[Category] OpenID Connect

[robotdan]

OpenID Connect

Description

General tracking issue for OIDC improvements.

Related

• Feature: Support Well-Known URL for Changing Passwords #52
• User-Managed Access (UMA) support #129
• Feature: Support for RFC 7009 : Revoke Refresh Tokens #201
• Support Authentication Context Class Reference (acr_values) when making a request to a 3rd Party OIDC IdP #339
• OIDC Certification #359
• Feature: OIDC Back-Channel Logout Support #465
• Support silent renewal with prompt=none in Oauth2 Implicit Grant #521
• Feature Request: User Impersonation #830
• Provide OAuth 2.1 compatibility option #942
• last-modified headers on .well-known endpoints. #1014
• Support OAuth2 metadata RFC (RFC 8414) #1029
• Introspect endpoint does not support client authentication according to the spec #1100
• Support multiple OIDC user agent response formats #1118
• Support dynamic client registration #1125
• Support Financial Grade APIs specifications #1144
• signal support for PKCE in discovery document #1177
• Support private_key_jwt client authentication method #1281
• Allow Permissions Grant to User for an Entity in OAuth Grant #1295
• Support PAR standard #1329
• Add support for tokens obtained from the client credentials grant on the introspection endpoint #1434
• Implement Impersonation and Delegation Tokens (RFC8693) #1471
• Public Client : Refresh Token Revocation on Token Reuse #1619
• Client Authentication Policy "Not required when using PKCE" blocking the refresh token grant #1653
• Support DPoP standard #1679
• Use JWT header typ from RFC 9068 to differentiate between an id_token and access_token #1973
• Support RP initiated logout #2143
• Allow an OIDC IdP to restrict the use of the email claim during linking unless email_verified: true #2184
• Support the prompt parameter #2208
• Allow Device Grant to be completed out of band #2218
• OIDC discovery well known endpoint has the tenant id suffix #2259
• Allow custom app schemes in the Logout URL #2291
• OpenID integration / nonce missing (France Connect) #2410
• Add new default behavior to reject a link in an OIDC IdP if email_verified is present and is false #2423
• Add prompt to the RP initiated logout request  #2446
• Support OAuth 2.0 Step Up Authentication Challenge Protocol #2458
• Document the /register OAuth2.0 endpoint #2509
• Support refreshing an access token with narrower scope #2590
• Compatibility with OpenID Shared Signals #2608
• Only add WWW-Authenticate when returning 401 when using Authentication: Basic scheme #2645

Related Standards based issues

RFCs that may or may not be directly related to OIDC, but are standards based items we could or should consider.

• Support RFC 8707, resource indicators #1767
• Add mTLS support for token binding #1025
• Support OAuth 2.0 Step Up Authentication Challenge Protocol #2458
• Support Web Message Response Mode #2740

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.