mirror of
https://github.com/0rangebananaspy/authelia.git
synced 2024-09-14 22:47:21 +07:00
docs: move oidc roadmap (#2933)
This commit is contained in:
parent
b7ddcb1d29
commit
1eef78ff7b
|
@ -16,132 +16,7 @@ social media or development platforms for login.
|
|||
The Relying Party role is the role which allows an application to use GitHub, Google, or other [OpenID Connect]
|
||||
providers for authentication and authorization. We do not intend to support this functionality at this moment in time.
|
||||
|
||||
## Roadmap
|
||||
|
||||
We have decided to implement [OpenID Connect] as a beta feature, it's suggested you only utilize it for testing and
|
||||
providing feedback, and should take caution in relying on it in production as of now. [OpenID Connect] and it's related
|
||||
endpoints are not enabled by default unless you specifically configure the [OpenID Connect] section.
|
||||
|
||||
As [OpenID Connect] is fairly complex (the [OpenID Connect] Provider role especially so) it's intentional that it is
|
||||
both a beta and that the implemented features are part of a thoughtful roadmap. Items that are not immediately obvious
|
||||
as required (i.e. bug fixes or spec features), will likely be discussed in team meetings or on GitHub issues before being
|
||||
added to the list. We want to implement this feature in a very thoughtful way in order to avoid security issues.
|
||||
|
||||
The beta will be broken up into stages. Each stage will bring additional features. The following table is a *rough* plan
|
||||
for which stage will have each feature, and may evolve over time:
|
||||
|
||||
<table>
|
||||
<thead>
|
||||
<tr>
|
||||
<th class="tbl-header">Stage</th>
|
||||
<th class="tbl-header">Feature Description</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td rowspan="8" class="tbl-header tbl-beta-stage">beta1 (4.29.0)</td>
|
||||
<td><a href="https://openid.net/specs/openid-connect-core-1_0.html#Consent" target="_blank" rel="noopener noreferrer">User Consent</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><a href="https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowSteps" target="_blank" rel="noopener noreferrer">Authorization Code Flow</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><a href="https://openid.net/specs/openid-connect-discovery-1_0.html" target="_blank" rel="noopener noreferrer">OpenID Connect Discovery</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>RS256 Signature Strategy</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Per Client Scope/Grant Type/Response Type Restriction</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Per Client Authorization Policy (1FA/2FA)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tbl-beta-stage">Per Client List of Valid Redirection URI's</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tbl-beta-stage"><a href="https://datatracker.ietf.org/doc/html/rfc6749#section-2.1" target="_blank" rel="noopener noreferrer">Confidential Client Type</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td rowspan="6" class="tbl-header tbl-beta-stage">beta2 (4.30.0)</td>
|
||||
<td class="tbl-beta-stage"><a href="https://openid.net/specs/openid-connect-core-1_0.html#UserInfo" target="_blank" rel="noopener noreferrer">Userinfo Endpoint</a> (missed in beta1)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tbl-beta-stage">Parameter Entropy Configuration</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tbl-beta-stage">Token/Code Lifespan Configuration</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tbl-beta-stage">Client Debug Messages</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tbl-beta-stage">Client Audience</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tbl-beta-stage"><a href="https://datatracker.ietf.org/doc/html/rfc6749#section-2.1" target="_blank" rel="noopener noreferrer">Public Client Type</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td rowspan="2" class="tbl-header tbl-beta-stage">beta3 <sup>1</sup></td>
|
||||
<td>Token Storage</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tbl-beta-stage">Audit Storage</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td rowspan="2" class="tbl-header tbl-beta-stage">beta4 <sup>1</sup></td>
|
||||
<td class="tbl-beta-stage">Prompt Handling</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tbl-beta-stage">Display Handling</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td rowspan="4" class="tbl-header tbl-beta-stage">beta5 <sup>1</sup></td>
|
||||
<td><a href="https://openid.net/specs/openid-connect-backchannel-1_0.html" target="_blank" rel="noopener noreferrer">Back-Channel Logout</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Deny Refresh on Session Expiration</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><a href="https://openid.net/specs/openid-connect-messages-1_0-20.html#rotate.sig.keys" target="_blank" rel="noopener noreferrer">Signing Key Rotation Policy</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tbl-beta-stage">Client Secrets Hashed in Configuration</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tbl-header tbl-beta-stage">GA <sup>1</sup></td>
|
||||
<td class="tbl-beta-stage">General Availability after previous stages are vetted for bug fixes</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td rowspan="7" class="tbl-header">misc</td>
|
||||
<td>List of other features that may be implemented</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tbl-beta-stage"><a href="https://openid.net/specs/openid-connect-frontchannel-1_0.html" target="_blank" rel="noopener noreferrer">Front-Channel Logout</a> <sup>2</sup></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tbl-beta-stage"><a href="https://datatracker.ietf.org/doc/html/rfc8414" target="_blank" rel="noopener noreferrer">OAuth 2.0 Authorization Server Metadata</a> <sup>2</sup></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tbl-beta-stage"><a href="https://openid.net/specs/openid-connect-session-1_0-17.html" target="_blank" rel="noopener noreferrer">OpenID Connect Session Management</a> <sup>2</sup></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tbl-beta-stage">End-User Scope Grants <sup>2</sup></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tbl-beta-stage">Client RBAC <sup>2</sup></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tbl-beta-stage">Preferred Username Claim (implemented in 4.33.2)</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
¹ _This stage has not been implemented as of yet_.
