RPJosh
/
authelia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
authelia/internal/handlers/handler_oidc_authorization_...

220 lines
8.4 KiB
Go
Raw Normal View History

feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
package handlers
import (
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
"errors"
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
"fmt"
"net/http"
fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow.
2022-07-26 05:43:39 +00:00
"net/url"
"path"
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
"strings"
"github.com/google/uuid"
"github.com/ory/fosite"
"github.com/authelia/authelia/v4/internal/middlewares"
"github.com/authelia/authelia/v4/internal/model"
"github.com/authelia/authelia/v4/internal/oidc"
"github.com/authelia/authelia/v4/internal/session"
"github.com/authelia/authelia/v4/internal/utils"
)
feat(oidc): client authentication modes (#5150) This adds a feature to OpenID Connect 1.0 where clients can be restricted to a specific client authentication mode, as well as implements some backend requirements for the private_key_jwt client authentication mode (and potentially the tls_client_auth / self_signed_tls_client_auth client authentication modes). It also adds some improvements to configuration defaults and validations which will for now be warnings but likely be made into errors. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-13 10:58:18 +00:00
func handleOIDCAuthorizationConsent(ctx *middlewares.AutheliaCtx, issuer *url.URL, client oidc.Client,
fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow.
2022-07-26 05:43:39 +00:00
userSession session.UserSession,
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
rw http.ResponseWriter, r *http.Request, requester fosite.AuthorizeRequester) (consent *model.OAuth2ConsentSession, handled bool) {
fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow.
2022-07-26 05:43:39 +00:00
var (
subject uuid.UUID
err error
)
fix(oidc): subject generated for anonymous users (#3238) Fix and issue that would prevent a correct ID Token from being generated for users who start off anonymous. This also avoids generating one in the first place for anonymous users.
2022-04-25 00:31:05 +00:00
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
var handler handlerAuthorizationConsent
fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow.
2022-07-26 05:43:39 +00:00
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
switch {
case userSession.IsAnonymous():
handler = handleOIDCAuthorizationConsentNotAuthenticated
case client.IsAuthenticationLevelSufficient(userSession.AuthenticationLevel):
if subject, err = ctx.Providers.OpenIDConnect.GetSubject(ctx, client.GetSectorIdentifier(), userSession.Username); err != nil {
feat(oidc): client authentication modes (#5150) This adds a feature to OpenID Connect 1.0 where clients can be restricted to a specific client authentication mode, as well as implements some backend requirements for the private_key_jwt client authentication mode (and potentially the tls_client_auth / self_signed_tls_client_auth client authentication modes). It also adds some improvements to configuration defaults and validations which will for now be warnings but likely be made into errors. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-13 10:58:18 +00:00
ctx.Logger.Errorf(logFmtErrConsentCantGetSubject, requester.GetID(), client.GetID(), client.GetConsentPolicy(), userSession.Username, client.GetSectorIdentifier(), err)
fix(oidc): subject generated for anonymous users (#3238) Fix and issue that would prevent a correct ID Token from being generated for users who start off anonymous. This also avoids generating one in the first place for anonymous users.
2022-04-25 00:31:05 +00:00
build(deps): update module github.com/ory/fosite to v0.43.0 (#4269) This updates fosite and refactors our usage out of compose.
2022-11-13 03:26:10 +00:00
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrSubjectCouldNotLookup)
fix(oidc): subject generated for anonymous users (#3238) Fix and issue that would prevent a correct ID Token from being generated for users who start off anonymous. This also avoids generating one in the first place for anonymous users.
