package schema
import (
"crypto/rsa"
"net/url"
"time"
)
// IdentityProviders represents the Identity Providers configuration for Authelia.
type IdentityProviders struct {
	// OIDC is the OpenID Connect 1.0 provider configuration read from the
	// "oidc" key. It is a pointer and may therefore be nil (for example when
	// no OIDC section is configured), so callers must nil-check it before
	// dereferencing.
	OIDC *OpenIDConnect `koanf:"oidc"`
}
// OpenIDConnect configuration for OpenID Connect 1.0.
//
// The non-zero defaults quoted below are the values set in
// DefaultOpenIDConnectConfiguration in this file; how they are merged into a
// user supplied configuration is decided outside this file.
type OpenIDConnect struct {
	// HMACSecret is the provider HMAC secret (hmac_secret). It is secret
	// material: it must never be logged or echoed in error messages. What it
	// protects is decided by the provider code, not here.
	HMACSecret string `koanf:"hmac_secret"`

	// IssuerPrivateKeys is the list of issuer keys in JWK form
	// (issuer_private_keys). Private keys are secret material.
	IssuerPrivateKeys []JWK `koanf:"issuer_private_keys"`

	// IssuerCertificateChain is the X.509 chain associated with the issuer
	// (issuer_certificate_chain).
	IssuerCertificateChain X509CertificateChain `koanf:"issuer_certificate_chain"`

	// IssuerPrivateKey is the single RSA key form (issuer_private_key), kept
	// alongside the multi-key IssuerPrivateKeys. Which one wins when both are
	// set is not decided in this file; confirm in the configuration validator.
	IssuerPrivateKey *rsa.PrivateKey `koanf:"issuer_private_key"`

	// AccessTokenLifespan is the access token validity period
	// (access_token_lifespan); default one hour.
	AccessTokenLifespan time.Duration `koanf:"access_token_lifespan"`

	// AuthorizeCodeLifespan is the authorization code validity period
	// (authorize_code_lifespan); default one minute. Codes are single-use
	// bearer values, so this should stay short.
	AuthorizeCodeLifespan time.Duration `koanf:"authorize_code_lifespan"`

	// IDTokenLifespan is the ID token validity period (id_token_lifespan);
	// default one hour.
	IDTokenLifespan time.Duration `koanf:"id_token_lifespan"`

	// RefreshTokenLifespan is the refresh token validity period
	// (refresh_token_lifespan); default 90 minutes.
	RefreshTokenLifespan time.Duration `koanf:"refresh_token_lifespan"`

	// EnableClientDebugMessages presumably returns more detailed error
	// information to clients (enable_client_debug_messages); exactly what is
	// exposed is decided by the provider code. Verbose errors can reveal
	// internal state, so this is a development-only switch.
	EnableClientDebugMessages bool `koanf:"enable_client_debug_messages"`

	// MinimumParameterEntropy is the minimum entropy required of request
	// parameters (minimum_parameter_entropy). Which parameters are checked,
	// and in what unit, is decided by the provider code; confirm there.
	MinimumParameterEntropy int `koanf:"minimum_parameter_entropy"`

	// EnforcePKCE selects when PKCE is mandatory (enforce_pkce). It is a mode
	// string, not a bool; default "public_clients_only". Note that the
	// per-client EnforcePKCE on OpenIDConnectClient is a bool.
	EnforcePKCE string `koanf:"enforce_pkce"`

	// EnablePKCEPlainChallenge permits the "plain" code_challenge_method
	// (enable_pkce_plain_challenge). "plain" gives no protection once the
	// authorization request is observed, so this should stay false unless a
	// legacy client requires it; S256 is the RFC 7636 recommendation.
	EnablePKCEPlainChallenge bool `koanf:"enable_pkce_plain_challenge"`

	// PAR is the Pushed Authorization Requests configuration
	// (pushed_authorizations).
	PAR OpenIDConnectPAR `koanf:"pushed_authorizations"`

	// CORS is the CORS configuration for the provider endpoints (cors).
	CORS OpenIDConnectCORS `koanf:"cors"`

