Merge remote-tracking branch 'origin/master' into feat-settings-ui

feat-settings-ui
James Elliott 2023-05-20 10:26:42 +10:00
commit b4083df061
No known key found for this signature in database
GPG Key ID: 0F1C4A096E857E49
47 changed files with 144 additions and 117 deletions

@ -31,14 +31,14 @@ with all major proxies supported excluding Microsoft IIS.
[Envoy]: https://www.envoyproxy.io/
[Istio]: https://istio.io/
## OpenID Connect Improvements
## OpenID Connect 1.0 Improvements
Several items from the [OpenID Connect Roadmap](../../roadmap/active/openid-connect.md) are being checked off in this
Several items from the [OpenID Connect 1.0 Roadmap](../../roadmap/active/openid-connect.md) are being checked off in this
release.
### Hashed Client Secrets
We'll be supporting hashed OpenID Connect client secrets in this release. People will still be able to use plaintext
We'll be supporting hashed OpenID Connect 1.0 client secrets in this release. People will still be able to use plaintext
secrets if they wish however we'll be recommending people utilize PBKDF2, BCrypt or SHA512 SHA2CRYPT (see
[Password Algorithms](#password-algorithms) for a full compatibility list). This doesn't change anything for OpenID
Connect Relying Parties, it only requires a change in the Authelia configuration.
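Review bot: the rename to "OpenID Connect 1.0" stops one sentence short in this hunk; the closing sentence still reads "This doesn't change anything for OpenID Connect Relying Parties" while the rest of the commit uses "OpenID Connect 1.0 Relying Party". Update that sentence for consistency, and add the missing comma in "plaintext secrets if they wish, however we'll be recommending".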

@ -14,6 +14,6 @@ aliases:
- /docs/configuration/identity-providers/
---
## OpenID Connect
## OpenID Connect 1.0
The only identity provider implementation supported at this time is [OpenID Connect 1.0](openid-connect/provider.md).

@ -16,8 +16,8 @@ This section covers specifics regarding configuring the providers registered cli
provider specific configuration and information not related to clients see the [OpenID Connect 1.0 Provider](provider.md)
documentation.
More information about OpenID Connect can be found in the [roadmap](../../../roadmap/active/openid-connect.md) and in the
[integration](../../../integration/openid-connect/introduction.md) documentation.
More information about OpenID Connect 1.0 can be found in the [roadmap](../../../roadmap/active/openid-connect.md) and
in the [integration](../../../integration/openid-connect/introduction.md) documentation.
## Configuration

@ -299,9 +299,9 @@ Allows additional debug messages to be sent to the clients.
This controls the minimum length of the `nonce` and `state` parameters.
*__Security Notice:__* Changing this value is generally discouraged, reducing it from the default can theoretically
make certain scenarios less secure. It is highly encouraged that if your OpenID Connect RP does not send these
parameters or sends parameters with a lower length than the default that they implement a change rather than changing
this value.
make certain scenarios less secure. It is highly encouraged that if your OpenID Connect 1.0 Relying Party does not send
these parameters or sends parameters with a lower length than the default that they implement a change rather than
changing this value.
### enforce_pkce
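Review bot: the rewrapped security notice keeps the run-on "Changing this value is generally discouraged, reducing it from the default can theoretically make certain scenarios less secure"; split it into two sentences, e.g. "Changing this value is generally discouraged. Reducing it below the default can theoretically make certain scenarios less secure." The phrase "they implement a change rather than changing this value" is also vague about who changes what; state plainly that the Relying Party should be fixed to send `nonce` and `state` values of at least the default length rather than lowering this minimum on the provider.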

@ -16,7 +16,7 @@ Environment variables are applied after the configuration file meaning anything
overrides the configuration files.
*__Please Note:__ It is not possible to configure several sections at this time, these include but may not be
limited to the rules section in access control, the clients section in the OpenID Connect identity provider, the cookies
limited to the rules section in access control, the clients section in the OpenID Connect 1.0 Provider, the cookies
section of in session, and the authz section in the server endpoints.*
## Prefix
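Review bot: the unchanged context line "the cookies section of in session" carries a pre-existing typo ("of in"); since this paragraph is being touched anyway, change it to "the cookies section in session".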

@ -63,9 +63,9 @@ authelia --config configuration.yml,config-acl.yml,config-other.yml
Authelia's configuration files use the YAML format. A template with all possible options can be found at the root of the
repository {{< github-link name="here" path="config.template.yml" >}}.
*__Important Note:__ You should not have configuration sections such as Access Control Rules or OpenID Connect clients
configured in multiple files. If you wish to split these into their own files that is fine, but if you have two files that
specify these sections and expect them to merge properly you are asking for trouble.*
*__Important Note:__ You should not have configuration sections such as Access Control Rules or OpenID Connect 1.0
clients configured in multiple files. If you wish to split these into their own files that is fine, but if you have two
files that specify these sections and expect them to merge properly you are asking for trouble.*
### Container

@ -24,16 +24,24 @@ server:
authz:
forward-auth:
implementation: 'ForwardAuth'
authn_strategies: []
authn_strategies:
- name: 'HeaderProxyAuthorization'
- name: 'CookieSession'
ext-authz:
implementation: 'ExtAuthz'
authn_strategies: []
authn_strategies:
- name: 'HeaderProxyAuthorization'
- name: 'CookieSession'
auth-request:
implementation: 'AuthRequest'
authn_strategies: []
authn_strategies:
- name: 'HeaderAuthRequestProxyAuthorization'
- name: 'CookieSession'
legacy:
implementation: 'Legacy'
authn_strategies: []
authn_strategies:
- name: 'HeaderLegacy'
- name: 'CookieSession'
```
## Name
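Review bot: the documented default `authn_strategies` for each authz endpoint change here from the empty list `[]` to concrete lists (`HeaderProxyAuthorization` / `HeaderAuthRequestProxyAuthorization` / `HeaderLegacy` followed by `CookieSession`). Since this describes which authentication strategies each endpoint accepts, it is security-relevant reference material: confirm the lists match the code defaults, and add a sentence stating whether the order of the list is significant (i.e. whether strategies are tried in the order listed), because the YAML alone does not say.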

@ -89,6 +89,6 @@ Please see the [documentation](../prologue/common.md#duration) on this format fo
This adjusts the requested timeout for a WebAuthn interaction.
## FAQ
## Frequently Asked Questions
See the [Security Key FAQ](../../overview/authentication/security-key/index.md#faq) for the FAQ.
See the [Security Key FAQ](../../overview/authentication/security-key/index.md#frequently-asked-questions) for the FAQ.

@ -32,9 +32,9 @@ this instance if you wanted to downgrade to pre1 you would need to use an Authel
| 1 | 4.33.0 | Initial migration managed version |
| 2 | 4.34.0 | WebAuthn - added webauthn_devices table, altered totp_config to include device created/used dates |
| 3 | 4.34.2 | WebAuthn - fix V2 migration kid column length and provide migration path for anyone on V2 |
| 4 | 4.35.0 | Added OpenID Connect storage tables and opaque user identifier tables |
| 4 | 4.35.0 | Added OpenID Connect 1.0 storage tables and opaque user identifier tables |
| 5 | 4.35.1 | Fixed the oauth2_consent_session table to accept NULL subjects for users who are not yet signed in |
| 6 | 4.37.0 | Adjusted the OpenID Connect tables to allow pre-configured consent improvements |
| 6 | 4.37.0 | Adjusted the OpenID Connect 1.0 tables to allow pre-configured consent improvements |
| 7 | 4.37.3 | Fixed some schema inconsistencies most notably the MySQL/MariaDB Engine and Collation |
| 8 | 4.38.0 | OpenID Connect 1.0 Pushed Authorization Requests |
| 9 | 4.38.0 | Fix a PostgreSQL NOT NULL constraint issue on the `aaguid` column of the `webauthn_devices` table |

@ -62,7 +62,7 @@ There is a scripting context provided with __Authelia__ which can easily be conf
[suites] and various other tasks. Read more about it in the [authelia-scripts](reference-authelia-scripts.md) reference
guide.
## FAQ
## Frequently Asked Questions
### Do you support development under Windows or OSX?

@ -210,7 +210,7 @@ running the following command:
grep -Eo '"https://.*" ' ./authelia/notification.txt.
```
## FAQ
## Frequently Asked Questions
#### Running the Proxy on the Host Instead of in a Container

@ -63,7 +63,7 @@ spec:
...
```
## FAQ
## Frequently Asked Questions
### RAM usage

@ -1,6 +1,6 @@
---
title: "OpenID Connect"
description: "OpenID Connect Integration"
title: "OpenID Connect 1.0"
description: "OpenID Connect 1.0 Integration"
lead: ""
date: 2022-06-15T17:51:47+10:00
draft: false

@ -1,6 +1,6 @@
---
title: "Apache Guacamole"
description: "Integrating Apache Guacamole with the Authelia OpenID Connect Provider."
description: "Integrating Apache Guacamole with the Authelia OpenID Connect 1.0 Provider."
lead: ""
date: 2022-07-31T13:09:05+10:00
draft: false

@ -1,6 +1,6 @@
---
title: "Argo CD"
description: "Integrating Argo CD with the Authelia OpenID Connect Provider."
description: "Integrating Argo CD with the Authelia OpenID Connect 1.0 Provider."
lead: ""
date: 2022-07-13T04:27:30+10:00
draft: false

@ -1,6 +1,6 @@
---
title: "BookStack"
description: "Integrating BookStack with the Authelia OpenID Connect Provider."
description: "Integrating BookStack with the Authelia OpenID Connect 1.0 Provider."
lead: ""
date: 2022-06-15T17:51:47+10:00
draft: false

@ -1,6 +1,6 @@
---
title: "Cloudflare Zero Trust"
description: "Integrating Cloudflare Zero Trust with the Authelia OpenID Connect Provider."
description: "Integrating Cloudflare Zero Trust with the Authelia OpenID Connect 1.0 Provider."
lead: ""
date: 2022-06-15T17:51:47+10:00
draft: false

@ -1,6 +1,6 @@
---
title: "Firezone"
description: "Integrating Firezone with the Authelia OpenID Connect Provider."
description: "Integrating Firezone with the Authelia OpenID Connect 1.0 Provider."
lead: ""
date: 2023-03-28T20:29:13+11:00
draft: false

@ -1,7 +1,7 @@
---
title: "Frequently Asked Questions"
description: "Frequently Asked Questions regarding integrating the Authelia OpenID Connect Provider with an OpenID Connect relying party"
lead: "Frequently Asked Questions regarding integrating the Authelia OpenID Connect Provider with an OpenID Connect relying party."
description: "Frequently Asked Questions regarding integrating the Authelia OpenID Connect 1.0 Provider with an OpenID Connect 1.0 Relying Party"
lead: "Frequently Asked Questions regarding integrating the Authelia OpenID Connect 1.0 Provider with an OpenID Connect 1.0 Relying Party."
date: 2022-10-20T15:27:09+11:00
draft: false
images: []

@ -1,6 +1,6 @@
---
title: "Gitea"
description: "Integrating Gitea with the Authelia OpenID Connect Provider."
description: "Integrating Gitea with the Authelia OpenID Connect 1.0 Provider."
lead: ""
date: 2022-07-01T13:07:02+10:00
draft: false

@ -1,6 +1,6 @@
---
title: "GitLab"
description: "Integrating GitLab with the Authelia OpenID Connect Provider."
description: "Integrating GitLab with the Authelia OpenID Connect 1.0 Provider."
lead: ""
date: 2022-06-15T17:51:47+10:00
draft: false

@ -1,6 +1,6 @@
---
title: "Grafana"
description: "Integrating Grafana with the Authelia OpenID Connect Provider."
description: "Integrating Grafana with the Authelia OpenID Connect 1.0 Provider."
lead: ""
date: 2022-06-15T17:51:47+10:00
draft: false

@ -1,6 +1,6 @@
---
title: "Harbor"
description: "Integrating Harbor with the Authelia OpenID Connect Provider."
description: "Integrating Harbor with the Authelia OpenID Connect 1.0 Provider."
lead: ""
date: 2022-06-15T17:51:47+10:00
draft: false

@ -1,6 +1,6 @@
---
title: "HashiCorp Vault"
description: "Integrating HashiCorp Vault with the Authelia OpenID Connect Provider."
description: "Integrating HashiCorp Vault with the Authelia OpenID Connect 1.0 Provider."
lead: ""
date: 2022-06-15T17:51:47+10:00
draft: false

@ -1,7 +1,7 @@
---
title: "OpenID Connect"
description: "An introduction into integrating the Authelia OpenID Connect Provider with an OpenID Connect relying party"
lead: "An introduction into integrating the Authelia OpenID Connect Provider with an OpenID Connect relying party."
description: "An introduction into integrating the Authelia OpenID Connect 1.0 Provider with an OpenID Connect 1.0 Relying Party"
lead: "An introduction into integrating the Authelia OpenID Connect 1.0 Provider with an OpenID Connect 1.0 Relying Party."
date: 2022-06-15T17:51:47+10:00
draft: false
images: []
@ -265,7 +265,7 @@ The following table describes the response from the [UserInfo] endpoint dependin
## Endpoint Implementations
The following section documents the endpoints we implement and their respective paths. This information can
traditionally be discovered by relying parties that utilize [OpenID Connect Discovery], however this information may be
traditionally be discovered by relying parties that utilize [OpenID Connect Discovery 1.0], however this information may be
useful for clients which do not implement this.
The endpoints can be discovered easily by visiting the Discovery and Metadata endpoints. It is recommended regardless
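Review bot: the rewritten line "traditionally be discovered by relying parties that utilize [OpenID Connect Discovery 1.0], however this information may be" now runs past the 120-column wrap the rest of this commit maintains (see the rewrapped paragraphs in the configuration and roadmap files); rewrap the paragraph so the line stays within the limit.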
@ -275,7 +275,7 @@ below.
These tables document the endpoints we currently support and their paths in the most recent version of Authelia. The
paths are appended to the end of the primary URL used to access Authelia. The tables use the url
https://auth.example.com as an example of the Authelia root URL which is also the OpenID Connect issuer.
https://auth.example.com as an example of the Authelia root URL which is also the OpenID Connect 1.0 Issuer.
### Well Known Discovery Endpoints
@ -283,12 +283,12 @@ These endpoints can be utilized to discover other endpoints and metadata about t
| Endpoint | Path |
|:-----------------------------------------:|:---------------------------------------------------------------:|
| [OpenID Connect Discovery] | https://auth.example.com/.well-known/openid-configuration |
| [OpenID Connect Discovery 1.0] | https://auth.example.com/.well-known/openid-configuration |
| [OAuth 2.0 Authorization Server Metadata] | https://auth.example.com/.well-known/oauth-authorization-server |
### Discoverable Endpoints
These endpoints implement OpenID Connect elements.
These endpoints implement OpenID Connect 1.0 Provider specifications.
| Endpoint | Path | Discovery Attribute |
|:-------------------------------:|:--------------------------------------------------------------:|:-------------------------------------:|
@ -365,7 +365,7 @@ The advantages of this approach are as follows:
[OpenID Connect 1.0]: https://openid.net/connect/
[OpenID Connect Discovery]: https://openid.net/specs/openid-connect-discovery-1_0.html
[OpenID Connect Discovery 1.0]: https://openid.net/specs/openid-connect-discovery-1_0.html
[OAuth 2.0 Authorization Server Metadata]: https://datatracker.ietf.org/doc/html/rfc8414
[JSON Web Key Set]: https://datatracker.ietf.org/doc/html/rfc7517#section-5

@ -1,6 +1,6 @@
---
title: "Kasm Workspaces"
description: "Integrating Kasm Workspaces with the Authelia OpenID Connect Provider."
description: "Integrating Kasm Workspaces with the Authelia OpenID Connect 1.0 Provider."
lead: ""
date: 2023-04-27T18:40:06+10:00
draft: false

@ -1,6 +1,6 @@
---
title: "Komga"
description: "Integrating Komga with the Authelia OpenID Connect Provider."
description: "Integrating Komga with the Authelia OpenID Connect 1.0 Provider."
lead: ""
date: 2022-08-26T11:39:00+10:00
draft: false

@ -1,6 +1,6 @@
---
title: "MinIO"
description: "Integrating MinIO with the Authelia OpenID Connect Provider."
description: "Integrating MinIO with the Authelia OpenID Connect 1.0 Provider."
lead: ""
date: 2023-03-21T11:21:23+11:00
draft: false

@ -1,6 +1,6 @@
---
title: "Misago"
description: "Integrating Misago with the Authelia OpenID Connect Provider."
description: "Integrating Misago with the Authelia OpenID Connect 1.0 Provider."
lead: ""
date: 2023-03-14T08:51:13+11:00
draft: false

@ -1,6 +1,6 @@
---
title: "Nextcloud"
description: "Integrating Nextcloud with the Authelia OpenID Connect Provider."
description: "Integrating Nextcloud with the Authelia OpenID Connect 1.0 Provider."
lead: ""
date: 2022-06-15T17:51:47+10:00
draft: false

@ -1,6 +1,6 @@
---
title: "Outline"
description: "Integrating Outline with the Authelia OpenID Connect Provider."
description: "Integrating Outline with the Authelia OpenID Connect 1.0 Provider."
lead: ""
date: 2022-08-12T09:11:42+10:00
draft: false

@ -1,6 +1,6 @@
---
title: "Portainer"
description: "Integrating Portainer with the Authelia OpenID Connect Provider."
description: "Integrating Portainer with the Authelia OpenID Connect 1.0 Provider."
lead: ""
date: 2022-06-15T17:51:47+10:00
draft: false

@ -1,6 +1,6 @@
---
title: "Proxmox"
description: "Integrating Proxmox with the Authelia OpenID Connect Provider."
description: "Integrating Proxmox with the Authelia OpenID Connect 1.0 Provider."
lead: ""
date: 2022-06-15T17:51:47+10:00
draft: false

@ -1,6 +1,6 @@
---
title: "Seafile"
description: "Integrating Seafile with the Authelia OpenID Connect Provider."
description: "Integrating Seafile with the Authelia OpenID Connect 1.0 Provider."
lead: ""
date: 2022-06-15T17:51:47+10:00
draft: false

@ -1,6 +1,6 @@
---
title: "Synapse"
description: "Integrating Synapse with the Authelia OpenID Connect Provider."
description: "Integrating Synapse with the Authelia OpenID Connect 1.0 Provider."
lead: ""
date: 2022-06-15T17:51:47+10:00
draft: false

@ -1,6 +1,6 @@
---
title: "Synology DSM"
description: "Integrating Synology DSM with the Authelia OpenID Connect Provider."
description: "Integrating Synology DSM with the Authelia OpenID Connect 1.0 Provider."
lead: ""
date: 2022-10-18T21:22:13+11:00
draft: false

@ -1,6 +1,6 @@
---
title: "Tailscale"
description: "Using Authelia as the Tailscale OpenID Connect Provider."
description: "Integrating Tailscale with the Authelia OpenID Connect 1.0 Provider."
lead: ""
date: 2023-04-23T10:06:28+10:00
draft: false

@ -466,14 +466,6 @@ and is paired with [authelia-location.conf](#authelia-locationconf).*
## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
auth_request /internal/authelia/authz;
## Save the upstream authorization response headers from Authelia to variables.
auth_request_set $authorization $upstream_http_authorization;
auth_request_set $proxy_authorization $upstream_http_proxy_authorization;
## Inject the authorization response headers from the variables into the request made to the backend.
proxy_set_header Authorization $authorization;
proxy_set_header Proxy-Authorization $proxy_authorization;
## Save the upstream metadata response headers from Authelia to variables.
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
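Review bot: the hunk header (14 lines before, 6 after) shows this hunk drops the `auth_request_set $authorization` / `$proxy_authorization` lines and the matching `proxy_set_header Authorization` / `Proxy-Authorization` lines, i.e. the documented nginx snippet no longer copies Authelia's Authorization and Proxy-Authorization response headers into the request sent to the backend. That is a behavioural change to a reference configuration, and a merge commit gives the reader no rationale; add a short note to the guide (or the changelog) explaining why these headers are no longer forwarded and whether users carrying the old snippet should remove these lines from their own configuration.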
@ -486,10 +478,6 @@ proxy_set_header Remote-Groups $groups;
proxy_set_header Remote-Email $email;
proxy_set_header Remote-Name $name;
## Include the Set-Cookie header if present.
auth_request_set $cookie $upstream_http_set_cookie;
add_header Set-Cookie $cookie;
## Configure the redirection when the authz failure occurs. Lines starting with 'Modern Method' and 'Legacy Method'
## should be commented / uncommented as pairs. The modern method uses the session cookies configuration's authelia_url
## value to determine the redirection URL here. It's much simpler and compatible with the mutli-cookie domain easily.
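Review bot: this hunk removes the Set-Cookie passthrough (`auth_request_set $cookie $upstream_http_set_cookie;` and `add_header Set-Cookie $cookie;`), again without an explanation in the documentation; state in the guide how Set-Cookie from the authz subrequest now reaches the client, or why it no longer needs to. Separately, the unchanged context line contains the typo "mutli-cookie domain"; fix it to "multi-cookie domain" while this block is being edited.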

@ -517,7 +517,7 @@ http:
```
{{< /details >}}
## FAQ
## Frequently Asked Questions
### Basic Authentication

@ -39,7 +39,7 @@ Now that Authelia is configured, pass the first factor and select the Push notif
You should now receive a notification on your mobile phone with all the details about the authentication request. In
case you have multiple devices available, you will be asked to select your preferred device.
## FAQ
## Frequently Asked Questions
### Why don't I have access to the *Push Notification* option?

@ -43,7 +43,7 @@ requested:
Easy, right?!
## FAQ
## Frequently Asked Questions
### Can I register multiple FIDO2 WebAuthn credentials?

@ -86,5 +86,5 @@ It's important to note that Authelia is considered running in a trusted environm
transmitted unsigned to the backends, meaning a malicious user within the network could pretend to be
Authelia and send those headers to bypass authentication and gain access to the service. This could be mitigated by
transmitting those headers with a digital signature which could be verified by the backend however, many backends
just won't support it. It has therefore been decided to invest in OpenID Connect instead to solve that authentication
delegation problem.
just won't support it. It has therefore been decided to invest in OpenID Connect 1.0 instead to solve that
authentication delegation problem.
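Review bot: the comma in the context line "could be verified by the backend however, many backends just won't support it" sits on the wrong side of "however"; since the paragraph is rewrapped here, move it to "could be verified by the backend, however many backends just won't support it" (or start a new sentence at "However,").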

@ -12,6 +12,24 @@ weight: 220
toc: true
---
## Miscellaneous
- [Docker](../../integration/deployment/docker.md#frequently-asked-questions)
- [Development](../../contributing/development/environment.md#frequently-asked-questions)
## Authentication
- [WebAuthn](../../overview/authentication/security-key/index.md#frequently-asked-questions)
- [Duo](../../overview/authentication/push-notification/index.md#frequently-asked-questions)
## Proxies
- [Traefik](../../integration/proxies/traefik.md#frequently-asked-questions)
## Kubernetes
- [General](../../integration/kubernetes/introduction.md#frequently-asked-questions)
## Identity Providers
- [OpenID Connect 1.0 Integration](../../integration/openid-connect/frequently-asked-questions.md)

@ -14,8 +14,8 @@ aliases:
- /r/dashboard
---
This feature has several major impacts on other roadmap items. For example several OpenID Connect features would greatly
benefit from a dashboard. It would also be important when we implement WebAuthn features like passwordless
This feature has several major impacts on other roadmap items. For example several OpenID Connect 1.0 features would
greatly benefit from a dashboard. It would also be important when we implement WebAuthn features like passwordless
authentication allowing users to intentionally register a passwordless credential.
## Stages

@ -1,7 +1,7 @@
---
title: "OpenID Connect"
description: "Authelia OpenID Connect Implementation"
lead: "The OpenID Connect Provider role is a very useful but complex feature to enhance interoperability of Authelia with other products. "
title: "OpenID Connect 1.0"
description: "Authelia OpenID Connect 1.0 Provider Implementation"
lead: "The OpenID Connect 1.0 Provider role is a very useful but complex feature to enhance interoperability of Authelia with other products. "
date: 2022-06-15T17:51:47+10:00
draft: false
images: []
@ -15,14 +15,15 @@ aliases:
- /docs/roadmap/oidc.html
---
We have decided to implement [OpenID Connect] as a beta feature, it's suggested you only utilize it for testing and
providing feedback, and should take caution in relying on it in production as of now. [OpenID Connect] and it's related
endpoints are not enabled by default unless you specifically configure the [OpenID Connect] section.
We have decided to implement [OpenID Connect 1.0] as a beta feature, it's suggested you only utilize it for testing and
providing feedback, and should take caution in relying on it in production as of now. [OpenID Connect 1.0] and it's
related endpoints are not enabled by default unless you specifically configure the [OpenID Connect 1.0] section.
As [OpenID Connect] is fairly complex (the [OpenID Connect] Provider role especially so) it's intentional that it is
both a beta and that the implemented features are part of a thoughtful roadmap. Items that are not immediately obvious
as required (i.e. bug fixes or spec features), will likely be discussed in team meetings or on GitHub issues before
being added to the list. We want to implement this feature in a very thoughtful way in order to avoid security issues.
As [OpenID Connect 1.0] is fairly complex (the [OpenID Connect 1.0] Provider role especially so) it's intentional that
it is both a beta and that the implemented features are part of a thoughtful roadmap. Items that are not immediately
obvious as required (i.e. bug fixes or spec features), will likely be discussed in team meetings or on GitHub issues
before being added to the list. We want to implement this feature in a very thoughtful way in order to avoid security
issues.
## Stages
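Review bot: the rewritten line "[OpenID Connect 1.0] and it's related endpoints are not enabled by default" carries the pre-existing "it's" for the possessive; change it to "its related endpoints" while this paragraph is being rewrapped.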
@ -38,7 +39,7 @@ Feature List:
* [User Consent](https://openid.net/specs/openid-connect-core-1_0.html#Consent)
* [Authorization Code Flow](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowSteps)
* [OpenID Connect Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html)
* [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html)
* [RS256 Signature Strategy](https://datatracker.ietf.org/doc/html/rfc7518#section-3.1)
* Per Client Scope/Grant Type/Response Type Restriction
* Per Client Authorization Policy (1FA/2FA)
@ -64,7 +65,7 @@ Feature List:
Feature List:
* [Proof Key Code Exchange (PKCE)] for Authorization Code Flow
* [RFC7636: Proof Key for Code Exchange (PKCE)] for Authorization Code Flow
* Claims:
* `preferred_username` - sending the username in this claim instead of the `sub` claim.
@ -79,12 +80,12 @@ Feature List:
* Auditable Information
* Subject to User Mapping
* Opaque [RFC4122] UUID v4's for subject identifiers
* Support for Pairwise and Plain subject identifier types as per [OpenID Connect Core (Subject Identifier Types)]
* Utilize the pairwise example method 3 as per [OpenID Connect Core (Pairwise Identifier Algorithm)]
* Support for Pairwise and Plain subject identifier types as per [OpenID Connect Core 1.0 (Subject Identifier Types)]
* Utilize the pairwise example method 3 as per [OpenID Connect Core 1.0 (Pairwise Identifier Algorithm)]
* Claims:
* `sub` - replace username with opaque random [RFC4122] UUID v4
* `amr` - authentication method references as per [RFC8176]
* `azp` - authorized party as per [OpenID Connect Core (ID Token)]
* `azp` - authorized party as per [OpenID Connect Core 1.0 (ID Token)]
* `client_id` - the Client ID as per [RFC8693 Section 4.3]
* [Cross Origin Resource Sharing] (CORS):
* Automatically allow all cross-origin requests to the discovery endpoints
@ -106,7 +107,7 @@ Feature List:
* Implicit:
* Not expressly standards compliant
* Never asks for end-user consent
* Not compatible with the consent prompt type
* Not compatible with the `consent` prompt type
* Pre-Configured:
* Allows users to save consent sessions for a duration configured by the administrator
* Operates nearly identically to the explicit consent mode
@ -115,15 +116,15 @@ Feature List:
{{< roadmap-status stage="in-progress" version="v4.38.0" >}}
* [RFC9126: OAuth 2.0 Pushed Authorization Requests](https://datatracker.ietf.org/doc/html/rfc9126)
* [RFC7523: JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants](https://datatracker.ietf.org/doc/html/rfc7523):
* [RFC9126: OAuth 2.0 Pushed Authorization Requests]
* [RFC7523: JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants]:
* Client Auth Method `client_secret_jwt`
* Client Auth Method `private_key_jwt`
* Per-Client [Proof Key Code Exchange (PKCE)] Policy
* Per-Client [RFC7636: Proof Key for Code Exchange (PKCE)] Policy
* Multiple Issuer JWKs:
* RS256, RS384, RS512
* PS256, PS384, PS512
* ES256, ES384, ES512
* `RS256`, `RS384`, `RS512`
* `PS256`, `PS384`, `PS512`
* `ES256`, `ES384`, `ES512`
### Beta 7
@ -134,7 +135,7 @@ Feature List:
* Prompt Handling
* Display Handling
See [OpenID Connect Core (Mandatory to Implement Features for All OpenID Providers)].
See [OpenID Connect Core 1.0 (Mandatory to Implement Features for All OpenID Providers)].
### Beta 8
@ -144,6 +145,15 @@ Feature List:
* Revoke Tokens on User Logout or Expiration
* [JSON Web Key Rotation](https://openid.net/specs/openid-connect-messages-1_0-20.html#rotate.sig.keys)
* In-Storage Configuration:
* Multi-Issuer Configuration (require one per Issuer URL)
* Dynamically Configured via CLI
* Import from YAML:
* Manual method
* Bootstrap method:
* Defaults to one time only
* Can optionally override the database configuration
* Salt (random) and/or Peppered (storage encryption) Client Credentials
### General Availability
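Review bot: in the newly added In-Storage Configuration list, "(require one per Issuer URL)" should read "(requires one per Issuer URL)", and the final bullet "Salt (random) and/or Peppered (storage encryption) Client Credentials" mixes a noun with an adjective; "Salted (random salt) and/or Peppered (storage encryption) Client Credentials" reads consistently. The "Bootstrap method" sub-bullets would also benefit from one line saying which configuration wins when the override is enabled, since "Can optionally override the database configuration" is the only statement of precedence.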
@ -151,7 +161,7 @@ Feature List:
Feature List:
* Enable by Default
* ~~Enable by Default~~
* Only after all previous stages are checked for bugs
### Miscellaneous
@ -162,13 +172,13 @@ This stage lists features which individually do not fit into a specific stage an
{{< roadmap-status >}}
See the [OpenID Connect] website for the [OpenID Connect Dynamic Client Registration] specification.
See the [OpenID Connect 1.0] website for the [OpenID Connect Dynamic Client Registration 1.0] specification.
#### OpenID Connect Back-Channel Logout
{{< roadmap-status >}}
See the [OpenID Connect] website for the [OpenID Connect Back-Channel Logout] specification.
See the [OpenID Connect 1.0] website for the [OpenID Connect Back-Channel Logout 1.0] specification.
Should be implemented alongside [Dynamic Client Registration](#openid-connect-dynamic-client-registration).
@ -176,7 +186,7 @@ Should be implemented alongside [Dynamic Client Registration](#openid-connect-dy
{{< roadmap-status >}}
See the [OpenID Connect] website for the [OpenID Connect Front-Channel Logout] specification.
See the [OpenID Connect 1.0] website for the [OpenID Connect Front-Channel Logout 1.0] specification.
Should be implemented alongside [Dynamic Client Registration](#openid-connect-dynamic-client-registration).
@ -190,7 +200,7 @@ See the [IETF Specification RFC8414](https://datatracker.ietf.org/doc/html/rfc84
{{< roadmap-status >}}
See the [OpenID Connect] website for the [OpenID Connect Session Management] specification.
See the [OpenID Connect 1.0] website for the [OpenID Connect Session Management 1.0] specification.
#### End-User Scope Grants
@ -216,14 +226,17 @@ The `preferred_username` claim was missing and was fixed.
[RFC8693 Section 4.3]: https://datatracker.ietf.org/doc/html/rfc8693/#section-4.3
[RFC4122]: https://datatracker.ietf.org/doc/html/rfc4122
[OpenID Connect]: https://openid.net/connect/
[OpenID Connect Front-Channel Logout]: https://openid.net/specs/openid-connect-frontchannel-1_0.html
[OpenID Connect Back-Channel Logout]: https://openid.net/specs/openid-connect-backchannel-1_0.html
[OpenID Connect Session Management]: https://openid.net/specs/openid-connect-session-1_0.html
[OpenID Connect Dynamic Client Registration]: https://openid.net/specs/openid-connect-registration-1_0.html
[OpenID Connect 1.0]: https://openid.net/connect/
[OpenID Connect Front-Channel Logout 1.0]: https://openid.net/specs/openid-connect-frontchannel-1_0.html
[OpenID Connect Back-Channel Logout 1.0]: https://openid.net/specs/openid-connect-backchannel-1_0.html
[OpenID Connect Session Management 1.0]: https://openid.net/specs/openid-connect-session-1_0.html
[OpenID Connect Dynamic Client Registration 1.0]: https://openid.net/specs/openid-connect-registration-1_0.html
[OpenID Connect Core (ID Token)]: https://openid.net/specs/openid-connect-core-1_0.html#IDToken
[OpenID Connect Core (Subject Identifier Types)]: https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
[OpenID Connect Core (Pairwise Identifier Algorithm)]: https://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg
[OpenID Connect Core (Mandatory to Implement Features for All OpenID Providers)]: https://openid.net/specs/openid-connect-core-1_0.html#ServerMTI
[Proof Key Code Exchange (PKCE)]: https://datatracker.ietf.org/doc/html/rfc7636
[OpenID Connect Core 1.0 (ID Token)]: https://openid.net/specs/openid-connect-core-1_0.html#IDToken
[OpenID Connect Core 1.0 (Subject Identifier Types)]: https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
[OpenID Connect Core 1.0 (Pairwise Identifier Algorithm)]: https://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg
[OpenID Connect Core 1.0 (Mandatory to Implement Features for All OpenID Providers)]: https://openid.net/specs/openid-connect-core-1_0.html#ServerMTI
[RFC7636: Proof Key for Code Exchange (PKCE)]: https://datatracker.ietf.org/doc/html/rfc7636
[RFC7523: JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants]: https://datatracker.ietf.org/doc/html/rfc7523
[RFC9126: OAuth 2.0 Pushed Authorization Requests]: https://datatracker.ietf.org/doc/html/rfc9126

@ -25,7 +25,7 @@ be glad to share ideas and plans with you.
This is a summary of the features which are currently on the roadmap with links to further details:
1. [WebAuthn](../active/webauthn.md)
2. [OpenID Connect Provider](../active/openid-connect.md)
2. [OpenID Connect 1.0 Provider](../active/openid-connect.md)
3. [Internationalization or Multilingual Support](../active/internationalization.md)
4. [Multiple Domain Protection](../active/multi-domain-protection.md)
5. [Control Panel / Dashboard for User / Administration Settings](../active/dashboard-control-panel.md)

@ -244,8 +244,8 @@ func (s *Store) GetPKCERequestSession(ctx context.Context, signature string, ses
return s.loadRequesterBySignature(ctx, storage.OAuth2SessionTypePKCEChallenge, signature, session)
}
// CreateOpenIDConnectSession creates an open id connect session for a given authorize code.
// This is relevant for explicit open id connect flow.
// CreateOpenIDConnectSession creates an OpenID Connect 1.0 connect session for a given authorize code.
// This is relevant for explicit OpenID Connect 1.0 flow.
// This implements a portion of openid.OpenIDConnectRequestStorage.
func (s *Store) CreateOpenIDConnectSession(ctx context.Context, authorizeCode string, request fosite.Requester) (err error) {
return s.saveSession(ctx, storage.OAuth2SessionTypeOpenIDConnect, authorizeCode, request)
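Review bot: the rewritten doc comment reads "creates an OpenID Connect 1.0 connect session", which duplicates "connect"; change it to "creates an OpenID Connect 1.0 session for a given authorize code." The second line, "This is relevant for explicit OpenID Connect 1.0 flow", is also missing an article: "for the explicit OpenID Connect 1.0 flow".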