2020-02-01 12:54:50 +00:00
|
|
|
package handlers
|
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
|
|
|
"net/url"
|
2021-11-29 03:09:14 +00:00
|
|
|
"time"
|
2020-02-01 12:54:50 +00:00
|
|
|
|
2020-05-05 21:27:38 +00:00
|
|
|
"github.com/valyala/fasthttp"
|
|
|
|
|
2021-08-11 01:04:35 +00:00
|
|
|
"github.com/authelia/authelia/v4/internal/authorization"
|
|
|
|
"github.com/authelia/authelia/v4/internal/middlewares"
|
2022-05-03 05:28:58 +00:00
|
|
|
"github.com/authelia/authelia/v4/internal/model"
|
2022-04-07 05:33:53 +00:00
|
|
|
"github.com/authelia/authelia/v4/internal/oidc"
|
2021-08-11 01:04:35 +00:00
|
|
|
"github.com/authelia/authelia/v4/internal/utils"
|
2020-02-01 12:54:50 +00:00
|
|
|
)
|
|
|
|
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
// handleOIDCWorkflowResponse handle the redirection upon authentication in the OIDC workflow.
|
|
|
|
func handleOIDCWorkflowResponse(ctx *middlewares.AutheliaCtx) {
|
2021-05-04 22:06:05 +00:00
|
|
|
userSession := ctx.GetSession()
|
|
|
|
|
2022-04-07 05:33:53 +00:00
|
|
|
if userSession.ConsentChallengeID == nil {
|
|
|
|
ctx.Logger.Errorf("Unable to handle OIDC workflow response because the user session doesn't contain a consent challenge id")
|
|
|
|
|
|
|
|
respondUnauthorized(ctx, messageOperationFailed)
|
2021-05-04 22:06:05 +00:00
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-04-07 05:33:53 +00:00
|
|
|
externalRootURL, err := ctx.ExternalRootURL()
|
2021-05-04 22:06:05 +00:00
|
|
|
if err != nil {
|
2021-11-29 03:09:14 +00:00
|
|
|
ctx.Logger.Errorf("Unable to determine external Base URL: %v", err)
|
|
|
|
|
|
|
|
respondUnauthorized(ctx, messageOperationFailed)
|
2021-05-04 22:06:05 +00:00
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-04-07 05:33:53 +00:00
|
|
|
consent, err := ctx.Providers.StorageProvider.LoadOAuth2ConsentSessionByChallengeID(ctx, *userSession.ConsentChallengeID)
|
|
|
|
if err != nil {
|
|
|
|
ctx.Logger.Errorf("Unable to load consent session from database: %v", err)
|
|
|
|
|
|
|
|
respondUnauthorized(ctx, messageOperationFailed)
|
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
client, err := ctx.Providers.OpenIDConnect.Store.GetFullClient(consent.ClientID)
|
|
|
|
if err != nil {
|
|
|
|
ctx.Logger.Errorf("Unable to find client for the consent session: %v", err)
|
|
|
|
|
|
|
|
respondUnauthorized(ctx, messageOperationFailed)
|
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
if !client.IsAuthenticationLevelSufficient(userSession.AuthenticationLevel) {
|
|
|
|
ctx.Logger.Warnf("OpenID Connect client '%s' requires 2FA, cannot be redirected yet", client.ID)
|
|
|
|
ctx.ReplyOK()
|
|
|
|
|
|
|
|
return
|
|
|
|
}
|
2021-05-04 22:06:05 +00:00
|
|
|
|
2022-05-03 05:28:58 +00:00
|
|
|
if consent.Subject.UUID, err = ctx.Providers.OpenIDConnect.Store.GetSubject(ctx, client.GetSectorIdentifier(), userSession.Username); err != nil {
|
|
|
|
ctx.Logger.Errorf("Unable to find subject for the consent session: %v", err)
