github/wonderwall
1
0
Fork 0
mirror of https://github.com/nais/wonderwall.git synced 2026-05-06 16:36:51 +00:00
Code Issues Packages Projects Releases Wiki Activity
958 Commits 2 Branches 0 Tags
0258ce7cfdc41eeb752deb967862d0f5ff765ef9
Commit Graph

78 Commits

Author SHA1 Message Date
Trong Huu Nguyen
0258ce7cfd feat: add handler for forward-auth 2025-01-14 13:44:49 +01:00
Trong Huu Nguyen
b7b43e9793 refactor(openid): remove more indirection layers 2024-11-05 21:58:38 +01:00
Trong Huu Nguyen
bfb4929dc7 feat: allow disabling secure cookies for localhost 
This is geerally only necessary when using Safari.
Most other browsers respect the Secure attribute when using localhost.
 2024-11-05 21:14:14 +01:00
Trong Huu Nguyen
db060a4caf feat(handler): do not automatically retry token redemption failures 2024-11-05 19:57:48 +01:00
Trong Huu Nguyen
3876820aee refactor(retry): use DoValue 2024-08-23 13:55:51 +02:00
Trong Huu Nguyen
16ccb3a6be feat(config): add explicit toggle for legacy cookies 2024-06-26 12:20:05 +02:00
Trong Huu Nguyen
584f58bb6d refactor(retry): use functional opts, proxy to external lib 2024-05-08 08:39:43 +02:00
Trong Huu Nguyen
41f4354ce4 revert: "feat(handler/error): remove automatic retry" 
This reverts commit 083cb54df7.
 2023-12-20 11:17:51 +01:00
Trong Huu Nguyen
e71e4a2fda feat(handler/reverseproxy): add toggle for access logs 2023-12-20 08:25:35 +01:00
Trong Huu Nguyen
55839d72f0 feat(handler/login): log existing sid on prompt 2023-12-19 12:19:39 +01:00
Trong Huu Nguyen
f82c8a7078 feat(handler/login): drop logging sub claim 2023-12-19 11:04:03 +01:00
Trong Huu Nguyen
9c2d1cb520 feat(cookie): remove expiry options 
Always create session cookies instead of
persistent cookies with expiry.
 2023-12-19 08:46:08 +01:00
Trong Huu Nguyen
e00832016b feat(handler/login): remove legacy cookie 
We don't really need to set an additional cookie without SameSite
as we now use SameSite=Lax for the login cookie.
 2023-12-19 08:46:08 +01:00
Trong Huu Nguyen
083cb54df7 feat(handler/error): remove automatic retry 2023-12-19 08:46:06 +01:00
Trong Huu Nguyen
273eb3604a feat(cookie): use samesite lax instead of none for callback 2023-12-19 08:46:03 +01:00
Trong Huu Nguyen
c3904433f2 feat: log and propagate session metadata 
- stop using jti, use sid instead
- store amr and auth_time from id_token in session
- log more metadata on login callback
- log session id where possible
- propagate acr, amr, auth_time, sid to upstreams in headers
- log authenticated reverseproxy requests
 2023-12-19 08:46:02 +01:00
Trong Huu Nguyen
a10da5d0d7 feat(handler/login): add support for prompt param in login 2023-12-19 08:46:01 +01:00
Trong Huu Nguyen
de78193361 chore(handler): remove temporary amr-based redirect 2023-11-24 16:52:15 +01:00
J-K. Solbakken
d28579028e removed unused variable 2023-11-23 08:56:52 +01:00
J-K. Solbakken
38b9891caf use otelchi middleware for http tracing 2023-11-23 08:53:36 +01:00
J-K. Solbakken
23268c6762 starting simple 2023-11-21 08:47:42 +01:00
Trong Huu Nguyen
2f351a1388 feat(handler/callback): redirect minid passport users to separate landing page 2023-11-06 11:45:15 +01:00
Trong Huu Nguyen
e3022c7923 feat(handler/session): reduce logging level for not found errors 2023-11-02 08:33:09 +01:00
Trong Huu Nguyen
af6642fe90 refactor(openid): use pkce implementation from golang.org/x/oauth2 2023-10-10 10:18:01 +02:00
Trong Huu Nguyen
a2e939f716 fix(handler/sessionrefresh): handle not found error 2023-10-04 10:06:03 +02:00
Trong Huu Nguyen
337723150b fix(reverseproxy/autologin): skip cleaning redirect target 2023-09-25 14:13:15 +02:00
Trong Huu Nguyen
34d90d2c78 fix(autologin): do not return ambiguous 3xx redirect 
If autologin is enabled, check for headers that indicate that the request is a navigation request
and respond appropriately.

