authelia/internal/configuration/schema/identity_providers.go

146 lines
5.2 KiB
Go
Raw Normal View History

package schema
import (
"crypto/rsa"
"net/url"
"time"
)
// IdentityProviders represents the Identity Providers configuration for Authelia.
type IdentityProviders struct {
OIDC *OpenIDConnect `koanf:"oidc"`
}
// OpenIDConnect configuration for OpenID Connect 1.0.
type OpenIDConnect struct {
HMACSecret string `koanf:"hmac_secret"`
IssuerPrivateKeys []JWK `koanf:"issuer_private_keys"`
IssuerCertificateChain X509CertificateChain `koanf:"issuer_certificate_chain"`
IssuerPrivateKey *rsa.PrivateKey `koanf:"issuer_private_key"`
AccessTokenLifespan time.Duration `koanf:"access_token_lifespan"`
AuthorizeCodeLifespan time.Duration `koanf:"authorize_code_lifespan"`
IDTokenLifespan time.Duration `koanf:"id_token_lifespan"`
RefreshTokenLifespan time.Duration `koanf:"refresh_token_lifespan"`
EnableClientDebugMessages bool `koanf:"enable_client_debug_messages"`
MinimumParameterEntropy int `koanf:"minimum_parameter_entropy"`
EnforcePKCE string `koanf:"enforce_pkce"`
EnablePKCEPlainChallenge bool `koanf:"enable_pkce_plain_challenge"`
PAR OpenIDConnectPAR `koanf:"pushed_authorizations"`
CORS OpenIDConnectCORS `koanf:"cors"`
Clients []OpenIDConnectClient `koanf:"clients"`
Policies map[string]OpenIDConnectPolicy `koanf:"policies"`
Discovery OpenIDConnectDiscovery // MetaData value. Not configurable by users.
}
type OpenIDConnectPolicy struct {
DefaultPolicy string `koanf:"default_policy"`
Rules []OpenIDConnectPolicyRule `koanf:"rules"`
}
type OpenIDConnectPolicyRule struct {
Policy string `koanf:"policy"`
Subjects [][]string `koanf:"subject"`
}
// OpenIDConnectDiscovery is information discovered during validation reused for the discovery handlers.
type OpenIDConnectDiscovery struct {
Policies []string
DefaultKeyIDs map[string]string
DefaultKeyID string
ResponseObjectSigningKeyIDs []string
ResponseObjectSigningAlgs []string
RequestObjectSigningAlgs []string
}
// OpenIDConnectPAR represents an OpenID Connect 1.0 PAR config.
type OpenIDConnectPAR struct {
Enforce bool `koanf:"enforce"`
ContextLifespan time.Duration `koanf:"context_lifespan"`
}
// OpenIDConnectCORS represents an OpenID Connect 1.0 CORS config.
type OpenIDConnectCORS struct {
Endpoints []string `koanf:"endpoints"`
AllowedOrigins []url.URL `koanf:"allowed_origins"`
AllowedOriginsFromClientRedirectURIs bool `koanf:"allowed_origins_from_client_redirect_uris"`
}
// OpenIDConnectClient represents a configuration for an OpenID Connect 1.0 client.
type OpenIDConnectClient struct {
ID string `koanf:"id"`
Description string `koanf:"description"`
Secret *PasswordDigest `koanf:"secret"`
SectorIdentifier url.URL `koanf:"sector_identifier"`
Public bool `koanf:"public"`
RedirectURIs []string `koanf:"redirect_uris"`
Audience []string `koanf:"audience"`
Scopes []string `koanf:"scopes"`
GrantTypes []string `koanf:"grant_types"`
ResponseTypes []string `koanf:"response_types"`
ResponseModes []string `koanf:"response_modes"`
Policy string `koanf:"authorization_policy"`
ConsentMode string `koanf:"consent_mode"`
ConsentPreConfiguredDuration *time.Duration `koanf:"pre_configured_consent_duration"`
EnforcePAR bool `koanf:"enforce_par"`
EnforcePKCE bool `koanf:"enforce_pkce"`
PKCEChallengeMethod string `koanf:"pkce_challenge_method"`
IDTokenSigningAlg string `koanf:"id_token_signing_alg"`
IDTokenSigningKeyID string `koanf:"id_token_signing_key_id"`
UserinfoSigningAlg string `koanf:"userinfo_signing_alg"`
UserinfoSigningKeyID string `koanf:"userinfo_signing_key_id"`
RequestObjectSigningAlg string `koanf:"request_object_signing_alg"`
TokenEndpointAuthSigningAlg string `koanf:"token_endpoint_auth_signing_alg"`
TokenEndpointAuthMethod string `koanf:"token_endpoint_auth_method"`
PublicKeys OpenIDConnectClientPublicKeys `koanf:"public_keys"`
Discovery OpenIDConnectDiscovery
}
// OpenIDConnectClientPublicKeys represents the Client Public Keys configuration for an OpenID Connect 1.0 client.
type OpenIDConnectClientPublicKeys struct {
URI *url.URL `koanf:"uri"`
Values []JWK `koanf:"values"`
}
// DefaultOpenIDConnectConfiguration contains defaults for OIDC.
var DefaultOpenIDConnectConfiguration = OpenIDConnect{
AccessTokenLifespan: time.Hour,
AuthorizeCodeLifespan: time.Minute,
IDTokenLifespan: time.Hour,
RefreshTokenLifespan: time.Minute * 90,
EnforcePKCE: "public_clients_only",
}
var defaultOIDCClientConsentPreConfiguredDuration = time.Hour * 24 * 7
// DefaultOpenIDConnectClientConfiguration contains defaults for OIDC Clients.
var DefaultOpenIDConnectClientConfiguration = OpenIDConnectClient{
Policy: "two_factor",
Scopes: []string{"openid", "groups", "profile", "email"},
ResponseTypes: []string{"code"},
ResponseModes: []string{"form_post"},
IDTokenSigningAlg: "RS256",
UserinfoSigningAlg: "none",
ConsentMode: "auto",
ConsentPreConfiguredDuration: &defaultOIDCClientConsentPreConfiguredDuration,
}