	// Clients is the list of registered relying parties (clients).
	Clients []OpenIDConnectClient `koanf:"clients"`

	// Policies maps a policy name to an authorization policy definition
	// (policies). Client Policy values presumably refer to these names; that
	// lookup is not performed in this file.
	Policies map[string]OpenIDConnectPolicy `koanf:"policies"`

	// Discovery holds metadata derived during validation and reused by the
	// discovery handlers. It has no koanf tag and is not user configurable.
	Discovery OpenIDConnectDiscovery // MetaData value. Not configurable by users.
}
// OpenIDConnectPolicy is a named authorization policy definition; instances
// live in the OpenIDConnect.Policies map keyed by policy name.
type OpenIDConnectPolicy struct {
	// DefaultPolicy is presumably the policy applied when no entry in Rules
	// matches (default_policy).
	DefaultPolicy string `koanf:"default_policy"`

	// Rules select a policy for specific subjects; see OpenIDConnectPolicyRule.
	// Evaluation order and first-match semantics are decided by the evaluating
	// code, not here.
	Rules []OpenIDConnectPolicyRule `koanf:"rules"`
}
// OpenIDConnectPolicyRule pairs a policy with the subjects it applies to.
type OpenIDConnectPolicyRule struct {
	// Policy is the policy name applied when this rule matches (policy).
	Policy string `koanf:"policy"`

	// Subjects is a nested list of subject matchers (subject). Whether the
	// outer list is OR and the inner list AND, or the reverse, is not visible
	// here; confirm against the matching code before relying on it.
	Subjects [][]string `koanf:"subject"`
}
// OpenIDConnectDiscovery is information discovered during validation reused for the discovery handlers.
//
// None of these fields carry a koanf tag: they are computed, not read from
// user configuration.
type OpenIDConnectDiscovery struct {
	// Policies lists the policy names known to the provider.
	Policies []string

	// DefaultKeyIDs maps to the key ID used by default; the map key is
	// presumably the signing algorithm name (confirm in the validator).
	DefaultKeyIDs map[string]string

	// DefaultKeyID is the overall default key ID.
	DefaultKeyID string

	// ResponseObjectSigningKeyIDs lists key IDs available for signing
	// response objects.
	ResponseObjectSigningKeyIDs []string

	// ResponseObjectSigningAlgs lists the algorithms advertised for signing
	// response objects.
	ResponseObjectSigningAlgs []string

	// RequestObjectSigningAlgs lists the algorithms advertised as accepted for
	// client supplied request objects.
	RequestObjectSigningAlgs []string
}
// OpenIDConnectPAR represents an OpenID Connect 1.0 PAR config.
type OpenIDConnectPAR struct {
	// Enforce requires authorization requests to be pushed rather than sent
	// directly (enforce). Per-client enforcement is OpenIDConnectClient.EnforcePAR.
	Enforce bool `koanf:"enforce"`

	// ContextLifespan is presumably how long a pushed request stays usable
	// (context_lifespan). No default is set for it in this file.
	ContextLifespan time.Duration `koanf:"context_lifespan"`
}
// OpenIDConnectCORS represents an OpenID Connect 1.0 CORS config.
type OpenIDConnectCORS struct {
	// Endpoints lists the provider endpoints for which CORS is enabled
	// (endpoints).
	Endpoints []string `koanf:"endpoints"`

	// AllowedOrigins is the explicit origin allow-list (allowed_origins),
	// decoded into url.URL values rather than kept as raw strings.
	AllowedOrigins []url.URL `koanf:"allowed_origins"`

	// AllowedOriginsFromClientRedirectURIs, when true, presumably extends the
	// allow-list with origins derived from each client's RedirectURIs
	// (allowed_origins_from_client_redirect_uris). Any origin registered as a
	// redirect URI then also gains CORS access, so redirect URI registration
	// becomes a trust decision.
	AllowedOriginsFromClientRedirectURIs bool `koanf:"allowed_origins_from_client_redirect_uris"`
}
// OpenIDConnectClient represents a configuration for an OpenID Connect 1.0 client.
//
// The non-zero defaults quoted below are the values set in
// DefaultOpenIDConnectClientConfiguration in this file.
type OpenIDConnectClient struct {
	// ID is the client identifier presented by the relying party (id).
	ID string `koanf:"id"`

