...

Fediz OIDC provides an implementation of OIDC Core by integrating the CXF OIDC IDP with the Fediz Authentication System.

It is available starting from Fediz 1.3.0. This project is a work in progress.

Please review CXF OIDC IDP, CXF OAuth2 and CXF JOSE to get a better understanding of how Fediz OIDC has been implemented.

User Authentication

Fediz OIDC is currently implemented as a Fediz WS-Federation RP web application. When Fediz OIDC is accessed by a user, the Fediz WS-Fed Authenticator redirects the user to the Fediz WS-Fed IDP to complete the authentication process. The fact that WS-Fed is used during this process is transparent to the user. Note that Fediz OIDC itself is completely agnostic to the way the authentication is done: all it needs is for Fediz to provide it with an authenticated principal, which is enough for it to support its OIDC flows.

Future major Fediz releases will optimize and improve this process by bringing Fediz OIDC much closer to the core Fediz Authentication System, thus avoiding an internal WS-Fed flow completely.

...

Fediz provides comprehensive support for delegating user authentication to trusted providers. Such providers can support the SAML, WS-Fed or OpenID Connect protocols. Thus Fediz OIDC users can be authenticated locally or redirected further to registered authentication providers. This is achieved by assigning home realms to Fediz OIDC client registrations.

Client Registration

...

OIDC Services

Effectively, Fediz OIDC is a complete OAuth2 server which supports all standard OIDC Core flows. It has JAX-RS service endpoints supporting the Authorization Code, Implicit and Hybrid flows and all OIDC response types.

Services supporting UserInfo requests and returning IdToken signature verification keys are also enabled.

The OAuth2 AccessTokenService is also required to complete the Authorization Code or Hybrid flows.

Note that even though Fediz OIDC is an OpenID Connect server, the availability of the OAuth2 AccessTokenService allows it to support non-OIDC OAuth2 grants such as Client Credentials or other custom grants.

To provide all these service endpoints, Fediz OIDC simply registers the OIDC services implemented by CXF OIDC in this context.

IdToken

The IdToken is populated in the SubjectCreator, where an existing SAML assertion representing an authenticated user is converted to an IdToken. The token is signed at the moment it is returned to the client, either in the OAuth2 IdTokenResponseFilter (used by AccessTokenService) or in OidcImplicitService.
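
As an added illustration of the conversion described above (this is not Fediz's own SubjectCreator or JOSE code), the example below maps a constructed SAML assertion to IdToken claims, stamps and signs the token only at the point it is returned, and shows the relying-party checks on the other side. HS256 with a shared secret is an assumption made to keep the example dependency-free; Fediz signs with CXF JOSE keys that it publishes through its signature verification key service.

```python
import base64, calendar, hashlib, hmac, json, time, xml.etree.ElementTree as ET
SAML2 = "{urn:oasis:names:tc:SAML:2.0:assertion}"
# Constructed sample assertion standing in for the one Fediz hands to SubjectCreator.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">
  <saml2:Issuer>https://idp.example.com/fediz</saml2:Issuer>
  <saml2:Subject><saml2:NameID>alice</saml2:NameID></saml2:Subject>
  <saml2:AuthnStatement AuthnInstant="2016-01-10T10:00:00Z"/>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="email"><saml2:AttributeValue>alice@example.com</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def saml_to_idtoken_claims(assertion_xml, issuer, client_id, nonce=None):
    """Map the authenticated SAML subject to the IdToken claim set (still unsigned)."""
    root = ET.fromstring(assertion_xml)
    sub = root.find(f"{SAML2}Subject/{SAML2}NameID").text
    authn_instant = root.find(f"{SAML2}AuthnStatement").get("AuthnInstant")
    auth_time = calendar.timegm(time.strptime(authn_instant, "%Y-%m-%dT%H:%M:%SZ"))
    claims = {"iss": issuer, "sub": sub, "aud": client_id, "auth_time": auth_time}
    for attr in root.iter(f"{SAML2}Attribute"):
        if attr.get("Name") == "email":
            claims["email"] = attr.find(f"{SAML2}AttributeValue").text
    if nonce:  # echoed back so the client can bind the token to its own request
        claims["nonce"] = nonce
    return claims

def sign_idtoken(claims, key, now=None, lifetime=3600):
    """Signing happens at return time, so iat/exp are stamped here, not at conversion."""
    now = int(time.time()) if now is None else now
    claims = dict(claims, iat=now, exp=now + lifetime)
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    header = compact({"alg": "HS256", "typ": "JWT"})  # assumption: HS256 stands in for JOSE RSA/EC signing
    signing_input = f"{header}.{compact(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def verify_idtoken(token, key, client_id, now=None):
    """Relying-party side: check signature, audience and expiry; None on any failure."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected).encode(), sig.encode()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    now = int(time.time()) if now is None else now
    if claims.get("aud") != client_id or now >= claims.get("exp", 0):
        return None
    return claims
```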

Data Persistence

Fediz OIDC needs to persist client registrations, user subjects, grants, access tokens and refresh tokens. Currently it uses the CXF DefaultEHCacheCodeDataProvider and as such does not have its own code for managing data persistence.

Deployment

Drop fediz-oidc.war into a Tomcat container hosting the core Fediz IDP service. 

...