Commit Graph

425 Commits (3a65d9af5492aff7dd9a455871f4440ce0ac0cd2)

Author SHA1 Message Date
James Elliott e99fb7a08f
feat(configuration): configurable default second factor method (#3081)
This allows configuring the default second factor method.
2022-04-18 09:58:24 +10:00
Helvio Pedreschi de6d1698be
docs: update portainer ce and ee (#3202)
This adds some additional docs to Portainer docs specifically around Portainer EE.

Closes #3203

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-04-16 13:35:01 +10:00
James Elliott 4710de33a4
refactor(configuration): remove ptr for duoapi and notifier (#3200)
This adds to the ongoing effort to remove all pointers to structs in the configuration without breaking backwards compatibility.
2022-04-16 09:34:26 +10:00
James Elliott 92aba8eb0b
feat(server): zxcvbn password policy server side (#3151)
This is so the zxcvbn ppolicy is checked on the server.
2022-04-15 19:30:51 +10:00
Helvio Pedreschi 71511a5c4f
docs: fix typo (#3191)
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-04-15 10:43:04 +10:00
James Elliott e7112bfbd6
feat(oidc): client id claims (#3150)
Adds the authorized party (azp) and client_id registered claims to ID Tokens.
2022-04-09 16:55:24 +10:00
James Elliott 66a450ed38
feat(oidc): pre-configured consent (#3118)
Allows users to pre-configure consent if enabled by the client configuration by selecting a checkbox during consent.

Closes #2598
2022-04-08 15:35:21 +10:00
James Elliott 4503ac07be
fix(web): lowercase locales are not consistent with localization platforms (#3141)
This fixes an issue with localization platforms and the docs regarding localization, and the forcing locale names to lowercase.
2022-04-08 14:53:46 +10:00
James Elliott 2da50f6128
docs: add k8s important notes (#3140)
Add some implementation notes about k8s.

Fixes #2882
2022-04-08 14:15:35 +10:00
Lorenz Schmid 5f51dcdb51
docs: fix missing backtick (#3136)
Fix formatting error introduced in #3131

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-04-08 09:33:14 +10:00
James Elliott 9b6bcca1ba
feat(totp): secret customization (#2681)
Allow customizing the shared secrets size specifically for apps which don't support 256bit shared secrets.
2022-04-08 09:01:01 +10:00
Lorenz Schmid efccf77c10
docs(oidc): seafile integration example (#3131)
- Adds description and callback URL for the Seafile file server.
- Orders the entries in the two OIDC integration tables by name.
2022-04-08 07:11:43 +10:00
James Elliott ad84c8c33e
feat(oidc): opaque subject identifiers (#3129)
This is a meta commit for a feature originally implemented in 0a970aef8a documenting the change from using the username as a subject identifier to a specification compliant subject identifier in the form of RFC4122 UUID V4 subject identifiers. This is a required change in order to be compliant with the specification as per https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes. Relying parties which utilize the subject identifier / sub claim may need manual intervention in order to relink accounts. Users who have issues will have to consult with the documentation of their individual relying parties in order to relink accounts. Users who utilized the subject identifier as a means to provision their users are also encouraged to utilize the preferred_username claim from the profile scope.
2022-04-07 17:35:54 +10:00
James Elliott 8bb8207808
feat(oidc): pairwise subject identifiers (#3116)
Allows configuring clients with a sector identifier to allow pairwise subject types.
2022-04-07 16:13:01 +10:00
James Elliott 0a970aef8a
feat(oidc): persistent storage (#2965)
This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 15:33:53 +10:00
James Elliott 06fd7105ea
refactor(templates): utilize more accurate naming (#3125) 2022-04-07 13:05:20 +10:00
James Elliott 4ebd8fdf4e
feat(oidc): provide cors config including options handlers (#3005)
This adjusts the CORS headers appropriately for OpenID Connect. This includes responding to OPTIONS requests appropriately. Currently this is only configured to operate when the Origin scheme is HTTPS; but can easily be expanded in the future to include additional Origins.
2022-04-07 10:58:51 +10:00
Clément Michaud 3ca438e3d5
feat: implement mutual tls in the web server (#3065)
Mutual TLS helps prevent untrusted clients communicating with services like Authelia. This can be utilized to reduce the attack surface.

