaultRSAEnc | tail -n +2 > /opt/shibboleth-idp/credentials/idp-encryption-rsa.jwk
@@ -27,7 +28,7 @@ ADD ${TOMCERT} /opt/certs
 ADD ${TOMWWWROOT} /usr/local/tomcat/webapps/ROOT
 ADD ${SHBCFG} /opt/shibboleth-idp/conf
 #ADD ${SHBVIEWS} /opt/shibboleth-idp/views
-#ADD ${SHBEDWAPP} /opt/shibboleth-idp/edit-webapp
+ADD ${SHBEDWAPP} /opt/shibboleth-idp/edit-webapp
 #ADD ${SHBMSGS} /opt/shibboleth-idp/messages
 ADD ${SHBMD} /opt/shibboleth-idp/metadata
 ADD ${OIDCREG} /opt/shibboleth-idp/static

testbed/integration/shibboleth-idp/config/shib-idp/conf/access-control.xml

@@ -28,20 +28,18 @@
 
     <util:map id="shibboleth.AccessControlPolicies">
 
-        <entry key="AccessByIPAddress">
-            <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
-                  p:allowedRanges="#{ {'127.0.0.1/32', '::1/128', '172.16.0.0/12'} }" />
-        </entry>
-
-        <!--
         <entry key="AccessByAdminUser">
             <bean parent="shibboleth.PredicateAccessControl">
                 <constructor-arg>
-                    <bean parent="shibboleth.Conditions.SubjectName" c:collection="#{'jdoe'}" />
+                    <bean parent="shibboleth.Conditions.SubjectName" c:collection="#{'banderson'}" />
                 </constructor-arg>
             </bean>
         </entry>
-        -->
+
+        <entry key="AccessByIPAddress">
+            <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
+                  p:allowedRanges="#{ {'127.0.0.1/32', '::1/128', '172.16.0.0/12'} }" />
+        </entry>
 
         <!--
         <entry key="AccessByAttribute">

testbed/integration/shibboleth-idp/config/shib-idp/conf/global.xml

@@ -0,0 +1,80 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+
+    <!-- Use this file to define any custom beans needed globally. -->
+
+    <!-- Postgres configuration -->
+    <bean id="shibboleth.JPAStorageService"
+        class="org.opensaml.storage.impl.JPAStorageService"
+        p:cleanupInterval="%{idp.storage.cleanupInterval:PT10M}"
+        c:factory-ref="shibboleth.JPAStorageService.EntityManagerFactory" />
+
+    <bean id="shibboleth.JPAStorageService.EntityManagerFactory"
+        class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
+        <property name="persistenceUnitName" value="storageservice" />
+        <property name="packagesToScan" value="org.opensaml.storage.impl" />
+        <property name="dataSource" ref="shibboleth.JPAStorageService.DataSource" />
+        <property name="jpaVendorAdapter" ref="shibboleth.JPAStorageService.JPAVendorAdapter" />
+        <property name="jpaDialect">
+            <bean class="org.springframework.orm.jpa.vendor.HibernateJpaDialect" />
+        </property>
+    </bean>
+
+    <bean id="shibboleth.JPAStorageService.JPAVendorAdapter"
+        class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter">
+        <property name="database" value="POSTGRESQL" />
+    </bean> 
+    <bean id="shibboleth.JPAStorageService.DataSource"
+        class="com.zaxxer.hikari.HikariDataSource" destroy-method="close" lazy-init="true"
+        p:driverClassName="org.postgresql.Driver"
+        p:jdbcUrl="jdbc:postgresql://database:5432/oidc_dynreg"
+        p:username="shibui"
+        p:password="shibui" />
+
+    <!--
+    Algorithm include/exclude sets that override or merge with library defaults. Normally you can leave these
+    empty or commented and use the system defaults, but you can override those defaults using these beans.
+    Each <value> element is an algorithm URI; you can also use <util:constant> elements in place of literal values.
+    -->
+
+    <!--
+    <util:set id="shibboleth.IncludedSignatureAlgorithms">
+    </util:set>
+
+    <util:set id="shibboleth.ExcludedSignatureAlgorithms">
+    </util:set>
+
+    <util:set id="shibboleth.IncludedEncryptionAlgorithms">
+    </util:set>
+
+    <util:set id="shibboleth.ExcludedEncryptionAlgorithms">
+    </util:set>
+    -->
+
+    <!--
+    If you need to define and inject custom Java object(s) into the various views used throughout the
+    system (errors, login, logout, etc.), you can uncomment and define the bean below to be of any
+    type required. It will appear in the view scope as a variable named "custom".
+    
+    The example below defines the bean as a map, which allows you to inject multiple objects under
+    named keys to expand the feature to support multiple injected objects.
+    -->
+
+    <!--
+    <util:map id="shibboleth.CustomViewContext">
+        <entry key="foo" value="bar"/>
+    </util:map>
+    -->
+
+</beans>

testbed/integration/shibboleth-idp/config/shib-idp/conf/idp.properties

@@ -225,4 +225,4 @@ idp.ui.fallbackLanguages=en,fr,de
 # Set false if you want SAML bindings "spelled out" in audit log
 idp.audit.shortenBindings=true
 
