Merge remote-tracking branch 'origin/master' into feat-settings-ui

feat-settings-ui
James Elliott 2023-05-20 10:26:42 +10:00
commit b4083df061
No known key found for this signature in database
GPG Key ID: 0F1C4A096E857E49
47 changed files with 144 additions and 117 deletions

View File

@ -31,14 +31,14 @@ with all major proxies supported excluding Microsoft IIS.
[Envoy]: https://www.envoyproxy.io/ [Envoy]: https://www.envoyproxy.io/
[Istio]: https://istio.io/ [Istio]: https://istio.io/
## OpenID Connect Improvements ## OpenID Connect 1.0 Improvements
Several items from the [OpenID Connect Roadmap](../../roadmap/active/openid-connect.md) are being checked off in this Several items from the [OpenID Connect 1.0 Roadmap](../../roadmap/active/openid-connect.md) are being checked off in this
release. release.
### Hashed Client Secrets ### Hashed Client Secrets
We'll be supporting hashed OpenID Connect client secrets in this release. People will still be able to use plaintext We'll be supporting hashed OpenID Connect 1.0 client secrets in this release. People will still be able to use plaintext
secrets if they wish however we'll be recommending people utilize PBKDF2, BCrypt or SHA512 SHA2CRYPT (see secrets if they wish however we'll be recommending people utilize PBKDF2, BCrypt or SHA512 SHA2CRYPT (see
[Password Algorithms](#password-algorithms) for a full compatibility list). This doesn't change anything for OpenID [Password Algorithms](#password-algorithms) for a full compatibility list). This doesn't change anything for OpenID
Connect Relying Parties, it only requires a change in the Authelia configuration. Connect Relying Parties, it only requires a change in the Authelia configuration.
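Review bot: in the renamed text, "PBKDF2, BCrypt or SHA512 SHA2CRYPT" reads as two algorithm names run together; suggest "PBKDF2, BCrypt or SHA2CRYPT (SHA512 variant)" or similar so it is clear SHA512 qualifies SHA2CRYPT rather than being a separate option. The same sentence also needs a comma or a sentence break before "however" ("if they wish, however we'll be recommending ..." or "if they wish. However, we recommend ..."). Since both lines are already being touched for the "1.0" rename, this is a good moment to fix them.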

View File

@ -14,6 +14,6 @@ aliases:
- /docs/configuration/identity-providers/ - /docs/configuration/identity-providers/
--- ---
## OpenID Connect ## OpenID Connect 1.0
The only identity provider implementation supported at this time is [OpenID Connect 1.0](openid-connect/provider.md). The only identity provider implementation supported at this time is [OpenID Connect 1.0](openid-connect/provider.md).

View File

@ -16,8 +16,8 @@ This section covers specifics regarding configuring the providers registered cli
provider specific configuration and information not related to clients see the [OpenID Connect 1.0 Provider](provider.md) provider specific configuration and information not related to clients see the [OpenID Connect 1.0 Provider](provider.md)
documentation. documentation.
More information about OpenID Connect can be found in the [roadmap](../../../roadmap/active/openid-connect.md) and in the More information about OpenID Connect 1.0 can be found in the [roadmap](../../../roadmap/active/openid-connect.md) and
[integration](../../../integration/openid-connect/introduction.md) documentation. in the [integration](../../../integration/openid-connect/introduction.md) documentation.
## Configuration ## Configuration

View File

@ -299,9 +299,9 @@ Allows additional debug messages to be sent to the clients.
This controls the minimum length of the `nonce` and `state` parameters. This controls the minimum length of the `nonce` and `state` parameters.
*__Security Notice:__* Changing this value is generally discouraged, reducing it from the default can theoretically *__Security Notice:__* Changing this value is generally discouraged, reducing it from the default can theoretically
make certain scenarios less secure. It is highly encouraged that if your OpenID Connect RP does not send these make certain scenarios less secure. It is highly encouraged that if your OpenID Connect 1.0 Relying Party does not send
parameters or sends parameters with a lower length than the default that they implement a change rather than changing these parameters or sends parameters with a lower length than the default that they implement a change rather than
this value. changing this value.
### enforce_pkce ### enforce_pkce
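Review bot: the security notice still says the Relying Party "should implement a change", which is vague about what the change is. Suggest rewording the second sentence to state it plainly, for example: "If your OpenID Connect 1.0 Relying Party does not send these parameters, or sends values shorter than the default, the Relying Party should be fixed to send compliant `nonce` and `state` values rather than this minimum being lowered." That also shortens a sentence that the reflow has spread across three lines.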

View File

@ -16,7 +16,7 @@ Environment variables are applied after the configuration file meaning anything
overrides the configuration files. overrides the configuration files.
*__Please Note:__ It is not possible to configure several sections at this time, these include but may not be *__Please Note:__ It is not possible to configure several sections at this time, these include but may not be
limited to the rules section in access control, the clients section in the OpenID Connect identity provider, the cookies limited to the rules section in access control, the clients section in the OpenID Connect 1.0 Provider, the cookies
section of in session, and the authz section in the server endpoints.* section of in session, and the authz section in the server endpoints.*
## Prefix ## Prefix

View File

@ -63,9 +63,9 @@ authelia --config configuration.yml,config-acl.yml,config-other.yml
Authelia's configuration files use the YAML format. A template with all possible options can be found at the root of the Authelia's configuration files use the YAML format. A template with all possible options can be found at the root of the
repository {{< github-link name="here" path="config.template.yml" >}}. repository {{< github-link name="here" path="config.template.yml" >}}.
*__Important Note:__ You should not have configuration sections such as Access Control Rules or OpenID Connect clients *__Important Note:__ You should not have configuration sections such as Access Control Rules or OpenID Connect 1.0
configured in multiple files. If you wish to split these into their own files that is fine, but if you have two files that clients configured in multiple files. If you wish to split these into their own files that is fine, but if you have two
specify these sections and expect them to merge properly you are asking for trouble.* files that specify these sections and expect them to merge properly you are asking for trouble.*
### Container ### Container

View File

@ -24,16 +24,24 @@ server:
authz: authz:
forward-auth: forward-auth:
implementation: 'ForwardAuth' implementation: 'ForwardAuth'
authn_strategies: [] authn_strategies:
- name: 'HeaderProxyAuthorization'
- name: 'CookieSession'
ext-authz: ext-authz:
implementation: 'ExtAuthz' implementation: 'ExtAuthz'
authn_strategies: [] authn_strategies:
- name: 'HeaderProxyAuthorization'
- name: 'CookieSession'
auth-request: auth-request:
implementation: 'AuthRequest' implementation: 'AuthRequest'
authn_strategies: [] authn_strategies:
- name: 'HeaderAuthRequestProxyAuthorization'
- name: 'CookieSession'
legacy: legacy:
implementation: 'Legacy' implementation: 'Legacy'
authn_strategies: [] authn_strategies:
- name: 'HeaderLegacy'
- name: 'CookieSession'
``` ```
## Name ## Name
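Review bot: each `authn_strategies` default changes from an empty list to two named strategies, but the hunk gives no prose saying whether these are the values applied when the key is omitted or merely an illustrative configuration, nor whether the order (the header strategy listed before `CookieSession`) is significant. Operators copy these blocks verbatim, so a sentence above the YAML stating both would avoid guesswork. It is also worth pointing out in the text that `AuthRequest` uses `HeaderAuthRequestProxyAuthorization` and `Legacy` uses `HeaderLegacy` rather than `HeaderProxyAuthorization`, so a reader does not take the difference for a typo.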

View File

@ -89,6 +89,6 @@ Please see the [documentation](../prologue/common.md#duration) on this format fo
This adjusts the requested timeout for a WebAuthn interaction. This adjusts the requested timeout for a WebAuthn interaction.
## FAQ ## Frequently Asked Questions
See the [Security Key FAQ](../../overview/authentication/security-key/index.md#faq) for the FAQ. See the [Security Key FAQ](../../overview/authentication/security-key/index.md#frequently-asked-questions) for the FAQ.

View File

@ -32,9 +32,9 @@ this instance if you wanted to downgrade to pre1 you would need to use an Authel
| 1 | 4.33.0 | Initial migration managed version | | 1 | 4.33.0 | Initial migration managed version |
| 2 | 4.34.0 | WebAuthn - added webauthn_devices table, altered totp_config to include device created/used dates | | 2 | 4.34.0 | WebAuthn - added webauthn_devices table, altered totp_config to include device created/used dates |
| 3 | 4.34.2 | WebAuthn - fix V2 migration kid column length and provide migration path for anyone on V2 | | 3 | 4.34.2 | WebAuthn - fix V2 migration kid column length and provide migration path for anyone on V2 |
| 4 | 4.35.0 | Added OpenID Connect storage tables and opaque user identifier tables | | 4 | 4.35.0 | Added OpenID Connect 1.0 storage tables and opaque user identifier tables |
| 5 | 4.35.1 | Fixed the oauth2_consent_session table to accept NULL subjects for users who are not yet signed in | | 5 | 4.35.1 | Fixed the oauth2_consent_session table to accept NULL subjects for users who are not yet signed in |
| 6 | 4.37.0 | Adjusted the OpenID Connect tables to allow pre-configured consent improvements | | 6 | 4.37.0 | Adjusted the OpenID Connect 1.0 tables to allow pre-configured consent improvements |
| 7 | 4.37.3 | Fixed some schema inconsistencies most notably the MySQL/MariaDB Engine and Collation | | 7 | 4.37.3 | Fixed some schema inconsistencies most notably the MySQL/MariaDB Engine and Collation |
| 8 | 4.38.0 | OpenID Connect 1.0 Pushed Authorization Requests | | 8 | 4.38.0 | OpenID Connect 1.0 Pushed Authorization Requests |
| 9 | 4.38.0 | Fix a PostgreSQL NOT NULL constraint issue on the `aaguid` column of the `webauthn_devices` table | | 9 | 4.38.0 | Fix a PostgreSQL NOT NULL constraint issue on the `aaguid` column of the `webauthn_devices` table |

View File

@ -62,7 +62,7 @@ There is a scripting context provided with __Authelia__ which can easily be conf
[suites] and various other tasks. Read more about it in the [authelia-scripts](reference-authelia-scripts.md) reference [suites] and various other tasks. Read more about it in the [authelia-scripts](reference-authelia-scripts.md) reference
guide. guide.
## FAQ ## Frequently Asked Questions
### Do you support development under Windows or OSX? ### Do you support development under Windows or OSX?

View File

@ -210,7 +210,7 @@ running the following command:
grep -Eo '"https://.*" ' ./authelia/notification.txt. grep -Eo '"https://.*" ' ./authelia/notification.txt.
``` ```
## FAQ ## Frequently Asked Questions
#### Running the Proxy on the Host Instead of in a Container #### Running the Proxy on the Host Instead of in a Container

View File

@ -63,7 +63,7 @@ spec:
... ...
``` ```
## FAQ ## Frequently Asked Questions
### RAM usage ### RAM usage

View File

@ -1,6 +1,6 @@
--- ---
title: "OpenID Connect" title: "OpenID Connect 1.0"
description: "OpenID Connect Integration" description: "OpenID Connect 1.0 Integration"
lead: "" lead: ""
date: 2022-06-15T17:51:47+10:00 date: 2022-06-15T17:51:47+10:00
draft: false draft: false

View File

@ -1,6 +1,6 @@
--- ---
title: "Apache Guacamole" title: "Apache Guacamole"
description: "Integrating Apache Guacamole with the Authelia OpenID Connect Provider." description: "Integrating Apache Guacamole with the Authelia OpenID Connect 1.0 Provider."
lead: "" lead: ""
date: 2022-07-31T13:09:05+10:00 date: 2022-07-31T13:09:05+10:00
draft: false draft: false

View File

@ -1,6 +1,6 @@
--- ---
title: "Argo CD" title: "Argo CD"
description: "Integrating Argo CD with the Authelia OpenID Connect Provider." description: "Integrating Argo CD with the Authelia OpenID Connect 1.0 Provider."
lead: "" lead: ""
date: 2022-07-13T04:27:30+10:00 date: 2022-07-13T04:27:30+10:00
draft: false draft: false

View File

@ -1,6 +1,6 @@
--- ---
title: "BookStack" title: "BookStack"
description: "Integrating BookStack with the Authelia OpenID Connect Provider." description: "Integrating BookStack with the Authelia OpenID Connect 1.0 Provider."
lead: "" lead: ""
date: 2022-06-15T17:51:47+10:00 date: 2022-06-15T17:51:47+10:00
draft: false draft: false

View File

@ -1,6 +1,6 @@
--- ---
title: "Cloudflare Zero Trust" title: "Cloudflare Zero Trust"
description: "Integrating Cloudflare Zero Trust with the Authelia OpenID Connect Provider." description: "Integrating Cloudflare Zero Trust with the Authelia OpenID Connect 1.0 Provider."
lead: "" lead: ""
date: 2022-06-15T17:51:47+10:00 date: 2022-06-15T17:51:47+10:00
draft: false draft: false

View File

@ -1,6 +1,6 @@
--- ---
title: "Firezone" title: "Firezone"
description: "Integrating Firezone with the Authelia OpenID Connect Provider." description: "Integrating Firezone with the Authelia OpenID Connect 1.0 Provider."
lead: "" lead: ""
date: 2023-03-28T20:29:13+11:00 date: 2023-03-28T20:29:13+11:00
draft: false draft: false

View File

@ -1,7 +1,7 @@
--- ---
title: "Frequently Asked Questions" title: "Frequently Asked Questions"
description: "Frequently Asked Questions regarding integrating the Authelia OpenID Connect Provider with an OpenID Connect relying party" description: "Frequently Asked Questions regarding integrating the Authelia OpenID Connect 1.0 Provider with an OpenID Connect 1.0 Relying Party"
lead: "Frequently Asked Questions regarding integrating the Authelia OpenID Connect Provider with an OpenID Connect relying party." lead: "Frequently Asked Questions regarding integrating the Authelia OpenID Connect 1.0 Provider with an OpenID Connect 1.0 Relying Party."
date: 2022-10-20T15:27:09+11:00 date: 2022-10-20T15:27:09+11:00
draft: false draft: false
images: [] images: []

View File

@ -1,6 +1,6 @@
--- ---
title: "Gitea" title: "Gitea"
description: "Integrating Gitea with the Authelia OpenID Connect Provider." description: "Integrating Gitea with the Authelia OpenID Connect 1.0 Provider."
lead: "" lead: ""
date: 2022-07-01T13:07:02+10:00 date: 2022-07-01T13:07:02+10:00
draft: false draft: false

View File

@ -1,6 +1,6 @@
--- ---
title: "GitLab" title: "GitLab"
description: "Integrating GitLab with the Authelia OpenID Connect Provider." description: "Integrating GitLab with the Authelia OpenID Connect 1.0 Provider."
lead: "" lead: ""
date: 2022-06-15T17:51:47+10:00 date: 2022-06-15T17:51:47+10:00
draft: false draft: false

View File

@ -1,6 +1,6 @@
--- ---
title: "Grafana" title: "Grafana"
description: "Integrating Grafana with the Authelia OpenID Connect Provider." description: "Integrating Grafana with the Authelia OpenID Connect 1.0 Provider."
lead: "" lead: ""
date: 2022-06-15T17:51:47+10:00 date: 2022-06-15T17:51:47+10:00
draft: false draft: false

View File

@ -1,6 +1,6 @@
--- ---
title: "Harbor" title: "Harbor"
description: "Integrating Harbor with the Authelia OpenID Connect Provider." description: "Integrating Harbor with the Authelia OpenID Connect 1.0 Provider."
lead: "" lead: ""
date: 2022-06-15T17:51:47+10:00 date: 2022-06-15T17:51:47+10:00
draft: false draft: false

View File

@ -1,6 +1,6 @@
--- ---
title: "HashiCorp Vault" title: "HashiCorp Vault"
description: "Integrating HashiCorp Vault with the Authelia OpenID Connect Provider." description: "Integrating HashiCorp Vault with the Authelia OpenID Connect 1.0 Provider."
lead: "" lead: ""
date: 2022-06-15T17:51:47+10:00 date: 2022-06-15T17:51:47+10:00
draft: false draft: false

View File

@ -1,7 +1,7 @@
--- ---
title: "OpenID Connect" title: "OpenID Connect"
description: "An introduction into integrating the Authelia OpenID Connect Provider with an OpenID Connect relying party" description: "An introduction into integrating the Authelia OpenID Connect 1.0 Provider with an OpenID Connect 1.0 Relying Party"
lead: "An introduction into integrating the Authelia OpenID Connect Provider with an OpenID Connect relying party." lead: "An introduction into integrating the Authelia OpenID Connect 1.0 Provider with an OpenID Connect 1.0 Relying Party."
date: 2022-06-15T17:51:47+10:00 date: 2022-06-15T17:51:47+10:00
draft: false draft: false
images: [] images: []
@ -265,7 +265,7 @@ The following table describes the response from the [UserInfo] endpoint dependin
## Endpoint Implementations ## Endpoint Implementations
The following section documents the endpoints we implement and their respective paths. This information can The following section documents the endpoints we implement and their respective paths. This information can
traditionally be discovered by relying parties that utilize [OpenID Connect Discovery], however this information may be traditionally be discovered by relying parties that utilize [OpenID Connect Discovery 1.0], however this information may be
useful for clients which do not implement this. useful for clients which do not implement this.
The endpoints can be discovered easily by visiting the Discovery and Metadata endpoints. It is recommended regardless The endpoints can be discovered easily by visiting the Discovery and Metadata endpoints. It is recommended regardless
@ -275,7 +275,7 @@ below.
These tables document the endpoints we currently support and their paths in the most recent version of Authelia. The These tables document the endpoints we currently support and their paths in the most recent version of Authelia. The
paths are appended to the end of the primary URL used to access Authelia. The tables use the url paths are appended to the end of the primary URL used to access Authelia. The tables use the url
https://auth.example.com as an example of the Authelia root URL which is also the OpenID Connect issuer. https://auth.example.com as an example of the Authelia root URL which is also the OpenID Connect 1.0 Issuer.
### Well Known Discovery Endpoints ### Well Known Discovery Endpoints
@ -283,12 +283,12 @@ These endpoints can be utilized to discover other endpoints and metadata about t
| Endpoint | Path | | Endpoint | Path |
|:-----------------------------------------:|:---------------------------------------------------------------:| |:-----------------------------------------:|:---------------------------------------------------------------:|
| [OpenID Connect Discovery] | https://auth.example.com/.well-known/openid-configuration | | [OpenID Connect Discovery 1.0] | https://auth.example.com/.well-known/openid-configuration |
| [OAuth 2.0 Authorization Server Metadata] | https://auth.example.com/.well-known/oauth-authorization-server | | [OAuth 2.0 Authorization Server Metadata] | https://auth.example.com/.well-known/oauth-authorization-server |
### Discoverable Endpoints ### Discoverable Endpoints
These endpoints implement OpenID Connect elements. These endpoints implement OpenID Connect 1.0 Provider specifications.
| Endpoint | Path | Discovery Attribute | | Endpoint | Path | Discovery Attribute |
|:-------------------------------:|:--------------------------------------------------------------:|:-------------------------------------:| |:-------------------------------:|:--------------------------------------------------------------:|:-------------------------------------:|
@ -365,7 +365,7 @@ The advantages of this approach are as follows:
[OpenID Connect 1.0]: https://openid.net/connect/ [OpenID Connect 1.0]: https://openid.net/connect/
[OpenID Connect Discovery]: https://openid.net/specs/openid-connect-discovery-1_0.html [OpenID Connect Discovery 1.0]: https://openid.net/specs/openid-connect-discovery-1_0.html
[OAuth 2.0 Authorization Server Metadata]: https://datatracker.ietf.org/doc/html/rfc8414 [OAuth 2.0 Authorization Server Metadata]: https://datatracker.ietf.org/doc/html/rfc8414
[JSON Web Key Set]: https://datatracker.ietf.org/doc/html/rfc7517#section-5 [JSON Web Key Set]: https://datatracker.ietf.org/doc/html/rfc7517#section-5
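Review bot: renaming the reference label `[OpenID Connect Discovery]` to `[OpenID Connect Discovery 1.0]` silently turns any remaining use of the old label in this file into literal bracketed text instead of a link. The hunks above update the definition and two usages (the prose under "Endpoint Implementations" and the Well Known Discovery table); a search of the whole file for the old label before merging would confirm none were missed.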

View File

@ -1,6 +1,6 @@
--- ---
title: "Kasm Workspaces" title: "Kasm Workspaces"
description: "Integrating Kasm Workspaces with the Authelia OpenID Connect Provider." description: "Integrating Kasm Workspaces with the Authelia OpenID Connect 1.0 Provider."
lead: "" lead: ""
date: 2023-04-27T18:40:06+10:00 date: 2023-04-27T18:40:06+10:00
draft: false draft: false

View File

@ -1,6 +1,6 @@
--- ---
title: "Komga" title: "Komga"
description: "Integrating Komga with the Authelia OpenID Connect Provider." description: "Integrating Komga with the Authelia OpenID Connect 1.0 Provider."
lead: "" lead: ""
date: 2022-08-26T11:39:00+10:00 date: 2022-08-26T11:39:00+10:00
draft: false draft: false

View File

@ -1,6 +1,6 @@
--- ---
title: "MinIO" title: "MinIO"
description: "Integrating MinIO with the Authelia OpenID Connect Provider." description: "Integrating MinIO with the Authelia OpenID Connect 1.0 Provider."
lead: "" lead: ""
date: 2023-03-21T11:21:23+11:00 date: 2023-03-21T11:21:23+11:00
draft: false draft: false

View File

@ -1,6 +1,6 @@
--- ---
title: "Misago" title: "Misago"
description: "Integrating Misago with the Authelia OpenID Connect Provider." description: "Integrating Misago with the Authelia OpenID Connect 1.0 Provider."
lead: "" lead: ""
date: 2023-03-14T08:51:13+11:00 date: 2023-03-14T08:51:13+11:00
draft: false draft: false

View File

@ -1,6 +1,6 @@
--- ---
title: "Nextcloud" title: "Nextcloud"
description: "Integrating Nextcloud with the Authelia OpenID Connect Provider." description: "Integrating Nextcloud with the Authelia OpenID Connect 1.0 Provider."
lead: "" lead: ""
date: 2022-06-15T17:51:47+10:00 date: 2022-06-15T17:51:47+10:00
draft: false draft: false

View File

@ -1,6 +1,6 @@
--- ---
title: "Outline" title: "Outline"
description: "Integrating Outline with the Authelia OpenID Connect Provider." description: "Integrating Outline with the Authelia OpenID Connect 1.0 Provider."
lead: "" lead: ""
date: 2022-08-12T09:11:42+10:00 date: 2022-08-12T09:11:42+10:00
draft: false draft: false

View File

@ -1,6 +1,6 @@
--- ---
title: "Portainer" title: "Portainer"
description: "Integrating Portainer with the Authelia OpenID Connect Provider." description: "Integrating Portainer with the Authelia OpenID Connect 1.0 Provider."
lead: "" lead: ""
date: 2022-06-15T17:51:47+10:00 date: 2022-06-15T17:51:47+10:00
draft: false draft: false

View File

@ -1,6 +1,6 @@
--- ---
title: "Proxmox" title: "Proxmox"
description: "Integrating Proxmox with the Authelia OpenID Connect Provider." description: "Integrating Proxmox with the Authelia OpenID Connect 1.0 Provider."
lead: "" lead: ""
date: 2022-06-15T17:51:47+10:00 date: 2022-06-15T17:51:47+10:00
draft: false draft: false

View File

@ -1,6 +1,6 @@
--- ---
title: "Seafile" title: "Seafile"
description: "Integrating Seafile with the Authelia OpenID Connect Provider." description: "Integrating Seafile with the Authelia OpenID Connect 1.0 Provider."
lead: "" lead: ""
date: 2022-06-15T17:51:47+10:00 date: 2022-06-15T17:51:47+10:00
draft: false draft: false

View File

@ -1,6 +1,6 @@
--- ---
title: "Synapse" title: "Synapse"
description: "Integrating Synapse with the Authelia OpenID Connect Provider." description: "Integrating Synapse with the Authelia OpenID Connect 1.0 Provider."
lead: "" lead: ""
date: 2022-06-15T17:51:47+10:00 date: 2022-06-15T17:51:47+10:00
draft: false draft: false

View File

@ -1,6 +1,6 @@
--- ---
title: "Synology DSM" title: "Synology DSM"
description: "Integrating Synology DSM with the Authelia OpenID Connect Provider." description: "Integrating Synology DSM with the Authelia OpenID Connect 1.0 Provider."
lead: "" lead: ""
date: 2022-10-18T21:22:13+11:00 date: 2022-10-18T21:22:13+11:00
draft: false draft: false

View File

@ -1,6 +1,6 @@
--- ---
title: "Tailscale" title: "Tailscale"
description: "Using Authelia as the Tailscale OpenID Connect Provider." description: "Integrating Tailscale with the Authelia OpenID Connect 1.0 Provider."
lead: "" lead: ""
date: 2023-04-23T10:06:28+10:00 date: 2023-04-23T10:06:28+10:00
draft: false draft: false

View File

@ -466,14 +466,6 @@ and is paired with [authelia-location.conf](#authelia-locationconf).*
## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource. ## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
auth_request /internal/authelia/authz; auth_request /internal/authelia/authz;
## Save the upstream authorization response headers from Authelia to variables.
auth_request_set $authorization $upstream_http_authorization;
auth_request_set $proxy_authorization $upstream_http_proxy_authorization;
## Inject the authorization response headers from the variables into the request made to the backend.
proxy_set_header Authorization $authorization;
proxy_set_header Proxy-Authorization $proxy_authorization;
## Save the upstream metadata response headers from Authelia to variables. ## Save the upstream metadata response headers from Authelia to variables.
auth_request_set $user $upstream_http_remote_user; auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups; auth_request_set $groups $upstream_http_remote_groups;
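Review bot: removing the `auth_request_set $authorization` / `$proxy_authorization` lines and the matching `proxy_set_header Authorization` / `Proxy-Authorization` lines changes what a backend behind this snippet receives, yet nothing in the diff explains why the `Authorization` and `Proxy-Authorization` response headers from Authelia are no longer forwarded. Users who copied the earlier version of this block will keep forwarding them after upgrading, so the page (or the commit message) should state that the forwarding is intentionally dropped and what, if anything, replaces it.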
@ -486,10 +478,6 @@ proxy_set_header Remote-Groups $groups;
proxy_set_header Remote-Email $email; proxy_set_header Remote-Email $email;
proxy_set_header Remote-Name $name; proxy_set_header Remote-Name $name;
## Include the Set-Cookie header if present.
auth_request_set $cookie $upstream_http_set_cookie;
add_header Set-Cookie $cookie;
## Configure the redirection when the authz failure occurs. Lines starting with 'Modern Method' and 'Legacy Method' ## Configure the redirection when the authz failure occurs. Lines starting with 'Modern Method' and 'Legacy Method'
## should be commented / uncommented as pairs. The modern method uses the session cookies configuration's authelia_url ## should be commented / uncommented as pairs. The modern method uses the session cookies configuration's authelia_url
## value to determine the redirection URL here. It's much simpler and compatible with the mutli-cookie domain easily. ## value to determine the redirection URL here. It's much simpler and compatible with the mutli-cookie domain easily.
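Review bot: dropping the `auth_request_set $cookie $upstream_http_set_cookie;` and `add_header Set-Cookie $cookie;` pair means a `Set-Cookie` header returned by the Authelia subrequest is no longer relayed to the browser, which is a behavioural change for anyone relying on the previous example; the surrounding text should say that this relay is no longer needed and why, so operators do not re-add it by hand. While this block is being edited, the context line "compatible with the mutli-cookie domain" has a typo ("multi-cookie") worth fixing.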

View File

@ -517,7 +517,7 @@ http:
``` ```
{{< /details >}} {{< /details >}}
## FAQ ## Frequently Asked Questions
### Basic Authentication ### Basic Authentication

View File

@ -39,7 +39,7 @@ Now that Authelia is configured, pass the first factor and select the Push notif
You should now receive a notification on your mobile phone with all the details about the authentication request. In You should now receive a notification on your mobile phone with all the details about the authentication request. In
case you have multiple devices available, you will be asked to select your preferred device. case you have multiple devices available, you will be asked to select your preferred device.
## FAQ ## Frequently Asked Questions
### Why don't I have access to the *Push Notification* option? ### Why don't I have access to the *Push Notification* option?

View File

@ -43,7 +43,7 @@ requested:
Easy, right?! Easy, right?!
## FAQ ## Frequently Asked Questions
### Can I register multiple FIDO2 WebAuthn credentials? ### Can I register multiple FIDO2 WebAuthn credentials?

View File

@ -86,5 +86,5 @@ It's important to note that Authelia is considered running in a trusted environm
transmitted unsigned to the backends, meaning a malicious user within the network could pretend to be transmitted unsigned to the backends, meaning a malicious user within the network could pretend to be
Authelia and send those headers to bypass authentication and gain access to the service. This could be mitigated by Authelia and send those headers to bypass authentication and gain access to the service. This could be mitigated by
transmitting those headers with a digital signature which could be verified by the backend however, many backends transmitting those headers with a digital signature which could be verified by the backend however, many backends
just won't support it. It has therefore been decided to invest in OpenID Connect instead to solve that authentication just won't support it. It has therefore been decided to invest in OpenID Connect 1.0 instead to solve that
delegation problem. authentication delegation problem.

View File

@ -12,6 +12,24 @@ weight: 220
toc: true toc: true
--- ---
## Miscellaneous
- [Docker](../../integration/deployment/docker.md#frequently-asked-questions)
- [Development](../../contributing/development/environment.md#frequently-asked-questions)
## Authentication
- [WebAuthn](../../overview/authentication/security-key/index.md#frequently-asked-questions)
- [Duo](../../overview/authentication/push-notification/index.md#frequently-asked-questions)
## Proxies
- [Traefik](../../integration/proxies/traefik.md#frequently-asked-questions)
## Kubernetes
- [General](../../integration/kubernetes/introduction.md#frequently-asked-questions)
## Identity Providers ## Identity Providers
- [OpenID Connect 1.0 Integration](../../integration/openid-connect/frequently-asked-questions.md) - [OpenID Connect 1.0 Integration](../../integration/openid-connect/frequently-asked-questions.md)

View File

@ -14,8 +14,8 @@ aliases:
- /r/dashboard - /r/dashboard
--- ---
This feature has several major impacts on other roadmap items. For example several OpenID Connect features would greatly This feature has several major impacts on other roadmap items. For example several OpenID Connect 1.0 features would
benefit from a dashboard. It would also be important when we implement WebAuthn features like passwordless greatly benefit from a dashboard. It would also be important when we implement WebAuthn features like passwordless
authentication allowing users to intentionally register a passwordless credential. authentication allowing users to intentionally register a passwordless credential.
## Stages ## Stages

View File

@ -1,7 +1,7 @@
--- ---
title: "OpenID Connect" title: "OpenID Connect 1.0"
description: "Authelia OpenID Connect Implementation" description: "Authelia OpenID Connect 1.0 Provider Implementation"
lead: "The OpenID Connect Provider role is a very useful but complex feature to enhance interoperability of Authelia with other products. " lead: "The OpenID Connect 1.0 Provider role is a very useful but complex feature to enhance interoperability of Authelia with other products. "
date: 2022-06-15T17:51:47+10:00 date: 2022-06-15T17:51:47+10:00
draft: false draft: false
images: [] images: []
@ -15,14 +15,15 @@ aliases:
- /docs/roadmap/oidc.html - /docs/roadmap/oidc.html
--- ---
We have decided to implement [OpenID Connect] as a beta feature, it's suggested you only utilize it for testing and We have decided to implement [OpenID Connect 1.0] as a beta feature, it's suggested you only utilize it for testing and
providing feedback, and should take caution in relying on it in production as of now. [OpenID Connect] and it's related providing feedback, and should take caution in relying on it in production as of now. [OpenID Connect 1.0] and it's
endpoints are not enabled by default unless you specifically configure the [OpenID Connect] section. related endpoints are not enabled by default unless you specifically configure the [OpenID Connect 1.0] section.
As [OpenID Connect] is fairly complex (the [OpenID Connect] Provider role especially so) it's intentional that it is As [OpenID Connect 1.0] is fairly complex (the [OpenID Connect 1.0] Provider role especially so) it's intentional that
both a beta and that the implemented features are part of a thoughtful roadmap. Items that are not immediately obvious it is both a beta and that the implemented features are part of a thoughtful roadmap. Items that are not immediately
as required (i.e. bug fixes or spec features), will likely be discussed in team meetings or on GitHub issues before obvious as required (i.e. bug fixes or spec features), will likely be discussed in team meetings or on GitHub issues
being added to the list. We want to implement this feature in a very thoughtful way in order to avoid security issues. before being added to the list. We want to implement this feature in a very thoughtful way in order to avoid security
issues.
## Stages ## Stages
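Review bot: "[OpenID Connect 1.0] and it's related endpoints" should be "its related endpoints" (possessive, not the contraction); the typo was present before this change but the line is being rewritten anyway. The reflowed paragraph also keeps "in order to avoid security issues" as a trailing fragment on its own line, which is fine for markdown but reads better if the wrap is adjusted.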
@ -38,7 +39,7 @@ Feature List:
* [User Consent](https://openid.net/specs/openid-connect-core-1_0.html#Consent) * [User Consent](https://openid.net/specs/openid-connect-core-1_0.html#Consent)
* [Authorization Code Flow](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowSteps) * [Authorization Code Flow](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowSteps)
* [OpenID Connect Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html) * [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html)
* [RS256 Signature Strategy](https://datatracker.ietf.org/doc/html/rfc7518#section-3.1) * [RS256 Signature Strategy](https://datatracker.ietf.org/doc/html/rfc7518#section-3.1)
* Per Client Scope/Grant Type/Response Type Restriction * Per Client Scope/Grant Type/Response Type Restriction
* Per Client Authorization Policy (1FA/2FA) * Per Client Authorization Policy (1FA/2FA)
@ -64,7 +65,7 @@ Feature List:
Feature List: Feature List:
* [Proof Key Code Exchange (PKCE)] for Authorization Code Flow * [RFC7636: Proof Key for Code Exchange (PKCE)] for Authorization Code Flow
* Claims: * Claims:
* `preferred_username` - sending the username in this claim instead of the `sub` claim. * `preferred_username` - sending the username in this claim instead of the `sub` claim.
@ -79,12 +80,12 @@ Feature List:
* Auditable Information * Auditable Information
* Subject to User Mapping * Subject to User Mapping
* Opaque [RFC4122] UUID v4's for subject identifiers * Opaque [RFC4122] UUID v4's for subject identifiers
* Support for Pairwise and Plain subject identifier types as per [OpenID Connect Core (Subject Identifier Types)] * Support for Pairwise and Plain subject identifier types as per [OpenID Connect Core 1.0 (Subject Identifier Types)]
* Utilize the pairwise example method 3 as per [OpenID Connect Core (Pairwise Identifier Algorithm)] * Utilize the pairwise example method 3 as per [OpenID Connect Core 1.0 (Pairwise Identifier Algorithm)]
* Claims: * Claims:
* `sub` - replace username with opaque random [RFC4122] UUID v4 * `sub` - replace username with opaque random [RFC4122] UUID v4
* `amr` - authentication method references as per [RFC8176] * `amr` - authentication method references as per [RFC8176]
* `azp` - authorized party as per [OpenID Connect Core (ID Token)] * `azp` - authorized party as per [OpenID Connect Core 1.0 (ID Token)]
* `client_id` - the Client ID as per [RFC8693 Section 4.3] * `client_id` - the Client ID as per [RFC8693 Section 4.3]
* [Cross Origin Resource Sharing] (CORS): * [Cross Origin Resource Sharing] (CORS):
* Automatically allow all cross-origin requests to the discovery endpoints * Automatically allow all cross-origin requests to the discovery endpoints
@ -106,7 +107,7 @@ Feature List:
* Implicit: * Implicit:
* Not expressly standards compliant * Not expressly standards compliant
* Never asks for end-user consent * Never asks for end-user consent
* Not compatible with the consent prompt type * Not compatible with the `consent` prompt type
* Pre-Configured: * Pre-Configured:
* Allows users to save consent sessions for a duration configured by the administrator * Allows users to save consent sessions for a duration configured by the administrator
* Operates nearly identically to the explicit consent mode * Operates nearly identically to the explicit consent mode
@ -115,15 +116,15 @@ Feature List:
{{< roadmap-status stage="in-progress" version="v4.38.0" >}} {{< roadmap-status stage="in-progress" version="v4.38.0" >}}
* [RFC9126: OAuth 2.0 Pushed Authorization Requests](https://datatracker.ietf.org/doc/html/rfc9126) * [RFC9126: OAuth 2.0 Pushed Authorization Requests]
* [RFC7523: JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants](https://datatracker.ietf.org/doc/html/rfc7523): * [RFC7523: JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants]:
* Client Auth Method `client_secret_jwt` * Client Auth Method `client_secret_jwt`
* Client Auth Method `private_key_jwt` * Client Auth Method `private_key_jwt`
* Per-Client [Proof Key Code Exchange (PKCE)] Policy * Per-Client [RFC7636: Proof Key for Code Exchange (PKCE)] Policy
* Multiple Issuer JWKs: * Multiple Issuer JWKs:
* RS256, RS384, RS512 * `RS256`, `RS384`, `RS512`
* PS256, PS384, PS512 * `PS256`, `PS384`, `PS512`
* ES256, ES384, ES512 * `ES256`, `ES384`, `ES512`
### Beta 7 ### Beta 7
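Review bot: the "Multiple Issuer JWKs" item lists algorithm families but does not say how a key is chosen for a given client or how relying parties distinguish the keys; for the roadmap item to be reviewable, add a sub-item stating that each published JWK carries a `kid` and that the signing key is selected per client (the client's registered ID token signing algorithm) rather than by the requester, since a provider that lets the request pick `alg` among several keys is the classic algorithm-confusion footgun. Separately, `* [RFC7523: ...]:` puts a colon directly after a shortcut reference link at the start of the bullet, which is also the `[label]:` shape of a link reference definition; confirm the Hugo build renders it as a link, or move the colon into surrounding text.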
@ -134,7 +135,7 @@ Feature List:
* Prompt Handling * Prompt Handling
* Display Handling * Display Handling
See [OpenID Connect Core (Mandatory to Implement Features for All OpenID Providers)]. See [OpenID Connect Core 1.0 (Mandatory to Implement Features for All OpenID Providers)].
### Beta 8 ### Beta 8
@ -144,6 +145,15 @@ Feature List:
* Revoke Tokens on User Logout or Expiration * Revoke Tokens on User Logout or Expiration
* [JSON Web Key Rotation](https://openid.net/specs/openid-connect-messages-1_0-20.html#rotate.sig.keys) * [JSON Web Key Rotation](https://openid.net/specs/openid-connect-messages-1_0-20.html#rotate.sig.keys)
* In-Storage Configuration:
* Multi-Issuer Configuration (require one per Issuer URL)
* Dynamically Configured via CLI
* Import from YAML:
* Manual method
* Bootstrap method:
* Defaults to one time only
* Can optionally override the database configuration
* Salt (random) and/or Peppered (storage encryption) Client Credentials
### General Availability ### General Availability
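Review bot: "Salt (random) and/or Peppered (storage encryption) Client Credentials" conflates two different protections and should be split into two items with distinct wording: a random per-credential salt protects hashed client secrets against precomputation, whereas encrypting the stored value with the storage encryption key protects against disclosure of the database dump but does nothing once the key is also obtained; a pepper in the usual sense is a secret mixed into the hash, not storage encryption, so either rename the item to "encrypted at rest" or describe an actual pepper. Two smaller points in the same hunk: "(require one per Issuer URL)" should read "(requires one per Issuer URL)", and "Can optionally override the database configuration" under the Bootstrap method should say the override is opt-in by an explicit flag, since a default that silently replaces dynamically configured (CLI) clients on restart would be an unpleasant surprise.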
@ -151,7 +161,7 @@ Feature List:
Feature List: Feature List:
* Enable by Default * ~~Enable by Default~~
* Only after all previous stages are checked for bugs * Only after all previous stages are checked for bugs
### Miscellaneous ### Miscellaneous
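Review bot: striking through "Enable by Default" leaves its sub-bullet "Only after all previous stages are checked for bugs" un-struck and orphaned, so it now reads as a bare condition with no parent; either strike the sub-item as well or replace both with a one-line statement that the provider will remain opt-in (not enabled by default) and why, so readers of the General Availability section are not left guessing.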
@ -162,13 +172,13 @@ This stage lists features which individually do not fit into a specific stage an
{{< roadmap-status >}} {{< roadmap-status >}}
See the [OpenID Connect] website for the [OpenID Connect Dynamic Client Registration] specification. See the [OpenID Connect 1.0] website for the [OpenID Connect Dynamic Client Registration 1.0] specification.
#### OpenID Connect Back-Channel Logout #### OpenID Connect Back-Channel Logout
{{< roadmap-status >}} {{< roadmap-status >}}
See the [OpenID Connect] website for the [OpenID Connect Back-Channel Logout] specification. See the [OpenID Connect 1.0] website for the [OpenID Connect Back-Channel Logout 1.0] specification.
Should be implemented alongside [Dynamic Client Registration](#openid-connect-dynamic-client-registration). Should be implemented alongside [Dynamic Client Registration](#openid-connect-dynamic-client-registration).
@ -176,7 +186,7 @@ Should be implemented alongside [Dynamic Client Registration](#openid-connect-dy
{{< roadmap-status >}} {{< roadmap-status >}}
See the [OpenID Connect] website for the [OpenID Connect Front-Channel Logout] specification. See the [OpenID Connect 1.0] website for the [OpenID Connect Front-Channel Logout 1.0] specification.
Should be implemented alongside [Dynamic Client Registration](#openid-connect-dynamic-client-registration). Should be implemented alongside [Dynamic Client Registration](#openid-connect-dynamic-client-registration).
@ -190,7 +200,7 @@ See the [IETF Specification RFC8414](https://datatracker.ietf.org/doc/html/rfc84
{{< roadmap-status >}} {{< roadmap-status >}}
See the [OpenID Connect] website for the [OpenID Connect Session Management] specification. See the [OpenID Connect 1.0] website for the [OpenID Connect Session Management 1.0] specification.
#### End-User Scope Grants #### End-User Scope Grants
@ -216,14 +226,17 @@ The `preferred_username` claim was missing and was fixed.
[RFC8693 Section 4.3]: https://datatracker.ietf.org/doc/html/rfc8693/#section-4.3 [RFC8693 Section 4.3]: https://datatracker.ietf.org/doc/html/rfc8693/#section-4.3
[RFC4122]: https://datatracker.ietf.org/doc/html/rfc4122 [RFC4122]: https://datatracker.ietf.org/doc/html/rfc4122
[OpenID Connect]: https://openid.net/connect/ [OpenID Connect 1.0]: https://openid.net/connect/
[OpenID Connect Front-Channel Logout]: https://openid.net/specs/openid-connect-frontchannel-1_0.html [OpenID Connect Front-Channel Logout 1.0]: https://openid.net/specs/openid-connect-frontchannel-1_0.html
[OpenID Connect Back-Channel Logout]: https://openid.net/specs/openid-connect-backchannel-1_0.html [OpenID Connect Back-Channel Logout 1.0]: https://openid.net/specs/openid-connect-backchannel-1_0.html
[OpenID Connect Session Management]: https://openid.net/specs/openid-connect-session-1_0.html [OpenID Connect Session Management 1.0]: https://openid.net/specs/openid-connect-session-1_0.html
[OpenID Connect Dynamic Client Registration]: https://openid.net/specs/openid-connect-registration-1_0.html [OpenID Connect Dynamic Client Registration 1.0]: https://openid.net/specs/openid-connect-registration-1_0.html
[OpenID Connect Core (ID Token)]: https://openid.net/specs/openid-connect-core-1_0.html#IDToken [OpenID Connect Core 1.0 (ID Token)]: https://openid.net/specs/openid-connect-core-1_0.html#IDToken
[OpenID Connect Core (Subject Identifier Types)]: https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes [OpenID Connect Core 1.0 (Subject Identifier Types)]: https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
[OpenID Connect Core (Pairwise Identifier Algorithm)]: https://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg [OpenID Connect Core 1.0 (Pairwise Identifier Algorithm)]: https://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg
[OpenID Connect Core (Mandatory to Implement Features for All OpenID Providers)]: https://openid.net/specs/openid-connect-core-1_0.html#ServerMTI [OpenID Connect Core 1.0 (Mandatory to Implement Features for All OpenID Providers)]: https://openid.net/specs/openid-connect-core-1_0.html#ServerMTI
[Proof Key Code Exchange (PKCE)]: https://datatracker.ietf.org/doc/html/rfc7636
[RFC7636: Proof Key for Code Exchange (PKCE)]: https://datatracker.ietf.org/doc/html/rfc7636
[RFC7523: JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants]: https://datatracker.ietf.org/doc/html/rfc7523
[RFC9126: OAuth 2.0 Pushed Authorization Requests]: https://datatracker.ietf.org/doc/html/rfc9126
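Review bot: the `[Proof Key Code Exchange (PKCE)]` definition is removed and replaced by `[RFC7636: Proof Key for Code Exchange (PKCE)]`; the two uses visible in this diff (the Beta 5 feature list and the "Per-Client ... Policy" item) are both renamed, but any remaining use of the old label elsewhere in the docs would now render as literal bracketed text, so grep the content tree for the old label before merging. The new definitions for RFC7523 and RFC9126 match the inline URLs that were dropped from the Beta 6 list, so that move is consistent.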

View File

@ -25,7 +25,7 @@ be glad to share ideas and plans with you.
This is a summary of the features which are currently on the roadmap with links to further details: This is a summary of the features which are currently on the roadmap with links to further details:
1. [WebAuthn](../active/webauthn.md) 1. [WebAuthn](../active/webauthn.md)
2. [OpenID Connect Provider](../active/openid-connect.md) 2. [OpenID Connect 1.0 Provider](../active/openid-connect.md)
3. [Internationalization or Multilingual Support](../active/internationalization.md) 3. [Internationalization or Multilingual Support](../active/internationalization.md)
4. [Multiple Domain Protection](../active/multi-domain-protection.md) 4. [Multiple Domain Protection](../active/multi-domain-protection.md)
5. [Control Panel / Dashboard for User / Administration Settings](../active/dashboard-control-panel.md) 5. [Control Panel / Dashboard for User / Administration Settings](../active/dashboard-control-panel.md)

View File

@ -244,8 +244,8 @@ func (s *Store) GetPKCERequestSession(ctx context.Context, signature string, ses
return s.loadRequesterBySignature(ctx, storage.OAuth2SessionTypePKCEChallenge, signature, session) return s.loadRequesterBySignature(ctx, storage.OAuth2SessionTypePKCEChallenge, signature, session)
} }
// CreateOpenIDConnectSession creates an open id connect session for a given authorize code. // CreateOpenIDConnectSession creates an OpenID Connect 1.0 connect session for a given authorize code.
// This is relevant for explicit open id connect flow. // This is relevant for explicit OpenID Connect 1.0 flow.
// This implements a portion of openid.OpenIDConnectRequestStorage. // This implements a portion of openid.OpenIDConnectRequestStorage.
func (s *Store) CreateOpenIDConnectSession(ctx context.Context, authorizeCode string, request fosite.Requester) (err error) { func (s *Store) CreateOpenIDConnectSession(ctx context.Context, authorizeCode string, request fosite.Requester) (err error) {
return s.saveSession(ctx, storage.OAuth2SessionTypeOpenIDConnect, authorizeCode, request) return s.saveSession(ctx, storage.OAuth2SessionTypeOpenIDConnect, authorizeCode, request)
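Review bot: the reworded comment now reads "creates an OpenID Connect 1.0 connect session", which duplicates "connect"; it should be "creates an OpenID Connect 1.0 session for a given authorize code", and the following line reads better as "This is relevant for the explicit OpenID Connect 1.0 flow." The doc comment should also keep starting with the function name (`CreateOpenIDConnectSession ...`) so it remains godoc-conformant.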