
Canaille beta is out

Our recent work on Canaille, funded by the NLnet Foundation, has led us to release a beta version. Let's have a look at what changed.

Recent Work

Task Manager

We implemented a task manager that allows Canaille to perform long-running tasks asynchronously. This is notably used to propagate SCIM requests or send emails. The implementation uses dramatiq, and we published the dramatiq-eager-broker package which allows maintaining synchronous behavior in the test suite, and when the task manager is not configured.

OpenID Connect Certification

As we mentioned recently, Canaille obtained OpenID Connect Foundation certification last September. This guarantees that Canaille behaves in compliance with the most common OpenID Connect operations.

Canaille OIDC certification

The certification process revealed many interpretation errors, often minor but sometimes significant. We fixed most issues directly in Authlib, the underlying library implementing the standards.

Security

We implemented the remaining recommendations from the Radically Open Security audit. Most were minor recommendations following best practices, but everything is now in place. We also documented the ANSSI recommendations regarding authentication and password management, which Canaille implements. Most recommendations are implemented; the main remaining task is to support WebAuthn.

Documentation

We continuously work on documentation, aiming to follow Diátaxis recommendations. We wrote chapters for getting started with Canaille and configuring the first OpenID Connect client. These initial steps indirectly led us to work on pydantic-settings-export, which notably allows users to export a configuration file with all default values commented and described, providing a good starting point to begin adapting the configuration. We're still using a custom implementation while we upstream all the changes we need to the original project.

What's Next

Canaille aims for simplicity, and its functional scope is therefore quite limited. We thus limit the number of features we want to implement; however, a few remain:

  • WebAuthn support as an authentication factor. This will allow us to implement the last missing ANSSI recommendations.
  • Captcha method support. At first glance it's surprising to include this feature at a time when the relevance of Captchas is diminishing with the emergence of AIs. However, we note that this is an essential feature for some users, as evidenced by the very thorough comparison of open source SSO solutions published by La Contre-Voie last year.
  • Implementation of a custom plugin system for Canaille. This is on a more distant horizon, but we would like to offer an API so developers can implement their own authentication factor for Canaille, or their own database connector.

Besides these visible features, most upcoming developments will be under the hood: