Better document which oauth handlers are required for only OpenID connect

[mitar]

Is your feature request related to a problem? Please describe.

I am trying to build an OpenID provider only, I do not really have any resources to which one would delegate access to. So I do not need OAuth provider, just OpenId provider. The issue is that currently documentation/example just says that OAuth handlers have to be registered before OpenId ones, but does not explain which are the minimal list of those which have to be:

https://github.com/ory/fosite-example/blob/21823512273f02b611d1a5912e3699a682b42bc7/authorizationserver/oauth2.go#L57

[aeneasr]

Thank you for opening these issues. Getting to OpenID Connect certification is a bit of work with this library. There are also implications in the datastore that require extra attention. We use fosite primarily for ORY Hydra which I recommend you take a look before starting on implementing OIDC with raw fosite. It will take you about 6 months or probably even more to get everything up and running and tested plus getting rid of bugs and adding extra features (e.g. revoking access for specific oauth2 clients).

Hydra fullfills all OAuth2 & OIDC needs and is OpenID Certified and also supports all the things (e.g. well-known endpoint) you pointed at. I'd really recommend checking the project out first and then deciding again if you want to use raw fosite. Hydra will save you a lot of time!

[mitar]

Yes, I am familiar with Hydra, but in my case I am really interested in a pretty limited subset of functionality here, just OpenID provider which would be a broker towards other OpenID providers.

[aeneasr]

You can achieve that with Hydra with less work! We're also working on ORY Kratos which will reduce the work even more! Alternatively I'd recommend checking out https://github.com/dexidp/dex which sounds like the tool you need.

ps: not trying to discourage you from contributions but I think you can solve your issue way easier and with spending less time :)

[mitar]

Thanks for the pointers. I will check them.

[mitar]

Also, Kratos has some limitations for me.

[mitar]

So is OAuth2ResourceOwnerPasswordCredentialsFactory and OAuth2ClientCredentialsGrantFactory used when OpenID Connect is wanted (openid scope)? It seems one can remove those and still have full OpenID Connect compatibility? But OAuth2AuthorizeExplicitFactory and OAuth2AuthorizeImplicitFactory are necessary?

[aeneasr]

I don't think they're necessary! Hydra achieves - for example - OIDC without ROPC Factory