-#idp.loglevel.idp=DEBUG
+#idp.loglevel.idp=DEBUG

testbed/integration/shibboleth-idp/config/shib-idp/conf/oidc-clientinfo-resolvers.xml

@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+       default-init-method="initialize"
+       default-destroy-method="destroy"
+       default-lazy-init="true">
+
+    <!--
+    The following example contains two OIDC client information resolvers:
+        - first one reading a single client's information from a JSON file
+        - second one fetching client information from a configured StorageService
+    -->
+
+    <util:list id="shibboleth.oidc.ClientInformationResolvers">
+        <!-- <ref bean="ExampleFileResolver" /> -->
+        <ref bean="dynreg" />
+    </util:list>
+
+    <!--
+    <bean id="ExampleFileResolver" parent="shibboleth.oidc.FilesystemClientInformationResolver"
+        c:metadata="%{idp.home}/metadata/oidc-client.json" />
+    -->
+
+    <bean id="dynreg" parent="shibboleth.oidc.StorageClientInformationResolver"
+		    p:storageService-ref="shibboleth.JPAStorageService" />
+
+  <!--
+    <bean id="ExampleStorageClientInformationResolver" parent="shibboleth.oidc.StorageClientInformationResolver"
+        p:storageService-ref="#{'%{idp.oidc.dynreg.StorageService:shibboleth.StorageService}'.trim()}" />
+  -->  
+</beans>

testbed/integration/shibboleth-idp/config/shib-idp/conf/oidc.properties

@@ -2,6 +2,8 @@
 idp.oidc.issuer = https://idp.unicon.local
 
 #Dynamic registration properties
+idp.oidc.dynreg.StorageService=shibboleth.JPAStorageService
+
 # The validity of registration before a new one is required.
 #idp.oidc.dynreg.defaultRegistrationValidity = PT24H
 # The validity of client secret registered  
@@ -101,16 +103,19 @@ idp.oidc.subject.salt = eezien3iteit0gaiciiweayohxahmai6
 
 # Settings for issue-registration-access-token flow
 #idp.oidc.admin.registration.logging = IssueRegistrationAccessToken
-#idp.oidc.admin.registration.nonBrowserSupported = true
-#idp.oidc.admin.registration.authenticated = false
+idp.oidc.admin.registration.nonBrowserSupported = true
+idp.oidc.admin.registration.authenticated = true
 #idp.oidc.admin.registration.resolveAttributes = false
 #idp.oidc.admin.registration.lookup.policy = shibboleth.oidc.admin.DefaultMetadataPolicyLookupStrategy
 #idp.oidc.admin.registration.defaultTokenLifetime = P1D
-#idp.oidc.admin.registration.accessPolicy = AccessByIPAddress
+idp.oidc.admin.registration.accessPolicy = AccessByAdminUser
 #idp.oidc.admin.registration.policyLocationPolicy = AccessByAdmin
-#idp.oidc.admin.registration.policyIdPolicy = AccessByAdmin
+idp.oidc.admin.registration.policyIdPolicy = AccessByAdminUser
 #idp.oidc.admin.registration.clientIdPolicy = AccessByAdmin
 
+idp.oidc.admin.clients.authenticated = true
+idp.oidc.admin.clients.accessPolicy = AccessByAdminUser
+
 #
 # OAuth2 Settings - these typically involve generic OAuth 2.0 use cases
 #

testbed/integration/shibboleth-idp/config/shib-idp/conf/relying-party.xml

@@ -57,6 +57,7 @@
 			          <ref bean="OIDC.UserInfo"/>
 			          <ref bean="OAUTH2.Revocation"/>
 			          <ref bean="OAUTH2.Introspection" />
+                <bean parent="OIDC.Registration" />
             </list>
         </property>
     </bean>

testbed/integration/shibboleth-idp/db/oidc_dynreg.sql

@@ -0,0 +1,10 @@
+CREATE DATABASE oidc_dynreg;
+\c oidc_dynreg
+CREATE TABLE storagerecords (
+  context varchar(255) NOT NULL,
+  id varchar(255) NOT NULL,
+  expires bigint DEFAULT NULL,
+  value text NOT NULL,
+  version bigint NOT NULL,
+  PRIMARY KEY (context, id)
+);