|
|
|
|
|
|
|
|
respondUnauthorized(ctx, messageOperationFailed)
|
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
consent.Subject.Valid = true
|
|
|
|
|
|
|
|
var preConsent *model.OAuth2ConsentSession
|
|
|
|
|
|
|
|
if preConsent, err = getOIDCPreConfiguredConsentFromClientAndConsent(ctx, client, consent); err != nil {
|
|
|
|
ctx.Logger.Errorf("Unable to lookup pre-configured consent for the consent session: %v", err)
|
|
|
|
|
|
|
|
respondUnauthorized(ctx, messageOperationFailed)
|
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
if userSession.ConsentChallengeID != nil && preConsent == nil {
|
2022-04-07 05:33:53 +00:00
|
|
|
if err = ctx.SetJSONBody(redirectResponse{Redirect: fmt.Sprintf("%s/consent", externalRootURL)}); err != nil {
|
2021-05-04 22:06:05 +00:00
|
|
|
ctx.Logger.Errorf("Unable to set default redirection URL in body: %s", err)
|
|
|
|
}
|
2022-05-03 05:28:58 +00:00
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
if userSession.ConsentChallengeID != nil {
|
|
|
|
userSession.ConsentChallengeID = nil
|
|
|
|
|
|
|
|
if err = ctx.SaveSession(userSession); err != nil {
|
|
|
|
ctx.Logger.Errorf("Unable to update user session: %v", err)
|
|
|
|
|
|
|
|
respondUnauthorized(ctx, messageOperationFailed)
|
|
|
|
|
|
|
|
return
|
2021-05-04 22:06:05 +00:00
|
|
|
}
|
|
|
|
}
|
2022-05-03 05:28:58 +00:00
|
|
|
|
|
|
|
if err = ctx.SetJSONBody(redirectResponse{Redirect: fmt.Sprintf("%s%s?%s", externalRootURL, oidc.AuthorizationPath, consent.Form)}); err != nil {
|
|
|
|
ctx.Logger.Errorf("Unable to set default redirection URL in body: %s", err)
|
|
|
|
}
|
2021-05-04 22:06:05 +00:00
|
|
|
}
|
|
|
|
|
2020-05-02 05:06:39 +00:00
|
|
|
// Handle1FAResponse handle the redirection upon 1FA authentication.
|
2021-03-05 04:18:31 +00:00
|
|
|
func Handle1FAResponse(ctx *middlewares.AutheliaCtx, targetURI, requestMethod string, username string, groups []string) {
|
2020-02-04 21:18:02 +00:00
|
|
|
if targetURI == "" {
|
2020-03-06 00:31:09 +00:00
|
|
|
if !ctx.Providers.Authorizer.IsSecondFactorEnabled() && ctx.Configuration.DefaultRedirectionURL != "" {
|
2020-12-16 01:47:31 +00:00
|
|
|
err := ctx.SetJSONBody(redirectResponse{Redirect: ctx.Configuration.DefaultRedirectionURL})
|
|
|
|
if err != nil {
|
|
|
|
ctx.Logger.Errorf("Unable to set default redirection URL in body: %s", err)
|
|
|
|
}
|
2020-02-04 21:18:02 +00:00
|
|
|
} else {
|
|
|
|
ctx.ReplyOK()
|
2020-02-01 12:54:50 +00:00
|
|
|
}
|
2020-05-05 19:35:32 +00:00
|
|
|
|
2020-02-04 21:18:02 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
targetURL, err := url.ParseRequestURI(targetURI)
|
|
|
|
if err != nil {
|
2021-09-17 05:53:40 +00:00
|
|
|
ctx.Error(fmt.Errorf("unable to parse target URL %s: %s", targetURI, err), messageAuthenticationFailed)
|
2020-02-04 21:18:02 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2021-03-05 04:18:31 +00:00
|
|
|
requiredLevel := ctx.Providers.Authorizer.GetRequiredLevel(
|
|
|
|
