authelia/internal/oidc/hasher.go

package oidc

import (
	"context"

	"github.com/go-crypt/crypt"
	"github.com/go-crypt/crypt/algorithm"
	"github.com/go-crypt/crypt/algorithm/plaintext"
)

// NewHasher returns a new Hasher.
func NewHasher() (hasher *Hasher, err error) {
	hasher = &Hasher{}

	if hasher.decoder, err = crypt.NewDefaultDecoder(); err != nil {
		return nil, err
	}

	if err = plaintext.RegisterDecoderPlainText(hasher.decoder); err != nil {
		return nil, err
	}

	return hasher, nil
}

// Hasher implements the fosite.Hasher interface and adaptively compares hashes.
type Hasher struct {
	decoder algorithm.DecoderRegister
}

// Compare compares the hash with the data and returns an error if they don't match.
func (h Hasher) Compare(_ context.Context, hash, data []byte) (err error) {
	var digest algorithm.Digest

	if digest, err = h.decoder.Decode(string(hash)); err != nil {
		return err
	}

	if digest.MatchBytes(data) {
		return nil
	}

	return errPasswordsDoNotMatch
}

// Hash creates a new hash from data.
func (h Hasher) Hash(_ context.Context, data []byte) (hash []byte, err error) {
	return data, nil
}
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00			`package oidc`

			`import (`
			`"context"`
feat(oidc): hashed client secrets (#4026) Allow use of hashed OpenID Connect client secrets. 2022-10-20 03:21:45 +00:00
			`"github.com/go-crypt/crypt"`
build(deps): update module github.com/go-crypt/crypt to v0.2.2 (#4452) 2022-12-04 22:37:08 +00:00			`"github.com/go-crypt/crypt/algorithm"`
			`"github.com/go-crypt/crypt/algorithm/plaintext"`
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00			`)`

feat(oidc): pushed authorization requests (#4546) This implements RFC9126 OAuth 2.0 Pushed Authorization Requests. See https://datatracker.ietf.org/doc/html/rfc9126 for the specification details. 2023-03-06 03:58:50 +00:00			`// NewHasher returns a new Hasher.`
			`func NewHasher() (hasher *Hasher, err error) {`
			`hasher = &Hasher{}`
build(deps): update module github.com/go-crypt/crypt to v0.2.2 (#4452) 2022-12-04 22:37:08 +00:00
			`if hasher.decoder, err = crypt.NewDefaultDecoder(); err != nil {`
			`return nil, err`
			`}`

			`if err = plaintext.RegisterDecoderPlainText(hasher.decoder); err != nil {`
			`return nil, err`
			`}`

			`return hasher, nil`
			`}`

feat(oidc): pushed authorization requests (#4546) This implements RFC9126 OAuth 2.0 Pushed Authorization Requests. See https://datatracker.ietf.org/doc/html/rfc9126 for the specification details. 2023-03-06 03:58:50 +00:00			`// Hasher implements the fosite.Hasher interface and adaptively compares hashes.`
			`type Hasher struct {`
build(deps): update module github.com/go-crypt/crypt to v0.2.2 (#4452) 2022-12-04 22:37:08 +00:00			`decoder algorithm.DecoderRegister`
			`}`

feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00			`// Compare compares the hash with the data and returns an error if they don't match.`
feat(oidc): pushed authorization requests (#4546) This implements RFC9126 OAuth 2.0 Pushed Authorization Requests. See https://datatracker.ietf.org/doc/html/rfc9126 for the specification details. 2023-03-06 03:58:50 +00:00			`func (h Hasher) Compare(_ context.Context, hash, data []byte) (err error) {`
build(deps): update module github.com/go-crypt/crypt to v0.2.2 (#4452) 2022-12-04 22:37:08 +00:00			`var digest algorithm.Digest`
feat(oidc): hashed client secrets (#4026) Allow use of hashed OpenID Connect client secrets. 2022-10-20 03:21:45 +00:00
build(deps): update module github.com/go-crypt/crypt to v0.2.2 (#4452) 2022-12-04 22:37:08 +00:00			`if digest, err = h.decoder.Decode(string(hash)); err != nil {`
feat(oidc): hashed client secrets (#4026) Allow use of hashed OpenID Connect client secrets. 2022-10-20 03:21:45 +00:00			`return err`
			`}`

			`if digest.MatchBytes(data) {`
			`return nil`
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00			`}`

feat(oidc): hashed client secrets (#4026) Allow use of hashed OpenID Connect client secrets. 2022-10-20 03:21:45 +00:00			`return errPasswordsDoNotMatch`
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00			`}`

			`// Hash creates a new hash from data.`
feat(oidc): pushed authorization requests (#4546) This implements RFC9126 OAuth 2.0 Pushed Authorization Requests. See https://datatracker.ietf.org/doc/html/rfc9126 for the specification details. 2023-03-06 03:58:50 +00:00			`func (h Hasher) Hash(_ context.Context, data []byte) (hash []byte, err error) {`
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00			`return data, nil`
			`}`