RPJosh
/
authelia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
authelia/internal/oidc/client.go

200 lines
6.1 KiB
Go
Raw Normal View History

feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
package oidc
import (
"github.com/ory/fosite"
feat(oidc): per-client pkce enforcement policy (#4692) This implements a per-client PKCE enforcement policy with the ability to enforce that it's used, and the specific challenge mode.
2023-01-03 15:03:23 +00:00
"github.com/ory/x/errorsx"
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
fix: include major in go.mod module directive (#2278) * build: include major in go.mod module directive * fix: xflags * revert: cobra changes * fix: mock doc
2021-08-11 01:04:35 +00:00
"github.com/authelia/authelia/v4/internal/authentication"
"github.com/authelia/authelia/v4/internal/authorization"
"github.com/authelia/authelia/v4/internal/configuration/schema"
feat(oidc): implement amr claim (#2969) This adds the amr claim which stores methods used to authenticate with Authelia by the users session.
2022-04-01 11:18:58 +00:00
"github.com/authelia/authelia/v4/internal/model"
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
)
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
// NewClient creates a new Client.
func NewClient(config schema.OpenIDConnectClientConfiguration) (client *Client) {
client = &Client{
feat(oidc): pairwise subject identifiers (#3116) Allows configuring clients with a sector identifier to allow pairwise subject types.
2022-04-07 06:13:01 +00:00
ID: config.ID,
Description: config.Description,
feat(oidc): hashed client secrets (#4026) Allow use of hashed OpenID Connect client secrets.
2022-10-20 03:21:45 +00:00
Secret: config.Secret,
feat(oidc): pairwise subject identifiers (#3116) Allows configuring clients with a sector identifier to allow pairwise subject types.
2022-04-07 06:13:01 +00:00
SectorIdentifier: config.SectorIdentifier.String(),
Public: config.Public,
feat(oidc): implement client type public (#2171) This implements the public option for clients which allows using Authelia as an OpenID Connect Provider for cli applications and SPA's where the client secret cannot be considered secure.
2021-07-15 11:02:03 +00:00
feat(oidc): per-client pkce enforcement policy (#4692) This implements a per-client PKCE enforcement policy with the ability to enforce that it's used, and the specific challenge mode.
2023-01-03 15:03:23 +00:00
EnforcePKCE: config.EnforcePKCE || config.PKCEChallengeMethod != "",
EnforcePKCEChallengeMethod: config.PKCEChallengeMethod != "",
PKCEChallengeMethod: config.PKCEChallengeMethod,
feat(oidc): implement client type public (#2171) This implements the public option for clients which allows using Authelia as an OpenID Connect Provider for cli applications and SPA's where the client secret cannot be considered secure.
2021-07-15 11:02:03 +00:00
Audience: config.Audience,
Scopes: config.Scopes,
feat(oidc): add additional config options, accurate token times, and refactoring (#1991) * This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes. * Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately. * Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
RedirectURIs: config.RedirectURIs,
GrantTypes: config.GrantTypes,
ResponseTypes: config.ResponseTypes,
fix(oidc): default response mode not validated (#5129) This fixes an issue where the default response mode (i.e. if the mode is omitted) would skip the validations against the allowed response modes. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-11 11:29:02 +00:00
ResponseModes: []fosite.ResponseModeType{},
feat(oidc): add additional config options, accurate token times, and refactoring (#1991) * This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes. * Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately. * Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
feat(oidc): pushed authorization requests (#4546) This implements RFC9126 OAuth 2.0 Pushed Authorization Requests. See https://datatracker.ietf.org/doc/html/rfc9126 for the specification details.
2023-03-06 03:58:50 +00:00
EnforcePAR: config.EnforcePAR,
feat(oidc): userinfo endpoint (#2146) This is a required endpoint for OIDC and is one we missed in our initial implementation. Also adds some rudamentary documentaiton about the implemented endpoints.
2021-07-10 04:56:33 +00:00
UserinfoSigningAlgorithm: config.UserinfoSigningAlgorithm,
feat(oidc): pre-configured consent (#3118) Allows users to pre-configure consent if enabled by the client configuration by selecting a checkbox during consent. Closes #2598
2022-04-08 05:35:21 +00:00
refactor: const int type stringers (#4588)
2022-12-17 12:39:24 +00:00
Policy: authorization.NewLevel(config.Policy),
feat(oidc): pre-configured consent (#3118) Allows users to pre-configure consent if enabled by the client configuration by selecting a checkbox during consent. Closes #2598
2022-04-08 05:35:21 +00:00
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
Consent: NewClientConsent(config.ConsentMode, config.ConsentPreConfiguredDuration),
feat(oidc): add additional config options, accurate token times, and refactoring (#1991) * This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes. * Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately. * Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
}
for _, mode := range config.ResponseModes {
client.ResponseModes = append(client.ResponseModes, fosite.ResponseModeType(mode))
}
return client
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
}
feat(oidc): pushed authorization requests (#4546) This implements RFC9126 OAuth 2.0 Pushed Authorization Requests. See https://datatracker.ietf.org/doc/html/rfc9126 for the specification details.
2023-03-06 03:58:50 +00:00
// ValidatePKCEPolicy is a helper function to validate PKCE policy constraints on a per-client basis.
func (c *Client) ValidatePKCEPolicy(r fosite.Requester) (err error) {
feat(oidc): per-client pkce enforcement policy (#4692) This implements a per-client PKCE enforcement policy with the ability to enforce that it's used, and the specific challenge mode.
2023-01-03 15:03:23 +00:00
form := r.GetRequestForm()
if c.EnforcePKCE {
feat(oidc): pushed authorization requests (#4546) This implements RFC9126 OAuth 2.0 Pushed Authorization Requests. See https://datatracker.ietf.org/doc/html/rfc9126 for the specification details.
2023-03-06 03:58:50 +00:00
if form.Get(FormParameterCodeChallenge) == "" {
feat(oidc): per-client pkce enforcement policy (#4692) This implements a per-client PKCE enforcement policy with the ability to enforce that it's used, and the specific challenge mode.
2023-01-03 15:03:23 +00:00
return errorsx.WithStack(fosite.ErrInvalidRequest.
WithHint("Clients must include a code_challenge when performing the authorize code flow, but it is missing.").
WithDebug("The server is configured in a way that enforces PKCE for this client."))
}
if c.EnforcePKCEChallengeMethod {
feat(oidc): pushed authorization requests (#4546) This implements RFC9126 OAuth 2.0 Pushed Authorization Requests. See https://datatracker.ietf.org/doc/html/rfc9126 for the specification details.
2023-03-06 03:58:50 +00:00
if method := form.Get(FormParameterCodeChallengeMethod); method != c.PKCEChallengeMethod {
feat(oidc): per-client pkce enforcement policy (#4692) This implements a per-client PKCE enforcement policy with the ability to enforce that it's used, and the specific challenge mode.
2023-01-03 15:03:23 +00:00
return errorsx.WithStack(fosite.ErrInvalidRequest.
feat(oidc): pushed authorization requests (#4546) This implements RFC9126 OAuth 2.0 Pushed Authorization Requests. See https://datatracker.ietf.org/doc/html/rfc9126 for the specification details.
2023-03-06 03:58:50 +00:00
WithHintf("Client must use code_challenge_method=%s, %s is not allowed.", c.PKCEChallengeMethod, method).
WithDebugf("The server is configured in a way that enforces PKCE %s as challenge method for this client.", c.PKCEChallengeMethod))
feat(oidc): per-client pkce enforcement policy (#4692) This implements a per-client PKCE enforcement policy with the ability to enforce that it's used, and the specific challenge mode.
2023-01-03 15:03:23 +00:00
}
}
}
return nil
}
feat(oidc): pushed authorization requests (#4546) This implements RFC9126 OAuth 2.0 Pushed Authorization Requests. See https://datatracker.ietf.org/doc/html/rfc9126 for the specification details.
2023-03-06 03:58:50 +00:00
// ValidatePARPolicy is a helper function to validate additional policy constraints on a per-client basis.
func (c *Client) ValidatePARPolicy(r fosite.Requester, prefix string) (err error) {
if c.EnforcePAR {
fix(oidc): default response mode not validated (#5129) This fixes an issue where the default response mode (i.e. if the mode is omitted) would skip the validations against the allowed response modes. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-11 11:29:02 +00:00
if !IsPushedAuthorizedRequest(r, prefix) {
switch requestURI := r.GetRequestForm().Get(FormParameterRequestURI); requestURI {
case "":
feat(oidc): pushed authorization requests (#4546) This implements RFC9126 OAuth 2.0 Pushed Authorization Requests. See https://datatracker.ietf.org/doc/html/rfc9126 for the specification details.
2023-03-06 03:58:50 +00:00
return errorsx.WithStack(ErrPAREnforcedClientMissingPAR.WithDebug("The request_uri parameter was empty."))
fix(oidc): default response mode not validated (#5129) This fixes an issue where the default response mode (i.e. if the mode is omitted) would skip the validations against the allowed response modes. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-11 11:29:02 +00:00
default:
return errorsx.WithStack(ErrPAREnforcedClientMissingPAR.WithDebugf("The request_uri parameter '%s' is malformed.", requestURI))
feat(oidc): pushed authorization requests (#4546) This implements RFC9126 OAuth 2.0 Pushed Authorization Requests. See https://datatracker.ietf.org/doc/html/rfc9126 for the specification details.
