authelia/docs/roadmap/oidc.md
James Elliott 0a970aef8a
feat(oidc): persistent storage (#2965)
This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 15:33:53 +10:00

6.5 KiB

layout title parent nav_order
default OpenID Connect Roadmap 1

We have decided to implement OpenID Connect as a beta feature, it's suggested you only utilize it for testing and providing feedback, and should take caution in relying on it in production as of now. OpenID Connect and it's related endpoints are not enabled by default unless you specifically configure the OpenID Connect section.

As OpenID Connect is fairly complex (the OpenID Connect Provider role especially so) it's intentional that it is both a beta and that the implemented features are part of a thoughtful roadmap. Items that are not immediately obvious as required (i.e. bug fixes or spec features), will likely be discussed in team meetings or on GitHub issues before being added to the list. We want to implement this feature in a very thoughtful way in order to avoid security issues.

The beta will be broken up into stages. Each stage will bring additional features. The following table is a rough plan for which stage will have each feature, and may evolve over time:

Stage Feature Description
beta1 (4.29.0) User Consent
Authorization Code Flow
OpenID Connect Discovery
RS256 Signature Strategy
Per Client Scope/Grant Type/Response Type Restriction
Per Client Authorization Policy (1FA/2FA)
Per Client List of Valid Redirection URI's
Confidential Client Type
beta2 (4.30.0) Userinfo Endpoint (missed in beta1)
Parameter Entropy Configuration
Token/Code Lifespan Configuration
Client Debug Messages
Client Audience
Public Client Type
beta3 (4.34.0) Proof Key for Code Exchange (PKCE) for Authorization Code Flow
beta5 (4.35.0) Token Storage
Audit Storage
Subject Storage
Pairwise Subject Identifier Type
Per-Client Consent Pre-Configuration
Cross-Origin Resource Sharing Configuration
Authentication Methods References Claim
UUID v4 sub claim
beta5 1 Prompt Handling
Display Handling
beta6 1 Back-Channel Logout
Deny Refresh on Session Expiration
Signing Key Rotation Policy
Client Secrets Hashed in Configuration
GA 1 General Availability after previous stages are vetted for bug fixes
misc List of other features that may be implemented
Front-Channel Logout 2
OAuth 2.0 Authorization Server Metadata 2
OpenID Connect Session Management 2
End-User Scope Grants 2
Client RBAC 2
Add preferred_username claim (4.33.2)

¹ This stage has not been implemented as of yet.

² This individual feature has not been implemented as of yet.