2022-04-25 00:31:05 +00:00
return nil, true
}
feat(oidc): client authentication modes (#5150) This adds a feature to OpenID Connect 1.0 where clients can be restricted to a specific client authentication mode, as well as implements some backend requirements for the private_key_jwt client authentication mode (and potentially the tls_client_auth / self_signed_tls_client_auth client authentication modes). It also adds some improvements to configuration defaults and validations which will for now be warnings but likely be made into errors. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-13 10:58:18 +00:00
switch client.GetConsentPolicy().Mode {
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
case oidc.ClientConsentModeExplicit:
handler = handleOIDCAuthorizationConsentModeExplicit
case oidc.ClientConsentModeImplicit:
handler = handleOIDCAuthorizationConsentModeImplicit
case oidc.ClientConsentModePreConfigured:
handler = handleOIDCAuthorizationConsentModePreConfigured
default:
ctx.Logger.Errorf(logFmtErrConsentCantDetermineConsentMode, requester.GetID(), client.GetID())
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
build(deps): update module github.com/ory/fosite to v0.43.0 (#4269) This updates fosite and refactors our usage out of compose.
2022-11-13 03:26:10 +00:00
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, fosite.ErrServerError.WithHint("Could not determine the client consent mode."))
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
return nil, true
}
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
default:
if subject, err = ctx.Providers.OpenIDConnect.GetSubject(ctx, client.GetSectorIdentifier(), userSession.Username); err != nil {
feat(oidc): client authentication modes (#5150) This adds a feature to OpenID Connect 1.0 where clients can be restricted to a specific client authentication mode, as well as implements some backend requirements for the private_key_jwt client authentication mode (and potentially the tls_client_auth / self_signed_tls_client_auth client authentication modes). It also adds some improvements to configuration defaults and validations which will for now be warnings but likely be made into errors. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-13 10:58:18 +00:00
ctx.Logger.Errorf(logFmtErrConsentCantGetSubject, requester.GetID(), client.GetID(), client.GetConsentPolicy(), userSession.Username, client.GetSectorIdentifier(), err)
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
build(deps): update module github.com/ory/fosite to v0.43.0 (#4269) This updates fosite and refactors our usage out of compose.
2022-11-13 03:26:10 +00:00
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrSubjectCouldNotLookup)
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
return nil, true
}
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
handler = handleOIDCAuthorizationConsentGenerate
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
}
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
return handler(ctx, issuer, client, userSession, subject, rw, r, requester)
}
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
feat(oidc): client authentication modes (#5150) This adds a feature to OpenID Connect 1.0 where clients can be restricted to a specific client authentication mode, as well as implements some backend requirements for the private_key_jwt client authentication mode (and potentially the tls_client_auth / self_signed_tls_client_auth client authentication modes). It also adds some improvements to configuration defaults and validations which will for now be warnings but likely be made into errors. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-13 10:58:18 +00:00
func handleOIDCAuthorizationConsentNotAuthenticated(_ *middlewares.AutheliaCtx, issuer *url.URL, _ oidc.Client,
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
_ session.UserSession, _ uuid.UUID,
rw http.ResponseWriter, r *http.Request, requester fosite.AuthorizeRequester) (consent *model.OAuth2ConsentSession, handled bool) {
redirectionURL := handleOIDCAuthorizationConsentGetRedirectionURL(issuer, nil, requester)
http.Redirect(rw, r, redirectionURL.String(), http.StatusFound)
return nil, true
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
}
feat(oidc): client authentication modes (#5150) This adds a feature to OpenID Connect 1.0 where clients can be restricted to a specific client authentication mode, as well as implements some backend requirements for the private_key_jwt client authentication mode (and potentially the tls_client_auth / self_signed_tls_client_auth client authentication modes). It also adds some improvements to configuration defaults and validations which will for now be warnings but likely be made into errors. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-13 10:58:18 +00:00
func handleOIDCAuthorizationConsentGenerate(ctx *middlewares.AutheliaCtx, issuer *url.URL, client oidc.Client,
fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow.
2022-07-26 05:43:39 +00:00
userSession session.UserSession, subject uuid.UUID,
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
rw http.ResponseWriter, r *http.Request, requester fosite.AuthorizeRequester) (consent *model.OAuth2ConsentSession, handled bool) {
var (
fix(oidc): subject generated for anonymous users (#3238) Fix and issue that would prevent a correct ID Token from being generated for users who start off anonymous. This also avoids generating one in the first place for anonymous users.
