Shibboleth IDP for OAuth2
Ritterhoff, Florian
ritterhoff.florian at hm.edu
Tue Aug 9 14:42:13 UTC 2022
Hi all,
I'm currently playing around with the new OIDC plugin. As far as I have seen, there are several options to utilize/enable some OAuth2 functionality and "trigger" the generation of a JWT-encoded access_token. Sadly, so far I have not managed to figure out how to configure an OAuth2 client that is able to receive an access_token that I can pass to a resource server.
In detail I have two questions:
1. In case I add the (incorrect) openid scope to the client configuration, an access_token for the IdP is generated; in case I add an "artificial" scope (e.g. foo) to the config, the login/generation of the access_token fails.
{
  "scope": "foo",
  "redirect_uris": [
    "http://localhost:3000/oidc-callback"
  ],
  "client_id": "portal-frontend-dev",
  "subject_type": "public",
  "token_endpoint_auth_method": "none",
  "response_types": [
    "code"
  ],
  "grant_types": [
    "authorization_code"
  ]
}
According to the log, the error is that no further audience is allowed (Profile Action ValidateAudience: No allowed audience for client portal-frontend-dev). How can I configure one? 😉
2. Is there an option/example of how to extend the access_token so I can include further claims like the email, first name or affiliation? I stumbled over the accessTokenClaimsSetManipulationStrategy but did not figure out whether that is possible at all.
Thanks!
Florian Ritterhoff
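The ValidateAudience error in the post points at the contract an OAuth2 access token has to satisfy before a resource server will accept it: the token must name that resource server in its `aud` claim, must be signed by the expected issuer, must not be expired, and must carry the scope the API requires. The following is an added example (not code from the original post or from the Shibboleth project) of the resource-server side of that check. Everything in it is constructed: the issuer URL, the audience URL, the user claims and the shared secret are assumptions, and signing is done with HS256 so that the example runs with only the Python standard library (a Shibboleth-issued token would normally be RS256-signed with the OP's key from its JWKS endpoint, and a real resource server would verify against that key instead).

```python
"""Resource-server side validation of a JWT access token (constructed example)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example only (assumptions, not from the post).
SHARED_SECRET = b"example-secret-not-for-production"   # stand-in for the OP's signing key
EXPECTED_ISSUER = "https://idp.example.org"            # assumed OP issuer URL
EXPECTED_AUDIENCE = "https://rs.example.org/api"       # assumed resource server identifier
REQUIRED_SCOPE = "foo"                                  # the scope used in the post
NOW = 1_660_000_000                                     # fixed clock so results are deterministic


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Issuer stand-in: build a compact HS256 JWS carrying `claims` (typ per RFC 9068)."""
    header = {"alg": "HS256", "typ": "at+jwt"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def validate_access_token(token: str, secret: bytes = SHARED_SECRET, now=None) -> dict:
    """Verify the signature first, then enforce iss, aud, exp and scope.

    Raises ValueError with a short reason on any failure; returns the claims on success.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm on the verifier side; never let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    # `aud` may be a string or a list; this resource server must be one of the entries.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in audiences:
        raise ValueError("token not intended for this resource server")
    if now >= float(claims.get("exp", 0)):
        raise ValueError("token expired")
    # Scope is a space-separated string in OAuth2 (RFC 6749 / RFC 9068).
    if REQUIRED_SCOPE not in str(claims.get("scope", "")).split():
        raise ValueError("missing scope")
    return claims


def check(token: str, now=NOW) -> str:
    """Convenience wrapper returning 'ok' or the rejection reason."""
    try:
        validate_access_token(token, now=now)
        return "ok"
    except ValueError as exc:
        return str(exc)


# Constructed sample tokens. GOOD also carries the kind of extra claims the post
# asks about (email, given_name, affiliation); they ride along in the JWT payload.
BASE = {"iss": EXPECTED_ISSUER, "sub": "user-1", "scope": REQUIRED_SCOPE, "exp": NOW + 600}
GOOD = mint_token({**BASE, "aud": EXPECTED_AUDIENCE,
                   "email": "user@example.org", "given_name": "Example", "affiliation": "member"})
# A token whose audience is only the client itself is of no use at the resource server.
WRONG_AUD = mint_token({**BASE, "aud": "portal-frontend-dev"})
EXPIRED = mint_token({**BASE, "aud": EXPECTED_AUDIENCE, "exp": NOW - 1})
# Swap in a payload claiming an extra scope without re-signing: signature no longer matches.
_h, _c, _s = GOOD.split(".")
_forged = _b64url_encode(json.dumps({**BASE, "aud": EXPECTED_AUDIENCE, "scope": "foo admin"}).encode())
TAMPERED = f"{_h}.{_forged}.{_s}"

if __name__ == "__main__":
    for name, tok in [("GOOD", GOOD), ("WRONG_AUD", WRONG_AUD), ("EXPIRED", EXPIRED), ("TAMPERED", TAMPERED)]:
        print(f"{name:10s} -> {check(tok)}")
```

The ordering inside `validate_access_token` is deliberate: the signature is checked before any claim is read, so nothing in an unsigned or tampered payload influences the decision, and the audience check is what makes a token minted for the client alone (`aud` = client_id) useless at the API, which is the property the IdP's ValidateAudience step is protecting on the issuing side.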