From 773387291ae8f339e511d87d4841419f1677f061 Mon Sep 17 00:00:00 2001 From: James Elliott Date: Sat, 15 Apr 2023 15:39:13 +1000 Subject: [PATCH 1/8] docs: update branding docs (#5249) Signed-off-by: James Elliott --- docs/content/en/reference/guides/branding.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/docs/content/en/reference/guides/branding.md b/docs/content/en/reference/guides/branding.md index 42066893f..1b2fda0f9 100644 --- a/docs/content/en/reference/guides/branding.md +++ b/docs/content/en/reference/guides/branding.md 
@@ -15,17 +15,19 @@ toc: true ## Usage The images are currently licensed under the same [Apache 2.0](https://github.com/authelia/authelia/blob/master/LICENSE) -as everything else in the repository. It is kindly requested however that with all of our branding that users only make -modifications that are in harmony with the following rules which are not intended to restrict usage unreasonably and are -only intended to preserve the Authelia branding identity: +as everything else in the repository. It is kindly requested however that with all of our branding that without explicit +contrary permission users only use the images and only make modifications that are in harmony with the following rules +which are not intended to restrict usage unreasonably and are only intended to preserve the Authelia branding identity: 1. They do not unreasonably alter the quality of the branding: - - Image size changes should be done only when the size is appropriate for the intended display scenario. - - Compression should not be applied overly aggressively for the intended display scenario. + - Image size changes should be done only when the size is appropriate for the intended display scenario. + - Compression should not be applied overly aggressively for the intended display scenario. 2. The changes do not unreasonably alter the design of the branding and should fit one or more of the following categories: - Layout - Format +3. They are not used in a way that would indicate affiliation or endorsement by Authelia. +4. They are not used in exchange for trade or financial reimbursement as they are intellectual property of Authelia. Examples of changes which fit these categories include: From 11eafba079ef105f05442fe25ac61b088e5dd821 Mon Sep 17 00:00:00 2001 From: James Elliott Date: Sat, 15 Apr 2023 16:08:29 +1000 Subject: [PATCH 2/8] docs: update blog (#5251) 
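Review bot: new rule 4 in the branding.md hunk ("They are not used in exchange for trade or financial reimbursement as they are intellectual property of Authelia") sits directly under the unchanged sentence stating the images are licensed under Apache 2.0, which permits commercial use, so a reader cannot tell whether this is a licence condition or a request; say explicitly that these rules are requests that do not alter the Apache 2.0 terms, or move the trademark-style restrictions into a separate trademark notice. The rewritten opening sentence also stacks two "that" clauses ("It is kindly requested however that with all of our branding that without explicit contrary permission users only use the images"); suggest "It is kindly requested that, without explicit permission to the contrary, users only use the images and only make modifications that are in harmony with the following rules". The change from three to four spaces of indentation on the sub-bullets under rule 1 is what makes them render as a nested list under an ordered item; worth a word in the commit message so it is not mistaken for whitespace noise.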
Signed-off-by: James Elliott --- .../en/blog/pre-release-notes-4.38/index.md | 65 ++++++++++++++++++- 1 file changed, 62 insertions(+), 3 deletions(-) diff --git a/docs/content/en/blog/pre-release-notes-4.38/index.md b/docs/content/en/blog/pre-release-notes-4.38/index.md index 90c20c02c..86f6b48a2 100644 --- a/docs/content/en/blog/pre-release-notes-4.38/index.md +++ b/docs/content/en/blog/pre-release-notes-4.38/index.md 
@@ -42,16 +42,65 @@ specific scenarios._ The following contains information on getting access to the pre-production builds of 4.38.0. _**Note:** We strongly recommend people who wish to try the beta builds make backups of their proxy configuration, -authelia configuration, and authelia database prior to attempting to do so._ +Authelia configuration, and Authelia database prior to attempting to do so._ + +### 4.38.0-beta2 + +This is a quick release before we start merging the TOTP and WebAuthn improvements. Once these are merged another beta +will be released and then shortly after the release will be officially published. + +Notable Missing Features from this build: + +- Multi-Device Webauthn +- Device Registration OTP + +Actual Builds: + +- Container Images: + - [docker.io/authelia/authelia:v4.38.0-beta2](https://hub.docker.com/layers/authelia/authelia/v4.38.0-beta2/images/sha256-e02b645853db2cbd371c6bc8a80333718c830dcf7f3b5ec8c14d8178ea04cb78?context=explore) + - [ghcr.io/authelia/authelia:v4.38.0-beta2](https://github.com/authelia/authelia/pkgs/container/authelia/85646062?tag=v4.38.0-beta2) +- [Binaries](https://buildkite.com/authelia/authelia/builds/19741) +- [Documentation](https://deploy-preview-5250--authelia-staging.netlify.app/) + +Major Documentation Changes: + +- [LDAP](https://deploy-preview-5250--authelia-staging.netlify.app/configuration/first-factor/ldap/) + - [Reference Guide](https://deploy-preview-5250--authelia-staging.netlify.app/reference/guides/ldap/) +- [Server](https://deploy-preview-5250--authelia-staging.netlify.app/configuration/miscellaneous/server/) + - [Authz Endpoints](https://deploy-preview-5250--authelia-staging.netlify.app/configuration/miscellaneous/server-endpoints-authz/) + - [Reference Guide](https://deploy-preview-5250--authelia-staging.netlify.app/reference/guides/proxy-authorization/) +- [Session](https://deploy-preview-5250--authelia-staging.netlify.app/configuration/session/introduction/) +- [Configuration 
Files](https://deploy-preview-5250--authelia-staging.netlify.app/configuration/methods/files/) +- [Proxy Integration](https://deploy-preview-5250--authelia-staging.netlify.app/integration/proxies/introduction/) + - [Caddy](https://deploy-preview-5250--authelia-staging.netlify.app/integration/proxies/caddy/) + - [Envoy](https://deploy-preview-5250--authelia-staging.netlify.app/integration/proxies/envoy/) + - [HAProxy](https://deploy-preview-5250--authelia-staging.netlify.app/integration/proxies/haproxy/) + - [HAProxy](https://deploy-preview-5250--authelia-staging.netlify.app/integration/proxies/haproxy/) + - [NGINX](https://deploy-preview-5250--authelia-staging.netlify.app/integration/proxies/nginx/) + - [Traefik](https://deploy-preview-5250--authelia-staging.netlify.app/integration/proxies/traefik/) +- [Kubernetes Integration](https://deploy-preview-5250--authelia-staging.netlify.app/integration/kubernetes/introduction/) + - [Traefik Ingress](https://deploy-preview-5250--authelia-staging.netlify.app/integration/kubernetes/traefik-ingress/) + - [Istio](https://deploy-preview-5250--authelia-staging.netlify.app/integration/kubernetes/istio/) + - [NGINX Ingress](https://deploy-preview-5250--authelia-staging.netlify.app/integration/kubernetes/nginx-ingress/) +- [Templating Reference Guide](https://deploy-preview-5250--authelia-staging.netlify.app/reference/guides/templating/) ### 4.38.0-beta1 Notable Missing Features from this build: -- OpenID Connect 1.0 PAR +- OpenID Connect 1.0 + - Pushed Authorization Requests + - Client Authentication Modes + - Additional Client Validations - Multi-Device WebAuthn - Device Registration OTP +Known Bugs: + +- WebAuthn doesn't work. 
Fixed in master or 4.38.0-beta2 + +Actual Builds: + - Container Images: - [docker.io/authelia/authelia:v4.38.0-beta1](https://hub.docker.com/layers/authelia/authelia/v4.38.0-beta1/images/sha256-53faae6b6a0616f71f1f77069237d92969433b0037b9825be12852e013812bd0?context=explore) - [ghcr.io/authelia/authelia:v4.38.0-beta1](https://github.com/authelia/authelia/pkgs/container/authelia/65909221?tag=v4.38.0-beta1) @@ -67,7 +116,6 @@ Major Documentation Changes: - [Reference Guide](https://63d20934fa12200009e12cbf--authelia-staging.netlify.app/reference/guides/proxy-authorization/) - [Session](https://63d20934fa12200009e12cbf--authelia-staging.netlify.app/configuration/session/introduction/) - [Configuration Files](https://63d20934fa12200009e12cbf--authelia-staging.netlify.app/configuration/methods/files/) -- [Configuration Files](https://63d20934fa12200009e12cbf--authelia-staging.netlify.app/configuration/methods/files/) - [Proxy Integration](https://63d20934fa12200009e12cbf--authelia-staging.netlify.app/integration/proxies/introduction/) - [Caddy](https://63d20934fa12200009e12cbf--authelia-staging.netlify.app/integration/proxies/caddy/) - [Envoy](https://63d20934fa12200009e12cbf--authelia-staging.netlify.app/integration/proxies/envoy/) 
@@ -137,6 +185,17 @@ These features combined with our requirement for the HTTPS scheme are very power [OpenID Connect 1.0]: https://openid.net/ [Pushed Authorization Requests]: https://oauth.net/2/pushed-authorization-requests/ +##### Client Authentication Method (Token Endpoint) + +This release will allow administrators to optionally configure the Client Authentication Method for the Token Endpoint, +restricting the client usage of the token endpoint and paving the way to more advanced Client Authentication Methods. + +##### Additional Client Validations + +This release will add additional client configuration validations for various elements which are not technically +compatible. It's important to note that these likely will become errors but are currently just warnings. + + ## Multi-Domain Protection In this release we are releasing the main implementation of the Multi-Domain Protection roadmap item. From 9e8db3c3f3544c7457fecc0caded307eeda77649 Mon Sep 17 00:00:00 2001 From: James Elliott Date: Sat, 15 Apr 2023 22:25:21 +1000 Subject: [PATCH 3/8] docs(oidc): faq refresh (#5254) Signed-off-by: James Elliott --- .../identity-providers/open-id-connect.md | 2 +- ...ation.md => frequently-asked-questions.md} | 32 ++++++++++--------- .../openid-connect/nextcloud/index.md | 5 +++ .../guides/frequently-asked-questions.md | 2 +- docs/layouts/shortcodes/oidc-common.html | 8 ++--- 5 files changed, 28 insertions(+), 21 deletions(-) rename docs/content/en/integration/openid-connect/{specific-information.md => frequently-asked-questions.md} (66%) diff --git a/docs/content/en/configuration/identity-providers/open-id-connect.md b/docs/content/en/configuration/identity-providers/open-id-connect.md index a01f33f3c..83abaa8d7 100644 --- a/docs/content/en/configuration/identity-providers/open-id-connect.md +++ b/docs/content/en/configuration/identity-providers/open-id-connect.md 
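Review bot: the 4.38.0-beta2 "Major Documentation Changes" list in the first pre-release-notes hunk lists [HAProxy] twice under Proxy Integration; drop one, the same way the second hunk in this patch removes the duplicated [Configuration Files] entry from the beta1 list. Two consistency points in the same hunk: "Multi-Device Webauthn" in the beta2 missing-features list versus "Multi-Device WebAuthn" in the beta1 list, and the new "Known Bugs" entry ("WebAuthn doesn't work. Fixed in master or 4.38.0-beta2") would read better as two sentences or with a comma. In the OIDC hunk, "these likely will become errors but are currently just warnings" leaves administrators guessing when a warning becomes a startup failure; if a target release is decided, name it so people fix their client configuration before upgrading.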
@@ -375,7 +375,7 @@ The shared secret between Authelia and the application consuming this client. Th configured in the application. This secret must be generated by the administrator and can be done by following the -[Generating Client Secrets](../../integration/openid-connect/specific-information.md#generating-client-secrets) guide. +[How Do I Generate Client Secrets](../../integration/openid-connect/frequently-asked-questions.md#how-do-i-generate-client-secrets) FAQ. This must be provided when the client is a confidential client type, and must be blank when using the public client type. To set the client type to public see the [public](#public) configuration option. diff --git a/docs/content/en/integration/openid-connect/specific-information.md b/docs/content/en/integration/openid-connect/frequently-asked-questions.md similarity index 66% rename from docs/content/en/integration/openid-connect/specific-information.md rename to docs/content/en/integration/openid-connect/frequently-asked-questions.md index 648d81924..f7b8939df 100644 --- a/docs/content/en/integration/openid-connect/specific-information.md +++ b/docs/content/en/integration/openid-connect/frequently-asked-questions.md @@ -1,7 +1,7 @@ --- -title: "Specific Information" -description: "Specific information regarding integrating the Authelia OpenID Connect Provider with an OpenID Connect relying party" -lead: "Specific information regarding integrating the Authelia OpenID Connect Provider with an OpenID Connect relying party." +title: "Frequently Asked Questions" +description: "Frequently Asked Questions regarding integrating the Authelia OpenID Connect Provider with an OpenID Connect relying party" +lead: "Frequently Asked Questionsregarding integrating the Authelia OpenID Connect Provider with an OpenID Connect relying party." date: 2022-10-20T15:27:09+11:00 draft: false images: [] 
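Review bot: the `lead:` front-matter line in the renamed frequently-asked-questions.md is missing a space: "Frequently Asked Questionsregarding integrating the Authelia OpenID Connect Provider" should read "Frequently Asked Questions regarding integrating ..."; the `description:` line directly above it has the space, so the two should match. The open-id-connect.md hunk correctly repoints the link to `frequently-asked-questions.md#how-do-i-generate-client-secrets`, which matches the new heading in the renamed file; since every other page that linked `specific-information.md#generating-client-secrets` needs the same update, a link check over the rendered docs before merging would catch any stragglers the diffstat does not list.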
@@ -12,7 +12,7 @@ weight: 615 toc: true --- -## Generating Client Secrets +## How Do I Generate Client Secrets We strongly recommend the following guidelines for generating client secrets: @@ -26,9 +26,12 @@ We strongly recommend the following guidelines for generating client secrets: when using it to access the token endpoint. Authelia provides an easy way to perform such actions via the [Generating a Random Password Hash] guide. Users can -perform a command such as `authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72` command to +perform a command such as +`authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random-charset rfc3986` command to both generate a client secret with 72 characters which is printed and is to be used with the relying party and hash it -using PBKDF2 which can be stored in the Authelia configuration. +using PBKDF2 which can be stored in the Authelia configuration. This random command also avoids issues with a relying +party / client application encoding the characters correctly as it uses the +[RFC3986 Unreserved Characters](https://datatracker.ietf.org/doc/html/rfc3986#section-2.3). [Generating a Random Password Hash]: ../../reference/guides/generating-secure-values.md#generating-a-random-password-hash 
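Review bot: the example command in this hunk mixes two flag spellings, `--random.length 72` and `--random-charset rfc3986`; a CLI is unlikely to accept both a dotted and a hyphenated form for sibling options, so verify the charset flag against the `authelia crypto hash generate` reference and use the same separator for both, otherwise readers copying the line get a usage error. The added explanation that the `rfc3986` unreserved charset avoids encoding problems in the relying party is a useful addition. One more sentence on why 72 characters was chosen would also help: the secret is hashed with PBKDF2, which has no input truncation of the kind bcrypt applies at 72 bytes, so the length here is about entropy, and stating that stops readers from treating 72 as a maximum rather than a recommended minimum.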
@@ -45,20 +48,19 @@ that is implemented by the authorization server which requires access to the sec which case the secret should be encrypted and not be stored in plaintext. The most likely long term outcome is that the client configurations will be stored in the database with the secret both salted and peppered. -Authelia currently does not implement any of the specifications or protocols which require secrets being accessible in -the clear such as most notibly the `client_secret_jwt` grant and currently we no plans to implement any of these. As -such it's *__strongly discouraged and heavily deprecated__* and we instead recommended that users remove this from their -configuration entirely and use the [Generating Client Secrets](#generating-client-secrets) guide. At such a time as we -support one of these protocols we will very likely only allow plaintext for clients configured expressly for this -purpose i.e. a client that only allows `client_secret_jwt` and no other grants. +Authelia currently does implement the `client_secret_jwt` assertion client authentication method. Warnings will be +generated for any client not explicitly configured to utilize this client authentication method. We do not support any +of the other the specifications or protocols which require secrets being accessible in the clear and currently we no +plans to implement any of these. We only officially support utilization of the plaintext digest types where it's backed +by specifications and as such we plan to make the use outside of the `client_secret_jwt` a fatal error in the future. +For these reasons we recommended that users remove this from their configuration entirely and use the +[How Do I Generate Client Secrets](#how-do-i-generate-client-secrets) FAQ. Plaintext is either denoted by the `$plaintext$` prefix where everything after the prefix is the secret. 
In addition if the secret does not start with the `$` character it's considered as a plaintext secret for the time being but is deprecated as is the `$plaintext$` prefix. -## Frequently Asked Questions - -### Why isn't my application able to retrieve the token even though I've consented? +## Why isn't my application able to retrieve the token even though I've consented? The most common cause for this issue is when the affected application can not make requests to the Token [Endpoint]. This becomes obvious when the log level is set to `debug` or `trace` and a presence of requests to the Authorization diff --git a/docs/content/en/integration/openid-connect/nextcloud/index.md b/docs/content/en/integration/openid-connect/nextcloud/index.md index d144b71dd..83249dc46 100644 --- a/docs/content/en/integration/openid-connect/nextcloud/index.md +++ b/docs/content/en/integration/openid-connect/nextcloud/index.md @@ -33,6 +33,11 @@ This example makes the following assumptions: * __Client ID:__ `nextcloud` * __Client Secret:__ `insecure_secret` +*__Important Note:__ it has been reported that some of the [Nextcloud] plugins do not properly encode the client secret. +as such it's important to only use alphanumeric characters as well as the other +[RFC3986 Unreserved Characters](https://datatracker.ietf.org/doc/html/rfc3986#section-2.3). We recommend using the +generating client secrets guidance above.* + ## Configuration ### Application diff --git a/docs/content/en/reference/guides/frequently-asked-questions.md b/docs/content/en/reference/guides/frequently-asked-questions.md index 25e0e0588..2ce131a3c 100644 --- a/docs/content/en/reference/guides/frequently-asked-questions.md +++ b/docs/content/en/reference/guides/frequently-asked-questions.md 
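Review bot: the rewritten plaintext paragraph in the FAQ hunk says "Warnings will be generated for any client not explicitly configured to utilize this client authentication method", which taken literally means every client not using `client_secret_jwt` gets a warning; the intent is presumably clients whose secret is stored in plaintext and which are not configured for `client_secret_jwt`, so say that, since the warning is what nudges administrators off plaintext secrets. Grammar in the same paragraph: "any of the other the specifications" (duplicate "the"), "currently we no plans" (missing "have"), "we recommended that users remove" (should be "recommend"). In the nextcloud/index.md hunk, "client secret. as such it's important" needs either a capitalised "As such" or a comma, and "the generating client secrets guidance above" relies on the reader having seen the common-notes shortcode output; an explicit link to the FAQ anchor `#how-do-i-generate-client-secrets` is more robust than "above".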
@@ -14,4 +14,4 @@ toc: true ## Identity Providers -- [OpenID Connect 1.0 Integration](../../integration/openid-connect/specific-information.md#frequently-asked-questions) +- [OpenID Connect 1.0 Integration](../../integration/openid-connect/frequently-asked-questions.md) diff --git a/docs/layouts/shortcodes/oidc-common.html b/docs/layouts/shortcodes/oidc-common.html index 0d6c73715..8b6034c29 100644 --- a/docs/layouts/shortcodes/oidc-common.html +++ b/docs/layouts/shortcodes/oidc-common.html @@ -1,5 +1,5 @@ -{{ $specificinfo := "../specific-information/" }}{{ $config := "../../../configuration/identity-providers/open-id-connect.md" }} -{{- with .Get "specificinfo" }}{{ $specificinfo = . }}{{ end }} +{{ $faq := "../frequently-asked-questions/" }}{{ $config := "../../../configuration/identity-providers/open-id-connect.md" }} +{{- with .Get "faq" }}{{ $faq = . }}{{ end }} {{- with .Get "config" }}{{ $config = . }}{{ end }} ### Common Notes @@ -10,9 +10,9 @@ 2. The [OpenID Connect 1.0](https://openid.net/specs/openid-connect-core-1_0.html) `secret` parameter: 1. The value used in this guide is merely for demonstration purposes and you *__should absolutely not__* use this in production and should instead utilize the - [Generating Client Secrets]({{ $specificinfo }}#generating-client-secrets) guide. + [How Do I Generate Client Secrets]({{ $faq }}#how-do-i-generate-client-secrets) FAQ. 2. This string may be stored as plaintext in the Authelia configuration but this behaviour is deprecated and is not - guaranteed to be supported in the future. See the [Plaintext]({{ $specificinfo }}#plaintext) guide for more + guaranteed to be supported in the future. See the [Plaintext]({{ $faq }}#plaintext) guide for more information. 3. The Configuration example for Authelia is only a portion of the required configuration and it should be used as a guide in conjunction with the standard [OpenID Connect 1.0 Configuration]({{ $config }}) guide. \ No newline at end of file 
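Review bot: renaming the shortcode parameter from `specificinfo` to `faq` in oidc-common.html changes the shortcode's call signature; any integration page that still passes `specificinfo="..."` will silently fall back to the default `../frequently-asked-questions/` path rather than fail the build, so grep the docs tree for `specificinfo` before merging (the diffstat shows no page callers being touched in this patch). The `#plaintext` anchor retained in the second change to the shortcode depends on a `## Plaintext` heading surviving in the renamed file, and that heading is not visible in this patch; confirm it still exists after the other headings were promoted from `###` to `##`.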
From 4db965e19f768bca1c741e5dd51a204ad5bc7b88 Mon Sep 17 00:00:00 2001 From: James Elliott Date: Sat, 15 Apr 2023 22:35:44 +1000 Subject: [PATCH 4/8] refactor: interfaces (#5252) Use any alias instead of empty interfaces. Signed-off-by: James Elliott --- internal/configuration/decode_hooks.go | 14 +++++------ .../koanf_provider_filtered_file.go | 2 +- internal/configuration/koanf_util.go | 24 +++++++++---------- internal/logging/printf.go | 4 ++-- .../session/encrypting_serializer_test.go | 4 ++-- internal/utils/crypto_test.go | 6 ++--- 6 files changed, 27 insertions(+), 27 deletions(-) diff --git a/internal/configuration/decode_hooks.go b/internal/configuration/decode_hooks.go index 5f059e8be..f0cb8468f 100644 --- a/internal/configuration/decode_hooks.go +++ b/internal/configuration/decode_hooks.go @@ -260,7 +260,7 @@ func StringToAddressHookFunc() mapstructure.DecodeHookFuncType { // StringToX509CertificateHookFunc decodes strings to x509.Certificate's. func StringToX509CertificateHookFunc() mapstructure.DecodeHookFuncType { - return func(f reflect.Type, t reflect.Type, data any) (value interface{}, err error) { + return func(f reflect.Type, t reflect.Type, data any) (value any, err error) { if f.Kind() != reflect.String { return data, nil } @@ -283,7 +283,7 @@ func StringToX509CertificateHookFunc() mapstructure.DecodeHookFuncType { return result, nil } - var i interface{} + var i any if i, err = utils.ParseX509FromPEM([]byte(dataStr)); err != nil { return nil, fmt.Errorf(errFmtDecodeHookCouldNotParseBasic, "*", expectedType, err) 
@@ -300,7 +300,7 @@ func StringToX509CertificateHookFunc() mapstructure.DecodeHookFuncType { // StringToX509CertificateChainHookFunc decodes strings to schema.X509CertificateChain's. func StringToX509CertificateChainHookFunc() mapstructure.DecodeHookFuncType { - return func(f reflect.Type, t reflect.Type, data interface{}) (value interface{}, err error) { + return func(f reflect.Type, t reflect.Type, data any) (value any, err error) { var ptr bool if f.Kind() != reflect.String { @@ -348,7 +348,7 @@ func StringToX509CertificateChainHookFunc() mapstructure.DecodeHookFuncType { // StringToTLSVersionHookFunc decodes strings to schema.TLSVersion's. func StringToTLSVersionHookFunc() mapstructure.DecodeHookFuncType { - return func(f reflect.Type, t reflect.Type, data interface{}) (value interface{}, err error) { + return func(f reflect.Type, t reflect.Type, data any) (value any, err error) { var ptr bool if f.Kind() != reflect.String { @@ -388,7 +388,7 @@ func StringToTLSVersionHookFunc() mapstructure.DecodeHookFuncType { // StringToCryptoPrivateKeyHookFunc decodes strings to schema.CryptographicPrivateKey's. func StringToCryptoPrivateKeyHookFunc() mapstructure.DecodeHookFuncType { - return func(f reflect.Type, t reflect.Type, data interface{}) (value interface{}, err error) { + return func(f reflect.Type, t reflect.Type, data any) (value any, err error) { if f.Kind() != reflect.String { return data, nil } @@ -418,7 +418,7 @@ func StringToCryptoPrivateKeyHookFunc() mapstructure.DecodeHookFuncType { // StringToPrivateKeyHookFunc decodes strings to rsa.PrivateKey's. func StringToPrivateKeyHookFunc() mapstructure.DecodeHookFuncType { - return func(f reflect.Type, t reflect.Type, data interface{}) (value interface{}, err error) { + return func(f reflect.Type, t reflect.Type, data any) (value any, err error) { if f.Kind() != reflect.String { return data, nil } 
@@ -487,7 +487,7 @@ func StringToPrivateKeyHookFunc() mapstructure.DecodeHookFuncType { // StringToPasswordDigestHookFunc decodes a string into a crypt.Digest. func StringToPasswordDigestHookFunc() mapstructure.DecodeHookFuncType { - return func(f reflect.Type, t reflect.Type, data interface{}) (value interface{}, err error) { + return func(f reflect.Type, t reflect.Type, data any) (value any, err error) { var ptr bool if f.Kind() != reflect.String { diff --git a/internal/configuration/koanf_provider_filtered_file.go b/internal/configuration/koanf_provider_filtered_file.go index 17bfc5b1b..b59c5adf5 100644 --- a/internal/configuration/koanf_provider_filtered_file.go +++ b/internal/configuration/koanf_provider_filtered_file.go @@ -50,7 +50,7 @@ func (f *FilteredFile) ReadBytes() (data []byte, err error) { } // Read is not supported by the filtered file koanf.Provider. -func (f *FilteredFile) Read() (map[string]interface{}, error) { +func (f *FilteredFile) Read() (map[string]any, error) { return nil, errors.New("filtered file provider does not support this method") } diff --git a/internal/configuration/koanf_util.go b/internal/configuration/koanf_util.go index 351048937..b08320e41 100644 --- a/internal/configuration/koanf_util.go +++ b/internal/configuration/koanf_util.go @@ -53,15 +53,15 @@ func koanfRemapKeys(val *schema.StructValidator, ko *koanf.Koanf, ds map[string] return final, nil } -func koanfRemapKeysStandard(keys map[string]any, val *schema.StructValidator, ds map[string]Deprecation) (keysFinal map[string]interface{}) { +func koanfRemapKeysStandard(keys map[string]any, val *schema.StructValidator, ds map[string]Deprecation) (keysFinal map[string]any) { var ( ok bool d Deprecation key string - value interface{} + value any ) - keysFinal = make(map[string]interface{}) + keysFinal = make(map[string]any) for key, value = range keys { if d, ok = ds[key]; ok { 
@@ -93,35 +93,35 @@ func koanfRemapKeysStandard(keys map[string]any, val *schema.StructValidator, ds return keysFinal } -func koanfRemapKeysMapped(keys map[string]interface{}, val *schema.StructValidator, ds map[string]Deprecation) (keysFinal map[string]interface{}) { +func koanfRemapKeysMapped(keys map[string]any, val *schema.StructValidator, ds map[string]Deprecation) (keysFinal map[string]any) { var ( key string - value interface{} - slc, slcFinal []interface{} + value any + slc, slcFinal []any ok bool - m map[string]interface{} + m map[string]any d Deprecation ) - keysFinal = make(map[string]interface{}) + keysFinal = make(map[string]any) for key, value = range keys { - if slc, ok = value.([]interface{}); !ok { + if slc, ok = value.([]any); !ok { keysFinal[key] = value continue } - slcFinal = make([]interface{}, len(slc)) + slcFinal = make([]any, len(slc)) for i, item := range slc { - if m, ok = item.(map[string]interface{}); !ok { + if m, ok = item.(map[string]any); !ok { slcFinal[i] = item continue } - itemFinal := make(map[string]interface{}) + itemFinal := make(map[string]any) for subkey, element := range m { prefix := fmt.Sprintf("%s[].", key) diff --git a/internal/logging/printf.go b/internal/logging/printf.go index 8f6cb7f98..9e5224b2c 100644 --- a/internal/logging/printf.go +++ b/internal/logging/printf.go @@ -13,7 +13,7 @@ type PrintfLogger struct { } // Printf is the implementation of the interface. -func (l *PrintfLogger) Printf(format string, args ...interface{}) { +func (l *PrintfLogger) Printf(format string, args ...any) { l.logrus.Logf(l.level, format, args...) } @@ -24,6 +24,6 @@ type CtxPrintfLogger struct { } // Printf is the implementation of the interface. -func (l *CtxPrintfLogger) Printf(_ context.Context, format string, args ...interface{}) { +func (l *CtxPrintfLogger) Printf(_ context.Context, format string, args ...any) { l.logrus.Logf(l.level, format, args...) } 
diff --git a/internal/session/encrypting_serializer_test.go b/internal/session/encrypting_serializer_test.go index fac909889..9aa8de1cd 100644 --- a/internal/session/encrypting_serializer_test.go +++ b/internal/session/encrypting_serializer_test.go @@ -9,7 +9,7 @@ import ( ) func TestShouldEncryptAndDecrypt(t *testing.T) { - payload := session.Dict{KV: map[string]interface{}{"key": "value"}} + payload := session.Dict{KV: map[string]any{"key": "value"}} dst, err := payload.MarshalMsg(nil) require.NoError(t, err) @@ -28,7 +28,7 @@ func TestShouldEncryptAndDecrypt(t *testing.T) { } func TestShouldNotSupportUnencryptedSessionForBackwardCompatibility(t *testing.T) { - payload := session.Dict{KV: map[string]interface{}{"key": "value"}} + payload := session.Dict{KV: map[string]any{"key": "value"}} dst, err := payload.MarshalMsg(nil) require.NoError(t, err) diff --git a/internal/utils/crypto_test.go b/internal/utils/crypto_test.go index 99ab52cf8..ea12592c4 100644 --- a/internal/utils/crypto_test.go +++ b/internal/utils/crypto_test.go @@ -325,7 +325,7 @@ func TestShouldParseCurves(t *testing.T) { } } -func testMustBuildPrivateKey(b PrivateKeyBuilder) interface{} { +func testMustBuildPrivateKey(b PrivateKeyBuilder) any { k, err := b.Build() if err != nil { panic(err) @@ -337,8 +337,8 @@ func testMustBuildPrivateKey(b PrivateKeyBuilder) interface{} { func TestPublicKeyFromPrivateKey(t *testing.T) { testCases := []struct { Name string - PrivateKey interface{} - Expected interface{} + PrivateKey any + Expected any }{ { Name: "RSA2048", From 417a32a2821666018aeb769216b9f792f281cb69 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sun, 16 Apr 2023 01:48:18 +1000 Subject: [PATCH 5/8] build(deps): update module github.com/go-crypt/crypt to v0.2.7 (#5255) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- go.mod | 4 ++-- go.sum | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) 
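Review bot: the `interface{}` to `any` replacement is purely mechanical and type-identical, but it requires the `go` directive in go.mod to be at least 1.18, where the `any` alias was introduced; the go.mod hunk in the following patch does not show the directive, so confirm it before merging. Several signatures in decode_hooks.go already mixed the two spellings before this change (for example `data any` beside `value interface{}` in StringToX509CertificateHookFunc), which is the drift a check prevents: `gofmt -r 'interface{} -> any' -l .` in CI reports any file where the old spelling returns, and `-w` instead of `-l` applies the rewrite.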
diff --git a/go.mod b/go.mod index 11f92a9cd..a9281578c 100644 --- a/go.mod +++ b/go.mod @@ -11,7 +11,7 @@ require ( github.com/fasthttp/session/v2 v2.4.17 github.com/fsnotify/fsnotify v1.6.0 github.com/go-asn1-ber/asn1-ber v1.5.4 - github.com/go-crypt/crypt v0.2.6 + github.com/go-crypt/crypt v0.2.7 github.com/go-ldap/ldap/v3 v3.4.4 github.com/go-rod/rod v0.112.8 github.com/go-sql-driver/mysql v1.7.0 @@ -70,7 +70,7 @@ require ( github.com/ecordell/optgen v0.0.6 // indirect github.com/facebookgo/stack v0.0.0-20160209184415-751773369052 // indirect github.com/fxamacker/cbor/v2 v2.4.0 // indirect - github.com/go-crypt/x v0.1.13 // indirect + github.com/go-crypt/x v0.2.0 // indirect github.com/go-redis/redis/v8 v8.11.5 // indirect github.com/go-webauthn/revoke v0.1.9 // indirect github.com/golang/glog v1.0.0 // indirect diff --git a/go.sum b/go.sum index c506c108c..6907d93e0 100644 --- a/go.sum +++ b/go.sum 
@@ -126,10 +126,10 @@ github.com/fxamacker/cbor/v2 v2.4.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrt github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/go-asn1-ber/asn1-ber v1.5.4 h1:vXT6d/FNDiELJnLb6hGNa309LMsrCoYFvpwHDF0+Y1A= github.com/go-asn1-ber/asn1-ber v1.5.4/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= -github.com/go-crypt/crypt v0.2.6 h1:OlCSHwqbYnvcemB5N6uL/FlUJJAlQvmIWcJnodIZ1wU= -github.com/go-crypt/crypt v0.2.6/go.mod h1:rnVxiaVafgL1VsN/Pgt+mc2sn2wEozYUr4vS/94rHoI= -github.com/go-crypt/x v0.1.13 h1:kQPfAfudCnpwSL6fS9d637v/QwEwnA6HEkE91yvzIC4= -github.com/go-crypt/x v0.1.13/go.mod h1:vKR4KobuL9RFa+Rts0zItk+u77AFyrvZSD/xQZ4zCpw= +github.com/go-crypt/crypt v0.2.7 h1:Ir6E59c1wrskJhpJXMqaynHA2xAxpGN7nQXlLkbpzR0= +github.com/go-crypt/crypt v0.2.7/go.mod h1:ulieouNs4qwFCq4wF61oyTQYXAXSoOv995EU4hcHwMU= +github.com/go-crypt/x v0.2.0 h1:rHMiKRAu6kFc+xAnQywDb3iHGpvrFbIGXnP3IfCZ+2U= +github.com/go-crypt/x v0.2.0/go.mod h1:uLo5o+Cc8nvahDASQpntR1g3ZMUoq2LM/859PkhykC4= github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= From 9e5c6ec16a38926f0fbbc4cd3f2b5df7db26dbaf Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sun, 16 Apr 2023 01:59:21 +1000 Subject: [PATCH 6/8] build(deps): update dependency happy-dom to v9.7.0 (#5256) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- web/package.json | 2 +- web/pnpm-lock.yaml | 16 ++++++++-------- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/web/package.json b/web/package.json index 5b1e9de53..2a0a898d9 100644 --- a/web/package.json +++ b/web/package.json 
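Review bot: this bump moves github.com/go-crypt/x from v0.1.13 to v0.2.0 alongside crypt v0.2.6 to v0.2.7, and the go.mod hunk marks `x` as `// indirect`; a minor-version bump in the library behind `crypt.Digest` (the type StringToPasswordDigestHookFunc decodes into in the previous patch) deserves a look at its changelog for digest encoding or default-parameter changes before merging, because a silent change there would make stored password and client-secret digests fail to verify after upgrade. The go.sum lines are replaced in matching pairs (module hash and `/go.mod` hash for each of the two modules), so the lock is internally consistent.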
@@ -92,7 +92,7 @@ "eslint-plugin-prettier": "4.2.1", "eslint-plugin-react": "7.32.2", "eslint-plugin-react-hooks": "4.6.0", - "happy-dom": "9.6.1", + "happy-dom": "9.7.0", "husky": "8.0.3", "prettier": "2.8.7", "react-test-renderer": "18.2.0", diff --git a/web/pnpm-lock.yaml b/web/pnpm-lock.yaml index e10cfbe17..3185156a9 100644 --- a/web/pnpm-lock.yaml +++ b/web/pnpm-lock.yaml @@ -154,8 +154,8 @@ devDependencies: specifier: 4.6.0 version: 4.6.0(eslint@8.38.0) happy-dom: - specifier: 9.6.1 - version: 9.6.1 + specifier: 9.7.0 + version: 9.7.0 husky: specifier: 8.0.3 version: 8.0.3 @@ -185,7 +185,7 @@ devDependencies: version: 4.2.0(typescript@5.0.4)(vite@4.2.1) vitest: specifier: 0.30.1 - version: 0.30.1(happy-dom@9.6.1) + version: 0.30.1(happy-dom@9.7.0) vitest-preview: specifier: 0.0.1 version: 0.0.1 @@ -3087,7 +3087,7 @@ packages: istanbul-lib-source-maps: 4.0.1 istanbul-reports: 3.1.5 test-exclude: 6.0.0 - vitest: 0.30.1(happy-dom@9.6.1) + vitest: 0.30.1(happy-dom@9.7.0) transitivePeerDependencies: - supports-color dev: true @@ -5100,8 +5100,8 @@ packages: resolution: {integrity: sha512-bzh50DW9kTPM00T8y4o8vQg89Di9oLJVLW/KaOGIXJWP/iqCN6WKYkbNOF04vFLJhwcpYUh9ydh/+5vpOqV4YQ==} dev: true - /happy-dom@9.6.1: - resolution: {integrity: sha512-lbRsmw8toqKUCwMIZQtoTW/F3XGOovazC+sdTf+gire4ITx9mPUx2TrdCr/JbB1CF4QplCwdn3+p1/2O5slWDw==} + /happy-dom@9.7.0: + resolution: {integrity: sha512-5QU297xJM+mv+t9+mMUC0fleeNq19gqaxxeGQCaheRNaf2EnvCnykZPZQisqNiBRl6PbCL+9sqpK9OUpGmI+Iw==} dependencies: css.escape: 1.5.1 he: 1.2.0 @@ -7519,7 +7519,7 @@ packages: - terser dev: true - /vitest@0.30.1(happy-dom@9.6.1): + /vitest@0.30.1(happy-dom@9.7.0): resolution: {integrity: sha512-y35WTrSTlTxfMLttgQk4rHcaDkbHQwDP++SNwPb+7H8yb13Q3cu2EixrtHzF27iZ8v0XCciSsLg00RkPAzB/aA==} engines: {node: '>=v14.18.0'} hasBin: true @@ -7564,7 +7564,7 @@ packages: chai: 4.3.7 concordance: 5.0.4 debug: 4.3.4 - happy-dom: 9.6.1 + happy-dom: 9.7.0 local-pkg: 0.4.3 magic-string: 0.30.0 pathe: 1.1.0 
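Review bot: happy-dom is a devDependency here (the package.json hunk sits among the eslint, husky and prettier entries), so this bump only affects the vitest test environment and not shipped code; the pnpm-lock.yaml hunks update the specifier, the package entry's integrity hash and both `vitest@0.30.1(happy-dom@...)` peer keys together, which is the consistent set and nothing is left pointing at 9.6.1. Since the next patch in this series bumps the same package again a few hours later, a Renovate schedule or minor-version grouping for dev-only dependencies would cut the lockfile churn without delaying security updates to runtime dependencies.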
From 8638cd19288b1e7afc56c7f57f26c0894d706aa6 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sun, 16 Apr 2023 05:06:34 +1000 Subject: [PATCH 7/8] build(deps): update dependency happy-dom to v9.7.1 (#5257) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- web/package.json | 2 +- web/pnpm-lock.yaml | 16 ++++++++-------- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/web/package.json b/web/package.json index 2a0a898d9..4aa47a7f3 100644 --- a/web/package.json +++ b/web/package.json @@ -92,7 +92,7 @@ "eslint-plugin-prettier": "4.2.1", "eslint-plugin-react": "7.32.2", "eslint-plugin-react-hooks": "4.6.0", - "happy-dom": "9.7.0", + "happy-dom": "9.7.1", "husky": "8.0.3", "prettier": "2.8.7", "react-test-renderer": "18.2.0", diff --git a/web/pnpm-lock.yaml b/web/pnpm-lock.yaml index 3185156a9..527443f81 100644 --- a/web/pnpm-lock.yaml +++ b/web/pnpm-lock.yaml @@ -154,8 +154,8 @@ devDependencies: specifier: 4.6.0 version: 4.6.0(eslint@8.38.0) happy-dom: - specifier: 9.7.0 - version: 9.7.0 + specifier: 9.7.1 + version: 9.7.1 husky: specifier: 8.0.3 version: 8.0.3 @@ -185,7 +185,7 @@ devDependencies: version: 4.2.0(typescript@5.0.4)(vite@4.2.1) vitest: specifier: 0.30.1 - version: 0.30.1(happy-dom@9.7.0) + version: 0.30.1(happy-dom@9.7.1) vitest-preview: specifier: 0.0.1 version: 0.0.1 @@ -3087,7 +3087,7 @@ packages: istanbul-lib-source-maps: 4.0.1 istanbul-reports: 3.1.5 test-exclude: 6.0.0 - vitest: 0.30.1(happy-dom@9.7.0) + vitest: 0.30.1(happy-dom@9.7.1) transitivePeerDependencies: - supports-color dev: true 
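Review bot: this is the second happy-dom bump within a few hours (9.6.1 to 9.7.0 in #5256, then 9.7.0 to 9.7.1 here), each touching the same lines of web/package.json and web/pnpm-lock.yaml; consider configuring Renovate to group or schedule patch-level bumps of this devDependency so a single PR carries 9.6.1 to 9.7.1 instead of two back-to-back lockfile churns. The change itself is consistent with the previous one, with the specifier, version and vitest peer key updated together.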
@@ -5100,8 +5100,8 @@ packages: resolution: {integrity: sha512-bzh50DW9kTPM00T8y4o8vQg89Di9oLJVLW/KaOGIXJWP/iqCN6WKYkbNOF04vFLJhwcpYUh9ydh/+5vpOqV4YQ==} dev: true - /happy-dom@9.7.0: - resolution: {integrity: sha512-5QU297xJM+mv+t9+mMUC0fleeNq19gqaxxeGQCaheRNaf2EnvCnykZPZQisqNiBRl6PbCL+9sqpK9OUpGmI+Iw==} + /happy-dom@9.7.1: + resolution: {integrity: sha512-C5KQXt5JA3Og1qNf32Zqg65Oj5DKe/IeeGo8269DKE4VFK8NZpOEBY1R6ofJLCqsaPppu1t73okYuh7CPJUB6A==} dependencies: css.escape: 1.5.1 he: 1.2.0 @@ -7519,7 +7519,7 @@ packages: - terser dev: true - /vitest@0.30.1(happy-dom@9.7.0): + /vitest@0.30.1(happy-dom@9.7.1): resolution: {integrity: sha512-y35WTrSTlTxfMLttgQk4rHcaDkbHQwDP++SNwPb+7H8yb13Q3cu2EixrtHzF27iZ8v0XCciSsLg00RkPAzB/aA==} engines: {node: '>=v14.18.0'} hasBin: true @@ -7564,7 +7564,7 @@ packages: chai: 4.3.7 concordance: 5.0.4 debug: 4.3.4 - happy-dom: 9.7.0 + happy-dom: 9.7.1 local-pkg: 0.4.3 magic-string: 0.30.0 pathe: 1.1.0 From 9917e3290a94e2e5228f2a506e8996490180e489 Mon Sep 17 00:00:00 2001 From: James Elliott Date: Sun, 16 Apr 2023 07:48:03 +1000 Subject: [PATCH 8/8] docs: misc fixes (#5258) Signed-off-by: James Elliott --- .../en/blog/pre-release-notes-4.38/index.md | 2 -- .../openid-connect/frequently-asked-questions.md | 16 +++++++--------- 2 files changed, 7 insertions(+), 11 deletions(-) diff --git a/docs/content/en/blog/pre-release-notes-4.38/index.md b/docs/content/en/blog/pre-release-notes-4.38/index.md index 86f6b48a2..68ff6f6f2 100644 --- a/docs/content/en/blog/pre-release-notes-4.38/index.md +++ b/docs/content/en/blog/pre-release-notes-4.38/index.md 
@@ -75,7 +75,6 @@ Major Documentation Changes: - [Caddy](https://deploy-preview-5250--authelia-staging.netlify.app/integration/proxies/caddy/) - [Envoy](https://deploy-preview-5250--authelia-staging.netlify.app/integration/proxies/envoy/) - [HAProxy](https://deploy-preview-5250--authelia-staging.netlify.app/integration/proxies/haproxy/) - - [HAProxy](https://deploy-preview-5250--authelia-staging.netlify.app/integration/proxies/haproxy/) - [NGINX](https://deploy-preview-5250--authelia-staging.netlify.app/integration/proxies/nginx/) - [Traefik](https://deploy-preview-5250--authelia-staging.netlify.app/integration/proxies/traefik/) - [Kubernetes Integration](https://deploy-preview-5250--authelia-staging.netlify.app/integration/kubernetes/introduction/) @@ -120,7 +119,6 @@ Major Documentation Changes: - [Caddy](https://63d20934fa12200009e12cbf--authelia-staging.netlify.app/integration/proxies/caddy/) - [Envoy](https://63d20934fa12200009e12cbf--authelia-staging.netlify.app/integration/proxies/envoy/) - [HAProxy](https://63d20934fa12200009e12cbf--authelia-staging.netlify.app/integration/proxies/haproxy/) - - [HAProxy](https://63d20934fa12200009e12cbf--authelia-staging.netlify.app/integration/proxies/haproxy/) - [NGINX](https://63d20934fa12200009e12cbf--authelia-staging.netlify.app/integration/proxies/nginx/) - [Traefik](https://63d20934fa12200009e12cbf--authelia-staging.netlify.app/integration/proxies/traefik/) - [Kubernetes Integration](https://63d20934fa12200009e12cbf--authelia-staging.netlify.app/integration/kubernetes/introduction/) diff --git a/docs/content/en/integration/openid-connect/frequently-asked-questions.md b/docs/content/en/integration/openid-connect/frequently-asked-questions.md index f7b8939df..ff95c8207 100644 --- a/docs/content/en/integration/openid-connect/frequently-asked-questions.md +++ b/docs/content/en/integration/openid-connect/frequently-asked-questions.md 
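Review bot: the duplicate `[HAProxy](...)` entry is removed from both the deploy-preview-5250 list and the 63d20934fa12200009e12cbf list, so the two "Major Documentation Changes" sections stay parallel. Unrelated to this fix but worth a follow-up: both lists link to netlify staging preview hosts, which are ephemeral, so once 4.38 ships they should be repointed at the permanent docs URLs.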
@@ -1,7 +1,7 @@ --- title: "Frequently Asked Questions" description: "Frequently Asked Questions regarding integrating the Authelia OpenID Connect Provider with an OpenID Connect relying party" -lead: "Frequently Asked Questionsregarding integrating the Authelia OpenID Connect Provider with an OpenID Connect relying party." +lead: "Frequently Asked Questions regarding integrating the Authelia OpenID Connect Provider with an OpenID Connect relying party." date: 2022-10-20T15:27:09+11:00 draft: false images: [] @@ -12,7 +12,7 @@ weight: 615 toc: true --- -## How Do I Generate Client Secrets +## How do I generate client secrets? We strongly recommend the following guidelines for generating client secrets: 
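Review bot: retitling the heading to `## How do I generate client secrets?` changes the text Hugo derives the anchor from; with Goldmark's default auto-IDs the lowercased, punctuation-stripped result is still `how-do-i-generate-client-secrets`, so the `#how-do-i-generate-client-secrets` link later in this file should keep resolving, but confirm it in the rendered preview and consider updating that link's text, which still reads "How Do I Generate Client Secrets", to match the new title. The `lead:` fix ("Questionsregarding" to "Questions regarding") is correct.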
@@ -48,13 +48,11 @@ that is implemented by the authorization server which requires access to the sec which case the secret should be encrypted and not be stored in plaintext. The most likely long term outcome is that the client configurations will be stored in the database with the secret both salted and peppered. -Authelia currently does implement the `client_secret_jwt` assertion client authentication method. Warnings will be -generated for any client not explicitly configured to utilize this client authentication method. We do not support any -of the other the specifications or protocols which require secrets being accessible in the clear and currently we no -plans to implement any of these. We only officially support utilization of the plaintext digest types where it's backed -by specifications and as such we plan to make the use outside of the `client_secret_jwt` a fatal error in the future. -For these reasons we recommended that users remove this from their configuration entirely and use the -[How Do I Generate Client Secrets](#how-do-i-generate-client-secrets) FAQ. +Authelia currently does not implement any of the specifications or protocols which require secrets being accessible in +the clear such as most notably the `client_secret_jwt` grant, we will however likely soon implement `client_secret_jwt`. +We are however *__strongly discouraging__* and formally deprecating the use of plaintext client secrets for purposes +outside those required by specifications. We instead recommended that users remove this from their configuration +entirely and use the [How Do I Generate Client Secrets](#how-do-i-generate-client-secrets) FAQ. Plaintext is either denoted by the `$plaintext$` prefix where everything after the prefix is the secret. In addition if the secret does not start with the `$` character it's considered as a plaintext secret for the time being but is
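Review bot: the replacement text calls `client_secret_jwt` a "grant", but it is a client authentication method (the HMAC-signed JWT assertion defined in OpenID Connect Core section 9), and the lines being removed had that right ("assertion client authentication method"); please keep that term, since grants and client authentication are separate OAuth concepts and this FAQ is about secret storage. Two smaller fixes in the same paragraph: the first sentence is a comma splice ("... the `client_secret_jwt` grant, we will however likely soon implement ..."; split it at the comma), and "We instead recommended that users" should read "We instead recommend that users". The security message itself is sound: a plaintext secret is only needed by methods that must compute an HMAC over the shared secret, so deprecating plaintext everywhere else and pointing users at the hashed-secret FAQ is the right default.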