OAuth 2.0 Framework

This library is the Authelia OAuth 2.0 Framework which is internally used to deliver OAuth 2.0 and OpenID Connect 1.0 Flows to its users.

Notable Implemented or Intended Differences

To assist users who wish to adopt this library, we aim to maintain the following list of differences from the upstream project:

  • Module path changed from github.com/ory/fosite to authelia.com/provider/oauth2.
  • Documentation:
    • Add spec support documentation
  • Overhaul testing:
    • Ensure all tests and subtests are well named
    • Ensure all tests are simplified where possible
    • Restore/Implement conformance tests
  • Rename interfaces and implementations:
    • OAuth2Provider to Provider.
    • Fosite to TBA.
  • Minimum dependency is go version 1.21
  • Replace string values with constants where applicable
  • Simplify the internal JWT logic to leverage github.com/golang-jwt/jwt/v5 or other such libraries
  • Implement internal JWKS logic
  • Higher visibility of debug error information (the Debug field includes the complete RFC 6749 error with debug information when available)
  • Fixes:
    • Basic scheme rejects special characters
    • RFC 9068 MUST condition ignored
    • Arguments are treated as case-insensitive
    • Refresh Flow:
      • Requested scope ignored
      • Original request id not set early enough
    • PKCE Flow:
      • Session generated needlessly
      • Failure to fetch session causes an error even when not enforced
    • OpenID Flows:
      • Absence of Redirect URI does not result in an error
    • Decode id_token_hint with correct signer
    • Write Revocation Response does not correctly error
    • Invalid Token base64 error not mapped to RFC
    • Auth Request omitted Response Mode not validated
    • Refresh Grant if Token Invalid/Expired status is not 400
    • Access Token iat and nbf in JWT Profile always original claims
  • Features:
  • Removal of the following dependencies:
    • go.opentelemetry.io/otel/trace
    • github.com/ecordell/optgen
    • github.com/asaskevich/govalidator
    • github.com/gorilla/websocket
    • github.com/magiconair/properties
    • github.com/mattn/goveralls
    • github.com/oleiade/reflections
    • github.com/ory/go-acc
    • github.com/ory/go-convenience
    • github.com/ory/x
    • github.com/gorilla/sessions
    • github.com/gobuffalo/packr
    • github.com/form3tech-oss/jwt-go
    • github.com/dgrijalva/jwt-go
  • Migration of the following dependencies:
    • github.com/go-jose/go-jose/v3 => github.com/go-jose/go-jose/v4
    • github.com/golang/mock => github.com/uber-go/mock
    • github.com/cristalhq/jwt/v4 => github.com/golang-jwt/jwt/v5
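The first entry in the fixes list above, the Basic scheme rejecting special characters, comes down to a rule in RFC 6749 section 2.3.1: a client must form-urlencode `client_id` and `client_secret` before joining them with `:` and base64-encoding the result, so an authorization server must split on the first `:` and then percent-decode each half. A server that only base64-decodes and compares will reject or mangle secrets containing `:`, `%`, `+` or `/`. The following is an added, stand-alone illustration of that rule written for this page; it is not the framework's own implementation, and the function names `ParseClientBasicAuth` and `BuildClientBasicAuth` are assumptions for this example.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ParseClientBasicAuth decodes an HTTP Basic Authorization header the way
// RFC 6749 section 2.3.1 requires for OAuth 2.0 client authentication:
// base64-decode, split on the FIRST ':', then form-urldecode each half.
// Illustrative code written for this page, not the framework's own parser.
func ParseClientBasicAuth(header string) (clientID, clientSecret string, err error) {
	const prefix = "Basic "
	if len(header) < len(prefix) || !strings.EqualFold(header[:len(prefix)], prefix) {
		return "", "", errors.New("not a Basic scheme header")
	}

	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(header[len(prefix):]))
	if err != nil {
		// RFC 6749 expects this to surface as an invalid_client error rather
		// than an opaque decoding failure.
		return "", "", fmt.Errorf("invalid base64 in Basic credentials: %w", err)
	}

	// Splitting on the first ':' before decoding means a ':' inside the
	// (still percent-encoded) secret cannot be mistaken for the separator.
	encodedID, encodedSecret, found := strings.Cut(string(raw), ":")
	if !found {
		return "", "", errors.New("Basic credentials missing ':' separator")
	}

	if clientID, err = url.QueryUnescape(encodedID); err != nil {
		return "", "", fmt.Errorf("client_id is not valid form-urlencoded data: %w", err)
	}
	if clientSecret, err = url.QueryUnescape(encodedSecret); err != nil {
		return "", "", fmt.Errorf("client_secret is not valid form-urlencoded data: %w", err)
	}
	return clientID, clientSecret, nil
}

// BuildClientBasicAuth is the client side of the same rule: percent-encode
// both values, join with ':', base64-encode. Also illustrative code.
func BuildClientBasicAuth(clientID, clientSecret string) string {
	creds := url.QueryEscape(clientID) + ":" + url.QueryEscape(clientSecret)
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(creds))
}

func main() {
	// Constructed sample: a secret containing every character a naive
	// base64-then-split parser tends to get wrong.
	header := BuildClientBasicAuth("my-app", "p@ss:w%rd/+=")
	id, secret, err := ParseClientBasicAuth(header)
	fmt.Printf("header=%q\nclient_id=%q client_secret=%q err=%v\n", header, id, secret, err)
}
```

The order of operations is the whole point: decode base64, split once on `:`, then percent-decode. Percent-decoding before the split would let an encoded `%3A` in the secret turn into a second separator, and skipping the percent-decode rejects every conformant client whose secret contains a reserved character.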

Thanks

This is a hard fork of ORY Fosite under the Apache 2.0 License for the purpose of performing self-maintenance of this critical Authelia dependency.

We however:

  • Acknowledge the hard work of the ORY developers in building a framework solid enough that this fork is possible.
  • Plan to continue to contribute back to the ORY Fosite and related projects.
  • Have ensured the licensing is unchanged in this fork of the library.
  • Have no formal affiliation with ORY. This library is not maintained by them, so individuals utilizing it should not treat their usage as a reflection on ORY.