canaille-globuzma/doc/development/specifications.rst

Specifications
##############

This page details which specifications are implemented in Canaille, and compares Canaille with other well-known identity providers.

State of the specs in Canaille
==============================

OAuth2
------

- ✅ `RFC6749: OAuth 2.0 Framework <https://tools.ietf.org/html/rfc6749>`_
- ✅ `RFC6750: OAuth 2.0 Bearer Tokens <https://tools.ietf.org/html/rfc6750>`_
- ✅ `RFC7009: OAuth 2.0 Token Revocation <https://tools.ietf.org/html/rfc7009>`_
- ❌ `RFC7523: JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants <https://tools.ietf.org/html/rfc7523>`_
- ✅ `RFC7591: OAuth 2.0 Dynamic Client Registration Protocol <https://tools.ietf.org/html/rfc7591>`_
- ✅ `RFC7592: OAuth 2.0 Dynamic Client Registration Management Protocol <https://tools.ietf.org/html/rfc7592>`_
- ✅ `RFC7636: Proof Key for Code Exchange by OAuth Public Clients <https://tools.ietf.org/html/rfc7636>`_
- ✅ `RFC7662: OAuth 2.0 Token Introspection <https://tools.ietf.org/html/rfc7662>`_
- ✅ `RFC8414: OAuth 2.0 Authorization Server Metadata <https://tools.ietf.org/html/rfc8414>`_
- ❌ `RFC8428: OAuth 2.0 Device Authorization Grant <https://tools.ietf.org/html/rfc8428>`_
- ❌ `RFC8693: OAuth 2.0 Token Exchange <https://tools.ietf.org/html/rfc8693>`_
- ❌ `RFC8705: OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens <https://tools.ietf.org/html/rfc8705>`_
- ❌ `RFC8707: Resource Indicators for OAuth 2.0 <https://tools.ietf.org/html/rfc8707>`_
- ❌ `RFC9068: JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens <https://tools.ietf.org/html/rfc9068>`_
- ❌ `RFC9101: OAuth 2.0 JWT-Secured Authorization Request (JAR) <https://tools.ietf.org/html/rfc9101>`_
- ❌ `RFC9126: OAuth 2.0 Pushed Authorization Requests <https://tools.ietf.org/html/rfc9126>`_
- ❌ `RFC9207: OAuth 2.0 Authorization Server Issuer Identification <https://tools.ietf.org/html/rfc9207>`_
- ❌ `RFC9394: OAuth 2.0 Rich Authorization Requests <https://www.rfc-editor.org/rfc/rfc9396.html>`_
- ❌ `OAuth2 Multiple Response Types <https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html>`_
- ❌ `OAuth2 Form Post Response Mode <https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html>`_

OpenID Connect
--------------

- ✅ `OpenID Connect Core <https://openid.net/specs/openid-connect-core-1_0.html>`_
- ✅ `OpenID Connect Discovery <https://openid.net/specs/openid-connect-discovery-1_0.html>`_
- ✅ `OpenID Connect Dynamic Client Registration <https://openid.net/specs/openid-connect-registration-1_0.html>`_
- ✅ `OpenID Connect RP Initiated Logout <https://openid.net/specs/openid-connect-rpinitiated-1_0.html>`_
- ❌ `OpenID Connect Session Management <https://openid.net/specs/openid-connect-session-1_0.html>`_
- ❌ `OpenID Connect Front Channel Logout <https://openid.net/specs/openid-connect-frontchannel-1_0.html>`_
- ❌ `OpenID Connect Back Channel Logout <https://openid.net/specs/openid-connect-backchannel-1_0.html>`_
- ❌ `OpenID Connect Back Channel Authentication Flow <https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html>`_
- ❌ `OpenID Connect Core Error Code unmet_authentication_requirements <https://openid.net/specs/openid-connect-unmet-authentication-requirements-1_0.html>`_
- ✅ `Initiating User Registration via OpenID Connect 1.0 <https://openid.net/specs/openid-connect-prompt-create-1_0.html>`_

