Trong Huu Nguyen
ed56aac3d0
style: follow conventions for error variable names
2022-09-19 08:41:23 +02:00
Trong Huu Nguyen
b8785b7414
style: use shorthand time functions where possible
2022-09-19 08:41:21 +02:00
Trong Huu Nguyen
d732a5b3cd
test(session/store): add missing assertion
2022-09-19 08:41:18 +02:00
Trong Huu Nguyen
27d2bc2c26
fix(session/handler): log errors for lock release failures
2022-09-09 10:19:22 +02:00
Trong Huu Nguyen
b22c130e60
fix(session/handler): invalidate session state if refresh attempt is a client error
...
A client error response for the refresh grant is assumed to be an
irrecoverable error; e.g. the refresh token is invalid, the
authorization is invalid, user is logged out, etc. In such cases we will
consider the session state to be invalid, and a new authorization grant
should be performed.
2022-09-04 17:15:40 +02:00
Trong Huu Nguyen
c0138f4b49
feat(session): use locks for refreshing
...
One of the changes in OAuth 2.1 addresses attacks with refresh token
replays by recommending the use of one-time use tokens. A refresh token
is thus rotated and invalid after exactly one use, returning a new token
for each successful grant. Any further attempts must thus use the most
recently acquired refresh token. Reusing a refresh token may also
cause the authorization server to invalidate the current active refresh
token, requiring a refresh authorization grant to be reacquired for
further refresh token usage.
The use of locks prevents multiple refresh grant attempts for a given
session from happening across concurrent requests.
2022-09-04 17:14:35 +02:00
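The refresh flow described in the two commit messages above (c0138f4b49, running the refresh grant under a per-session lock, and b22c130e60, treating a 4xx token response as irrecoverable) as one self-contained Go example. This is added here for illustration and is not Wonderwall's own code: the Session type and its field names, the in-process mutex standing in for the per-session lock a shared store would hold, the assumed one-hour access token lifetime and the RotatingServer stand-in for an authorization server with one-time-use refresh tokens are all assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

var ErrSessionInvalid = errors.New("session invalid: new authorization grant required")

// GrantError is a failed response from the token endpoint.
type GrantError struct {
	Status int    // HTTP status of the token response
	Code   string // OAuth error code, e.g. "invalid_grant"
}

func (e *GrantError) Error() string { return fmt.Sprintf("refresh grant: %d %s", e.Status, e.Code) }

// IsClientError reports whether err is a 4xx token response, treated as
// irrecoverable (revoked or replayed refresh token, user logged out, ...).
func IsClientError(err error) bool {
	var ge *GrantError
	return errors.As(err, &ge) && ge.Status >= 400 && ge.Status < 500
}

// TokenResponse is a successful refresh grant; the refresh token is rotated.
type TokenResponse struct{ AccessToken, RefreshToken string }

// RefreshFunc performs the refresh grant against the authorization server.
type RefreshFunc func(refreshToken string) (*TokenResponse, error)

// Session is the refresh-related state kept per session (field names are
// assumptions made for this example). The in-process mutex stands in for the
// per-session lock a shared store would hold.
type Session struct {
	mu           sync.Mutex
	AccessToken  string
	RefreshToken string    // always the most recently issued one
	Expiry       time.Time // access token expiry
	Invalid      bool      // set after an irrecoverable refresh failure
}

// Refresh returns a valid access token. The grant runs under the session lock,
// so concurrent requests for the same session never replay a used refresh token.
func (s *Session) Refresh(now time.Time, refresh RefreshFunc) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	// Re-check under the lock: a concurrent request may have refreshed already.
	if s.Invalid {
		return "", ErrSessionInvalid
	}
	if now.Before(s.Expiry) {
		return s.AccessToken, nil
	}
	resp, err := refresh(s.RefreshToken)
	if err != nil {
		if IsClientError(err) {
			s.Invalid = true // irrecoverable: the caller must start a new authorization grant
			return "", ErrSessionInvalid
		}
		return "", err // 5xx or transport error: keep state, a later request retries
	}
	s.AccessToken, s.RefreshToken = resp.AccessToken, resp.RefreshToken
	s.Expiry = now.Add(time.Hour) // assumed lifetime; a real handler uses expires_in
	return resp.AccessToken, nil
}

// RotatingServer is a constructed stand-in for an authorization server that
// issues one-time-use refresh tokens: presenting anything but the newest token
// is a replay, answered with 400 invalid_grant, and revokes the active token.
type RotatingServer struct {
	mu      sync.Mutex
	Current string // the only refresh token currently accepted
	Grants  int    // successful grants so far
}

func (r *RotatingServer) Refresh(refreshToken string) (*TokenResponse, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	if refreshToken == "" || refreshToken != r.Current {
		r.Current = ""
		return nil, &GrantError{Status: 400, Code: "invalid_grant"}
	}
	r.Grants++
	r.Current = fmt.Sprintf("rt-%d", r.Grants)
	return &TokenResponse{AccessToken: fmt.Sprintf("at-%d", r.Grants), RefreshToken: r.Current}, nil
}
```

Running several concurrent Refresh calls on the same expired session against the RotatingServer results in exactly one grant: the first caller refreshes, the others re-check under the lock, see a fresh access token and return it, and the session keeps only the newest refresh token. Presenting a consumed token afterwards (a replay) yields 400 invalid_grant and revokes the active token, so the next Refresh marks the session invalid; a 5xx leaves the session intact for a later retry.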
Trong Huu Nguyen
c78674e54a
fix(session/store): check for existence before update
2022-09-03 16:48:37 +02:00
Trong Huu Nguyen
92ee6313c5
refactor: remove unnecessary interfaces
2022-09-02 17:39:27 +02:00
Trong Huu Nguyen
619ae52d45
refactor: separate refresh-specific fields from session info; enable endpoint without refresh feature
2022-09-01 19:35:48 +02:00
Trong Huu Nguyen
cdba90bc5b
test(session/data): add missing tests
2022-08-29 14:48:39 +02:00
Trong Huu Nguyen
af48778bf7
fix(session/handler): lock metadata operations behind feature gate until rollout
2022-08-29 10:00:43 +02:00
Trong Huu Nguyen
cdd07838f4
refactor(session/data): separate into object groups
2022-08-29 08:35:03 +02:00
Trong Huu Nguyen
1d9339e139
refactor(session/handler): extract predicates for readability
2022-08-26 18:09:40 +02:00
Trong Huu Nguyen
5ec969981d
fix(session/handler): ensure access token is not expired before proxying
2022-08-26 17:58:39 +02:00
Trong Huu Nguyen
d5bbca9897
feat: rudimentary support for refresh tokens
2022-08-26 14:32:39 +02:00
Trong Huu Nguyen
08f570363a
refactor(openid): extract magic strings
2022-08-19 11:44:38 +02:00
Trong Huu Nguyen
5990e4bb71
refactor(session): extract session handler
2022-08-19 11:44:13 +02:00
Trong Huu Nguyen
c15e00469b
refactor: clean up session error handling
2022-08-18 21:35:15 +02:00
Trong Huu Nguyen
ae8028cc96
refactor: remove cookie session fallback store
...
The implementation is error-prone and difficult to maintain.
We instead just assume that the backing session store is highly
available.
2022-08-17 20:44:07 +02:00
Trong Huu Nguyen
eac2d5789d
refactor: passthrough for consistency in openid configuration
2022-07-20 09:58:49 +02:00
Trong Huu Nguyen
3e62683cad
refactor: use pointer receivers when possible
2022-07-19 19:24:28 +02:00
Trong Huu Nguyen
cbb6be135a
feat(metrics): add metrics for successful logins and logouts
2022-07-19 09:25:43 +02:00
Trong Huu Nguyen
b674a0ffa7
refactor(session): wrap own error type instead of using store-specific errors
2022-07-19 08:39:02 +02:00
Trong Huu Nguyen
284fa2a76f
fix(openid/client): ensure assertion time claims are rounded down instead of up
...
Hopefully fixes intermittent 'invalid_grant' errors from IdP.
2022-07-18 09:24:26 +02:00
Trong Huu Nguyen
aab249d78a
refactor(jwt): skip parsing access tokens
...
Access Tokens are not necessarily JWTs. We also don't
have to validate them as we only pass it on as an opaque
string.
This also means that we don't log the JTI of access tokens
anymore.
We also simplify handling of oidc callbacks.
2022-07-14 12:14:25 +02:00
Trong Huu Nguyen
1f5635239a
refactor: split out openid client, config and provider
...
There's a bunch of changes here, but in essence:
- split out openid configuration
- separate openid configuration between client/rp and provider
- consolidate client and provider related code in separate packages
These changes allow for simplification of the Handler, as well as a
bunch of test/mock code as the configuration is now instantiated
separately from the client/provider code.
2022-07-05 13:09:00 +02:00
Trong Huu Nguyen
a19cbe375c
refactor(router/session): extract cookie store
2022-07-04 15:18:40 +02:00
Trong Huu Nguyen
a752978f8f
refactor(session): move data to own file
2022-07-04 15:18:37 +02:00
Trong Huu Nguyen
d73a5f24bb
refactor(session): move session id generator to relevant pkg
2022-07-04 15:18:36 +02:00
Trong Huu Nguyen
debf97efda
feat(session): store metadata
2022-07-04 15:18:36 +02:00
Trong Huu Nguyen
497cf9fba7
feat: store refresh tokens in session
2022-07-04 15:18:34 +02:00
Trong Huu Nguyen
18fffcc755
deps: migrate from lestrrat-go/jwx to lestrrat-go/jwx/v2
2022-05-05 11:09:03 +02:00
Trong Huu Nguyen
f95e618585
refactor(jwt): azure ad sets uti claim instead of jti
2022-02-03 11:41:44 +01:00
Trong Huu Nguyen
3828437dc5
refactor(jwt): clean up and deduplicate
2022-02-03 11:41:43 +01:00
Trong Huu Nguyen
b449ab2191
refactor: token -> jwt for accuracy
2022-02-03 11:41:43 +01:00
Trong Huu Nguyen
eeccebc5dd
feat: log jwt IDs for traceability
2022-02-03 11:41:42 +01:00
Trong Huu Nguyen
c70037bd4c
refactor: clean up main
2021-11-01 11:04:54 +01:00
Trong Huu Nguyen
e3439e27ab
test: use miniredis for testing redis session store
2021-11-01 10:56:59 +01:00
Trong Huu Nguyen
3a35584a21
refactor: restructure and group related packages into subpackages
2021-10-20 09:03:14 +02:00
Trong Huu Nguyen
8711f6e0d3
style: clean up imports
2021-10-16 10:25:47 +02:00
Trong Huu Nguyen
f73b4605a1
refactor: use encrypted cookie as session fallback
...
Co-Authored-By: Sindre Rødseth Hansen <sindre.rodseth.hansen@nav.no>
2021-10-04 13:17:04 +02:00
Trong Huu Nguyen
03eec9d2b8
refactor: robustify logout routes
...
Co-authored-by: Morten Lied Johansen <morten.lied.johansen@nav.no>
Co-authored-by: Sindre Rødseth Hansen <sindre.rodseth.hansen@nav.no>
2021-10-01 09:35:28 +02:00
Trong Huu Nguyen
cc8ba980ca
refactor: deduplicate crypto operations for sessions
2021-09-30 18:27:53 +02:00
Trong Huu Nguyen
2ec1b7ace9
feat: encrypt session data
...
Co-Authored-By: Sindre Rødseth Hansen <sindre.rodseth.hansen@nav.no>
2021-09-30 13:47:29 +02:00
Morten Lied Johansen
f551386113
Add Redis latency metrics
...
Co-authored-by: Sindre Rødseth Hansen <sindre.rodseth.hansen@nav.no>
2021-09-29 10:50:27 +02:00
Trong Huu Nguyen
5da34f0139
fix: include id_token_hint on self-initiated logout
...
This is required when including the post_logout_redirect_uri
parameter.
2021-08-25 11:55:36 +02:00
Trong Huu Nguyen
e83542b046
fix: prefix local session keys to prevent collisions
...
`sid` is a key that refers to the user's unique SSO session at the
Identity Provider, and the same key is present in all tokens
acquired by any Relying Party (such as Wonderwall) during that session.
Thus, we cannot assume the value of `sid` to uniquely identify the
pair of (user, application session) if using a shared session store.
2021-08-25 11:26:24 +02:00
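The collision described in commit e83542b046 above, as an added Go example that is not Wonderwall's own code. Two relying parties (here named app-a and app-b, constructed names) share one session store; the user logs in to both within the same SSO session, so both receive tokens carrying the same `sid` and store their session under it. Keyed by the bare `sid`, the second write overwrites the first and app-a reads back app-b's tokens; keyed with an application-specific prefix, the two sessions coexist. The SessionData type, the prefix format and the sid value are assumptions made for this example.

```go
package main

import "errors"

// SessionData is what a relying party stores for a browser session
// (constructed example type, not Wonderwall's own).
type SessionData struct {
	App         string // relying party that wrote the entry
	AccessToken string
}

// KeyFunc derives the store key from an application-specific prefix and the
// IdP's sid claim.
type KeyFunc func(prefix, sid string) string

// BareSID is the collision-prone variant: the sid alone, which every relying
// party in the same SSO session sees in its tokens.
func BareSID(_, sid string) string { return sid }

// PrefixedSID namespaces the key per application (the prefix could be the
// client ID or a deployment-specific string; an assumption for this example).
func PrefixedSID(prefix, sid string) string { return prefix + ":" + sid }

// SharedStore stands in for one Redis instance shared by several applications.
type SharedStore struct {
	key  KeyFunc
	data map[string]SessionData
}

func NewSharedStore(key KeyFunc) *SharedStore {
	return &SharedStore{key: key, data: map[string]SessionData{}}
}

func (s *SharedStore) Write(app, sid string, d SessionData) { s.data[s.key(app, sid)] = d }

func (s *SharedStore) Read(app, sid string) (SessionData, error) {
	d, ok := s.data[s.key(app, sid)]
	if !ok {
		return SessionData{}, errors.New("no session")
	}
	return d, nil
}

// Entries reports how many distinct sessions the store holds.
func (s *SharedStore) Entries() int { return len(s.data) }

// Scenario replays the situation from the commit message: the same user logs
// in to app-a and then app-b within one SSO session, so both relying parties
// receive tokens carrying the same sid and store their session under it.
// It returns what each app subsequently reads back and the number of entries.
func Scenario(key KeyFunc) (SessionData, SessionData, int, error) {
	const sid = "sso-123" // constructed value of the IdP's sid claim
	store := NewSharedStore(key)
	store.Write("app-a", sid, SessionData{App: "app-a", AccessToken: "access-token-for-app-a"})
	store.Write("app-b", sid, SessionData{App: "app-b", AccessToken: "access-token-for-app-b"})
	a, err := store.Read("app-a", sid)
	if err != nil {
		return SessionData{}, SessionData{}, 0, err
	}
	b, err := store.Read("app-b", sid)
	return a, b, store.Entries(), err
}
```

Scenario(BareSID) leaves a single entry in the store and hands app-a a session written by app-b, including app-b's access token; Scenario(PrefixedSID) leaves two entries and each application reads back only its own.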
Kim Tore Jensen
55f26fb54c
incorporate new session storage code
2021-08-24 12:58:16 +02:00
Kim Tore Jensen
15a7c14324
redis and in-memory session store
2021-08-24 12:49:23 +02:00