|
||||
|
||||
² _This individual feature has not been implemented as of yet_.
|
||||
|
||||
More information about the beta can be found in the [roadmap](../../roadmap/oidc.md).
|
||||
|
||||
## Configuration
|
||||
|
||||
|
|
|
@ -2,15 +2,14 @@
|
|||
layout: default
|
||||
title: Roadmap
|
||||
nav_order: 9
|
||||
has_children: true
|
||||
---
|
||||
|
||||
# Roadmap
|
||||
|
||||
Currently the team consists of 3 globally distributed developers working actively on improving Authelia in our spare time and we define
|
||||
our priorities based on a roadmap that we share here for transparency. We also try to balance features and improvements as much as possible with
|
||||
the maintenance tasks we have to perform to keep the backlog of open issues in a reasonable state.
|
||||
If you're willing to contribute and help us move forward faster, get in touch with us on Matrix. We'll be glad to share
|
||||
ideas and plans with you.
|
||||
The Authelia team consists of 3 globally distributed developers working actively on improving Authelia in our spare time
|
||||
and we define our priorities based on a roadmap that we share here for transparency. We also try to balance features and
|
||||
improvements as much as possible with the maintenance tasks we have to perform to keep the backlog of open issues in a
|
||||
reasonable state. If you're willing to contribute and help us move forward faster, get in touch with us on Matrix. We'll
|
||||
be glad to share ideas and plans with you.
|
||||
|
||||
Below are the prioritised roadmap items:
|
||||
|
||||
|
@ -22,10 +21,8 @@ priority because currently the only way to pass authentication information back
|
|||
use of HTTP headers as described
|
||||
[here](https://www.authelia.com/docs/deployment/supported-proxies/#how-can-the-backend-be-aware-of-the-authenticated-users)
|
||||
however, many apps either do not support this method or are starting to move away from this in favour of OpenID Connect or OAuth2
|
||||
internally or via plugins.
|
||||
|
||||
**[In Preview](./configuration/identity-providers/oidc.md)** *this roadmap item is in preview status since information
|
||||
is not yet persisted in the database. More information can be found in the docs*.
|
||||
internally or via plugins. **[In Preview](./oidc.md)** *this roadmap item is in preview status since information is not
|
||||
yet persisted in the database. More information can be found [here](./oidc.md) in the docs*.
|
||||
|
||||
3. [Multilingual full support](https://github.com/authelia/authelia/issues/625). Support as been added but we heed to study multiple providers like Crowdin or Weblate
|
||||
to help us translate in more languages and make Authelia available to even more people around the world!
|
||||
|
@ -41,7 +38,7 @@ kill sessions to reduce security risk due to compromised accounts and many other
|
|||
items for implementing the features but there is preparatory work to be done on the permissions (likely role-based) we want to
|
||||
implement.
|
||||
|
||||
7. [Facilitate setup on Kubernetes](https://github.com/authelia/authelia/issues/575). There are mainly two objectives
|
||||
6. [Facilitate setup on Kubernetes](https://github.com/authelia/authelia/issues/575). There are mainly two objectives
|
||||
here. First, we need to provide the documentation required to setup Authelia on Kubernetes. Even though, some users
|
||||
already have it working and the feature is even tested in the project, there is a clear lack of documentation. The
|
||||
second item is to provide a Helm chart to streamline the setup on Kubernetes.
|
138
docs/roadmap/oidc.md
Normal file
138
docs/roadmap/oidc.md
Normal file
|
@ -0,0 +1,138 @@
|
|||
---
|
||||
layout: default
|
||||
title: OpenID Connect
|
||||
parent: Roadmap
|
||||
nav_order: 1
|
||||
---
|
||||
|
||||
We have decided to implement [OpenID Connect] as a beta feature, it's suggested you only utilize it for testing and
|
||||
providing feedback, and should take caution in relying on it in production as of now. [OpenID Connect] and it's related
|
||||
endpoints are not enabled by default unless you specifically configure the [OpenID Connect] section.
