Sometimes, LDAP organization is such that groups membership cannot be computed
with username only. User DN is required to retrieve groups.
e.g. user Joe has a username joe and a cn of Joe Blogs, resulting in a dn of
cn=Joe Blogs,ou=users,dc=example,dc=com which is needed to retrieve groups
but cannot be computed from joe only.
Issue was reported in issue #146
A window of 1 means the token is checked against current time slot T
as well as at time slot T-1 and T+1.
A time slot is 30 seconds by default in Authelia.
Now, /verify can return 401 or 403 depending on the user authentication.
Every public API endpoints and pages return 200 with error message in
JSON body or 401 if the user is not authorized.
This policy makes it complicated for an attacker to know what is the source of
the failure and hide server-side bugs (not returning 500), bugs being potential
threats.
Example 1: The user has validated first factor when accessing a service
protected by basic auth. When he tries to access another service protected
by second factor, he is redirected to second factor step to complete
authentication.
Example 2: The user has already validated second factor. When he access auth
service, he is redirected either to /loggedin page that displays an "already
logged in" page or to the URL provided in the "redirect" query parameter.
One can now customize the default authentication method for all sub-domains,
i.e., either 'two_factor' or 'basic_auth' and define specific authentication
method per sub-domain.
For example, one can specify that every sub-domain must be authenticated with
two factor except one sub-domain that must be authenticated with basic auth.
This note tells the users testing with npm that they can enable the
filesystem notifier feature to test identity validation without access
to mailcatcher webmail.
Previously, logs were not very friendly and it was hard to track
a request because of the lack of request ID.
Now every log message comes with a header containing: method, path
request ID, session ID, IP of the user, date.
Moreover, the configurations displayed in the logs have their secrets
hidden from this commit.
Prior to this fix, every master commits was released to Dockerhub under latest
tag and tagged commit was released with a version tag in Dockerhub.
'Latest' tag in dockerhub should reference the latest released version and not
the head of master branch.
Thus, after this fix, 'latest' tag references the latest released version of
Authelia and 'master' tag references the head of master git branch.
The notification message pops up and hide after few seconds.
Sometimes, chrome drivers tries to click on a button that moves due
to the notification message animation and thus miss it.
Basically, the ACL configuration was very static and it was not allowed
to remove 'any', 'groups', 'users'. The application crashed when those
keys did not exist.
After this fix, every key is optional and replaced by a default value
for the app configuration to be complete and used by Authelia.
Later, a configuration validator will be implemented to detect issues
with configuration at startup.
Clement Michaud