	// Description is a human readable label (description).
	Description string `koanf:"description"`

	// Secret is the client secret, stored as a PasswordDigest rather than as
	// plaintext (secret). It is a pointer and may be nil; a nil secret only
	// makes sense together with Public.
	Secret *PasswordDigest `koanf:"secret"`

	// SectorIdentifier is the sector identifier URL (sector_identifier). It is
	// a value, not a pointer, so an unset field is the zero url.URL.
	SectorIdentifier url.URL `koanf:"sector_identifier"`

	// Public marks a client that cannot keep a secret, such as a browser or
	// native app (public). Such clients rely on PKCE rather than a secret;
	// see EnforcePKCE.
	Public bool `koanf:"public"`

	// RedirectURIs is the registered redirect URI allow-list (redirect_uris).
	// Exact matching of these against the authorization request (RFC 6749
	// §3.1.2) is the main defence against code interception; that check
	// lives outside this file. They also feed CORS when
	// OpenIDConnectCORS.AllowedOriginsFromClientRedirectURIs is set.
	RedirectURIs []string `koanf:"redirect_uris"`

	// Audience lists the audiences the client may request (audience).
	Audience []string `koanf:"audience"`

	// Scopes the client may request (scopes); default
	// "openid", "groups", "profile", "email".
	Scopes []string `koanf:"scopes"`

	// GrantTypes the client may use (grant_types). No default in this file.
	GrantTypes []string `koanf:"grant_types"`

	// ResponseTypes the client may request (response_types); default "code".
	ResponseTypes []string `koanf:"response_types"`

	// ResponseModes the client may request (response_modes);
	// default "form_post".
	ResponseModes []string `koanf:"response_modes"`

	// Policy is the authorization policy required before this client is
	// served (authorization_policy); default "two_factor". It presumably may
	// also name an entry of OpenIDConnect.Policies.
	Policy string `koanf:"authorization_policy"`

	// ConsentMode selects how user consent is obtained (consent_mode);
	// default "auto".
	ConsentMode string `koanf:"consent_mode"`

	// ConsentPreConfiguredDuration is how long a remembered consent stays
	// valid (pre_configured_consent_duration). The default is a pointer to a
	// shared package variable of 7 days, so every copy of the default client
	// aliases the same Duration.
	ConsentPreConfiguredDuration *time.Duration `koanf:"pre_configured_consent_duration"`

	// EnforcePAR requires this client to use pushed authorization requests
	// (enforce_par), independent of the provider wide OpenIDConnectPAR.Enforce.
	EnforcePAR bool `koanf:"enforce_par"`

	// EnforcePKCE requires PKCE for this client (enforce_pkce). Unlike the
	// provider level OpenIDConnect.EnforcePKCE, which is a mode string, this
	// is a bool.
	EnforcePKCE bool `koanf:"enforce_pkce"`

	// PKCEChallengeMethod is the required code_challenge_method
	// (pkce_challenge_method); "S256" is the value to prefer over "plain".
	PKCEChallengeMethod string `koanf:"pkce_challenge_method"`

	// IDTokenSigningAlg selects the ID token signature algorithm
	// (id_token_signing_alg); default "RS256".
	IDTokenSigningAlg string `koanf:"id_token_signing_alg"`

	// IDTokenSigningKeyID selects the issuer key used for ID tokens
	// (id_token_signing_key_id).
	IDTokenSigningKeyID string `koanf:"id_token_signing_key_id"`

	// UserinfoSigningAlg selects the userinfo response signature algorithm
	// (userinfo_signing_alg). The default is "none", i.e. an unsigned
	// response, so userinfo integrity then rests on TLS alone.
	UserinfoSigningAlg string `koanf:"userinfo_signing_alg"`