2022-04-25 00:31:05 +00:00
err error
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
)
feat(oidc): client authentication modes (#5150) This adds a feature to OpenID Connect 1.0 where clients can be restricted to a specific client authentication mode, as well as implements some backend requirements for the private_key_jwt client authentication mode (and potentially the tls_client_auth / self_signed_tls_client_auth client authentication modes). It also adds some improvements to configuration defaults and validations which will for now be warnings but likely be made into errors. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-13 10:58:18 +00:00
ctx.Logger.Debugf(logFmtDbgConsentGenerate, requester.GetID(), client.GetID(), client.GetConsentPolicy())
fix(oidc): subject generated for anonymous users (#3238) Fix and issue that would prevent a correct ID Token from being generated for users who start off anonymous. This also avoids generating one in the first place for anonymous users.
2022-04-25 00:31:05 +00:00
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
if len(ctx.QueryArgs().PeekBytes(qryArgConsentID)) != 0 {
feat(oidc): client authentication modes (#5150) This adds a feature to OpenID Connect 1.0 where clients can be restricted to a specific client authentication mode, as well as implements some backend requirements for the private_key_jwt client authentication mode (and potentially the tls_client_auth / self_signed_tls_client_auth client authentication modes). It also adds some improvements to configuration defaults and validations which will for now be warnings but likely be made into errors. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-13 10:58:18 +00:00
ctx.Logger.Errorf(logFmtErrConsentGenerateError, requester.GetID(), client.GetID(), client.GetConsentPolicy(), "generating", errors.New("consent id value was present when it should be absent"))
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
build(deps): update module github.com/ory/fosite to v0.43.0 (#4269) This updates fosite and refactors our usage out of compose.
2022-11-13 03:26:10 +00:00
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotGenerate)
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
fix(oidc): subject generated for anonymous users (#3238) Fix and issue that would prevent a correct ID Token from being generated for users who start off anonymous. This also avoids generating one in the first place for anonymous users.
2022-04-25 00:31:05 +00:00
return nil, true
}
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
if consent, err = model.NewOAuth2ConsentSession(subject, requester); err != nil {
feat(oidc): client authentication modes (#5150) This adds a feature to OpenID Connect 1.0 where clients can be restricted to a specific client authentication mode, as well as implements some backend requirements for the private_key_jwt client authentication mode (and potentially the tls_client_auth / self_signed_tls_client_auth client authentication modes). It also adds some improvements to configuration defaults and validations which will for now be warnings but likely be made into errors. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-13 10:58:18 +00:00
ctx.Logger.Errorf(logFmtErrConsentGenerateError, requester.GetID(), client.GetID(), client.GetConsentPolicy(), "generating", err)
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
build(deps): update module github.com/ory/fosite to v0.43.0 (#4269) This updates fosite and refactors our usage out of compose.
2022-11-13 03:26:10 +00:00
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotGenerate)
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
return nil, true
}
if err = ctx.Providers.StorageProvider.SaveOAuth2ConsentSession(ctx, *consent); err != nil {
feat(oidc): client authentication modes (#5150) This adds a feature to OpenID Connect 1.0 where clients can be restricted to a specific client authentication mode, as well as implements some backend requirements for the private_key_jwt client authentication mode (and potentially the tls_client_auth / self_signed_tls_client_auth client authentication modes). It also adds some improvements to configuration defaults and validations which will for now be warnings but likely be made into errors. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-13 10:58:18 +00:00
ctx.Logger.Errorf(logFmtErrConsentGenerateError, requester.GetID(), client.GetID(), client.GetConsentPolicy(), "saving", err)
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
build(deps): update module github.com/ory/fosite to v0.43.0 (#4269) This updates fosite and refactors our usage out of compose.
2022-11-13 03:26:10 +00:00
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotSave)
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
return nil, true
}
fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow.
