
OIDC Certification

Open robotdan opened this issue 5 years ago • 8 comments

OpenID Connect Certification

Problem

There may be some edge cases FusionAuth does not cover in our current OIDC implementation. There may also be some customers who require or desire OIDC certification in their IAM solution of choice.

Solution

Complete self certification of OIDC.

Alternatives/workarounds

N/A

Additional context

  • https://openid.net/certification/
  • https://openid.net/certification/faq/
  • https://openid.net/developers/certified/

Known Issues

  • The OpenID Connect Provider Configuration Request does not prefix the issuer in the URL ( https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest ) See https://github.com/FusionAuth/fusionauth-issues/issues/359#issuecomment-596710077

Related Issues

  • https://github.com/FusionAuth/fusionauth-issues/issues/201
  • https://github.com/FusionAuth/fusionauth-issues/issues/465
  • https://github.com/FusionAuth/fusionauth-issues/issues/521
  • https://github.com/FusionAuth/fusionauth-issues/issues/1111

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

robotdan, Nov 07 '19 15:11
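The ordering problem listed under Known Issues is the one OpenID Connect Discovery 1.0 pins down: a client takes the issuer, strips any trailing slash, appends `/.well-known/openid-configuration`, fetches that URL, and then must refuse the document unless its `issuer` claim is identical to the issuer it started from. A provider that places a tenant identifier after the well-known suffix cannot be reached by a client built that way. The following is an added example, not FusionAuth's own code and not code from this thread; the issuer `https://login.example.com/acme-tenant` and both JSON documents are constructed for illustration.

```python
"""Added example, not FusionAuth code: derive the OIDC Discovery URL from an
issuer exactly as OpenID Connect Discovery 1.0 prescribes, then validate the
document that comes back. Issuer values and JSON below are constructed."""
import json
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/openid-configuration"

# Fields OpenID Connect Discovery 1.0 section 3 marks REQUIRED for every provider.
REQUIRED_FIELDS = (
    "issuer",
    "authorization_endpoint",
    "jwks_uri",
    "response_types_supported",
    "subject_types_supported",
    "id_token_signing_alg_values_supported",
)

# Constructed issuer whose path segment stands in for a per-tenant issuer.
ISSUER = "https://login.example.com/acme-tenant"

# Constructed discovery document whose issuer matches the URL it was fetched from.
GOOD_DOCUMENT = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/oauth2/authorize",
    "token_endpoint": ISSUER + "/oauth2/token",
    "jwks_uri": ISSUER + "/.well-known/jwks.json",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Constructed document that claims a different issuer: a client must reject it.
MISMATCHED_DOCUMENT = json.dumps({
    "issuer": "https://login.example.com/other-tenant",
    "authorization_endpoint": "https://login.example.com/other-tenant/oauth2/authorize",
    "jwks_uri": "https://login.example.com/other-tenant/.well-known/jwks.json",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})


def discovery_url(issuer: str) -> str:
    """Append /.well-known/openid-configuration to the issuer (Discovery 1.0 section 4).

    The suffix goes after the whole issuer path, so an issuer carrying a
    tenant segment keeps that segment in front of the well-known path. A
    trailing slash on the issuer path is removed first, as the spec requires.
    """
    parts = urlsplit(issuer)
    if parts.scheme != "https":
        raise ValueError("issuer must be an https URL")
    if parts.query or parts.fragment:
        raise ValueError("issuer must not carry a query or fragment")
    path = parts.path.rstrip("/") + WELL_KNOWN
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def check_provider_config(issuer: str, document: str) -> dict:
    """Parse a discovery document and verify it belongs to the expected issuer.

    Discovery 1.0 section 4.3 requires the returned issuer to be identical to
    the issuer the client used; a client that skips this check can be steered
    to another provider's endpoints (issuer mix-up). Required fields are
    checked so a truncated or unrelated JSON body is not accepted.
    """
    cfg = json.loads(document)
    missing = [f for f in REQUIRED_FIELDS if f not in cfg]
    if missing:
        raise ValueError(f"discovery document missing required fields: {missing}")
    if cfg["issuer"] != issuer:
        raise ValueError(
            f"issuer mismatch: fetched from {issuer!r}, document says {cfg['issuer']!r}"
        )
    return cfg


if __name__ == "__main__":
    print("fetch:", discovery_url(ISSUER))
    cfg = check_provider_config(ISSUER, GOOD_DOCUMENT)
    print("jwks_uri:", cfg["jwks_uri"])
    try:
        check_provider_config(ISSUER, MISMATCHED_DOCUMENT)
    except ValueError as exc:
        print("rejected:", exc)
```

The issuer comparison is a plain string equality on purpose: the spec requires the values to be identical, and the same string later has to match the `iss` claim of every ID token the client accepts, so normalising it (case, trailing slash, default port) in one place and not the other is how mix-ups slip through.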

I was evaluating IdP solutions for an upcoming project. We are looking to use all OIDC certified libraries and providers and the first roadblock we found with FusionAuth is the Provider Document URL is in the wrong order, so tools that need to take the Issuer and append /.well-known/openid-configuration do not work because the tenant ID comes after it for FusionAuth. Please see the referenced spec: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest

andrew-landsverk-win, Mar 09 '20 18:03

Thanks for the comment @andrew-landsverk-win . Appreciate the feedback, we'll take a look.

robotdan, Mar 09 '20 23:03

You can run through a certification test using https://www.certification.openid.net/ which will give us an idea of what the gaps are.

mooreds, Jul 22 '22 14:07

@andrew-landsverk-win looks like your particular issue was resolved in https://github.com/FusionAuth/fusionauth-issues/issues/2259 , which was included in 1.46.0.

mooreds, May 09 '24 16:05

@mooreds - Thanks for the reply! I see that the application has received updates to make it more "standards compliant" and I really appreciate it. At this time, however, we are not pursuing alternative libraries for authentication. Thank you though!!

andrew-landsverk-win, May 13 '24 13:05

Thanks @andrew-landsverk-win . What solution did you end up going with, if you don't mind sharing?

mooreds, May 13 '24 16:05

@mooreds we went with Keycloak.

andrew-landsverk-win, May 13 '24 16:05

Thanks @andrew-landsverk-win ! appreciate the feedback.

mooreds, May 13 '24 18:05