This is a meta commit for a feature originally implemented in 0a970aef8a
documenting the change from using the username as a subject identifier to a specification compliant subject identifier in the form of RFC4122 UUID V4 subject identifiers. This is a required change in order to be compliant with the specification as per https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes. Relying parties which utilize the subject identifier / sub claim may need manual intervention in order to relink accounts. Users who have issues will have to consult with the documentation of their individual relying parties in order to relink accounts. Users who utilized the subject identifier as a means to provision their users are also encouraged to utilize the preferred_username claim from the profile scope.
6.6 KiB
layout | title | parent | nav_order |
---|---|---|---|
default | OpenID Connect | Roadmap | 1 |
We have decided to implement OpenID Connect as a beta feature, it's suggested you only utilize it for testing and providing feedback, and should take caution in relying on it in production as of now. OpenID Connect and it's related endpoints are not enabled by default unless you specifically configure the OpenID Connect section.
As OpenID Connect is fairly complex (the OpenID Connect Provider role especially so) it's intentional that it is both a beta and that the implemented features are part of a thoughtful roadmap. Items that are not immediately obvious as required (i.e. bug fixes or spec features), will likely be discussed in team meetings or on GitHub issues before being added to the list. We want to implement this feature in a very thoughtful way in order to avoid security issues.
The beta will be broken up into stages. Each stage will bring additional features. The following table is a rough plan for which stage will have each feature, and may evolve over time:
Stage | Feature Description |
---|---|
beta1 (4.29.0) | User Consent |
Authorization Code Flow | |
OpenID Connect Discovery | |
RS256 Signature Strategy | |
Per Client Scope/Grant Type/Response Type Restriction | |
Per Client Authorization Policy (1FA/2FA) | |
Per Client List of Valid Redirection URI's | |
Confidential Client Type | |
beta2 (4.30.0) | Userinfo Endpoint (missed in beta1) |
Parameter Entropy Configuration | |
Token/Code Lifespan Configuration | |
Client Debug Messages | |
Client Audience | |
Public Client Type | |
beta3 (4.34.0) | Proof Key for Code Exchange (PKCE) for Authorization Code Flow |
beta5 (4.35.0) | Token Storage |
Audit Storage | |
Subject Storage | |
Pairwise Subject Identifier Type | |
Per-Client Consent Pre-Configuration | |
Cross-Origin Resource Sharing Configuration | |
Authentication Methods References Claim | |
Opaque Subject Identifiers (UUID V4) for sub Claim |
|
beta5 1 | Prompt Handling |
Display Handling | |
beta6 1 | Back-Channel Logout |
Deny Refresh on Session Expiration | |
Signing Key Rotation Policy | |
Client Secrets Hashed in Configuration | |
GA 1 | General Availability after previous stages are vetted for bug fixes |
misc | List of other features that may be implemented |
Front-Channel Logout 2 | |
OAuth 2.0 Authorization Server Metadata 2 | |
OpenID Connect Session Management 2 | |
End-User Scope Grants 2 | |
Client RBAC 2 | |
Add preferred_username claim (4.33.2) |
¹ This stage has not been implemented as of yet.
² This individual feature has not been implemented as of yet.