SCIM
----

- ❌ `RFC7642: System for Cross-domain Identity Management: Definitions, Overview, Concepts, and Requirements <https://www.rfc-editor.org/rfc/rfc7642>`_
- ❌ `RFC7643: System for Cross-domain Identity Management: Core Schema <https://www.rfc-editor.org/rfc/rfc7642>`_
- ❌ `RFC7644: System for Cross-domain Identity Management: Protocol <https://www.rfc-editor.org/rfc/rfc7642>`_

Comparison with other providers
===============================

Here is a feature comparison with other OpenID Connect server software.

Canaille voluntarily only implements the OpenID Connect protocol to keep its codebase simple.

+---------------+-------+-----------+------+---------------------------+--------------+
| Software      | Project                  | Protocols implementations | Backends     |
|               +-------+-----------+------+------+------+------+------+------+-------+
|               | FLOSS | Language  | LOC  | OIDC | SAML | CAS  | SCIM | LDAP | SQL   |
+===============+=======+===========+======+======+======+======+======+======+=======+
| Canaille      | ✅    | Python    | 10k  | ✅   | ❌   | ❌   | ❌   | ✅   | ✅    |
+---------------+-------+-----------+------+------+------+------+------+------+-------+
| `Auth0`_      | ❌    | ❔        | ❔   | ✅   | ✅   | ❌   | ✅   | ✅   | ❔    |
+---------------+-------+-----------+------+------+------+------+------+------+-------+
| `Authelia`_   | ✅    | Go        | 50k  | ✅   | ❌   | ❌   | ❌   | ✅   | ✅    |
+---------------+-------+-----------+------+------+------+------+------+------+-------+
| `Authentic2`_ | ✅    | Python    | 65k  | ✅   | ✅   | ✅   | ❌   | ✅   | ✅    |
+---------------+-------+-----------+------+------+------+------+------+------+-------+
| `Authentik`_  | ✅    | Python    | 55k  | ✅   | ✅   | ❌   | ✅   | ✅   | ✅    |
+---------------+-------+-----------+------+------+------+------+------+------+-------+
| `CAS`_        | ✅    | Java      | 360k | ✅   | ✅   | ✅   | ✅   | ✅   | ❌    |
+---------------+-------+-----------+------+------+------+------+------+------+-------+
| `Connect2id`_ | ❌    | ❔        | ❔   | ✅   | ✅   | ❌   | ❌   | ✅   | ✅    |
+---------------+-------+-----------+------+------+------+------+------+------+-------+
| `Gluu`_       | ✅    | Java      | ❔   | ✅   | ✅   | ✅   | ✅   | ✅   | ❔    |
+---------------+-------+-----------+------+------+------+------+------+------+-------+
| `Hydra`_      | ✅    | Go        | 50k  | ✅   | ✅   | ❌   | ❌   | ✅   | ✅    |
+---------------+-------+-----------+------+------+------+------+------+------+-------+
| `Keycloak`_   | ✅    | Java      | 600k | ✅   | ✅   | ✅   | ✅   | ✅   | ✅    |
+---------------+-------+-----------+------+------+------+------+------+------+-------+
| `LemonLDAP`_  | ✅    | Perl      | 130k | ✅   | ✅   | ✅   | ❌   | ✅   | ✅    |
+---------------+-------+-----------+------+------+------+------+------+------+-------+
| `Okta`_       | ❌    | ❔        | ❔   | ✅   | ✅   | ❌   | ✅   | ✅   | ✅    |
+---------------+-------+-----------+------+------+------+------+------+------+-------+

.. _Auth0: https://auth0.com
.. _Authelia: https://authelia.com
.. _Authentic2: https://dev.entrouvert.org/projects/authentic
.. _Authentik: https://goauthentik.io
.. _CAS: https://apereo.github.io/cas
.. _Connect2id: https://connect2id.com
.. _Gluu: https://gluu.org
.. _Hydra: https://ory.sh
.. _Keycloak: https://keycloak.org
.. _LemonLDAP: https://lemonldap-ng.org
.. _Okta: https://okta.com
-												Documentation: Draft of the specifications support

