These feature flags were enabled by default. We specifically disallowed
the use of automatic refresh with the SSO mode, though this poses some
complexity if using the forward-auth feature.
To simplify configuration and code, we remove the flags in their
entirety as session refresh behaviour is mostly already handled by the
implementation of GetSession() in the handlers. Specifically:
- the Standalone handler needs to refresh sessions when reverse-proxying
to the upstream.
- the SSO server handler needs to refresh sessions only when using the
forward-auth feature. It does not have an upstream to reverse proxy
to.
- the SSO proxy handler is a read-only upstream proxy and does not
possess the ability to refresh sessions itself, though it will
delegate traffic for the session endpoints to the configured SSO server.
Automatic refreshing is thus only disabled when running in SSO mode
without the forward-auth feature.
This allows us to verify signatures without relying on heuristics used
by jws.WithInferAlgorithmFromKey() that may introduce security and
performance implications.
We no longer expect nor accept tokens with old acr values during
validation as ID-porten no longer issues tokens with these values.
This also removes backward compatibility in cases where configured
values targeted the new ID-porten while using old ID-porten.
We still maintain an internal mapping from old values to new values
for forward compatibilty when using old values provided in the login
parameter and the `openid.acr-values` flag.
The use of these headers in upstreams may be risky, espeically
if Wonderwall is accidentally misconfigured or disabled, or requests
are performed directly to the upstream circumventing Wonderwall.
We should prefer using a signed token or similar that can be verified by
the upstreams.
- stop using jti, use sid instead
- store amr and auth_time from id_token in session
- log more metadata on login callback
- log session id where possible
- propagate acr, amr, auth_time, sid to upstreams in headers
- log authenticated reverseproxy requests
