[NOTASK]

oidc updates

pom.xml

@@ -105,6 +105,13 @@
             <artifactId>pac4j-oidc</artifactId>
             <version>${pac4j.version}</version>
         </dependency>
+        <!-- override version from grouper -->
+        <!-- TODO: see if there's a better way of doing this. doesn't look like exclusions work for import scopes -->
+        <dependency>
+            <groupId>com.nimbusds</groupId>
+            <artifactId>oauth2-oidc-sdk</artifactId>
+            <version>10.1</version>
+        </dependency>
 
         <dependency>
             <groupId>org.osgi</groupId>

src/main/java/edu/internet2/middleware/grouper/authentication/plugin/config/OidcClientProvider.java

@@ -3,12 +3,10 @@
 import edu.internet2.middleware.grouper.authentication.plugin.ConfigUtils;
 import edu.internet2.middleware.grouper.authentication.plugin.ExternalAuthenticationServletContainerInitializer;
 import edu.internet2.middleware.grouper.authentication.plugin.GrouperAuthentication;
-import edu.internet2.middleware.grouper.authentication.plugin.Pac4jConfigFactory;
 import edu.internet2.middleware.grouper.authentication.plugin.oidc.client.ClaimAsUsernameOidcClient;
 import edu.internet2.middleware.grouper.authentication.plugin.oidc.config.ClaimAsUsernameOidcConfiguration;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.apache.log4j.Logger;
 import org.osgi.framework.BundleContext;
 import org.osgi.framework.FrameworkUtil;
 import org.osgi.framework.InvalidSyntaxException;

src/test/docker/grouper/config/grouper-ui.properties

@@ -1,11 +1,11 @@
 grouper.is.extAuth.enabled = true
 external.authentication.grouperContextUrl = https://grouper-ui.unicon.local/grouper
 
-#external.authentication.provider = oidc
-#external.authentication.oidc.clientId = *****
-#external.authentication.oidc.discoveryURI = https://unicon.okta.com/.well-known/openid-configuration
-#external.authentication.oidc.secret = *****
-#external.authentication.oidc.claimAsUsername = preferred_username
+external.authentication.provider = oidc
+external.authentication.oidc.clientId = grouper
+external.authentication.oidc.discoveryURI = https://idp.unicon.local/idp/profile/oidc/configuration
+external.authentication.oidc.secret = thisisverysecret
+external.authentication.oidc.claimAsUsername = preferred_username
 
 #external.authentication.provider = saml
 #external.authentication.saml.identityProviderEntityId = https://idp.unicon.local/idp/shibboleth

src/test/docker/shibboleth-idp/opt-shibboleth-idp/conf/attribute-filter.xml

@@ -12,13 +12,29 @@
 <AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
         xmlns="urn:mace:shibboleth:2.0:afp"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
+        xmlns:oidc="urn:mace:shibboleth:2.0:afp:oidc"
+        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd
+                            urn:mace:shibboleth:2.0:afp:oidc http://shibboleth.net/schema/oidc/shibboleth-afp-oidc.xsd">
 
     <AttributeFilterPolicy>
         <PolicyRequirementRule xsi:type="ANY" />
         <AttributeRule attributeID="uid">
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>
     </AttributeFilterPolicy>
+
+    <AttributeFilterPolicy id="OPENID_SCOPE">
+        <PolicyRequirementRule xsi:type="oidc:OIDCScope" value="openid" />
+        <!-- May adjust to taste depending on strategy used to produce sub claim. -->
+        <AttributeRule attributeID="subject">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+        <AttributeRule attributeID="subject-public">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+        <AttributeRule attributeID="subject-pairwise">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+    </AttributeFilterPolicy>
 