Fixes #3041
2022-04-05 09:57:47 +10:00
James Elliott a2eb0316c8
feat(web): password reset custom url (#3111)
This allows providing a custom URL for password resets. If provided the disable_reset_password option is ignored, the password reset API is disabled, and the button provided in the UI to reset the password redirects users to the configured endpoint.

Closes #1934, Closes #2854

Co-authored-by: you1996 <youssri@flyweight.tech>
2022-04-04 17:46:55 +10:00
James Elliott aac4c4772c
feat(web): i18n asset overrides (#3040)
This allows overriding translation files in folders with lowercase RFC5646 / BCP47 Format language codes. This also fixes an issues where languages which don't expressly match the language code specified due to having a variant will also match the existing codes.

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2022-04-04 12:15:26 +10:00
Manuel Nuñez bfd5d66ed8
feat(notification): password reset notification custom templates (#2828)
Implemented a system to allow overriding email templates, including the remote IP, and sending email notifications when the password was reset successfully.

Closes #2755, Closes #2756

Co-authored-by: Manuel Nuñez <@mind-ar>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-04-03 22:24:51 +10:00
James Elliott 9e05066097
refactor(handlers): ppolicy (#3103)
Add tests and makes the password policy a provider so the configuration can be loaded to memory on startup.
2022-04-03 21:58:27 +10:00
James Elliott 36cf662458
refactor: misc password policy refactoring (#3102)
Add tests and makes the password policy a provider so the configuration can be loaded to memory on startup.
2022-04-03 10:48:26 +10:00
Manuel Nuñez 8659ba394d
feat(authentication): password policy (#2723)
Implement a password policy with visual feedback in the web portal.

Co-authored-by: Manuel Nuñez <@mind-ar>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-04-03 08:32:57 +10:00
bgh-github cd2d88f9f3
docs: add oidc details for miniflux app (#3096)
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-04-02 17:28:48 +11:00
James Elliott 4d7f930e74
docs: fix regex examples (#3094) 2022-04-02 16:41:16 +11:00
bgh-github ce69cb2414
docs: fix oidc applications table display (#3088) 2022-04-02 15:09:47 +11:00
James Elliott 3c1bb3ec19
feat(authorization): domain regex match with named groups (#2789)
This adds an option to match domains by regex including two special named matching groups. User matches the username of the user, and Group matches the groups a user is a member of. These are both case-insensitive and you can see examples in the docs.
2022-04-01 22:38:49 +11:00
James Elliott 0116506330
feat(oidc): implement amr claim (#2969)
This adds the amr claim which stores methods used to authenticate with Authelia by the users session.
2022-04-01 22:18:58 +11:00
James Elliott b2d35d88ec
feat(configuration): allow rfc4918 http verbs in acl (#2988)
This allows the HTTP Method verbs from RFC4918 to be used. See https://datatracker.ietf.org/doc/html/rfc4918 for more information.
2022-04-01 21:53:10 +11:00
James Elliott f65643caff
docs: fix missing single quote (#3029) 2022-03-17 16:29:43 +11:00
Alestrix d393d80aee
docs: adjust acl policy example to be possible (#3008)
An access control policy with a policy of bypass and subjects is not configurable, this addresses an example in the docs which shows this misconfiguration erroneously.

Fixes #3006
2022-03-14 23:30:47 +11:00
Dennis Gaida 1e549caf15
Small description fix for OIDC groups (#3007)
OIDC groups claim actually contains the user's groups, not the user's display name.
2022-03-14 23:26:10 +11:00
James Elliott 5af58c7df1
docs(oidc): add subject storage to storage beta (#2987) 2022-03-10 09:19:15 +11:00
James Elliott 337dd61468
docs: add docs about remember me duration (#2979)
This documents disabling remember me.
2022-03-09 13:25:11 +11:00
James Elliott 6d937cf6cc
refactor(model): rename from models (#2968) 2022-03-06 16:47:40 +11:00
thehedgefrog 7e59df6f7f
docs: updated year (#2963)
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-03-06 11:06:09 +11:00
James Elliott 03cf92ff48
docs: fix misleading config (#2966) 2022-03-06 10:15:55 +11:00
James Elliott 204cef4d03
fix(storage): webauthn kid too short for some devices (#2957)
This fixes an issue that may cause the kid length of a webauthn device to exceed that length allowed by the database column.
2022-03-04 21:21:08 +11:00
James Elliott c9d86a9240
feat(oidc): oauth2 discovery support (#2925)
* feat(oidc): oauth2 discovery and endpoint rename

