OpenID Connect 1.0

The OpenID Connect 1.0 Provider role is a very useful but complex feature to enhance interoperability of Authelia with other products.

We have decided to implement OpenID Connect 1.0 as a beta feature, it’s suggested you only utilize it for testing and providing feedback, and should take caution in relying on it in production as of now. OpenID Connect 1.0 and it’s related endpoints are not enabled by default unless you specifically configure the OpenID Connect 1.0 section.

As OpenID Connect 1.0 is fairly complex (the OpenID Connect 1.0 Provider role especially so) it’s intentional that it is both a beta and that the implemented features are part of a thoughtful roadmap. Items that are not immediately obvious as required (i.e. bug fixes or spec features), will likely be discussed in team meetings or on GitHub issues before being added to the list. We want to implement this feature in a very thoughtful way in order to avoid security issues.

Stages

This section represents the stages involved in implementation of this feature. The stages are either in order of implementation due to there being an underlying requirement to implement them in this order, or in a rough order due to how important or difficult to implement they are.

Beta 1

complete v4.29.0

Feature List:

Beta 2

complete v4.30.0

Feature List:

Beta 3

complete v4.34.0

Feature List:

Beta 4

complete v4.35.0

Feature List:

Beta 5

complete v4.37.0

Feature List:

  • JWK’s backed by X509 Certificate Chains
  • Hashed Client Secrets
  • Per-Client Consent Mode:
    • Explicit:
      • The default
      • Always asks for end-user consent
    • Implicit:
      • Not expressly standards compliant
      • Never asks for end-user consent
      • Not compatible with the consent prompt type
    • Pre-Configured:
      • Allows users to save consent sessions for a duration configured by the administrator
      • Operates nearly identically to the explicit consent mode

Beta 6

in progress v4.38.0

Beta 7

not started

Feature List:

  • Prompt Handling
  • Display Handling

See OpenID Connect Core 1.0 (Mandatory to Implement Features for All OpenID Providers).

Beta 8

not started

Feature List:

  • Revoke Tokens on User Logout or Expiration
  • JSON Web Key Rotation
  • In-Storage Configuration:
    • Multi-Issuer Configuration (require one per Issuer URL)
    • Dynamically Configured via CLI
    • Import from YAML:
      • Manual method
      • Bootstrap method:
        • Defaults to one time only
        • Can optionally override the database configuration
    • Salt (random) and/or Peppered (storage encryption) Client Credentials

General Availability

not started

Feature List:

  • Enable by Default
  • Only after all previous stages are checked for bugs

Miscellaneous

This stage lists features which individually do not fit into a specific stage and may or may not be implemented.

OAuth 2.0 Authorization Server Metadata

complete v4.34.0

See the RFC8414: OAuth 2.0 Authorization Server Metadata specification for more information.

OpenID Connect Dynamic Client Registration 1.0

not started

See the OpenID Connect 1.0 website for the OpenID Connect Dynamic Client Registration 1.0 specification.

OpenID Connect Session Management 1.0

not started

See the OpenID Connect 1.0 website for the OpenID Connect Session Management 1.0 specification.

OpenID Connect Back-Channel Logout 1.0

not started

See the OpenID Connect 1.0 website for the OpenID Connect Back-Channel Logout 1.0 specification.

Should be implemented alongside Dynamic Client Registration.

OpenID Connect Front-Channel Logout 1.0

not started

See the OpenID Connect 1.0 website for the OpenID Connect Front-Channel Logout 1.0 specification.

Should be implemented alongside Dynamic Client Registration.

OpenID Connect RP-Initiated Logout 1.0

not started

See the OpenID Connect 1.0 website for the OpenID Connect RP-Initiated Logout 1.0 specification.

End-User Scope Grants

not started

Allow users to choose which scopes they grant.

Client RBAC

in progress v4.38.0

Allow clients to be configured with a list of users and groups who have access to them. See Beta 6.

Preferred Username Claim

complete v4.33.2

The preferred_username claim was missing and was fixed.