docs/content/roadmap/active/openid-connect-1.0-provider.md
We have decided to implement OAuth 2.0 and OpenID Connect 1.0 as a beta feature. While it's relatively stable there may inevitably be the occasional breaking change as we carefully implement each aspect of the relevant specifications. It's suggested to use a bit more caution with this feature than most features, we do however greatly appreciate your feedback. OpenID Connect 1.0 and it's related endpoints are not enabled by default unless you explicitly configure the OpenID Connect 1.0 Provider Configuration and OpenID Connect 1.0 Registered Clients sections.
As OpenID Connect 1.0 is fairly complex (the OpenID Connect 1.0 Provider role especially so) it's intentional that it is both a beta and that the implemented features are part of a thoughtful roadmap. Items that are not immediately obvious as required (i.e. bug fixes or spec features), will likely be discussed in team meetings or on GitHub issues before being added to the list. We want to implement this feature in a very thoughtful way in order to avoid security issues.
Authelia is OpenID Certified™ to conform to the OpenID Connect™ protocol.
{{< figure src="/images/oid-certification.jpg" class="center" sizes="100px" >}}
For more information read the Integration Documentation.
This section represents the stages involved in implementation of this feature. The stages are either in order of implementation due to there being an underlying requirement to implement them in this order, or in a rough order due to how important or difficult to implement they are.
{{< roadmap-status stage="complete" version="v4.29.0" >}}
Feature List:
{{< roadmap-status stage="complete" version="v4.30.0" >}}
Feature List:
{{< roadmap-status stage="complete" version="v4.34.0" >}}
Feature List:
preferred_username - sending the username in this claim instead of the sub claim.{{< roadmap-status stage="complete" version="v4.35.0" >}}
Feature List:
sub - replace username with opaque random RFC4122 UUID v4amr - authentication method references as per RFC8176azp - authorized party as per OpenID Connect Core 1.0 (ID Token)client_id - the Client ID as per RFC8693 Section 4.3{{< roadmap-status stage="complete" version="v4.37.0" >}}
Feature List:
consent prompt type{{< roadmap-status stage="complete" version="v4.38.0" >}}
client_secret_jwtprivate_key_jwtRS256, RS384, RS512PS256, PS384, PS512ES256, ES384, ES512{{< roadmap-status stage="complete" version="v4.39.0" >}}
{{< callout context="danger" title="Important Notes" icon="outline/alert-octagon" >}} This version will contain one or more breaking changes per our Versioning Policy. {{< /callout >}}
Breaking Changes:
Feature List:
See OpenID Connect Core 1.0 (Mandatory to Implement Features for All OpenID Providers).
{{< roadmap-status stage="in-progress" version="v4.40.0" >}}
{{< callout context="danger" title="Important Notes" icon="outline/alert-octagon" >}} This version will contain one or more breaking changes per our Versioning Policy. {{< /callout >}}
Breaking Changes:
Feature List:
Potential Feature List:
{{< roadmap-status >}}
Feature List:
Potential Feature List:
{{< roadmap-status >}}
This stage will signify official stability guarantees surrounding this implemented feature.
This stage lists features which individually do not fit into a specific stage and may or may not be implemented.
{{< callout context="danger" title="Important Notes" icon="outline/alert-octagon" >}} This will be a planned breaking-change as per our Versioning Policy. {{< /callout >}}
The initial design of our OpenID Connect 1.0 implementation was before Multi-Domain Protection was considered. It's important for the future of Authelia that we carefully consider the implications of this and force users to configure a issuer per domain they wish to serve OpenID Connect 1.0 from and each of these are completely separate logical units.
{{< roadmap-status stage="complete" version="v4.34.0" >}}
For more information see the RFC8414: OAuth 2.0 Authorization Server Metadata specification.
{{< roadmap-status >}}
For more information see the RFC8693: OAuth 2.0 Token Exchange specification.
{{< roadmap-status >}}
For more information see the OAuth 2.0 website for the RFC7591: OAuth 2.0 Dynamic Client Registration Protocol specification; and see both OAuth 2.0 Client Registration Management Protocol and OpenID Connect Dynamic Client Registration 1.0.
See also Beta 8.
{{< roadmap-status >}}
For more information see the OAuth 2.0 website for the RFC7592: OAuth 2.0 Dynamic Client Registration Management Protocol specification; and see both OAuth 2.0 Client Registration Protocol and OpenID Connect Dynamic Client Registration 1.0.
See also Beta 8.
{{< roadmap-status >}}
For more information see the OpenID Connect 1.0 website for the OpenID Connect Dynamic Client Registration 1.0 specification; and see both OAuth 2.0 Client Registration Protocol and OAuth 2.0 Client Registration Management Protocol.
See also Beta 8.
{{< roadmap-status >}}
For more information see the OpenID Connect 1.0 website for the OpenID Connect Session Management 1.0 specification.
See also Beta 9.
{{< roadmap-status >}}
For more information see the OpenID Connect 1.0 website for the OpenID Connect Back-Channel Logout 1.0 specification.
Should be implemented at a similar time to Dynamic Client Registration.
See also Beta 9.
{{< roadmap-status >}}
For more information see the OpenID Connect 1.0 website for the OpenID Connect Front-Channel Logout 1.0 specification.
Should be implemented at the same time, or just after OpenID Connect Dynamic Client Registration 1.0.
See also Beta 9.
{{< roadmap-status >}}
See the OpenID Connect 1.0 website for the OpenID Connect RP-Initiated Logout 1.0 specification.
See also Beta 9.
{{< roadmap-status >}}
See the OpenID Connect 1.0 website for the OpenID Connect Client-Initiated Backchannel Authentication Flow 1.0 (CIBA) specification.
See also Beta 9.
{{< roadmap-status stage="in-progress" >}}
This profile is a suite of security focused features and settings which comply with several financial requirements in various jurisdictions. While we're not expressly targeting these financial institutions the security profile itself has many security-enhancing measures which everyone can benefit from.
See the OpenID Connect 1.0 website for the FAPI 2.0 Security Profile specification, and the FAPI 2.0 Attacker Model.
{{< roadmap-status >}}
Allow users to choose which scopes they grant. It may be better to just allow optional claims and to avoid implementing this feature all together.
{{< roadmap-status stage="complete" version="v4.38.0" >}}
See also Beta 6 and Client RBAC: Networks.
Allow the creation of custom authorization policies for OpenID Connect 1.0. Allow the policies to contain either users
or groups and an effective authorization policy applied to them from either one_factor, two_factor, or deny.
Allow these policies to be configured on one or more clients.
{{< roadmap-status stage="complete" version="v4.39.0" >}}
See also Beta 7 and Client RBAC: Users and Groups.
Allow enhancing the existing custom authorization policies to include networks.
{{< roadmap-status stage="complete" version="v4.33.2" >}}
The preferred_username claim was missing and was fixed.