authorization.Subject{
|
|
|
|
Username: username,
|
|
|
|
Groups: groups,
|
|
|
|
IP: ctx.RemoteIP(),
|
|
|
|
},
|
|
|
|
authorization.NewObject(targetURL, requestMethod))
|
2020-02-04 21:18:02 +00:00
|
|
|
|
|
|
|
ctx.Logger.Debugf("Required level for the URL %s is %d", targetURI, requiredLevel)
|
|
|
|
|
2020-04-19 11:45:46 +00:00
|
|
|
if requiredLevel == authorization.TwoFactor {
|
|
|
|
ctx.Logger.Warnf("%s requires 2FA, cannot be redirected yet", targetURI)
|
2020-02-04 21:18:02 +00:00
|
|
|
ctx.ReplyOK()
|
2020-05-05 19:35:32 +00:00
|
|
|
|
2020-02-04 21:18:02 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
safeRedirection := utils.IsRedirectionSafe(*targetURL, ctx.Configuration.Session.Domain)
|
2020-02-01 12:54:50 +00:00
|
|
|
|
2020-02-04 21:18:02 +00:00
|
|
|
if !safeRedirection {
|
2021-09-17 05:53:40 +00:00
|
|
|
ctx.Logger.Debugf("Redirection URL %s is not safe", targetURI)
|
|
|
|
|
2020-03-06 00:31:09 +00:00
|
|
|
if !ctx.Providers.Authorizer.IsSecondFactorEnabled() && ctx.Configuration.DefaultRedirectionURL != "" {
|
2020-12-16 01:47:31 +00:00
|
|
|
err := ctx.SetJSONBody(redirectResponse{Redirect: ctx.Configuration.DefaultRedirectionURL})
|
|
|
|
if err != nil {
|
|
|
|
ctx.Logger.Errorf("Unable to set default redirection URL in body: %s", err)
|
|
|
|
}
|
2020-02-01 12:54:50 +00:00
|
|
|
} else {
|
|
|
|
ctx.ReplyOK()
|
|
|
|
}
|
2020-05-05 19:35:32 +00:00
|
|
|
|
2020-02-04 21:18:02 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
ctx.Logger.Debugf("Redirection URL %s is safe", targetURI)
|
2021-08-02 06:15:38 +00:00
|
|
|
err = ctx.SetJSONBody(redirectResponse{Redirect: targetURI})
|
2020-05-05 19:35:32 +00:00
|
|
|
|
2020-12-16 01:47:31 +00:00
|
|
|
if err != nil {
|
|
|
|
ctx.Logger.Errorf("Unable to set redirection URL in body: %s", err)
|
|
|
|
}
|
2020-02-04 21:18:02 +00:00
|
|
|
}
|
|
|
|
|
2020-05-02 05:06:39 +00:00
|
|
|
// Handle2FAResponse handle the redirection upon 2FA authentication.
|
2020-02-04 21:18:02 +00:00
|
|
|
func Handle2FAResponse(ctx *middlewares.AutheliaCtx, targetURI string) {
|
|
|
|
if targetURI == "" {
|
2020-02-01 12:54:50 +00:00
|
|
|
if ctx.Configuration.DefaultRedirectionURL != "" {
|
2020-12-16 01:47:31 +00:00
|
|
|
err := ctx.SetJSONBody(redirectResponse{Redirect: ctx.Configuration.DefaultRedirectionURL})
|
|
|
|
if err != nil {
|
|
|
|
ctx.Logger.Errorf("Unable to set default redirection URL in body: %s", err)
|
|
|
|
}
|
2020-02-01 12:54:50 +00:00
|
|
|
} else {
|
|
|
|
ctx.ReplyOK()
|
|
|
|
}
|
2020-05-05 19:35:32 +00:00
|
|
|
|
2020-02-04 21:18:02 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2021-08-02 06:15:38 +00:00
|
|
|
safe, err := utils.IsRedirectionURISafe(targetURI, ctx.Configuration.Session.Domain)
|
2020-02-04 21:18:02 +00:00
|
|
|
|
|
|
|
if err != nil {
|
2021-09-17 05:53:40 +00:00
|
|
|
ctx.Error(fmt.Errorf("unable to check target URL: %s", err), messageMFAValidationFailed)
|
2020-02-04 21:18:02 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2021-08-02 06:15:38 +00:00
