docs: move oidc roadmap (#2933)

This commit is contained in:
James Elliott 2022-03-01 16:00:27 +11:00 committed by GitHub
parent b7ddcb1d29
commit 1eef78ff7b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 148 additions and 138 deletions

View File

@ -16,132 +16,7 @@ social media or development platforms for login.
The Relying Party role is the role which allows an application to use GitHub, Google, or other [OpenID Connect]
providers for authentication and authorization. We do not intend to support this functionality at this moment in time.
## Roadmap
We have decided to implement [OpenID Connect] as a beta feature, it's suggested you only utilize it for testing and
providing feedback, and should take caution in relying on it in production as of now. [OpenID Connect] and it's related
endpoints are not enabled by default unless you specifically configure the [OpenID Connect] section.
As [OpenID Connect] is fairly complex (the [OpenID Connect] Provider role especially so) it's intentional that it is
both a beta and that the implemented features are part of a thoughtful roadmap. Items that are not immediately obvious
as required (i.e. bug fixes or spec features), will likely be discussed in team meetings or on GitHub issues before being
added to the list. We want to implement this feature in a very thoughtful way in order to avoid security issues.
The beta will be broken up into stages. Each stage will bring additional features. The following table is a *rough* plan
for which stage will have each feature, and may evolve over time:
<table>
<thead>
<tr>
<th class="tbl-header">Stage</th>
<th class="tbl-header">Feature Description</th>
</tr>
</thead>
<tbody>
<tr>
<td rowspan="8" class="tbl-header tbl-beta-stage">beta1 (4.29.0)</td>
<td><a href="https://openid.net/specs/openid-connect-core-1_0.html#Consent" target="_blank" rel="noopener noreferrer">User Consent</a></td>
</tr>
<tr>
<td><a href="https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowSteps" target="_blank" rel="noopener noreferrer">Authorization Code Flow</a></td>
</tr>
<tr>
<td><a href="https://openid.net/specs/openid-connect-discovery-1_0.html" target="_blank" rel="noopener noreferrer">OpenID Connect Discovery</a></td>
</tr>
<tr>
<td>RS256 Signature Strategy</td>
</tr>
<tr>
<td>Per Client Scope/Grant Type/Response Type Restriction</td>
</tr>
<tr>
<td>Per Client Authorization Policy (1FA/2FA)</td>
</tr>
<tr>
<td class="tbl-beta-stage">Per Client List of Valid Redirection URI's</td>
</tr>
<tr>
<td class="tbl-beta-stage"><a href="https://datatracker.ietf.org/doc/html/rfc6749#section-2.1" target="_blank" rel="noopener noreferrer">Confidential Client Type</a></td>
</tr>
<tr>
<td rowspan="6" class="tbl-header tbl-beta-stage">beta2 (4.30.0)</td>