											
										
										
											2022-10-21 13:47:38 +00:00
+								Specifications
 								##############
-												doc: fix CHANGELOG titles

											
										
										
											2024-03-28 13:35:01 +00:00
+								This page details which specifications are implemented in Canaille, and compares Canaille with other well-known identity providers.
-												Documentation: Draft of the specifications support

											
										
										
											2022-10-21 13:47:38 +00:00
+								State of the specs in Canaille
 								==============================
-												docs: SCIM implementation

											
										
										
											2024-02-05 15:38:22 +00:00
+								OAuth2
-												Documentation: Draft of the specifications support

											
										
										
											2022-10-21 13:47:38 +00:00
+								------
-												Updated specifications

											
										
										
											2022-10-21 14:39:55 +00:00
+								- ✅ `RFC6749: OAuth 2.0 Framework <https://tools.ietf.org/html/rfc6749>`_
 								- ✅ `RFC6750: OAuth 2.0 Bearer Tokens <https://tools.ietf.org/html/rfc6750>`_
 								- ✅ `RFC7009: OAuth 2.0 Token Revocation <https://tools.ietf.org/html/rfc7009>`_
-												RFC7523 is not yet implemented

											
										
										
											2022-10-31 12:58:19 +00:00
+								- ❌ `RFC7523: JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants <https://tools.ietf.org/html/rfc7523>`_
-												Implemented dynamic client registration

											
										
										
											2022-10-19 19:57:25 +00:00
+								- ✅ `RFC7591: OAuth 2.0 Dynamic Client Registration Protocol <https://tools.ietf.org/html/rfc7591>`_
-												Implemented RFC7592 OAuth Client Registration Management

											
										
										
											2022-10-24 15:18:46 +00:00
+								- ✅ `RFC7592: OAuth 2.0 Dynamic Client Registration Management Protocol <https://tools.ietf.org/html/rfc7592>`_
-												Updated specifications

											
										
										
											2022-10-21 14:39:55 +00:00
+								- ✅ `RFC7636: Proof Key for Code Exchange by OAuth Public Clients <https://tools.ietf.org/html/rfc7636>`_
-												documentation: Added an OAuth2 spec, again

											
										
										
											2022-10-24 10:12:55 +00:00
+								- ✅ `RFC7662: OAuth 2.0 Token Introspection <https://tools.ietf.org/html/rfc7662>`_
-												Updated specifications

											
										
										
											2022-10-21 14:39:55 +00:00
+								- ✅ `RFC8414: OAuth 2.0 Authorization Server Metadata <https://tools.ietf.org/html/rfc8414>`_
 								- ❌ `RFC8428: OAuth 2.0 Device Authorization Grant <https://tools.ietf.org/html/rfc8428>`_
 								- ❌ `RFC8693: OAuth 2.0 Token Exchange <https://tools.ietf.org/html/rfc8693>`_
 								- ❌ `RFC8705: OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens <https://tools.ietf.org/html/rfc8705>`_
-												documentation: Added an OAuth2 spec, again

											
										
										
											2022-10-24 10:12:55 +00:00
+								- ❌ `RFC8707: Resource Indicators for OAuth 2.0 <https://tools.ietf.org/html/rfc8707>`_
-												documentation: Added an OAuth2 spec

											
										
										
											2022-10-24 09:54:04 +00:00
+								- ❌ `RFC9068: JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens <https://tools.ietf.org/html/rfc9068>`_
 								- ❌ `RFC9101: OAuth 2.0 JWT-Secured Authorization Request (JAR) <https://tools.ietf.org/html/rfc9101>`_
-												Updated specifications

											
										
										
											2022-10-21 14:39:55 +00:00
+								- ❌ `RFC9126: OAuth 2.0 Pushed Authorization Requests <https://tools.ietf.org/html/rfc9126>`_
-												documentation: Added an OAuth2 spec, again

