Quality improvement based on implementation knowledge.

[daisukenishino2]

Requirement

Issue for consideration

Token management

List

Currently, do not manage issued tokens.
→ Changed to persist the issued token.

Revoke

Web API exists, but there is no administrator tool.

Update of token information

There is possibility that the expiration date and scope need to be updated.

However, this implementation needs to be changed to the implementation
which takes out expiration date and scope from store using "jti" of access_token.

Scope control

Hybrid flow token

Add a feature to narrow the scope of tokens
that is passed to the front-end per each client.

Currently, the can only narrow by implement code per IdP.

Use RequestObject

Managed by client using RequestObject.

Reference

• 汎用認証サイトの独自仕様 - Open 棟梁 Wiki > 参考 > 比較
  https://opentouryo.osscons.jp/index.php?%E6%B1%8E%E7%94%A8%E8%AA%8D%E8%A8%BC%E3%82%B5%E3%82%A4%E3%83%88%E3%81%AE%E7%8B%AC%E8%87%AA%E4%BB%95%E6%A7%98#lfead2af

[daisukenishino2]

Additional requirements

AuthZ metadata

Userinfo

• × userinfo_signing_alg_values_supported : ["RS256"]
• × userinfo_encryption_alg_values_supported
• × userinfo_encryption_enc_values_supported

JAR

• request_parameter_supported : "false"
• request_uri_parameter_supported : "true"
• request_object_endpoint : "http://xxxxxx"
• request_object_signing_alg_values_supported : ["RS256"]
• × request_object_encryption_alg_values_supported
• × request_object_encryption_enc_values_supported

JARM

• response_modes_supported" :
  ["query", "fragment", "form_post", "query.jwt", "fragment.jwt", "form_post.jwt"]
• authorization_signing_alg_values_supported : ["RS256"]
• × authorization_encryption_alg_values_supported
• × authorization_encryption_enc_values_supported

Claims

Respond appropriately with JAR support.

• claims_parameter_supported : true
• claims_supported : ["XXX", "YYY", "ZZZ"]
• scopes_supported : ["XXX", "YYY", "ZZZ"]

Endpoints

The endpoint URL is not an array, but a single string.

• revocation_endpoint : "https://..."
• introspection_endpoint : "https://..."

subject_type

• subject_types_supported : ["public"]

• × sector_identifier_uri

• Calculate pairwise sub with the following algorithm.

sub = SHA-256 ( redirect_uri || local_account_id || salt )

Others

• display_values_supported : ["page"]

Client metadata

Select settings when registering.

Cryptographic algorithm

Enabule to configure enc algorithms within the same key management.

Userinfo

• × userinfo_signed_response_alg : ["RS256"]
• × userinfo_encrypted_response_alg
• × userinfo_encrypted_response_enc

JAR

• × request_object_signing_alg : ["RS256"]
• × request_object_encryption_alg
• × request_object_encryption_enc

JARM

• × authorization_signed_response_alg : ["RS256"]
• × authorization_encrypted_response_alg
• × authorization_encrypted_response_enc

max_age, auth_time

• × default_max_age
• × require_auth_time

subject_type

• × subject_types : "public" or "pairwise"

Reference

• Review of "https://.../.well-known/openid-configuration.". #94

• マイクロソフト系技術情報 Wiki

  • OpenID Connect - Discovery
  • OpenID Connect - Dynamic Client Registration