This implements the oauth2 authorization server discovery document, adds tests to the discovery documents, implements an efficiency upgrade to these docs, and renames some endpoints to be uniform.
2022-03-04 14:09:27 +11:00
James Elliott 8f05846e21
feat: webauthn (#2707)
This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 22:20:43 +11:00
James Elliott 6276883f04
refactor(configuration): utilize time duration decode hook (#2938)
This enhances the existing time.Duration parser to allow multiple units, and implements a decode hook which can be used by koanf to decode string/integers into time.Durations as applicable.
2022-03-02 17:40:26 +11:00
Andrew Moore 6ef6d0499a
feat(oidc): add pkce support (#2924)
Implements Proof Key for Code Exchange for OpenID Connect Authorization Code Flow. By default this is enabled for the public client type and requires the S256 challenge method.

Closes #2921
2022-03-02 15:44:05 +11:00
James Elliott decc4fd05e
docs: fix missing link (#2934) 2022-03-01 16:06:17 +11:00
James Elliott 1eef78ff7b
docs: move oidc roadmap (#2933) 2022-03-01 16:00:27 +11:00
James Elliott c479ba6386
fix(oidc): make preferred_username a profile scope claim (#2930)
This corrects an issue with the preferred_username which should be part of the profile scope as per https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims.

Introduced in ddbb21a via #2829
2022-03-01 14:07:39 +11:00
James Elliott 3c81e75d79
feat(commands): add access-control check-policy command (#2871)
This adds an access-control command that checks the policy enforcement for a given criteria using a configuration file and refactors the configuration validation command to include all configuration sources.
2022-02-28 14:15:01 +11:00
dependabot[bot] 5ff2323a7f
build(deps): bump nokogiri from 1.12.5 to 1.13.3 in /docs (#2919)
Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.12.5 to 1.13.3.
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sparklemotion/nokogiri/compare/v1.12.5...v1.13.3)

---
updated-dependencies:
- dependency-name: nokogiri
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-02-27 15:19:10 +11:00
James Elliott bed7a8ae32
feat(server): csp template (#2856)
Implements the ability for advanced users to override the CSP and easily include the required nonce.
2022-02-21 10:14:09 +11:00
Clément Michaud 6043b43d94
docs: fix roadmap item about oidc (#2885) 2022-02-21 08:50:20 +11:00
Clément Michaud 64adb9eb67
docs: update roadmap with new priorities based on feedbacks (#2878) 2022-02-18 22:35:22 +11:00
James White 50e9ccafa1
docs: fix grammar (#2863)
Remove the gender specific examples for `default_redirection_url`

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-02-17 13:26:17 +11:00
Karlos 096946bcb7
docs: add OIDC integration details about Harbor and Verdaccio (#2867)
Added Harbor (docker/helm open source registry) and verdaccio (open source NPM proxy registry)
2022-02-13 10:05:38 +01:00
James Elliott ddbb21af90
fix(handlers): include preferred_username claim in meta (#2829)
This includes the preferred_username claim in the meta. Also uses the consts for all the applicable claims and scopes.
2022-02-10 09:55:28 +11:00
Clément Michaud 100d598a0e
docs: add documentation about the logout endpoint (#2860)
fix #2859
2022-02-10 09:10:35 +11:00
Biel Frontera 8fc48476c6
docs: add community example of integrating authelia with Django (#2858)
Extend the information given at #2636 about how to integrate
authelia with Django.
2022-02-09 21:50:34 +01:00
Dylan Drost b6cffaaf50
docs: added example configs for oidc for specific services (portainer, proxmox) (#2831)
Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2022-02-08 00:05:10 +01:00
Michael Shamoon 5dd0cfb8c7
docs: add Bookstack to list of community-tested OIDC integrations (#2849)
Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2022-02-07 22:08:48 +01:00
James Elliott fcdd41ea2a
feat: oidc scope i18n (#2799)
This adds i18n for the OIDC scope descriptsions descriptions.
2022-02-08 01:18:16 +11:00
James Elliott 7775d2af0e
fix(ntp): disable failure ignored (#2835)
Disable failure was ignored previously, this ensures it isn't.
2022-02-03 14:04:24 +11:00
James Elliott e59f571816
refactor(oidc): add client id to two factor log message (#2816)
Adds the client id to a log message where it's likely useful. Additionally adds beta stage for prompt/display handling.
2022-01-21 14:15:50 +11:00
James Elliott 06641cd15a
fix(oidc): add preferred username claim (#2801)
This adds the missing preferred username claim to the ID Token for OIDC.

