
Product Roadmap

OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) - RFC 9449

  • Goal: Prevent token theft and replay attacks by binding tokens to the client's cryptographic key.
  • Action: Implement RFC 9449 DPoP mechanism requiring clients to prove possession of a private key when using access and refresh tokens, creating cryptographic binding between tokens and the client instance that requested them.
  • Benefits: Significantly enhanced security against token theft, replay attacks, and man-in-the-middle attacks; essential for zero-trust architectures and high-security environments; a token captured in transit (for example through a TLS compromise) cannot be replayed without the client's private key.
  • When: Q2 2025.
  • Reference: RFC 9449 - OAuth 2.0 Demonstrating Proof-of-Possession
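
To make the binding concrete, the following is an added, self-contained Go illustration of the RFC 9449 mechanism (it is not Abblix OIDC Server code and does not reflect how the roadmap item will be implemented). The client signs a `dpop+jwt` proof for one HTTP request with its P-256 key and embeds the public key as `jwk`; the resource server verifies the signature under that embedded key, checks that the proof is bound to this method, URI, moment and access token (`htm`, `htu`, `iat`, `ath`), and finally checks that the key's RFC 7638 thumbprint equals the `cnf.jkt` value the authorization server placed in the access token. The URI, access-token string and timestamps are constructed sample values; the `jti` replay store a real server needs is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JOSE base64url, no padding

// NewClientKey makes the client's P-256 key pair; the private half never leaves the client.
func NewClientKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}

func coords(pub *ecdsa.PublicKey) (x, y string) {
	return b64.EncodeToString(pub.X.FillBytes(make([]byte, 32))), b64.EncodeToString(pub.Y.FillBytes(make([]byte, 32)))
}
func sha256b64(s string) string { h := sha256.Sum256([]byte(s)); return b64.EncodeToString(h[:]) }

// Thumbprint is the RFC 7638 JWK thumbprint (SHA-256 of the required members in
// lexicographic order). The authorization server stores it in the access token as
// cnf.jkt; that value is what ties the token to one client key.
func Thumbprint(pub *ecdsa.PublicKey) string {
	x, y := coords(pub)
	return sha256b64(fmt.Sprintf(`{"crv":"P-256","kty":"EC","x":"%s","y":"%s"}`, x, y))
}

// MakeProof builds the proof JWT the client sends in the DPoP request header:
// typ "dpop+jwt", the public key embedded as jwk, and claims binding the proof
// to this HTTP method (htm), URI (htu), moment (iat) and access token (ath).
func MakeProof(priv *ecdsa.PrivateKey, method, uri, accessToken string, nowUnix int64) (string, error) {
	x, y := coords(&priv.PublicKey)
	jti := make([]byte, 16); rand.Read(jti) // unique per proof so the server can detect replay
	hdr, _ := json.Marshal(map[string]any{"typ": "dpop+jwt", "alg": "ES256",
		"jwk": map[string]string{"kty": "EC", "crv": "P-256", "x": x, "y": y}})
	cl, _ := json.Marshal(map[string]any{"jti": b64.EncodeToString(jti), "htm": method,
		"htu": uri, "iat": nowUnix, "ath": sha256b64(accessToken)})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(cl)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil { return "", err }
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JWS ES256: raw R||S, not DER
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyProof is the resource-server side (RFC 9449 section 4.3). boundJkt is the
// cnf.jkt claim read from the already-validated access token.
func VerifyProof(proof, method, uri, accessToken, boundJkt string, nowUnix int64) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return errors.New("proof is not a compact JWS")
	}
	var hdr struct{ Typ, Alg string; JWK struct{ Kty, Crv, X, Y string } }
	var cl struct{ Jti, Htm, Htu, Ath string; Iat int64 }
	hb, e1 := b64.DecodeString(parts[0]); cb, e2 := b64.DecodeString(parts[1]); sig, e3 := b64.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(cb, &cl) != nil {
		return errors.New("malformed proof")
	}
	// Pin typ and alg: the header's alg is attacker-controlled and must match an allow-list
	if hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.JWK.Kty != "EC" || hdr.JWK.Crv != "P-256" {
		return errors.New("unexpected typ, alg or key type")
	}
	xb, e4 := b64.DecodeString(hdr.JWK.X); yb, e5 := b64.DecodeString(hdr.JWK.Y)
	if e4 != nil || e5 != nil || len(xb) != 32 || len(yb) != 32 || len(sig) != 64 {
		return errors.New("malformed key or signature")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("signature does not verify under the embedded key")
	}
	if cl.Htm != method || cl.Htu != uri {
		return errors.New("proof is bound to a different method or URI")
	}
	if d := nowUnix - cl.Iat; d < -60 || d > 60 {
		return errors.New("proof iat outside the acceptance window")
	}
	if cl.Ath != sha256b64(accessToken) {
		return errors.New("ath does not match the presented access token")
	}
	if Thumbprint(pub) != boundJkt {
		return errors.New("proof key is not the key the token is bound to")
	}
	return nil // a real server also rejects a jti it has already seen within the window
}

func main() {
	key := NewClientKey() // constructed demo values below
	proof, _ := MakeProof(key, "GET", "https://rs.example/api/orders", "constructed-access-token", 1700000000)
	fmt.Println(VerifyProof(proof, "GET", "https://rs.example/api/orders", "constructed-access-token", Thumbprint(&key.PublicKey), 1700000000))
}
```

The last check is the one that delivers the roadmap's promise: a token stolen off the wire is useless to whoever holds it unless they can also produce a fresh proof signed by the key whose thumbprint the authorization server baked into `cnf.jkt`, and a captured proof cannot be reused against another method, URI, token or time window.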

OAuth 2.0 Token Exchange (RFC 8693)

  • Goal: Enable secure token exchange for delegation and impersonation scenarios.
  • Action: Implement RFC 8693 OAuth 2.0 Token Exchange protocol, allowing clients to exchange access tokens, refresh tokens, or other token types for new tokens with different scopes, audiences, or subject contexts.
  • Benefits: Support for microservices architectures where services need to call other services on behalf of users, secure token translation between security domains, and delegation scenarios without exposing user credentials.
  • When: Q2 2025.
  • Reference: RFC 8693 - OAuth 2.0 Token Exchange

Rich Authorization Requests (RAR) - RFC 9396

  • Goal: Enable fine-grained, expressive authorization requests beyond simple scope strings.
  • Action: Implement RFC 9396 Rich Authorization Requests allowing clients to specify detailed authorization requirements using structured JSON objects, supporting complex permission models with context-specific parameters.
  • Benefits: More precise authorization control for complex business requirements, better support for fine-grained permissions in healthcare/financial/enterprise scenarios, clearer communication of authorization intent between client and authorization server.
  • When: Q2 2025.
  • Reference: RFC 9396 - OAuth 2.0 Rich Authorization Requests

Minimal API Support

  • Goal: Enable developers to use .NET Minimal APIs as an alternative to MVC controllers for OIDC endpoints.
  • Action: Provide endpoint implementations compatible with .NET Minimal API routing and dependency injection patterns, allowing developers to register OIDC endpoints using the simpler Minimal API syntax.
  • Benefits: Modern .NET development experience with reduced ceremony, better performance through optimized routing, and improved developer productivity for teams preferring Minimal APIs over MVC controllers.
  • When: Q3 2025.

Code Generation for Framework-Specific Models

  • Goal: Automatically generate MVC and Minimal API models with proper bindings, validation, and mapping code from framework-agnostic Oidc.Server models.
  • Action: Provide source generators that automatically produce framework-specific model classes with appropriate binding attributes ([FromQuery], [FromBody], [FromRoute]) and validation attributes ([Required], [StringLength], etc.) based on core Oidc.Server models, along with automatic generation of mapping logic between framework-specific and framework-agnostic models, eliminating manual model duplication and mapping code across MVC controllers and Minimal API endpoints.
  • Benefits: Single source of truth for model definitions, automatic synchronization between core models and framework-specific implementations, no manual mapping code maintenance, reduced maintenance burden, and guaranteed consistency across different hosting frameworks.
  • When: Q3 2025.

JWT Secured Authorization Response Mode (JARM)

  • Goal: Protect authorization responses from tampering and interception through encryption and signing.
  • Action: Implement the JWT Secured Authorization Response Mode (JARM) specification, delivering authorization responses as signed and optionally encrypted JWTs, protecting authorization codes and tokens during transmission back to the client.
  • Benefits: Enhanced security for authorization responses, protection against authorization code interception and injection attacks, compliance with high-security requirements in financial and government sectors.
  • When: Q3 2025.
  • Reference: JARM - JWT Secured Authorization Response Mode

Aspect-Oriented Logging

  • Goal: Provide comprehensive, production-ready logging infrastructure without cluttering business logic.
  • Action: Implement aspect-oriented logging using .NET source generators or interceptors to automatically capture authentication flows, token operations, and security events with configurable verbosity levels and structured logging support.
  • Benefits: Better observability for troubleshooting production issues, audit trails for compliance requirements, security monitoring without manual logging code, and consistent log formatting across all OIDC operations.
  • When: Q4 2025.

OpenID Federation 1.0

  • Goal: Enable federated trust and identity provider chaining across organizational boundaries.
  • Action: Implement OpenID Federation 1.0 specification, allowing Abblix OIDC Server to establish trust relationships with other identity providers without manual configuration, supporting automatic metadata discovery and trust chain validation.
  • Benefits: Simplified integration with multiple upstream identity providers, dynamic trust establishment without pre-configuration, support for multi-organization scenarios, and centralized authentication policy enforcement across federated environments.
  • When: Q4 2025.
  • Reference: OpenID Federation 1.0

INFO

We are always excited to consider implementing useful and relevant features. We welcome your suggestions on our Abblix GitHub page. Looking forward to your proposals!