github/wonderwall
1
0
Fork 0
mirror of https://github.com/nais/wonderwall.git synced 2026-05-08 09:27:12 +00:00
Code Issues Packages Projects Releases Wiki Activity
173 Commits 2 Branches 0 Tags
7432f86b64f6443887e6584dfd72d9711dcdc4ea
Commit Graph

140 Commits

Author SHA1 Message Date
Trong Huu Nguyen
7432f86b64 refactor(cookie): set expires to epoch zero time on deletion 2022-01-07 15:29:49 +01:00
Trong Huu Nguyen
879319cd2a fix(router/login): alleviate SameSite issues for login cookie 
A login cookie is set as part of the redirection flow between the RP
and OP, and thus inherently involves cross-site requests. Our client
uses the response_mode=query parameter for authorization requests, which
should work with the SameSite attribute set to Lax. However, there are
certain versions of user agents on certain operating systems (e.g.
Safari 12.2 on iOS<12.2, MacOS<10.14.4, Android WebView<72) that do not
properly handle cookies with the SameSite attribute set.

This commit attempts to alleviate this issue for legacy browsers by
introducing a fallback cookie without the SameSite attribute set.

Additionally, we also set the SameSite value for the original login
cookie to None to ensure that the cookie persists through the
cross-origin redirection requests.
 2022-01-07 14:16:46 +01:00
Trong Huu Nguyen
a4461ad294 fix(router/frontchannellogout): do not write response headers before clearing cookies 2022-01-07 14:16:40 +01:00
Trong Huu Nguyen
05e2509fac refactor: separate cookie operations to own package 2022-01-07 11:03:22 +01:00
Trong Huu Nguyen
2d4ced719f feat: remove custom header for id_token 
This isn't really needed, and might cause headaches if headers are
proxied further downstream and logged by components that do not
properly mask or redact its contents.
 2022-01-06 09:58:17 +01:00
Trong Huu Nguyen
c311f46219 revert: "fix: ensure deletion of cookies have SameSite set to None" 
This reverts commit 826f16f4df.