Fixes #2798
2022-01-18 20:32:06 +11:00
Patrick Ruckstuhl 8507195240
docs: add annotations for nginx ingress to k8s doc (#2726) 2021-12-17 09:11:36 +11:00
Shadow f05f9cf12a
docs: add link to migrations page from faq (#2686) 2021-12-09 18:44:40 +11:00
James Elliott c1c980f107
docs: update matrix links (#2675)
This updates our matrix links to use the new Authelia homeserver.
2021-12-04 15:50:31 +11:00
James Elliott 255aaeb2ad
feat(storage): encrypt u2f key (#2664)
Adds encryption to the U2F public keys. While the public keys cannot be used to authenticate, only to validate someone is authenticated, if a rogue operator changed these in the database they may be able to bypass 2FA. This prevents that.
2021-12-03 11:04:11 +11:00
James Elliott 104a61ecd6
refactor(web): only fetch totp conf if required (#2663)
Prevents the TOTP user config from being requested when the user has not registered or is already authenticated 2FA.
2021-12-02 21:28:16 +11:00
James Elliott f0119b5c75
docs: update fail2ban example (#2661)
Updates the fail2ban examples to align with new messages.

Fixes #2649.
2021-12-02 17:09:47 +11:00
James Elliott f90ca855e3
feat(storage): postgresql schema and ssl options (#2659)
Adds the schema name and all ssl options for PostgreSQL. Also a significant refactor of the storage validation process.
2021-12-02 16:36:03 +11:00
Aram Akhavan 5b3fa1fffb
docs: consistent naming for configuration file (#2626)
* change all instances (file names and docs) of "config.template.yml" to "configuration.template.yml" so its consistent with the expectations of the Dockerfile

* Keep config.template.yml named as is

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>

* Update index.html

* revert filename changes and add a note about docker

* refactor: apply suggestions from code review

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-12-02 15:50:05 +11:00
James Elliott 8a12af97ab
refactor: remove previously deprecated options (#2629)
This removes the deprecated logging, host, port, and tls options per our deprecation policy.
2021-12-02 00:01:32 +11:00
James Elliott ad8e844af6
feat(totp): algorithm and digits config (#2634)
Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm).

Fixes #1226.
2021-12-01 23:11:29 +11:00
Philipp Staiger 01b77384f9
feat(duo): multi device selection (#2137)
Allow users to select and save the preferred duo device and method, depending on availability in the duo account. A default enrollment URL is provided and adjusted if returned by the duo API. This allows auto-enrollment if enabled by the administrator.

Closes #594. Closes #1039.
2021-12-01 14:32:58 +11:00
James Elliott ee14fcf3cb
docs: fix tables (#2647) 2021-11-30 22:36:16 +11:00
James Elliott ab8f9b0697
fix(notifier): force use of sender email in smtp from cmd (#2616)
This change addresses an issue with the usage of the full sender configuration option in the MAIL FROM SMTP command. If a user includes a name in the sender this shouldn't be sent in the MAIL FROM command, instead we should extract it and use just the email portion.

Fixes #2571
2021-11-30 22:15:21 +11:00
James Elliott 87f3cf71c1
docs(oidc): provide beta intentions clarification and fix typo (#2632) 2021-11-25 16:11:31 +11:00
James Elliott 347bd1be77
feat(storage): encrypted secret values (#2588)
This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330.

Closes #682
2021-11-25 12:56:58 +11:00
James Elliott 3695aa8140
feat(storage): primary key for all tables and general qol refactoring (#2431)
This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database.

Fixes #1337
2021-11-23 20:45:38 +11:00
Amir Zarrinkafsh 0be883befb
feat: customizable static assets (#2597)
* feat: customizable static assets

This change provides the means to override specific assets from the embedded Go FS with files situated on disk.

