2020-04-23 01:47:27 +00:00
|
|
|
package validator
|
|
|
|
|
2021-08-03 09:55:21 +00:00
|
|
|
import "regexp"
|
|
|
|
|
2021-07-15 11:02:03 +00:00
|
|
|
const (
|
|
|
|
loopback = "127.0.0.1"
|
|
|
|
oauth2InstalledApp = "urn:ietf:wg:oauth:2.0:oob"
|
|
|
|
)
|
|
|
|
|
2021-08-03 09:55:21 +00:00
|
|
|
// Policy constants.
|
2021-03-22 09:04:09 +00:00
|
|
|
const (
|
2021-08-03 09:55:21 +00:00
|
|
|
policyBypass = "bypass"
|
|
|
|
policyOneFactor = "one_factor"
|
|
|
|
policyTwoFactor = "two_factor"
|
|
|
|
policyDeny = "deny"
|
|
|
|
)
|
2021-03-22 09:04:09 +00:00
|
|
|
|
2021-08-03 09:55:21 +00:00
|
|
|
// Hashing constants.
|
|
|
|
const (
|
|
|
|
hashArgon2id = "argon2id"
|
|
|
|
hashSHA512 = "sha512"
|
|
|
|
)
|
2021-03-22 09:04:09 +00:00
|
|
|
|
2021-08-03 09:55:21 +00:00
|
|
|
// Scheme constants.
|
|
|
|
const (
|
2021-03-22 09:04:09 +00:00
|
|
|
schemeLDAP = "ldap"
|
|
|
|
schemeLDAPS = "ldaps"
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
schemeHTTP = "http"
|
|
|
|
schemeHTTPS = "https"
|
2021-08-03 09:55:21 +00:00
|
|
|
)
|
2021-03-22 09:04:09 +00:00
|
|
|
|
2021-08-03 09:55:21 +00:00
|
|
|
// Test constants.
|
|
|
|
const (
|
2021-03-22 09:04:09 +00:00
|
|
|
testBadTimer = "-1"
|
|
|
|
testInvalidPolicy = "invalid"
|
|
|
|
testJWTSecret = "a_secret"
|
|
|
|
testLDAPBaseDN = "base_dn"
|
|
|
|
testLDAPPassword = "password"
|
|
|
|
testLDAPURL = "ldap://ldap"
|
|
|
|
testLDAPUser = "user"
|
|
|
|
testModeDisabled = "disable"
|
|
|
|
testTLSCert = "/tmp/cert.pem"
|
|
|
|
testTLSKey = "/tmp/key.pem"
|
2021-08-03 09:55:21 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
// OpenID Error constants.
|
|
|
|
const (
|
|
|
|
errFmtOIDCClientsDuplicateID = "openid connect provider: one or more clients have the same ID"
|
|
|
|
errFmtOIDCClientsWithEmptyID = "openid connect provider: one or more clients have been configured with an empty ID"
|
|
|
|
errFmtOIDCNoClientsConfigured = "openid connect provider: no clients are configured"
|
|
|
|
errFmtOIDCNoPrivateKey = "openid connect provider: issuer private key must be provided"
|
|
|
|
errFmtOIDCClientInvalidSecret = "openid connect provider: client with ID '%s' has an empty secret"
|
|
|
|
errFmtOIDCClientPublicInvalidSecret = "openid connect provider: client with ID '%s' is public but does not have " +
|
|
|
|
"an empty secret"
|
|
|
|
errFmtOIDCClientRedirectURI = "openid connect provider: client with ID '%s' redirect URI %s has an " +
|
|
|
|
"invalid scheme %s, should be http or https"
|
|
|
|
errFmtOIDCClientRedirectURICantBeParsed = "openid connect provider: client with ID '%s' has an invalid redirect " +
|
|
|
|
"URI '%s' could not be parsed: %v"
|
|
|
|
errFmtOIDCClientRedirectURIPublic = "openid connect provider: client with ID '%s' redirect URI '%s' is " +
|
|
|
|
"only valid for the public client type, not the confidential client type"
|
|
|
|
errFmtOIDCClientRedirectURIAbsolute = "openid connect provider: client with ID '%s' redirect URI '%s' is invalid " +
|
|
|
|
"because it has no scheme when it should be http or https"
|
|
|
|
errFmtOIDCClientInvalidPolicy = "openid connect provider: client with ID '%s' has an invalid policy " +
|
|
|
|
"'%s', should be either 'one_factor' or 'two_factor'"
|
|
|
|
errFmtOIDCClientInvalidScope = "openid connect provider: client with ID '%s' has an invalid scope " +
|
|
|
|
"'%s', must be one of: '%s'"
|
|
|
|
errFmtOIDCClientInvalidGrantType = "openid connect provider: client with ID '%s' has an invalid grant type " +
|
|
|
|
"'%s', must be one of: '%s'"
|
|
|
|
errFmtOIDCClientInvalidResponseMode = "openid connect provider: client with ID '%s' has an invalid response mode " +
|
|
|
|
"'%s', must be one of: '%s'"
|
|
|
|
errFmtOIDCClientInvalidUserinfoAlgorithm = "openid connect provider: client with ID '%s' has an invalid userinfo signing " +
|
|
|
|
"algorithm '%s', must be one of: '%s'"
|
|
|
|
errFmtOIDCServerInsecureParameterEntropy = "openid connect provider: SECURITY ISSUE - minimum parameter entropy is " +
|
|
|
|
"configured to an unsafe value, it should be above 8 but it's configured to %d"
|
|
|
|
)
|
|
|
|
|
|
|
|
// Error constants.
|
|
|
|
const (
|
|
|
|
errFmtDeprecatedConfigurationKey = "the %s configuration option is deprecated and will be " +
|
|
|
|
"removed in %s, please use %s instead"
|
|
|
|
errFmtReplacedConfigurationKey = "invalid configuration key '%s' was replaced by '%s'"
|
2021-03-22 09:04:09 +00:00
|
|
|
|
2021-08-03 09:55:21 +00:00
|
|
|
errFmtLoggingLevelInvalid = "the log level '%s' is invalid, must be one of: %s"
|
|
|
|
|
|
|
|
errFmtSessionSecretRedisProvider = "the session secret must be set when using the %s session provider"
|
|
|
|
errFmtSessionRedisPortRange = "the port must be between 1 and 65535 for the %s session provider"
|
|
|
|
errFmtSessionRedisHostRequired = "the host must be provided when using the %s session provider"
|
|
|
|
errFmtSessionRedisHostOrNodesRequired = "either the host or a node must be provided when using the %s session provider"
|
|
|
|
|
|
|
|
errFileHashing = "config key incorrect: authentication_backend.file.hashing should be authentication_backend.file.password"
|
|
|
|
errFilePHashing = "config key incorrect: authentication_backend.file.password_hashing should be authentication_backend.file.password"
|
|
|
|
errFilePOptions = "config key incorrect: authentication_backend.file.password_options should be authentication_backend.file.password"
|
|
|
|
|
|
|
|
errAccessControlInvalidPolicyWithSubjects = "policy [bypass] for rule #%d domain %s with subjects %s is invalid. It is " +
|
|
|
|
"not supported to configure both policy bypass and subjects. For more information see: " +
|
2021-03-22 09:04:09 +00:00
|
|
|
"https://www.authelia.com/docs/configuration/access-control.html#combining-subjects-and-the-bypass-policy"
|
|
|
|
)
|
|
|
|
|
2021-06-01 04:09:50 +00:00
|
|
|
var validLoggingLevels = []string{"trace", "debug", "info", "warn", "error"}
|
2021-07-10 04:56:33 +00:00
|
|
|
var validHTTPRequestMethods = []string{"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "TRACE", "CONNECT", "OPTIONS"}
|
|
|
|
|
|
|
|
var validOIDCScopes = []string{"openid", "email", "profile", "groups", "offline_access"}
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
var validOIDCGrantTypes = []string{"implicit", "refresh_token", "authorization_code", "password", "client_credentials"}
|
|
|
|
var validOIDCResponseModes = []string{"form_post", "query", "fragment"}
|
2021-07-10 04:56:33 +00:00
|
|
|
var validOIDCUserinfoAlgorithms = []string{"none", "RS256"}
|
2021-03-05 04:18:31 +00:00
|
|
|
|
2021-08-03 09:55:21 +00:00
|
|
|
var reKeyReplacer = regexp.MustCompile(`\[\d+]`)
|
2021-03-22 09:04:09 +00:00
|
|
|
|
2021-08-03 09:55:21 +00:00
|
|
|
// ValidKeys is a list of valid keys that are not secret names. For the sake of consistency please place any secret in
|
2021-03-22 09:04:09 +00:00
|
|
|
// the secret names map and reuse it in relevant sections.