|
||||
|
||||
As [OpenID Connect] is fairly complex (the [OpenID Connect] Provider role especially so) it's intentional that it is
|
||||
both a beta and that the implemented features are part of a thoughtful roadmap. Items that are not immediately obvious
|
||||
as required (i.e. bug fixes or spec features), will likely be discussed in team meetings or on GitHub issues before being
|
||||
added to the list. We want to implement this feature in a very thoughtful way in order to avoid security issues.
|
||||
|
||||
The beta will be broken up into stages. Each stage will bring additional features. The following table is a *rough* plan
|
||||
for which stage will have each feature, and may evolve over time:
|
||||
|
||||
<table>
|
||||
<thead>
|
||||
<tr>
|
||||
<th class="tbl-header">Stage</th>
|
||||
<th class="tbl-header">Feature Description</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td rowspan="8" class="tbl-header tbl-beta-stage">beta1 (4.29.0)</td>
|
||||
<td><a href="https://openid.net/specs/openid-connect-core-1_0.html#Consent" target="_blank" rel="noopener noreferrer">User Consent</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><a href="https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowSteps" target="_blank" rel="noopener noreferrer">Authorization Code Flow</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><a href="https://openid.net/specs/openid-connect-discovery-1_0.html" target="_blank" rel="noopener noreferrer">OpenID Connect Discovery</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>RS256 Signature Strategy</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Per Client Scope/Grant Type/Response Type Restriction</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Per Client Authorization Policy (1FA/2FA)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tbl-beta-stage">Per Client List of Valid Redirection URI's</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tbl-beta-stage"><a href="https://datatracker.ietf.org/doc/html/rfc6749#section-2.1" target="_blank" rel="noopener noreferrer">Confidential Client Type</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td rowspan="6" class="tbl-header tbl-beta-stage">beta2 (4.30.0)</td>
|
||||
<td class="tbl-beta-stage"><a href="https://openid.net/specs/openid-connect-core-1_0.html#UserInfo" target="_blank" rel="noopener noreferrer">Userinfo Endpoint</a> (missed in beta1)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tbl-beta-stage">Parameter Entropy Configuration</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tbl-beta-stage">Token/Code Lifespan Configuration</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tbl-beta-stage">Client Debug Messages</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tbl-beta-stage">Client Audience</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tbl-beta-stage"><a href="https://datatracker.ietf.org/doc/html/rfc6749#section-2.1" target="_blank" rel="noopener noreferrer">Public Client Type</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td rowspan="1" class="tbl-header tbl-beta-stage">beta3 (4.34.0)</td>
|
||||
<td>Proof Key for Code Exchange (PKCE) for Authorization Code Flow</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td rowspan="2" class="tbl-header tbl-beta-stage">beta4 <sup>1</sup></td>
|
||||
<td>Token Storage</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tbl-beta-stage">Audit Storage</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td rowspan="2" class="tbl-header tbl-beta-stage">beta5 <sup>1</sup></td>
|
||||
<td class="tbl-beta-stage">Prompt Handling</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tbl-beta-stage">Display Handling</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td rowspan="5" class="tbl-header tbl-beta-stage">beta6 <sup>1</sup></td>
|
||||
<td><a href="https://openid.net/specs/openid-connect-backchannel-1_0.html" target="_blank" rel="noopener noreferrer">Back-Channel Logout</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Deny Refresh on Session Expiration</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><a href="https://openid.net/specs/openid-connect-messages-1_0-20.html#rotate.sig.keys" target="_blank" rel="noopener noreferrer">Signing Key Rotation Policy</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tbl-beta-stage">Client Secrets Hashed in Configuration</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tbl-beta-stage">UUID or Random String for <code>sub</code> claim</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tbl-header tbl-beta-stage">GA <sup>1</sup></td>
|
||||
<td class="tbl-beta-stage">General Availability after previous stages are vetted for bug fixes</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td rowspan="7" class="tbl-header">misc</td>
|
||||
<td>List of other features that may be implemented</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tbl-beta-stage"><a href="https://openid.net/specs/openid-connect-frontchannel-1_0.html" target="_blank" rel="noopener noreferrer">Front-Channel Logout</a> <sup>2</sup></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tbl-beta-stage"><a href="https://datatracker.ietf.org/doc/html/rfc8414" target="_blank" rel="noopener noreferrer">OAuth 2.0 Authorization Server Metadata</a> <sup>2</sup></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tbl-beta-stage"><a href="https://openid.net/specs/openid-connect-session-1_0-17.html" target="_blank" rel="noopener noreferrer">OpenID Connect Session Management</a> <sup>2</sup></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tbl-beta-stage">End-User Scope Grants <sup>2</sup></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tbl-beta-stage">Client RBAC <sup>2</sup></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tbl-beta-stage">Add <code>preferred_username</code> claim (4.33.2)</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
¹ _This stage has not been implemented as of yet_.
|
||||
|
||||
² _This individual feature has not been implemented as of yet_.
|
||||
|
Loading…
Reference in New Issue
Block a user