FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

OIDC Certification #359

Open robotdan opened 4 years ago

robotdan commented 4 years ago

OpenID Connect Certification

Problem

There may be some edge cases FusionAuth does not cover in our current OIDC implementation. There may also be some customers who require or desire OIDC certification in their IAM solution of choice.

Solution

Complete self certification of OIDC.

Alternatives/workarounds

N/A

Additional context

https://openid.net/certification/
https://openid.net/certification/faq/
https://openid.net/developers/certified/

Known Issues

Related Issues

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

andrew-landsverk-win commented 4 years ago

I was evaluating IdP solutions for an upcoming project. We are looking to use all OIDC certified libraries and providers and the first roadblock we found with FusionAuth is the Provider Document URL is in the wrong order, so tools that need to take the Issuer and append /.well-known/openid-configuration do not work because the tenant ID comes after it for FusionAuth. Please see the referenced spec: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest
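The discovery rule referenced in the comment above, as an added example that is not part of the original thread or FusionAuth's code: a relying party derives the configuration URL from the issuer alone and then requires the returned `issuer` to match exactly. The host `idp.example`, the tenant ID and both URL layouts are constructed placeholders based on the comment's description.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
TENANT = "00000000-0000-0000-0000-000000000000"  # constructed placeholder tenant ID
# Constructed URLs on a placeholder host: suffix last vs. tenant ID last.
SUFFIX_LAST = f"https://idp.example/{TENANT}{WELL_KNOWN}"
TENANT_LAST = f"https://idp.example{WELL_KNOWN}/{TENANT}"


def discovery_url(issuer: str) -> str:
    """Build the provider configuration URL the way a relying party does."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("issuer must be an https URL with a host")
    if parts.query or parts.fragment:
        raise ValueError("issuer must not carry a query or fragment")
    # Drop one terminating "/" before appending the well-known suffix.
    base = issuer[:-1] if issuer.endswith("/") else issuer
    return base + WELL_KNOWN


def issuer_for(document_url: str):
    """Return the issuer that yields document_url, or None if none can."""
    if not document_url.endswith(WELL_KNOWN):
        return None
    candidate = document_url[: -len(WELL_KNOWN)]
    try:
        discovery_url(candidate)
    except ValueError:
        return None
    return candidate


def check_provider_document(issuer: str, document: dict) -> None:
    """Reject a document whose issuer is not identical to the configured one."""
    if document.get("issuer") != issuer:
        raise ValueError(f"issuer mismatch: {document.get('issuer')!r}")


if __name__ == "__main__":
    for url in (SUFFIX_LAST, TENANT_LAST):
        print(url, "->", issuer_for(url))
```

The exact-match check in `check_provider_document` is what keeps a client from accepting metadata served for a different issuer than the one it was configured to trust.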

robotdan commented 4 years ago

Thanks for the comment @andrew-landsverk-win. Appreciate the feedback, we'll take a look.

mooreds commented 2 years ago

You can run through a certification test using https://www.certification.openid.net/ which will give us an idea of what the gaps are.

mooreds commented 4 months ago

> I was evaluating IdP solutions for an upcoming project. We are looking to use all OIDC certified libraries and providers and the first roadblock we found with FusionAuth is the Provider Document URL is in the wrong order, so tools that need to take the Issuer and append /.well-known/openid-configuration do not work because the tenant ID comes after it for FusionAuth. Please see the referenced spec: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest

@andrew-landsverk-win looks like your particular issue was resolved in https://github.com/FusionAuth/fusionauth-issues/issues/2259, which was included in 1.46.0.

andrew-landsverk-win commented 4 months ago

@mooreds - Thanks for the reply! I see that the application has received updates to make it more "standards compliant" and I really appreciate it. At this time, however, we are not pursuing alternative libraries for authentication. Thank you though!!

mooreds commented 4 months ago

Thanks @andrew-landsverk-win. What solution did you end up going with, if you don't mind sharing?

andrew-landsverk-win commented 4 months ago

@mooreds we went with Keycloak.

mooreds commented 4 months ago

Thanks @andrew-landsverk-win! Appreciate the feedback.