github/wonderwall
1
0
Fork 0
mirror of https://github.com/nais/wonderwall.git synced 2026-05-07 17:06:57 +00:00
Code Issues Packages Projects Releases Wiki Activity
952 Commits 2 Branches 0 Tags
b2cf17a39fdc2cd0dfd063af5ef3044e644e7483
Commit Graph

547 Commits

Author SHA1 Message Date
Trong Huu Nguyen
724132e51c test: correct description for secure cookie test 2024-11-06 10:17:11 +01:00
Trong Huu Nguyen
2d5d99f5ee fix(openid): don't ignore existence check for key mutator 2024-11-06 09:40:56 +01:00
Trong Huu Nguyen
b4b38f30ef test(openid): add missing token validation cases 2024-11-06 09:27:27 +01:00
Trong Huu Nguyen
3761d40bf6 feat(crypto): log warning for ephemeral encryption key 2024-11-06 08:47:05 +01:00
Trong Huu Nguyen
5c63a2a743 refactor(openid/client): inline unnecessary variables 2024-11-05 22:15:48 +01:00
Trong Huu Nguyen
b7b43e9793 refactor(openid): remove more indirection layers 2024-11-05 21:58:38 +01:00
Trong Huu Nguyen
d2e01b2ead refactor: consolidate cookie config, correct documentation 2024-11-05 21:24:25 +01:00
Trong Huu Nguyen
bfb4929dc7 feat: allow disabling secure cookies for localhost 
This is geerally only necessary when using Safari.
Most other browsers respect the Secure attribute when using localhost.
 2024-11-05 21:14:14 +01:00
Trong Huu Nguyen
6b46d57422 refactor(openid): consolidate validation and verification of id_tokens 
Also remove some indirection layers.
 2024-11-05 21:10:44 +01:00
Trong Huu Nguyen
e6297750d6 feat(openid): set expected default public JWK algorithm if the OP doesn't set them 
This allows us to verify signatures without relying on heuristics used
by jws.WithInferAlgorithmFromKey() that may introduce security and
performance implications.
 2024-11-05 21:08:46 +01:00
Trong Huu Nguyen
db060a4caf feat(handler): do not automatically retry token redemption failures 2024-11-05 19:57:48 +01:00
Trong Huu Nguyen
4c2d1f4813 docs(config): clarify description of openid.scopes flag 2024-11-05 11:44:45 +01:00
Trong Huu Nguyen
192b196d3f refactor(config): inline samesite options 2024-11-05 08:48:46 +01:00
Trong Huu Nguyen
7c2d6d3f71 feat(templates): clean up error page after feedback 2024-10-16 12:46:29 +02:00
Trong Huu Nguyen
a4b832839c feat(templates): make error page more generic and responsive 
Co-authored-by: Morten Lied Johansen <morten.lied.johansen@nav.no>
 2024-10-09 08:58:36 +02:00
Trong Huu Nguyen
df5c78b821 feat(openid/client): add support for the client_secret_post authentication method 2024-10-08 09:19:38 +02:00
Trong Huu Nguyen
5ae325ca3d fix(retry): correct usage of MaxDuration, remove unused code 2024-09-20 11:47:49 +02:00
Trong Huu Nguyen
d6b57a6b7d refactor(handler/sso/proxy): correct variable name 2024-09-11 09:27:13 +02:00
Trong Huu Nguyen
9e78ba78be fix(handler/sso/proxy): avoid duplicate headers when proxying to server 2024-09-03 12:08:38 +02:00
Trong Huu Nguyen
155ebc745b docs: clarify forwarded headers 2024-08-23 13:56:21 +02:00
Trong Huu Nguyen
57376643ba build: go 1.23 2024-08-23 13:56:19 +02:00
Trong Huu Nguyen
3876820aee refactor(retry): use DoValue 2024-08-23 13:55:51 +02:00
Trong Huu Nguyen
3465d8aef3 refactor(config): clean up tests 2024-08-23 13:55:49 +02:00
Trong Huu Nguyen
f9761c3437 test(config): add some more cases, remove unneeded parameter 2024-07-02 21:58:14 +02:00
Trong Huu Nguyen
1906024da0 feat(openid/acr): remove old values and backward compatibility for new idporten 
We no longer expect nor accept tokens with old acr values during
validation as ID-porten no longer issues tokens with these values.

This also removes backward compatibility in cases where configured
values targeted the new ID-porten while using old ID-porten.