|
2021-08-03 09:55:21 +00:00
|
|
|
var ValidKeys = []string{
|
2020-04-23 01:47:27 +00:00
|
|
|
// Root Keys.
|
2021-01-04 10:28:55 +00:00
|
|
|
"certificates_directory",
|
2021-08-02 11:55:30 +00:00
|
|
|
"theme",
|
|
|
|
"default_redirection_url",
|
2021-08-03 09:55:21 +00:00
|
|
|
"jwt_secret",
|
2020-04-23 01:47:27 +00:00
|
|
|
|
2021-06-08 13:15:43 +00:00
|
|
|
// Log keys.
|
|
|
|
"log.level",
|
|
|
|
"log.format",
|
|
|
|
"log.file_path",
|
|
|
|
"log.keep_stdout",
|
2021-06-01 04:09:50 +00:00
|
|
|
|
|
|
|
// TODO: DEPRECATED START. Remove in 4.33.0.
|
2021-08-02 11:55:30 +00:00
|
|
|
"host",
|
|
|
|
"port",
|
|
|
|
"tls_key",
|
|
|
|
"tls_cert",
|
2021-06-01 04:09:50 +00:00
|
|
|
"log_level",
|
|
|
|
"log_format",
|
|
|
|
"log_file_path",
|
|
|
|
// TODO: DEPRECATED END. Remove in 4.33.0.
|
|
|
|
|
2020-04-30 02:03:05 +00:00
|
|
|
// Server Keys.
|
2021-08-02 11:55:30 +00:00
|
|
|
"server.host",
|
|
|
|
"server.port",
|
2020-04-30 02:03:05 +00:00
|
|
|
"server.read_buffer_size",
|
|
|
|
"server.write_buffer_size",
|
2020-05-21 02:20:55 +00:00
|
|
|
"server.path",
|
2021-06-01 04:09:50 +00:00
|
|
|
"server.enable_pprof",
|
|
|
|
"server.enable_expvars",
|
2021-08-05 04:02:07 +00:00
|
|
|
"server.disable_healthcheck",
|
2021-08-02 11:55:30 +00:00
|
|
|
"server.tls.key",
|
|
|
|
"server.tls.certificate",
|
2020-04-30 02:03:05 +00:00
|
|
|
|
2020-05-15 23:41:42 +00:00
|
|
|
// TOTP Keys.
|
2020-04-23 01:47:27 +00:00
|
|
|
"totp.issuer",
|
|
|
|
"totp.period",
|
|
|
|
"totp.skew",
|
|
|
|
|
2021-08-03 09:55:21 +00:00
|
|
|
// DUO API Keys.
|
|
|
|
"duo_api.hostname",
|
|
|
|
"duo_api.secret_key",
|
|
|
|
"duo_api.integration_key",
|
|
|
|
|
2020-05-15 23:41:42 +00:00
|
|
|
// Access Control Keys.
