Gap Analysis for SSP Module authoauth2

Repo URL: https://github.com/cirrusidentity/simplesamlphp-module-authoauth2

Documentation for the module is available in the readme file in the repository root.

Current state

The authoauth2 module has core OIDC RP functionality: it can authenticate against an OIDC OP by setting specific configuration options on one of the authentication sources the module provides. It also supports fetching OP metadata from the OP's discovery URL.

Sample config which uses the authentication source 'OpenIDConnect' is shown below (adapted from the readme; the original lacks the comma after 'postLogoutRedirectUri', which is a PHP syntax error):

    'openidconnect' => array(
        'authoauth2:OpenIDConnect',
        // *** Required for all integrations ***
        'issuer' => 'https://www.example.com', // e.g. https://accounts.google.com
        'clientId' => '133972730583345',
        'clientSecret' => '36aefb235314bad5df075363b79cbbcd',

        // Most optional settings of the OAuth2 authsource can be used here as well
        // *** Optional ***
        // Customize the post-logout redirect, if you don't want to use the standard /module.php/authoauth2/loggedout.php
        'postLogoutRedirectUri' => 'https://myapp.example.com/loggedout',

        // Set a specific discovery URL. Default is $issuer/.well-known/openid-configuration
        'discoveryUrl' => 'https://login.microsoftonline.com/common/.well-known/openid-configuration',
        // Check that the issuer in the ID token matches the one from discovery. Default true. For some multi-tenant
        // applications (for example cross-tenant Azure logins) the token issuer varies with the tenant
        'validateIssuer' => false,

        // Earlier versions of the OpenIDConnect authsource don't support `scopes` for overriding the scope
        //'urlAuthorizeOptions' => [
        //    'scope' => 'openid'
        //]
    ),

Desired state

The goal is to be able to configure an OpenID Federation capable authentication source. In general, that means extending
the module with OIDC Federation related features, on top of the plain OIDC RP functionality it already has.

Missing OIDC Federation features

* ability to use a private / public key pair and to publish the public part as a JWKS
* ability to issue a signed entity configuration (the RP's leaf entity statement), i.e. a self-signed JWT (typ "entity-statement+jwt") carrying
    * iss and sub claims, both equal to the RP's entity identifier
    * the RP's public federation key(s) in the form of a JWKS (jwks claim); the statement itself is signed with one of these keys
    * authority_hints with the entity identifiers of the RP's immediate superiors (intermediate IAs / TAs)
    * RP metadata under metadata.openid_relying_party (redirect URIs, response types, client registration types, ...)
* ability to serve the entity configuration at the URL "Leaf Entity's Identifier" + /.well-known/openid-federation (example: https://rp.example.com/.well-known/openid-federation), with content type application/entity-statement+jwt
* ability to resolve OP metadata (authorization / token / userinfo endpoints) from the OP's own entity configuration at its .well-known/openid-federation URL, in addition to, or instead of, plain OIDC discovery
* ability to authenticate the client (prove possession of the private key) in the authentication request
    * since the authorization code flow is prevailing, this would most likely be done with a signed request object (JAR, sent in the 'request' parameter), which is the 'request_object' method of the OpenID Federation spec
    * the method used has to be one listed under 'request_authentication_methods_supported' (for the authorization_endpoint) in the OP's metadata, and the OP has to list 'automatic' in 'client_registration_types_supported'
    * in essence, this provides the automatic client registration functionality: the OP fetches the RP's entity configuration by client_id (the RP's entity identifier) and resolves the trust chain itself, so no pre-registration is needed
* optional ability to cache entity statements / trust chains, with the cache lifetime bounded by the exp claim; a trust chain is valid only until the smallest exp among the statements it consists of
* optional ability to resolve the trust chain leading to itself, in order to supply it as a 'trust_chain' hint in authentication requests
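A minimal RP-side sketch of the items above, added here as an illustration; it is not code from the authoauth2 module, nor from the spid-cie-oidc-php library, and it only uses PHP's openssl_* and json functions. It generates a key pair and its JWKS, issues the self-signed entity configuration that would be served at /.well-known/openid-federation, checks the OP's metadata for 'request_object' / 'automatic' support and builds the signed request object for an automatic-registration authorization request. Entity identifiers, endpoints, the redirect URI path and the OP metadata are made-up placeholders; verification of the OP's entity statements and trust chain resolution are out of scope here.

```php
<?php
// Added example, not code from the authoauth2 module or the spid-cie-oidc-php library.
// Covers: JWKS from an RSA key pair, self-signed entity configuration, OP metadata check,
// signed request object for automatic registration. All identifiers are placeholders.
declare(strict_types=1);

function b64url(string $bin): string { return rtrim(strtr(base64_encode($bin), '+/', '-_'), '='); }

// Compact JWS (RS256); $typ goes into the protected header so a receiver can tell an entity statement from a plain JWT.
function jwsSign(array $claims, string $pem, string $kid, string $typ): string
{
    $header = ['alg' => 'RS256', 'typ' => $typ, 'kid' => $kid];
    $input  = b64url(json_encode($header, JSON_UNESCAPED_SLASHES)) . '.'
            . b64url(json_encode($claims, JSON_UNESCAPED_SLASHES));
    $key = openssl_pkey_get_private($pem);
    if ($key === false || !openssl_sign($input, $sig, $key, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed: ' . openssl_error_string());
    }
    return $input . '.' . b64url($sig);
}

// Public RSA JWK for the key pair; kid is the RFC 7638 thumbprint, computed over the
// required members e, kty, n in lexicographic order with no whitespace.
function publicJwk(string $pem): array
{
    $key     = openssl_pkey_get_private($pem);
    $details = $key === false ? false : openssl_pkey_get_details($key);
    if ($details === false || $details['type'] !== OPENSSL_KEYTYPE_RSA) {
        throw new RuntimeException('expected an RSA private key');
    }
    $e = b64url($details['rsa']['e']);
    $n = b64url($details['rsa']['n']);
    $thumb = hash('sha256', json_encode(['e' => $e, 'kty' => 'RSA', 'n' => $n]), true);
    return ['kty' => 'RSA', 'use' => 'sig', 'alg' => 'RS256', 'kid' => b64url($thumb), 'e' => $e, 'n' => $n];
}

// Self-signed entity configuration, served verbatim (content type
// application/entity-statement+jwt) at $entityId . '/.well-known/openid-federation'.
function entityConfiguration(string $entityId, string $pem, array $authorityHints, int $ttl = 86400): string
{
    $jwk = publicJwk($pem);
    $now = time();
    $claims = [
        'iss' => $entityId,                   // self-signed: iss == sub == RP entity identifier
        'sub' => $entityId,
        'iat' => $now, 'exp' => $now + $ttl,
        'jwks' => ['keys' => [$jwk]],         // federation keys; this statement is signed with one of them
        'authority_hints' => $authorityHints, // immediate superiors (intermediates / trust anchors)
        'metadata' => ['openid_relying_party' => [
            'client_registration_types' => ['automatic'],
            'redirect_uris'  => [$entityId . '/callback'],    // placeholder path
            'response_types' => ['code'], 'grant_types' => ['authorization_code'],
            'token_endpoint_auth_method' => 'private_key_jwt',
            'jwks' => ['keys' => [$jwk]],     // protocol keys; same key reused for brevity
        ]],
    ];
    return jwsSign($claims, $pem, $jwk['kid'], 'entity-statement+jwt');
}

// Automatic registration needs the OP to accept request-object client authentication at the authorization endpoint.
function opSupportsAutomaticRegistration(array $opMetadata): bool
{
    $methods = $opMetadata['request_authentication_methods_supported']['authorization_endpoint'] ?? [];
    $types   = $opMetadata['client_registration_types_supported'] ?? [];
    return in_array('request_object', $methods, true) && in_array('automatic', $types, true);
}

// Signed request object (RFC 9101): the signature proves possession of the federation key; the OP
// fetches $entityId/.well-known/openid-federation, finds the kid in that jwks and resolves the chain.
function signedRequestObject(string $entityId, string $opIssuer, string $pem, array $params, array $trustChain = []): string
{
    $now = time();
    $claims = ['iss' => $entityId, 'client_id' => $entityId, 'aud' => $opIssuer,
               'iat' => $now, 'exp' => $now + 300, 'jti' => b64url(random_bytes(16))] + $params;
    if ($trustChain !== []) {
        $claims['trust_chain'] = $trustChain; // optional hint: the RP's own resolved chain
    }
    return jwsSign($claims, $pem, publicJwk($pem)['kid'], 'oauth-authz-req+jwt');
}

// Usage: fresh key pair, the RP's entity configuration, then an authorization request.
openssl_pkey_export(openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]), $pem);
$rp = 'https://rp.example.com';
$op = 'https://op.example.org';
echo entityConfiguration($rp, $pem, ['https://ia.example.net']), "\n\n";
$opMeta = [ // constructed: what an OP publishes under metadata.openid_provider
    'authorization_endpoint' => $op . '/authorize',
    'client_registration_types_supported' => ['automatic'],
    'request_authentication_methods_supported' => ['authorization_endpoint' => ['request_object']],
];
if (!opSupportsAutomaticRegistration($opMeta)) {
    exit("OP does not offer automatic registration with request_object\n");
}
$request = signedRequestObject($rp, $op, $pem, ['response_type' => 'code', 'scope' => 'openid',
    'redirect_uri' => $rp . '/callback', 'state' => b64url(random_bytes(16)), 'nonce' => b64url(random_bytes(16))]);
// client_id, response_type and scope are repeated as plain parameters (OIDC Core 6.1).
echo $opMeta['authorization_endpoint'] . '?' . http_build_query(['client_id' => $rp,
    'response_type' => 'code', 'scope' => 'openid', 'request' => $request]), "\n";
```

The same jwsSign() helper would produce the private_key_jwt client assertion for the token endpoint. In a real deployment the federation key (top-level jwks) and the protocol keys (jwks inside the RP metadata) would normally be distinct keys, and the entity configuration should be re-issued before its exp rather than served from a static file.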

Steps to take

Take advantage of an existing PHP class library to add the OIDC federation functionality, and / or implement the remaining required functionality in the module itself.

PHP Library candidate: https://github.com/italia/spid-cie-oidc-php
