Feature Wiki

Information about planned and released features

Customisable additional Scopes for openID Connect

1 Initial Problem

When logging in through OpenID Connect, ILIAS requests a hardcoded set of scopes (e.g. openid, roles, email, profile). It is, however, quite possible that one or more of these scopes do not exist or are named differently.
If this happens, OpenID Connect will throw an error during login and the login process will fail.

2 Conceptual Summary

An admin can manually add the scopes ILIAS should request through a multi-text input in the OpenID Connect settings. Since the scope "openid" is standard for every type of OpenID Connect, it stays as a default and cannot be changed. Every other scope can then be added manually through the input.
When the newly added scopes are saved, a request to the OpenID configuration will be made to check the input against the scopes that are actually available. If it turns out that there is a typo or a scope that doesn't exist, the user will be informed which of the inputs is wrong.
If it is not possible to connect to the OpenID configuration, the validation of scope availability will simply be skipped.

3 User Interface Modifications

3.1 List of Affected Views

Administration -> Users and Roles -> Authentication and Registration -> OpenID Connect -> Server Settings

3.2 User Interface Details

Final implementation of additional scopes Feature

3.3 New User Interface Concepts

none

4 Technical Information

cURL will be used for the validation request.
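
A sketch of the scope check described in the Conceptual Summary, using cURL as stated above. This is an added example, not ILIAS code. It assumes the "openID Configuration" is the provider's discovery document at `/.well-known/openid-configuration` with a `scopes_supported` list; the function names and the sample values are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Fetch scopes_supported from the provider's discovery document.
 * Returns null when the document is unreachable or lists no scopes,
 * in which case the caller skips the availability check.
 */
function fetchSupportedScopes(string $issuer): ?array
{
    if (parse_url($issuer, PHP_URL_SCHEME) !== 'https') {
        return null; // never send the validation request over plain HTTP
    }
    $ch = curl_init(rtrim($issuer, '/') . '/.well-known/openid-configuration');
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // no file://, gopher:// etc.
        CURLOPT_FOLLOWLOCATION => false,           // do not chase redirects
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    if ($body === false || $status !== 200) {
        return null;
    }
    $config = json_decode($body, true);
    $scopes = is_array($config) ? ($config['scopes_supported'] ?? null) : null;
    return is_array($scopes) ? array_values(array_filter($scopes, 'is_string')) : null;
}

/** Returns [scopes to store, scopes the provider does not advertise]. */
function validateScopes(array $input, ?array $supported): array
{
    // "openid" is always present and cannot be removed or duplicated.
    $extra   = array_filter(array_map('trim', $input), fn($s) => $s !== '' && $s !== 'openid');
    $scopes  = array_values(array_unique(array_merge(['openid'], $extra)));
    // A null $supported means the configuration was unreachable: skip the check.
    $unknown = $supported === null ? [] : array_values(array_diff($scopes, $supported, ['openid']));
    return [$scopes, $unknown];
}

// Constructed sample: scopes a provider might advertise, and an admin typo ("emial").
[$scopes, $unknown] = validateScopes(['profile', 'emial', ' roles '], ['openid', 'profile', 'email', 'roles']);
echo 'unknown: ' . implode(', ', $unknown) . PHP_EOL;
```

Because the request goes to an admin-configured URL from the server, the sketch restricts cURL to HTTPS, disables redirects and sets timeouts so the check cannot be pointed at other protocols or hang the settings form.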

5 Privacy Information

none

6 Security Implications

{ Does the feature include any special security-relevant changes, e.g. the introduction of new endpoints or other new possible attack vectors? If yes, please explain these implications and include a commitment to deliver a written security concept as part of the feature development. This concept will need an additional approval by the JourFixe. }

7 Contact

  • Author of the Request:
  • Maintainer: Meyer, Stefan [smeyer]
  • Implementation of the feature is done by: {The maintainer must add the name of the implementing developer.}

8 Funding

If you are interested in funding this feature, please add your name and institution to this list.

9 Discussion

JourFixe, ILIAS [jourfixe], 30 MAR 2020 : We highly appreciate this suggestion and accept the feature for ILIAS 7.

Schmitt, Pascal [pascal.schmitt], 08.06.2020: Please also provide a solution for organisations already using Open ID Connect to log in: It must be ensured that all scopes that are defined in the code today are retained. E.g. as defaults in the new screen.

10 Implementation

Final implementation of additional scopes Feature

Test Cases

Test cases completed at 12. Nov 2020 by Meyer, Stefan [smeyer]

Approval

Approved at {31.03.2020} by

Last edited: 5. Aug 2024, 11:14, Mela, Alix [ILIAS_LM]