Fork me on GitHub

OpenID Connect / Advanced configuration (v6.4)

See also:

  ▸ Basic configuration and OIDC clients

  ▸ OIDC federation support

The advanced configuration options are available:

1) Client authentication method

a) client_secret_basic / client_secret_post

You can define how the client credentials (clientId and secret) are passed to the token endpoint with the setClientAuthenticationMethod method:

config.setClientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC); // or CLIENT_SECRET_POST

b) client_secret_jwt

You can use the CLIENT_SECRET_JWT authentication method by providing the ClientSecretJwtClientAuthnMethodConfig component:

oidcConfiguration.setClientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_JWT);

val clientSecretJwtConfig = new ClientSecretJwtClientAuthnMethodConfig(new URI("http://audience"), JWSAlgorithm.HS256);
oidcConfiguration.setClientSecretJwtClientAuthnMethodConfig(clientSecretJwtConfig);

c) private_key_jwt

You can also use the PRIVATE_KEY_JWT authentication method by providing the PrivateKeyJWTClientAuthnMethodConfig component:

Example:

oidcConfiguration.setClientAuthenticationMethod(ClientAuthenticationMethod.PRIVATE_KEY_JWT);

val jwksProperties = new JwksProperties();
jwksProperties.setJwksPath("classpath:/static/op/keystore.jwks");
jwksProperties.setKid("cas-qGcosGMN");
val signingKey = JwkHelper.loadJwkFromOrCreateJwks(jwksProperties);

val privateKeyJwtConfig = new PrivateKeyJWTClientAuthnMethodConfig(JWSAlgorithm.RS256, ((RSAKey) signingKey).toKeyPair().getPrivate(), "12345");
oidcConfiguration.setPrivateKeyJWTClientAuthnMethodConfig(privateKeyJwtConfig);

Since v6.4.0, this component is deprecated in favor of PrivateKeyJwtClientAuthnMethodConfig (notice Jwt instead of JWT) which is mandatory for federation.

It uses a JWKS built on the fly:

config.setClientAuthenticationMethod(ClientAuthenticationMethod.PRIVATE_KEY_JWT);
val privateKeyJwtConfig = new PrivateKeyJwtClientAuthnMethodConfig(new JwksProperties());
privateKeyJwtConfig.getJwks().setJwksPath("file:./metadata/clientauthprivatekeyjwt.jwks");
privateKeyJwtConfig.getJwks().setKid("myprivatekeyjwt");
config.setPrivateKeyJWTClientAuthnMethodConfig(privateKeyJwtConfig);

Or it can use the default RP JWKS (this should be the right option in most cases):

val rpJwks = config.getRpJwks();
rpJwks.setJwksPath("file:./metadata/rpjwks.jwks");
rpJwks.setKid("defaultjwks0326");
config.setClientAuthenticationMethod(ClientAuthenticationMethod.PRIVATE_KEY_JWT);
val privateKeyJwtConfig = new PrivateKeyJwtClientAuthnMethodConfig(rpJwks);
config.setPrivateKeyJWTClientAuthnMethodConfig(privateKeyJwtConfig);

Since version 6.3.2, the privateKeyJWT is recreated when expired, and expiration can be tuned :

    /** Default JWT token expiration time in seconds */
    privateKeyJwtConfig.setValidity(60);
    /** Clock skew used to not reuse a token to close to expire */
    privateKeyJwtConfig.setKeyClockSkew(10);

PrivateKeyJWT expiration mechanism can be disabled by setting :

    privateKeyJwtConfig.setUseExpiration(false);

Notice that you can define a set of client authentication methods instead of just one via the setSupportedClientAuthenticationMethods method.

2) State/Nonce

Custom state values may be defined in the configuration using the below methods:

config.setWithState(true);
config.setStateData("custom-state-value");

The nonce for ID tokens can be ignored on refresh. This can be done using:

config.setUseNonceOnRefresh(false);

3) Algorithms

You can choose the algorithm (matched against the OP metadata) to verify the ID token signatures:

config.setIdTokenSigningAlgorithm(JWSAlgorithm.RS256);

This replaces the deprecated setPreferredJwsAlgorithm method.

You can also choose the algorithm (matched against the OP metadata) to sign the request objects:

config.setRequestObjectSigningAlgorithm(JWSAlgorithm.RS256);

The key used is the one stored in the RP JWKS (config.getRpJwks) so it must be defined.

4) Tokens

When validating the IDToken in the login process, you can set a clock skew:

// 1 minute
config.setMaxClockSkew(60);

By default, the local session expires when the access token does, but this can be disabled using:

config.setExpireSessionWithToken(false);

The additional param TokenExpirationAdvance allows to set the time in seconds, previous to the token expiration, in which the expiration is advanced. By default it is 0 seconds.

config.setTokenExpirationAdvance(10);

To reinforce security, the none alogithm for ID tokens (meaning no signature validation) must be explicitly accepted by using:

config.setAllowUnsignedIdTokens(true);

5) Other settings

You can finally set additional parameters by using the addCustomParam(String key, String value) method:

// select display mode: page, popup, touch, and wap
config.addCustomParam("display", "popup");
// select prompt mode: none, consent, select_account
config.addCustomParam("prompt", "none");

You can disable the call to the user info endpoint using:

config.setCallUserInfoEndpoint(false);

For security, the logout requests are validated. This can be disabled using:

config.setLogoutValidation(false);

You can enable the PAR mechanism via:

config.setPushedAuthorizationRequest(true);