website/blog: Becoming OpenID certified - Why standards matter #4865

Merged

Conversation


@BeryJu BeryJu commented Mar 7, 2023

No description provided.

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu BeryJu requested a review from tanberry March 7, 2023 15:19
@netlify

netlify bot commented Mar 7, 2023

Deploy Preview for authentik ready!

| Name | Link |
| --- | --- |
| 🔨 Latest commit | 0f90e43 |
| 🔍 Latest deploy log | https://app.netlify.com/sites/authentik/deploys/640772e0083ea7000860f27b |
| 😎 Deploy Preview | https://deploy-preview-4865--authentik.netlify.app |

@codecov

codecov bot commented Mar 7, 2023

Codecov Report

Patch coverage has no change and project coverage change: +0.01 🎉

Comparison is base (41d17dc) 92.86% compared to head (3557a8f) 92.87%.

❗ Current head 3557a8f differs from pull request most recent head 44fae58. Consider uploading reports for the commit 44fae58 to get more accurate results

Additional details and impacted files

```diff
@@            Coverage Diff             @@
##             main    #4865      +/-   ##
==========================================
+ Coverage   92.86%   92.87%   +0.01%     
==========================================
  Files         499      499              
  Lines       25363    25375      +12     
==========================================
+ Hits        23552    23564      +12     
  Misses       1811     1811              
```

| Flag | Coverage Δ |
| --- | --- |
| e2e | 52.81% <ø> (-<0.01%) ⬇️ |
| integration | 26.54% <ø> (+0.01%) ⬆️ |
| unit | 89.64% <ø> (+0.01%) ⬆️ |

Flags with carried forward coverage won't be shown.

| Impacted Files | Coverage Δ |
| --- | --- |
| authentik/providers/scim/models.py | 98.15% <0.00%> (-1.85%) ⬇️ |
| authentik/providers/scim/tasks.py | 84.38% <0.00%> (-0.12%) ⬇️ |
| authentik/providers/scim/api/providers.py | 83.34% <0.00%> (ø) |
| authentik/providers/scim/tests/test_user.py | 100.00% <0.00%> (ø) |
| authentik/stages/consent/api.py | 100.00% <0.00%> (+2.50%) ⬆️ |


@github-actions
Contributor

github-actions bot commented Mar 7, 2023

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

```ini
AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-website-blog-Becoming-OpenID-certified---Why-standards-matter-1678209638-9433d94
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
```

For arm64, use these values:

```ini
AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-website-blog-Becoming-OpenID-certified---Why-standards-matter-1678209638-9433d94-arm64
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
```

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

```yaml
authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
image:
    repository: ghcr.io/goauthentik/dev-server
    tag: gh-website-blog-Becoming-OpenID-certified---Why-standards-matter-1678209638-9433d94
```

For arm64, use these values:

```yaml
authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
image:
    repository: ghcr.io/goauthentik/dev-server
    tag: gh-website-blog-Becoming-OpenID-certified---Why-standards-matter-1678209638-9433d94-arm64
```

Afterwards, run the upgrade commands from the latest release notes.

@tanberry tanberry left a comment

Awesome info in here!


I'll spare you the details, but after a lot of digging through logs and figuring out what vCenter actually expects and attempts to do, I found it expects the `access_token` to be an encoded [JWT](https://jwt.io/) (stay tuned for our upcoming blog post about how JWT took the identity world by storm). Expecting an encoded JWT is not part of the [OpenID standard](https://openid.net/specs/openid-connect-core-1_0.html), so it somewhat made sense that they only advertise ADFS compatibility. However, as we were finding out, vCenter was not the only application that had this requirement. Researching further, it seemed like this had become sort of a "quasi-standard", as many identity providers were behaving this way.

In the end we decided to follow suit with authentik (mostly for the sake of compatibility, but also since it can make sense), and vCenter logins via authentik are now [fully supported](https://goauthentik.io/integrations/services/vmware-vcenter/) (at least from our side).
Suggested change:

```diff
- In the end we decided to follow suit with authentik (mostly for the sake of compatibility, but also since it can make sense), and vCenter logins via authentik are now [fully supported](https://goauthentik.io/integrations/services/vmware-vcenter/) (at least from our side).
+ In the end, for authentik we decided to follow suit with the use of JWT (mostly for the sake of compatibility, but also since it just makes sense), and vCenter logins via authentik are now [fully supported](https://goauthentik.io/integrations/services/vmware-vcenter/) (at least from our side).
```


@BeryJu I wanted to make it very clear what "follow suit" meant... does it mean that we now use/support JWTs? Please triple-check my wording above.

Member Author


authentik used to use JWTs before this as well; this specifically is to say we followed suit with using JWTs within the access_token
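
The behaviour the draft describes, as an added example that is not part of the post or of authentik's code: a relying party that requires a JWT `access_token` (vCenter, per the post) rejects an opaque token at the structural check, before it ever reaches signature or claim validation. The minting and verification below are my own stdlib-only illustration. HS256 with a constructed shared secret stands in for the provider's asymmetric signing key so that it runs offline, and the issuer, audience, subject and opaque-token values are made up. The check assumes only the generic JWS compact form from RFC 7519 (three base64url segments, JSON header with `alg`); RFC 9068 has since profiled JWT access tokens for OAuth 2.0, but nothing from that profile is assumed here.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret. A real provider signs access tokens with its
# asymmetric signing key; HS256 is used here only so the example runs offline.
DEMO_SECRET = b"demo-shared-secret-do-not-use"

# Constructed opaque token, the kind of access_token a provider that does not
# issue JWTs would hand out. It has no '.' separators and no JSON header.
OPAQUE_TOKEN = "2f9c1e8b4a7d3c6e5f0b1a2c3d4e5f60"


def _b64url(data: bytes) -> str:
    """base64url without padding, as JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Inverse of _b64url: restore the stripped padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_jwt_access_token(issuer, subject, audience, lifetime=300, now=None):
    """Issue an access_token in JWS compact form: header.claims.signature."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": now, "exp": now + lifetime}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(DEMO_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def looks_like_jwt(token: str) -> bool:
    """Structural check a JWT-expecting relying party performs before anything
    else: three base64url segments, the first decoding to a JSON object with 'alg'."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
        return False
    return isinstance(header, dict) and "alg" in header


def verify_jwt_access_token(token, issuer, audience, now=None):
    """Verify the signature and the claims a relying party must check.
    Returns the claims, or raises ValueError naming the first failed check."""
    if not looks_like_jwt(token):
        raise ValueError("access_token is opaque, not a JWT")
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm: never accept 'none' or an alg the client did not configure.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(DEMO_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    return claims


def accepts(token, issuer, audience, now=None) -> bool:
    """True if verify_jwt_access_token accepts the token, False otherwise."""
    try:
        verify_jwt_access_token(token, issuer, audience, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    tok = mint_jwt_access_token("https://idp.example", "alice", "vcenter-demo", now=1_700_000_000)
    print("jwt:", looks_like_jwt(tok), "opaque:", looks_like_jwt(OPAQUE_TOKEN))
    print("accepted:", accepts(tok, "https://idp.example", "vcenter-demo", now=1_700_000_100))
```

The order of checks matters: the structural test is what an opaque token fails, and it is the only thing such a relying party can report, which is why the symptom is an unhelpful login failure rather than a signature or audience error. Everything after that (pinned `alg`, constant-time signature comparison, `iss`, `aud`, `exp`) is what the relying party still has to do once it does get a JWT.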


### Standards in authentik

Quickly touching on standards more generally in authentik; we aim to make authentik as standards-compliant as possible while retaining its feature set. For example, for SAML sources/providers, all generated responses are tested against the official SAML XML schema. The same is done for the newly added SCIM integration, where everything is equally validated.

Suggested change:

```diff
- Quickly touching on standards more generally in authentik; we aim to make authentik as standards-compliant as possible while retaining its feature set. For example, for SAML sources/providers, all generated responses are tested against the official SAML XML schema. The same is done for the newly added SCIM integration, where everything is equally validated.
+ Quickly touching on standards more generally in authentik; we aim to make authentik as standards-compliant as possible while retaining its feature set. For example, for SAML sources/providers, all generated responses are tested against the official SAML XML schema. The same is done for the newly added [SCIM](https://en.wikipedia.org/wiki/System_for_Cross-domain_Identity_Management) integration, where user identity information is equally validated across all systems and domains.
```


@BeryJu I feel like the phrase "while retaining its feature set" might need clarification. Does this mean we want to be as OIDC-compliant as possible without compromising our features?

And actually, do we mean "standards-compliant" or do we mean specifically "OIDC-compliant"?

Member Author


Oh yeah that is pretty unclear; yeah I wanted to say to stay as close as possible to OIDC standards (or rather standards in general) while also retaining our feature set

I think for this post it makes more sense to be OIDC-compliant since that's the topic, but the general goal is to be compliant with all standards authentik supports

BeryJu and others added 2 commits March 7, 2023 18:10
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Jens L. <jens@beryju.org>
…s-matter/index.md

Signed-off-by: Jens L. <jens@beryju.org>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu BeryJu force-pushed the website/blog/Becoming-OpenID-certified---Why-standards-matter branch from 44fae58 to 0f90e43 Compare March 7, 2023 17:22
@BeryJu BeryJu merged commit 36f92f0 into main Mar 7, 2023
@BeryJu BeryJu deleted the website/blog/Becoming-OpenID-certified---Why-standards-matter branch March 7, 2023 17:22