WeftID 1.11 makes WeftID an OpenID Provider. An application can now offer a "Sign in with WeftID" button, much as it might offer "Sign in with Google," and get back a verified user.
Until now, WeftID could only sign users in to applications that speak SAML: Slack, Jira, GitLab, and most other established business software. SAML is the older of the two standards, and it is not what most applications reach for today. OIDC is, and it is well supported by authentication libraries in every common language.
That left an obvious hole. An application that speaks OIDC but not SAML, which includes most things written in the last few years, could not use WeftID at all. 1.11 fills it.
What it does
Turn OIDC on for an application in the admin UI and it becomes a normal OIDC client. Point any standard library at WeftID's discovery URL, and sign-in works. There is no WeftID-specific code to write, and nothing for the application to store: it receives a signed token identifying the user, their name and email, and the groups they belong to.
Because WeftID sits in the middle, the application does not need to care where the user actually came from. A partner's Okta, a passkey, an invited user with a password: it all arrives at the application as the same signed identity.
Who is allowed in
Knowing who a user is does not settle whether they should be let in. OIDC applications use the access model WeftID already applies to SAML apps: assign groups to the application, and only members of those groups can sign in. Everyone else is turned away at the login screen, before they reach the application. An application can also be marked available to all users, which skips the check.
Access is live. Remove someone from a group and their existing sessions stop working, rather than lasting until a token happens to expire. Every grant and every denial is recorded in the audit log.
So the application is handed a set of groups and decides what to show. Who is in which group, and who may sign in at all, is administered in WeftID.
Getting it
Enable OIDC on an app under Integrations, copy the discovery URL, and point the application's OIDC library at it. The Sign in with WeftID admin guide has the walkthrough, including the scopes and claims on offer and how to rotate the signing key.
1.11 also fixes several security issues in the OAuth2 and OIDC endpoints, including a denial-of-service that could be triggered without authenticating. The details are in the changelog.
Next is OIDC in the other direction: federating to upstream providers that speak OIDC rather than SAML, and social sign-in on top of it. See the roadmap.