diff --git a/docs/content/en/blog/pre-release-notes-4.37/index.md b/docs/content/en/blog/pre-release-notes-4.37/index.md index 4880cd459..bf7345601 100644 --- a/docs/content/en/blog/pre-release-notes-4.37/index.md +++ b/docs/content/en/blog/pre-release-notes-4.37/index.md @@ -31,14 +31,14 @@ with all major proxies supported excluding Microsoft IIS. [Envoy]: https://www.envoyproxy.io/ [Istio]: https://istio.io/ -## OpenID Connect Improvements +## OpenID Connect 1.0 Improvements -Several items from the [OpenID Connect Roadmap](../../roadmap/active/openid-connect.md) are being checked off in this +Several items from the [OpenID Connect 1.0 Roadmap](../../roadmap/active/openid-connect.md) are being checked off in this release. ### Hashed Client Secrets -We'll be supporting hashed OpenID Connect client secrets in this release. People will still be able to use plaintext +We'll be supporting hashed OpenID Connect 1.0 client secrets in this release. People will still be able to use plaintext secrets if they wish however we'll be recommending people utilize PBKDF2, BCrypt or SHA512 SHA2CRYPT (see [Password Algorithms](#password-algorithms) for a full compatibility list). This doesn't change anything for OpenID Connect Relying Parties, it only requires a change in the Authelia configuration. diff --git a/docs/content/en/configuration/identity-providers/introduction.md b/docs/content/en/configuration/identity-providers/introduction.md index 87ba9dbc4..0909e74fc 100644 --- a/docs/content/en/configuration/identity-providers/introduction.md +++ b/docs/content/en/configuration/identity-providers/introduction.md @@ -14,6 +14,6 @@ aliases: - /docs/configuration/identity-providers/ --- -## OpenID Connect +## OpenID Connect 1.0 The only identity provider implementation supported at this time is [OpenID Connect 1.0](openid-connect/provider.md). 
diff --git a/docs/content/en/configuration/identity-providers/openid-connect/clients.md b/docs/content/en/configuration/identity-providers/openid-connect/clients.md index adec6ca20..97f9345aa 100644 --- a/docs/content/en/configuration/identity-providers/openid-connect/clients.md +++ b/docs/content/en/configuration/identity-providers/openid-connect/clients.md @@ -16,8 +16,8 @@ This section covers specifics regarding configuring the providers registered cli provider specific configuration and information not related to clients see the [OpenID Connect 1.0 Provider](provider.md) documentation. -More information about OpenID Connect can be found in the [roadmap](../../../roadmap/active/openid-connect.md) and in the -[integration](../../../integration/openid-connect/introduction.md) documentation. +More information about OpenID Connect 1.0 can be found in the [roadmap](../../../roadmap/active/openid-connect.md) and +in the [integration](../../../integration/openid-connect/introduction.md) documentation. ## Configuration diff --git a/docs/content/en/configuration/identity-providers/openid-connect/provider.md b/docs/content/en/configuration/identity-providers/openid-connect/provider.md index 0aee8a2e7..df773bcdb 100644 --- a/docs/content/en/configuration/identity-providers/openid-connect/provider.md +++ b/docs/content/en/configuration/identity-providers/openid-connect/provider.md 
@@ -299,9 +299,9 @@ Allows additional debug messages to be sent to the clients. This controls the minimum length of the `nonce` and `state` parameters. *__Security Notice:__* Changing this value is generally discouraged, reducing it from the default can theoretically -make certain scenarios less secure. It is highly encouraged that if your OpenID Connect RP does not send these -parameters or sends parameters with a lower length than the default that they implement a change rather than changing -this value. +make certain scenarios less secure. It is highly encouraged that if your OpenID Connect 1.0 Relying Party does not send +these parameters or sends parameters with a lower length than the default that they implement a change rather than +changing this value. ### enforce_pkce diff --git a/docs/content/en/configuration/methods/environment.md b/docs/content/en/configuration/methods/environment.md index 0019382fc..e0b3ab20d 100644 --- a/docs/content/en/configuration/methods/environment.md +++ b/docs/content/en/configuration/methods/environment.md @@ -16,7 +16,7 @@ Environment variables are applied after the configuration file meaning anything overrides the configuration files. *__Please Note:__ It is not possible to configure several sections at this time, these include but may not be -limited to the rules section in access control, the clients section in the OpenID Connect identity provider, the cookies +limited to the rules section in access control, the clients section in the OpenID Connect 1.0 Provider, the cookies section of in session, and the authz section in the server endpoints.* ## Prefix diff --git a/docs/content/en/configuration/methods/files.md b/docs/content/en/configuration/methods/files.md index 8793cf889..51acc7197 100644 --- a/docs/content/en/configuration/methods/files.md +++ b/docs/content/en/configuration/methods/files.md 
@@ -63,9 +63,9 @@ authelia --config configuration.yml,config-acl.yml,config-other.yml Authelia's configuration files use the YAML format. A template with all possible options can be found at the root of the repository {{< github-link name="here" path="config.template.yml" >}}. -*__Important Note:__ You should not have configuration sections such as Access Control Rules or OpenID Connect clients -configured in multiple files. If you wish to split these into their own files that is fine, but if you have two files that -specify these sections and expect them to merge properly you are asking for trouble.* +*__Important Note:__ You should not have configuration sections such as Access Control Rules or OpenID Connect 1.0 +clients configured in multiple files. If you wish to split these into their own files that is fine, but if you have two +files that specify these sections and expect them to merge properly you are asking for trouble.* ### Container diff --git a/docs/content/en/configuration/miscellaneous/server-endpoints-authz.md b/docs/content/en/configuration/miscellaneous/server-endpoints-authz.md index f62bebd93..daa4864dc 100644 --- a/docs/content/en/configuration/miscellaneous/server-endpoints-authz.md +++ b/docs/content/en/configuration/miscellaneous/server-endpoints-authz.md @@ -24,16 +24,24 @@ server: authz: forward-auth: implementation: 'ForwardAuth' - authn_strategies: [] + authn_strategies: + - name: 'HeaderProxyAuthorization' + - name: 'CookieSession' ext-authz: implementation: 'ExtAuthz' - authn_strategies: [] + authn_strategies: + - name: 'HeaderProxyAuthorization' + - name: 'CookieSession' auth-request: implementation: 'AuthRequest' - authn_strategies: [] + authn_strategies: + - name: 'HeaderAuthRequestProxyAuthorization' + - name: 'CookieSession' legacy: implementation: 'Legacy' - authn_strategies: [] + authn_strategies: + - name: 'HeaderLegacy' + - name: 'CookieSession' ``` ## Name 
diff --git a/docs/content/en/configuration/second-factor/webauthn.md b/docs/content/en/configuration/second-factor/webauthn.md index fd8966a71..9d006c730 100644 --- a/docs/content/en/configuration/second-factor/webauthn.md +++ b/docs/content/en/configuration/second-factor/webauthn.md @@ -89,6 +89,6 @@ Please see the [documentation](../prologue/common.md#duration) on this format fo This adjusts the requested timeout for a WebAuthn interaction. -## FAQ +## Frequently Asked Questions -See the [Security Key FAQ](../../overview/authentication/security-key/index.md#faq) for the FAQ. +See the [Security Key FAQ](../../overview/authentication/security-key/index.md#frequently-asked-questions) for the FAQ. diff --git a/docs/content/en/configuration/storage/migrations.md b/docs/content/en/configuration/storage/migrations.md index 2e3d8d5ac..3f5c515c9 100644 --- a/docs/content/en/configuration/storage/migrations.md +++ b/docs/content/en/configuration/storage/migrations.md 
@@ -32,9 +32,9 @@ this instance if you wanted to downgrade to pre1 you would need to use an Authel | 1 | 4.33.0 | Initial migration managed version | | 2 | 4.34.0 | WebAuthn - added webauthn_devices table, altered totp_config to include device created/used dates | | 3 | 4.34.2 | WebAuthn - fix V2 migration kid column length and provide migration path for anyone on V2 | -| 4 | 4.35.0 | Added OpenID Connect storage tables and opaque user identifier tables | +| 4 | 4.35.0 | Added OpenID Connect 1.0 storage tables and opaque user identifier tables | | 5 | 4.35.1 | Fixed the oauth2_consent_session table to accept NULL subjects for users who are not yet signed in | -| 6 | 4.37.0 | Adjusted the OpenID Connect tables to allow pre-configured consent improvements | +| 6 | 4.37.0 | Adjusted the OpenID Connect 1.0 tables to allow pre-configured consent improvements | | 7 | 4.37.3 | Fixed some schema inconsistencies most notably the MySQL/MariaDB Engine and Collation | | 8 | 4.38.0 | OpenID Connect 1.0 Pushed Authorization Requests | | 9 | 4.38.0 | Fix a PostgreSQL NOT NULL constraint issue on the `aaguid` column of the `webauthn_devices` table | diff --git a/docs/content/en/contributing/development/environment.md b/docs/content/en/contributing/development/environment.md index 356ea2e42..32141d6e6 100644 --- a/docs/content/en/contributing/development/environment.md +++ b/docs/content/en/contributing/development/environment.md @@ -62,7 +62,7 @@ There is a scripting context provided with __Authelia__ which can easily be conf [suites] and various other tasks. Read more about it in the [authelia-scripts](reference-authelia-scripts.md) reference guide. -## FAQ +## Frequently Asked Questions ### Do you support development under Windows or OSX? diff --git a/docs/content/en/integration/deployment/docker.md b/docs/content/en/integration/deployment/docker.md index b063d057c..cba48efce 100644 --- a/docs/content/en/integration/deployment/docker.md 
+++ b/docs/content/en/integration/deployment/docker.md @@ -210,7 +210,7 @@ running the following command: grep -Eo '"https://.*" ' ./authelia/notification.txt. ``` -## FAQ +## Frequently Asked Questions #### Running the Proxy on the Host Instead of in a Container diff --git a/docs/content/en/integration/kubernetes/introduction.md b/docs/content/en/integration/kubernetes/introduction.md index 71027e218..62325e7fc 100644 --- a/docs/content/en/integration/kubernetes/introduction.md +++ b/docs/content/en/integration/kubernetes/introduction.md @@ -63,7 +63,7 @@ spec: ... ``` -## FAQ +## Frequently Asked Questions ### RAM usage diff --git a/docs/content/en/integration/openid-connect/_index.md b/docs/content/en/integration/openid-connect/_index.md index 2a92610d8..35c8227e5 100644 --- a/docs/content/en/integration/openid-connect/_index.md +++ b/docs/content/en/integration/openid-connect/_index.md @@ -1,6 +1,6 @@ --- -title: "OpenID Connect" -description: "OpenID Connect Integration" +title: "OpenID Connect 1.0" +description: "OpenID Connect 1.0 Integration" lead: "" date: 2022-06-15T17:51:47+10:00 draft: false diff --git a/docs/content/en/integration/openid-connect/apache-guacamole/index.md b/docs/content/en/integration/openid-connect/apache-guacamole/index.md index 748d6144f..49755b78c 100644 --- a/docs/content/en/integration/openid-connect/apache-guacamole/index.md +++ b/docs/content/en/integration/openid-connect/apache-guacamole/index.md @@ -1,6 +1,6 @@ --- title: "Apache Guacamole" -description: "Integrating Apache Guacamole with the Authelia OpenID Connect Provider." +description: "Integrating Apache Guacamole with the Authelia OpenID Connect 1.0 Provider." lead: "" date: 2022-07-31T13:09:05+10:00 draft: false diff --git a/docs/content/en/integration/openid-connect/argocd/index.md b/docs/content/en/integration/openid-connect/argocd/index.md index 6beaec647..6ad85cf0f 100644 --- a/docs/content/en/integration/openid-connect/argocd/index.md 
+++ b/docs/content/en/integration/openid-connect/argocd/index.md @@ -1,6 +1,6 @@ --- title: "Argo CD" -description: "Integrating Argo CD with the Authelia OpenID Connect Provider." +description: "Integrating Argo CD with the Authelia OpenID Connect 1.0 Provider." lead: "" date: 2022-07-13T04:27:30+10:00 draft: false diff --git a/docs/content/en/integration/openid-connect/bookstack/index.md b/docs/content/en/integration/openid-connect/bookstack/index.md index ea8f76aaa..b7f8585ca 100644 --- a/docs/content/en/integration/openid-connect/bookstack/index.md +++ b/docs/content/en/integration/openid-connect/bookstack/index.md @@ -1,6 +1,6 @@ --- title: "BookStack" -description: "Integrating BookStack with the Authelia OpenID Connect Provider." +description: "Integrating BookStack with the Authelia OpenID Connect 1.0 Provider." lead: "" date: 2022-06-15T17:51:47+10:00 draft: false diff --git a/docs/content/en/integration/openid-connect/cloudflare-zerotrust/index.md b/docs/content/en/integration/openid-connect/cloudflare-zerotrust/index.md index e3b7b5217..f5b8037f5 100644 --- a/docs/content/en/integration/openid-connect/cloudflare-zerotrust/index.md +++ b/docs/content/en/integration/openid-connect/cloudflare-zerotrust/index.md @@ -1,6 +1,6 @@ --- title: "Cloudflare Zero Trust" -description: "Integrating Cloudflare Zero Trust with the Authelia OpenID Connect Provider." +description: "Integrating Cloudflare Zero Trust with the Authelia OpenID Connect 1.0 Provider." lead: "" date: 2022-06-15T17:51:47+10:00 draft: false diff --git a/docs/content/en/integration/openid-connect/firezone/index.md b/docs/content/en/integration/openid-connect/firezone/index.md index b562d6c78..4b11071a2 100644 --- a/docs/content/en/integration/openid-connect/firezone/index.md +++ b/docs/content/en/integration/openid-connect/firezone/index.md 
@@ -1,6 +1,6 @@ --- title: "Firezone" -description: "Integrating Firezone with the Authelia OpenID Connect Provider." +description: "Integrating Firezone with the Authelia OpenID Connect 1.0 Provider." lead: "" date: 2023-03-28T20:29:13+11:00 draft: false diff --git a/docs/content/en/integration/openid-connect/frequently-asked-questions.md b/docs/content/en/integration/openid-connect/frequently-asked-questions.md index e7557003c..f99227cba 100644 --- a/docs/content/en/integration/openid-connect/frequently-asked-questions.md +++ b/docs/content/en/integration/openid-connect/frequently-asked-questions.md @@ -1,7 +1,7 @@ --- title: "Frequently Asked Questions" -description: "Frequently Asked Questions regarding integrating the Authelia OpenID Connect Provider with an OpenID Connect relying party" -lead: "Frequently Asked Questions regarding integrating the Authelia OpenID Connect Provider with an OpenID Connect relying party." +description: "Frequently Asked Questions regarding integrating the Authelia OpenID Connect 1.0 Provider with an OpenID Connect 1.0 Relying Party" +lead: "Frequently Asked Questions regarding integrating the Authelia OpenID Connect 1.0 Provider with an OpenID Connect 1.0 Relying Party." date: 2022-10-20T15:27:09+11:00 draft: false images: [] diff --git a/docs/content/en/integration/openid-connect/gitea/index.md b/docs/content/en/integration/openid-connect/gitea/index.md index 2b31c12d6..202c9112e 100644 --- a/docs/content/en/integration/openid-connect/gitea/index.md +++ b/docs/content/en/integration/openid-connect/gitea/index.md @@ -1,6 +1,6 @@ --- title: "Gitea" -description: "Integrating Gitea with the Authelia OpenID Connect Provider." +description: "Integrating Gitea with the Authelia OpenID Connect 1.0 Provider." lead: "" date: 2022-07-01T13:07:02+10:00 draft: false diff --git a/docs/content/en/integration/openid-connect/gitlab/index.md b/docs/content/en/integration/openid-connect/gitlab/index.md index 2038a5797..797b4e34f 100644 
--- a/docs/content/en/integration/openid-connect/gitlab/index.md +++ b/docs/content/en/integration/openid-connect/gitlab/index.md @@ -1,6 +1,6 @@ --- title: "GitLab" -description: "Integrating GitLab with the Authelia OpenID Connect Provider." +description: "Integrating GitLab with the Authelia OpenID Connect 1.0 Provider." lead: "" date: 2022-06-15T17:51:47+10:00 draft: false diff --git a/docs/content/en/integration/openid-connect/grafana/index.md b/docs/content/en/integration/openid-connect/grafana/index.md index 7c361281e..2b4f5d256 100644 --- a/docs/content/en/integration/openid-connect/grafana/index.md +++ b/docs/content/en/integration/openid-connect/grafana/index.md @@ -1,6 +1,6 @@ --- title: "Grafana" -description: "Integrating Grafana with the Authelia OpenID Connect Provider." +description: "Integrating Grafana with the Authelia OpenID Connect 1.0 Provider." lead: "" date: 2022-06-15T17:51:47+10:00 draft: false diff --git a/docs/content/en/integration/openid-connect/harbor/index.md b/docs/content/en/integration/openid-connect/harbor/index.md index 75e8d1986..54071dc36 100644 --- a/docs/content/en/integration/openid-connect/harbor/index.md +++ b/docs/content/en/integration/openid-connect/harbor/index.md @@ -1,6 +1,6 @@ --- title: "Harbor" -description: "Integrating Harbor with the Authelia OpenID Connect Provider." +description: "Integrating Harbor with the Authelia OpenID Connect 1.0 Provider." lead: "" date: 2022-06-15T17:51:47+10:00 draft: false diff --git a/docs/content/en/integration/openid-connect/hashicorp-vault/index.md b/docs/content/en/integration/openid-connect/hashicorp-vault/index.md index 4f7bb544a..4a5ee2a05 100644 --- a/docs/content/en/integration/openid-connect/hashicorp-vault/index.md +++ b/docs/content/en/integration/openid-connect/hashicorp-vault/index.md 
@@ -1,6 +1,6 @@ --- title: "HashiCorp Vault" -description: "Integrating HashiCorp Vault with the Authelia OpenID Connect Provider." +description: "Integrating HashiCorp Vault with the Authelia OpenID Connect 1.0 Provider." lead: "" date: 2022-06-15T17:51:47+10:00 draft: false diff --git a/docs/content/en/integration/openid-connect/introduction.md b/docs/content/en/integration/openid-connect/introduction.md index b9c092386..4c3b4383d 100644 --- a/docs/content/en/integration/openid-connect/introduction.md +++ b/docs/content/en/integration/openid-connect/introduction.md @@ -1,7 +1,7 @@ --- title: "OpenID Connect" -description: "An introduction into integrating the Authelia OpenID Connect Provider with an OpenID Connect relying party" -lead: "An introduction into integrating the Authelia OpenID Connect Provider with an OpenID Connect relying party." +description: "An introduction into integrating the Authelia OpenID Connect 1.0 Provider with an OpenID Connect 1.0 Relying Party" +lead: "An introduction into integrating the Authelia OpenID Connect 1.0 Provider with an OpenID Connect 1.0 Relying Party." date: 2022-06-15T17:51:47+10:00 draft: false images: [] @@ -265,7 +265,7 @@ The following table describes the response from the [UserInfo] endpoint dependin ## Endpoint Implementations The following section documents the endpoints we implement and their respective paths. This information can -traditionally be discovered by relying parties that utilize [OpenID Connect Discovery], however this information may be +traditionally be discovered by relying parties that utilize [OpenID Connect Discovery 1.0], however this information may be useful for clients which do not implement this. The endpoints can be discovered easily by visiting the Discovery and Metadata endpoints. It is recommended regardless 
@@ -275,7 +275,7 @@ below. These tables document the endpoints we currently support and their paths in the most recent version of Authelia. The paths are appended to the end of the primary URL used to access Authelia. The tables use the url -https://auth.example.com as an example of the Authelia root URL which is also the OpenID Connect issuer. +https://auth.example.com as an example of the Authelia root URL which is also the OpenID Connect 1.0 Issuer. ### Well Known Discovery Endpoints @@ -283,12 +283,12 @@ These endpoints can be utilized to discover other endpoints and metadata about t | Endpoint | Path | |:-----------------------------------------:|:---------------------------------------------------------------:| -| [OpenID Connect Discovery] | https://auth.example.com/.well-known/openid-configuration | +| [OpenID Connect Discovery 1.0] | https://auth.example.com/.well-known/openid-configuration | | [OAuth 2.0 Authorization Server Metadata] | https://auth.example.com/.well-known/oauth-authorization-server | ### Discoverable Endpoints -These endpoints implement OpenID Connect elements. +These endpoints implement OpenID Connect 1.0 Provider specifications. | Endpoint | Path | Discovery Attribute | |:-------------------------------:|:--------------------------------------------------------------:|:-------------------------------------:| @@ -365,7 +365,7 @@ The advantages of this approach are as follows: [OpenID Connect 1.0]: https://openid.net/connect/ -[OpenID Connect Discovery]: https://openid.net/specs/openid-connect-discovery-1_0.html +[OpenID Connect Discovery 1.0]: https://openid.net/specs/openid-connect-discovery-1_0.html [OAuth 2.0 Authorization Server Metadata]: https://datatracker.ietf.org/doc/html/rfc8414 [JSON Web Key Set]: https://datatracker.ietf.org/doc/html/rfc7517#section-5 
diff --git a/docs/content/en/integration/openid-connect/kasm-workspaces/index.md b/docs/content/en/integration/openid-connect/kasm-workspaces/index.md index a0d4628a4..9ec291778 100644 --- a/docs/content/en/integration/openid-connect/kasm-workspaces/index.md +++ b/docs/content/en/integration/openid-connect/kasm-workspaces/index.md @@ -1,6 +1,6 @@ --- title: "Kasm Workspaces" -description: "Integrating Kasm Workspaces with the Authelia OpenID Connect Provider." +description: "Integrating Kasm Workspaces with the Authelia OpenID Connect 1.0 Provider." lead: "" date: 2023-04-27T18:40:06+10:00 draft: false diff --git a/docs/content/en/integration/openid-connect/komga/index.md b/docs/content/en/integration/openid-connect/komga/index.md index 666131506..14c42f497 100644 --- a/docs/content/en/integration/openid-connect/komga/index.md +++ b/docs/content/en/integration/openid-connect/komga/index.md @@ -1,6 +1,6 @@ --- title: "Komga" -description: "Integrating Komga with the Authelia OpenID Connect Provider." +description: "Integrating Komga with the Authelia OpenID Connect 1.0 Provider." lead: "" date: 2022-08-26T11:39:00+10:00 draft: false diff --git a/docs/content/en/integration/openid-connect/minio/index.md b/docs/content/en/integration/openid-connect/minio/index.md index 77d637329..4b0360026 100644 --- a/docs/content/en/integration/openid-connect/minio/index.md +++ b/docs/content/en/integration/openid-connect/minio/index.md @@ -1,6 +1,6 @@ --- title: "MinIO" -description: "Integrating MinIO with the Authelia OpenID Connect Provider." +description: "Integrating MinIO with the Authelia OpenID Connect 1.0 Provider." lead: "" date: 2023-03-21T11:21:23+11:00 draft: false diff --git a/docs/content/en/integration/openid-connect/misago/index.md b/docs/content/en/integration/openid-connect/misago/index.md index c6e3c96b3..446445423 100644 --- a/docs/content/en/integration/openid-connect/misago/index.md +++ b/docs/content/en/integration/openid-connect/misago/index.md 
@@ -1,6 +1,6 @@ --- title: "Misago" -description: "Integrating Misago with the Authelia OpenID Connect Provider." +description: "Integrating Misago with the Authelia OpenID Connect 1.0 Provider." lead: "" date: 2023-03-14T08:51:13+11:00 draft: false diff --git a/docs/content/en/integration/openid-connect/nextcloud/index.md b/docs/content/en/integration/openid-connect/nextcloud/index.md index aec1cb971..4e28783a5 100644 --- a/docs/content/en/integration/openid-connect/nextcloud/index.md +++ b/docs/content/en/integration/openid-connect/nextcloud/index.md @@ -1,6 +1,6 @@ --- title: "Nextcloud" -description: "Integrating Nextcloud with the Authelia OpenID Connect Provider." +description: "Integrating Nextcloud with the Authelia OpenID Connect 1.0 Provider." lead: "" date: 2022-06-15T17:51:47+10:00 draft: false diff --git a/docs/content/en/integration/openid-connect/outline/index.md b/docs/content/en/integration/openid-connect/outline/index.md index f5e8a9109..f467f859f 100644 --- a/docs/content/en/integration/openid-connect/outline/index.md +++ b/docs/content/en/integration/openid-connect/outline/index.md @@ -1,6 +1,6 @@ --- title: "Outline" -description: "Integrating Outline with the Authelia OpenID Connect Provider." +description: "Integrating Outline with the Authelia OpenID Connect 1.0 Provider." lead: "" date: 2022-08-12T09:11:42+10:00 draft: false diff --git a/docs/content/en/integration/openid-connect/portainer/index.md b/docs/content/en/integration/openid-connect/portainer/index.md index 1dee69eb5..7160be3e5 100644 --- a/docs/content/en/integration/openid-connect/portainer/index.md +++ b/docs/content/en/integration/openid-connect/portainer/index.md @@ -1,6 +1,6 @@ --- title: "Portainer" -description: "Integrating Portainer with the Authelia OpenID Connect Provider." +description: "Integrating Portainer with the Authelia OpenID Connect 1.0 Provider." lead: "" date: 2022-06-15T17:51:47+10:00 draft: false 
diff --git a/docs/content/en/integration/openid-connect/proxmox/index.md b/docs/content/en/integration/openid-connect/proxmox/index.md index 0771e34fb..d83834e23 100644 --- a/docs/content/en/integration/openid-connect/proxmox/index.md +++ b/docs/content/en/integration/openid-connect/proxmox/index.md @@ -1,6 +1,6 @@ --- title: "Proxmox" -description: "Integrating Proxmox with the Authelia OpenID Connect Provider." +description: "Integrating Proxmox with the Authelia OpenID Connect 1.0 Provider." lead: "" date: 2022-06-15T17:51:47+10:00 draft: false diff --git a/docs/content/en/integration/openid-connect/seafile/index.md b/docs/content/en/integration/openid-connect/seafile/index.md index 5486f17d4..f68dc0100 100644 --- a/docs/content/en/integration/openid-connect/seafile/index.md +++ b/docs/content/en/integration/openid-connect/seafile/index.md @@ -1,6 +1,6 @@ --- title: "Seafile" -description: "Integrating Seafile with the Authelia OpenID Connect Provider." +description: "Integrating Seafile with the Authelia OpenID Connect 1.0 Provider." lead: "" date: 2022-06-15T17:51:47+10:00 draft: false diff --git a/docs/content/en/integration/openid-connect/synapse/index.md b/docs/content/en/integration/openid-connect/synapse/index.md index 76d6f90d3..7a87e40fb 100644 --- a/docs/content/en/integration/openid-connect/synapse/index.md +++ b/docs/content/en/integration/openid-connect/synapse/index.md @@ -1,6 +1,6 @@ --- title: "Synapse" -description: "Integrating Synapse with the Authelia OpenID Connect Provider." +description: "Integrating Synapse with the Authelia OpenID Connect 1.0 Provider." lead: "" date: 2022-06-15T17:51:47+10:00 draft: false diff --git a/docs/content/en/integration/openid-connect/synology-dsm/index.md b/docs/content/en/integration/openid-connect/synology-dsm/index.md index a433b3ec5..62e91bc0f 100644 --- a/docs/content/en/integration/openid-connect/synology-dsm/index.md +++ b/docs/content/en/integration/openid-connect/synology-dsm/index.md 
@@ -1,6 +1,6 @@ --- title: "Synology DSM" -description: "Integrating Synology DSM with the Authelia OpenID Connect Provider." +description: "Integrating Synology DSM with the Authelia OpenID Connect 1.0 Provider." lead: "" date: 2022-10-18T21:22:13+11:00 draft: false diff --git a/docs/content/en/integration/openid-connect/tailscale/index.md b/docs/content/en/integration/openid-connect/tailscale/index.md index 3a3f927dd..0dc1f9056 100644 --- a/docs/content/en/integration/openid-connect/tailscale/index.md +++ b/docs/content/en/integration/openid-connect/tailscale/index.md @@ -1,6 +1,6 @@ --- title: "Tailscale" -description: "Using Authelia as the Tailscale OpenID Connect Provider." +description: "Integrating Tailscale with the Authelia OpenID Connect 1.0 Provider." lead: "" date: 2023-04-23T10:06:28+10:00 draft: false diff --git a/docs/content/en/integration/proxies/nginx.md b/docs/content/en/integration/proxies/nginx.md index c8419f909..540ebe542 100644 --- a/docs/content/en/integration/proxies/nginx.md +++ b/docs/content/en/integration/proxies/nginx.md @@ -466,14 +466,6 @@ and is paired with [authelia-location.conf](#authelia-locationconf).* ## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource. auth_request /internal/authelia/authz; -## Save the upstream authorization response headers from Authelia to variables. -auth_request_set $authorization $upstream_http_authorization; -auth_request_set $proxy_authorization $upstream_http_proxy_authorization; - -## Inject the authorization response headers from the variables into the request made to the backend. -proxy_set_header Authorization $authorization; -proxy_set_header Proxy-Authorization $proxy_authorization; - ## Save the upstream metadata response headers from Authelia to variables. auth_request_set $user $upstream_http_remote_user; auth_request_set $groups $upstream_http_remote_groups; 
@@ -486,10 +478,6 @@ proxy_set_header Remote-Groups $groups; proxy_set_header Remote-Email $email; proxy_set_header Remote-Name $name; -## Include the Set-Cookie header if present. -auth_request_set $cookie $upstream_http_set_cookie; -add_header Set-Cookie $cookie; - ## Configure the redirection when the authz failure occurs. Lines starting with 'Modern Method' and 'Legacy Method' ## should be commented / uncommented as pairs. The modern method uses the session cookies configuration's authelia_url ## value to determine the redirection URL here. It's much simpler and compatible with the mutli-cookie domain easily. diff --git a/docs/content/en/integration/proxies/traefik.md b/docs/content/en/integration/proxies/traefik.md index 8d6b084aa..de53f7eeb 100644 --- a/docs/content/en/integration/proxies/traefik.md +++ b/docs/content/en/integration/proxies/traefik.md @@ -517,7 +517,7 @@ http: ``` {{< /details >}} -## FAQ +## Frequently Asked Questions ### Basic Authentication diff --git a/docs/content/en/overview/authentication/push-notification/index.md b/docs/content/en/overview/authentication/push-notification/index.md index bc6013c45..531c55c32 100644 --- a/docs/content/en/overview/authentication/push-notification/index.md +++ b/docs/content/en/overview/authentication/push-notification/index.md @@ -39,7 +39,7 @@ Now that Authelia is configured, pass the first factor and select the Push notif You should now receive a notification on your mobile phone with all the details about the authentication request. In case you have multiple devices available, you will be asked to select your preferred device. -## FAQ +## Frequently Asked Questions ### Why don't I have access to the *Push Notification* option? diff --git a/docs/content/en/overview/authentication/security-key/index.md b/docs/content/en/overview/authentication/security-key/index.md index 110bdcb76..bbb8f1328 100644 --- a/docs/content/en/overview/authentication/security-key/index.md 
+++ b/docs/content/en/overview/authentication/security-key/index.md @@ -43,7 +43,7 @@ requested: Easy, right?! -## FAQ +## Frequently Asked Questions ### Can I register multiple FIDO2 WebAuthn devices? diff --git a/docs/content/en/overview/security/threat-model.md b/docs/content/en/overview/security/threat-model.md index 812ee3045..ea58779b2 100644 --- a/docs/content/en/overview/security/threat-model.md +++ b/docs/content/en/overview/security/threat-model.md @@ -86,5 +86,5 @@ It's important to note that Authelia is considered running in a trusted environm transmitted unsigned to the backends, meaning a malicious user within the network could pretend to be Authelia and send those headers to bypass authentication and gain access to the service. This could be mitigated by transmitting those headers with a digital signature which could be verified by the backend however, many backends - just won't support it. It has therefore been decided to invest in OpenID Connect instead to solve that authentication - delegation problem. + just won't support it. It has therefore been decided to invest in OpenID Connect 1.0 instead to solve that + authentication delegation problem. diff --git a/docs/content/en/reference/guides/frequently-asked-questions.md b/docs/content/en/reference/guides/frequently-asked-questions.md index 2ce131a3c..077015baa 100644 --- a/docs/content/en/reference/guides/frequently-asked-questions.md +++ b/docs/content/en/reference/guides/frequently-asked-questions.md 
@@ -12,6 +12,24 @@ weight: 220 toc: true --- +## Miscellaneous + +- [Docker](../../integration/deployment/docker.md#frequently-asked-questions) +- [Development](../../contributing/development/environment.md#frequently-asked-questions) + +## Authentication + +- [WebAuthn](../../overview/authentication/security-key/index.md#frequently-asked-questions) +- [Duo](../../overview/authentication/push-notification/index.md#frequently-asked-questions) + +## Proxies + +- [Traefik](../../integration/proxies/traefik.md#frequently-asked-questions) + +## Kubernetes + +- [General](../../integration/kubernetes/introduction.md#frequently-asked-questions) + ## Identity Providers - [OpenID Connect 1.0 Integration](../../integration/openid-connect/frequently-asked-questions.md) diff --git a/docs/content/en/roadmap/active/dashboard-control-panel.md b/docs/content/en/roadmap/active/dashboard-control-panel.md index 4ea61c4c8..4f5087b1c 100644 --- a/docs/content/en/roadmap/active/dashboard-control-panel.md +++ b/docs/content/en/roadmap/active/dashboard-control-panel.md @@ -14,8 +14,8 @@ aliases: - /r/dashboard --- -This feature has several major impacts on other roadmap items. For example several OpenID Connect features would greatly -benefit from a dashboard. It would also be important when we implement WebAuthn features like passwordless +This feature has several major impacts on other roadmap items. For example several OpenID Connect 1.0 features would +greatly benefit from a dashboard. It would also be important when we implement WebAuthn features like passwordless authentication allowing users to intentionally register a passwordless credential. ## Stages diff --git a/docs/content/en/roadmap/active/openid-connect.md b/docs/content/en/roadmap/active/openid-connect.md index fd1b02b19..658bc0acf 100644 --- a/docs/content/en/roadmap/active/openid-connect.md +++ b/docs/content/en/roadmap/active/openid-connect.md 
@@ -1,7 +1,7 @@ --- -title: "OpenID Connect" -description: "Authelia OpenID Connect Implementation" -lead: "The OpenID Connect Provider role is a very useful but complex feature to enhance interoperability of Authelia with other products. " +title: "OpenID Connect 1.0" +description: "Authelia OpenID Connect 1.0 Provider Implementation" +lead: "The OpenID Connect 1.0 Provider role is a very useful but complex feature to enhance interoperability of Authelia with other products. " date: 2022-06-15T17:51:47+10:00 draft: false images: [] 
@@ -15,14 +15,15 @@ aliases: - /docs/roadmap/oidc.html --- -We have decided to implement [OpenID Connect] as a beta feature, it's suggested you only utilize it for testing and -providing feedback, and should take caution in relying on it in production as of now. [OpenID Connect] and it's related -endpoints are not enabled by default unless you specifically configure the [OpenID Connect] section. +We have decided to implement [OpenID Connect 1.0] as a beta feature, it's suggested you only utilize it for testing and +providing feedback, and should take caution in relying on it in production as of now. [OpenID Connect 1.0] and it's +related endpoints are not enabled by default unless you specifically configure the [OpenID Connect 1.0] section. -As [OpenID Connect] is fairly complex (the [OpenID Connect] Provider role especially so) it's intentional that it is -both a beta and that the implemented features are part of a thoughtful roadmap. Items that are not immediately obvious -as required (i.e. bug fixes or spec features), will likely be discussed in team meetings or on GitHub issues before -being added to the list. We want to implement this feature in a very thoughtful way in order to avoid security issues. +As [OpenID Connect 1.0] is fairly complex (the [OpenID Connect 1.0] Provider role especially so) it's intentional that +it is both a beta and that the implemented features are part of a thoughtful roadmap. Items that are not immediately +obvious as required (i.e. bug fixes or spec features), will likely be discussed in team meetings or on GitHub issues +before being added to the list. We want to implement this feature in a very thoughtful way in order to avoid security +issues. ## Stages 
@@ -38,7 +39,7 @@ Feature List: * [User Consent](https://openid.net/specs/openid-connect-core-1_0.html#Consent) * [Authorization Code Flow](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowSteps) -* [OpenID Connect Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html) +* [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html) * [RS256 Signature Strategy](https://datatracker.ietf.org/doc/html/rfc7518#section-3.1) * Per Client Scope/Grant Type/Response Type Restriction * Per Client Authorization Policy (1FA/2FA) @@ -64,7 +65,7 @@ Feature List: Feature List: -* [Proof Key Code Exchange (PKCE)] for Authorization Code Flow +* [RFC7636: Proof Key for Code Exchange (PKCE)] for Authorization Code Flow * Claims: * `preferred_username` - sending the username in this claim instead of the `sub` claim. @@ -79,12 +80,12 @@ Feature List: * Auditable Information * Subject to User Mapping * Opaque [RFC4122] UUID v4's for subject identifiers -* Support for Pairwise and Plain subject identifier types as per [OpenID Connect Core (Subject Identifier Types)] - * Utilize the pairwise example method 3 as per [OpenID Connect Core (Pairwise Identifier Algorithm)] +* Support for Pairwise and Plain subject identifier types as per [OpenID Connect Core 1.0 (Subject Identifier Types)] + * Utilize the pairwise example method 3 as per [OpenID Connect Core 1.0 (Pairwise Identifier Algorithm)] * Claims: * `sub` - replace username with opaque random [RFC4122] UUID v4 * `amr` - authentication method references as per [RFC8176] - * `azp` - authorized party as per [OpenID Connect Core (ID Token)] + * `azp` - authorized party as per [OpenID Connect Core 1.0 (ID Token)] * `client_id` - the Client ID as per [RFC8693 Section 4.3] * [Cross Origin Resource Sharing] (CORS): * Automatically allow all cross-origin requests to the discovery endpoints 
@@ -106,7 +107,7 @@ Feature List: * Implicit: * Not expressly standards compliant * Never asks for end-user consent - * Not compatible with the consent prompt type + * Not compatible with the `consent` prompt type * Pre-Configured: * Allows users to save consent sessions for a duration configured by the administrator * Operates nearly identically to the explicit consent mode @@ -115,15 +116,15 @@ Feature List: {{< roadmap-status stage="in-progress" version="v4.38.0" >}} -* [RFC9126: OAuth 2.0 Pushed Authorization Requests](https://datatracker.ietf.org/doc/html/rfc9126) -* [RFC7523: JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants](https://datatracker.ietf.org/doc/html/rfc7523): +* [RFC9126: OAuth 2.0 Pushed Authorization Requests] +* [RFC7523: JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants]: * Client Auth Method `client_secret_jwt` * Client Auth Method `private_key_jwt` -* Per-Client [Proof Key Code Exchange (PKCE)] Policy +* Per-Client [RFC7636: Proof Key for Code Exchange (PKCE)] Policy * Multiple Issuer JWKs: - * RS256, RS384, RS512 - * PS256, PS384, PS512 - * ES256, ES384, ES512 + * `RS256`, `RS384`, `RS512` + * `PS256`, `PS384`, `PS512` + * `ES256`, `ES384`, `ES512` ### Beta 7 @@ -134,7 +135,7 @@ Feature List: * Prompt Handling * Display Handling -See [OpenID Connect Core (Mandatory to Implement Features for All OpenID Providers)]. +See [OpenID Connect Core 1.0 (Mandatory to Implement Features for All OpenID Providers)]. ### Beta 8 
@@ -144,6 +145,15 @@ Feature List: * Revoke Tokens on User Logout or Expiration * [JSON Web Key Rotation](https://openid.net/specs/openid-connect-messages-1_0-20.html#rotate.sig.keys) +* In-Storage Configuration: + * Multi-Issuer Configuration (require one per Issuer URL) + * Dynamically Configured via CLI + * Import from YAML: + * Manual method + * Bootstrap method: + * Defaults to one time only + * Can optionally override the database configuration + * Salt (random) and/or Peppered (storage encryption) Client Credentials ### General Availability @@ -151,7 +161,7 @@ Feature List: Feature List: -* Enable by Default +* ~~Enable by Default~~ * Only after all previous stages are checked for bugs ### Miscellaneous @@ -162,13 +172,13 @@ This stage lists features which individually do not fit into a specific stage an {{< roadmap-status >}} -See the [OpenID Connect] website for the [OpenID Connect Dynamic Client Registration] specification. +See the [OpenID Connect 1.0] website for the [OpenID Connect Dynamic Client Registration 1.0] specification. #### OpenID Connect Back-Channel Logout {{< roadmap-status >}} -See the [OpenID Connect] website for the [OpenID Connect Back-Channel Logout] specification. +See the [OpenID Connect 1.0] website for the [OpenID Connect Back-Channel Logout 1.0] specification. Should be implemented alongside [Dynamic Client Registration](#openid-connect-dynamic-client-registration). @@ -176,7 +186,7 @@ Should be implemented alongside [Dynamic Client Registration](#openid-connect-dy {{< roadmap-status >}} -See the [OpenID Connect] website for the [OpenID Connect Front-Channel Logout] specification. +See the [OpenID Connect 1.0] website for the [OpenID Connect Front-Channel Logout 1.0] specification. Should be implemented alongside [Dynamic Client Registration](#openid-connect-dynamic-client-registration). 
@@ -190,7 +200,7 @@ See the [IETF Specification RFC8414](https://datatracker.ietf.org/doc/html/rfc84 {{< roadmap-status >}} -See the [OpenID Connect] website for the [OpenID Connect Session Management] specification. +See the [OpenID Connect 1.0] website for the [OpenID Connect Session Management 1.0] specification. #### End-User Scope Grants 
@@ -216,14 +226,17 @@ The `preferred_username` claim was missing and was fixed. [RFC8693 Section 4.3]: https://datatracker.ietf.org/doc/html/rfc8693/#section-4.3 [RFC4122]: https://datatracker.ietf.org/doc/html/rfc4122 -[OpenID Connect]: https://openid.net/connect/ -[OpenID Connect Front-Channel Logout]: https://openid.net/specs/openid-connect-frontchannel-1_0.html -[OpenID Connect Back-Channel Logout]: https://openid.net/specs/openid-connect-backchannel-1_0.html -[OpenID Connect Session Management]: https://openid.net/specs/openid-connect-session-1_0.html -[OpenID Connect Dynamic Client Registration]: https://openid.net/specs/openid-connect-registration-1_0.html +[OpenID Connect 1.0]: https://openid.net/connect/ +[OpenID Connect Front-Channel Logout 1.0]: https://openid.net/specs/openid-connect-frontchannel-1_0.html +[OpenID Connect Back-Channel Logout 1.0]: https://openid.net/specs/openid-connect-backchannel-1_0.html +[OpenID Connect Session Management 1.0]: https://openid.net/specs/openid-connect-session-1_0.html +[OpenID Connect Dynamic Client Registration 1.0]: https://openid.net/specs/openid-connect-registration-1_0.html -[OpenID Connect Core (ID Token)]: https://openid.net/specs/openid-connect-core-1_0.html#IDToken -[OpenID Connect Core (Subject Identifier Types)]: https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes -[OpenID Connect Core (Pairwise Identifier Algorithm)]: https://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg -[OpenID Connect Core (Mandatory to Implement Features for All OpenID Providers)]: https://openid.net/specs/openid-connect-core-1_0.html#ServerMTI -[Proof Key Code Exchange (PKCE)]: https://datatracker.ietf.org/doc/html/rfc7636 +[OpenID Connect Core 1.0 (ID Token)]: https://openid.net/specs/openid-connect-core-1_0.html#IDToken +[OpenID Connect Core 1.0 (Subject Identifier Types)]: https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes +[OpenID Connect Core 1.0 (Pairwise Identifier Algorithm)]: 
https://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg +[OpenID Connect Core 1.0 (Mandatory to Implement Features for All OpenID Providers)]: https://openid.net/specs/openid-connect-core-1_0.html#ServerMTI + +[RFC7636: Proof Key for Code Exchange (PKCE)]: https://datatracker.ietf.org/doc/html/rfc7636 +[RFC7523: JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants]: https://datatracker.ietf.org/doc/html/rfc7523 +[RFC9126: OAuth 2.0 Pushed Authorization Requests]: https://datatracker.ietf.org/doc/html/rfc9126 diff --git a/docs/content/en/roadmap/prologue/introduction.md b/docs/content/en/roadmap/prologue/introduction.md index 10c2dbe7c..68dcbc56b 100644 --- a/docs/content/en/roadmap/prologue/introduction.md +++ b/docs/content/en/roadmap/prologue/introduction.md @@ -25,7 +25,7 @@ be glad to share ideas and plans with you. This is a summary of the features which are currently on the roadmap with links to further details: 1. [WebAuthn](../active/webauthn.md) -2. [OpenID Connect Provider](../active/openid-connect.md) +2. [OpenID Connect 1.0 Provider](../active/openid-connect.md) 3. [Internationalization or Multilingual Support](../active/internationalization.md) 4. [Multiple Domain Protection](../active/multi-domain-protection.md) 5. [Control Panel / Dashboard for User / Administration Settings](../active/dashboard-control-panel.md) diff --git a/internal/oidc/store.go b/internal/oidc/store.go index 23a591ea0..788de40ab 100644 --- a/internal/oidc/store.go +++ b/internal/oidc/store.go 
@@ -244,8 +244,8 @@ func (s *Store) GetPKCERequestSession(ctx context.Context, signature string, ses return s.loadRequesterBySignature(ctx, storage.OAuth2SessionTypePKCEChallenge, signature, session) } -// CreateOpenIDConnectSession creates an open id connect session for a given authorize code. -// This is relevant for explicit open id connect flow. +// CreateOpenIDConnectSession creates an OpenID Connect 1.0 connect session for a given authorize code. +// This is relevant for explicit OpenID Connect 1.0 flow. // This implements a portion of openid.OpenIDConnectRequestStorage. func (s *Store) CreateOpenIDConnectSession(ctx context.Context, authorizeCode string, request fosite.Requester) (err error) { return s.saveSession(ctx, storage.OAuth2SessionTypeOpenIDConnect, authorizeCode, request)
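Review bot: dropping `auth_request_set $cookie $upstream_http_set_cookie;` and `add_header Set-Cookie $cookie;` from the nginx `auth_request` snippet (hunk `@@ -486,10 +478,6 @@`) is a behavioural change to the documented configuration, not a wording fix, and nothing in the patch says why it is safe. `auth_request` does not forward response headers from the subrequest on its own, so that pair was what carried a `Set-Cookie` emitted by the authz endpoint back to the browser; if the endpoint no longer sets cookies on that path, state that in the commit, otherwise keep the lines. While touching this block, the untouched context line still reads `mutli-cookie`.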
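Review bot: the new index in `reference/guides/frequently-asked-questions.md` links to `#frequently-asked-questions` fragments in `integration/deployment/docker.md`, `contributing/development/environment.md` and `integration/kubernetes/introduction.md`, but the only `## FAQ` to `## Frequently Asked Questions` renames in this patch are in `traefik.md`, `push-notification/index.md` and `security-key/index.md`. Please confirm those three other headings already use the long form, or add the rename, otherwise the links resolve to a missing fragment. Note also that renaming the heading changes the generated fragment from `#faq`, so any existing inbound links to the old anchor need updating.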
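Review bot: the `lead:` value in the roadmap front matter (hunk `@@ -1,7 +1,7 @@` of `roadmap/active/openid-connect.md`) ends with a trailing space before the closing quote, `...with other products. "`, carried over from the old line; trim it while the line is being rewritten.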
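Review bot: the reflowed intro paragraph (hunk `@@ -15,14 +15,15 @@`) keeps `[OpenID Connect 1.0] and it's related endpoints`; `it's` should be the possessive `its`. Since these lines are being rewritten anyway, fix it in the same hunk.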
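Review bot: `Salt (random) and/or Peppered (storage encryption) Client Credentials` in the Beta 8 list (hunk `@@ -144,6 +145,15 @@`) conflates two different mechanisms: a pepper is a secret mixed into the input of a one-way hash, whereas storage encryption is reversible and yields the plaintext back. Spell out which is meant, because the choice constrains the Beta 6 items in the preceding hunk: `client_secret_jwt` (RFC 7523) is verified with an HMAC keyed by the client secret, so the provider must be able to recover the plaintext secret, and salted one-way hashing of client credentials cannot serve that method; `private_key_jwt` has no such dependency.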
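Review bot: striking `Enable by Default` (hunk `@@ -151,7 +161,7 @@`) leaves the indented sub-bullet `Only after all previous stages are checked for bugs` attached to nothing. Either strike it as well or replace the parent with the decision it now qualifies, for example that the provider stays opt-in; as written the General Availability feature list reads as empty.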
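Review bot: in the reference definitions (hunk `@@ -216,14 +226,17 @@`) the `[OpenID Connect Core 1.0 (Pairwise Identifier Algorithm)]:` label is separated from its destination `https://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg`, which follows on the next line, unlike every other definition in the block. CommonMark does accept the destination on the following line, but keep it on one line for consistency and so line-oriented link checks still find it.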
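Review bot: the updated doc comment on `CreateOpenIDConnectSession` in `internal/oidc/store.go` reads `creates an OpenID Connect 1.0 connect session`, doubling `connect`; suggest `creates an OpenID Connect 1.0 session for a given authorize code`. The second line, `explicit OpenID Connect 1.0 flow`, is fine.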