2022-07-26 05:43:39 +00:00
handleOIDCAuthorizationConsentRedirect(ctx, issuer, consent, client, userSession, rw, r, requester)
return consent, true
}
feat(oidc): client authentication modes (#5150) This adds a feature to OpenID Connect 1.0 where clients can be restricted to a specific client authentication mode, as well as implements some backend requirements for the private_key_jwt client authentication mode (and potentially the tls_client_auth / self_signed_tls_client_auth client authentication modes). It also adds some improvements to configuration defaults and validations which will for now be warnings but likely be made into errors. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-13 10:58:18 +00:00
func handleOIDCAuthorizationConsentRedirect(ctx *middlewares.AutheliaCtx, issuer *url.URL, consent *model.OAuth2ConsentSession, client oidc.Client,
fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow.
2022-07-26 05:43:39 +00:00
userSession session.UserSession, rw http.ResponseWriter, r *http.Request, requester fosite.AuthorizeRequester) {
var location *url.URL
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow.
2022-07-26 05:43:39 +00:00
if client.IsAuthenticationLevelSufficient(userSession.AuthenticationLevel) {
refactor: clean up uri checking functions (#3943)
2022-09-03 01:51:02 +00:00
location, _ = url.ParseRequestURI(issuer.String())
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
location.Path = path.Join(location.Path, oidc.EndpointPathConsent)
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow.
2022-07-26 05:43:39 +00:00
query := location.Query()
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
query.Set(queryArgID, consent.ChallengeID.String())
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow.
2022-07-26 05:43:39 +00:00
location.RawQuery = query.Encode()
feat(oidc): client authentication modes (#5150) This adds a feature to OpenID Connect 1.0 where clients can be restricted to a specific client authentication mode, as well as implements some backend requirements for the private_key_jwt client authentication mode (and potentially the tls_client_auth / self_signed_tls_client_auth client authentication modes). It also adds some improvements to configuration defaults and validations which will for now be warnings but likely be made into errors. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-13 10:58:18 +00:00
ctx.Logger.Debugf(logFmtDbgConsentAuthenticationSufficiency, requester.GetID(), client.GetID(), client.GetConsentPolicy(), userSession.AuthenticationLevel.String(), "sufficient", client.GetAuthorizationPolicy())
fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow.
2022-07-26 05:43:39 +00:00
} else {
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
location = handleOIDCAuthorizationConsentGetRedirectionURL(issuer, consent, requester)
fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow.
2022-07-26 05:43:39 +00:00
feat(oidc): client authentication modes (#5150) This adds a feature to OpenID Connect 1.0 where clients can be restricted to a specific client authentication mode, as well as implements some backend requirements for the private_key_jwt client authentication mode (and potentially the tls_client_auth / self_signed_tls_client_auth client authentication modes). It also adds some improvements to configuration defaults and validations which will for now be warnings but likely be made into errors. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-13 10:58:18 +00:00
ctx.Logger.Debugf(logFmtDbgConsentAuthenticationSufficiency, requester.GetID(), client.GetID(), client.GetConsentPolicy(), userSession.AuthenticationLevel.String(), "insufficient", client.GetAuthorizationPolicy())
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
}
feat(oidc): client authentication modes (#5150) This adds a feature to OpenID Connect 1.0 where clients can be restricted to a specific client authentication mode, as well as implements some backend requirements for the private_key_jwt client authentication mode (and potentially the tls_client_auth / self_signed_tls_client_auth client authentication modes). It also adds some improvements to configuration defaults and validations which will for now be warnings but likely be made into errors. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-13 10:58:18 +00:00
ctx.Logger.Debugf(logFmtDbgConsentRedirect, requester.GetID(), client.GetID(), client.GetConsentPolicy(), location)
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow.
2022-07-26 05:43:39 +00:00
http.Redirect(rw, r, location.String(), http.StatusFound)
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
}
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
func handleOIDCAuthorizationConsentGetRedirectionURL(issuer *url.URL, consent *model.OAuth2ConsentSession, requester fosite.AuthorizeRequester) (redirectURL *url.URL) {
iss := issuer.String()
fix(handler): oidc two factor handling (#3512)
2022-06-14 05:17:11 +00:00
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
if !strings.HasSuffix(iss, "/") {
iss += "/"
}
redirectURL, _ = url.ParseRequestURI(iss)
query := redirectURL.Query()
query.Set(queryArgWorkflow, workflowOpenIDConnect)
fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow.
