website/blog: Becoming OpenID certified - Why standards matter #4865
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Codecov Report: patch coverage has no change and project coverage changes by +0.01%.

| | main | #4865 | +/- |
|---|---|---|---|
| Coverage | 92.86% | 92.87% | +0.01% |
| Files | 499 | 499 | |
| Lines | 25363 | 25375 | +12 |
| Hits | 23552 | 23564 | +12 |
| Misses | 1811 | 1811 | |
authentik PR installation instructions

Instructions for docker-compose: add the following block to your

```env
AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-website-blog-Becoming-OpenID-certified---Why-standards-matter-1678209638-9433d94
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
```

For arm64, use these values:

```env
AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-website-blog-Becoming-OpenID-certified---Why-standards-matter-1678209638-9433d94-arm64
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
```

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes: add the following block to your

```yaml
authentik:
  outposts:
    container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
  image:
    repository: ghcr.io/goauthentik/dev-server
    tag: gh-website-blog-Becoming-OpenID-certified---Why-standards-matter-1678209638-9433d94
```

For arm64, use these values:

```yaml
authentik:
  outposts:
    container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
  image:
    repository: ghcr.io/goauthentik/dev-server
    tag: gh-website-blog-Becoming-OpenID-certified---Why-standards-matter-1678209638-9433d94-arm64
```

Afterwards, run the upgrade commands from the latest release notes.
Awesome info in here!
I'll spare you the details, but after a lot of digging through logs and figuring out what vCenter actually expects and attempts to do, I found it expects the `access_token` to be an encoded [JWT](https://jwt.io/) (stay tuned for our upcoming blog post about how JWT took the identity world by storm). Expecting an encoded JWT is not part of the [OpenID standard](https://openid.net/specs/openid-connect-core-1_0.html), so it somewhat made sense that they only advertise ADFS compatibility. However as we were finding out, vCenter was not the only applications that had this requirement. Researching further, it seemed like this had become sort of a "quasi-standard", as many identity providers were behaving this way.

In the end we decided to follow suit with authentik (mostly for the sake of compatibility, but also since it can make sense), and vCenter logins via authentik are now [fully supported](https://goauthentik.io/integrations/services/vmware-vcenter/) (at least from our side).
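Review bot: in the first paragraph, "vCenter was not the only applications" should read "vCenter was not the only application", and "they only advertise ADFS compatibility" has no clear antecedent for "they" in this hunk (VMware, or vCenter's documentation); naming it would help. The sentence "Expecting an encoded JWT is not part of the OpenID standard" would also be sharper as "the OpenID Connect Core spec does not define the format of the access_token", since the point being made is that the format is left unspecified, which is what allowed the "quasi-standard" described next to emerge.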
In the end we decided to follow suit with authentik (mostly for the sake of compatibility, but also since it can make sense), and vCenter logins via authentik are now [fully supported](https://goauthentik.io/integrations/services/vmware-vcenter/) (at least from our side).

In the end, for authentik we decided to follow suit with the use of JWT (mostly for the sake of compatibility, but also since it just makes sense), and vCenter logins via authentik are now [fully supported](https://goauthentik.io/integrations/services/vmware-vcenter/) (at least from our side).
@BeryJu I wanted to make it very clear what "follow suit" meant... does it mean that we now use/support JWTs? Please triple-check my wording above.
authentik used to use JWTs before this as well, this specifically is to say we followed suit with using JWTs within the access_token
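To make the distinction in this thread concrete, here is an added example (not authentik's code) of what "JWTs within the access_token" means in practice: an issuer mints a JWT-formatted access token, a relying party applies the kind of structural check the post attributes to vCenter, and a verifier checks signature, issuer, audience and expiry. For self-containment it uses HS256 with a constructed demo key; a real provider would sign with an asymmetric key and publish it via JWKS, and the names `issue_access_token`, `is_jwt_shaped` and `verify_access_token` are assumed here.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key (assumption); a real issuer would use an asymmetric key pair.
SECRET = b"constructed-demo-key-not-for-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(sub: str, aud: str, issuer: str, ttl: int = 300, now: Optional[int] = None) -> str:
    """Mint a JWT-formatted access_token (header.payload.signature) instead of an opaque string."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": sub, "aud": aud, "iat": now, "exp": now + ttl}
    signing_input = f"{b64url_encode(json.dumps(header).encode())}.{b64url_encode(json.dumps(claims).encode())}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def is_jwt_shaped(token: str) -> bool:
    """The structural check a client that insists on a JWT performs: three base64url parts, JSON header with alg."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return False
    return isinstance(header, dict) and "alg" in header


def verify_access_token(token: str, aud: str, issuer: str, now: Optional[int] = None) -> Optional[dict]:
    """Verify signature, then iss/aud/exp; return the claims, or None on any failure."""
    if not is_jwt_shaped(token):
        return None
    head, body, sig = token.split(".")
    if json.loads(b64url_decode(head)).get("alg") != "HS256":  # pin the algorithm; never trust the token's alg
        return None
    expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    claims = json.loads(b64url_decode(body))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != issuer or claims.get("aud") != aud or claims.get("exp", 0) <= now:
        return None
    return claims
```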
### Standards in authentik

Quickly touching on standards more generally in authentik; we aim to make authentik as standards-compliant as possible while retaining its feature set. For example, for SAML sources/providers, all generated responses are tested against the official SAML XML schema. The same is done for the newly added SCIM integration, where everything is equally validated.
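Review bot: "everything is equally validated" in the closing sentence does not say what is validated against what; mirroring the SAML sentence (for example, "generated SCIM requests are validated against the SCIM schemas") would make the claim concrete and testable. The opening "Quickly touching on standards more generally in authentik; we aim" also uses a semicolon where a comma or a full stop fits.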
Quickly touching on standards more generally in authentik; we aim to make authentik as standards-compliant as possible while retaining its feature set. For example, for SAML sources/providers, all generated responses are tested against the official SAML XML schema. The same is done for the newly added SCIM integration, where everything is equally validated.

Quickly touching on standards more generally in authentik; we aim to make authentik as standards-compliant as possible while retaining its feature set. For example, for SAML sources/providers, all generated responses are tested against the official SAML XML schema. The same is done for the newly added [SCIM](https://en.wikipedia.org/wiki/System_for_Cross-domain_Identity_Management) integration, where user identity information is equally validated across all systems and domains.
@BeryJu I feel like the phrase "while retaining its feature set" might need clarification. Does this mean we want to be as OIDC-compliant as possible without compromising our features?
And actually, do we mean "standards-compliant" or do we mean specifically "OIDC-compliant"?
Oh yeah that is pretty unclear; yeah I wanted to say to stay as close as possible to OIDC standards (or rather standards in general) while also retaining our feature set
I think for this post it makes more sense to be OIDC-compliant since that's the topic, but the general goal is to be compliant with all standards authentik supports
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Jens L. <jens@beryju.org>
…s-matter/index.md Signed-off-by: Jens L. <jens@beryju.org> Signed-off-by: Jens Langhammer <jens@goauthentik.io>