github
/
OpenID-Connect-Java-Spring-Server
mirror of https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Updated Client configuration (markdown)

master
Justin Richer 2013-06-28 13:28:07 -07:00
parent b5704dfd03
commit 0ae4fc364c
1 changed files with 60 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
Client-configuration.md

@ -96,6 +96,29 @@ Allows an issuer to be passed in following the format of the OpenID Connect [thi
<property name="accountChooserUrl" value="http://login.example.net/account-chooser/" />
</bean>
```
This service supports setting of a `whitelist` or a `blacklist` property. If the whitelist is active, only issuers listed in the whitelist will be allowed. If the whitelist is inactive and the blacklist is active, issuers listed in the blacklist will not be allowed.
The whitelist is a set of strings:
```
<property name="whitelist">
<set>
<value>http://good-idp.com/</value>
<value>http://other-idp.com/</value>
</set>
</property>
```
The blacklist is a set of a strings:
```
<property name="blacklist">
<set>
<value>http://bad-idp.com/</value>
<value>http://evil-idp.com/</value>
</set>
</property>
```
### Webfinger Discovery Issuer Service
@ -107,6 +130,31 @@ Takes in input from a user form and does discovery based on the Webfinger protoc
</bean>
```
This service supports setting of a `whitelist` or a `blacklist` property. If the whitelist is active, only issuers listed in the whitelist will be allowed. If the whitelist is inactive and the blacklist is active, issuers listed in the blacklist will not be allowed.
The whitelist is a set of strings:
```
<property name="whitelist">
<set>
<value>http://good-idp.com/</value>
<value>http://other-idp.com/</value>
</set>
</property>
```
The blacklist is a set of a strings:
```
<property name="blacklist">
<set>
<value>http://bad-idp.com/</value>
<value>http://evil-idp.com/</value>
</set>
</property>
```
## Server Configuration
The client must know things about the server such as its authorization endpoint URL and token endpoint URL. Since these will vary from issuer to issuer, the server configuration objects are indexed by issuer URL.
@ -212,6 +260,18 @@ Dynamically registers the client for each issuer based on the template of client
All properties set in the template object are passed in to the dynamic registration endpoint's input and the dynamically registered client information is held in an in-memory cache.
This service has a `registeredClientService` property which optionally allows for a service to be configured to save a client's registration information. If the registration information is not saved somewhere, then a client application will re-register itself with the server every time it starts. By default, the service is configured with an `InMemoryRegisteredClientService` which, as the name suggests, does not use persistent storage. The library also contains a `JsonFileRegisteredClientService` which saves the registered client's registration_client_uri and registration_access_token out to disk in a plaintext (non-encrypted) JSON file. This file contains sensitive information and it must be readable and writeable by whatever process is running the client application. As such, this method should only be used with caution and is mostly intended for testing implementations.
```
<property name="registeredClientService">
<bean class="org.mitre.openid.connect.client.service.impl.JsonFileRegisteredClientService">
<constructor-arg name="filename" value="/tmp/swa-clients.json" />
</bean>
</property>
```
It would be greatly preferable for a client to have its own implementation of the `RegisteredClientService` interface to store the client registration information in a secure location, such a the client application's database store.
## Authorization Request URL Builder
### Plain Authorization Request