2019-04-24 21:52:08 +00:00
|
|
|
package session
|
|
|
|
|
2020-05-04 19:39:25 +00:00
|
|
|
import (
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
"errors"
|
|
|
|
"time"
|
|
|
|
|
2021-08-11 01:04:35 +00:00
|
|
|
"github.com/authelia/authelia/v4/internal/authentication"
|
|
|
|
"github.com/authelia/authelia/v4/internal/authorization"
|
2020-05-04 19:39:25 +00:00
|
|
|
)
|
2019-04-24 21:52:08 +00:00
|
|
|
|
|
|
|
// NewDefaultUserSession create a default user session.
|
|
|
|
func NewDefaultUserSession() UserSession {
|
|
|
|
return UserSession{
|
|
|
|
KeepMeLoggedIn: false,
|
|
|
|
AuthenticationLevel: authentication.NotAuthenticated,
|
|
|
|
LastActivity: 0,
|
|
|
|
}
|
|
|
|
}
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
|
2022-10-20 02:16:36 +00:00
|
|
|
// IsAnonymous returns true if the username is empty or the AuthenticationLevel is authentication.NotAuthenticated.
|
|
|
|
func (s *UserSession) IsAnonymous() bool {
|
|
|
|
return s.Username == "" || s.AuthenticationLevel == authentication.NotAuthenticated
|
|
|
|
}
|
|
|
|
|
2022-04-01 11:18:58 +00:00
|
|
|
// SetOneFactor sets the 1FA AMR's and expected property values for one factor authentication.
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
func (s *UserSession) SetOneFactor(now time.Time, details *authentication.UserDetails, keepMeLoggedIn bool) {
|
|
|
|
s.FirstFactorAuthnTimestamp = now.Unix()
|
|
|
|
s.LastActivity = now.Unix()
|
|
|
|
s.AuthenticationLevel = authentication.OneFactor
|
|
|
|
|
|
|
|
s.KeepMeLoggedIn = keepMeLoggedIn
|
|
|
|
|
|
|
|
s.Username = details.Username
|
|
|
|
s.DisplayName = details.DisplayName
|
|
|
|
s.Groups = details.Groups
|
|
|
|
s.Emails = details.Emails
|
2022-04-01 11:18:58 +00:00
|
|
|
|
|
|
|
s.AuthenticationMethodRefs.UsernameAndPassword = true
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
}
|
|
|
|
|
2022-04-01 11:18:58 +00:00
|
|
|
func (s *UserSession) setTwoFactor(now time.Time) {
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
s.SecondFactorAuthnTimestamp = now.Unix()
|
|
|
|
s.LastActivity = now.Unix()
|
|
|
|
s.AuthenticationLevel = authentication.TwoFactor
|
|
|
|
}
|
|
|
|
|
2022-04-01 11:18:58 +00:00
|
|
|
// SetTwoFactorTOTP sets the relevant TOTP AMR's and sets the factor to 2FA.
|
|
|
|
func (s *UserSession) SetTwoFactorTOTP(now time.Time) {
|
|
|
|
s.setTwoFactor(now)
|
|
|
|
s.AuthenticationMethodRefs.TOTP = true
|
|
|
|
}
|
|
|
|
|
|
|
|
// SetTwoFactorDuo sets the relevant Duo AMR's and sets the factor to 2FA.
|
|
|
|
func (s *UserSession) SetTwoFactorDuo(now time.Time) {
|
|
|
|
s.setTwoFactor(now)
|
|
|
|
s.AuthenticationMethodRefs.Duo = true
|
|
|
|
}
|
|
|
|
|
2023-04-11 04:40:09 +00:00
|
|
|
// SetTwoFactorWebAuthn sets the relevant WebAuthn AMR's and sets the factor to 2FA.
|
|
|
|
func (s *UserSession) SetTwoFactorWebAuthn(now time.Time, userPresence, userVerified bool) {
|
2022-04-01 11:18:58 +00:00
|
|
|
s.setTwoFactor(now)
|
2023-04-11 04:40:09 +00:00
|
|
|
s.AuthenticationMethodRefs.WebAuthn = true
|
|
|
|
s.AuthenticationMethodRefs.WebAuthnUserPresence, s.AuthenticationMethodRefs.WebAuthnUserVerified = userPresence, userVerified
|
2022-04-01 11:18:58 +00:00
|
|
|
|
2023-04-11 04:40:09 +00:00
|
|
|
s.WebAuthn = nil
|
2022-04-01 11:18:58 +00:00
|
|
|
}
|
|
|
|
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
// AuthenticatedTime returns the unix timestamp this session authenticated successfully at the given level.
|
2022-09-03 01:51:02 +00:00
|
|
|
func (s *UserSession) AuthenticatedTime(level authorization.Level) (authenticatedTime time.Time, err error) {
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
switch level {
|
|
|
|
case authorization.OneFactor:
|
|
|
|
return time.Unix(s.FirstFactorAuthnTimestamp, 0), nil
|
|
|
|
case authorization.TwoFactor:
|
|
|
|
return time.Unix(s.SecondFactorAuthnTimestamp, 0), nil
|
|
|
|
default:
|
|
|
|
return time.Unix(0, 0), errors.New("invalid authorization level")
|
|
|
|
}
|
|
|
|
}
|