feat: add handler for forward-auth

This commit is contained in:
Trong Huu Nguyen
2025-01-14 13:44:49 +01:00
parent c96e457675
commit 0258ce7cfd
9 changed files with 116 additions and 17 deletions


@@ -47,6 +47,7 @@ The following flags are available:
| `redis.tls` | boolean | `true` | Whether or not to use TLS for connecting to Redis. Does not override TLS config set by `redis.uri`. |
| `redis.uri` | string | | Redis URI string. An empty value will fall back to `redis-address`. |
| `redis.username` | string | | Username for Redis. Overrides username set by `redis.uri`. |
| `session.forward-auth` | boolean | `false` | Enable endpoint for forward authentication. |
| `session.inactivity` | boolean | `false` | Automatically expire user sessions if they have not refreshed their tokens within a given duration. |
| `session.inactivity-timeout` | duration | `30m` | Inactivity timeout for user sessions. |
| `session.max-lifetime` | duration | `10h` | Max lifetime for user sessions. |
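Review bot: the `session.forward-auth` row should name the endpoint it enables, because the flag (`forward-auth`, hyphenated) and the path it controls (`/oauth2/session/forwardauth`, no hyphen) are spelled differently and a reader of this table cannot find one from the other. Suggest changing the description cell to "Enable the `/oauth2/session/forwardauth` endpoint for forward authentication."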


@@ -6,13 +6,14 @@ Wonderwall exposes and owns these endpoints (which means they will never be prox
Endpoints that are available for use by applications:
| Path | Description | Notes |
|--------------------------------|----------------------------------------------------------------------|---------------------------------------------------|
| `GET /oauth2/login` | Initiates the OpenID Connect Authorization Code flow | |
| `GET /oauth2/logout` | Performs local logout and redirects the user to global/single-logout | |
| `GET /oauth2/logout/local` | Performs local logout only | Disabled when `openid.provider` is `idporten`. |
| `GET /oauth2/session` | Returns the current user's session metadata | |
| `POST /oauth2/session/refresh` | Refreshes the tokens for the user's session. | Requires the `session.refresh` flag to be enabled |
| Path | Description | Notes |
|-----------------------------------|----------------------------------------------------------------------|---------------------------------------------------|
| `GET /oauth2/login` | Initiates the OpenID Connect Authorization Code flow | |
| `GET /oauth2/logout` | Performs local logout and redirects the user to global/single-logout | |
| `GET /oauth2/logout/local` | Performs local logout only | Disabled when `openid.provider` is `idporten`. |
| `GET /oauth2/session` | Returns the current user's session metadata | |
| `POST /oauth2/session/refresh` | Refreshes the tokens for the user's session. | Requires the `session.refresh` flag to be enabled |
| `GET /oauth2/session/forwardauth` | Checks the user's session and refreshes it, if necessary. | |
## Endpoints for Identity Providers
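Review bot: the Notes cell for the new `GET /oauth2/session/forwardauth` row is empty although the endpoint only exists when a flag is set; the neighbouring `POST /oauth2/session/refresh` row documents the same situation as "Requires the `session.refresh` flag to be enabled", so the new row should carry "Requires the `session.forward-auth` flag to be enabled" for consistency and so operators know why the endpoint is absent on a default deployment.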
@@ -232,3 +233,28 @@ of the tokens returned by the identity provider.
The cooldown period exists to limit the amount of refresh token requests that we send to the identity provider.
A refresh is only triggered if `tokens.refresh_cooldown` is `false`. Requests to the endpoint are idempotent while the cooldown is active.
---
### `/oauth2/session/forwardauth`
This endpoint only exists if the `session.forward-auth` flag is enabled.
The endpoint is intended for use in forward authentication scenarios, where a reverse proxy delegates authentication checks to Wonderwall.
The user's session is checked and refreshed, if necessary.
#### Request:
```
GET /oauth2/session/forwardauth
```
#### Response:
```
HTTP/2 204 No Content
```
The endpoint responds with a `HTTP 204 No Content` if the session is valid.
If the session is invalid (i.e. expired, inactive, or not found), the response is an `HTTP 401 Unauthorized`.
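Review bot: the request example shows only the method and path, but a forward-auth integrator needs two things this section does not state: how Wonderwall identifies the session on this request (which cookie or header the reverse proxy must pass through), and whether a refresh performed by this endpoint sets a new cookie on the `204` response that the proxy has to propagate back to the client. The section should also say what happens when a refresh is needed but fails or is blocked by the cooldown described just above (refresh "is only triggered if `tokens.refresh_cooldown` is `false`"), since a `401` for a session that is still valid would lock users out of the proxied application. Minor: "responds with a `HTTP 204 No Content`" should read "an `HTTP 204 No Content`".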