<td class="tbl-beta-stage"><a href="https://openid.net/specs/openid-connect-core-1_0.html#UserInfo" target="_blank" rel="noopener noreferrer">Userinfo Endpoint</a> (missed in beta1)</td>
</tr>
<tr>
<td class="tbl-beta-stage">Parameter Entropy Configuration</td>
</tr>
<tr>
<td class="tbl-beta-stage">Token/Code Lifespan Configuration</td>
</tr>
<tr>
<td class="tbl-beta-stage">Client Debug Messages</td>
</tr>
<tr>
<td class="tbl-beta-stage">Client Audience</td>
</tr>
<tr>
<td class="tbl-beta-stage"><a href="https://datatracker.ietf.org/doc/html/rfc6749#section-2.1" target="_blank" rel="noopener noreferrer">Public Client Type</a></td>
</tr>
<tr>
<td rowspan="2" class="tbl-header tbl-beta-stage">beta3 <sup>1</sup></td>
<td>Token Storage</td>
</tr>
<tr>
<td class="tbl-beta-stage">Audit Storage</td>
</tr>
<tr>
<td rowspan="2" class="tbl-header tbl-beta-stage">beta4 <sup>1</sup></td>
<td class="tbl-beta-stage">Prompt Handling</td>
</tr>
<tr>
<td class="tbl-beta-stage">Display Handling</td>
</tr>
<tr>
<td rowspan="4" class="tbl-header tbl-beta-stage">beta5 <sup>1</sup></td>
<td><a href="https://openid.net/specs/openid-connect-backchannel-1_0.html" target="_blank" rel="noopener noreferrer">Back-Channel Logout</a></td>
</tr>
<tr>
<td>Deny Refresh on Session Expiration</td>
</tr>
<tr>
<td><a href="https://openid.net/specs/openid-connect-messages-1_0-20.html#rotate.sig.keys" target="_blank" rel="noopener noreferrer">Signing Key Rotation Policy</a></td>
</tr>
<tr>
<td class="tbl-beta-stage">Client Secrets Hashed in Configuration</td>
</tr>
<tr>
<td class="tbl-header tbl-beta-stage">GA <sup>1</sup></td>
<td class="tbl-beta-stage">General Availability after previous stages are vetted for bug fixes</td>
</tr>
<tr>
<td rowspan="7" class="tbl-header">misc</td>
<td>List of other features that may be implemented</td>
</tr>
<tr>
<td class="tbl-beta-stage"><a href="https://openid.net/specs/openid-connect-frontchannel-1_0.html" target="_blank" rel="noopener noreferrer">Front-Channel Logout</a> <sup>2</sup></td>
</tr>
<tr>
<td class="tbl-beta-stage"><a href="https://datatracker.ietf.org/doc/html/rfc8414" target="_blank" rel="noopener noreferrer">OAuth 2.0 Authorization Server Metadata</a> <sup>2</sup></td>
</tr>
<tr>
<td class="tbl-beta-stage"><a href="https://openid.net/specs/openid-connect-session-1_0-17.html" target="_blank" rel="noopener noreferrer">OpenID Connect Session Management</a> <sup>2</sup></td>
</tr>
<tr>
<td class="tbl-beta-stage">End-User Scope Grants <sup>2</sup></td>
</tr>
<tr>
<td class="tbl-beta-stage">Client RBAC <sup>2</sup></td>
</tr>
<tr>
<td class="tbl-beta-stage">Preferred Username Claim (implemented in 4.33.2)</td>
</tr>
</tbody>
</table>
¹ _This stage has not been implemented as of yet_.
² _This individual feature has not been implemented as of yet_.
More information about the beta can be found in the [roadmap](../../roadmap/oidc.md).
## Configuration

