Trong Huu Nguyen
3d45cfb998
refactor(config): remove features stanza
2022-02-03 13:52:48 +01:00
Trong Huu Nguyen
72f64b6c4c
refactor(handler/frontchannellogout): better log statements
2022-02-03 12:17:56 +01:00
Trong Huu Nguyen
f95e618585
refactor(jwt): azure ad sets uti claim instead of jti
2022-02-03 11:41:44 +01:00
Trong Huu Nguyen
3828437dc5
refactor(jwt): clean up and deduplicate
2022-02-03 11:41:43 +01:00
Trong Huu Nguyen
b449ab2191
refactor: token -> jwt for accuracy
2022-02-03 11:41:43 +01:00
Trong Huu Nguyen
eeccebc5dd
feat: log jwt IDs for traceability
2022-02-03 11:41:42 +01:00
Trong Huu Nguyen
e4e95ef5c6
refactor: move token parsing to own package; prepare for audit logs
2022-02-03 11:41:41 +01:00
Trong Huu Nguyen
c3da899190
feat(loginstatus): ensure that cookie is set in default route
2022-02-03 11:41:41 +01:00
Trong Huu Nguyen
fcba6815b9
feat: add feature toggled support for loginstatus
...
Co-Authored-By: Youssef Bel Mekki <youssef.bel.mekki@nav.no>
Co-Authored-By: Tommy Trøen <tommy.troen@nav.no>
2022-02-03 11:41:40 +01:00
Trong Huu Nguyen
f36d65a6ba
fix(openid/config): close response body after get
2022-02-03 11:41:39 +01:00
Trong Huu Nguyen
05fae6ca5e
refactor: get or generate session ID with fallbacks
...
Turns out that Azure AD doesn't support the `check_session_iframe` property.
However it still returns the session ID in the `session_state` parameter during
callbacks, and optionally can be configured to return the `sid` claim in id_tokens.
This commit changes the behaviour of the SessionID method to get the session ID
if found, with the order of preference being:
1. from the `sid` claim in the id_token,
2. from the `session_state` parameter provided by the OP during callbacks
If neither are found, and the OP's configuration does not indicate that either
should be (e.g. no support for front-channel logout and/or session
management), we fall back to generating our own session ID.
2022-01-27 12:57:52 +01:00
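The order of preference described in commit 05fae6ca5e, as an added example that is not the project's own code. `ProviderConfig`, `ResolveSessionID` and `ErrMissingSessionID` are hypothetical names, and returning an error when the OP metadata promises a session ID but none arrives is an assumption; the commit only states when generation is allowed.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// ProviderConfig holds the OP discovery metadata relevant here (hypothetical type).
type ProviderConfig struct {
	CheckSessionIframe                 string // check_session_iframe
	FrontchannelLogoutSupported        bool   // frontchannel_logout_supported
	FrontchannelLogoutSessionSupported bool   // frontchannel_logout_session_supported
}

// ErrMissingSessionID: the OP advertises session support but sent no ID (assumed behaviour).
var ErrMissingSessionID = errors.New("OP metadata promises a session ID, but none was received")

// ResolveSessionID prefers the id_token's sid claim, then the session_state
// callback parameter, and generates an ID only when the OP promises neither.
func ResolveSessionID(cfg ProviderConfig, sidClaim, sessionState string) (id, source string, err error) {
	if sidClaim != "" {
		return sidClaim, "sid", nil
	}
	if sessionState != "" {
		return sessionState, "session_state", nil
	}
	sidExpected := cfg.FrontchannelLogoutSupported && cfg.FrontchannelLogoutSessionSupported
	stateExpected := cfg.CheckSessionIframe != ""
	if sidExpected || stateExpected {
		return "", "", ErrMissingSessionID
	}
	buf := make([]byte, 32) // 256 bits from the OS CSPRNG
	if _, err := rand.Read(buf); err != nil {
		return "", "", fmt.Errorf("generating session ID: %w", err)
	}
	return base64.RawURLEncoding.EncodeToString(buf), "generated", nil
}

func main() {
	// Constructed input: an OP that omits sid but returns session_state.
	op := ProviderConfig{FrontchannelLogoutSupported: true, FrontchannelLogoutSessionSupported: true}
	id, source, err := ResolveSessionID(op, "", "constructed-session-state")
	fmt.Println(id, source, err)
}
```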
Trong Huu Nguyen
834c79ef1d
style: go fmt
2022-01-25 15:59:57 +01:00
Trong Huu Nguyen
b40dbffa19
refactor: clean up tests
...
Co-Authored-By: Youssef Bel Mekki <youssef.bel.mekki@nav.no>
2022-01-25 15:58:19 +01:00
Trong Huu Nguyen
24cae11ba2
refactor: split out session ID generation to own file, add tests
...
Co-Authored-By: Youssef Bel Mekki <youssef.bel.mekki@nav.no>
2022-01-25 15:33:45 +01:00
ybelMekk
abc8bd1835
fix: clean up tests and fix name
2022-01-25 12:08:42 +01:00
ybelMekk
1a2b85a5f5
fix: rename from externalSessionId to sessionID.
...
Better impl. for generating a random sessionID.
2022-01-25 11:38:17 +01:00
ybelMekk
413b8dfc19
fix: revert frontChannelLogout impl.
2022-01-25 11:36:41 +01:00
ybelMekk
768aa7af49
fix: test to only check for generated session_state, remove frontChannel from CheckIframe test.
2022-01-25 11:35:56 +01:00
ybelMekk
8df169e6e0
debug: remove print statm.
2022-01-24 23:13:10 +01:00
ybelMekk
f996c4a6fe
fix: remove omitempty from check_session_iframe, more robust checking of empty values in checkIframe configuration function. Fix bug in extractExternalSessionID in frontChannelLogout, return first match.
2022-01-24 23:12:07 +01:00
ybelMekk
74c1592d0a
remove: unused function
2022-01-24 22:57:43 +01:00
ybelMekk
bc5f5138e4
add: handle trigger of logout for third-party and session_state
2022-01-24 22:44:45 +01:00
ybelMekk
a23595b9b4
add: handle trigger of logout for third-party and session_state
2022-01-23 23:14:25 +01:00
ybelMekk
e4c47f59e8
fix: create function for externalSessionId add random string generator. fix tests to reflect provider with checkSessionIframe Session management.
2022-01-23 21:37:36 +01:00
ybelMekk
65a0b5de52
fix: create function for externalSessionId add random string generator.
2022-01-23 14:31:01 +01:00
ybelMekk
7f6d323dde
add: session management check to get session_state from OP response, generate an externalSessionID if none supported.
2022-01-22 16:23:16 +01:00
ybelMekk
f5e5d842e6
wip: sid claim only required if frontchannel_logout_session_supported && frontchannel_logout_supported.
2022-01-22 15:03:54 +01:00
Trong Huu Nguyen
6411f168e2
refactor(handler/login): move user agent debug statement to field
2022-01-10 11:12:54 +01:00
Trong Huu Nguyen
7432f86b64
refactor(cookie): set expires to epoch zero time on deletion
2022-01-07 15:29:49 +01:00
Trong Huu Nguyen
879319cd2a
fix(router/login): alleviate SameSite issues for login cookie
...
A login cookie is set as part of the redirection flow between the RP
and OP, and thus inherently involves cross-site requests. Our client
uses the response_mode=query parameter for authorization requests, which
should work with the SameSite attribute set to Lax. However, there are
certain versions of user agents on certain operating systems (e.g.
Safari 12.2 on iOS<12.2, MacOS<10.14.4, Android WebView<72) that do not
properly handle cookies with the SameSite attribute set.
This commit attempts to alleviate this issue for legacy browsers by
introducing a fallback cookie without the SameSite attribute set.
Additionally, we also set the SameSite value for the original login
cookie to None to ensure that the cookie persists through the
cross-origin redirection requests.
2022-01-07 14:16:46 +01:00
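The cookie pair described in commit 879319cd2a, as an added example that is not the project's own code. The cookie names, the one-hour lifetime and the function names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
)

const (
	loginCookie  = "example-login"        // hypothetical name
	legacyCookie = "example-login-legacy" // hypothetical name
)

// LoginCookies returns the primary cookie (SameSite=None, which browsers only
// accept together with Secure) and a fallback that carries no SameSite
// attribute at all, for user agents that mishandle the attribute.
func LoginCookies(value string) []*http.Cookie {
	base := http.Cookie{Value: value, Path: "/", MaxAge: 3600, HttpOnly: true, Secure: true}
	primary, legacy := base, base
	primary.Name, primary.SameSite = loginCookie, http.SameSiteNoneMode
	legacy.Name = legacyCookie // SameSite stays at its zero value: attribute omitted
	return []*http.Cookie{&primary, &legacy}
}

// SetCookieHeaders renders the Set-Cookie header values for both cookies.
func SetCookieHeaders(value string) []string {
	var out []string
	for _, c := range LoginCookies(value) {
		out = append(out, c.String())
	}
	return out
}

// ReadLoginCookie parses a Cookie request header and returns the primary
// cookie's value if present, otherwise the fallback's.
func ReadLoginCookie(cookieHeader string) (value, from string, ok bool) {
	r := &http.Request{Header: http.Header{"Cookie": {cookieHeader}}}
	for _, name := range []string{loginCookie, legacyCookie} {
		if c, err := r.Cookie(name); err == nil && c.Value != "" {
			return c.Value, name, true
		}
	}
	return "", "", false
}

func main() {
	fmt.Println(SetCookieHeaders("constructed-value"))
	// Constructed request from a legacy user agent that dropped the primary cookie.
	fmt.Println(ReadLoginCookie("example-login-legacy=constructed-value"))
}
```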
Trong Huu Nguyen
a4461ad294
fix(router/frontchannellogout): do not write response headers before clearing cookies
2022-01-07 14:16:40 +01:00
Trong Huu Nguyen
05e2509fac
refactor: separate cookie operations to own package
2022-01-07 11:03:22 +01:00
Trong Huu Nguyen
2d4ced719f
feat: remove custom header for id_token
...
This isn't really needed, and might cause headaches if headers are
proxied further downstream and logged by components that do not
properly mask or redact its contents.
2022-01-06 09:58:17 +01:00
Trong Huu Nguyen
c311f46219
revert: "fix: ensure deletion of cookies have SameSite set to None"
...
This reverts commit 826f16f4df.
This doesn't actually work unless the original cookie set has the same
value for SameSite.
2021-12-14 15:10:45 +01:00
Trong Huu Nguyen
826f16f4df
fix: ensure deletion of cookies have SameSite set to None
2021-12-14 12:46:12 +01:00
Trong Huu Nguyen
4446d4c5b8
fix: ensure that frontchannel logout unconditionally returns OK
2021-12-14 12:45:28 +01:00
Trong Huu Nguyen
8b7e76d6c4
refactor(router/handler): reduce log severity for certain error handler responses
2021-12-06 09:46:19 +01:00
Trong Huu Nguyen
8127d944f3
feat(middleware/logentry): log user agent and cookie names on errors
2021-12-06 09:44:09 +01:00
Trong Huu Nguyen
a87fd1834e
fix: increase lifetime for login cookie
2021-11-19 07:55:29 +01:00
Trong Huu Nguyen
a6a11656f9
refactor: rename openid base config for clarity
2021-11-01 11:05:32 +01:00
Trong Huu Nguyen
c70037bd4c
refactor: clean up main
2021-11-01 11:04:54 +01:00
Trong Huu Nguyen
40f8177a5f
refactor: add provider label to http metrics
2021-11-01 10:57:00 +01:00
Trong Huu Nguyen
e3439e27ab
test: use miniredis for testing redis session store
2021-11-01 10:56:59 +01:00
Trong Huu Nguyen
b85ea7136e
refactor: only delete fallback session cookies if set
2021-11-01 10:56:49 +01:00
Trong Huu Nguyen
325caeac34
nit: drop import alias
2021-10-20 09:18:50 +02:00
Trong Huu Nguyen
693b1b3bbe
test: add missing test for client assertion
2021-10-20 09:05:06 +02:00
Trong Huu Nguyen
3a35584a21
refactor: restructure and group related packages into subpackages
2021-10-20 09:03:14 +02:00
Trong Huu Nguyen
008e486e72
feat: print openid provider and client configuration on startup
2021-10-18 20:29:43 +02:00
Trong Huu Nguyen
204f77581d
refactor: move redirect URI creation to openid pkg
2021-10-18 19:33:21 +02:00
Trong Huu Nguyen
62e9e91c73
fix: correct join of paths for redirect URI
2021-10-18 14:22:41 +02:00