github/wonderwall
1
0
Fork 0
mirror of https://github.com/nais/wonderwall.git synced 2026-05-07 00:46:56 +00:00
Code Issues Packages Projects Releases Wiki Activity
587 Commits 2 Branches 0 Tags
cbfa3fe2e23378ffc382fe8983d0d9d4b97c19dc
Commit Graph

75 Commits

Author SHA1 Message Date
Trong Huu Nguyen
46852be025 feat(openid): prepare acr mappings for migration to new idporten 2023-05-25 15:54:29 +02:00
Trong Huu Nguyen
b28c91c94c perf(all): use single Transport, set IdleConnTimeout 
Reduces IdleConnTimeout to 5 seconds. Reverse proxying to a server that
has a shorter keep-alive may cause "EOF" and "connection reset by peer"
issues as the connections may be closed by the upstream before our
client notices.
 2023-05-16 08:36:45 +02:00
Trong Huu Nguyen
0c531d9ec1 perf: increase max idle connections for http clients 2023-05-04 14:45:45 +02:00
Trong Huu Nguyen
6151aa3279 feat(openid, handler): support runtime override of redirect after single-logout 
Fixes #100.
 2023-05-04 14:45:13 +02:00
Trong Huu Nguyen
6ebc95a8e0 feat: add logout cookie 2023-05-03 09:05:42 +02:00
Trong Huu Nguyen
2a0c376c4b feat(openid): validate acr in id_token if sent in auth request 2023-04-29 10:27:23 +02:00
Trong Huu Nguyen
19095ccfea feat(openid): store acr in state cookie 2023-04-29 09:09:02 +02:00
Trong Huu Nguyen
19b2401831 feat(metrics): add authentication method reference label for successful logins 2023-04-18 12:20:23 +02:00
Trong Huu Nguyen
47218da6d2 refactor(openid): simplify parameter handling for auth url 2023-04-18 11:16:50 +02:00
Trong Huu Nguyen
fd73a0a83e refactor(openid/config): more descriptive error message for unsupported values 2023-03-21 09:11:30 +01:00
Trong Huu Nguyen
27897dad63 refactor(handler/standalone): use new sessionmanager, remove unneeded methods 2023-02-21 14:16:51 +01:00
Trong Huu Nguyen
fb28da7241 refactor: consolidate handlers 2023-02-16 10:55:50 +01:00
Trong Huu Nguyen
473e4a95a7 refactor: remove loginstatus 
Loginstatus is no longer needed with the SSO setup.
Fixes #50.
 2023-02-10 14:58:17 +01:00
Trong Huu Nguyen
42dcba8367 refactor: replace relative canonical redirect with handler 
This also ensure that we clean any urls that may stem from user input (e.g.
url parameter or login cookie) before performing redirects.
 2023-02-10 14:58:14 +01:00
Trong Huu Nguyen
5f74ee08bc refactor(url): extract utility functions 2023-02-10 14:58:12 +01:00
Trong Huu Nguyen
0e73c9b4d8 refactor(mock): configure relying party ingress before server start 2023-02-10 14:58:11 +01:00
Trong Huu Nguyen
bd748b9cef refactor(openid/provider): use name from config instead of indirection layer 2023-02-10 14:57:56 +01:00
Trong Huu Nguyen
ed56aac3d0 style: follow conventions for error variable names 2022-09-19 08:41:23 +02:00
Trong Huu Nguyen
b8785b7414 style: use shorthand time functions where possible 2022-09-19 08:41:21 +02:00
Trong Huu Nguyen
d718c36595 style(openid/client): remove unused struct field 2022-09-19 08:41:20 +02:00
Trong Huu Nguyen
7f93c62604 fix(openid/client): handle missing redirect uri for callbacks 2022-09-09 12:31:17 +02:00
Trong Huu Nguyen
3f24537b36 fix(openid/client): set iat for assertion in the past to alleviate clock skew 2022-09-06 08:46:35 +02:00
Trong Huu Nguyen
c0138f4b49 feat(session): use locks for refreshing 
One of the changes in OAuth 2.1 addresses attacks with refresh token
replays by recommending the use of one-time use tokens. A refresh token
is thus rotated and invalid after exactly one use, returning a new token
for each successful grant. Any further attempts must thus use the most
recently acquired refresh token. Reusing a refresh token may also
cause the authorization server to invalidate the current active refresh
token, requiring a refresh authorization grant to be reacquired for
further refresh token usage.

