Server configuration
The MITREid Connect server can function as an OpenID Connect Identity Provider (IdP) and an OAuth 2.0 Authorization Server (AS) simultaneously. The server is a Spring application and its configuration files are found in openid-connect-server-webapp/src/main/webapp/WEB-INF/ and end in .xml. The configuration has been split into multiple .xml files to facilitate overrides and custom configuration. As such, application-context.xml and spring-servlet.xml should never be edited or overridden by a local configuration. Rather, each of the remaining files contains aspects that can be configured independently:
-
user-context.xml: Defines how user information is stored and accessed within the system, which users map to administrators, and how the site's default access controls will work. -
server-config.xml: Defines the server's ConfigurationPropertiesBean class which defines the server'sIssuerURL, from which all other URLs in the system are based. This also defines the display title and titlebar icon. -
data-context.xml: Data connection information used by the JPA storage layers. The beans defined here will include database connection credentials and any other components that need to be defined for storage. -
crypto-config.xml: Cryptographic configuration, defines the server's signing and validation service. this requires parameters such as location of the server's private key file and the server's default signing key and algorithm. -
task-config.xml: Defines scheduled tasks that should be run repeatedly with a fixed-delay. In our master branch, we have 2 tasks defined: clear out expired tokens, and clear out expired ApprovedSite definitions. -
local-config.xml: Any remaining new bean definitions that don't fit existing categories but need to be added to the configuration. This is loaded last.
If you override this file, be sure to include the promptFilter in your configured filters stack for handling prompt=login, prompt=consent, prompt=none, and max_auth_age functions. Ensure that the primary authentication filter references authenticationTimeStamper as its authenticationSuccessHandler in order for the server to keep track of the end user's authentication time.
An example of a custom configuration follows:
<bean id="ssoFilter" class="org.mitre.openid.connect.mitreadaptor.filter.X509LoginUrlFilter">
<property name="authenticationSuccessHandler" ref="authenticationTimeStamper" />
<property name="authenticationManager" ref="authenticationManager" />
<property name="principalExtractor" ref="principalExtractor" />
</bean>
<security:http entry-point-ref="authenticationEntryPoint" use-expressions="true" disable-url-rewriting="true"
authentication-manager-ref="authenticationManager" pattern="/**">
<security:intercept-url pattern="/**" access="permitAll" />
<security:custom-filter ref="authRequestFilter" after="SECURITY_CONTEXT_FILTER" />
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<security:custom-filter ref="ssoFilter" before="BASIC_AUTH_FILTER" />
<security:expression-handler ref="oauthWebExpressionHandler" />
<security:logout logout-url="/logout" />
<security:anonymous />
</security:http>
This file defines the ConfigurationPropertiesBean that holds basic, static configuration information about the server. Many classes throughout the project inject the ConfigurationPropertiesBean in order to get at important values that can't be otherwise discovered, such as the server's issuer. By default, issuer is set to http://localhost:8080/openid-connect-server-webapp/, but if the system is to be accessed on anything other than this URL, the value must be overridden and changed to the full root URL of the server.
The OAuth2 and OpenID Connect endpoints are currently set to the following values, appended to the issuer URL:
- Authorization endpoint: /authorize
- Token endpoint: /token
- Token introspection: /introspect
- Token revocation: /revoke
- JSON Web Key Set (public key): /jwk
- User info: /userinfo
- Provider configuration: /.well-known/openid-configuration
The server's display strings can be translated into other languages or customized for specific deployments as show in the language files documentation.
