Commit Graph

71 Commits

Author SHA1 Message Date
Trong Huu Nguyen
787b54beeb refactor(crypto): move to internal
Co-authored-by: sindrerh2 <sindre.rodseth.hansen@nav.no>
2025-01-30 14:03:36 +01:00
Trong Huu Nguyen
10360958c0 feat(middleware): clean up logging middleware, add span attributes
Co-authored-by: sindrerh2 <sindre.rodseth.hansen@nav.no>
2025-01-30 14:03:29 +01:00
Trong Huu Nguyen
0b32d8839c test(openid/client): add negative assertions for unwanted parameters 2025-01-24 08:07:52 +01:00
Trong Huu Nguyen
837323d728 refactor(mock): use oauth error response for all idp errors 2025-01-23 09:02:19 +01:00
Sindre Rødseth Hansen
c442000be4 feat: implement PAR for relying party
Fixes #235

Co-authored-by: tronghn <trong.huu.nguyen@nav.no>
2025-01-23 08:48:32 +01:00
Trong Huu Nguyen
909060d8fd feat(mock): implement PAR for identity provider
Co-authored-by: sindrerh2 <sindre.rodseth.hansen@nav.no>
2025-01-23 08:48:28 +01:00
Trong Huu Nguyen
75f98debc5 feat(openid/client): validate iss parameter if provider declares authorization_response_iss_parameter_supported
Fixes #306.

Co-authored-by: sindrerh2 <sindre.rodseth.hansen@nav.no>
2025-01-21 09:39:21 +01:00
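The check this commit describes, written out as an added example in Go (not Wonderwall's own code): the RP compares the `iss` parameter of the authorization response against the issuer from the provider's discovery document, and treats a missing `iss` as fatal only when the provider has declared `authorization_response_iss_parameter_supported` (RFC 9207). The `state` comparison is included because the two checks together are what defeat mix-up attacks; the struct, error names and the rejection of duplicated parameters are this example's assumptions, not the project's API.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// ProviderMetadata is the slice of the OP discovery document that matters
// here; the JSON keys are the standard metadata names.
type ProviderMetadata struct {
	Issuer                                     string `json:"issuer"`
	AuthorizationResponseIssParameterSupported bool   `json:"authorization_response_iss_parameter_supported"`
}

var (
	ErrStateMismatch  = errors.New("state does not match the pending login")
	ErrMissingIss     = errors.New("provider supports iss but the response carries none")
	ErrIssMismatch    = errors.New("iss does not match the configured issuer")
	ErrDuplicateParam = errors.New("duplicate parameter in authorization response")
)

// ValidateAuthorizationResponse applies the RFC 9207 check to a callback URL.
// state is always required. iss is required when the provider declares
// authorization_response_iss_parameter_supported; when it does not, a present
// iss is still compared (exact string match) and an absent one is tolerated.
// Error responses are covered too: the check does not depend on "code".
func ValidateAuthorizationResponse(meta ProviderMetadata, expectedState string, callback *url.URL) error {
	q := callback.Query()
	for _, name := range []string{"state", "iss", "code", "error"} {
		if len(q[name]) > 1 {
			return fmt.Errorf("%w: %s", ErrDuplicateParam, name)
		}
	}
	if expectedState == "" || q.Get("state") != expectedState {
		return ErrStateMismatch
	}
	iss, present := q["iss"]
	switch {
	case !present && meta.AuthorizationResponseIssParameterSupported:
		return ErrMissingIss
	case present && iss[0] != meta.Issuer:
		return ErrIssMismatch
	}
	return nil
}

func main() {
	// Constructed sample callbacks: one honest, two shaped like a mix-up attack.
	meta := ProviderMetadata{Issuer: "https://op.example", AuthorizationResponseIssParameterSupported: true}
	for _, raw := range []string{
		"https://rp.example/oauth2/callback?code=c1&state=s1&iss=https%3A%2F%2Fop.example",
		"https://rp.example/oauth2/callback?code=c1&state=s1",                                  // iss missing
		"https://rp.example/oauth2/callback?code=c1&state=s1&iss=https%3A%2F%2Fother.example", // wrong AS
	} {
		u, _ := url.Parse(raw)
		fmt.Println(raw, "->", ValidateAuthorizationResponse(meta, "s1", u))
	}
}
```

The comparison is a plain string equality on the issuer URL, as RFC 9207 requires; do not normalise or parse the value before comparing, since a lenient comparison is itself a mix-up vector.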
Trong Huu Nguyen
e6297750d6 feat(openid): set expected default public JWK algorithm if the OP doesn't set them
This allows us to verify signatures without relying on heuristics used
by jws.WithInferAlgorithmFromKey() that may introduce security and
performance implications.
2024-11-05 21:08:46 +01:00
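Why pinning an algorithm per key matters, as an added Go example that is not the project's code: when a JWKS entry has no "alg", the verifier assigns one from the key type up front and then requires the token header to match it, instead of letting the header (or a heuristic over the key) decide. A token signed with the right key but labelled "RS256" or "none" is rejected before any signature math runs. The default table, the JWK subset and the helper names are this example's assumptions; only ES256 verification is implemented here, with the standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// JWK is the subset of RFC 7517 fields needed here.
type JWK struct {
	Kty string `json:"kty"`
	Crv string `json:"crv,omitempty"`
	Alg string `json:"alg,omitempty"`
}

// defaultAlg pins one algorithm per key type for JWKS entries published
// without "alg" (assumed defaults; the project's own table may differ).
var defaultAlg = map[string]string{
	"RSA": "RS256", "EC/P-256": "ES256", "EC/P-384": "ES384", "EC/P-521": "ES512", "OKP/Ed25519": "EdDSA",
}
var b64 = base64.RawURLEncoding

// ExpectedAlg decides the algorithm from the key alone; the token header is
// later compared against it, never used to choose it.
func ExpectedAlg(k JWK) (string, error) {
	if k.Alg != "" {
		return k.Alg, nil
	}
	name := k.Kty
	if k.Crv != "" {
		name += "/" + k.Crv
	}
	if alg, ok := defaultAlg[name]; ok {
		return alg, nil
	}
	return "", fmt.Errorf("no default algorithm for kty=%q crv=%q", k.Kty, k.Crv)
}

// VerifyES256 checks a compact JWS against a P-256 key and the pinned alg.
// A header claiming "none", "HS256" or "RS256" is rejected before any
// signature math runs, which is what closes the alg-confusion class of bugs.
func VerifyES256(token, pinnedAlg string, pub *ecdsa.PublicKey) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if pinnedAlg != "ES256" || len(parts) != 3 {
		return nil, errors.New("key is not pinned to ES256 or token is not a compact JWS")
	}
	var hdr, claims map[string]any
	raw, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, errors.New("malformed JWS header")
	}
	if hdr["alg"] != pinnedAlg {
		return nil, fmt.Errorf("token alg %v does not match pinned %q", hdr["alg"], pinnedAlg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("ES256 signature must be 64 raw bytes (r || s)")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("invalid signature")
	}
	if raw, err = b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return nil, errors.New("malformed JWS payload")
	}
	return claims, nil
}

// SignES256 mints a test token. headerAlg is a parameter only so that a token
// can be deliberately mislabelled; in production the OP signs, the RP verifies.
func SignES256(priv *ecdsa.PrivateKey, headerAlg string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": headerAlg, "typ": "JWT"})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + b64.EncodeToString(sig), nil
}

// NewP256Key generates a throwaway signing key for the demo.
func NewP256Key() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

func main() {
	priv, _ := NewP256Key()
	alg, _ := ExpectedAlg(JWK{Kty: "EC", Crv: "P-256"}) // JWKS entry without "alg"
	good, _ := SignES256(priv, "ES256", map[string]any{"sub": "user"})
	claims, err := VerifyES256(good, alg, &priv.PublicKey)
	fmt.Println(alg, claims, err)
	bad, _ := SignES256(priv, "RS256", map[string]any{"sub": "user"})
	_, err = VerifyES256(bad, alg, &priv.PublicKey)
	fmt.Println("mislabelled header:", err)
}
```

The point of the table is that the decision is made once, from the JWKS, at key load time; a verifier that derives the algorithm per token from the key it happens to select, or from the header, has to reason about HS256-with-a-public-key and similar confusions on every request.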
Trong Huu Nguyen
df5c78b821 feat(openid/client): add support for the client_secret_post authentication method 2024-10-08 09:19:38 +02:00
Trong Huu Nguyen
1906024da0 feat(openid/acr): remove old values and backward compatibility for new idporten
We no longer expect nor accept tokens with old acr values during
validation as ID-porten no longer issues tokens with these values.

This also removes backward compatibility in cases where configured
values targeted the new ID-porten while using old ID-porten.

We still maintain an internal mapping from old values to new values
for forward compatibility when using old values provided in the login
parameter and the `openid.acr-values` flag.
2024-06-27 12:34:16 +02:00
Trong Huu Nguyen
d69cf79664 refactor: reduce noisy config logs
Fixes #262.
2024-06-26 14:51:05 +02:00
Trong Huu Nguyen
af6642fe90 refactor(openid): use pkce implementation from golang.org/x/oauth2 2023-10-10 10:18:01 +02:00
Trong Huu Nguyen
e7799204b2 feat(openid): harden id_token validation 2023-08-15 21:30:41 +02:00
Trong Huu Nguyen
46852be025 feat(openid): prepare acr mappings for migration to new idporten 2023-05-25 15:54:29 +02:00
Trong Huu Nguyen
6151aa3279 feat(openid, handler): support runtime override of redirect after single-logout
Fixes #100.
2023-05-04 14:45:13 +02:00
Trong Huu Nguyen
568f9f7683 feat(handler): use 302 instead of 303 for redirects 2023-04-29 08:42:29 +02:00
Trong Huu Nguyen
bc651d9082 fix: use 303 instead of 307 for redirects 2023-04-28 01:30:17 +02:00
Trong Huu Nguyen
5342913676 refactor: move cookie options to handler constructors 2023-02-24 18:21:36 +01:00
Trong Huu Nguyen
3274cc5c65 refactor: move redirect package into url, clean up naming 2023-02-16 09:24:39 +01:00
Trong Huu Nguyen
5a56c24bcc refactor(crypto): replace aes-256-gcm with xchacha20-poly1305 2023-02-13 21:48:23 +01:00
Trong Huu Nguyen
473e4a95a7 refactor: remove loginstatus
Loginstatus is no longer needed with the SSO setup.
Fixes #50.
2023-02-10 14:58:17 +01:00
Trong Huu Nguyen
99e3e7d699 refactor(mock/openid): use redis as session store for integration tests 2023-02-10 14:58:16 +01:00
Trong Huu Nguyen
54a43d832a feat(redirect): extract package for creating and validating canonical redirects 2023-02-10 14:58:13 +01:00
Trong Huu Nguyen
1f60d750f2 fix(mock): correct middleware for request generator 2023-02-10 14:58:13 +01:00
Trong Huu Nguyen
0e73c9b4d8 refactor(mock): configure relying party ingress before server start 2023-02-10 14:58:11 +01:00
Trong Huu Nguyen
c3c0c01926 feat(sso): partially implement handlers 2023-02-10 14:58:09 +01:00
Trong Huu Nguyen
a4e4fc752e refactor(handler): remove provider name getter from handler 2023-02-10 14:57:57 +01:00
Trong Huu Nguyen
c3a5033968 test(handler): add test for authorization headers, ensure upstream validates token 2023-02-10 14:57:45 +01:00
Trong Huu Nguyen
2a80bd7765 refactor(mock/openid): use interface for handler 2022-09-02 18:43:59 +02:00
Trong Huu Nguyen
08eefbf1d5 refactor(openid): clean up client and provider 2022-09-02 18:08:36 +02:00
Trong Huu Nguyen
92ee6313c5 refactor: remove unnecessary interfaces 2022-09-02 17:39:27 +02:00
Trong Huu Nguyen
c8f48335d4 refactor(openid/config): extract getter for ingresses 2022-09-02 15:17:36 +02:00
Trong Huu Nguyen
9144056e28 refactor(handler): split up request handlers into separate modules 2022-09-02 14:53:11 +02:00
Trong Huu Nguyen
5d00d132dd refactor: decouple handler implementation from router and middleware 2022-09-01 19:39:47 +02:00
Trong Huu Nguyen
d5bbca9897 feat: rudimentary support for refresh tokens 2022-08-26 14:32:39 +02:00
Trong Huu Nguyen
cafebabea5 fix(openid/client): set redirect_uri param when redeeming auth code 2022-08-23 08:27:34 +02:00
Trong Huu Nguyen
5990e4bb71 refactor(session): extract session handler 2022-08-19 11:44:13 +02:00
Trong Huu Nguyen
5a50ba7c3a feat: support multiple ingresses
Replace hardcoded callback URLs with dynamic generation
of URLs based on incoming requests. These are validated against
a pre-registered list of ingresses for which Wonderwall is considered
authoritative.

We also preserve the cookie behaviour; the most specific ingress path
and domain is used for the cookies.

The `url` package has been moved to the `handler` package, and its
implementation refactored slightly for readability and DRY.
2022-08-17 20:43:56 +02:00
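The validation this commit describes, as an added Go example rather than Wonderwall's own implementation: the callback URL for a request is derived from the pre-registered ingress that matches the request, never by echoing the Host header, so a request that arrives for an unregistered host gets no redirect_uri at all; among several matching ingresses the most specific path wins and also scopes the session cookie. The names, the `/oauth2/callback` suffix and the cookie helper are this example's assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Ingress is one pre-registered base URL this instance is authoritative for.
// Path is stored without a trailing slash, so a root ingress has Path "".
type Ingress struct {
	Scheme string
	Host   string
	Path   string
}

// ParseIngresses validates the configured list at startup: absolute URLs
// only, no query or fragment, host lower-cased, path normalized.
func ParseIngresses(raw []string) ([]Ingress, error) {
	var out []Ingress
	for _, s := range raw {
		u, err := url.Parse(s)
		if err != nil {
			return nil, fmt.Errorf("ingress %q: %w", s, err)
		}
		if u.Scheme == "" || u.Host == "" || u.RawQuery != "" || u.Fragment != "" {
			return nil, fmt.Errorf("ingress %q: must be an absolute URL without query or fragment", s)
		}
		out = append(out, Ingress{Scheme: u.Scheme, Host: strings.ToLower(u.Host), Path: strings.TrimSuffix(u.Path, "/")})
	}
	return out, nil
}

// MatchIngress picks the most specific ingress for a request: same host, and
// the longest registered path that is a whole-segment prefix of the request
// path, so "/app" matches "/app/x" but not "/application".
func MatchIngress(ingresses []Ingress, host, reqPath string) (Ingress, bool) {
	host = strings.ToLower(host)
	var best Ingress
	found := false
	for _, ing := range ingresses {
		if ing.Host != host {
			continue
		}
		if ing.Path != "" && reqPath != ing.Path && !strings.HasPrefix(reqPath, ing.Path+"/") {
			continue
		}
		if !found || len(ing.Path) > len(best.Path) {
			best, found = ing, true
		}
	}
	return best, found
}

// CallbackURL derives redirect_uri from the matched ingress rather than from
// the raw Host header, so whoever controls Host cannot steer the callback
// (and the authorization code) to a host this instance does not own.
func CallbackURL(ingresses []Ingress, r *http.Request) (string, error) {
	ing, ok := MatchIngress(ingresses, r.Host, r.URL.Path)
	if !ok {
		return "", errors.New("request host/path does not match any registered ingress")
	}
	return ing.Scheme + "://" + ing.Host + ing.Path + "/oauth2/callback", nil
}

// CookiePath scopes the session cookie to the matched ingress: its path, or
// "/" for a root ingress.
func CookiePath(ing Ingress) string {
	if ing.Path == "" {
		return "/"
	}
	return ing.Path
}

func main() {
	// Constructed configuration and request; r.Host is what a reverse proxy passed on.
	ingresses, err := ParseIngresses([]string{
		"https://app.example.com",
		"https://app.example.com/admin",
		"https://other.example.com/x/",
	})
	if err != nil {
		panic(err)
	}
	req, _ := http.NewRequest("GET", "https://app.example.com/admin/users", nil)
	cb, err := CallbackURL(ingresses, req)
	fmt.Println(cb, err)
}
```

Host is compared including any port, exactly as registered; if the proxy in front rewrites Host or supplies X-Forwarded-Host, that header must come from a trusted hop before it is fed to MatchIngress.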
Trong Huu Nguyen
d79f31c18d refactor(autologin): use glob-style matching instead of regex
Regexes are powerful, but completely overkill and error-prone for this
use-case. So instead, we'll use path.Match with its simpler glob-style
patterns.
2022-07-21 12:01:30 +02:00
Trong Huu Nguyen
eac2d5789d refactor: passthrough for consistency in openid configuration 2022-07-20 09:58:49 +02:00
Trong Huu Nguyen
3e62683cad refactor: use pointer receivers when possible 2022-07-19 19:24:28 +02:00
Trong Huu Nguyen
bece03c94e refactor(middleware/logentry): replace zerologger with logrus 2022-07-18 15:47:35 +02:00
Trong Huu Nguyen
284fa2a76f fix(openid/client): ensure assertion time claims are rounded down instead of up
Hopefully fixes intermittent 'invalid_grant' errors from IdP.
2022-07-18 09:24:26 +02:00
Trong Huu Nguyen
ef649e7aaa feat: add allowlisting of paths for autologin 2022-07-17 20:11:55 +02:00
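The autologin path allowlist from this commit, combined with the later switch from regexes to path.Match glob patterns (d79f31c18d above), as an added Go example that is not Wonderwall's code: patterns are syntax-checked once at startup so a malformed one fails loudly rather than silently matching nothing, and the request path is cleaned before matching so dot-segments cannot ride an allowlisted prefix. The type and function names are this example's assumptions.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Allowlist holds the autologin-exempt path patterns, validated once at startup.
type Allowlist struct {
	patterns []string
}

// NewAllowlist rejects relative patterns and anything path.Match cannot parse,
// so a typo like "/api/[" fails at config time instead of never matching.
func NewAllowlist(patterns []string) (*Allowlist, error) {
	for _, p := range patterns {
		if !strings.HasPrefix(p, "/") {
			return nil, fmt.Errorf("pattern %q must start with /", p)
		}
		if _, err := path.Match(p, ""); err != nil {
			return nil, fmt.Errorf("pattern %q: %w", p, err)
		}
	}
	return &Allowlist{patterns: patterns}, nil
}

// Allowed reports whether the request path is exempt from autologin.
// The path is cleaned first so "/static/../admin" is matched as "/admin".
// A glob "*" never crosses "/", so "/static/*" covers "/static/app.js" but
// not "/static/js/app.js"; deeper trees need an explicit "/static/*/*".
func (a *Allowlist) Allowed(reqPath string) bool {
	clean := path.Clean("/" + reqPath)
	for _, p := range a.patterns {
		// The error is unreachable here: every pattern passed NewAllowlist.
		if ok, _ := path.Match(p, clean); ok {
			return true
		}
	}
	return false
}

func main() {
	// Constructed configuration and sample request paths.
	al, err := NewAllowlist([]string{"/healthz", "/static/*", "/api/*/public"})
	if err != nil {
		panic(err)
	}
	for _, p := range []string{"/healthz", "/healthzz", "/static/app.js", "/static/js/app.js", "/static/../admin", "/api/v1/public"} {
		fmt.Printf("%-20s autologin exempt: %v\n", p, al.Allowed(p))
	}
}
```

Match on the decoded, cleaned r.URL.Path rather than on the raw request line; percent-encoded slashes or dot-segments that a proxy leaves untouched are exactly what a regex-based allowlist tends to get wrong.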
Trong Huu Nguyen
4b2bf6e095 fix(mock/openid): ensure tokens have jti claim set 2022-07-15 09:04:55 +02:00
Trong Huu Nguyen
e3b9d33296 refactor: split out packages from router 2022-07-15 07:44:54 +02:00
Trong Huu Nguyen
fd630e6dbd test(router): extract some reusable test methods 2022-07-14 13:52:47 +02:00
Trong Huu Nguyen
6469c527a7 refactor(mock/openid): validate params in auth and token requests 2022-07-14 10:08:51 +02:00
Trong Huu Nguyen
9c29bb180b refactor(mock): ensure scope is correctly set for openid client 2022-07-14 10:04:34 +02:00
Trong Huu Nguyen
66cf08e602 refactor(openid/logout): simplify logout logic
As we already clear any local sessions before redirecting to the
Identity Provider, and the callback always redirects to a pre-configured URL,
there isn't really any need to maintain and verify state in the logout
callback.

In other words, the logout callback handler is simply a redirect handler.
2022-07-12 15:09:49 +02:00