View File

@ -2,15 +2,14 @@
layout: default
title: Roadmap
nav_order: 9
has_children: true
---
# Roadmap
Currently the team consists of 3 globally distributed developers working actively on improving Authelia in our spare time and we define
our priorities based on a roadmap that we share here for transparency. We also try to balance features and improvements as much as possible with
the maintenance tasks we have to perform to keep the backlog of open issues in a reasonable state.
If you're willing to contribute and help us move forward faster, get in touch with us on Matrix. We'll be glad to share
ideas and plans with you.
The Authelia team consists of 3 globally distributed developers working actively on improving Authelia in our spare time
and we define our priorities based on a roadmap that we share here for transparency. We also try to balance features and
improvements as much as possible with the maintenance tasks we have to perform to keep the backlog of open issues in a
reasonable state. If you're willing to contribute and help us move forward faster, get in touch with us on Matrix. We'll
be glad to share ideas and plans with you.
Below are the prioritised roadmap items:
@ -22,10 +21,8 @@ priority because currently the only way to pass authentication information back
use of HTTP headers as described
[here](https://www.authelia.com/docs/deployment/supported-proxies/#how-can-the-backend-be-aware-of-the-authenticated-users)
however, many apps either do not support this method or are starting to move away from this in favour of OpenID Connect or OAuth2
internally or via plugins.
**[In Preview](./configuration/identity-providers/oidc.md)** *this roadmap item is in preview status since information
is not yet persisted in the database. More information can be found in the docs*.
internally or via plugins. **[In Preview](./oidc.md)** *this roadmap item is in preview status since information is not
yet persisted in the database. More information can be found [here](./oidc.md) in the docs*.
3. [Multilingual full support](https://github.com/authelia/authelia/issues/625). Support as been added but we heed to study multiple providers like Crowdin or Weblate
to help us translate in more languages and make Authelia available to even more people around the world!
@ -41,7 +38,7 @@ kill sessions to reduce security risk due to compromised accounts and many other
items for implementing the features but there is preparatory work to be done on the permissions (likely role-based) we want to
implement.
7. [Facilitate setup on Kubernetes](https://github.com/authelia/authelia/issues/575). There are mainly two objectives
6. [Facilitate setup on Kubernetes](https://github.com/authelia/authelia/issues/575). There are mainly two objectives
here. First, we need to provide the documentation required to setup Authelia on Kubernetes. Even though, some users
already have it working and the feature is even tested in the project, there is a clear lack of documentation. The
second item is to provide a Helm chart to streamline the setup on Kubernetes.