A navigation request is assumed to match all of the following:

- uses the GET HTTP method
- either:
  - a) sends the fetch metadata headers, specifically
    `Sec-Fetch-Mode=navigate` and `Sec-Fetch-Dest=document`, or (if
    unsupported by the browser)
  - b) sends the `Accept` header with a value that contains
    `text/html` (which most browsers do by default for navigation
    requests, the exception being IE8 AFAIK)

Non-navigation requests (e.g. fetch / xhr / ajax requests) will receive a
401 Unauthorized, with the Location header set to the login endpoint.
The redirect parameter is also set to point back to the URL found in the
Referer header (though with the scheme and host removed to only allow
redirects relative to the origin host.)

With this fix, autologin will also intercept requests other than GET.
This is to improve the security posture of upstreams that assume that autologin
enforces authentication for all methods.

Fixes #156.
 2023-09-22 14:51:35 +02:00
Trong Huu Nguyen
c4911b1344 feat(session): add feature toggle for automatic refreshing 2023-09-15 09:08:42 +02:00
Trong Huu Nguyen
75567f3016 refactor(handler): split up logout and local logout handlers 2023-07-20 12:01:21 +02:00
Trong Huu Nguyen
1e485aa0f8 refactor(url): embed validator instead of using proxy struct 2023-07-20 11:54:05 +02:00
Trong Huu Nguyen
d0c5e91c45 refactor(url): remove unused field for relative validator 2023-07-20 10:52:47 +02:00
Trong Huu Nguyen
2925ebe9e4 fix(handler/session): return metadata response even if session is inactive 2023-06-09 13:52:36 +02:00
Trong Huu Nguyen
9852b0a290 fix(handler/logout): ignore session validation errors; attempt to delete regardless 2023-06-09 13:52:35 +02:00
Trong Huu Nguyen
390cd78e9f feat(handler): set legacy cookie for sso server 2023-05-12 08:47:26 +02:00
Trong Huu Nguyen
5c96d5a0fd feat(all): reduce log level for some spammy statements 2023-05-08 10:56:07 +02:00
Trong Huu Nguyen
0c531d9ec1 perf: increase max idle connections for http clients 2023-05-04 14:45:45 +02:00
Trong Huu Nguyen
6151aa3279 feat(openid, handler): support runtime override of redirect after single-logout 
Fixes #100.
 2023-05-04 14:45:13 +02:00
Trong Huu Nguyen
3a239a95c3 feat(reverseproxy): validate acr and redirect if applicable 2023-04-29 11:54:53 +02:00
Trong Huu Nguyen
7c98fe161e refactor(handler/reverseproxy): retrieve both session and token 2023-04-29 11:17:00 +02:00
Trong Huu Nguyen
568f9f7683 feat(handler): use 302 instead of 303 for redirects 2023-04-29 08:42:29 +02:00
Trong Huu Nguyen
bc651d9082 fix: use 303 instead of 307 for redirects 2023-04-28 01:30:17 +02:00
Trong Huu Nguyen
c60f9478a5 fix(metrics): strip urls for login counter 2023-04-26 09:57:29 +02:00
Trong Huu Nguyen
55d2e0ce3b feat(metrics): add redirect label for login counter 2023-04-26 09:28:00 +02:00
Trong Huu Nguyen
0ba41e312a feat(handler): local logout returns 204 instead of redirect 
Redirecting after local logout introduces the possibility of matching a
path that automatically performs login, which for a local logout means
the user is automatically logged in again due to having an SSO session -
which nullifies the whole logout operation.

Applications that want local logout must trigger and handle the response
just like any other API call.
 2023-04-21 16:25:26 +02:00
Trong Huu Nguyen
0ba124809a feat(handler): local logout redirects back to preconfigured URL 2023-04-21 15:21:02 +02:00
Trong Huu Nguyen
19b2401831 feat(metrics): add authentication method reference label for successful logins 2023-04-18 12:20:23 +02:00
Trong Huu Nguyen
442e056b26 refactor(handler): inline error handler, remove unnecessary getters 2023-02-24 19:24:02 +01:00
Trong Huu Nguyen
f346e9e91d refactor(router): use a more apt name for wildcard handler 2023-02-24 18:33:41 +01:00
Trong Huu Nguyen
5342913676 refactor: move cookie options to handler constructors 2023-02-24 18:21:36 +01:00
Trong Huu Nguyen
3e93423464 refactor(sso/server): redirect requests for wildcard routes to default URL 2023-02-22 10:19:26 +01:00