ContextQMD
Back to Authelia

Oidc Common

docs/layouts/_shortcodes/oidc-common.html

4.39.195.1 KB
Original Source

{{ $faq := "../frequently-asked-questions/" }}{{ $config := "../../../../configuration/identity-providers/openid-connect" }} {{- with .Get "faq" }}{{ $faq = . }}{{ end }} {{- with .Get "config" }}{{ $config = . }}{{ end }} ## Before You Begin

Important Reading

This section contains important elements that you should carefully consider before configuration of an OpenID Connect 1.0 Registered Client.

{{- with .Get "bugs" }} {{- $bugs := split . "," }} ### Known Bugs

Client Has Known Significant Bugs

Unfortunately at the time this guide was last modified (noted at the bottom of the guide) this third-party application has bugs which are significant and indicate either a fairly low level of support for OpenID Connect 1.0 or no effective support at all. This guide may have workarounds to adapt to this but this is done solely on a best effort basis. The developers of the application should be encouraged to fix these bugs.

{{- if in $bugs "claims-hydration" }}

Claims Hydration: this client outright does not support OpenID Connect 1.0 as it does not honor the expected process to retrieve the claims it needs to access. The workaround is documented in Configuration Escape Hatch.

{{- end }} {{- if in $bugs "client-credentials-encoding" }}

Client Credentials Encoding: this client does not properly encode the client credentials before using them for authentication as per RFC6749 Appendix B. It is required that the Client ID and Client Secret are both URL Escaped before being used for both the client_secret_post and client_secret_basic authentication mechanisms. Avoiding special characters in both the Client ID and Client Secret or URL Escaping them before adding them to the clients configuration are the only workarounds. Authelia's random password generator will automatically output both a normal version and a pre-encoded version which you could utilize.

{{- end }} {{- if in $bugs "claim-binding" }}

Claim Binding: this client outright does not support OpenID Connect 1.0 as it does not bind the identity provider identity (the sub and iss claims which are guaranteed not to change) to local accounts, instead it uses claims like email and preferred_username which is a vulnerability that could result in a simple privilege escalation. The developer has been made aware of this vulnerability but has decided not to fix it. See Connect 1.0 Section 5.7 Claim Stability and Uniqueness for more information.

{{- end }}

{{- end }} ### Common Notes 1. The OpenID Connect 1.0 client_id parameter: 1. This *__must__* be a unique value for every client. 2. The value used in this guide is merely for readability and demonstration purposes and you *__should not__* use this value in production and should instead utilize the [How do I generate a client identifier or client secret?]({{ $faq }}#how-do-i-generate-a-client-identifier-or-client-secret) FAQ. We recommend 64 random characters but you can use any arbitrary value that meets the other criteria. 3. This *__must__* only contain RFC3986 Unreserved Characters. 4. This *__must__* be no more than 100 characters in length. 2. The OpenID Connect 1.0 client_secret parameter: 1. The value used in this guide is merely for demonstration purposes and you *__should absolutely not__* use this value in production and should instead utilize the [How do I generate a client identifier or client secret?]({{ $faq }}#how-do-i-generate-a-client-identifier-or-client-secret) FAQ. 2. This string may be stored as plaintext in the Authelia configuration but this behavior is deprecated and is not guaranteed to be supported in the future. See the [Plaintext]({{ $faq }}#plaintext) guide for more information. 3. When the secret is stored in hashed form in the Authelia configuration (*__heavily recommended__*), the cost of hashing can, if too great, cause timeouts for clients. See the [Tuning the work factors]({{ $faq }}#tuning-work-factors) guide for more information. 3. The configuration example for Authelia: 1. Only contains an example configuration for the client registration and you *__MUST__* also configure the required elements from the [OpenID Connect 1.0 Provider Configuration]({{ printf "%s/provider/" $config }}) guide. 2. Only contains a small portion of all of the available options for a registered client and users may wish to configure portions that are not part of this guide or configure them differently, as such it's important to both familiarize yourself with the other options available and the effect of each of the options configured in this section by looking at the [OpenID Connect 1.0 Clients Configuration]({{ printf "%s/clients/" $config }}) guide.