package schema
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, an option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a user's session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented an OIDC key manager which calculates the kid for JWKs using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-04 06:44:30 +07:00
import "time"
// IdentityProvidersConfiguration represents the IdentityProviders 2.0 configuration for Authelia.
type IdentityProvidersConfiguration struct {
	OIDC *OpenIDConnectConfiguration `mapstructure:"oidc"`
}
// OpenIDConnectConfiguration configuration for OpenID Connect.
type OpenIDConnectConfiguration struct {
	// This secret must be 32 bytes long
	HMACSecret       string `mapstructure:"hmac_secret"`
	IssuerPrivateKey string `mapstructure:"issuer_private_key"`

	AccessTokenLifespan   time.Duration `mapstructure:"access_token_lifespan"`
	AuthorizeCodeLifespan time.Duration `mapstructure:"authorize_code_lifespan"`
	IDTokenLifespan       time.Duration `mapstructure:"id_token_lifespan"`
	RefreshTokenLifespan  time.Duration `mapstructure:"refresh_token_lifespan"`

	EnableClientDebugMessages bool `mapstructure:"enable_client_debug_messages"`
	MinimumParameterEntropy   int  `mapstructure:"minimum_parameter_entropy"`

	Clients []OpenIDConnectClientConfiguration `mapstructure:"clients"`
}
// OpenIDConnectClientConfiguration configuration for an OpenID Connect client.
type OpenIDConnectClientConfiguration struct {
	ID          string `mapstructure:"id"`
	Description string `mapstructure:"description"`
	Secret      string `mapstructure:"secret"`
	Public      bool   `mapstructure:"public"`

	Policy string `mapstructure:"authorization_policy"`

	Audience      []string `mapstructure:"audience"`
	Scopes        []string `mapstructure:"scopes"`
	RedirectURIs  []string `mapstructure:"redirect_uris"`
	GrantTypes    []string `mapstructure:"grant_types"`
	ResponseTypes []string `mapstructure:"response_types"`
	ResponseModes []string `mapstructure:"response_modes"`

	UserinfoSigningAlgorithm string `mapstructure:"userinfo_signing_algorithm"`
}
// DefaultOpenIDConnectConfiguration contains defaults for OIDC.
var DefaultOpenIDConnectConfiguration = OpenIDConnectConfiguration{
	AccessTokenLifespan:   time.Hour,
	AuthorizeCodeLifespan: time.Minute,
	IDTokenLifespan:       time.Hour,
	RefreshTokenLifespan:  time.Minute * 90,
}
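The schema above only declares the provider-level fields and their defaults; it does not show how a loader should fill the zero values mapstructure leaves for omitted keys, nor what it should refuse. The block below is an added example, not Authelia's own code: it mirrors the OpenIDConnectConfiguration struct (trimmed to the fields it checks), applies the page's default lifespans to anything left at zero, enforces the comment's "32 bytes" rule for hmac_secret, parses issuer_private_key as a PKCS#1 PEM RSA key, and derives a JWK kid the way the commit message describes (SHA-1 digest, first 7 hex characters). ApplyDefaults, Validate, ParseIssuerPrivateKey, KeyID and NewTestKeyPEM are hypothetical names; hashing the DER SubjectPublicKeyInfo is an assumption, since the page does not say which bytes the digest is taken over.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"time"
)

// OpenIDConnectConfiguration mirrors the schema struct above, trimmed to the
// fields this example checks (hypothetical copy, not Authelia's own type).
type OpenIDConnectConfiguration struct {
	HMACSecret            string
	IssuerPrivateKey      string
	AccessTokenLifespan   time.Duration
	AuthorizeCodeLifespan time.Duration
	IDTokenLifespan       time.Duration
	RefreshTokenLifespan  time.Duration
}

// DefaultOpenIDConnectConfiguration repeats the page's default lifespans.
var DefaultOpenIDConnectConfiguration = OpenIDConnectConfiguration{
	AccessTokenLifespan:   time.Hour,
	AuthorizeCodeLifespan: time.Minute,
	IDTokenLifespan:       time.Hour,
	RefreshTokenLifespan:  time.Minute * 90,
}

func orDefault(v, d time.Duration) time.Duration {
	if v == 0 {
		return d
	}
	return v
}

// ApplyDefaults fills zero lifespans from the defaults. A zero time.Duration is what
// mapstructure leaves for an absent YAML key, so this must run before Validate or
// every omitted lifespan would be rejected as non-positive.
func ApplyDefaults(c *OpenIDConnectConfiguration) {
	d := DefaultOpenIDConnectConfiguration
	c.AccessTokenLifespan = orDefault(c.AccessTokenLifespan, d.AccessTokenLifespan)
	c.AuthorizeCodeLifespan = orDefault(c.AuthorizeCodeLifespan, d.AuthorizeCodeLifespan)
	c.IDTokenLifespan = orDefault(c.IDTokenLifespan, d.IDTokenLifespan)
	c.RefreshTokenLifespan = orDefault(c.RefreshTokenLifespan, d.RefreshTokenLifespan)
}

// ParseIssuerPrivateKey accepts a PKCS#1 PEM-encoded RSA key ("RSA PRIVATE KEY").
func ParseIssuerPrivateKey(pemText string) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode([]byte(pemText))
	if block == nil || block.Type != "RSA PRIVATE KEY" {
		return nil, errors.New("issuer_private_key: expected a PEM RSA PRIVATE KEY block")
	}
	key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("issuer_private_key: %w", err)
	}
	return key, nil
}

// KeyID derives a JWK kid as the commit message describes: a SHA-1 digest truncated
// to its first 7 hex characters. Digesting the DER SubjectPublicKeyInfo is an
// assumption; the page does not say which bytes Authelia hashes.
func KeyID(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha1.Sum(der)
	return hex.EncodeToString(sum[:])[:7], nil
}

// Validate enforces the schema comment's 32-byte hmac_secret rule plus the checks a
// loader should add: a parseable signing key and strictly positive lifespans.
func Validate(c *OpenIDConnectConfiguration) error {
	ApplyDefaults(c)
	if len(c.HMACSecret) != 32 {
		return fmt.Errorf("hmac_secret: must be 32 bytes, got %d", len(c.HMACSecret))
	}
	if _, err := ParseIssuerPrivateKey(c.IssuerPrivateKey); err != nil {
		return err
	}
	if c.AccessTokenLifespan <= 0 || c.AuthorizeCodeLifespan <= 0 ||
		c.IDTokenLifespan <= 0 || c.RefreshTokenLifespan <= 0 {
		return errors.New("token lifespans must be positive")
	}
	return nil
}

// NewTestKeyPEM generates a throwaway RSA key and returns it PKCS#1 PEM-encoded.
// Constructed input for this example only; a real deployment loads the key from config.
func NewTestKeyPEM() (string, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	der := x509.MarshalPKCS1PrivateKey(key)
	return string(pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: der})), key
}
```

Validate deliberately runs ApplyDefaults first: checking lifespans before defaulting would reject every configuration that relies on the defaults above, while checking them after catches an explicit negative or zero value that a user typed in.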
// DefaultOpenIDConnectClientConfiguration contains defaults for OIDC Clients.
var DefaultOpenIDConnectClientConfiguration = OpenIDConnectClientConfiguration{
	Policy:        "two_factor",
	Scopes:        []string{"openid", "groups", "profile", "email"},
	GrantTypes:    []string{"refresh_token", "authorization_code"},
	ResponseTypes: []string{"code"},
	ResponseModes: []string{"form_post", "query", "fragment"},

	UserinfoSigningAlgorithm: "none",
}
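The client struct carries the fields whose misconfiguration does the most damage (a public flag combined with a secret, a confidential client with no secret, a loose redirect_uris list), but the schema itself cannot express those rules. The following is an added example, not Authelia's own code, of the per-client validation a loader would run after applying DefaultOpenIDConnectClientConfiguration: it mirrors the struct trimmed to the fields it checks, fills Policy and Scopes from the defaults shown above, and rejects redirect URIs that are relative, carry a fragment, or use plain http anywhere other than loopback. ApplyClientDefaults, ValidateClient, ValidateClients and validateRedirectURI are hypothetical names; the accepted policy values ("one_factor", "two_factor") and the loopback-http allowance (RFC 8252 section 7.3) are assumptions, since the page only shows the defaults.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// OpenIDConnectClientConfiguration mirrors the schema struct above, trimmed to the
// fields this example checks (hypothetical copy, not Authelia's own type).
type OpenIDConnectClientConfiguration struct {
	ID           string
	Secret       string
	Public       bool
	Policy       string
	Scopes       []string
	RedirectURIs []string
}

// DefaultOpenIDConnectClientConfiguration repeats the page's client defaults.
var DefaultOpenIDConnectClientConfiguration = OpenIDConnectClientConfiguration{
	Policy: "two_factor",
	Scopes: []string{"openid", "groups", "profile", "email"},
}

// allowedPolicies is assumed for this example; the page only shows the default.
var allowedPolicies = map[string]bool{"one_factor": true, "two_factor": true}

// ApplyClientDefaults fills unset fields from the defaults. An omitted YAML list
// arrives as a nil slice, so emptiness is the "unset" signal.
func ApplyClientDefaults(c *OpenIDConnectClientConfiguration) {
	d := DefaultOpenIDConnectClientConfiguration
	if c.Policy == "" {
		c.Policy = d.Policy
	}
	if len(c.Scopes) == 0 {
		c.Scopes = d.Scopes
	}
}

// validateRedirectURI rejects relative URIs, fragments, and plain http anywhere
// except loopback (RFC 8252 section 7.3 permits http loopback redirects for native apps).
func validateRedirectURI(raw string) error {
	u, err := url.Parse(raw)
	if err != nil || !u.IsAbs() || u.Host == "" {
		return fmt.Errorf("redirect_uri %q must be an absolute URL", raw)
	}
	if u.Fragment != "" {
		return fmt.Errorf("redirect_uri %q must not contain a fragment", raw)
	}
	loopback := u.Hostname() == "localhost" || u.Hostname() == "127.0.0.1"
	if u.Scheme != "https" && !(u.Scheme == "http" && loopback) {
		return fmt.Errorf("redirect_uri %q must use https", raw)
	}
	return nil
}

// ValidateClient applies defaults, then rejects the misconfigurations that weaken a
// client: a secret on a public client (it cannot keep one confidential), no secret
// on a confidential client, an unknown policy, and unsafe or missing redirect URIs.
func ValidateClient(c *OpenIDConnectClientConfiguration) error {
	ApplyClientDefaults(c)
	if c.ID == "" {
		return errors.New("client id is required")
	}
	if c.Public && c.Secret != "" {
		return fmt.Errorf("client %q: public clients must not have a secret", c.ID)
	}
	if !c.Public && c.Secret == "" {
		return fmt.Errorf("client %q: confidential clients require a secret", c.ID)
	}
	if !allowedPolicies[c.Policy] {
		return fmt.Errorf("client %q: unknown authorization_policy %q", c.ID, c.Policy)
	}
	if len(c.RedirectURIs) == 0 {
		return fmt.Errorf("client %q: at least one redirect_uri is required", c.ID)
	}
	for _, raw := range c.RedirectURIs {
		if err := validateRedirectURI(raw); err != nil {
			return fmt.Errorf("client %q: %w", c.ID, err)
		}
	}
	return nil
}

// ValidateClients validates every client and rejects duplicate IDs, which would
// otherwise let a later definition silently override an earlier one.
func ValidateClients(clients []OpenIDConnectClientConfiguration) error {
	seen := map[string]bool{}
	for i := range clients {
		if err := ValidateClient(&clients[i]); err != nil {
			return err
		}
		if seen[clients[i].ID] {
			return fmt.Errorf("client %q: duplicate id", clients[i].ID)
		}
		seen[clients[i].ID] = true
	}
	return nil
}
```

Exact-match checking of redirect URIs at authorization time is only as good as the list registered here, so the validation refuses anything that would widen that match (a fragment, a non-TLS origin) rather than normalising it away.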