Adds OpenID Connect Dynamic Client Registration #908

aeneasr · 2018-06-17T20:00:16Z

Merge Improves how errors are written and reported herodot#13
Merge openid: Adds errors for request and registration parameters fosite#289
Add policy, tos, logo to consent app
Some errors are dispatched directly to the JSON writer, this needs to be fixed because it doesn't wrap errors any more.

Previously, a client's id was sent as field `id`. This patch renames field `id` to `client_id` as mandated by spec: https://openid.net/specs/openid-connect-discovery-1_0.html

Environment variable `OIDC_DYNAMIC_CLIENT_REGISTRATION_DEFAULT_SCOPE` was added in order to better implement the OpenID Connect Dynamic Client Registration protocol. The mentioned protocol does not support the concept of whitelisting OAuth 2.0 Scope on a per-client basis. Therefore, the functionality to define the default OAuth 2.0 Scope has been defined. Keep in mind that exposing the OpenID Connect Dynamic Client Registration functionality to the public effectively disables the OAuth 2.0 Scope whitelisting functionality, as each caller of that API can define which OAuth 2.0 Scope a client may request. If you decide to expose that functionality, you should NEVER assume that the granted OAuth 2.0 Scope has any meaning when handling requests at your consent endpoint, or when validating requests with tokens issued by the client_credentials flow.

Closes #909

Closes #903

arekkas added 12 commits June 16, 2018 11:45

oauth2: Implements dynamic client registration

3191618

client: Renames id to client_id in response payload

1f5d73f

Previously, a client's id was sent as field `id`. This patch renames field `id` to `client_id` as mandated by spec: https://openid.net/specs/openid-connect-discovery-1_0.html

oauth2: Resolves well-known test issues

3d4a6a8

vendor: Includes fosite's id_token bugfix

856c32b

client: Adds sector identifier URL

8f1d914

docs: Updates upgrade instructions

8d24fc0

docs: Updates certification startup script

da3bdf0

cmd: Properly instantiates client handler

8fa2b0a

vendor: Bumps fosite to request error handling

789b3c3

oauth2: Adds parameter broadcast to oidc discovery

d27322b

oauth2: Adds private_key_jwt authentication method

5124820

aeneasr force-pushed the improve-cert branch from 8e64009 to 5124820 Compare June 17, 2018 20:05

arekkas added 6 commits June 18, 2018 15:14

client: Disallow fragments in client's redirect uri

aa05513

vendor: Bumps fosite version

d3f4f10

oauth2: Removes broken instruction

c6508d1

all: Removes nesting from error responses

b2120c4

all: Uses RFC6749 errors everywhere

1315241

all: Enforces proper error layout

f06434d

aeneasr force-pushed the improve-cert branch from 4f6cdd7 to f06434d Compare June 18, 2018 15:43

arekkas added 2 commits June 18, 2018 19:33

oauth2: Support other signing algorithms than RS256

f806fd6

oauth2: Exposes proper oidc configuration

de40595

aeneasr force-pushed the improve-cert branch from 158d081 to de40595 Compare June 18, 2018 17:53

aeneasr added 4 commits June 19, 2018 08:37

oauth2: Declares grant type refresh_token as supported

8bbdcff

client: Keep id as alias to client_id

b105713

pkg: Simplify error helper

ba707f8

jwk: Adds jwk rotation and improves jwk codebase

7458984

aeneasr force-pushed the improve-cert branch from 521d3f6 to 7458984 Compare June 21, 2018 10:08

arekkas added 2 commits June 21, 2018 16:27

client: Improves and DRYies validation in the handler

c8087b3

Closes #909

cmd: Improves key rotation logic

a18a2e5

arekkas added 24 commits June 21, 2018 18:50

cmd: Key rotation does not rename keys

4fdf470

cmd: Refresh signing keys

53387d2

cmd: Do not re-use kid when rotating key

0d64e37

cmd: Do not recreate keys when refreshing

cdea65c

jwk: Implements proper refreshing strategy

5769412

jwk: Removes buggy rotate command and improves jwk refresh

01a3820

jwk: Resolves minor test issues

bed2e5f

oauth2: Implements userinfo response signing

0d6da92

jwk: Resolves MySQL timing issue in tests

5ee1fc2

oauth2: Adds userinfo tests

db8b4bb

oauth2: Implements oidc compliant response_type validation

3d5ff3e

jwk: Better error detection in jwt key strategy

1360605

cmd: Uses proper jwt strategy in oauth2 factory

d352c58

docs: Adds results from oidc self-service test suite

074b2b0

cmd: Improves error response style

01ebdba

docs: Updates error layout

3057afa

all: Improves SQL error handling

83becac

Closes #903

client: Fixes broken SDK test

a5e3fe5

oauth2: Improves oauth2 fallback endpoints

ed34198

vendor: Updates vendored dependencies

9280a96

docs: Updates oidc certification profiles

62f37a6

vendor: Updates vendored dependencies

0024527

pkg: Resolves issue where stack traces can't be recovered

86554cb

oauth2: Properly return errors when resource not found

a6fb9df

aeneasr merged commit 200aa81 into master Jun 24, 2018

aeneasr deleted the improve-cert branch June 24, 2018 15:24

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Adds OpenID Connect Dynamic Client Registration #908

Adds OpenID Connect Dynamic Client Registration #908

aeneasr commented Jun 17, 2018 •

edited

Loading

Adds OpenID Connect Dynamic Client Registration #908

Adds OpenID Connect Dynamic Client Registration #908

Conversation

aeneasr commented Jun 17, 2018 • edited Loading

aeneasr commented Jun 17, 2018 •

edited

Loading