Protecting my OIDC dynamic client registration endpoint in Tomcat

Wessel, Keith kwessel at illinois.edu
Fri Sep 18 16:57:46 UTC 2020


All,

Hoping someone's come up with a creative solution to this or, at the least, an obvious one that I'm overlooking.

We currently have our IdP's OIDC dynamic client registration endpoint protected behind HTTP basic auth. A user must authenticate against Active Directory (using Apache's mod_auth_krb) as well as be in the allowed list of users. This was all relatively easy to configure using Apache directives in a <Location> block for the registration endpoint URL. I'm not sure if I'm keeping with the spec by putting basic auth in front of the dynamic client registration endpoint, and I did have to do some header manipulation post-authentication in Apache to drop the authorization header. Otherwise, the registration endpoint rejects the request because of an invalid authorization type.

The problem is we're now moving to a Docker container based on the I2 Trusted Access Platform packaging, and it obviously doesn't have Apache. It just has Tomcat. I'd rather not add Apache to the mix just for this.

The OIDC extension doesn't yet seem to have any functionality built in for somehow protecting this endpoint from being open to the world. I started down the JAAS route of telling Tomcat to protect it with Kerberos, but I can't figure out how to tell Tomcat what JAAS context to use. That is, what outer block do I put in my jaas.config and how do I associate it with the block that I add to my web.xml that includes the /idp/profile/oidc/register URL pattern?

Even if I can get this working, I'm then going to have to hard code a list of allowed principals inside my web.xml so that client registration isn't open to anyone who can authenticate. Is there some way to do this externally?

If there's a simpler or different approach here, I'm open to that, too. I'd even be willing to let go of this authentication against Active Directory approach if something else will offer similar security. So, I'd be interested to hear how others are protecting their dynamic client registration endpoint.

Thanks,
Keith
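Editor's added example, not Keith's configuration and not part of the Shibboleth or TAP packaging: the Tomcat-side wiring the question above asks about. Tomcat's JAASRealm ties to a JAAS configuration through its appName attribute; that name must match the outer block in jaas.config, so for the Realm below the file would contain a block such as `IdpRegistration { com.sun.security.auth.module.Krb5LoginModule required; };` (with default options, Krb5LoginModule takes the name and password Tomcat supplies from the Basic header and performs an AS exchange against the KDC named in krb5.conf). The context name IdpRegistration, the context file location and the web.xml realm name are assumptions; the url-pattern is context-relative, so with the IdP deployed at /idp the pattern /profile/oidc/register covers /idp/profile/oidc/register.

```xml
<!-- Added example (not from the original post or the IdP packaging).
     Realm for the IdP webapp, e.g. in conf/Catalina/localhost/idp.xml.
     appName must equal the outer block name in jaas.config; configFile is
     resolved relative to CATALINA_BASE. userClassNames names the Principal
     class Krb5LoginModule puts in the Subject so Tomcat knows who logged in. -->
<Context>
  <Realm className="org.apache.catalina.realm.JAASRealm"
         appName="IdpRegistration"
         userClassNames="javax.security.auth.kerberos.KerberosPrincipal"
         configFile="conf/jaas.config"/>
</Context>

<!-- Added example: fragment for the IdP's web.xml. No <http-method> is listed
     on purpose, so every method on the path is constrained (listing only POST
     would leave GET/PUT/DELETE unprotected). "**" (Servlet 3.1) means any
     authenticated user; Tomcat constraints are role based, so a narrower
     allow-list needs a login module that adds role principals, declared via
     the Realm's roleClassNames attribute, and a concrete <role-name> here. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>OIDC dynamic client registration</web-resource-name>
    <url-pattern>/profile/oidc/register</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>**</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>IdP client registration</realm-name>
</login-config>
```

Two caveats for anyone trying this: Tomcat passes the Authorization header through to the application unchanged after authenticating, so the header-dropping that Apache did in the original setup has no container-level equivalent in Tomcat and would need a servlet filter in front of the registration endpoint; and because auth-constraint only understands roles, restricting registration to a short list of people cannot be done with Krb5LoginModule alone, since it yields a KerberosPrincipal and no role principals.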