|
2020-04-23 01:47:27 +00:00
|
|
|
"access_control.default_policy",
|
2021-01-04 10:55:23 +00:00
|
|
|
"access_control.networks",
|
2021-08-03 09:55:21 +00:00
|
|
|
"access_control.rules",
|
|
|
|
"access_control.rules[].domain",
|
|
|
|
"access_control.rules[].methods",
|
|
|
|
"access_control.rules[].networks",
|
|
|
|
"access_control.rules[].subject",
|
|
|
|
"access_control.rules[].policy",
|
|
|
|
"access_control.rules[].resources",
|
2020-04-23 01:47:27 +00:00
|
|
|
|
|
|
|
// Session Keys.
|
|
|
|
"session.name",
|
2021-04-18 00:02:04 +00:00
|
|
|
"session.domain",
|
2021-08-03 09:55:21 +00:00
|
|
|
"session.secret",
|
2021-04-18 00:02:04 +00:00
|
|
|
"session.same_site",
|
2020-04-23 01:47:27 +00:00
|
|
|
"session.expiration",
|
|
|
|
"session.inactivity",
|
|
|
|
"session.remember_me_duration",
|
|
|
|
|
|
|
|
// Redis Session Keys.
|
|
|
|
"session.redis.host",
|
|
|
|
"session.redis.port",
|
feat(session): add redis sentinel provider (#1768)
* feat(session): add redis sentinel provider
* refactor(session): use int for ports as per go standards
* refactor(configuration): adjust tests and validation
* refactor(configuration): add err format consts
* refactor(configuration): explicitly map redis structs
* refactor(session): merge redis/redis sentinel providers
* refactor(session): add additional checks to redis providers
* feat(session): add redis cluster provider
* fix: update config for new values
* fix: provide nil certpool to affected tests/mocks
* test: add additional tests to cover uncovered code
* docs: expand explanation of host and nodes relation for redis
* ci: add redis-sentinel to suite highavailability, add redis-sentinel quorum
* fix(session): sentinel password
* test: use redis alpine library image for redis sentinel, use expose instead of ports, use redis ip, adjust redis ip range, adjust redis config
* test: make entrypoint.sh executable, fix entrypoint.sh if/elif
* test: add redis failover tests
* test: defer docker start, adjust sleep, attempt logout before login, attempt visit before login and tune timeouts, add additional logging
* test: add sentinel integration test
* test: add secondary node failure to tests, fix password usage, bump test timeout, add sleep
* feat: use sentinel failover cluster
* fix: renamed addrs to sentineladdrs upstream
* test(session): sentinel failover
* test: add redis standard back into testing
* test: move redis standalone test to traefik2
* fix/docs: apply suggestions from code review
2021-03-09 23:03:05 +00:00
|
|
|
"session.redis.username",
|
2021-08-03 09:55:21 +00:00
|
|
|
"session.redis.password",
|
2020-04-23 01:47:27 +00:00
|
|
|
"session.redis.database_index",
|
feat(session): add redis sentinel provider (#1768)
* feat(session): add redis sentinel provider
* refactor(session): use int for ports as per go standards
* refactor(configuration): adjust tests and validation
* refactor(configuration): add err format consts
* refactor(configuration): explicitly map redis structs
* refactor(session): merge redis/redis sentinel providers
* refactor(session): add additional checks to redis providers
* feat(session): add redis cluster provider
* fix: update config for new values
* fix: provide nil certpool to affected tests/mocks
* test: add additional tests to cover uncovered code
* docs: expand explanation of host and nodes relation for redis
* ci: add redis-sentinel to suite highavailability, add redis-sentinel quorum
* fix(session): sentinel password
* test: use redis alpine library image for redis sentinel, use expose instead of ports, use redis ip, adjust redis ip range, adjust redis config
* test: make entrypoint.sh executable, fix entrypoint.sh if/elif
* test: add redis failover tests
