Merge remote-tracking branch 'origin/master' into feat-settings-ui
commit
b4083df061
|
@ -31,14 +31,14 @@ with all major proxies supported excluding Microsoft IIS.
|
||||||
[Envoy]: https://www.envoyproxy.io/
|
[Envoy]: https://www.envoyproxy.io/
|
||||||
[Istio]: https://istio.io/
|
[Istio]: https://istio.io/
|
||||||
|
|
||||||
## OpenID Connect Improvements
|
## OpenID Connect 1.0 Improvements
|
||||||
|
|
||||||
Several items from the [OpenID Connect Roadmap](../../roadmap/active/openid-connect.md) are being checked off in this
|
Several items from the [OpenID Connect 1.0 Roadmap](../../roadmap/active/openid-connect.md) are being checked off in this
|
||||||
release.
|
release.
|
||||||
|
|
||||||
### Hashed Client Secrets
|
### Hashed Client Secrets
|
||||||
|
|
||||||
We'll be supporting hashed OpenID Connect client secrets in this release. People will still be able to use plaintext
|
We'll be supporting hashed OpenID Connect 1.0 client secrets in this release. People will still be able to use plaintext
|
||||||
secrets if they wish however we'll be recommending people utilize PBKDF2, BCrypt or SHA512 SHA2CRYPT (see
|
secrets if they wish however we'll be recommending people utilize PBKDF2, BCrypt or SHA512 SHA2CRYPT (see
|
||||||
[Password Algorithms](#password-algorithms) for a full compatibility list). This doesn't change anything for OpenID
|
[Password Algorithms](#password-algorithms) for a full compatibility list). This doesn't change anything for OpenID
|
||||||
Connect Relying Parties, it only requires a change in the Authelia configuration.
|
Connect Relying Parties, it only requires a change in the Authelia configuration.
|
||||||
|
|
|
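Review bot: the rename is fine, but the surrounding sentence still lacks a comma after `if they wish` and `SHA512 SHA2CRYPT` reads oddly; consider `PBKDF2, bcrypt, or SHA512 (SHA2CRYPT)` while these lines are being touched. It would also help to state what hashing buys the operator: with a hashed client secret in the Authelia configuration, an exposed configuration file does not hand out a working client credential, which is the reason for the recommendation even though the Relying Party keeps using the plaintext secret.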
@ -14,6 +14,6 @@ aliases:
|
||||||
- /docs/configuration/identity-providers/
|
- /docs/configuration/identity-providers/
|
||||||
---
|
---
|
||||||
|
|
||||||
## OpenID Connect
|
## OpenID Connect 1.0
|
||||||
|
|
||||||
The only identity provider implementation supported at this time is [OpenID Connect 1.0](openid-connect/provider.md).
|
The only identity provider implementation supported at this time is [OpenID Connect 1.0](openid-connect/provider.md).
|
||||||
|
|
|
@ -16,8 +16,8 @@ This section covers specifics regarding configuring the providers registered cli
|
||||||
provider specific configuration and information not related to clients see the [OpenID Connect 1.0 Provider](provider.md)
|
provider specific configuration and information not related to clients see the [OpenID Connect 1.0 Provider](provider.md)
|
||||||
documentation.
|
documentation.
|
||||||
|
|
||||||
More information about OpenID Connect can be found in the [roadmap](../../../roadmap/active/openid-connect.md) and in the
|
More information about OpenID Connect 1.0 can be found in the [roadmap](../../../roadmap/active/openid-connect.md) and
|
||||||
[integration](../../../integration/openid-connect/introduction.md) documentation.
|
in the [integration](../../../integration/openid-connect/introduction.md) documentation.
|
||||||
|
|
||||||
## Configuration
|
## Configuration
|
||||||
|
|
||||||
|
|
|
@ -299,9 +299,9 @@ Allows additional debug messages to be sent to the clients.
|
||||||
This controls the minimum length of the `nonce` and `state` parameters.
|
This controls the minimum length of the `nonce` and `state` parameters.
|
||||||
|
|
||||||
*__Security Notice:__* Changing this value is generally discouraged, reducing it from the default can theoretically
|
*__Security Notice:__* Changing this value is generally discouraged, reducing it from the default can theoretically
|
||||||
make certain scenarios less secure. It is highly encouraged that if your OpenID Connect RP does not send these
|
make certain scenarios less secure. It is highly encouraged that if your OpenID Connect 1.0 Relying Party does not send
|
||||||
parameters or sends parameters with a lower length than the default that they implement a change rather than changing
|
these parameters or sends parameters with a lower length than the default that they implement a change rather than
|
||||||
this value.
|
changing this value.
|
||||||
|
|
||||||
### enforce_pkce
|
### enforce_pkce
|
||||||
|
|
||||||
|
|
|
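Review bot: the notice says reducing the minimum length "can theoretically make certain scenarios less secure" without naming them; one sentence on what each parameter defends would make the warning actionable: `state` binds the authorization response to the request that started it (protecting the redirect against cross-site request forgery) and `nonce` binds the ID Token to the client session (protecting against token replay), so a short or predictable value weakens both. Also `Relying Party` is capitalised here while `relying parties` is lower-case in the introduction hunk of this same commit; pick one form.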
@ -16,7 +16,7 @@ Environment variables are applied after the configuration file meaning anything
|
||||||
overrides the configuration files.
|
overrides the configuration files.
|
||||||
|
|
||||||
*__Please Note:__ It is not possible to configure several sections at this time, these include but may not be
|
*__Please Note:__ It is not possible to configure several sections at this time, these include but may not be
|
||||||
limited to the rules section in access control, the clients section in the OpenID Connect identity provider, the cookies
|
limited to the rules section in access control, the clients section in the OpenID Connect 1.0 Provider, the cookies
|
||||||
section of in session, and the authz section in the server endpoints.*
|
section of in session, and the authz section in the server endpoints.*
|
||||||
|
|
||||||
## Prefix
|
## Prefix
|
||||||
|
|
|
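Review bot: the context line `section of in session` is a typo (`section of session` or `section in session`) and is worth fixing while this paragraph is being edited.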
@ -63,9 +63,9 @@ authelia --config configuration.yml,config-acl.yml,config-other.yml
|
||||||
Authelia's configuration files use the YAML format. A template with all possible options can be found at the root of the
|
Authelia's configuration files use the YAML format. A template with all possible options can be found at the root of the
|
||||||
repository {{< github-link name="here" path="config.template.yml" >}}.
|
repository {{< github-link name="here" path="config.template.yml" >}}.
|
||||||
|
|
||||||
*__Important Note:__ You should not have configuration sections such as Access Control Rules or OpenID Connect clients
|
*__Important Note:__ You should not have configuration sections such as Access Control Rules or OpenID Connect 1.0
|
||||||
configured in multiple files. If you wish to split these into their own files that is fine, but if you have two files that
|
clients configured in multiple files. If you wish to split these into their own files that is fine, but if you have two
|
||||||
specify these sections and expect them to merge properly you are asking for trouble.*
|
files that specify these sections and expect them to merge properly you are asking for trouble.*
|
||||||
|
|
||||||
### Container
|
### Container
|
||||||
|
|
||||||
|
|
|
@ -24,16 +24,24 @@ server:
|
||||||
authz:
|
authz:
|
||||||
forward-auth:
|
forward-auth:
|
||||||
implementation: 'ForwardAuth'
|
implementation: 'ForwardAuth'
|
||||||
authn_strategies: []
|
authn_strategies:
|
||||||
|
- name: 'HeaderProxyAuthorization'
|
||||||
|
- name: 'CookieSession'
|
||||||
ext-authz:
|
ext-authz:
|
||||||
implementation: 'ExtAuthz'
|
implementation: 'ExtAuthz'
|
||||||
authn_strategies: []
|
authn_strategies:
|
||||||
|
- name: 'HeaderProxyAuthorization'
|
||||||
|
- name: 'CookieSession'
|
||||||
auth-request:
|
auth-request:
|
||||||
implementation: 'AuthRequest'
|
implementation: 'AuthRequest'
|
||||||
authn_strategies: []
|
authn_strategies:
|
||||||
|
- name: 'HeaderAuthRequestProxyAuthorization'
|
||||||
|
- name: 'CookieSession'
|
||||||
legacy:
|
legacy:
|
||||||
implementation: 'Legacy'
|
implementation: 'Legacy'
|
||||||
authn_strategies: []
|
authn_strategies:
|
||||||
|
- name: 'HeaderLegacy'
|
||||||
|
- name: 'CookieSession'
|
||||||
```
|
```
|
||||||
|
|
||||||
## Name
|
## Name
|
||||||
|
|
|
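Review bot: replacing `authn_strategies: []` with explicit lists is a real improvement, but two things stay implicit: whether list order is evaluation order (the header strategy precedes `CookieSession` in every block, which suggests a header wins when both are present), and why the `auth-request` block uses `HeaderAuthRequestProxyAuthorization` where the others use `HeaderProxyAuthorization`. A sentence on each under the relevant option, or a comment in the YAML, would save readers a trip to the source. Please also confirm these lists match the defaults the code applies when the key is omitted; a documented default that drifts from the real one is worse than `[]`.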
@ -89,6 +89,6 @@ Please see the [documentation](../prologue/common.md#duration) on this format fo
|
||||||
|
|
||||||
This adjusts the requested timeout for a WebAuthn interaction.
|
This adjusts the requested timeout for a WebAuthn interaction.
|
||||||
|
|
||||||
## FAQ
|
## Frequently Asked Questions
|
||||||
|
|
||||||
See the [Security Key FAQ](../../overview/authentication/security-key/index.md#faq) for the FAQ.
|
See the [Security Key FAQ](../../overview/authentication/security-key/index.md#frequently-asked-questions) for the FAQ.
|
||||||
|
|
|
@ -32,9 +32,9 @@ this instance if you wanted to downgrade to pre1 you would need to use an Authel
|
||||||
| 1 | 4.33.0 | Initial migration managed version |
|
| 1 | 4.33.0 | Initial migration managed version |
|
||||||
| 2 | 4.34.0 | WebAuthn - added webauthn_devices table, altered totp_config to include device created/used dates |
|
| 2 | 4.34.0 | WebAuthn - added webauthn_devices table, altered totp_config to include device created/used dates |
|
||||||
| 3 | 4.34.2 | WebAuthn - fix V2 migration kid column length and provide migration path for anyone on V2 |
|
| 3 | 4.34.2 | WebAuthn - fix V2 migration kid column length and provide migration path for anyone on V2 |
|
||||||
| 4 | 4.35.0 | Added OpenID Connect storage tables and opaque user identifier tables |
|
| 4 | 4.35.0 | Added OpenID Connect 1.0 storage tables and opaque user identifier tables |
|
||||||
| 5 | 4.35.1 | Fixed the oauth2_consent_session table to accept NULL subjects for users who are not yet signed in |
|
| 5 | 4.35.1 | Fixed the oauth2_consent_session table to accept NULL subjects for users who are not yet signed in |
|
||||||
| 6 | 4.37.0 | Adjusted the OpenID Connect tables to allow pre-configured consent improvements |
|
| 6 | 4.37.0 | Adjusted the OpenID Connect 1.0 tables to allow pre-configured consent improvements |
|
||||||
| 7 | 4.37.3 | Fixed some schema inconsistencies most notably the MySQL/MariaDB Engine and Collation |
|
| 7 | 4.37.3 | Fixed some schema inconsistencies most notably the MySQL/MariaDB Engine and Collation |
|
||||||
| 8 | 4.38.0 | OpenID Connect 1.0 Pushed Authorization Requests |
|
| 8 | 4.38.0 | OpenID Connect 1.0 Pushed Authorization Requests |
|
||||||
| 9 | 4.38.0 | Fix a PostgreSQL NOT NULL constraint issue on the `aaguid` column of the `webauthn_devices` table |
|
| 9 | 4.38.0 | Fix a PostgreSQL NOT NULL constraint issue on the `aaguid` column of the `webauthn_devices` table |
|
||||||
|
|
|
@ -62,7 +62,7 @@ There is a scripting context provided with __Authelia__ which can easily be conf
|
||||||
[suites] and various other tasks. Read more about it in the [authelia-scripts](reference-authelia-scripts.md) reference
|
[suites] and various other tasks. Read more about it in the [authelia-scripts](reference-authelia-scripts.md) reference
|
||||||
guide.
|
guide.
|
||||||
|
|
||||||
## FAQ
|
## Frequently Asked Questions
|
||||||
|
|
||||||
### Do you support development under Windows or OSX?
|
### Do you support development under Windows or OSX?
|
||||||
|
|
||||||
|
|
|
@ -210,7 +210,7 @@ running the following command:
|
||||||
grep -Eo '"https://.*" ' ./authelia/notification.txt.
|
grep -Eo '"https://.*" ' ./authelia/notification.txt.
|
||||||
```
|
```
|
||||||
|
|
||||||
## FAQ
|
## Frequently Asked Questions
|
||||||
|
|
||||||
#### Running the Proxy on the Host Instead of in a Container
|
#### Running the Proxy on the Host Instead of in a Container
|
||||||
|
|
||||||
|
|
|
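Review bot: the context line `grep -Eo '"https://.*" ' ./authelia/notification.txt.` carries a trailing `.` inside the code block, so copying it verbatim makes grep look for a file named `notification.txt.`; worth dropping the period in a follow-up since this hunk only touches the heading.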
@ -63,7 +63,7 @@ spec:
|
||||||
...
|
...
|
||||||
```
|
```
|
||||||
|
|
||||||
## FAQ
|
## Frequently Asked Questions
|
||||||
|
|
||||||
### RAM usage
|
### RAM usage
|
||||||
|
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
title: "OpenID Connect"
|
title: "OpenID Connect 1.0"
|
||||||
description: "OpenID Connect Integration"
|
description: "OpenID Connect 1.0 Integration"
|
||||||
lead: ""
|
lead: ""
|
||||||
date: 2022-06-15T17:51:47+10:00
|
date: 2022-06-15T17:51:47+10:00
|
||||||
draft: false
|
draft: false
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
title: "Apache Guacamole"
|
title: "Apache Guacamole"
|
||||||
description: "Integrating Apache Guacamole with the Authelia OpenID Connect Provider."
|
description: "Integrating Apache Guacamole with the Authelia OpenID Connect 1.0 Provider."
|
||||||
lead: ""
|
lead: ""
|
||||||
date: 2022-07-31T13:09:05+10:00
|
date: 2022-07-31T13:09:05+10:00
|
||||||
draft: false
|
draft: false
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
title: "Argo CD"
|
title: "Argo CD"
|
||||||
description: "Integrating Argo CD with the Authelia OpenID Connect Provider."
|
description: "Integrating Argo CD with the Authelia OpenID Connect 1.0 Provider."
|
||||||
lead: ""
|
lead: ""
|
||||||
date: 2022-07-13T04:27:30+10:00
|
date: 2022-07-13T04:27:30+10:00
|
||||||
draft: false
|
draft: false
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
title: "BookStack"
|
title: "BookStack"
|
||||||
description: "Integrating BookStack with the Authelia OpenID Connect Provider."
|
description: "Integrating BookStack with the Authelia OpenID Connect 1.0 Provider."
|
||||||
lead: ""
|
lead: ""
|
||||||
date: 2022-06-15T17:51:47+10:00
|
date: 2022-06-15T17:51:47+10:00
|
||||||
draft: false
|
draft: false
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
title: "Cloudflare Zero Trust"
|
title: "Cloudflare Zero Trust"
|
||||||
description: "Integrating Cloudflare Zero Trust with the Authelia OpenID Connect Provider."
|
description: "Integrating Cloudflare Zero Trust with the Authelia OpenID Connect 1.0 Provider."
|
||||||
lead: ""
|
lead: ""
|
||||||
date: 2022-06-15T17:51:47+10:00
|
date: 2022-06-15T17:51:47+10:00
|
||||||
draft: false
|
draft: false
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
title: "Firezone"
|
title: "Firezone"
|
||||||
description: "Integrating Firezone with the Authelia OpenID Connect Provider."
|
description: "Integrating Firezone with the Authelia OpenID Connect 1.0 Provider."
|
||||||
lead: ""
|
lead: ""
|
||||||
date: 2023-03-28T20:29:13+11:00
|
date: 2023-03-28T20:29:13+11:00
|
||||||
draft: false
|
draft: false
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
title: "Frequently Asked Questions"
|
title: "Frequently Asked Questions"
|
||||||
description: "Frequently Asked Questions regarding integrating the Authelia OpenID Connect Provider with an OpenID Connect relying party"
|
description: "Frequently Asked Questions regarding integrating the Authelia OpenID Connect 1.0 Provider with an OpenID Connect 1.0 Relying Party"
|
||||||
lead: "Frequently Asked Questions regarding integrating the Authelia OpenID Connect Provider with an OpenID Connect relying party."
|
lead: "Frequently Asked Questions regarding integrating the Authelia OpenID Connect 1.0 Provider with an OpenID Connect 1.0 Relying Party."
|
||||||
date: 2022-10-20T15:27:09+11:00
|
date: 2022-10-20T15:27:09+11:00
|
||||||
draft: false
|
draft: false
|
||||||
images: []
|
images: []
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
title: "Gitea"
|
title: "Gitea"
|
||||||
description: "Integrating Gitea with the Authelia OpenID Connect Provider."
|
description: "Integrating Gitea with the Authelia OpenID Connect 1.0 Provider."
|
||||||
lead: ""
|
lead: ""
|
||||||
date: 2022-07-01T13:07:02+10:00
|
date: 2022-07-01T13:07:02+10:00
|
||||||
draft: false
|
draft: false
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
title: "GitLab"
|
title: "GitLab"
|
||||||
description: "Integrating GitLab with the Authelia OpenID Connect Provider."
|
description: "Integrating GitLab with the Authelia OpenID Connect 1.0 Provider."
|
||||||
lead: ""
|
lead: ""
|
||||||
date: 2022-06-15T17:51:47+10:00
|
date: 2022-06-15T17:51:47+10:00
|
||||||
draft: false
|
draft: false
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
title: "Grafana"
|
title: "Grafana"
|
||||||
description: "Integrating Grafana with the Authelia OpenID Connect Provider."
|
description: "Integrating Grafana with the Authelia OpenID Connect 1.0 Provider."
|
||||||
lead: ""
|
lead: ""
|
||||||
date: 2022-06-15T17:51:47+10:00
|
date: 2022-06-15T17:51:47+10:00
|
||||||
draft: false
|
draft: false
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
title: "Harbor"
|
title: "Harbor"
|
||||||
description: "Integrating Harbor with the Authelia OpenID Connect Provider."
|
description: "Integrating Harbor with the Authelia OpenID Connect 1.0 Provider."
|
||||||
lead: ""
|
lead: ""
|
||||||
date: 2022-06-15T17:51:47+10:00
|
date: 2022-06-15T17:51:47+10:00
|
||||||
draft: false
|
draft: false
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
title: "HashiCorp Vault"
|
title: "HashiCorp Vault"
|
||||||
description: "Integrating HashiCorp Vault with the Authelia OpenID Connect Provider."
|
description: "Integrating HashiCorp Vault with the Authelia OpenID Connect 1.0 Provider."
|
||||||
lead: ""
|
lead: ""
|
||||||
date: 2022-06-15T17:51:47+10:00
|
date: 2022-06-15T17:51:47+10:00
|
||||||
draft: false
|
draft: false
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
title: "OpenID Connect"
|
title: "OpenID Connect"
|
||||||
description: "An introduction into integrating the Authelia OpenID Connect Provider with an OpenID Connect relying party"
|
description: "An introduction into integrating the Authelia OpenID Connect 1.0 Provider with an OpenID Connect 1.0 Relying Party"
|
||||||
lead: "An introduction into integrating the Authelia OpenID Connect Provider with an OpenID Connect relying party."
|
lead: "An introduction into integrating the Authelia OpenID Connect 1.0 Provider with an OpenID Connect 1.0 Relying Party."
|
||||||
date: 2022-06-15T17:51:47+10:00
|
date: 2022-06-15T17:51:47+10:00
|
||||||
draft: false
|
draft: false
|
||||||
images: []
|
images: []
|
||||||
|
@ -265,7 +265,7 @@ The following table describes the response from the [UserInfo] endpoint dependin
|
||||||
## Endpoint Implementations
|
## Endpoint Implementations
|
||||||
|
|
||||||
The following section documents the endpoints we implement and their respective paths. This information can
|
The following section documents the endpoints we implement and their respective paths. This information can
|
||||||
traditionally be discovered by relying parties that utilize [OpenID Connect Discovery], however this information may be
|
traditionally be discovered by relying parties that utilize [OpenID Connect Discovery 1.0], however this information may be
|
||||||
useful for clients which do not implement this.
|
useful for clients which do not implement this.
|
||||||
|
|
||||||
The endpoints can be discovered easily by visiting the Discovery and Metadata endpoints. It is recommended regardless
|
The endpoints can be discovered easily by visiting the Discovery and Metadata endpoints. It is recommended regardless
|
||||||
|
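Review bot: the new line `traditionally be discovered by relying parties that utilize [OpenID Connect Discovery 1.0], however this information may be` is 123 characters, over the 120-column wrap the rest of this commit re-flows text to keep (see the clients and security-notice hunks); please re-wrap it. The comma splice before `however` predates this change but could be fixed at the same time.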
@ -275,7 +275,7 @@ below.
|
||||||
|
|
||||||
These tables document the endpoints we currently support and their paths in the most recent version of Authelia. The
|
These tables document the endpoints we currently support and their paths in the most recent version of Authelia. The
|
||||||
paths are appended to the end of the primary URL used to access Authelia. The tables use the url
|
paths are appended to the end of the primary URL used to access Authelia. The tables use the url
|
||||||
https://auth.example.com as an example of the Authelia root URL which is also the OpenID Connect issuer.
|
https://auth.example.com as an example of the Authelia root URL which is also the OpenID Connect 1.0 Issuer.
|
||||||
|
|
||||||
### Well Known Discovery Endpoints
|
### Well Known Discovery Endpoints
|
||||||
|
|
||||||
|
@ -283,12 +283,12 @@ These endpoints can be utilized to discover other endpoints and metadata about t
|
||||||
|
|
||||||
| Endpoint | Path |
|
| Endpoint | Path |
|
||||||
|:-----------------------------------------:|:---------------------------------------------------------------:|
|
|:-----------------------------------------:|:---------------------------------------------------------------:|
|
||||||
| [OpenID Connect Discovery] | https://auth.example.com/.well-known/openid-configuration |
|
| [OpenID Connect Discovery 1.0] | https://auth.example.com/.well-known/openid-configuration |
|
||||||
| [OAuth 2.0 Authorization Server Metadata] | https://auth.example.com/.well-known/oauth-authorization-server |
|
| [OAuth 2.0 Authorization Server Metadata] | https://auth.example.com/.well-known/oauth-authorization-server |
|
||||||
|
|
||||||
### Discoverable Endpoints
|
### Discoverable Endpoints
|
||||||
|
|
||||||
These endpoints implement OpenID Connect elements.
|
These endpoints implement OpenID Connect 1.0 Provider specifications.
|
||||||
|
|
||||||
| Endpoint | Path | Discovery Attribute |
|
| Endpoint | Path | Discovery Attribute |
|
||||||
|:-------------------------------:|:--------------------------------------------------------------:|:-------------------------------------:|
|
|:-------------------------------:|:--------------------------------------------------------------:|:-------------------------------------:|
|
||||||
|
@ -365,7 +365,7 @@ The advantages of this approach are as follows:
|
||||||
|
|
||||||
[OpenID Connect 1.0]: https://openid.net/connect/
|
[OpenID Connect 1.0]: https://openid.net/connect/
|
||||||
|
|
||||||
[OpenID Connect Discovery]: https://openid.net/specs/openid-connect-discovery-1_0.html
|
[OpenID Connect Discovery 1.0]: https://openid.net/specs/openid-connect-discovery-1_0.html
|
||||||
[OAuth 2.0 Authorization Server Metadata]: https://datatracker.ietf.org/doc/html/rfc8414
|
[OAuth 2.0 Authorization Server Metadata]: https://datatracker.ietf.org/doc/html/rfc8414
|
||||||
|
|
||||||
[JSON Web Key Set]: https://datatracker.ietf.org/doc/html/rfc7517#section-5
|
[JSON Web Key Set]: https://datatracker.ietf.org/doc/html/rfc7517#section-5
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
title: "Kasm Workspaces"
|
title: "Kasm Workspaces"
|
||||||
description: "Integrating Kasm Workspaces with the Authelia OpenID Connect Provider."
|
description: "Integrating Kasm Workspaces with the Authelia OpenID Connect 1.0 Provider."
|
||||||
lead: ""
|
lead: ""
|
||||||
date: 2023-04-27T18:40:06+10:00
|
date: 2023-04-27T18:40:06+10:00
|
||||||
draft: false
|
draft: false
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
title: "Komga"
|
title: "Komga"
|
||||||
description: "Integrating Komga with the Authelia OpenID Connect Provider."
|
description: "Integrating Komga with the Authelia OpenID Connect 1.0 Provider."
|
||||||
lead: ""
|
lead: ""
|
||||||
date: 2022-08-26T11:39:00+10:00
|
date: 2022-08-26T11:39:00+10:00
|
||||||
draft: false
|
draft: false
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
title: "MinIO"
|
title: "MinIO"
|
||||||
description: "Integrating MinIO with the Authelia OpenID Connect Provider."
|
description: "Integrating MinIO with the Authelia OpenID Connect 1.0 Provider."
|
||||||
lead: ""
|
lead: ""
|
||||||
date: 2023-03-21T11:21:23+11:00
|
date: 2023-03-21T11:21:23+11:00
|
||||||
draft: false
|
draft: false
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
title: "Misago"
|
title: "Misago"
|
||||||
description: "Integrating Misago with the Authelia OpenID Connect Provider."
|
description: "Integrating Misago with the Authelia OpenID Connect 1.0 Provider."
|
||||||
lead: ""
|
lead: ""
|
||||||
date: 2023-03-14T08:51:13+11:00
|
date: 2023-03-14T08:51:13+11:00
|
||||||
draft: false
|
draft: false
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
title: "Nextcloud"
|
title: "Nextcloud"
|
||||||
description: "Integrating Nextcloud with the Authelia OpenID Connect Provider."
|
description: "Integrating Nextcloud with the Authelia OpenID Connect 1.0 Provider."
|
||||||
lead: ""
|
lead: ""
|
||||||
date: 2022-06-15T17:51:47+10:00
|
date: 2022-06-15T17:51:47+10:00
|
||||||
draft: false
|
draft: false
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
title: "Outline"
|
title: "Outline"
|
||||||
description: "Integrating Outline with the Authelia OpenID Connect Provider."
|
description: "Integrating Outline with the Authelia OpenID Connect 1.0 Provider."
|
||||||
lead: ""
|
lead: ""
|
||||||
date: 2022-08-12T09:11:42+10:00
|
date: 2022-08-12T09:11:42+10:00
|
||||||
draft: false
|
draft: false
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
title: "Portainer"
|
title: "Portainer"
|
||||||
description: "Integrating Portainer with the Authelia OpenID Connect Provider."
|
description: "Integrating Portainer with the Authelia OpenID Connect 1.0 Provider."
|
||||||
lead: ""
|
lead: ""
|
||||||
date: 2022-06-15T17:51:47+10:00
|
date: 2022-06-15T17:51:47+10:00
|
||||||
draft: false
|
draft: false
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
title: "Proxmox"
|
title: "Proxmox"
|
||||||
description: "Integrating Proxmox with the Authelia OpenID Connect Provider."
|
description: "Integrating Proxmox with the Authelia OpenID Connect 1.0 Provider."
|
||||||
lead: ""
|
lead: ""
|
||||||
date: 2022-06-15T17:51:47+10:00
|
date: 2022-06-15T17:51:47+10:00
|
||||||
draft: false
|
draft: false
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
title: "Seafile"
|
title: "Seafile"
|
||||||
description: "Integrating Seafile with the Authelia OpenID Connect Provider."
|
description: "Integrating Seafile with the Authelia OpenID Connect 1.0 Provider."
|
||||||
lead: ""
|
lead: ""
|
||||||
date: 2022-06-15T17:51:47+10:00
|
date: 2022-06-15T17:51:47+10:00
|
||||||
draft: false
|
draft: false
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
title: "Synapse"
|
title: "Synapse"
|
||||||
description: "Integrating Synapse with the Authelia OpenID Connect Provider."
|
description: "Integrating Synapse with the Authelia OpenID Connect 1.0 Provider."
|
||||||
lead: ""
|
lead: ""
|
||||||
date: 2022-06-15T17:51:47+10:00
|
date: 2022-06-15T17:51:47+10:00
|
||||||
draft: false
|
draft: false
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
title: "Synology DSM"
|
title: "Synology DSM"
|
||||||
description: "Integrating Synology DSM with the Authelia OpenID Connect Provider."
|
description: "Integrating Synology DSM with the Authelia OpenID Connect 1.0 Provider."
|
||||||
lead: ""
|
lead: ""
|
||||||
date: 2022-10-18T21:22:13+11:00
|
date: 2022-10-18T21:22:13+11:00
|
||||||
draft: false
|
draft: false
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
title: "Tailscale"
|
title: "Tailscale"
|
||||||
description: "Using Authelia as the Tailscale OpenID Connect Provider."
|
description: "Integrating Tailscale with the Authelia OpenID Connect 1.0 Provider."
|
||||||
lead: ""
|
lead: ""
|
||||||
date: 2023-04-23T10:06:28+10:00
|
date: 2023-04-23T10:06:28+10:00
|
||||||
draft: false
|
draft: false
|
||||||
|
|
|
@ -466,14 +466,6 @@ and is paired with [authelia-location.conf](#authelia-locationconf).*
|
||||||
## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
|
## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
|
||||||
auth_request /internal/authelia/authz;
|
auth_request /internal/authelia/authz;
|
||||||
|
|
||||||
## Save the upstream authorization response headers from Authelia to variables.
|
|
||||||
auth_request_set $authorization $upstream_http_authorization;
|
|
||||||
auth_request_set $proxy_authorization $upstream_http_proxy_authorization;
|
|
||||||
|
|
||||||
## Inject the authorization response headers from the variables into the request made to the backend.
|
|
||||||
proxy_set_header Authorization $authorization;
|
|
||||||
proxy_set_header Proxy-Authorization $proxy_authorization;
|
|
||||||
|
|
||||||
## Save the upstream metadata response headers from Authelia to variables.
|
## Save the upstream metadata response headers from Authelia to variables.
|
||||||
auth_request_set $user $upstream_http_remote_user;
|
auth_request_set $user $upstream_http_remote_user;
|
||||||
auth_request_set $groups $upstream_http_remote_groups;
|
auth_request_set $groups $upstream_http_remote_groups;
|
||||||
|
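Review bot: the removal of the `auth_request_set $authorization` / `$proxy_authorization` captures and the matching `proxy_set_header Authorization` / `Proxy-Authorization` lines is not explained anywhere; the commit message is a merge and the text above the snippet is unchanged, yet this alters what the backend receives. If the AuthRequest implementation no longer emits these headers, say so next to the snippet and in the release notes, because anyone who copied the earlier `authelia-authrequest.conf` will keep forwarding them. If it still emits them, this removal breaks backends that depend on the forwarded `Authorization` header.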
@ -486,10 +478,6 @@ proxy_set_header Remote-Groups $groups;
|
||||||
proxy_set_header Remote-Email $email;
|
proxy_set_header Remote-Email $email;
|
||||||
proxy_set_header Remote-Name $name;
|
proxy_set_header Remote-Name $name;
|
||||||
|
|
||||||
## Include the Set-Cookie header if present.
|
|
||||||
auth_request_set $cookie $upstream_http_set_cookie;
|
|
||||||
add_header Set-Cookie $cookie;
|
|
||||||
|
|
||||||
## Configure the redirection when the authz failure occurs. Lines starting with 'Modern Method' and 'Legacy Method'
|
## Configure the redirection when the authz failure occurs. Lines starting with 'Modern Method' and 'Legacy Method'
|
||||||
## should be commented / uncommented as pairs. The modern method uses the session cookies configuration's authelia_url
|
## should be commented / uncommented as pairs. The modern method uses the session cookies configuration's authelia_url
|
||||||
## value to determine the redirection URL here. It's much simpler and compatible with the mutli-cookie domain easily.
|
## value to determine the redirection URL here. It's much simpler and compatible with the mutli-cookie domain easily.
|
||||||
|
|
|
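Review bot: same question for the removed `Set-Cookie` passthrough (`auth_request_set $cookie $upstream_http_set_cookie;` and `add_header Set-Cookie $cookie;`): without it, a cookie Authelia sets during the authz subrequest never reaches the browser, so please confirm the authz endpoint no longer sets cookies in this flow, or document the behaviour change. Unrelated but in the context lines: `mutli-cookie` is a typo for `multi-cookie`.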
@ -517,7 +517,7 @@ http:
|
||||||
```
|
```
|
||||||
{{< /details >}}
|
{{< /details >}}
|
||||||
|
|
||||||
## FAQ
|
## Frequently Asked Questions
|
||||||
|
|
||||||
### Basic Authentication
|
### Basic Authentication
|
||||||
|
|
||||||
|
|
|
@ -39,7 +39,7 @@ Now that Authelia is configured, pass the first factor and select the Push notif
|
||||||
You should now receive a notification on your mobile phone with all the details about the authentication request. In
|
You should now receive a notification on your mobile phone with all the details about the authentication request. In
|
||||||
case you have multiple devices available, you will be asked to select your preferred device.
|
case you have multiple devices available, you will be asked to select your preferred device.
|
||||||
|
|
||||||
## FAQ
|
## Frequently Asked Questions
|
||||||
|
|
||||||
### Why don't I have access to the *Push Notification* option?
|
### Why don't I have access to the *Push Notification* option?
|
||||||
|
|
||||||
|
|
|
@ -43,7 +43,7 @@ requested:
|
||||||
|
|
||||||
Easy, right?!
|
Easy, right?!
|
||||||
|
|
||||||
## FAQ
|
## Frequently Asked Questions
|
||||||
|
|
||||||
### Can I register multiple FIDO2 WebAuthn credentials?
|
### Can I register multiple FIDO2 WebAuthn credentials?
|
||||||
|
|
||||||
|
|
|
@ -86,5 +86,5 @@ It's important to note that Authelia is considered running in a trusted environm
|
||||||
transmitted unsigned to the backends, meaning a malicious user within the network could pretend to be
|
transmitted unsigned to the backends, meaning a malicious user within the network could pretend to be
|
||||||
Authelia and send those headers to bypass authentication and gain access to the service. This could be mitigated by
|
Authelia and send those headers to bypass authentication and gain access to the service. This could be mitigated by
|
||||||
transmitting those headers with a digital signature which could be verified by the backend however, many backends
|
transmitting those headers with a digital signature which could be verified by the backend however, many backends
|
||||||
just won't support it. It has therefore been decided to invest in OpenID Connect instead to solve that authentication
|
just won't support it. It has therefore been decided to invest in OpenID Connect 1.0 instead to solve that
|
||||||
delegation problem.
|
authentication delegation problem.
|
||||||
|
|
|
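Review bot: the comma in `verified by the backend however, many backends` belongs before `however` (`... by the backend; however, many backends ...`), and since this hunk already rewraps the paragraph it is the moment to fix it. The substance is right and worth keeping explicit: the forwarded identity headers are only trustworthy when the path between proxy and backend is trusted, which is the gap OpenID Connect 1.0 closes with signed ID Tokens.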
@ -12,6 +12,24 @@ weight: 220
|
||||||
toc: true
|
toc: true
|
||||||
---
|
---
|
||||||
|
|
||||||
|
## Miscellaneous
|
||||||
|
|
||||||
|
- [Docker](../../integration/deployment/docker.md#frequently-asked-questions)
|
||||||
|
- [Development](../../contributing/development/environment.md#frequently-asked-questions)
|
||||||
|
|
||||||
|
## Authentication
|
||||||
|
|
||||||
|
- [WebAuthn](../../overview/authentication/security-key/index.md#frequently-asked-questions)
|
||||||
|
- [Duo](../../overview/authentication/push-notification/index.md#frequently-asked-questions)
|
||||||
|
|
||||||
|
## Proxies
|
||||||
|
|
||||||
|
- [Traefik](../../integration/proxies/traefik.md#frequently-asked-questions)
|
||||||
|
|
||||||
|
## Kubernetes
|
||||||
|
|
||||||
|
- [General](../../integration/kubernetes/introduction.md#frequently-asked-questions)
|
||||||
|
|
||||||
## Identity Providers
|
## Identity Providers
|
||||||
|
|
||||||
- [OpenID Connect 1.0 Integration](../../integration/openid-connect/frequently-asked-questions.md)
|
- [OpenID Connect 1.0 Integration](../../integration/openid-connect/frequently-asked-questions.md)
|
||||||
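Review bot: every new entry links to a `#frequently-asked-questions` fragment (docker.md, environment.md, security-key/index.md, push-notification/index.md, traefik.md, introduction.md); Hugo does not fail the build on a missing fragment, so confirm each target page actually has a "Frequently Asked Questions" heading before merging, otherwise the link silently lands at the top of the page.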
@ -14,8 +14,8 @@ aliases:
|
||||||
- /r/dashboard
|
- /r/dashboard
|
||||||
---
|
---
|
||||||
|
|
||||||
This feature has several major impacts on other roadmap items. For example several OpenID Connect features would greatly
|
This feature has several major impacts on other roadmap items. For example several OpenID Connect 1.0 features would
|
||||||
benefit from a dashboard. It would also be important when we implement WebAuthn features like passwordless
|
greatly benefit from a dashboard. It would also be important when we implement WebAuthn features like passwordless
|
||||||
authentication allowing users to intentionally register a passwordless credential.
|
authentication allowing users to intentionally register a passwordless credential.
|
||||||
|
|
||||||
## Stages
|
## Stages
|
||||||
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
title: "OpenID Connect"
|
title: "OpenID Connect 1.0"
|
||||||
description: "Authelia OpenID Connect Implementation"
|
description: "Authelia OpenID Connect 1.0 Provider Implementation"
|
||||||
lead: "The OpenID Connect Provider role is a very useful but complex feature to enhance interoperability of Authelia with other products. "
|
lead: "The OpenID Connect 1.0 Provider role is a very useful but complex feature to enhance interoperability of Authelia with other products. "
|
||||||
date: 2022-06-15T17:51:47+10:00
|
date: 2022-06-15T17:51:47+10:00
|
||||||
draft: false
|
draft: false
|
||||||
images: []
|
images: []
|
||||||
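Review bot: the `lead` value on the new side still ends with a space inside the quotes (`...with other products. "`), carried over from the old line; trim it while the line is being edited.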
@ -15,14 +15,15 @@ aliases:
|
||||||
- /docs/roadmap/oidc.html
|
- /docs/roadmap/oidc.html
|
||||||
---
|
---
|
||||||
|
|
||||||
We have decided to implement [OpenID Connect] as a beta feature, it's suggested you only utilize it for testing and
|
We have decided to implement [OpenID Connect 1.0] as a beta feature, it's suggested you only utilize it for testing and
|
||||||
providing feedback, and should take caution in relying on it in production as of now. [OpenID Connect] and it's related
|
providing feedback, and should take caution in relying on it in production as of now. [OpenID Connect 1.0] and it's
|
||||||
endpoints are not enabled by default unless you specifically configure the [OpenID Connect] section.
|
related endpoints are not enabled by default unless you specifically configure the [OpenID Connect 1.0] section.
|
||||||
|
|
||||||
As [OpenID Connect] is fairly complex (the [OpenID Connect] Provider role especially so) it's intentional that it is
|
As [OpenID Connect 1.0] is fairly complex (the [OpenID Connect 1.0] Provider role especially so) it's intentional that
|
||||||
both a beta and that the implemented features are part of a thoughtful roadmap. Items that are not immediately obvious
|
it is both a beta and that the implemented features are part of a thoughtful roadmap. Items that are not immediately
|
||||||
as required (i.e. bug fixes or spec features), will likely be discussed in team meetings or on GitHub issues before
|
obvious as required (i.e. bug fixes or spec features), will likely be discussed in team meetings or on GitHub issues
|
||||||
being added to the list. We want to implement this feature in a very thoughtful way in order to avoid security issues.
|
before being added to the list. We want to implement this feature in a very thoughtful way in order to avoid security
|
||||||
|
issues.
|
||||||
|
|
||||||
## Stages
|
## Stages
|
||||||
|
|
||||||
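Review bot: `[OpenID Connect 1.0] and it's related endpoints` keeps the old line's `it's`; the possessive is `its`. This paragraph is being rewrapped anyway, so fix it in the same hunk.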
@ -38,7 +39,7 @@ Feature List:
|
||||||
|
|
||||||
* [User Consent](https://openid.net/specs/openid-connect-core-1_0.html#Consent)
|
* [User Consent](https://openid.net/specs/openid-connect-core-1_0.html#Consent)
|
||||||
* [Authorization Code Flow](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowSteps)
|
* [Authorization Code Flow](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowSteps)
|
||||||
* [OpenID Connect Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html)
|
* [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html)
|
||||||
* [RS256 Signature Strategy](https://datatracker.ietf.org/doc/html/rfc7518#section-3.1)
|
* [RS256 Signature Strategy](https://datatracker.ietf.org/doc/html/rfc7518#section-3.1)
|
||||||
* Per Client Scope/Grant Type/Response Type Restriction
|
* Per Client Scope/Grant Type/Response Type Restriction
|
||||||
* Per Client Authorization Policy (1FA/2FA)
|
* Per Client Authorization Policy (1FA/2FA)
|
||||||
@ -64,7 +65,7 @@ Feature List:
|
||||||
|
|
||||||
Feature List:
|
Feature List:
|
||||||
|
|
||||||
* [Proof Key Code Exchange (PKCE)] for Authorization Code Flow
|
* [RFC7636: Proof Key for Code Exchange (PKCE)] for Authorization Code Flow
|
||||||
* Claims:
|
* Claims:
|
||||||
* `preferred_username` - sending the username in this claim instead of the `sub` claim.
|
* `preferred_username` - sending the username in this claim instead of the `sub` claim.
|
||||||
|
|
||||||
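Review bot: `[RFC7636: Proof Key for Code Exchange (PKCE)]` is a reference-style link and the old definition `[Proof Key Code Exchange (PKCE)]` is dropped elsewhere in this file; grep the docs for any remaining use of the old label, because an undefined reference renders as literal bracketed text instead of a link.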
@ -79,12 +80,12 @@ Feature List:
|
||||||
* Auditable Information
|
* Auditable Information
|
||||||
* Subject to User Mapping
|
* Subject to User Mapping
|
||||||
* Opaque [RFC4122] UUID v4's for subject identifiers
|
* Opaque [RFC4122] UUID v4's for subject identifiers
|
||||||
* Support for Pairwise and Plain subject identifier types as per [OpenID Connect Core (Subject Identifier Types)]
|
* Support for Pairwise and Plain subject identifier types as per [OpenID Connect Core 1.0 (Subject Identifier Types)]
|
||||||
* Utilize the pairwise example method 3 as per [OpenID Connect Core (Pairwise Identifier Algorithm)]
|
* Utilize the pairwise example method 3 as per [OpenID Connect Core 1.0 (Pairwise Identifier Algorithm)]
|
||||||
* Claims:
|
* Claims:
|
||||||
* `sub` - replace username with opaque random [RFC4122] UUID v4
|
* `sub` - replace username with opaque random [RFC4122] UUID v4
|
||||||
* `amr` - authentication method references as per [RFC8176]
|
* `amr` - authentication method references as per [RFC8176]
|
||||||
* `azp` - authorized party as per [OpenID Connect Core (ID Token)]
|
* `azp` - authorized party as per [OpenID Connect Core 1.0 (ID Token)]
|
||||||
* `client_id` - the Client ID as per [RFC8693 Section 4.3]
|
* `client_id` - the Client ID as per [RFC8693 Section 4.3]
|
||||||
* [Cross Origin Resource Sharing] (CORS):
|
* [Cross Origin Resource Sharing] (CORS):
|
||||||
* Automatically allow all cross-origin requests to the discovery endpoints
|
* Automatically allow all cross-origin requests to the discovery endpoints
|
||||||
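Review bot: minor style point on the unchanged context line `Opaque [RFC4122] UUID v4's for subject identifiers`: the apostrophe marks a plural, so `UUID v4s` (or `UUIDv4 values`) reads better, and the adjacent `Subject Identifier Types` items are already being edited in this hunk.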
@ -106,7 +107,7 @@ Feature List:
|
||||||
* Implicit:
|
* Implicit:
|
||||||
* Not expressly standards compliant
|
* Not expressly standards compliant
|
||||||
* Never asks for end-user consent
|
* Never asks for end-user consent
|
||||||
* Not compatible with the consent prompt type
|
* Not compatible with the `consent` prompt type
|
||||||
* Pre-Configured:
|
* Pre-Configured:
|
||||||
* Allows users to save consent sessions for a duration configured by the administrator
|
* Allows users to save consent sessions for a duration configured by the administrator
|
||||||
* Operates nearly identically to the explicit consent mode
|
* Operates nearly identically to the explicit consent mode
|
||||||
@ -115,15 +116,15 @@ Feature List:
|
||||||
|
|
||||||
{{< roadmap-status stage="in-progress" version="v4.38.0" >}}
|
{{< roadmap-status stage="in-progress" version="v4.38.0" >}}
|
||||||
|
|
||||||
* [RFC9126: OAuth 2.0 Pushed Authorization Requests](https://datatracker.ietf.org/doc/html/rfc9126)
|
* [RFC9126: OAuth 2.0 Pushed Authorization Requests]
|
||||||
* [RFC7523: JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants](https://datatracker.ietf.org/doc/html/rfc7523):
|
* [RFC7523: JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants]:
|
||||||
* Client Auth Method `client_secret_jwt`
|
* Client Auth Method `client_secret_jwt`
|
||||||
* Client Auth Method `private_key_jwt`
|
* Client Auth Method `private_key_jwt`
|
||||||
* Per-Client [Proof Key Code Exchange (PKCE)] Policy
|
* Per-Client [RFC7636: Proof Key for Code Exchange (PKCE)] Policy
|
||||||
* Multiple Issuer JWKs:
|
* Multiple Issuer JWKs:
|
||||||
* RS256, RS384, RS512
|
* `RS256`, `RS384`, `RS512`
|
||||||
* PS256, PS384, PS512
|
* `PS256`, `PS384`, `PS512`
|
||||||
* ES256, ES384, ES512
|
* `ES256`, `ES384`, `ES512`
|
||||||
|
|
||||||
### Beta 7
|
### Beta 7
|
||||||
|
|
||||||
@ -134,7 +135,7 @@ Feature List:
|
||||||
* Prompt Handling
|
* Prompt Handling
|
||||||
* Display Handling
|
* Display Handling
|
||||||
|
|
||||||
See [OpenID Connect Core (Mandatory to Implement Features for All OpenID Providers)].
|
See [OpenID Connect Core 1.0 (Mandatory to Implement Features for All OpenID Providers)].
|
||||||
|
|
||||||
### Beta 8
|
### Beta 8
|
||||||
|
|
||||||
@ -144,6 +145,15 @@ Feature List:
|
||||||
|
|
||||||
* Revoke Tokens on User Logout or Expiration
|
* Revoke Tokens on User Logout or Expiration
|
||||||
* [JSON Web Key Rotation](https://openid.net/specs/openid-connect-messages-1_0-20.html#rotate.sig.keys)
|
* [JSON Web Key Rotation](https://openid.net/specs/openid-connect-messages-1_0-20.html#rotate.sig.keys)
|
||||||
|
* In-Storage Configuration:
|
||||||
|
* Multi-Issuer Configuration (require one per Issuer URL)
|
||||||
|
* Dynamically Configured via CLI
|
||||||
|
* Import from YAML:
|
||||||
|
* Manual method
|
||||||
|
* Bootstrap method:
|
||||||
|
* Defaults to one time only
|
||||||
|
* Can optionally override the database configuration
|
||||||
|
* Salt (random) and/or Peppered (storage encryption) Client Credentials
|
||||||
|
|
||||||
### General Availability
|
### General Availability
|
||||||
|
|
||||||
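Review bot: `Salt (random) and/or Peppered (storage encryption) Client Credentials` conflates two different controls: a pepper is a secret value mixed into the hash input, whereas storage encryption protects the stored record at rest. Name which one is intended (or list both as separate items) so the roadmap entry is unambiguous.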
@ -151,7 +161,7 @@ Feature List:
|
||||||
|
|
||||||
Feature List:
|
Feature List:
|
||||||
|
|
||||||
* Enable by Default
|
* ~~Enable by Default~~
|
||||||
* Only after all previous stages are checked for bugs
|
* Only after all previous stages are checked for bugs
|
||||||
|
|
||||||
### Miscellaneous
|
### Miscellaneous
|
||||||
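Review bot: striking through `Enable by Default` leaves its sub-item `Only after all previous stages are checked for bugs` un-struck and dangling under a withdrawn item; either strike the sub-item too or add a one-line reason the item was dropped.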
@ -162,13 +172,13 @@ This stage lists features which individually do not fit into a specific stage an
|
||||||
|
|
||||||
{{< roadmap-status >}}
|
{{< roadmap-status >}}
|
||||||
|
|
||||||
See the [OpenID Connect] website for the [OpenID Connect Dynamic Client Registration] specification.
|
See the [OpenID Connect 1.0] website for the [OpenID Connect Dynamic Client Registration 1.0] specification.
|
||||||
|
|
||||||
#### OpenID Connect Back-Channel Logout
|
#### OpenID Connect Back-Channel Logout
|
||||||
|
|
||||||
{{< roadmap-status >}}
|
{{< roadmap-status >}}
|
||||||
|
|
||||||
See the [OpenID Connect] website for the [OpenID Connect Back-Channel Logout] specification.
|
See the [OpenID Connect 1.0] website for the [OpenID Connect Back-Channel Logout 1.0] specification.
|
||||||
|
|
||||||
Should be implemented alongside [Dynamic Client Registration](#openid-connect-dynamic-client-registration).
|
Should be implemented alongside [Dynamic Client Registration](#openid-connect-dynamic-client-registration).
|
||||||
|
|
||||||
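Review bot: the link labels gain `1.0` but the headings (`#### OpenID Connect Back-Channel Logout`) and the anchor `#openid-connect-dynamic-client-registration` on the last line do not; that is consistent today, but if the headings are later renamed to match the labels, the anchor must be updated in the same change or the cross-reference breaks.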
@ -176,7 +186,7 @@ Should be implemented alongside [Dynamic Client Registration](#openid-connect-dy
|
||||||
|
|
||||||
{{< roadmap-status >}}
|
{{< roadmap-status >}}
|
||||||
|
|
||||||
See the [OpenID Connect] website for the [OpenID Connect Front-Channel Logout] specification.
|
See the [OpenID Connect 1.0] website for the [OpenID Connect Front-Channel Logout 1.0] specification.
|
||||||
|
|
||||||
Should be implemented alongside [Dynamic Client Registration](#openid-connect-dynamic-client-registration).
|
Should be implemented alongside [Dynamic Client Registration](#openid-connect-dynamic-client-registration).
|
||||||
|
|
||||||
@ -190,7 +200,7 @@ See the [IETF Specification RFC8414](https://datatracker.ietf.org/doc/html/rfc84
|
||||||
|
|
||||||
{{< roadmap-status >}}
|
{{< roadmap-status >}}
|
||||||
|
|
||||||
See the [OpenID Connect] website for the [OpenID Connect Session Management] specification.
|
See the [OpenID Connect 1.0] website for the [OpenID Connect Session Management 1.0] specification.
|
||||||
|
|
||||||
#### End-User Scope Grants
|
#### End-User Scope Grants
|
||||||
|
|
||||||
@ -216,14 +226,17 @@ The `preferred_username` claim was missing and was fixed.
|
||||||
[RFC8693 Section 4.3]: https://datatracker.ietf.org/doc/html/rfc8693/#section-4.3
|
[RFC8693 Section 4.3]: https://datatracker.ietf.org/doc/html/rfc8693/#section-4.3
|
||||||
[RFC4122]: https://datatracker.ietf.org/doc/html/rfc4122
|
[RFC4122]: https://datatracker.ietf.org/doc/html/rfc4122
|
||||||
|
|
||||||
[OpenID Connect]: https://openid.net/connect/
|
[OpenID Connect 1.0]: https://openid.net/connect/
|
||||||
[OpenID Connect Front-Channel Logout]: https://openid.net/specs/openid-connect-frontchannel-1_0.html
|
[OpenID Connect Front-Channel Logout 1.0]: https://openid.net/specs/openid-connect-frontchannel-1_0.html
|
||||||
[OpenID Connect Back-Channel Logout]: https://openid.net/specs/openid-connect-backchannel-1_0.html
|
[OpenID Connect Back-Channel Logout 1.0]: https://openid.net/specs/openid-connect-backchannel-1_0.html
|
||||||
[OpenID Connect Session Management]: https://openid.net/specs/openid-connect-session-1_0.html
|
[OpenID Connect Session Management 1.0]: https://openid.net/specs/openid-connect-session-1_0.html
|
||||||
[OpenID Connect Dynamic Client Registration]: https://openid.net/specs/openid-connect-registration-1_0.html
|
[OpenID Connect Dynamic Client Registration 1.0]: https://openid.net/specs/openid-connect-registration-1_0.html
|
||||||
|
|
||||||
[OpenID Connect Core (ID Token)]: https://openid.net/specs/openid-connect-core-1_0.html#IDToken
|
[OpenID Connect Core 1.0 (ID Token)]: https://openid.net/specs/openid-connect-core-1_0.html#IDToken
|
||||||
[OpenID Connect Core (Subject Identifier Types)]: https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
|
[OpenID Connect Core 1.0 (Subject Identifier Types)]: https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
|
||||||
[OpenID Connect Core (Pairwise Identifier Algorithm)]: https://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg
|
[OpenID Connect Core 1.0 (Pairwise Identifier Algorithm)]: https://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg
|
||||||
[OpenID Connect Core (Mandatory to Implement Features for All OpenID Providers)]: https://openid.net/specs/openid-connect-core-1_0.html#ServerMTI
|
[OpenID Connect Core 1.0 (Mandatory to Implement Features for All OpenID Providers)]: https://openid.net/specs/openid-connect-core-1_0.html#ServerMTI
|
||||||
[Proof Key Code Exchange (PKCE)]: https://datatracker.ietf.org/doc/html/rfc7636
|
|
||||||
|
[RFC7636: Proof Key for Code Exchange (PKCE)]: https://datatracker.ietf.org/doc/html/rfc7636
|
||||||
|
[RFC7523: JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants]: https://datatracker.ietf.org/doc/html/rfc7523
|
||||||
|
[RFC9126: OAuth 2.0 Pushed Authorization Requests]: https://datatracker.ietf.org/doc/html/rfc9126
|
||||||
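Review bot: the RFC8693 definition uses `rfc8693/#section-4.3` with a slash before the fragment, unlike the other datatracker links in this block (`rfc4122`, `rfc7636`, `rfc7523`, `rfc9126`); drop the slash for consistency. The three new definitions match the labels introduced earlier in the file, and the old `[Proof Key Code Exchange (PKCE)]` definition is removed, so the only remaining check is that no other file references the old label.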
@ -25,7 +25,7 @@ be glad to share ideas and plans with you.
|
||||||
This is a summary of the features which are currently on the roadmap with links to further details:
|
This is a summary of the features which are currently on the roadmap with links to further details:
|
||||||
|
|
||||||
1. [WebAuthn](../active/webauthn.md)
|
1. [WebAuthn](../active/webauthn.md)
|
||||||
2. [OpenID Connect Provider](../active/openid-connect.md)
|
2. [OpenID Connect 1.0 Provider](../active/openid-connect.md)
|
||||||
3. [Internationalization or Multilingual Support](../active/internationalization.md)
|
3. [Internationalization or Multilingual Support](../active/internationalization.md)
|
||||||
4. [Multiple Domain Protection](../active/multi-domain-protection.md)
|
4. [Multiple Domain Protection](../active/multi-domain-protection.md)
|
||||||
5. [Control Panel / Dashboard for User / Administration Settings](../active/dashboard-control-panel.md)
|
5. [Control Panel / Dashboard for User / Administration Settings](../active/dashboard-control-panel.md)
|
||||||
@ -244,8 +244,8 @@ func (s *Store) GetPKCERequestSession(ctx context.Context, signature string, ses
|
||||||
return s.loadRequesterBySignature(ctx, storage.OAuth2SessionTypePKCEChallenge, signature, session)
|
return s.loadRequesterBySignature(ctx, storage.OAuth2SessionTypePKCEChallenge, signature, session)
|
||||||
}
|
}
|
||||||
|
|
||||||
// CreateOpenIDConnectSession creates an open id connect session for a given authorize code.
|
// CreateOpenIDConnectSession creates an OpenID Connect 1.0 connect session for a given authorize code.
|
||||||
// This is relevant for explicit open id connect flow.
|
// This is relevant for explicit OpenID Connect 1.0 flow.
|
||||||
// This implements a portion of openid.OpenIDConnectRequestStorage.
|
// This implements a portion of openid.OpenIDConnectRequestStorage.
|
||||||
func (s *Store) CreateOpenIDConnectSession(ctx context.Context, authorizeCode string, request fosite.Requester) (err error) {
|
func (s *Store) CreateOpenIDConnectSession(ctx context.Context, authorizeCode string, request fosite.Requester) (err error) {
|
||||||
return s.saveSession(ctx, storage.OAuth2SessionTypeOpenIDConnect, authorizeCode, request)
|
return s.saveSession(ctx, storage.OAuth2SessionTypeOpenIDConnect, authorizeCode, request)
|
||||||
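Review bot: the new comment reads `creates an OpenID Connect 1.0 connect session`, duplicating `connect`; it should be `creates an OpenID Connect 1.0 session for a given authorize code`. The second comment in the hunk (`relevant for explicit OpenID Connect 1.0 flow`) is fine.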