2022-07-26 05:43:39 +00:00
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
switch {
case consent != nil:
query.Set(queryArgWorkflowID, consent.ChallengeID.String())
case requester != nil:
rd, _ := url.ParseRequestURI(iss)
rd.Path = path.Join(rd.Path, oidc.EndpointPathAuthorization)
rd.RawQuery = requester.GetRequestForm().Encode()
query.Set(queryArgRD, rd.String())
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
}
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
redirectURL.RawQuery = query.Encode()
return redirectURL
}
feat(oidc): client authentication modes (#5150) This adds a feature to OpenID Connect 1.0 where clients can be restricted to a specific client authentication mode, as well as implements some backend requirements for the private_key_jwt client authentication mode (and potentially the tls_client_auth / self_signed_tls_client_auth client authentication modes). It also adds some improvements to configuration defaults and validations which will for now be warnings but likely be made into errors. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-13 10:58:18 +00:00
func verifyOIDCUserAuthorizedForConsent(ctx *middlewares.AutheliaCtx, client oidc.Client, userSession session.UserSession, consent *model.OAuth2ConsentSession, subject uuid.UUID) (err error) {
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
var sid uint32
fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow.
2022-07-26 05:43:39 +00:00
if client == nil {
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
if client, err = ctx.Providers.OpenIDConnect.GetFullClient(consent.ClientID); err != nil {
fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow.
2022-07-26 05:43:39 +00:00
return fmt.Errorf("failed to retrieve client: %w", err)
}
}
fix(handler): oidc two factor handling (#3512)
2022-06-14 05:17:11 +00:00
fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow.
2022-07-26 05:43:39 +00:00
if sid = subject.ID(); sid == 0 {
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
if subject, err = ctx.Providers.OpenIDConnect.GetSubject(ctx, client.GetSectorIdentifier(), userSession.Username); err != nil {
fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow.
2022-07-26 05:43:39 +00:00
return fmt.Errorf("failed to lookup subject: %w", err)
}
sid = subject.ID()
}
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
if !consent.Subject.Valid {
if sid == 0 {
return fmt.Errorf("the consent subject is null for consent session with id '%d' for anonymous user", consent.ID)
}
fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow.
2022-07-26 05:43:39 +00:00
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
consent.Subject = uuid.NullUUID{UUID: subject, Valid: true}
fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow.
2022-07-26 05:43:39 +00:00
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
if err = ctx.Providers.StorageProvider.SaveOAuth2ConsentSessionSubject(ctx, *consent); err != nil {
return fmt.Errorf("failed to update the consent subject: %w", err)
}
}
fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow.
2022-07-26 05:43:39 +00:00
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
if consent.Subject.UUID.ID() != sid {
return fmt.Errorf("the consent subject identifier '%s' isn't owned by user '%s' who has a subject identifier of '%s' with sector identifier '%s'", consent.Subject.UUID, userSession.Username, subject, client.GetSectorIdentifier())
}
fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow.
2022-07-26 05:43:39 +00:00
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
return nil
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
}
fix(oidc): pre-conf consent skipped entirely for anon users (#3250) This fixes an issue where pre-configured consent is entirely skipped if the process was initiated via an anonymous user.
2022-05-03 05:28:58 +00:00
func getOIDCExpectedScopesAndAudienceFromRequest(requester fosite.Requester) (scopes, audience []string) {
return getOIDCExpectedScopesAndAudience(requester.GetClient().GetID(), requester.GetRequestedScopes(), requester.GetRequestedAudience())
}
func getOIDCExpectedScopesAndAudience(clientID string, scopes, audience []string) (expectedScopes, expectedAudience []string) {
if !utils.IsStringInSlice(clientID, audience) {
audience = append(audience, clientID)
}
return scopes, audience
}