We still maintain an internal mapping from old values to new values
for forward compatibilty when using old values provided in the login
parameter and the `openid.acr-values` flag.
 2024-06-27 12:34:16 +02:00
Trong Huu Nguyen
f94d81aed7 test(config): add missing tests 2024-06-27 09:54:29 +02:00
Trong Huu Nguyen
d7b0d93f11 refactor: split out config again 2024-06-26 15:32:38 +02:00
Trong Huu Nguyen
d69cf79664 refactor: reduce noisy config logs 
Fixes #262.
 2024-06-26 14:51:05 +02:00
Trong Huu Nguyen
16ccb3a6be feat(config): add explicit toggle for legacy cookies 2024-06-26 12:20:05 +02:00
Trong Huu Nguyen
584f58bb6d refactor(retry): use functional opts, proxy to external lib 2024-05-08 08:39:43 +02:00
Trong Huu Nguyen
fc1454fcbb feat(config) support samesite cookie attribute 2024-04-24 14:47:18 +02:00
Trong Huu Nguyen
10e71a7bb5 feat(handler/reverseproxy): remove x-wonderwall headers 
The use of these headers in upstreams may be risky, espeically
if Wonderwall is accidentally misconfigured or disabled, or requests
are performed directly to the upstream circumventing Wonderwall.

We should prefer using a signed token or similar that can be verified by
the upstreams.
 2024-01-16 08:57:07 +01:00
Trong Huu Nguyen
40497da1b9 feat(handler/reverseproxy): filter relevant access requests 2023-12-20 15:41:29 +01:00
Trong Huu Nguyen
41f4354ce4 revert: "feat(handler/error): remove automatic retry" 
This reverts commit 083cb54df7.
 2023-12-20 11:17:51 +01:00
Trong Huu Nguyen
e71e4a2fda feat(handler/reverseproxy): add toggle for access logs 2023-12-20 08:25:35 +01:00
Trong Huu Nguyen
55839d72f0 feat(handler/login): log existing sid on prompt 2023-12-19 12:19:39 +01:00
Trong Huu Nguyen
50e53330b9 feat(handler/reverseproxy): remove unnecessary log fields 2023-12-19 12:05:01 +01:00
Trong Huu Nguyen
f82c8a7078 feat(handler/login): drop logging sub claim 2023-12-19 11:04:03 +01:00
Trong Huu Nguyen
9c2d1cb520 feat(cookie): remove expiry options 
Always create session cookies instead of
persistent cookies with expiry.
 2023-12-19 08:46:08 +01:00
Trong Huu Nguyen
e00832016b feat(handler/login): remove legacy cookie 
We don't really need to set an additional cookie without SameSite
as we now use SameSite=Lax for the login cookie.
 2023-12-19 08:46:08 +01:00
Trong Huu Nguyen
083cb54df7 feat(handler/error): remove automatic retry 2023-12-19 08:46:06 +01:00
Trong Huu Nguyen
273eb3604a feat(cookie): use samesite lax instead of none for callback 2023-12-19 08:46:03 +01:00
Trong Huu Nguyen
c3904433f2 feat: log and propagate session metadata 
- stop using jti, use sid instead
- store amr and auth_time from id_token in session
- log more metadata on login callback
- log session id where possible
- propagate acr, amr, auth_time, sid to upstreams in headers
- log authenticated reverseproxy requests
 2023-12-19 08:46:02 +01:00
Trong Huu Nguyen
a10da5d0d7 feat(handler/login): add support for prompt param in login 2023-12-19 08:46:01 +01:00
Trong Huu Nguyen
8f3c5cde88 fix(handler/error): redirect callbacks to initial handlers, retry others as-is 2023-12-19 08:45:57 +01:00
Trong Huu Nguyen
3f7af9e232 chore(config): set new default value for idporten acr 2023-12-12 09:12:41 +01:00
Trong Huu Nguyen
6d32363d13 feat(config): drop dirty modifier from version string 2023-11-29 09:21:04 +01:00
Trong Huu Nguyen
70a45e1522 style: formatting 2023-11-28 10:15:32 +01:00
Trong Huu Nguyen
423bb4f22f fix(router): skip middleware if otel is not enabled 2023-11-28 10:12:15 +01:00
Trong Huu Nguyen
35e4953557 fix(session/redis): skip setup if otel is not enabled 2023-11-28 10:08:31 +01:00