* test: defer docker start, adjust sleep, attempt logout before login, attempt visit before login and tune timeouts, add additional logging
* test: add sentinel integration test
* test: add secondary node failure to tests, fix password usage, bump test timeout, add sleep
* feat: use sentinel failover cluster
* fix: renamed addrs to sentineladdrs upstream
* test(session): sentinel failover
* test: add redis standard back into testing
* test: move redis standalone test to traefik2
* fix/docs: apply suggestions from code review
2021-03-09 23:03:05 +00:00
|
|
|
"session.redis.maximum_active_connections",
|
|
|
|
"session.redis.minimum_idle_connections",
|
|
|
|
"session.redis.tls.minimum_version",
|
|
|
|
"session.redis.tls.skip_verify",
|
|
|
|
"session.redis.tls.server_name",
|
|
|
|
"session.redis.high_availability.sentinel_name",
|
2021-08-03 09:55:21 +00:00
|
|
|
"session.redis.high_availability.sentinel_password",
|
feat(session): add redis sentinel provider (#1768)
* feat(session): add redis sentinel provider
* refactor(session): use int for ports as per go standards
* refactor(configuration): adjust tests and validation
* refactor(configuration): add err format consts
* refactor(configuration): explicitly map redis structs
* refactor(session): merge redis/redis sentinel providers
* refactor(session): add additional checks to redis providers
* feat(session): add redis cluster provider
* fix: update config for new values
* fix: provide nil certpool to affected tests/mocks
* test: add additional tests to cover uncovered code
* docs: expand explanation of host and nodes relation for redis
* ci: add redis-sentinel to suite highavailability, add redis-sentinel quorum
* fix(session): sentinel password
* test: use redis alpine library image for redis sentinel, use expose instead of ports, use redis ip, adjust redis ip range, adjust redis config
* test: make entrypoint.sh executable, fix entrypoint.sh if/elif
* test: add redis failover tests
* test: defer docker start, adjust sleep, attempt logout before login, attempt visit before login and tune timeouts, add additional logging
* test: add sentinel integration test
* test: add secondary node failure to tests, fix password usage, bump test timeout, add sleep
* feat: use sentinel failover cluster
* fix: renamed addrs to sentineladdrs upstream
* test(session): sentinel failover
* test: add redis standard back into testing
* test: move redis standalone test to traefik2
* fix/docs: apply suggestions from code review
2021-03-09 23:03:05 +00:00
|
|
|
"session.redis.high_availability.nodes",
|
|
|
|
"session.redis.high_availability.route_by_latency",
|
|
|
|
"session.redis.high_availability.route_randomly",
|
|
|
|
"session.redis.timeouts.dial",
|
|
|
|
"session.redis.timeouts.idle",
|
|
|
|
"session.redis.timeouts.pool",
|
|
|
|
"session.redis.timeouts.read",
|
|
|
|
"session.redis.timeouts.write",
|
2020-04-23 01:47:27 +00:00
|
|
|
|
|
|
|
// Local Storage Keys.
|
|
|
|
"storage.local.path",
|
|
|
|
|
|
|
|
// MySQL Storage Keys.
|
|
|
|
"storage.mysql.host",
|
|
|
|
"storage.mysql.port",
|
|
|
|
"storage.mysql.database",
|
|
|
|
"storage.mysql.username",
|
2021-08-03 09:55:21 +00:00
|
|
|
"storage.mysql.password",
|
2020-04-23 01:47:27 +00:00
|
|
|
|
|
|
|
// PostgreSQL Storage Keys.
|
|
|
|
"storage.postgres.host",
|
|
|
|
"storage.postgres.port",
|
|
|
|
"storage.postgres.database",
|
|
|
|
"storage.postgres.username",
|
2021-08-03 09:55:21 +00:00
|
|
|
"storage.postgres.password",
|
2020-04-23 01:47:27 +00:00
|
|
|
"storage.postgres.sslmode",
|
|
|
|
|
|
|
|
// FileSystem Notifier Keys.
|
|
|
|
"notifier.filesystem.filename",
|
|
|
|
"notifier.disable_startup_check",
|
|
|
|
|
|
|
|
// SMTP Notifier Keys.
