Developer Portal
There is customer demand for a developer portal that allows developers to self-service their clients in the Gluu OP. This would enable developers to perform basic CRUD operations for their clients. They could also request additional scopes. For example, by default, dynamically registered clients only get the
openidanduma_protectionscope. The developer may want to request theprofilescope as well. The only process for this currently is to manually request the OP admin to grant the client additional scopes. A streamlined and repeatable process for handling this type of developer request to the OP admin would be very useful.
The design is really important, with very thorough consideration of approvals and auditing
https://github.com/GluuFederation/casa-ee-plugins
- Developer - An authenticated person who can register clients and request additional scopes.
- Administrator - A person who can manage scope requests on behalf of an organization.
The scope and claim which convey the Casa Role should be configurable.
The Gluu Server admin would have to make sure that this scope existed, the claim was associated with it, and that Casa was authorized to request this scope.
Casa should display the client expiration date in red if it is less then 30 days. Admins should also get a request to approve client extensions requests.
The database layer should be abstracted, with different implementations possible.
The first persistence implementation should be LDAP.
-
We should update gluuPerson objectclass to add the attribute "oxAssociatedClient", which should reference the DN of the client. Casa should then lookup the respective client.
-
We could add an attribute called
casaPendingRequeststo theoxAuthClientthat contains a JSON object that contains the details of the request. For example:{"sub":"user@spam.com", "scopes":["profile","email"]}or{"sub":"user@spam.com", "expiration":"12/31/19"}for an extension request. Casa could then searchou=clients,o=(org-inum),o=gluuforcasaPendingRequests=*
As Casa is the portal for approval of requests (originally I was thinking oxTrust), we can handle everything internally. I don't think we need messaging after all.
| Name | Actor | Use Case |
|---|---|---|
| Create OP client | Developer | 1. Developer logs into Gluu Casa 2. Developer clicks Developer portal tab 2. Developer fills client form 3. Developer saves client 4. Client is created in OP |
| View OP client list | Developer | 1. Developer logs into Gluu Casa 2. Developer clicks Developer portal tab 2. By default Developer sees list of owned clients |
| View OP client details | Developer | 1. Developer logs into Gluu Casa 2. Developer clicks Developer portal tab 2. Developer clicks on client name 3. Developer can see details about client (Should it contain the same data as OP Client view from CE?) |
| Edit OP client | Developer | 1. Developer logs into Gluu Casa 2. Developer clicks Developer portal tab 2. Developer clicks on client edit icon 3. Developer can change the client data (should it be the same as in CE?) 3. Data is changed in CE |
| Delete OP client | Developer | 1. Developer logs into Gluu Casa 2. Developer clicks Developer portal tab 2. Developer clicks on client edit icon 3. Client is deleted in CE |
| Scope requesting | Developer | 1. Developer logs into Gluu Casa 2. Developer clicks Developer portal tab 2. Developer clicks on client edit icon 3. Developer clicks on scope request button 4. Developer selects scopes from list and accepts 5. Request appears in pending request list, Administrator is notified (all of Administrators?) 5. After approval client gets the scopes |
| Scope manual approval | Administrator | 1. Administrator logs into Gluu Casa 2. Administrator clicks Developer portal tab 2. Administrator clicks on pending requests 3. Administrator sees requests list with client details, Developer details and requested scopes and buttons to accept/reject. 4. In case of rejection Administrator has to fill reason field which is forwarded to Developer 5.Request disappears form list, Developer is notified (email) |
| Admin scope accept script | Administrator | 1. Administrator logs into Gluu Casa 2. Administrator clicks Developer portal tab 2. Administrator clicks on accepting scripts list 3. Administrator can enter custom script (language?), per scope (group of scopes) which returns True/False 4. Script is executed each time assigned scope is requested. |
| Client field | Access | Updatable |
|---|---|---|
| Inum | READ | No |
| Client Name: | WRITE | YES |
| Client Description: | WRITE | YES |
| Client Secret: | WRITE | YES |
| Application Type: | WRITE | YES |
| Pre-Authorization: | WRITE | YES |
| Persist Client Authorizations: | WRITE | YES |
| Logo URI: | WRITE | YES |
| Client URI: | WRITE | YES |
| Policy URI: | WRITE | YES |
| Terms of Service URI: | WRITE | YES |
| JWKS URI: | WRITE | YES |
| JWKS: | WRITE | YES |
| Sector Identifier URI: | WRITE | YES |
| Subject Type: | WRITE | Approval |
| JWS alg Algorithm for signing the ID Token: | WRITE | YES |
| JWE alg Algorithm for encrypting the ID Token: | WRITE | YES |
| JWE enc Algorithm for encrypting the ID Token: | WRITE | YES |
| JWS alg Algorithm for signing the UserInfo Responses: | WRITE | YES |
| JWE alg Algorithm for encrypting the UserInfo Responses: | WRITE | YES |
| JWE enc Algorithm for encrypting the UserInfo Responses: | WRITE | YES |
| JWS alg Algorithm for signing Request Objects: | WRITE | YES |
| JWE alg Algorithm for encrypting Request Objects: | WRITE | YES |
| JWE enc Algorithm for encrypting Request Objects: | WRITE | YES |
| Authentication method for the Token Endpoint: | WRITE | YES |
| JWS alg Algorithm for Authentication method to Token Endpoint: | WRITE | YES |
| Default Maximum Authentication Age: | WRITE | YES |
| Require Auth Time: | WRITE | YES |
| Redirect Login URIs: | WRITE | YES |
| Post Logout Redirect URIs: | WRITE | YES |
| Claim Redirect URIs: | WRITE | YES |
| Scopes: | WRITE | Approval |
| Individually Requested Claims: | WRITE | Approval |
| Response Types: | WRITE | YES |
| Grant Types: | WRITE | YES |
| Contacts: | WRITE | YES |
| Request URIs: | WRITE | YES |
| Authorized JavaScript Origins: | WRITE | YES |
| Front Channel Logout URI: | WRITE | YES |
| Logout Session Required: | WRITE | YES |
| Include Claims In Id Token: | WRITE | YES |
| Refresh Token Lifetime: | WRITE | Approval |
| oxd Id: | READ | No |
| Disabled: | Write | Approval |
| Client's Registration Expires: | Write | Approval |