2023-03-06 03:58:50 +00:00
}
}
}
return nil
}
fix(oidc): default response mode not validated (#5129) This fixes an issue where the default response mode (i.e. if the mode is omitted) would skip the validations against the allowed response modes. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-11 11:29:02 +00:00
// ValidateResponseModePolicy is an additional check to the response mode parameter to ensure if it's omitted that the
// default response mode for the fosite.AuthorizeRequester is permitted.
func (c *Client) ValidateResponseModePolicy(r fosite.AuthorizeRequester) (err error) {
if r.GetResponseMode() != fosite.ResponseModeDefault {
return nil
}
m := r.GetDefaultResponseMode()
modes := c.GetResponseModes()
if len(modes) == 0 {
return nil
}
for _, mode := range modes {
if m == mode {
return nil
}
}
return errorsx.WithStack(fosite.ErrUnsupportedResponseMode.WithHintf(`The request omitted the response_mode making the default response_mode "%s" based on the other authorization request parameters but registered OAuth 2.0 client doesn't support this response_mode`, m))
}
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
// IsAuthenticationLevelSufficient returns if the provided authentication.Level is sufficient for the client of the AutheliaClient.
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
func (c *Client) IsAuthenticationLevelSufficient(level authentication.Level) bool {
if level == authentication.NotAuthenticated {
return false
}
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
return authorization.IsAuthLevelSufficient(level, c.Policy)
}
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
// GetSectorIdentifier returns the SectorIdentifier for this client.
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
func (c *Client) GetSectorIdentifier() string {
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
return c.SectorIdentifier
}
// GetConsentResponseBody returns the proper consent response body for this session.OIDCWorkflowSession.
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
func (c *Client) GetConsentResponseBody(consent *model.OAuth2ConsentSession) ConsentGetResponseBody {
feat(oidc): add additional config options, accurate token times, and refactoring (#1991) * This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes. * Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately. * Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
body := ConsentGetResponseBody{
ClientID: c.ID,
ClientDescription: c.Description,
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
PreConfiguration: c.Consent.Mode == ClientConsentModePreConfigured,
feat(oidc): add additional config options, accurate token times, and refactoring (#1991) * This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes. * Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately. * Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
}
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
if consent != nil {
body.Scopes = consent.RequestedScopes
body.Audience = consent.RequestedAudience
feat(oidc): add additional config options, accurate token times, and refactoring (#1991) * This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes. * Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately. * Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
}
return body
}
feat(oidc): per-client pkce enforcement policy (#4692) This implements a per-client PKCE enforcement policy with the ability to enforce that it's used, and the specific challenge mode.
2023-01-03 15:03:23 +00:00
// GetID returns the ID.
func (c *Client) GetID() string {
return c.ID
}
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
// GetHashedSecret returns the Secret.
feat(oidc): pushed authorization requests (#4546) This implements RFC9126 OAuth 2.0 Pushed Authorization Requests. See https://datatracker.ietf.org/doc/html/rfc9126 for the specification details.
2023-03-06 03:58:50 +00:00
func (c *Client) GetHashedSecret() (secret []byte) {
feat(oidc): hashed client secrets (#4026) Allow use of hashed OpenID Connect client secrets.
2022-10-20 03:21:45 +00:00
if c.Secret == nil {
return []byte(nil)
}
return []byte(c.Secret.Encode())
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
}
// GetRedirectURIs returns the RedirectURIs.
feat(oidc): pushed authorization requests (#4546) This implements RFC9126 OAuth 2.0 Pushed Authorization Requests. See https://datatracker.ietf.org/doc/html/rfc9126 for the specification details.
2023-03-06 03:58:50 +00:00
func (c *Client) GetRedirectURIs() (redirectURIs []string) {
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
return c.RedirectURIs
}
// GetGrantTypes returns the GrantTypes.
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
func (c *Client) GetGrantTypes() fosite.Arguments {
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
if len(c.GrantTypes) == 0 {
return fosite.Arguments{"authorization_code"}
}
return c.GrantTypes
}
// GetResponseTypes returns the ResponseTypes.
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
func (c *Client) GetResponseTypes() fosite.Arguments {
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
if len(c.ResponseTypes) == 0 {
return fosite.Arguments{"code"}
}
return c.ResponseTypes
}
// GetScopes returns the Scopes.
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
func (c *Client) GetScopes() fosite.Arguments {
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
return c.Scopes
}
// IsPublic returns the value of the Public property.
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
func (c *Client) IsPublic() bool {
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
return c.Public
}
// GetAudience returns the Audience.
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
func (c *Client) GetAudience() fosite.Arguments {
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
return c.Audience
}
feat(oidc): add additional config options, accurate token times, and refactoring (#1991) * This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes. * Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately. * Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
// GetResponseModes returns the valid response modes for this client.
//
// Implements the fosite.ResponseModeClient.
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
func (c *Client) GetResponseModes() []fosite.ResponseModeType {
feat(oidc): add additional config options, accurate token times, and refactoring (#1991) * This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes. * Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately. * Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
return c.ResponseModes
}