The use of these headers in upstreams may be risky, espeically
if Wonderwall is accidentally misconfigured or disabled, or requests
are performed directly to the upstream circumventing Wonderwall.
We should prefer using a signed token or similar that can be verified by
the upstreams.
- stop using jti, use sid instead
- store amr and auth_time from id_token in session
- log more metadata on login callback
- log session id where possible
- propagate acr, amr, auth_time, sid to upstreams in headers
- log authenticated reverseproxy requests
If autologin is enabled, check for headers that indicate that the request is a navigation request
and respond appropriately.
A navigation request is assumed to match all of the following:
- uses the GET HTTP method
- either:
- a) sends the fetch metadata headers, specifically
`Sec-Fetch-Mode=navigate` and `Sec-Fetch-Dest=document`, or (if
unsupported by the browser)
- b) sends the `Accept` header with a value that contains
`text/html` (which most browsers do by default for navigation
requests, the exception being IE8 AFAIK)
Non-navigation requests (e.g. fetch / xhr / ajax requests) will receive a
401 Unauthorized, with the Location header set to the login endpoint.
The redirect parameter is also set to point back to the URL found in the
Referer header (though with the scheme and host removed to only allow
redirects relative to the origin host.)
With this fix, autologin will also intercept requests other than GET.
This is to improve the security posture of upstreams that assume that autologin
enforces authentication for all methods.
Fixes#156.
Reduces IdleConnTimeout to 5 seconds. Reverse proxying to a server that
has a shorter keep-alive may cause "EOF" and "connection reset by peer"
issues as the connections may be closed by the upstream before our
client notices.
