{{ $faq := "../frequently-asked-questions/" }}{{ $config := "../../../../configuration/identity-providers/openid-connect" }} {{- with .Get "faq" }}{{ $faq = . }}{{ end }} {{- with .Get "config" }}{{ $config = . }}{{ end }} ## Before You Begin
Important Reading
This section contains important elements that you should carefully consider before configuration of an OpenID Connect 1.0 Registered Client.
Client Has Known Significant Bugs
Unfortunately at the time this guide was last modified (noted at the bottom of the guide) this third-party application has bugs which are significant and indicate either a fairly low level of support for OpenID Connect 1.0 or no effective support at all. This guide may have workarounds to adapt to this but this is done solely on a best effort basis. The developers of the application should be encouraged to fix these bugs.
{{- if in $bugs "claims-hydration" }}Claims Hydration: this client outright does not support OpenID Connect 1.0 as it does not honor the expected process to retrieve the claims it needs to access. The workaround is documented in Configuration Escape Hatch.
{{- end }} {{- if in $bugs "client-credentials-encoding" }}
Client Credentials Encoding: this client does not properly encode the client credentials before
using them for authentication as per
RFC6749 Appendix B. It is
required that the Client ID and Client Secret are both URL Escaped before being used for both the
client_secret_post and client_secret_basic authentication mechanisms. Avoiding special
characters in both the Client ID and Client Secret or URL Escaping them before adding them to the clients
configuration are the only workarounds. Authelia's random password generator will automatically output both
a normal version and a pre-encoded version which you could utilize.
Claim Binding: this client outright does not support
OpenID Connect 1.0 as it
does not bind the identity provider identity (the sub and iss claims which are
guaranteed not to change) to local accounts, instead it uses claims like email and
preferred_username which is a vulnerability that could result in a simple privilege escalation. The
developer has been made aware of this vulnerability but has decided not to fix it. See
Connect 1.0 Section 5.7 Claim Stability and Uniqueness
for more information.