	// UserinfoSigningKeyID selects the issuer key used for userinfo
	// responses (userinfo_signing_key_id).
	UserinfoSigningKeyID string `koanf:"userinfo_signing_key_id"`

	// RequestObjectSigningAlg is the algorithm this client signs request
	// objects with (request_object_signing_alg).
	RequestObjectSigningAlg string `koanf:"request_object_signing_alg"`

	// TokenEndpointAuthSigningAlg is the signing algorithm for token endpoint
	// client authentication (token_endpoint_auth_signing_alg).
	TokenEndpointAuthSigningAlg string `koanf:"token_endpoint_auth_signing_alg"`

	// TokenEndpointAuthMethod is how the client authenticates to the token
	// endpoint (token_endpoint_auth_method).
	TokenEndpointAuthMethod string `koanf:"token_endpoint_auth_method"`

	// PublicKeys holds the client's public keys (public_keys); presumably
	// used to verify signatures the client produces, confirm in the provider.
	PublicKeys OpenIDConnectClientPublicKeys `koanf:"public_keys"`

	// Discovery is per-client metadata computed during validation. It has no
	// koanf tag and is not user configurable.
	Discovery OpenIDConnectDiscovery
}
// OpenIDConnectClientPublicKeys represents the Client Public Keys configuration for an OpenID Connect 1.0 client.
type OpenIDConnectClientPublicKeys struct {
	// URI is an optional location of the client's keys (uri), presumably a
	// JWKS endpoint; nil when not configured. Keys obtained from a URI are
	// only as trustworthy as that endpoint and its TLS identity; the fetch
	// itself happens outside this file.
	URI *url.URL `koanf:"uri"`

	// Values are inline JWKs (values), the alternative to URI.
	Values []JWK `koanf:"values"`
}
// DefaultOpenIDConnectConfiguration contains defaults for OIDC.
//
// Fields omitted from this literal keep their Go zero value; how these
// defaults are merged into a user supplied configuration is decided outside
// this file.
var DefaultOpenIDConnectConfiguration = OpenIDConnect{
	// Token and code lifespans. Authorization codes are single-use bearer
	// values, hence the much shorter window.
	AccessTokenLifespan:   1 * time.Hour,
	AuthorizeCodeLifespan: 1 * time.Minute,
	IDTokenLifespan:       1 * time.Hour,
	RefreshTokenLifespan:  90 * time.Minute,

	// PKCE is mandatory for public clients unless the operator changes the
	// mode; the field is a mode string, not a bool.
	EnforcePKCE: "public_clients_only",
}
// defaultOIDCClientConsentPreConfiguredDuration is the default validity of a
// remembered ("pre-configured") consent: one week. It is a package variable
// rather than a constant because DefaultOpenIDConnectClientConfiguration
// takes its address.
var defaultOIDCClientConsentPreConfiguredDuration = 7 * 24 * time.Hour
// DefaultOpenIDConnectClientConfiguration contains defaults for OIDC Clients.
//
// Fields omitted from this literal keep their Go zero value; how these
// defaults are merged into a configured client is decided outside this file.
// The slice fields and the consent duration pointer are shared by every copy
// of this value, so callers must not mutate them in place.
var DefaultOpenIDConnectClientConfiguration = OpenIDConnectClient{
	// Access control: second factor required before the client is served.
	Policy: "two_factor",

	// Consent: automatic mode, remembered for the shared one-week duration.
	// The pointer aliases a single package variable.
	ConsentMode:                  "auto",
	ConsentPreConfiguredDuration: &defaultOIDCClientConsentPreConfiguredDuration,

	// Authorization code flow only, delivered via form_post.
	ResponseTypes: []string{"code"},
	ResponseModes: []string{"form_post"},
	Scopes:        []string{"openid", "groups", "profile", "email"},

	// Signing: RS256 ID tokens; userinfo responses are unsigned by default.
	IDTokenSigningAlg:  "RS256",
	UserinfoSigningAlg: "none",
}