We no longer expect nor accept tokens with old acr values during
validation as ID-porten no longer issues tokens with these values.
This also removes backward compatibility in cases where configured
values targeted the new ID-porten while using old ID-porten.
We still maintain an internal mapping from old values to new values
for forward compatibilty when using old values provided in the login
parameter and the `openid.acr-values` flag.
- stop using jti, use sid instead
- store amr and auth_time from id_token in session
- log more metadata on login callback
- log session id where possible
- propagate acr, amr, auth_time, sid to upstreams in headers
- log authenticated reverseproxy requests
Reduces IdleConnTimeout to 5 seconds. Reverse proxying to a server that
has a shorter keep-alive may cause "EOF" and "connection reset by peer"
issues as the connections may be closed by the upstream before our
client notices.
One of the changes in OAuth 2.1 addresses attacks with refresh token
replays by recommending the use of one-time use tokens. A refresh token
is thus rotated and invalid after exactly one use, returning a new token
for each successful grant. Any further attempts must thus use the most
recently acquired refresh token. Reusing a refresh token may also
cause the authorization server to invalidate the current active refresh
token, requiring a refresh authorization grant to be reacquired for
further refresh token usage.
The use of locks prevents multiple refresh grant attempts for a given
session from happening across concurrent requests.
Replace hardcoded callback URLs with dynamic generation
of URLs based on incoming requests. These are validated against
a pre-registered list of ingresses for which Wonderwall is considered
authorative for.
We also preserve the cookie behaviour; the most specific ingress path
and domain is used for the cookies.
The `url` package has been moved to the `handler` package, and its
implementation refactored slightly for readability and DRY.
Access Tokens are not necessarily JWTs. We also don't
have to validate them as we only pass it on as an opaque
string.
This also means that we don't log the JTI access tokens
anymore.
We also simplify handling of oidc callbacks.
