4.5 KiB
OIDC Connect Core Notes
dex aims to be a full featured OIDC Provider, but it still has a little ways to go. Most of the places where dex and OIDC diverge are minor, but we do want to fix them. Here's a list of these places; there may be other discrepancies as well if you find any please file an issue or even better, a pull request.
To be clear: the places were we are not in compliance with mandatory features, we will fix. As for things marked as OPTIONAL in the spec, whether and when those are supported by dex will be driven by the needs of the community.
Notes on OpenID Connect Core
Sec. 2. ID Token
- None of the OPTIONAL claims (
acr
,amr
,azp
,auth_time
) are supported - dex signs using JWS but does not do the OPTIONAL encryption.
Sec. 3. Authentication
- Only the authorization code flow (where
response_type
iscode
) is supported.
Sec. 3.1.2. Authorization Endpoint
- In a production system TLS is required but the dex web-server only supports HTTP right now - it is expected that until HTTPS is supported, TLS termination will be handled outside of dex.
Sec. 3.1.2.1. Authentication Request
- max_age not implemented; it's OPTIONAL in the spec, but if it's present servers MUST include auth_time, which dex does not.
- None of the other OPTIONAL parameters are implemented with the exception of:
- state
- nonce
- dex also defines a non-standard
register
parameter; when this parameter is1
, end-users are taken through a registration flow, which after completing successfully, lands them at the specifiedredirect_uri
Sec. 3.2.2.3. Authorization Server Authenticates End-User
- The spec states that the authentication server "MUST NOT interact with the End-User" when
prompt
isnone
We don't check the prompt parameter at all; similarly, dex MUST re-prompt whenprompt
islogin
- dex does not do this either.
Sec. 3.1.3.2. Token Request Validation
- In Token requests, dex chooses to proceed without error when
redirect_uri
is not present and there's only one registered valid URI (which is valid behavior)
Sec. 4. Initiating Login from a Third Party - dex does not support this at this time
Sec. 5.1.2. AdditionalClaims
- dex defines uses the following additional claims:
http://coreos.com/password/old-hash
http://coreos.com/password/reset-callback
http://coreos.com/email/verification-callback
http://coreos.com/email/verificationEmail
Sec. 5.3. UserInfo Endpoint
- dex does not implement this endpoint.
Sec. 6.1 Passing a Request Object by Value
- dex does not implement this feature.
Sec. 7. Self-Issued OpenID Provider
- dex does not implement this feature.
Sec. 8. Subject Identifier Types
- dex only supports the
public
subject identifier type.
Sec. 9. Client Authentication
- dex only supports the
client_secret_basic
client authentication type.
Sec. 11. Offline Access
- offline_access in 'scope' is supported, but as we haven't implemented 'prompt' yet, the spec's requirement is not fully met yet.
Sec. 15.1. Mandatory to Implement Features for All OpenID Providers
- dex is missing the follow mandatory features (some are already noted elsewhere in this document):
- Support for
prompt
parameter - Support for the
auth_time
parameter - Support for enforcing
max_age
parameter
- Support for
Sec. 15.3. Discovery and Registration
- dex supports OIDC Discovery at the standard
/.well-known/openid-configuration
endpoint.