You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
@@ -24,12 +24,12 @@ This document provides a detailed breakdown of tasks, components, test cases, an
24
24
>
25
25
> Do **not** move partially complete features. If even one checkbox is unchecked or there are known concerns, the feature stays here in full detail until resolved.
26
26
27
-
**Key priorities:**
28
-
- Phase 0 (Foundation) is now first priority — asymmetric keys, revocation, introspection
29
-
- Passwordless authentication is Phase 1
30
-
- Test infrastructure overhaul is a dedicated effort
> **Review finding (2026-03-15):** If rotation fails mid-operation, it can lead to token theft going undetected or legitimate users being locked out. This is a correctness bug, not a feature.
496
509
497
510
* **Component:** Atomic Token Exchange
498
511
- [ ] (L2) Add compensating rollback to `IRefreshTokenStore` — if new token storage fails after old token consumption, restore the old token
@@ -504,13 +517,27 @@ This document provides a detailed breakdown of tasks, components, test cases, an
> **Review finding (2026-03-15):** Login, registration, and token endpoints have no rate limiting. This is a production security gap. This feature provides a basic IP-based rate limiter as a v1.0 prerequisite. The full `IRateLimiter` abstraction (Feature 2.7) expands on this later.
**Prerequisites:** Phase 1 core features complete (0.x–1.13). Features 1.14–1.26 may be completed in parallel.
514
541
515
542
---
516
543
@@ -598,6 +625,10 @@ This document provides a detailed breakdown of tasks, components, test cases, an
598
625
599
626
**Prerequisites:** Phase 1.5 complete
600
627
628
+
> **Review finding (2026-03-15):** Social login (Google/Microsoft/GitHub) is table stakes — the 80% expects these to "just work." Prioritize 2.2–2.4 before Phase 3 hardening.
629
+
>
630
+
> **Cross-cutting feature:** `login_hint` → provider auto-redirect. When the authorize endpoint receives `login_hint=user@example.com` and the email domain matches a configured external provider, auto-redirect to that provider. This is a common B2B UX pattern (WorkOS, Auth0). Implement alongside or after providers ship.
@@ -608,16 +639,18 @@ This document provides a detailed breakdown of tasks, components, test cases, an
608
639
609
640
---
610
641
611
-
### Feature 2.2: Google Provider
642
+
### Feature 2.2: Google Provider (In Progress)
643
+
644
+
> **Note:** `CoreIdent.Providers.Google` project and `GoogleAuthProvider` class already exist with ID token validation and claim extraction. Remaining tasks below track completion of the full feature.
> **Review finding (2026-03-15):** MFA is table stakes for any production auth system in 2026. Required by SOC 2, PCI-DSS, HIPAA. Promoted from Phase 5.1 to Phase 2. More important than PAR, RAR, or JAR for the 80% market.
- [ ] (L2) MFA challenge step in login flow (after primary auth, before token issuance)
744
+
- [ ] (L2) Configuration: require MFA for all users, or opt-in per user
745
+
* **Test Case:**
746
+
- [ ] (L3) Full TOTP enrollment + login flow
747
+
- [ ] (L2) Backup code recovery works and is single-use
748
+
- [ ] (L2) MFA enforcement blocks login without second factor
749
+
750
+
---
751
+
695
752
## Phase 3: OAuth/OIDC Server Hardening
696
753
697
754
**Goal:** Production-grade OAuth 2.0 / OIDC server capabilities.
698
755
699
756
**Estimated Duration:** 4-5 weeks
700
757
701
-
**Prerequisites:** Phase 2 complete
758
+
**Prerequisites:** Phase 1 core + Phase 2 providers. Features like Key Rotation (3.1) and Session Management (3.2) do not depend on external providers and may start earlier.
702
759
703
760
---
704
761
@@ -1113,11 +1170,9 @@ This document provides a detailed breakdown of tasks, components, test cases, an
1113
1170
1114
1171
---
1115
1172
1116
-
### Feature 5.1: MFA Framework
1173
+
### Feature 5.1: MFA Framework — PROMOTED TO 2.8
1117
1174
1118
-
* **Component:** TOTP Support (L2)
1119
-
* **Component:** Backup Codes (L2)
1120
-
* **Component:** MFA Enforcement Policies (L2)
1175
+
> **Moved to Feature 2.8 (Phase 2).** MFA is table stakes for production auth systems and compliance (SOC 2, PCI-DSS, HIPAA). See Feature 2.8 for full checklist.