 </AttributeFilterPolicyGroup>

src/test/docker/shibboleth-idp/opt-shibboleth-idp/conf/attribute-resolver.xml

@@ -14,24 +14,10 @@ list of possible components and their options.
 -->
 <AttributeResolver
         xmlns="urn:mace:shibboleth:2.0:resolver" 
-        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
-        xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">
-
-
-    <!-- ========================================== -->
-    <!--      Attribute Definitions                 -->
-    <!-- ========================================== -->
-
-    <!--
-    The EPPN is the "standard" federated username in higher ed.
-    For guidelines on the implementation of this attribute, refer
-    to the Shibboleth and eduPerson documentation. Above all, do
-    not expose a value for this attribute without considering the
-    long term implications. 
-    -->
-    <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped" scope="%{idp.scope}">
-        <InputAttributeDefinition ref="uid" />
-    </AttributeDefinition>
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xmlns:oidc="urn:mace:shibboleth:2.0:resolver:oidc"
+        xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
+                            urn:mace:shibboleth:2.0:resolver:oidc http://shibboleth.net/schema/oidc/shibboleth-attribute-encoder-oidc.xsd">
 
     <!--
     The uid is the closest thing to a "standard" LDAP attribute
@@ -40,39 +26,10 @@ list of possible components and their options.
     -->
     <AttributeDefinition id="uid" xsi:type="PrincipalName" />
 
-    <!--
-    In the rest of the world, the email address is the standard identifier,
-    despite the problems with that practice. Consider making the EPPN
-    value the same as your official email addresses whenever possible.
-    -->
-    <AttributeDefinition id="mail" xsi:type="Template">
+    <AttributeDefinition id="subject-public" xsi:type="Scoped" scope="%{idp.scope}"
+                         activationConditionRef="shibboleth.oidc.Conditions.PublicRequired">
         <InputAttributeDefinition ref="uid" />
-        <Template>
-          <![CDATA[
-               ${uid}@example.org
-          ]]>
-        </Template>
-    </AttributeDefinition>
-
-    <!--
-    This is an example of an attribute sourced from a data connector.
-    -->
-    <AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="Scoped" scope="%{idp.scope}">
-        <InputDataConnector ref="staticAttributes" attributeNames="affiliation" />
+        <AttributeEncoder xsi:type="oidc:OIDCScopedString" name="sub" />
     </AttributeDefinition>
 
-
-    <!-- ========================================== -->
-    <!--      Data Connectors                       -->
-    <!-- ========================================== -->
-
-    <DataConnector id="staticAttributes" xsi:type="Static" exportAttributes="schacHomeOrganization">
-        <Attribute id="schacHomeOrganization">
-            <Value>%{idp.scope}</Value>
-        </Attribute>
-        <Attribute id="affiliation">
-            <Value>member</Value>
-        </Attribute>
-    </DataConnector>
-
 </AttributeResolver>

src/test/docker/shibboleth-idp/opt-shibboleth-idp/conf/oidc-clientinfo-resolvers.xml

@@ -20,16 +20,8 @@
     -->
 
     <util:list id="shibboleth.oidc.ClientInformationResolvers">
-        <!-- <ref bean="ExampleFileResolver" /> -->
-        <ref bean="ExampleStorageClientInformationResolver" />
+        <bean id="grouperResolver" parent="shibboleth.oidc.FilesystemClientInformationResolver"
+              c:_0="%{idp.home}/metadata/oidc-grouper.json" />
     </util:list>
 
-    <!--
-    <bean id="ExampleFileResolver" parent="shibboleth.oidc.FilesystemClientInformationResolver"
-        c:metadata="%{idp.home}/metadata/oidc-client.json" />
-    -->
-
-    <bean id="ExampleStorageClientInformationResolver" parent="shibboleth.oidc.StorageClientInformationResolver"
-        p:storageService-ref="#{'%{idp.oidc.dynreg.StorageService:shibboleth.StorageService}'.trim()}" />
-
 </beans>

src/test/docker/shibboleth-idp/opt-shibboleth-idp/conf/relying-party.xml

@@ -24,6 +24,7 @@
             <list>
             <!-- <bean parent="SAML2.SSO" p:encryptAssertions="false" /> -->
                 <ref bean="OIDC.Keyset" />
+                <bean parent="OIDC.Configuration" />
             </list>
         </property>
     </bean>

src/test/docker/shibboleth-idp/opt-shibboleth-idp/metadata/oidc-grouper.json

@@ -0,0 +1,7 @@
+{
+  "client_id": "grouper",
+  "client_secret": "thisisverysecret",
+  "response_types": ["code"],
+  "scope": "openid info profile email address phone",
+  "redirect_uris": ["https://grouper-ui.unicon.local/grouper/callback?client_name=client"]
+}