These feature flags were enabled by default. We specifically disallowed
the use of automatic refresh with the SSO mode, though this poses some
complexity if using the forward-auth feature.
To simplify configuration and code, we remove the flags in their
entirety as session refresh behaviour is mostly already handled by the
implementation of GetSession() in the handlers. Specifically:
- the Standalone handler needs to refresh sessions when reverse-proxying
to the upstream.
- the SSO server handler needs to refresh sessions only when using the
forward-auth feature. It does not have an upstream to reverse proxy
to.
- the SSO proxy handler is a read-only upstream proxy and does not
possess the ability to refresh sessions itself, though it will
delegate traffic for the session endpoints to the configured SSO server.
Automatic refreshing is thus only disabled when running in SSO mode
without the forward-auth feature.
- stop using jti, use sid instead
- store amr and auth_time from id_token in session
- log more metadata on login callback
- log session id where possible
- propagate acr, amr, auth_time, sid to upstreams in headers
- log authenticated reverseproxy requests
If autologin is enabled, check for headers that indicate that the request is a navigation request
and respond appropriately.
A navigation request is assumed to match all of the following:
- uses the GET HTTP method
- either:
- a) sends the fetch metadata headers, specifically
`Sec-Fetch-Mode=navigate` and `Sec-Fetch-Dest=document`, or (if
unsupported by the browser)
- b) sends the `Accept` header with a value that contains
`text/html` (which most browsers do by default for navigation
requests, the exception being IE8 AFAIK)
Non-navigation requests (e.g. fetch / xhr / ajax requests) will receive a
401 Unauthorized, with the Location header set to the login endpoint.
The redirect parameter is also set to point back to the URL found in the
Referer header (though with the scheme and host removed to only allow
redirects relative to the origin host.)
With this fix, autologin will also intercept requests other than GET.
This is to improve the security posture of upstreams that assume that autologin
enforces authentication for all methods.
Fixes#156.
Redirecting after local logout introduces the possibility of matching a
path that automatically performs login, which for a local logout means
the user is automatically logged in again due to having an SSO session -
which nullifies the whole logout operation.
Applications that want local logout must trigger and handle the response
just like any other API call.