|
|
|
if safe {
|
|
|
|
ctx.Logger.Debugf("Redirection URL %s is safe", targetURI)
|
2020-12-16 01:47:31 +00:00
|
|
|
err := ctx.SetJSONBody(redirectResponse{Redirect: targetURI})
|
2021-08-02 06:15:38 +00:00
|
|
|
|
2020-12-16 01:47:31 +00:00
|
|
|
if err != nil {
|
|
|
|
ctx.Logger.Errorf("Unable to set redirection URL in body: %s", err)
|
|
|
|
}
|
2020-02-04 21:18:02 +00:00
|
|
|
} else {
|
|
|
|
ctx.ReplyOK()
|
2020-02-01 12:54:50 +00:00
|
|
|
}
|
|
|
|
}
|
2020-05-05 21:27:38 +00:00
|
|
|
|
2021-11-29 03:09:14 +00:00
|
|
|
func markAuthenticationAttempt(ctx *middlewares.AutheliaCtx, successful bool, bannedUntil *time.Time, username string, authType string, errAuth error) (err error) {
|
|
|
|
// We only Mark if there was no underlying error.
|
|
|
|
ctx.Logger.Debugf("Mark %s authentication attempt made by user '%s'", authType, username)
|
|
|
|
|
2021-12-02 02:21:46 +00:00
|
|
|
var (
|
|
|
|
requestURI, requestMethod string
|
|
|
|
)
|
|
|
|
|
|
|
|
referer := ctx.Request.Header.Referer()
|
|
|
|
if referer != nil {
|
|
|
|
refererURL, err := url.Parse(string(referer))
|
|
|
|
if err == nil {
|
|
|
|
requestURI = refererURL.Query().Get("rd")
|
|
|
|
requestMethod = refererURL.Query().Get("rm")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if err = ctx.Providers.Regulator.Mark(ctx, successful, bannedUntil != nil, username, requestURI, requestMethod, authType, ctx.RemoteIP()); err != nil {
|
2021-11-29 03:09:14 +00:00
|
|
|
ctx.Logger.Errorf("Unable to mark %s authentication attempt by user '%s': %+v", authType, username, err)
|
|
|
|
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
if successful {
|
|
|
|
ctx.Logger.Debugf("Successful %s authentication attempt made by user '%s'", authType, username)
|
|
|
|
} else {
|
|
|
|
switch {
|
|
|
|
case errAuth != nil:
|
|
|
|
ctx.Logger.Errorf("Unsuccessful %s authentication attempt by user '%s': %+v", authType, username, errAuth)
|
|
|
|
case bannedUntil != nil:
|
|
|
|
ctx.Logger.Errorf("Unsuccessful %s authentication attempt by user '%s' and they are banned until %s", authType, username, bannedUntil)
|
|
|
|
default:
|
|
|
|
ctx.Logger.Errorf("Unsuccessful %s authentication attempt by user '%s'", authType, username)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func respondUnauthorized(ctx *middlewares.AutheliaCtx, message string) {
|
2020-05-05 21:27:38 +00:00
|
|
|
ctx.SetStatusCode(fasthttp.StatusUnauthorized)
|
2021-11-29 03:09:14 +00:00
|
|
|
ctx.SetJSONError(message)
|
2020-05-05 21:27:38 +00:00
|
|
|
}
|
2022-04-03 23:58:01 +00:00
|
|
|
|
|
|
|
// SetStatusCodeResponse writes a response status code and an appropriate body on either a
|
|
|
|
// *fasthttp.RequestCtx or *middlewares.AutheliaCtx.
|
|
|
|
func SetStatusCodeResponse(ctx responseWriter, statusCode int) {
|
|
|
|
ctx.SetStatusCode(statusCode)
|
|
|
|
ctx.SetBodyString(fmt.Sprintf("%d %s", statusCode, fasthttp.StatusMessage(statusCode)))
|
|
|
|
}
|