[OPENAM-16314] Create OAuth2/OIDC Node to allow same authentication methods used and supported by our own OpenID Connect provider and clients Created: 02/Jun/20  Updated: 24/Feb/21

Status: Open
Project: OpenAM
Component/s: authentication, oauth2, OpenID Connect
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Major
Reporter: Jochen Raymaekers Assignee: Unassigned
Resolution: Unresolved Votes: 2
Labels: CustomerRFE, NEWTON
Σ Remaining Estimate: Not Specified Remaining Estimate: Not Specified
Σ Time Spent: Not Specified Time Spent: Not Specified
Σ Original Estimate: Not Specified Original Estimate: Not Specified

Issue Links:
depends on OPENAM-17417 OAuth mTLS CA-signed certificates not... In Progress
OPENAM-17380 Social Identity Providers to offer tl... Sub-task Closed Alun Daley  
OPENAM-17381 Establish/setup a TLS with Client Aut... Sub-task Closed Alun Daley  
OPENAM-17382 AM to provide client cert in access a... Sub-task Closed Alun Daley  
OPENAM-17383 Clients must use mtls_endpoint_aliase... Sub-task Closed Alun Daley  
OPENAM-17384 Clients to publish self signed cert a... Sub-task Closed Michael Carter  
OPENAM-17385 Confirmation Method for Token Introsp... Sub-task Closed Alun Daley  
OPENAM-17386 Upgrade rules (if reqd) Sub-task Closed  
OPENAM-17387 Forgeops config updated (if reqd) Sub-task Closed  
OPENAM-17388 Id cloud config updated (if reqd) Sub-task Closed  
OPENAM-17389 Functional Tests Sub-task In Progress Andrew Vinall  
OPENAM-17390 Create docs task Sub-task Open  
OPENAM-17391 Postman collection provided (if reqd) Sub-task Open  
OPENAM-17403 Spike: set up and understand how AM w... Technical task Closed Alun Daley  
OPENAM-17419 Setup tomcat for self-signed client c... Sub-task Closed Michael Carter  
OPENAM-17462 Demo, review and merge mtls base branch Sub-task Open  
OPENAM-17463 DoD Sub-task Open  
Rank: 1|i03f24:
Sprint: AM 2021.02 - Water Turbine, AM 2021.03 - Chess
Story Points: 8
Epic Link: OIDC Client Enhancements
Support Ticket IDs:


When using the OAuth2/OpenID Connect authentication module/node, the client always authenticates to the OpenID Connect provider using client_secret_post.

I was looking into our Social OIDC Node and came across https://bugster.forgerock.org/jira/browse/OPENAM-9779. As far as I'm aware, when we are the OIDC Provider we support private_key_jwt for our clients, but not when we connect to another provider. So the issue above could easily be included in our OIDC Node, as we already created something similar for our own OAuth 2.0 Client configurations.

Acceptance Criteria

  • client_secret_jwt is supported (not needed as part of this story)
  • tls_client_auth is supported
  • self_signed_tls_client_auth is supported
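What the description asks the node to do, as an added example that is not AM's code: with client_secret_post the client only posts client_id and client_secret to the token endpoint, whereas with private_key_jwt it sends a client assertion (RFC 7523) signed with its own key, which the provider verifies against the key registered for that client_id. Both sides are shown below; the EdDSA algorithm (RFC 8037) is used only to keep the example short (RS256 or ES256 are the usual choices), and the client_id, token endpoint URL and jti values are assumptions, with no replay store for jti.

```go
package main
import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims of an RFC 7523 client assertion as used by the private_key_jwt method.
type assertionClaims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Jti string `json:"jti"`
	Exp int64  `json:"exp"`
}

// BuildClientAssertion (client side): iss and sub are the client_id, aud is the provider's
// token endpoint, exp is short, and the JWT is signed with the client's private key (EdDSA).
func BuildClientAssertion(key ed25519.PrivateKey, clientID, tokenEndpoint, jti string, now time.Time) string {
	claims, _ := json.Marshal(assertionClaims{clientID, clientID, tokenEndpoint, jti, now.Add(time.Minute).Unix()})
	input := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`)) + "." + base64.RawURLEncoding.EncodeToString(claims)
	return input + "." + base64.RawURLEncoding.EncodeToString(ed25519.Sign(key, []byte(input)))
}
// VerifyClientAssertion (token endpoint side): check the signature with the key registered
// for client_id (the header's alg is ignored, never trusted), then the claims binding it to this
// client and endpoint. aud is taken as a single string (RFC 7523 also allows an array), and a
// production OP also stores each jti until exp so a captured assertion cannot be replayed.
func VerifyClientAssertion(assertion string, pub ed25519.PublicKey, clientID, tokenEndpoint string, now time.Time) error {
	hdr, rest, _ := strings.Cut(assertion, ".")
	claimsB64, sigB64, ok := strings.Cut(rest, ".")
	sig, err := base64.RawURLEncoding.DecodeString(sigB64)
	if !ok || err != nil || !ed25519.Verify(pub, []byte(hdr+"."+claimsB64), sig) {
		return errors.New("malformed assertion or signature does not verify with the client's key")
	}
	payload, err := base64.RawURLEncoding.DecodeString(claimsB64)
	var c assertionClaims
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return errors.New("undecodable claims")
	}
	if c.Iss != clientID || c.Sub != clientID || c.Aud != tokenEndpoint {
		return errors.New("assertion is not bound to this client_id and token endpoint")
	}
	if c.Jti == "" || now.Unix() >= c.Exp {
		return errors.New("assertion has no jti or has expired")
	}
	return nil
}
```

The assertion goes in the token request as client_assertion with client_assertion_type set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer, and no client_secret is sent at all.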

Comment by Andrew Forrest [ 13/Oct/20 ]

Season planning: initial estimate of 8 points

Comment by Andrew Forrest [ 01/Dec/20 ]

Andy Hall the title appears to talk about supporting all authn methods that we support as an OP, and yet the description talks only about private_key_jwt. How should we scope this? Also, just to confirm, we are not looking at the OIDC node, but rather the social provider handler node?

Comment by Michael Carter [ 15/Dec/20 ]

Andy Hall Do we need to support tls_client_auth and self_signed_tls_client_auth as well, given that AM as OP supports them? We've assumed yes for the time being.

Comment by Andy Hall [ 25/Jan/21 ]

Michael Carter Yes.

Comment by Michael Carter [ 27/Jan/21 ]

See https://tools.ietf.org/html/rfc8705 for tls client auth stuff.

Comment by Kevin Umebolu [ 27/Jan/21 ]

Link to RFC: https://datatracker.ietf.org/doc/rfc8705/

Generated at Sat Feb 27 03:49:34 UTC 2021 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.