Commit Graph

631 Commits

Author SHA1 Message Date
Trong Huu Nguyen
a820dc5b9b perf(session/redis): disable caller tracing
This drops the calling function, filepath and line number attributes
for redisotel tracing. The underlying implementation here calls
runtime.Callers, which is more expensive than we'd like.
2025-07-01 14:03:04 +02:00
Trong Huu Nguyen
4bf3b1bdd4 refactor: move string generator to crypto package 2025-06-16 09:55:44 +02:00
Trong Huu Nguyen
4e1c8e68f8 feat(openid): retry front-channel logouts 2025-06-16 09:55:44 +02:00
Trong Huu Nguyen
a156c11ace refactor(session): use SetSpanAttributes on refresh 2025-06-16 09:55:43 +02:00
Trong Huu Nguyen
1a138c66a3 refactor: move retry package 2025-06-16 09:55:42 +02:00
Trong Huu Nguyen
b3c2c72155 feat(openid): only set max_age parameter for prompt=login
We generally don't want to instruct the identity provider
to attempt full reauthentication when switching accounts
with `prompt=select_account`.
2025-06-11 13:28:52 +02:00
Trong Huu Nguyen
052d310280 fix(openid): require expires_in for token responses
While RFC 6749 specifies this field as recommended:

> If omitted, the authorization server SHOULD provide the
> expiration time via other means or document the default value.

and equivalently the OIDC Core spec specifies the same field as optional,
we will explicitly enforce that these fields are returned from the AS.

This isn't a breaking change as the existing session refresh logic implicitly
depends on this field and its value.

While there are probably some providers that omit the `expires_in` field
or set it to zero with the intent of returning access tokens that do not
expire, we assume these are relatively rare. We might revisit this
at some point in the future, should our assumptions be wrong.
2025-06-11 13:07:18 +02:00
Trong Huu Nguyen
bf2f97f400 feat: set more session and token-related span attributes 2025-06-10 13:51:15 +02:00
Trong Huu Nguyen
9bb5ac9210 fix(openid/client): also accept acr and locale params when no defaults are configured 2025-05-23 09:00:45 +02:00
Trong Huu Nguyen
b9963b19f9 refactor(openid): clean up id_token validation tests 2025-05-23 08:59:42 +02:00
Trong Huu Nguyen
c5ec362e60 feat(session): update id_token in session if returned from refresh grant
Co-authored-by: Thomas Krampl <thomas.siegfried.krampl@nav.no>
2025-05-22 15:52:15 +02:00
Trong Huu Nguyen
192cd86022 feat: use id_token instead of access_token for forward-auth headers
Co-authored-by: Thomas Krampl <thomas.siegfried.krampl@nav.no>
2025-05-22 11:09:59 +02:00
Trong Huu Nguyen
b21068f522 feat: set response headers for forward-auth behind feature flag 2025-05-22 09:04:58 +02:00
Trong Huu Nguyen
abf235dac6 feat(handler): attach token in forward-auth response
Co-authored-by: Thomas Krampl <thomas.siegfried.krampl@nav.no>
2025-05-21 15:16:27 +02:00
Trong Huu Nguyen
259bf635d1 chore(deps): bump github.com/lestrrat-go/jwx from v2 to v3 2025-05-21 10:38:26 +02:00
Trong Huu Nguyen
2ca79b595a test: move upstream struct to reverseproxy file 2025-05-21 10:38:25 +02:00
Trong Huu Nguyen
762b64eff5 fix(reverseproxy): strip incoming id-token header for unauthenticated requests 2025-04-28 10:50:12 +02:00
Trong Huu Nguyen
6bd858407b chore(deps): bump dependencies, replace deprecated mapstructure 2025-04-08 12:53:00 +02:00
Trong Huu Nguyen
ca8c09ae10 fix(openid/client): flatten audience for client assertion
In accordance with OpenID Connect 1.0 Core, draft 36 incorporating
errata set 3:

> aud
>    REQUIRED. Audience. The aud (audience) Claim. [...] The Audience value MUST be the OP's Issuer Identifier passed as a string, and not a single-element array.
2025-04-02 13:44:37 +02:00
Trong Huu Nguyen
01241f91ac perf: replace bytes.Buffer with strings.Builder 2025-04-02 11:53:30 +02:00
Trong Huu Nguyen
126db31d25 feat: restrict non-navigational requests to oauth2-routes for all modes 2025-04-02 11:53:29 +02:00
Trong Huu Nguyen
39d695e104 fix(openid/client): retry server errors for PAR 2025-03-06 10:05:58 +01:00
Trong Huu Nguyen
9c26a5591d feat(retry): increase max retry duration 2025-03-06 10:05:58 +01:00
Trong Huu Nguyen
12f6ce57aa feat(redis): register prometheus metrics 2025-03-06 10:05:57 +01:00
Trong Huu Nguyen
1982d010f9 fix(handler/session): ignore request context cancellations
We ignore these as they are very likely due to the http request itself
being cancelled by the browser due to navigation and so on.
2025-03-03 08:48:21 +01:00
Trong Huu Nguyen
7698a6f9b8 fix(router): only apply cors for forward-auth 2025-02-05 11:31:24 +01:00
Trong Huu Nguyen
1efcf32cc0 fix(router): only disallow non-navigation requests for forward-auth
Unfortunately, public pages may have older user-agents that do not support Sec-Fetch- headers.
This is mostly Safari <16.3. We only apply this limitation for forward-auth for now.
2025-02-05 11:10:24 +01:00
Trong Huu Nguyen
9d926fff03 fix(router): correct cors setup part deux 2025-02-03 11:56:40 +01:00
Trong Huu Nguyen
2e8c7075ff fix: set content-type header before status 2025-02-03 11:38:35 +01:00
Trong Huu Nguyen
c9de679951 feat(cors): reflect headers for allow-headers
Co-authored-by: sindrerh2 <sindre.rodseth.hansen@nav.no>
2025-02-03 10:52:32 +01:00
Trong Huu Nguyen
1f6a23f73d fix(router): configure cors for login and logout endpoints
Co-authored-by: sindrerh2 <sindre.rodseth.hansen@nav.no>
2025-02-03 10:18:24 +01:00
Trong Huu Nguyen
ed02b782fe refactor(http): inline navigation check in middleware 2025-02-03 08:41:59 +01:00
Trong Huu Nguyen
7c6f9d6f70 feat(session): record id attribute regardless of session validity 2025-01-31 18:52:19 +01:00
Trong Huu Nguyen
4b1bdef5cd feat: disallow non-navigational requests to login and logout endpoints 2025-01-31 16:42:24 +01:00
Trong Huu Nguyen
f192d55971 fix(config): drop 'vcs.modified' when resolving version
Co-authored-by: sindrerh2 <sindre.rodseth.hansen@nav.no>
2025-01-30 15:17:36 +01:00
Trong Huu Nguyen
1268f7627c feat(config): use OTEL_SERVICE_NAME if set
Co-authored-by: sindrerh2 <sindre.rodseth.hansen@nav.no>
2025-01-30 14:03:41 +01:00
Trong Huu Nguyen
79ac15d455 feat(otel): consistency passthrough for spans and attributes
Co-authored-by: sindrerh2 <sindre.rodseth.hansen@nav.no>
2025-01-30 14:03:39 +01:00
Sindre Rødseth Hansen
07b542a2f5 feat(openid/error): add spans and attributes
Co-authored-by: tronghn <trong.huu.nguyen@nav.no>
2025-01-30 14:03:39 +01:00
Sindre Rødseth Hansen
dd0373b72d feat(openid/client): add spans and attributes
Co-authored-by: tronghn <trong.huu.nguyen@nav.no>
2025-01-30 14:03:38 +01:00
Trong Huu Nguyen
44bb683531 feat(handler): add spans
Co-authored-by: sindrerh2 <sindre.rodseth.hansen@nav.no>
2025-01-30 14:03:38 +01:00
Trong Huu Nguyen
e6207fe3b4 feat(handler/reverseproxy): more spans
Co-authored-by: sindrerh2 <sindre.rodseth.hansen@nav.no>
2025-01-30 14:03:37 +01:00
Trong Huu Nguyen
475fe25100 feat(session): add even more tracing
Co-authored-by: sindrerh2 <sindre.rodseth.hansen@nav.no>
2025-01-30 14:03:36 +01:00
Trong Huu Nguyen
787b54beeb refactor(crypto): move to internal
Co-authored-by: sindrerh2 <sindre.rodseth.hansen@nav.no>
2025-01-30 14:03:36 +01:00
Trong Huu Nguyen
85230d5403 feat(session): add trace spans and attributes
Co-authored-by: sindrerh2 <sindre.rodseth.hansen@nav.no>
2025-01-30 14:03:35 +01:00
Trong Huu Nguyen
a157a13b9c refactor(o11y): separate logging and otel packages
Co-authored-by: sindrerh2 <sindre.rodseth.hansen@nav.no>
2025-01-30 14:03:34 +01:00
Trong Huu Nguyen
21b85c4b54 feat(handler/reverseproxy): add trace spans with attributes
Co-authored-by: sindrerh2 <sindre.rodseth.hansen@nav.no>
2025-01-30 14:03:34 +01:00
Trong Huu Nguyen
dc4c563b26 feat(otel): set more resource attributes
Co-authored-by: sindrerh2 <sindre.rodseth.hansen@nav.no>
2025-01-30 14:03:33 +01:00
Trong Huu Nguyen
05c5da6bf6 fix(middleware/tracing): check attribute types before setting them
Co-authored-by: sindrerh2 <sindre.rodseth.hansen@nav.no>
2025-01-30 14:03:33 +01:00
Trong Huu Nguyen
13b11790fe feat(handler): log additional fields for errors and reverseproxy
Co-authored-by: sindrerh2 <sindre.rodseth.hansen@nav.no>
2025-01-30 14:03:31 +01:00
Sindre Rødseth Hansen
ca77435d6a feat(http): propagate traceparent for httpclient
Co-authored-by: tronghn <trong.huu.nguyen@nav.no>
2025-01-30 14:03:30 +01:00