138
docs/roadmap/oidc.md Normal file
View File

@ -0,0 +1,138 @@
---
layout: default
title: OpenID Connect
parent: Roadmap
nav_order: 1
---
We have decided to implement [OpenID Connect] as a beta feature, it's suggested you only utilize it for testing and
providing feedback, and should take caution in relying on it in production as of now. [OpenID Connect] and it's related
endpoints are not enabled by default unless you specifically configure the [OpenID Connect] section.
As [OpenID Connect] is fairly complex (the [OpenID Connect] Provider role especially so) it's intentional that it is
both a beta and that the implemented features are part of a thoughtful roadmap. Items that are not immediately obvious
as required (i.e. bug fixes or spec features), will likely be discussed in team meetings or on GitHub issues before being
added to the list. We want to implement this feature in a very thoughtful way in order to avoid security issues.
The beta will be broken up into stages. Each stage will bring additional features. The following table is a *rough* plan
for which stage will have each feature, and may evolve over time:
<table>
<thead>
<tr>
<th class="tbl-header">Stage</th>
<th class="tbl-header">Feature Description</th>
</tr>
</thead>
<tbody>
<tr>
<td rowspan="8" class="tbl-header tbl-beta-stage">beta1 (4.29.0)</td>
<td><a href="https://openid.net/specs/openid-connect-core-1_0.html#Consent" target="_blank" rel="noopener noreferrer">User Consent</a></td>
</tr>
<tr>
<td><a href="https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowSteps" target="_blank" rel="noopener noreferrer">Authorization Code Flow</a></td>
</tr>
<tr>
<td><a href="https://openid.net/specs/openid-connect-discovery-1_0.html" target="_blank" rel="noopener noreferrer">OpenID Connect Discovery</a></td>
</tr>
<tr>
<td>RS256 Signature Strategy</td>
</tr>
<tr>
<td>Per Client Scope/Grant Type/Response Type Restriction</td>
</tr>
<tr>
<td>Per Client Authorization Policy (1FA/2FA)</td>
</tr>
<tr>
<td class="tbl-beta-stage">Per Client List of Valid Redirection URI's</td>
</tr>
<tr>
<td class="tbl-beta-stage"><a href="https://datatracker.ietf.org/doc/html/rfc6749#section-2.1" target="_blank" rel="noopener noreferrer">Confidential Client Type</a></td>
</tr>
<tr>
<td rowspan="6" class="tbl-header tbl-beta-stage">beta2 (4.30.0)</td>
<td class="tbl-beta-stage"><a href="https://openid.net/specs/openid-connect-core-1_0.html#UserInfo" target="_blank" rel="noopener noreferrer">Userinfo Endpoint</a> (missed in beta1)</td>
</tr>
<tr>
<td class="tbl-beta-stage">Parameter Entropy Configuration</td>
</tr>
<tr>
<td class="tbl-beta-stage">Token/Code Lifespan Configuration</td>
</tr>
<tr>
<td class="tbl-beta-stage">Client Debug Messages</td>
</tr>
<tr>
<td class="tbl-beta-stage">Client Audience</td>
</tr>
<tr>
<td class="tbl-beta-stage"><a href="https://datatracker.ietf.org/doc/html/rfc6749#section-2.1" target="_blank" rel="noopener noreferrer">Public Client Type</a></td>
</tr>
<tr>
<td rowspan="1" class="tbl-header tbl-beta-stage">beta3 (4.34.0)</td>
<td>Proof Key for Code Exchange (PKCE) for Authorization Code Flow</td>
</tr>
<tr>
<td rowspan="2" class="tbl-header tbl-beta-stage">beta4 <sup>1</sup></td>
<td>Token Storage</td>
</tr>
<tr>
<td class="tbl-beta-stage">Audit Storage</td>
</tr>
<tr>
<td rowspan="2" class="tbl-header tbl-beta-stage">beta5 <sup>1</sup></td>
<td class="tbl-beta-stage">Prompt Handling</td>
</tr>
<tr>
<td class="tbl-beta-stage">Display Handling</td>
</tr>
<tr>
<td rowspan="5" class="tbl-header tbl-beta-stage">beta6 <sup>1</sup></td>
<td><a href="https://openid.net/specs/openid-connect-backchannel-1_0.html" target="_blank" rel="noopener noreferrer">Back-Channel Logout</a></td>
</tr>
<tr>
<td>Deny Refresh on Session Expiration</td>
</tr>
<tr>
<td><a href="https://openid.net/specs/openid-connect-messages-1_0-20.html#rotate.sig.keys" target="_blank" rel="noopener noreferrer">Signing Key Rotation Policy</a></td>
</tr>
<tr>
<td class="tbl-beta-stage">Client Secrets Hashed in Configuration</td>
</tr>
<tr>
<td class="tbl-beta-stage">UUID or Random String for <code>sub</code> claim</td>
</tr>
<tr>
<td class="tbl-header tbl-beta-stage">GA <sup>1</sup></td>
<td class="tbl-beta-stage">General Availability after previous stages are vetted for bug fixes</td>
</tr>
<tr>
<td rowspan="7" class="tbl-header">misc</td>
<td>List of other features that may be implemented</td>
</tr>
<tr>
<td class="tbl-beta-stage"><a href="https://openid.net/specs/openid-connect-frontchannel-1_0.html" target="_blank" rel="noopener noreferrer">Front-Channel Logout</a> <sup>2</sup></td>
</tr>
<tr>
<td class="tbl-beta-stage"><a href="https://datatracker.ietf.org/doc/html/rfc8414" target="_blank" rel="noopener noreferrer">OAuth 2.0 Authorization Server Metadata</a> <sup>2</sup></td>
</tr>
<tr>
<td class="tbl-beta-stage"><a href="https://openid.net/specs/openid-connect-session-1_0-17.html" target="_blank" rel="noopener noreferrer">OpenID Connect Session Management</a> <sup>2</sup></td>
</tr>
<tr>
<td class="tbl-beta-stage">End-User Scope Grants <sup>2</sup></td>
</tr>
<tr>
<td class="tbl-beta-stage">Client RBAC <sup>2</sup></td>
</tr>
<tr>
<td class="tbl-beta-stage">Add <code>preferred_username</code> claim (4.33.2)</td>
</tr>
</tbody>
</table>
¹ _This stage has not been implemented as of yet_.
² _This individual feature has not been implemented as of yet_.