Commit Graph

16 Commits

Author SHA1 Message Date
James Elliott
c9d86a9240
feat(oidc): oauth2 discovery support (#2925)
* feat(oidc): oauth2 discovery and endpoint rename

This implements the oauth2 authorization server discovery document, adds tests to the discovery documents, implements an efficiency upgrade to these docs, and renames some endpoints to be uniform.
2022-03-04 14:09:27 +11:00
Andrew Moore
6ef6d0499a
feat(oidc): add pkce support (#2924)
Implements Proof Key for Code Exchange for OpenID Connect Authorization Code Flow. By default this is enabled for the public client type and requires the S256 challenge method.

Closes #2921
2022-03-02 15:44:05 +11:00
James Elliott
ddbb21af90
fix(handlers): include preferred_username claim in meta (#2829)
This includes the preferred_username claim in the meta. Also uses the consts for all the applicable claims and scopes.
2022-02-10 09:55:28 +11:00
James Elliott
fcdd41ea2a
feat: oidc scope i18n (#2799)
This adds i18n for the OIDC scope descriptsions descriptions.
2022-02-08 01:18:16 +11:00
James Elliott
1772a83190
refactor: apply godot recommendations (#2839) 2022-01-31 16:25:15 +11:00
James Elliott
06641cd15a
fix(oidc): add preferred username claim (#2801)
This adds the missing preferred username claim to the ID Token for OIDC.

Fixes #2798
2022-01-18 20:32:06 +11:00
renovate[bot]
526d71ae8c
build(deps): update module github.com/ory/fosite to v0.42.0 (#2691)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-01-13 02:52:15 +11:00
James Elliott
3695aa8140
feat(storage): primary key for all tables and general qol refactoring (#2431)
This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database.

Fixes #1337
2021-11-23 20:45:38 +11:00
Dominik Schmidt
c99b6e7294
feat(oidc): include introspection_endpoint in .well-known/openid-configuration
This adds the OAuth 2.0 introspection endpoint to the OpenID Connect discovery document.

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-discovery-10
2021-11-11 14:41:49 +11:00
James Elliott
b4e570358e
fix: include major in go.mod module directive (#2278)
* build: include major in go.mod module directive

* fix: xflags

* revert: cobra changes

* fix: mock doc
2021-08-11 11:16:46 +10:00
Amir Zarrinkafsh
28991dd71a
fix(oidc): do not lower case in log messages (#2236) 2021-08-04 08:54:45 +10:00
James Elliott
8342a46ba1
feat(oidc): implement client type public (#2171)
This implements the public option for clients which allows using Authelia as an OpenID Connect Provider for cli applications and SPA's where the client secret cannot be considered secure.
2021-07-15 21:02:03 +10:00
James Elliott
143db66445
feat(oidc): userinfo endpoint (#2146)
This is a required endpoint for OIDC and is one we missed in our initial implementation. Also adds some rudamentary documentaiton about the implemented endpoints.
2021-07-10 14:56:33 +10:00
Clément Michaud
21f9056c00
fix(oidc): use lower case in log messages (#2153) 2021-07-08 12:44:43 +10:00
James Elliott
ef549f851d
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately. 
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-04 09:44:30 +10:00
James Elliott
ddea31193b
feature(oidc): add support for OpenID Connect
OpenID connect has become a standard when it comes to authentication and
in order to fix a security concern around forwarding authentication and authorization information
it has been decided to add support for it.

This feature is in beta version and only enabled when there is a configuration for it.
Before enabling it in production, please consider that it's in beta with potential bugs and that there
are several production critical features still missing such as all OIDC related data is stored in
configuration or memory. This means you are potentially going to experience issues with HA
deployments, or when restarting a single instance specifically related to OIDC.

We are still working on adding the remaining set of features before making it GA as soon as possible.

Related to #189

Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-05 00:15:36 +02:00