Trong Huu Nguyen
75ff84ba28
refactor: suppress some noisy startup logs
2025-07-09 13:33:40 +02:00
Trong Huu Nguyen
4bf3b1bdd4
refactor: move string generator to crypto package
2025-06-16 09:55:44 +02:00
Trong Huu Nguyen
4e1c8e68f8
feat(openid): retry front-channel logouts
2025-06-16 09:55:44 +02:00
Trong Huu Nguyen
1a138c66a3
refactor: move retry package
2025-06-16 09:55:42 +02:00
Trong Huu Nguyen
b3c2c72155
feat(openid): only set max_age parameter for prompt=login
We generally don't want to instruct the identity provider
to attempt full reauthentication when switching accounts
with `prompt=select_account`.
2025-06-11 13:28:52 +02:00
Trong Huu Nguyen
052d310280
fix(openid): require expires_in for token responses
While RFC 6749 specifies this field as recommended:
> If omitted, the authorization server SHOULD provide the
> expiration time via other means or document the default value.
and equivalently the OIDC Core spec specifies the same field as optional,
we will explicitly enforce that these fields are returned from the AS.
This isn't a breaking change as the existing session refresh logic implicitly
depends on this field and its value.
While there are probably some providers that omit the `expires_in` field
or set it to zero with the intent of returning access tokens that do not
expire, we assume these are relatively rare. We might revisit this
at some point in the future, should our assumptions be wrong.
2025-06-11 13:07:18 +02:00
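The stricter policy described in the commit above, as an added example (not the project's own code): a token response parser that treats an absent or non-positive `expires_in` as an error, so the caller always gets a concrete expiry instant to drive session refresh. The struct and error names are hypothetical, and the sample bodies are constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// TokenResponse models the fields of an RFC 6749 section 5.1 token response
// that a relying party's session logic cares about. ExpiresIn is a pointer so
// that an absent field can be told apart from an explicit zero.
type TokenResponse struct {
	AccessToken  string `json:"access_token"`
	TokenType    string `json:"token_type"`
	RefreshToken string `json:"refresh_token,omitempty"`
	IDToken      string `json:"id_token,omitempty"`
	ExpiresIn    *int64 `json:"expires_in,omitempty"`
}

var (
	ErrMissingExpiresIn = errors.New("token response: expires_in is missing")
	ErrInvalidExpiresIn = errors.New("token response: expires_in must be a positive integer")
)

// ParseTokenResponse decodes a token response and enforces the stricter
// policy: expires_in must be present and positive, so the caller always gets a
// concrete expiry instant. A non-numeric expires_in (some providers send a
// JSON string) also fails here, via json.Unmarshal.
func ParseTokenResponse(body []byte, now time.Time) (*TokenResponse, time.Time, error) {
	var tr TokenResponse
	if err := json.Unmarshal(body, &tr); err != nil {
		return nil, time.Time{}, fmt.Errorf("token response: %w", err)
	}
	if tr.AccessToken == "" {
		return nil, time.Time{}, errors.New("token response: access_token is missing")
	}
	if tr.ExpiresIn == nil {
		return nil, time.Time{}, ErrMissingExpiresIn
	}
	if *tr.ExpiresIn <= 0 {
		return nil, time.Time{}, ErrInvalidExpiresIn
	}
	expiry := now.Add(time.Duration(*tr.ExpiresIn) * time.Second)
	return &tr, expiry, nil
}

func main() {
	now := time.Date(2025, 6, 11, 13, 0, 0, 0, time.UTC)
	// Constructed sample bodies for illustration; not captured from a real provider.
	samples := []struct{ name, body string }{
		{"ok", `{"access_token":"at-1","token_type":"Bearer","expires_in":3600}`},
		{"missing", `{"access_token":"at-2","token_type":"Bearer"}`},
		{"zero", `{"access_token":"at-3","token_type":"Bearer","expires_in":0}`},
	}
	for _, s := range samples {
		_, expiry, err := ParseTokenResponse([]byte(s.body), now)
		fmt.Printf("%-8s expiry=%s err=%v\n", s.name, expiry.Format(time.RFC3339), err)
	}
}
```

Using a pointer for `expires_in` is the detail that matters: with a plain `int64`, an omitted field and an explicit `0` are indistinguishable, and the "token never expires" case the commit mentions would silently pass.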
Trong Huu Nguyen
bf2f97f400
feat: set more session and token-related span attributes
2025-06-10 13:51:15 +02:00
Trong Huu Nguyen
9bb5ac9210
fix(openid/client): also accept acr and locale params when no defaults are configured
2025-05-23 09:00:45 +02:00
Trong Huu Nguyen
b9963b19f9
refactor(openid): clean up id_token validation tests
2025-05-23 08:59:42 +02:00
Trong Huu Nguyen
c5ec362e60
feat(session): update id_token in session if returned from refresh grant
Co-authored-by: Thomas Krampl <thomas.siegfried.krampl@nav.no>
2025-05-22 15:52:15 +02:00
Trong Huu Nguyen
259bf635d1
chore(deps): bump github.com/lestrrat-go/jwx from v2 to v3
2025-05-21 10:38:26 +02:00
Trong Huu Nguyen
ca8c09ae10
fix(openid/client): flatten audience for client assertion
In accordance with OpenID Connect 1.0 Core, draft 36 incorporating
errata set 3:
> aud
> REQUIRED. Audience. The aud (audience) Claim. [...] The Audience value MUST be the OP's Issuer Identifier passed as a string, and not a single-element array.
2025-04-02 13:44:37 +02:00
Trong Huu Nguyen
01241f91ac
perf: replace bytes.Buffer with strings.Builder
2025-04-02 11:53:30 +02:00
Trong Huu Nguyen
39d695e104
fix(openid/client): retry server errors for PAR
2025-03-06 10:05:58 +01:00
Trong Huu Nguyen
79ac15d455
feat(otel): consistency passthrough for spans and attributes
Co-authored-by: sindrerh2 <sindre.rodseth.hansen@nav.no>
2025-01-30 14:03:39 +01:00
Sindre Rødseth Hansen
07b542a2f5
feat(openid/error): add spans and attributes
Co-authored-by: tronghn <trong.huu.nguyen@nav.no>
2025-01-30 14:03:39 +01:00
Sindre Rødseth Hansen
dd0373b72d
feat(openid/client): add spans and attributes
Co-authored-by: tronghn <trong.huu.nguyen@nav.no>
2025-01-30 14:03:38 +01:00
Trong Huu Nguyen
787b54beeb
refactor(crypto): move to internal
Co-authored-by: sindrerh2 <sindre.rodseth.hansen@nav.no>
2025-01-30 14:03:36 +01:00
Sindre Rødseth Hansen
ca77435d6a
feat(http): propagate traceparent for httpclient
Co-authored-by: tronghn <trong.huu.nguyen@nav.no>
2025-01-30 14:03:30 +01:00
Trong Huu Nguyen
9c8055bcd6
feat(openid/client): fall back to default value for invalid parameter values
Instead of erroring when receiving non-empty, invalid parameters, we fall back to
the configured (if any) default value for the identity provider, which
is already validated with its metadata document on start-up.
This prevents end-users from being exposed to unnecessary errors.
2025-01-27 08:44:07 +01:00
Sindre Rødseth Hansen
c07077a148
refactor: extract method for making authCodeURL
Co-authored-by: tronghn <trong.huu.nguyen@nav.no>
2025-01-24 10:02:15 +01:00
Trong Huu Nguyen
c147a5a19e
refactor(openid): extract request params for remaining grants, minor cleanups
2025-01-24 08:07:54 +01:00
Trong Huu Nguyen
062e7b09ce
fix(openid/client): prompt parameter is optional
2025-01-24 08:07:54 +01:00
Trong Huu Nguyen
0b32d8839c
test(openid/client): add negative assertions for unwanted parameters
2025-01-24 08:07:52 +01:00
Trong Huu Nguyen
110dd64750
refactor(openid/client): extract authorization code parameters
Co-authored-by: sindrerh2 <sindre.rodseth.hansen@nav.no>
2025-01-23 12:03:42 +01:00
Trong Huu Nguyen
642457b950
refactor(openid/client): extract oauth request method
Co-authored-by: sindrerh2 <sindre.rodseth.hansen@nav.no>
2025-01-23 10:17:13 +01:00
Sindre Rødseth Hansen
ade44f0950
refactor: remove indirection layer for login client
Co-authored-by: tronghn <trong.huu.nguyen@nav.no>
2025-01-23 08:48:32 +01:00
Sindre Rødseth Hansen
c442000be4
feat: implement PAR for relying party
Fixes #235
Co-authored-by: tronghn <trong.huu.nguyen@nav.no>
2025-01-23 08:48:32 +01:00
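The relying-party side of PAR (RFC 9126) as an added example, written against a constructed mock PAR endpoint rather than the project's own identity-provider mock; none of this is the project's code. It also shows the retry policy from the later "retry server errors for PAR" commit: 5xx responses are retried, 4xx responses are not. Endpoint URLs, client_id and redirect_uri are hypothetical.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// parResponse is the RFC 9126 pushed authorization response body.
type parResponse struct {
	RequestURI string `json:"request_uri"`
	ExpiresIn  int64  `json:"expires_in"`
}

// PushAuthorizationRequest posts the complete set of authorization parameters
// to the OP's PAR endpoint and returns the request_uri handle. Transport errors
// and 5xx responses are retried up to maxAttempts; 4xx responses are final,
// since resending an invalid_request will not make it valid.
func PushAuthorizationRequest(client *http.Client, parEndpoint string, params url.Values, maxAttempts int) (string, error) {
	var lastErr error
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		resp, err := client.Post(parEndpoint, "application/x-www-form-urlencoded", strings.NewReader(params.Encode()))
		if err != nil {
			lastErr = err
			continue
		}
		body, _ := io.ReadAll(resp.Body)
		resp.Body.Close()
		switch {
		case resp.StatusCode == http.StatusCreated:
			var pr parResponse
			if err := json.Unmarshal(body, &pr); err != nil {
				return "", fmt.Errorf("par: decode response: %w", err)
			}
			if pr.RequestURI == "" {
				return "", errors.New("par: empty request_uri")
			}
			return pr.RequestURI, nil
		case resp.StatusCode >= 500:
			lastErr = fmt.Errorf("par: attempt %d: server error %d", attempt, resp.StatusCode)
		default:
			return "", fmt.Errorf("par: rejected with status %d: %s", resp.StatusCode, strings.TrimSpace(string(body)))
		}
	}
	return "", lastErr
}

// AuthCodeURL builds the front-channel redirect. With PAR only client_id and
// request_uri travel through the browser; scope, redirect_uri, state, PKCE
// and the rest were already pushed over the back channel.
func AuthCodeURL(authEndpoint, clientID, requestURI string) string {
	q := url.Values{"client_id": {clientID}, "request_uri": {requestURI}}
	return authEndpoint + "?" + q.Encode()
}

// NewMockPAREndpoint is a constructed stand-in for an OP's PAR endpoint. The
// first `flaky` requests fail with 503 to exercise the retry path; after that
// it validates the pushed parameters and issues request_uri handles.
func NewMockPAREndpoint(flaky int) *httptest.Server {
	var seen, issued int
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen++
		w.Header().Set("Content-Type", "application/json")
		if seen <= flaky {
			w.WriteHeader(http.StatusServiceUnavailable)
			w.Write([]byte(`{"error":"temporarily_unavailable"}`))
			return
		}
		if err := r.ParseForm(); err != nil || r.PostForm.Get("client_id") == "" ||
			r.PostForm.Get("redirect_uri") == "" || r.PostForm.Get("response_type") != "code" {
			w.WriteHeader(http.StatusBadRequest)
			w.Write([]byte(`{"error":"invalid_request"}`))
			return
		}
		issued++
		w.WriteHeader(http.StatusCreated)
		json.NewEncoder(w).Encode(parResponse{
			RequestURI: fmt.Sprintf("urn:ietf:params:oauth:request_uri:%d", issued),
			ExpiresIn:  60,
		})
	}))
}

func main() {
	op := NewMockPAREndpoint(1) // first attempt gets a 503, the retry succeeds
	defer op.Close()
	params := url.Values{
		"client_id": {"my-client"}, "response_type": {"code"}, "scope": {"openid"},
		"redirect_uri": {"https://rp.example/oauth2/callback"}, "state": {"abc"},
	}
	requestURI, err := PushAuthorizationRequest(op.Client(), op.URL, params, 3)
	if err != nil {
		panic(err)
	}
	fmt.Println(AuthCodeURL("https://op.example/authorize", "my-client", requestURI))
}
```

The security value of PAR is visible in `AuthCodeURL`: the browser never sees `redirect_uri`, `scope` or `state`, so they cannot be tampered with in the front channel, and the OP has already authenticated the client when it accepted the pushed request. Note that `request_uri` handles are short-lived (the mock returns `expires_in: 60`), so the redirect must be issued promptly after the push.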
Trong Huu Nguyen
6be5a1ebe5
wip: implement PAR for relying party
Co-authored-by: sindrerh2 <sindre.rodseth.hansen@nav.no>
2025-01-23 08:48:32 +01:00
Trong Huu Nguyen
909060d8fd
feat(mock): implement PAR for identity provider
Co-authored-by: sindrerh2 <sindre.rodseth.hansen@nav.no>
2025-01-23 08:48:28 +01:00
Trong Huu Nguyen
64e9167e05
refactor(openid/client): remove indirection layer for login callback
Co-authored-by: sindrerh2 <sindre.rodseth.hansen@nav.no>
2025-01-21 09:39:23 +01:00
Trong Huu Nguyen
75f98debc5
feat(openid/client): validate iss parameter if provider declares authorization_response_iss_parameter_supported
Fixes #306.
Co-authored-by: sindrerh2 <sindre.rodseth.hansen@nav.no>
2025-01-21 09:39:21 +01:00
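The callback-side check behind the commit above, as an added example (not the project's code): the RFC 9207 `iss` parameter validation, keyed on the provider's `authorization_response_iss_parameter_supported` metadata flag. One design choice here is an assumption of this example rather than something the commit states: a present-but-mismatching `iss` is rejected even when the provider does not advertise support, since a wrong issuer in the response is never acceptable. Issuer and callback URLs are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// ProviderMetadata holds the two discovery fields this check depends on.
type ProviderMetadata struct {
	Issuer                                     string // "issuer"
	AuthorizationResponseIssParameterSupported bool   // "authorization_response_iss_parameter_supported"
}

var (
	ErrMissingIss  = errors.New("authorization response: iss parameter missing although provider declares support")
	ErrIssMismatch = errors.New("authorization response: iss parameter does not match provider issuer")
)

// ValidateAuthorizationResponseIssuer applies the RFC 9207 client-side rule
// to the callback URL the browser was redirected to. When the provider
// advertises support, iss must be present and equal to the issuer identifier
// from its metadata; this is what defeats mix-up attacks where a response from
// one authorization server is delivered to the callback meant for another.
// A present iss is compared regardless of the flag (assumption of this example).
func ValidateAuthorizationResponseIssuer(md ProviderMetadata, callback *url.URL) error {
	iss := callback.Query().Get("iss")
	switch {
	case iss == "" && md.AuthorizationResponseIssParameterSupported:
		return ErrMissingIss
	case iss == "":
		return nil // provider does not support the parameter; nothing to compare
	case iss != md.Issuer:
		return fmt.Errorf("%w: got %q, want %q", ErrIssMismatch, iss, md.Issuer)
	}
	return nil
}

func main() {
	md := ProviderMetadata{Issuer: "https://op.example", AuthorizationResponseIssParameterSupported: true}
	// Constructed callback URLs: a genuine response and one carrying a foreign issuer.
	for _, raw := range []string{
		"https://rp.example/oauth2/callback?code=c1&state=s1&iss=https%3A%2F%2Fop.example",
		"https://rp.example/oauth2/callback?code=c2&state=s2&iss=https%3A%2F%2Fevil.example",
		"https://rp.example/oauth2/callback?code=c3&state=s3",
	} {
		u, _ := url.Parse(raw)
		fmt.Printf("%s -> %v\n", u.RawQuery, ValidateAuthorizationResponseIssuer(md, u))
	}
}
```

This check runs before the code is exchanged, alongside the `state` comparison; the `iss` in the `id_token` is validated separately later and does not replace it, because the mix-up attack happens before any token is received.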
Trong Huu Nguyen
2d5d99f5ee
fix(openid): don't ignore existence check for key mutator
2024-11-06 09:40:56 +01:00
Trong Huu Nguyen
b4b38f30ef
test(openid): add missing token validation cases
2024-11-06 09:27:27 +01:00
Trong Huu Nguyen
5c63a2a743
refactor(openid/client): inline unnecessary variables
2024-11-05 22:15:48 +01:00
Trong Huu Nguyen
b7b43e9793
refactor(openid): remove more indirection layers
2024-11-05 21:58:38 +01:00
Trong Huu Nguyen
6b46d57422
refactor(openid): consolidate validation and verification of id_tokens
Also remove some indirection layers.
2024-11-05 21:10:44 +01:00
Trong Huu Nguyen
e6297750d6
feat(openid): set expected default public JWK algorithm if the OP doesn't set them
This allows us to verify signatures without relying on heuristics used
by jws.WithInferAlgorithmFromKey() that may introduce security and
performance implications.
2024-11-05 21:08:46 +01:00
Trong Huu Nguyen
df5c78b821
feat(openid/client): add support for the client_secret_post authentication method
2024-10-08 09:19:38 +02:00
Trong Huu Nguyen
1906024da0
feat(openid/acr): remove old values and backward compatibility for new idporten
We no longer expect nor accept tokens with old acr values during
validation as ID-porten no longer issues tokens with these values.
This also removes backward compatibility in cases where configured
values targeted the new ID-porten while using old ID-porten.
We still maintain an internal mapping from old values to new values
for forward compatibility when using old values provided in the login
parameter and the `openid.acr-values` flag.
2024-06-27 12:34:16 +02:00
Trong Huu Nguyen
d69cf79664
refactor: reduce noisy config logs
Fixes #262.
2024-06-26 14:51:05 +02:00
Trong Huu Nguyen
e00832016b
feat(handler/login): remove legacy cookie
We don't really need to set an additional cookie without SameSite
as we now use SameSite=Lax for the login cookie.
2023-12-19 08:46:08 +01:00
Trong Huu Nguyen
c3904433f2
feat: log and propagate session metadata
- stop using jti, use sid instead
- store amr and auth_time from id_token in session
- log more metadata on login callback
- log session id where possible
- propagate acr, amr, auth_time, sid to upstreams in headers
- log authenticated reverseproxy requests
2023-12-19 08:46:02 +01:00
Trong Huu Nguyen
a10da5d0d7
feat(handler/login): add support for prompt param in login
2023-12-19 08:46:01 +01:00
Trong Huu Nguyen
2f351a1388
feat(handler/callback): redirect minid passport users to separate landing page
2023-11-06 11:45:15 +01:00
Trong Huu Nguyen
f246fc7975
refactor(openid): move acr to own package
2023-10-11 14:25:12 +02:00
Trong Huu Nguyen
af6642fe90
refactor(openid): use pkce implementation from golang.org/x/oauth2
2023-10-10 10:18:01 +02:00
Trong Huu Nguyen
185701d53b
refactor(openid): clean up tests
2023-08-16 12:18:58 +02:00
Trong Huu Nguyen
e7799204b2
feat(openid): harden id_token validation
2023-08-15 21:30:41 +02:00
Trong Huu Nguyen
46852be025
feat(openid): prepare acr mappings for migration to new idporten
2023-05-25 15:54:29 +02:00