|
|
|
|
"notifier.smtp.host",
|
|
|
|
"notifier.smtp.port",
|
2021-08-03 09:55:21 +00:00
|
|
|
"notifier.smtp.username",
|
|
|
|
"notifier.smtp.password",
|
2020-11-04 23:22:10 +00:00
|
|
|
"notifier.smtp.identifier",
|
2020-04-23 01:47:27 +00:00
|
|
|
"notifier.smtp.sender",
|
|
|
|
"notifier.smtp.subject",
|
|
|
|
"notifier.smtp.startup_check_address",
|
|
|
|
"notifier.smtp.disable_require_tls",
|
2020-08-21 02:16:23 +00:00
|
|
|
"notifier.smtp.disable_html_emails",
|
2021-01-04 10:28:55 +00:00
|
|
|
"notifier.smtp.tls.minimum_version",
|
|
|
|
"notifier.smtp.tls.skip_verify",
|
|
|
|
"notifier.smtp.tls.server_name",
|
2020-04-23 01:47:27 +00:00
|
|
|
|
|
|
|
// Regulation Keys.
|
|
|
|
"regulation.max_retries",
|
|
|
|
"regulation.find_time",
|
|
|
|
"regulation.ban_time",
|
|
|
|
|
|
|
|
// Authentication Backend Keys.
|
|
|
|
"authentication_backend.disable_reset_password",
|
2020-05-04 19:39:25 +00:00
|
|
|
"authentication_backend.refresh_interval",
|
2020-04-23 01:47:27 +00:00
|
|
|
|
|
|
|
// LDAP Authentication Backend Keys.
|
2020-11-27 09:59:22 +00:00
|
|
|
"authentication_backend.ldap.implementation",
|
2020-04-23 01:47:27 +00:00
|
|
|
"authentication_backend.ldap.url",
|
2021-08-05 23:28:52 +00:00
|
|
|
"authentication_backend.ldap.timeout",
|
2020-04-23 01:47:27 +00:00
|
|
|
"authentication_backend.ldap.base_dn",
|
|
|
|
"authentication_backend.ldap.username_attribute",
|
|
|
|
"authentication_backend.ldap.additional_users_dn",
|
|
|
|
"authentication_backend.ldap.users_filter",
|
|
|
|
"authentication_backend.ldap.additional_groups_dn",
|
|
|
|
"authentication_backend.ldap.groups_filter",
|
|
|
|
"authentication_backend.ldap.group_name_attribute",
|
|
|
|
"authentication_backend.ldap.mail_attribute",
|
2020-06-19 10:50:21 +00:00
|
|
|
"authentication_backend.ldap.display_name_attribute",
|
2020-04-23 01:47:27 +00:00
|
|
|
"authentication_backend.ldap.user",
|
2021-08-03 09:55:21 +00:00
|
|
|
"authentication_backend.ldap.password",
|
2021-01-04 10:28:55 +00:00
|
|
|
"authentication_backend.ldap.start_tls",
|
|
|
|
"authentication_backend.ldap.tls.minimum_version",
|
|
|
|
"authentication_backend.ldap.tls.skip_verify",
|
|
|
|
"authentication_backend.ldap.tls.server_name",
|
2020-04-23 01:47:27 +00:00
|
|
|
|
|
|
|
// File Authentication Backend Keys.
|
|
|
|
"authentication_backend.file.path",
|
|
|
|
"authentication_backend.file.password.algorithm",
|
|
|
|
"authentication_backend.file.password.iterations",
|
|
|
|
"authentication_backend.file.password.key_length",
|
|
|
|
"authentication_backend.file.password.salt_length",
|
|
|
|
"authentication_backend.file.password.memory",
|
|
|
|
"authentication_backend.file.password.parallelism",
|
2021-05-04 22:06:05 +00:00
|
|
|
|
|
|
|
// Identity Provider Keys.