											
										
										
											2022-10-24 10:12:55 +00:00
+								- ❌ `RFC9207: OAuth 2.0 Authorization Server Issuer Identification <https://tools.ietf.org/html/rfc9207>`_
-												doc: add rfc9394

											
										
										
											2023-08-30 11:52:25 +00:00
+								- ❌ `RFC9394: OAuth 2.0 Rich Authorization Requests <https://www.rfc-editor.org/rfc/rfc9396.html>`_
-												documentation: Added an OAuth2 spec

											
										
										
											2022-10-24 09:54:04 +00:00
+								- ❌ `OAuth2 Multiple Response Types <https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html>`_
 								- ❌ `OAuth2 Form Post Response Mode <https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html>`_
-												Documentation: Draft of the specifications support

											
										
										
											2022-10-21 13:47:38 +00:00
 								OpenID Connect
 								--------------
-												Updated specifications

											
										
										
											2022-10-21 14:39:55 +00:00
+								- ✅ `OpenID Connect Core <https://openid.net/specs/openid-connect-core-1_0.html>`_
 								- ✅ `OpenID Connect Discovery <https://openid.net/specs/openid-connect-discovery-1_0.html>`_
-												Implemented dynamic client registration

											
										
										
											2022-10-19 19:57:25 +00:00
+								- ✅ `OpenID Connect Dynamic Client Registration <https://openid.net/specs/openid-connect-registration-1_0.html>`_
-												Updated specifications

											
										
										
											2022-10-21 14:39:55 +00:00
+								- ✅ `OpenID Connect RP Initiated Logout <https://openid.net/specs/openid-connect-rpinitiated-1_0.html>`_
 								- ❌ `OpenID Connect Session Management <https://openid.net/specs/openid-connect-session-1_0.html>`_
 								- ❌ `OpenID Connect Front Channel Logout <https://openid.net/specs/openid-connect-frontchannel-1_0.html>`_
 								- ❌ `OpenID Connect Back Channel Logout <https://openid.net/specs/openid-connect-backchannel-1_0.html>`_
 								- ❌ `OpenID Connect Back Channel Authentication Flow <https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html>`_
-												doc: add several OIDC documentations

											
										
										
											2023-10-24 21:46:46 +00:00
+								- ❌ `OpenID Connect Core Error Code unmet_authentication_requirements <https://openid.net/specs/openid-connect-unmet-authentication-requirements-1_0.html>`_
-												feat: OIDC prompt=create implementation

											
										
										
											2023-12-23 17:02:08 +00:00
+								- ✅ `Initiating User Registration via OpenID Connect 1.0 <https://openid.net/specs/openid-connect-prompt-create-1_0.html>`_
-												Documentation: Draft of the specifications support

											
										
										
											2022-10-21 13:47:38 +00:00
-												docs: SCIM implementation

											
										
										
											2024-02-05 15:38:22 +00:00
+								SCIM
 								----
 								- ❌ `RFC7642: System for Cross-domain Identity Management: Definitions, Overview, Concepts, and Requirements <https://www.rfc-editor.org/rfc/rfc7642>`_
 								- ❌ `RFC7643: System for Cross-domain Identity Management: Core Schema <https://www.rfc-editor.org/rfc/rfc7642>`_
 								- ❌ `RFC7644: System for Cross-domain Identity Management: Protocol <https://www.rfc-editor.org/rfc/rfc7642>`_
-												Documentation: Draft of the specifications support

											
										
										
											2022-10-21 13:47:38 +00:00
+								Comparison with other providers
 								===============================
-												Documentation: added a small OIDC provider comparison table

											
										
										
											2022-07-27 13:35:14 +00:00
 								Here is a feature comparison with other OpenID Connect server software.
 								Canaille voluntarily only implements the OpenID Connect protocol to keep its codebase simple.
 								+---------------+-------+-----------+------+---------------------------+--------------+
 								| Software      | Project                  | Protocols implementations | Backends     |
-												docs: SCIM implementation