This doesn't actually work unless the original cookie set has the same
value for SameSite.
 2021-12-14 15:10:45 +01:00
Trong Huu Nguyen
826f16f4df fix: ensure deletion of cookies have SameSite set to None 2021-12-14 12:46:12 +01:00
Trong Huu Nguyen
4446d4c5b8 fix: ensure that frontchannel logout unconditionally returns OK 2021-12-14 12:45:28 +01:00
Trong Huu Nguyen
8b7e76d6c4 refactor(router/handler): reduce log severity for certain error handler responses 2021-12-06 09:46:19 +01:00
Trong Huu Nguyen
8127d944f3 feat(middleware/logentry): log user agent and cookie names on errors 2021-12-06 09:44:09 +01:00
Trong Huu Nguyen
a87fd1834e fix: increase lifetime for login cookie 2021-11-19 07:55:29 +01:00
Trong Huu Nguyen
a6a11656f9 refactor: rename openid base config for clarity 2021-11-01 11:05:32 +01:00
Trong Huu Nguyen
c70037bd4c refactor: clean up main 2021-11-01 11:04:54 +01:00
Trong Huu Nguyen
40f8177a5f refactor: add provider label to http metrics 2021-11-01 10:57:00 +01:00
Trong Huu Nguyen
e3439e27ab test: use miniredis for testing redis session store 2021-11-01 10:56:59 +01:00
Trong Huu Nguyen
b85ea7136e refactor: only delete fallback session cookies if set 2021-11-01 10:56:49 +01:00
Trong Huu Nguyen
325caeac34 nit: drop import alias 2021-10-20 09:18:50 +02:00
Trong Huu Nguyen
693b1b3bbe test: add missing test for client assertion 2021-10-20 09:05:06 +02:00
Trong Huu Nguyen
3a35584a21 refactor: restructure and group related packages into subpackages 2021-10-20 09:03:14 +02:00
Trong Huu Nguyen
008e486e72 feat: print openid provider and client configuration on startup 2021-10-18 20:29:43 +02:00
Trong Huu Nguyen
204f77581d refactor: move redirect URI creation to openid pkg 2021-10-18 19:33:21 +02:00
Trong Huu Nguyen
62e9e91c73 fix: correct join of paths for redirect URI 2021-10-18 14:22:41 +02:00
Trong Huu Nguyen
1b4ce5cab7 Revert "Revert "refactor: infer redirect URI from configured ingress"" 
This reverts commit 8cf9d22324.
 2021-10-18 14:12:41 +02:00
Trong Huu Nguyen
8cf9d22324 Revert "refactor: infer redirect URI from configured ingress" 
This reverts commit 5f0b0df7cf.
 2021-10-18 14:06:10 +02:00
Trong Huu Nguyen
6f2520078e feat: add id_token to downstream header 
Co-Authored-By: Kim Tore Jensen <kim.tore.jensen@nav.no>
Co-Authored-By: Sindre Rødseth Hansen <sindre.rodseth.hansen@nav.no>
 2021-10-18 12:42:34 +02:00
Trong Huu Nguyen
5f0b0df7cf refactor: infer redirect URI from configured ingress 2021-10-18 11:26:55 +02:00
Trong Huu Nguyen
be585f9902 refactor: simplify config for acr_values and ui_locales; validate on startup 2021-10-17 20:24:34 +02:00
Trong Huu Nguyen
5d2f8c3e84 refactor: cleanups for error template; embed and load on startup 2021-10-17 20:24:06 +02:00
Trong Huu Nguyen
c1482d09e1 refactor: generalize config to allow more providers; add azure 2021-10-16 12:44:59 +02:00
Trong Huu Nguyen
e8e1fc7632 refactor: clean up tests and mock setup 2021-10-16 10:50:22 +02:00
Trong Huu Nguyen
c702f8ff6c refactor: introduce generic provider for openid configs 2021-10-16 10:42:49 +02:00
Trong Huu Nguyen
2f0243b69a refactor: move openid related structs to own pkg 2021-10-16 10:39:00 +02:00
Trong Huu Nguyen
e7d5a6073c refactor: add jwks pkg for generating jwk sets 2021-10-16 10:28:49 +02:00
Trong Huu Nguyen
9b15da6251 refactor: move scopes to own pkg 2021-10-16 10:27:17 +02:00
Trong Huu Nguyen
8711f6e0d3 style: clean up imports 2021-10-16 10:25:47 +02:00
Trong Huu Nguyen
5ce7d979c7 refactor: use httputil.ReverseProxy for default route 2021-10-15 08:42:42 +02:00
Trong Huu Nguyen
8724e37e0d refactor: minor cleanups for callback handler 2021-10-14 20:34:26 +02:00
Trong Huu Nguyen
d766e247a9 refactor: safer implementation for getting sid claim from id_token 2021-10-14 20:34:24 +02:00
Trong Huu Nguyen
5db2a01f63 fix: explicitly set status response header for front-channel logout 
Co-Authored-By: Morten Lied Johansen <morten.lied.johansen@nav.no>
Co-Authored-By: Sindre Rødseth Hansen <sindre.rodseth.hansen@nav.no>
 2021-10-13 10:44:01 +02:00
Trong Huu Nguyen
d0482b3490 refactor: log session store unavailability, ensure fallback cookies are deleted when no longer needed 2021-10-13 08:49:53 +02:00
Trong Huu Nguyen
f7f476db87 refactor: add toggle for redis tls negotiation 2021-10-13 08:47:58 +02:00
Morten Lied Johansen
6152b94aba Configure HA redis 
Co-authored-by: Trong Huu Nguyen <trong.huu.nguyen@nav.no>
Co-authored-by: Sindre Rødseth Hansen <sindre.rodseth.hansen@nav.no>
 2021-10-12 15:56:30 +02:00
Trong Huu Nguyen
d58e3339a9 refactor: only log route requests for owned routes 
Co-authored-by: Morten Lied Johansen <morten.lied.johansen@nav.no>
Co-Authored-By: Sindre Rødseth Hansen <sindre.rodseth.hansen@nav.no>
 2021-10-12 10:24:27 +02:00
Trong Huu Nguyen
e209516d32 feat: add toggle for auto redirect to login handler for default route 
Co-Authored-By: Sindre Rødseth Hansen <sindre.rodseth.hansen@nav.no>
 2021-10-11 12:50:11 +02:00
Trong Huu Nguyen
2e10801d0e refactor: move client assertion generation, replace go-jose with jwx 
Co-Authored-By: Sindre Rødseth Hansen <sindre.rodseth.hansen@nav.no>
 2021-10-11 11:46:11 +02:00
Trong Huu Nguyen
399a8175c8 refactor: user-friendly retry URI for default error page 
Co-Authored-By: Sindre Rødseth Hansen <sindre.rodseth.hansen@nav.no>
 2021-10-07 10:26:32 +02:00
Trong Huu Nguyen
3bdbfd0030 refactor: only handle single ingress 
As OIDC is very specific on using complete redirect URIs
for the authorization-step, it does not really make sense
to handle multiple ingresses in Wonderwall.

We could dynamically figure out which ingress was used
by looking at the scheme and host for the request and
decide which redirect URI we would use, but such an
implementation is both time-consuming and prone to
errors and vulnerabilities without the proper precautions.
 2021-10-07 08:16:49 +02:00
Trong Huu Nguyen
8b3075f6d0 fix: do not remove login cookies until end of callback 2021-10-07 07:59:48 +02:00
Trong Huu Nguyen
b8a62826ad fix: remove debug error 
Co-Authored-By: Sindre Rødseth Hansen <sindre.rodseth.hansen@nav.no>
 2021-10-06 14:54:30 +02:00
sindrerh2
1f939d603d feat: add configurable redirect to custom error page 
Co-authored-by: Trong Huu Nguyen <trong.huu.nguyen@nav.no>
 2021-10-06 14:49:04 +02:00