diff --git a/Documentation/oidc-notes.md b/Documentation/oidc-notes.md index 09f55787..02fdce6d 100644 --- a/Documentation/oidc-notes.md +++ b/Documentation/oidc-notes.md @@ -11,30 +11,22 @@ Sec. 2. [ID Token](http://openid.net/specs/openid-connect-core-1_0.html#IDToken) - None of the OPTIONAL claims (`acr`, `amr`, `azp`, `auth_time`) are supported - dex signs using JWS but does not do the OPTIONAL encryption. - Sec. 3. [Authentication](http://openid.net/specs/openid-connect-core-1_0.html#Authentication) - Only the authorization code flow (where `response_type` is `code`) is supported. Sec. 3.1.2. [Authorization Endpoint](http://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint) - In a production system TLS is required but the dex web-server only supports HTTP right now - it is expected that until HTTPS is supported, TLS termination will be handled outside of dex. - Sec. 3.1.2.1. [Authentication Request](http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest) -- dex doesn't check the value of "scope" to make sure it contains "openid" in authentication requests. - max_age not implemented; it's OPTIONAL in the spec, but if it's present servers MUST include auth_time, which dex does not. - None of the other OPTIONAL parameters are implemented with the exception of: - state - nonce - dex also defines a non-standard `register` parameter; when this parameter is `1`, end-users are taken through a registration flow, which after completing successfully, lands them at the specified `redirect_uri` -Sec. 3.1.2.2. [Authentication Request Validation](http://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation) -- As mentioned earlier, dex doesn't validate that the `openid` scope value is present. - - Sec. 3.2.2.3. [Authorization Server Authenticates End-User](http://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthenticates) - The spec states that the authentication server "MUST NOT interact with the End-User" when `prompt` is `none` We don't check the prompt parameter at all; similarly, dex MUST re-prompt when `prompt` is `login` - dex does not do this either. - Sec. 3.1.3.2. [Token Request Validation](http://openid.net/specs/openid-connect-core-1_0.html#TokenRequestValidation) - In Token requests, dex chooses to proceed without error when `redirect_uri` is not present and there's only one registered valid URI (which is valid behavior) @@ -64,8 +56,8 @@ Sec. 9. [Client Authentication](http://openid.net/specs/openid-connect-core-1_0. - dex only supports the `client_secret_basic` client authentication type. Sec. 11. [Offline Access](http://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess) -- dex does not implement this feature. - +- offline_access in 'scope' is supported, but as we haven't implemented 'prompt' yet, the + spec's requirement is not fully met yet. Sec. 15.1. [Mandatory to Implement Features for All OpenID Providers](http://openid.net/specs/openid-connect-core-1_0.html#ImplementationConsiderations) - dex is missing the follow mandatory features (some are already noted elsewhere in this document):