User Story
As a developer using Authula,
I want the OAuth2 plugin to support OpenID Connect (OIDC),
so that I can use Authula with standard OIDC-compliant identity providers and clients.
Context & Rationale
Currently, the OAuth2 plugin supports OAuth2 sign-in flows, but it is not yet OIDC-compliant. OIDC builds on OAuth2 by adding an identity layer, including the id_token, standard user claims, discovery metadata, and user information endpoints. Supporting OIDC will allow Authula to integrate with providers that expose the standard discovery document at /.well-known/openid-configuration, reducing provider-specific integration work and improving compatibility with tools that support OIDC.
Technical Implementation Details
-
Open ID Configuration
- Add support for fetching the OIDC configuration via the provider’s endpoint, typically
https://domain/.well-known/openid-configuration.
- Use this file to resolve the provider’s
authorization_endpoint, token_endpoint, userinfo_endpoint, and jwks_uri.
-
ID token validation
- Parse the
id_token returned by the token endpoint.
- Verify the token signature using the provider’s JWKS.
- Validate standard claims including:
iss matches the configured issuer.aud includes the Authula client ID.exp has not expired.
- Optionally validate
nonce when the authorization request includes one.
-
Standard scopes and claims
- When OIDC mode is enabled, automatically request the following scopes:
openid, profile, email.
- Map standard OIDC claims such as
sub, email, email_verified, and name to Authula’s core user model.
-
UserInfo support
- Add support for calling the OIDC
userinfo endpoint using the access token.
- Use
userinfo as a fallback or supplement when claims are not fully available in the id_token.
-
Configuration
- Add an explicit OIDC mode or provider type in the plugin configuration.
- Support issuer-based configuration so the plugin can discover endpoints dynamically from the provider base URL.
Acceptance Criteria
- The plugin can complete an OIDC login flow against a standard provider.
- The plugin reads OIDC endpoints from discovery rather than requiring hardcoded provider-specific URLs.
- The
id_token is validated against the provider’s JWKS.
- Authula can map the authenticated identity to an internal user record using standard claims.
- The plugin continues to support existing OAuth2 behavior for non-OIDC providers.
Subject to change.
User Story
As a developer using Authula,
I want the OAuth2 plugin to support OpenID Connect (OIDC),
so that I can use Authula with standard OIDC-compliant identity providers and clients.
Context & Rationale
Currently, the OAuth2 plugin supports OAuth2 sign-in flows, but it is not yet OIDC-compliant. OIDC builds on OAuth2 by adding an identity layer, including the
id_token, standard user claims, discovery metadata, and user information endpoints. Supporting OIDC will allow Authula to integrate with providers that expose the standard discovery document at/.well-known/openid-configuration, reducing provider-specific integration work and improving compatibility with tools that support OIDC.Technical Implementation Details
Open ID Configuration
https://domain/.well-known/openid-configuration.authorization_endpoint,token_endpoint,userinfo_endpoint, andjwks_uri.ID token validation
id_tokenreturned by the token endpoint.issmatches the configured issuer.audincludes the Authula client ID.exphas not expired.noncewhen the authorization request includes one.Standard scopes and claims
openid, profile, email.sub,email,email_verified, andnameto Authula’s core user model.UserInfo support
userinfoendpoint using the access token.userinfoas a fallback or supplement when claims are not fully available in theid_token.Configuration
Acceptance Criteria
id_tokenis validated against the provider’s JWKS.Subject to change.