											
										
										
											2024-02-05 15:38:22 +00:00
+								|               +-------+-----------+------+------+------+------+------+------+-------+
 								|               | FLOSS | Language  | LOC  | OIDC | SAML | CAS  | SCIM | LDAP | SQL   |
 								+===============+=======+===========+======+======+======+======+======+======+=======+
-												docs: Canaille implements a SQL backend

											
										
										
											2024-02-05 15:38:52 +00:00
+								| Canaille      | ✅    | Python    | 10k  | ✅   | ❌   | ❌   | ❌   | ✅   | ✅    |
-												docs: SCIM implementation

											
										
										
											2024-02-05 15:38:22 +00:00
+								+---------------+-------+-----------+------+------+------+------+------+------+-------+
 								| `Auth0`_      | ❌    | ❔        | ❔   | ✅   | ✅   | ❌   | ✅   | ✅   | ❔    |
 								+---------------+-------+-----------+------+------+------+------+------+------+-------+
 								| `Authelia`_   | ✅    | Go        | 50k  | ✅   | ❌   | ❌   | ❌   | ✅   | ✅    |
 								+---------------+-------+-----------+------+------+------+------+------+------+-------+
 								| `Authentic2`_ | ✅    | Python    | 65k  | ✅   | ✅   | ✅   | ❌   | ✅   | ✅    |
 								+---------------+-------+-----------+------+------+------+------+------+------+-------+
 								| `Authentik`_  | ✅    | Python    | 55k  | ✅   | ✅   | ❌   | ✅   | ✅   | ✅    |
 								+---------------+-------+-----------+------+------+------+------+------+------+-------+
 								| `CAS`_        | ✅    | Java      | 360k | ✅   | ✅   | ✅   | ✅   | ✅   | ❌    |
 								+---------------+-------+-----------+------+------+------+------+------+------+-------+
 								| `Connect2id`_ | ❌    | ❔        | ❔   | ✅   | ✅   | ❌   | ❌   | ✅   | ✅    |
 								+---------------+-------+-----------+------+------+------+------+------+------+-------+
 								| `Gluu`_       | ✅    | Java      | ❔   | ✅   | ✅   | ✅   | ✅   | ✅   | ❔    |
 								+---------------+-------+-----------+------+------+------+------+------+------+-------+
 								| `Hydra`_      | ✅    | Go        | 50k  | ✅   | ✅   | ❌   | ❌   | ✅   | ✅    |
 								+---------------+-------+-----------+------+------+------+------+------+------+-------+
 								| `Keycloak`_   | ✅    | Java      | 600k | ✅   | ✅   | ✅   | ✅   | ✅   | ✅    |
 								+---------------+-------+-----------+------+------+------+------+------+------+-------+
 								| `LemonLDAP`_  | ✅    | Perl      | 130k | ✅   | ✅   | ✅   | ❌   | ✅   | ✅    |
 								+---------------+-------+-----------+------+------+------+------+------+------+-------+
 								| `Okta`_       | ❌    | ❔        | ❔   | ✅   | ✅   | ❌   | ✅   | ✅   | ✅    |
 								+---------------+-------+-----------+------+------+------+------+------+------+-------+
-												Documentation: added a small OIDC provider comparison table

											
										
										
											2022-07-27 13:35:14 +00:00
 								.. _Auth0: https://auth0.com
 								.. _Authelia: https://authelia.com
 								.. _Authentic2: https://dev.entrouvert.org/projects/authentic
 								.. _Authentik: https://goauthentik.io
 								.. _CAS: https://apereo.github.io/cas
 								.. _Connect2id: https://connect2id.com
 								.. _Gluu: https://gluu.org
 								.. _Hydra: https://ory.sh
 								.. _Keycloak: https://keycloak.org
 								.. _LemonLDAP: https://lemonldap-ng.org
 								.. _Okta: https://okta.com