  1. Identity Gateway
  2. OPENIG-586

Static client registration should support pattern matching to resolve the provider

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.0.0
    • Fix Version/s: 4.0.0
    • Component/s: OAuth 2.0
    • Labels:
      None
    • Sprint:
      OpenIG Sprint 64, OpenIG Sprint 65

      Description

      Matthew Swift says: (http://sources.forgerock.org/cru/CR-7428#c88341)

      As a user I would still like to be able to type in my gmail.com address even if Google don't support discovery and registration. The same applies to other common providers. I suggest that we support these use cases by allowing administrators to configure static client registrations for providers like Google and then use pattern matching to resolve the provider, e.g.:

      • "*@google.com" -> use Google OIDC
      • "*@yahoo.com" -> use Yahoo OIDC
      • "*" -> use discovery.

      Note that OIDC auth allows clients to provide "hints" in order to bypass some authentication steps. In particular, if a user types in their GMail email address then, not only can we determine that we should use Google, but we can also pass in the GMail address as a hint in order to skip the step where Google asks the user to select an account and/or type in their email address.
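
The resolution order suggested in the description, as an added example that is not OpenIG code or configuration: patterns are tried in order, the catch-all falls back to discovery, and the typed address is forwarded as the OIDC `login_hint` parameter. The rule table, provider names, endpoints and client IDs are constructed placeholders; the point to check is that each glob is escaped and matched against the whole identifier, so a look-alike domain cannot select a static registration.

```python
import re
from urllib.parse import urlencode

# Constructed rule table, ordered: first match wins, catch-all "*" last.
# Provider names, endpoints and client IDs are placeholders (assumptions).
RULES = [
    ("*@google.com", "google"),
    ("*@yahoo.com", "yahoo"),
    ("*", None),  # None means: fall back to discovery
]
STATIC_CLIENTS = {
    "google": {"authorize": "https://idp-google.example/authorize", "client_id": "ig-google"},
    "yahoo": {"authorize": "https://idp-yahoo.example/authorize", "client_id": "ig-yahoo"},
}

def glob_to_regex(pattern):
    # Escape literals so "." in "google.com" is not a wildcard; only "*" expands.
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(body, re.IGNORECASE)

COMPILED = [(glob_to_regex(p), name) for p, name in RULES]

def resolve_provider(identifier):
    """Return the static provider name, or None when discovery should be used."""
    for regex, name in COMPILED:
        # fullmatch anchors both ends: "a@google.com.evil.example" must not hit Google.
        if regex.fullmatch(identifier.strip()):
            return name
    return None

def authorization_url(identifier, redirect_uri, state):
    name = resolve_provider(identifier)
    if name is None:
        return None  # caller runs discovery and dynamic registration instead
    client = STATIC_CLIENTS[name]
    query = urlencode({
        "response_type": "code",
        "scope": "openid",
        "client_id": client["client_id"],
        "redirect_uri": redirect_uri,
        "state": state,
        "login_hint": identifier.strip(),  # URL-encoded by urlencode
    })
    return client["authorize"] + "?" + query
```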

              People

              • Assignee:
                violette Violette Roche Montane
                Reporter:
                violette Violette Roche Montane