Documentation: Update the notes on 'offline access'.
This commit is contained in:
parent
93a0830ae0
commit
fb72e6074a
1 changed files with 2 additions and 10 deletions
|
@ -11,30 +11,22 @@ Sec. 2. [ID Token](http://openid.net/specs/openid-connect-core-1_0.html#IDToken)
|
||||||
- None of the OPTIONAL claims (`acr`, `amr`, `azp`, `auth_time`) are supported
|
- None of the OPTIONAL claims (`acr`, `amr`, `azp`, `auth_time`) are supported
|
||||||
- dex signs using JWS but does not do the OPTIONAL encryption.
|
- dex signs using JWS but does not do the OPTIONAL encryption.
|
||||||
|
|
||||||
|
|
||||||
Sec. 3. [Authentication](http://openid.net/specs/openid-connect-core-1_0.html#Authentication)
|
Sec. 3. [Authentication](http://openid.net/specs/openid-connect-core-1_0.html#Authentication)
|
||||||
- Only the authorization code flow (where `response_type` is `code`) is supported.
|
- Only the authorization code flow (where `response_type` is `code`) is supported.
|
||||||
|
|
||||||
Sec. 3.1.2. [Authorization Endpoint](http://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint)
|
Sec. 3.1.2. [Authorization Endpoint](http://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint)
|
||||||
- In a production system TLS is required but the dex web-server only supports HTTP right now - it is expected that until HTTPS is supported, TLS termination will be handled outside of dex.
|
- In a production system TLS is required but the dex web-server only supports HTTP right now - it is expected that until HTTPS is supported, TLS termination will be handled outside of dex.
|
||||||
|
|
||||||
|
|
||||||
Sec. 3.1.2.1. [Authentication Request](http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest)
|
Sec. 3.1.2.1. [Authentication Request](http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest)
|
||||||
- dex doesn't check the value of "scope" to make sure it contains "openid" in authentication requests.
|
|
||||||
- max_age not implemented; it's OPTIONAL in the spec, but if it's present servers MUST include auth_time, which dex does not.
|
- max_age not implemented; it's OPTIONAL in the spec, but if it's present servers MUST include auth_time, which dex does not.
|
||||||
- None of the other OPTIONAL parameters are implemented with the exception of:
|
- None of the other OPTIONAL parameters are implemented with the exception of:
|
||||||
- state
|
- state
|
||||||
- nonce
|
- nonce
|
||||||
- dex also defines a non-standard `register` parameter; when this parameter is `1`, end-users are taken through a registration flow, which after completing successfully, lands them at the specified `redirect_uri`
|
- dex also defines a non-standard `register` parameter; when this parameter is `1`, end-users are taken through a registration flow, which after completing successfully, lands them at the specified `redirect_uri`
|
||||||
|
|
||||||
Sec. 3.1.2.2. [Authentication Request Validation](http://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation)
|
|
||||||
- As mentioned earlier, dex doesn't validate that the `openid` scope value is present.
|
|
||||||
|
|
||||||
|
|
||||||
Sec. 3.2.2.3. [Authorization Server Authenticates End-User](http://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthenticates)
|
Sec. 3.2.2.3. [Authorization Server Authenticates End-User](http://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthenticates)
|
||||||
- The spec states that the authentication server "MUST NOT interact with the End-User" when `prompt` is `none` We don't check the prompt parameter at all; similarly, dex MUST re-prompt when `prompt` is `login` - dex does not do this either.
|
- The spec states that the authentication server "MUST NOT interact with the End-User" when `prompt` is `none` We don't check the prompt parameter at all; similarly, dex MUST re-prompt when `prompt` is `login` - dex does not do this either.
|
||||||
|
|
||||||
|
|
||||||
Sec. 3.1.3.2. [Token Request Validation](http://openid.net/specs/openid-connect-core-1_0.html#TokenRequestValidation)
|
Sec. 3.1.3.2. [Token Request Validation](http://openid.net/specs/openid-connect-core-1_0.html#TokenRequestValidation)
|
||||||
- In Token requests, dex chooses to proceed without error when `redirect_uri` is not present and there's only one registered valid URI (which is valid behavior)
|
- In Token requests, dex chooses to proceed without error when `redirect_uri` is not present and there's only one registered valid URI (which is valid behavior)
|
||||||
|
|
||||||
|
@ -64,8 +56,8 @@ Sec. 9. [Client Authentication](http://openid.net/specs/openid-connect-core-1_0.
|
||||||
- dex only supports the `client_secret_basic` client authentication type.
|
- dex only supports the `client_secret_basic` client authentication type.
|
||||||
|
|
||||||
Sec. 11. [Offline Access](http://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess)
|
Sec. 11. [Offline Access](http://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess)
|
||||||
- dex does not implement this feature.
|
- offline_access in 'scope' is supported, but as we haven't implemented 'prompt' yet, the
|
||||||
|
spec's requirement is not fully met yet.
|
||||||
|
|
||||||
Sec. 15.1. [Mandatory to Implement Features for All OpenID Providers](http://openid.net/specs/openid-connect-core-1_0.html#ImplementationConsiderations)
|
Sec. 15.1. [Mandatory to Implement Features for All OpenID Providers](http://openid.net/specs/openid-connect-core-1_0.html#ImplementationConsiderations)
|
||||||
- dex is missing the follow mandatory features (some are already noted elsewhere in this document):
|
- dex is missing the follow mandatory features (some are already noted elsewhere in this document):
|
||||||
|
|
Reference in a new issue