The current implementation only supports one provider by user. This feature will allow your user to support multiple authentication providers like Google and Twitter for the same user. Related issue: https://github.com/strapi/strapi/issues/2468

As a Project Owner, TeamLead, Strapi Admin etc, id love to see who did what and when. Id love to see an edit history for a content item, to potentially discover issues later one, or be able to trace unwanted content changes. Secondly, this audit log would be neseccary when delivering content for specific industries, such as in car software. Those changes need to be traceable and archived for 10 Years, by German law. see: https://github.com/strapi/strapi/issues/11500

When integrating with oauth2, I think it's more common to use strapi as resource server instead of client(strapi is headless). It's the duty of frontend (like nextjs) to get user authenticated and obtain the access token which used in Authentication header when access strapi, what strapi should do is validate access token and get user info from it. This make strapi more easy to integrate with other backend. see: https://github.com/strapi/strapi/issues/12207

Currently, the plugin which allows you to manage users and permissions doesn't support a provider system like it's already the case with the email plugin For more details, please see https://github.com/strapi/strapi/issues/1819

If you're building an API which needs a high-security level, it can be very useful to use a 2FA. We could pretty easily support two-factor authentication using the current implementation of the Users & Permissions plugin. For more details, please see https://github.com/strapi/strapi/issues/786

Currently, you cannot change the user email because it works like a unique ID. As we allow to edit the user password, we should also offer the ability to edit the email. This is the purpose of this feature. More details in this issue: https://github.com/strapi/strapi/issues/2691

I think it would be very easy to add something like TOTP 2FA (EG google authentication) http://www.passportjs.org/packages/passport-2fa-totp/

I would like to be able to set password complexity. It would be convenient to set restrictions to password length, big letters, small letters, numbers, etc see: https://github.com/strapi/strapi/issues/4990

It's critical for the most recently-issued refresh token to get immediately invalidated when a previously-used refresh token is sent to the authorization server. This prevents any refresh tokens in the same token family from being used to get new access tokens. This is what happens when your identity platform has 🤖 Automatic Reuse Detection: The 🚓 Auth0 Authorization Server has been keeping track of all the refresh tokens descending from the original refresh token. That is, it has created a "token family". The 🚓 Auth0 Authorization Server recognizes that someone is reusing 🔄 Refresh Token 1 and immediately invalidates the refresh token family, including 🔄 Refresh Token 2. The 🚓 Auth0 Authorization Server returns an Access Denied response to 😈 Malicious User. 🔑 Access Token 2 expires, and 🐱 Legitimate User attempts to use 🔄 Refresh Token 2 to request a new refresh-access token pair. The 🚓 Auth0 Authorization Server returns an Access Denied response to 🐱 Legitimate User. The 🚓 Auth0 Authorization Server requires re-authentication to get new access and refresh tokens. https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/

Part of the SSO, we would like to support permissions management via third parties such as Active Directory, LDAP, JumpCloud, etc. It includes fields synchronization and roles mapping.