Fork me on GitHub Link Search Menu Expand Document Survey contribution
Help the team improve Authelia by taking this 10-second survey.

We have decided to implement OpenID Connect as a beta feature, it’s suggested you only utilize it for testing and providing feedback, and should take caution in relying on it in production as of now. OpenID Connect and it’s related endpoints are not enabled by default unless you specifically configure the OpenID Connect section.

As OpenID Connect is fairly complex (the OpenID Connect Provider role especially so) it’s intentional that it is both a beta and that the implemented features are part of a thoughtful roadmap. Items that are not immediately obvious as required (i.e. bug fixes or spec features), will likely be discussed in team meetings or on GitHub issues before being added to the list. We want to implement this feature in a very thoughtful way in order to avoid security issues.

The beta will be broken up into stages. Each stage will bring additional features. The following table is a rough plan for which stage will have each feature, and may evolve over time:

Stage Feature Description
beta1 (4.29.0) User Consent
Authorization Code Flow
OpenID Connect Discovery
RS256 Signature Strategy
Per Client Scope/Grant Type/Response Type Restriction
Per Client Authorization Policy (1FA/2FA)
Per Client List of Valid Redirection URI's
Confidential Client Type
beta2 (4.30.0) Userinfo Endpoint (missed in beta1)
Parameter Entropy Configuration
Token/Code Lifespan Configuration
Client Debug Messages
Client Audience
Public Client Type
beta3 (4.34.0) Proof Key for Code Exchange (PKCE) for Authorization Code Flow
beta5 (4.35.0) Token Storage
Audit Storage
Subject Storage
Pairwise Subject Identifier Type
Per-Client Consent Pre-Configuration
Cross-Origin Resource Sharing Configuration
Authentication Methods References Claim
Opaque Subject Identifiers (UUID V4) for sub Claim
beta5 1 Prompt Handling
Display Handling
beta6 1 Back-Channel Logout
Deny Refresh on Session Expiration
Signing Key Rotation Policy
Client Secrets Hashed in Configuration
GA 1 General Availability after previous stages are vetted for bug fixes
misc List of other features that may be implemented
Front-Channel Logout 2
OAuth 2.0 Authorization Server Metadata 2
OpenID Connect Session Management 2
End-User Scope Grants 2
Client RBAC 2
Add preferred_username claim (4.33.2)

¹ This stage has not been implemented as of yet.

² This individual feature has not been implemented as of yet.