1121
1176
1122
1177
---
1123
1178
@@ -1248,9 +1303,11 @@ This document provides a detailed breakdown of tasks, components, test cases, an
1248
1303
1249
1304
---
1250
1305
1251
-
### Feature 5.9: Blazor Server Integration
1306
+
### Feature 5.9: Blazor Web App Integration (Unified)
1307
+
1308
+
> **Review finding (2026-03-15):** Renamed from `BlazorServer` to `BlazorWeb` per Feature 1.23. .NET 10's unified Blazor Web App model makes separate Server/WASM packages unnecessary. This feature and Feature 1.5.6 (Blazor WASM) should be merged into a single `CoreIdent.Client.BlazorWeb` package targeting all render modes (InteractiveServer, InteractiveWebAssembly, InteractiveAuto).
> **Review finding (2026-03-15):** W3C VC data model alone isn't useful without issuance/presentation protocols. Expanded to include OID4VC family and SD-JWT for EU Digital Identity Wallet compatibility.
> **Review finding (2026-03-15):** Previously removed as "CIBA for AI Actions." Reconsidered for legitimate non-AI use cases: financial services (PSD2 SCA), healthcare consent flows, and IoT device authorization where the device can't render a browser.
- [ ] (L2) User consent via out-of-band channel (push notification, SMS)
1355
+
* **Component:** Token Endpoint Extension
1356
+
- [ ] (L3) `grant_type=urn:openid:params:grant-type:ciba` support
1357
+
- [ ] (L3) Polling with `slow_down` and `authorization_pending` responses
1358
+
* **Test Case:**
1359
+
- [ ] (L3) Full CIBA flow with polling mode
1360
+
* **Documentation:**
1361
+
- [ ] (L1) CIBA use case guide (financial, healthcare, IoT)
1275
1362
1276
1363
---
1277
1364
@@ -1315,7 +1402,7 @@ The following items are tracked here for completeness and cross-referencing:
1315
1402
| Web3 Wallet Login | Niche adoption |
1316
1403
| LNURL-auth | Very niche |
1317
1404
| AI Framework SDK Integrations | Premature (note: MCP-compatible authorization in Feature 3.13 is a distinct, protocol-level OAuth 2.1 extension — not an AI SDK integration) |
1318
-
| CIBA for AI Actions | Specialized (note: MCP Auth in Feature 3.13 addresses AI agent authorization via standard OAuth flows, not the niche CIBA backchannel protocol) |
1405
+
| ~~CIBA for AI Actions~~ | **Reconsidered (2026-03-15).** Removed the AI framing but restored CIBA for legitimate non-AI use cases (PSD2 SCA, healthcare, IoT). See Feature 5.11. |
1319
1406
| Token Vault / Secrets Management | Out of scope |
1320
1407
| Feature Flags / Rollout Control | Out of scope; not an identity concern. Use dedicated tools (LaunchDarkly, Unleash, Flagsmith, etc.) |
1321
1408
| **Resource Owner Password Credentials (ROPC)** | Deprecated in OAuth 2.1 (RFC 9725). Extracted to `CoreIdent.Legacy.PasswordGrant` for migration support. |
* = community/future | † = provided via .EFCore package, not separate | ‡ = excluded from core roadmap; community contribution only
115
115
```
116
116
117
117
**Key modularity principles:**
@@ -516,7 +516,7 @@ Implementation status is tracked in `docs/DEVPLAN.md`. This section describes th
516
516
- Update JWKS endpoint for asymmetric keys
517
517
- Token Revocation endpoint (RFC 7009)
518
518
- Token Introspection endpoint (RFC 7662)
519
-
- Remove/deprecate HS256-only code paths (keep as opt-in for dev/testing)
519
+
- Remove/deprecate HS256-only code paths (ephemeral RSA keys are auto-generated for dev; HS256 retained only for edge-case compatibility)
520
520
521
521
> **Note on JWT revocation:** Revoking a JWT access token only works for resource servers that perform an online check (e.g., introspection or a shared revocation store). Default guidance is short-lived access tokens + refresh token rotation/revocation. See Phase 3 for “revocable access” in controlled distributed systems.
0 commit comments