authelia/docs/roadmap/oidc.md
James Elliott ad84c8c33e
feat(oidc): opaque subject identifiers (#3129)
This is a meta commit for a feature originally implemented in 0a970aef8a documenting the change from using the username as a subject identifier to a specification compliant subject identifier in the form of RFC4122 UUID V4 subject identifiers. This is a required change in order to be compliant with the specification as per https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes. Relying parties which utilize the subject identifier / sub claim may need manual intervention in order to relink accounts. Users who have issues will have to consult with the documentation of their individual relying parties in order to relink accounts. Users who utilized the subject identifier as a means to provision their users are also encouraged to utilize the preferred_username claim from the profile scope.
2022-04-07 17:35:54 +10:00

---
layout: default
title: OpenID Connect
parent: Roadmap
nav_order: 1
---

We have decided to implement OpenID Connect as a beta feature. It is suggested that you only use it for testing and providing feedback, and that you exercise caution before relying on it in production for now. OpenID Connect and its related endpoints are not enabled by default; they are only enabled when you explicitly configure the OpenID Connect section.

As OpenID Connect is fairly complex (the OpenID Connect Provider role especially so), it is intentional both that it is a beta and that the implemented features follow a deliberate roadmap. Items that are not obviously required (unlike bug fixes or specification features, which are) will likely be discussed in team meetings or on GitHub issues before being added to the list. We want to implement this feature very carefully in order to avoid security issues.

The beta will be broken up into stages. Each stage will bring additional features. The following table is a rough plan for which stage will have each feature, and may evolve over time:

| Stage | Feature | Description |
|:------|:--------|:------------|
| beta1 (4.29.0) | User Consent | |
| | Authorization Code Flow | |
| | OpenID Connect Discovery | |
| | RS256 Signature Strategy | |
| | Per Client Scope/Grant Type/Response Type Restriction | |
| | Per Client Authorization Policy (1FA/2FA) | |
| | Per Client List of Valid Redirection URIs | |
| | Confidential Client Type | |
| beta2 (4.30.0) | Userinfo Endpoint | Missed in beta1 |
| | Parameter Entropy Configuration | |
| | Token/Code Lifespan Configuration | |
| | Client Debug Messages | |
| | Client Audience | |
| | Public Client Type | |
| beta3 (4.34.0) | Proof Key for Code Exchange (PKCE) for Authorization Code Flow | |
| beta4 (4.35.0) | Token Storage | |
| | Audit Storage | |
| | Subject Storage | |
| | Pairwise Subject Identifier Type | |
| | Per-Client Consent Pre-Configuration | |
| | Cross-Origin Resource Sharing Configuration | |
| | Authentication Methods References Claim | |
| | Opaque Subject Identifiers (UUID V4) for `sub` Claim | |
| beta5¹ | Prompt Handling | |
| | Display Handling | |
| beta6¹ | Back-Channel Logout | |
| | Deny Refresh on Session Expiration | |
| | Signing Key Rotation Policy | |
| | Client Secrets Hashed in Configuration | |
| GA¹ | General Availability | After previous stages are vetted for bug fixes |
| misc | Front-Channel Logout² | List of other features that may be implemented |
| | OAuth 2.0 Authorization Server Metadata² | |
| | OpenID Connect Session Management² | |
| | End-User Scope Grants² | |
| | Client RBAC² | |
| | Add `preferred_username` claim | 4.33.2 |

¹ This stage has not been implemented as of yet.

² This individual feature has not been implemented as of yet.
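The commit description above and the "Pairwise Subject Identifier Type" and "Opaque Subject Identifiers (UUID V4)" rows both turn on the same point: the `sub` claim must be a stable, opaque identifier that is never reassigned, and a relying party that keyed accounts on the old username-valued `sub` needs a one-time relink. The following Go program is an added example written for this page; it is not Authelia's implementation. It assumes an in-memory `SubjectStore` with a per-provider `salt` (a real provider would persist the mapping, the roadmap's "Subject Storage"), derives pairwise subjects with the example algorithm from OpenID Connect Core 1.0 section 8.1 (`SHA-256(sector_identifier || local_account_id || salt)`), and shows a hypothetical relying-party `LinkAccount` helper that migrates a legacy record using the `preferred_username` claim from the `profile` scope:

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
)
// uuidV4 returns a random RFC 4122 version 4 UUID in canonical 8-4-4-4-12 form.
func uuidV4() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version nibble = 4
	b[8] = (b[8] & 0x3f) | 0x80 // variant bits = 10xx (RFC 4122)
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16]), nil
}

// SubjectStore maps usernames to opaque subjects; the in-memory map and salt are assumptions of this example.
type SubjectStore struct {
	subs map[string]string
	salt []byte
}

func NewSubjectStore(salt []byte) *SubjectStore {
	return &SubjectStore{subs: map[string]string{}, salt: salt}
}

// PublicSubject allocates a UUID v4 the first time a username is seen and returns the
// same value afterwards: stable, opaque, and identical for every client ("public" type).
func (s *SubjectStore) PublicSubject(username string) (string, error) {
	if sub, ok := s.subs[username]; ok {
		return sub, nil
	}
	sub, err := uuidV4()
	if err != nil {
		return "", err
	}
	s.subs[username] = sub
	return sub, nil
}

// SectorIdentifier is the host of the client's redirect URI, the grouping key OIDC Core
// 8.1 uses for pairwise subjects when the client registers no sector_identifier_uri.
func SectorIdentifier(redirectURI string) (string, error) {
	u, err := url.Parse(redirectURI)
	if err != nil || u.Host == "" {
		return "", fmt.Errorf("redirect URI %q has no host component", redirectURI)
	}
	return u.Hostname(), nil
}

// PairwiseSubject follows the example algorithm in OIDC Core 8.1 with the opaque public
// subject as local id: the username is never recoverable and sectors cannot be correlated.
func (s *SubjectStore) PairwiseSubject(username, redirectURI string) (string, error) {
	sector, err := SectorIdentifier(redirectURI)
	if err != nil {
		return "", err
	}
	local, err := s.PublicSubject(username)
	if err != nil {
		return "", err
	}
	h := sha256.New()
	h.Write([]byte(sector)) // the UUID is fixed-width, so sector||uuid splits unambiguously
	h.Write([]byte(local))
	h.Write(s.salt)
	return hex.EncodeToString(h.Sum(nil)), nil
}

// Account is an RP's local record (legacy deployments hold the username in Subject); Claims holds validated ID token claims.
type Account struct{ Issuer, Subject string }
type Claims struct{ Issuer, Subject, PreferredUsername string }

// LinkAccount matches on (iss, sub) first. The fallback, for records still keyed by the
// old username-valued sub, compares preferred_username (profile scope) with the stored
// value and rewrites it to the opaque sub, so it fires at most once; the bool flags it.
func LinkAccount(accounts []*Account, c Claims) (*Account, bool, error) {
	for _, a := range accounts {
		if a.Issuer == c.Issuer && a.Subject == c.Subject {
			return a, false, nil
		}
	}
	for _, a := range accounts {
		if a.Issuer == c.Issuer && c.PreferredUsername != "" && a.Subject == c.PreferredUsername {
			a.Subject = c.Subject
			return a, true, nil
		}
	}
	return nil, false, fmt.Errorf("no account for issuer %s and subject %s", c.Issuer, c.Subject)
}

func main() {
	s := NewSubjectStore([]byte("constructed-secret-salt"))
	fmt.Println(s.PairwiseSubject("alice", "https://app.example.com/oauth2/callback"))
}
```

Two design points matter on the relying-party side. The fallback only fires for the same issuer and only rewrites a record whose stored `sub` still equals the username, so after one successful login the account is keyed by the opaque identifier and the username path is dead for it. That is deliberate: `preferred_username` is neither guaranteed unique nor guaranteed stable, and a username that is later reassigned to a different person would otherwise hand that person the old account, which is exactly the class of problem the specification's opaque `sub` requirement exists to prevent. Treat the relink as an audited, one-time migration, not an ongoing lookup key.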