|
2021-08-03 09:55:21 +00:00
|
|
|
"identity_providers.oidc.hmac_secret",
|
|
|
|
"identity_providers.oidc.issuer_private_key",
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
"identity_providers.oidc.id_token_lifespan",
|
|
|
|
"identity_providers.oidc.access_token_lifespan",
|
|
|
|
"identity_providers.oidc.refresh_token_lifespan",
|
|
|
|
"identity_providers.oidc.authorize_code_lifespan",
|
|
|
|
"identity_providers.oidc.enable_client_debug_messages",
|
2021-08-05 07:19:17 +00:00
|
|
|
"identity_providers.oidc.minimum_parameter_entropy",
|
2021-08-03 09:55:21 +00:00
|
|
|
"identity_providers.oidc.clients",
|
|
|
|
"identity_providers.oidc.clients[].id",
|
|
|
|
"identity_providers.oidc.clients[].description",
|
|
|
|
"identity_providers.oidc.clients[].secret",
|
|
|
|
"identity_providers.oidc.clients[].redirect_uris",
|
|
|
|
"identity_providers.oidc.clients[].authorization_policy",
|
|
|
|
"identity_providers.oidc.clients[].scopes",
|
|
|
|
"identity_providers.oidc.clients[].grant_types",
|
|
|
|
"identity_providers.oidc.clients[].response_types",
|
2020-04-23 01:47:27 +00:00
|
|
|
}
|
|
|
|
|
2021-04-16 01:44:37 +00:00
|
|
|
var replacedKeys = map[string]string{
|
|
|
|
"authentication_backend.ldap.skip_verify": "authentication_backend.ldap.tls.skip_verify",
|
|
|
|
"authentication_backend.ldap.minimum_tls_version": "authentication_backend.ldap.tls.minimum_version",
|
|
|
|
"notifier.smtp.disable_verify_cert": "notifier.smtp.tls.skip_verify",
|
2021-06-08 13:15:43 +00:00
|
|
|
"logs_file_path": "log.file_path",
|
|
|
|
"logs_level": "log.level",
|
2021-04-16 01:44:37 +00:00
|
|
|
}
|
|
|
|
|
2020-04-23 01:47:27 +00:00
|
|
|
var specificErrorKeys = map[string]string{
|
2020-05-15 23:41:42 +00:00
|
|
|
"google_analytics": "config key removed: google_analytics - this functionality has been deprecated",
|
2021-08-03 09:55:21 +00:00
|
|
|
"notifier.smtp.trusted_cert": "invalid configuration key 'notifier.smtp.trusted_cert' it has been removed, " +
|
|
|
|
"option has been replaced by the global option 'certificates_directory'",
|
2021-04-16 01:44:37 +00:00
|
|
|
|
2021-03-22 09:04:09 +00:00
|
|
|
"authentication_backend.file.password_options.algorithm": errFilePOptions,
|
|
|
|
"authentication_backend.file.password_options.iterations": errFilePOptions,
|
|
|
|
"authentication_backend.file.password_options.key_length": errFilePOptions,
|
|
|
|
"authentication_backend.file.password_options.salt_length": errFilePOptions,
|
|
|
|
"authentication_backend.file.password_options.memory": errFilePOptions,
|
|
|
|
"authentication_backend.file.password_options.parallelism": errFilePOptions,
|
|
|
|
"authentication_backend.file.password_hashing.algorithm": errFilePHashing,
|
|
|
|
"authentication_backend.file.password_hashing.iterations": errFilePHashing,
|
|
|
|
"authentication_backend.file.password_hashing.key_length": errFilePHashing,
|
|
|
|
"authentication_backend.file.password_hashing.salt_length": errFilePHashing,
|
|
|
|
"authentication_backend.file.password_hashing.memory": errFilePHashing,
|
|
|
|
"authentication_backend.file.password_hashing.parallelism": errFilePHashing,
|
|
|
|
"authentication_backend.file.hashing.algorithm": errFileHashing,
|
|
|
|
"authentication_backend.file.hashing.iterations": errFileHashing,
|
|
|
|
"authentication_backend.file.hashing.key_length": errFileHashing,
|
|
|
|
"authentication_backend.file.hashing.salt_length": errFileHashing,
|
|
|
|
"authentication_backend.file.hashing.memory": errFileHashing,
|
|
|
|
"authentication_backend.file.hashing.parallelism": errFileHashing,
|
2020-04-23 01:47:27 +00:00
|
|
|
}
|