The use of locks prevents multiple refresh grant attempts for a given
session from happening across concurrent requests.
 2022-09-04 17:14:35 +02:00
Trong Huu Nguyen
08eefbf1d5 refactor(openid): clean up client and provider 2022-09-02 18:08:36 +02:00
Trong Huu Nguyen
92ee6313c5 refactor: remove unnecessary interfaces 2022-09-02 17:39:27 +02:00
Trong Huu Nguyen
c8f48335d4 refactor(openid/config): extract getter for ingresses 2022-09-02 15:17:36 +02:00
Trong Huu Nguyen
9144056e28 refactor(handler): split up request handlers into separate modules 2022-09-02 14:53:11 +02:00
Trong Huu Nguyen
d5bbca9897 feat: rudimentary support for refresh tokens 2022-08-26 14:32:39 +02:00
Trong Huu Nguyen
cafebabea5 fix(openid/client): set redirect_uri param when redeeming auth code 2022-08-23 08:27:34 +02:00
Trong Huu Nguyen
08f570363a refactor(openid): extract magic strings 2022-08-19 11:44:38 +02:00
Trong Huu Nguyen
5a50ba7c3a feat: support multiple ingresses 
Replace hardcoded callback URLs with dynamic generation
of URLs based on incoming requests. These are validated against
a pre-registered list of ingresses for which Wonderwall is considered
authorative for.

We also preserve the cookie behaviour; the most specific ingress path
and domain is used for the cookies.

The `url` package has been moved to the `handler` package, and its
implementation refactored slightly for readability and DRY.
 2022-08-17 20:43:56 +02:00
Trong Huu Nguyen
41a10d8fe7 refactor: replace deprecated ioutil method and magic string 2022-08-17 11:39:43 +02:00
Trong Huu Nguyen
242dc12be9 refactor(openid/config): remove unused field 2022-07-20 15:25:28 +02:00
Trong Huu Nguyen
eac2d5789d refactor: passthrough for consistency in openid configuration 2022-07-20 09:58:49 +02:00
Trong Huu Nguyen
3e62683cad refactor: use pointer receivers when possible 2022-07-19 19:24:28 +02:00
Trong Huu Nguyen
284fa2a76f fix(openid/client): ensure assertion time claims are rounded down instead of up 
Hopefully fixes intermittent 'invalid_grant' errors from IdP.
 2022-07-18 09:24:26 +02:00
Trong Huu Nguyen
822c37ac20 test: add error handler tests, use httptest lib for requests 2022-07-15 08:43:25 +02:00
Trong Huu Nguyen
e3b9d33296 refactor: split out packages from router 2022-07-15 07:44:54 +02:00
Trong Huu Nguyen
aab249d78a refactor(jwt): skip parsing access tokens 
Access Tokens are not necessarily JWTs. We also don't
have to validate them as we only pass it on as an opaque
string.

This also means that we don't log the JTI access tokens
anymore.

We also simplify handling of oidc callbacks.
 2022-07-14 12:14:25 +02:00
Trong Huu Nguyen
9ac091fe91 test(openid/client): fix broken login callback tests 2022-07-14 10:05:34 +02:00
Trong Huu Nguyen
aead53c60a refactor(openid/client): expose method for generating code challenge 2022-07-14 10:03:14 +02:00
Trong Huu Nguyen
2b730f1c32 refactor(openid/client): scope is not required for client assertions 2022-07-14 09:42:58 +02:00
Trong Huu Nguyen
1f59173266 refactor(openid/client): scope is already set by oauth2 pkg 2022-07-14 09:14:59 +02:00
Trong Huu Nguyen
66cf08e602 refactor(openid/logout): simplify logout logic 
As we already clear any local sessions before redirecting to the
Identity Provider, and the callback always redirects to a pre-configured URL,
there isn't really any need to maintain and verify state in the logout
callback.

In other words, the logout callback handler is simply a redirect handler.
 2022-07-12 15:09:49 +02:00
Trong Huu Nguyen
c321cff4eb test(openid/client): add missing tests 2022-07-12 14:28:17 +02:00
Trong Huu Nguyen
b937c64dd6 refactor(openid/client): ensure callback cookies are not nil 2022-07-11 14:30:04 +02:00
Trong Huu Nguyen
b770f22174 refactor(handler/logoutcallback): extract to openid client 2022-07-11 13:37:40 +02:00
Trong Huu Nguyen
ad3201fbfb refactor(handler/logout): extract to openid client 2022-07-11 13:09:10 +02:00
Trong Huu Nguyen
451642caf8 refactor(handler/frontchannellogout): extract to openid client 2022-07-11 13:04:00 +02:00
Trong Huu Nguyen
2f237ec89c refactor(handler/callback): extract openid specific code to client 2022-07-08 15:07:16 +02:00