We only allow overriding the following files currently:
* favicon.ico
* logo.png

* refactor(server): make logo string a const

* refactor(suites): override favicon and use ntp3 in traefik2 suite

* test(suites): test logo override in traefik2 suite

* test(suites): test asset override fallback in traefik suite

Closes #1630.
2021-11-15 19:37:58 +11:00
Amir Zarrinkafsh 7d5a59098d
docs: add hashicorp vault oidc configuration and update minio tested version (#2592) 2021-11-11 15:36:21 +11:00
Justin Sievenpiper 04831c2433
feat(session): add support for acl-based sentinel auth against redis (#2516)
Implements the sentinel username parameter which can be different to the redis username.
2021-10-31 11:49:27 +11:00
James Elliott 183f0974ae
docs: fix tables (#2468)
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-10-08 11:32:57 +11:00
Amir Zarrinkafsh 8685e095e9
fix(web): clarify 2fa informational message (#2451) 2021-10-07 10:54:48 +11:00
Amir Zarrinkafsh 209b39ffd0
docs: fix required flag for smtp notifier sender option (#2446)
Fixes: #2445.
2021-10-04 13:44:59 +11:00
Amir Zarrinkafsh 33fe1262bd
docs: fix typo in secrets env var (#2432) 2021-10-01 13:30:56 +10:00
Amir Zarrinkafsh 3d312cf3b9
refactor: replace yarn with pnpm (#2424)
* Check for pnpm in authelia-scripts
* Improve husky hooks to check for required apps
* Use pnpm in coverage dockerfile
* Use pnpm in dev workflow
* Stop buildx log truncation
* Ignore pnpm lockfile in yamllint
* Update versions required for docker and docker-compose in contributing docs
2021-09-29 17:24:21 +10:00
dependabot[bot] 3b2e4ad477
build(deps): bump nokogiri from 1.11.4 to 1.12.5 in /docs (#2420)
Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.11.4 to 1.12.5.
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sparklemotion/nokogiri/compare/v1.11.4...v1.12.5)

---
updated-dependencies:
- dependency-name: nokogiri
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-09-29 09:24:34 +10:00
yossbg 05406cfc7b
feat(ntp): check clock sync on startup (#2251)
This adds method to validate the system clock is synchronized on startup. Configuration allows adjusting the server address, enabled state, desync limit, and if the error is fatal.

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-09-17 14:44:35 +10:00
Alex Gustafsson a88c5588e8
feat: add config flag to hash-password tool (#2047)
This change implements a --config flag for the hash-password which parses the config and validates it just as it would at run-time. The values specified in the config replace those specified as parameters.

* feat(cmd): add config flag to hash-password tool
* fix(cmd): fix linting issue

Closes: #1709.
2021-09-16 10:20:42 +10:00
James Elliott f1b2b4d79e
docs(oidc): remove invalid footnote (#2354)
Removes the footnote from beta2.
2021-09-09 12:24:47 +10:00
Amir Zarrinkafsh cc765115b2
ci: add husky with pre-commit and commit-msg hooks (#2352)
* ci: add husky with pre-commit and commit-msg hooks

This change includes two new hooks as part of our GitHub workflow with husky:

* `pre-commit`: Performs linting with golangci-lint and eslint/prettier
* `commit-msg`: Ensures that the commit messages conform to our guidelines and will error and provide context to a user when they do not.

The `prepare` command which has been included is executed each time a `yarn install` is executed.

* ci: extend @commitlint/config-conventional configuration

* fix: lint all dot js files
2021-09-09 12:22:11 +10:00
Nicolas Reymundo eb07bff5d4
docs: add wekan and portainer to community oidc list (#2302) 2021-08-20 07:59:52 +10:00
Nicolas Reymundo 34ad7da213
docs: add nextcloud community tested oidc apps (#2298)
Adds additional oidc apps.

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-08-19 22:17:42 +10:00
polandy 880a6c5832
docs: add gitea redirect_uri with notes to community docs (#2275)
* docs: add gitea redirect_uri with notes to community docs

* docs: remove unnecessary dash from Gitea notes

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-08-10 20:48:31 +10:00
James Elliott c0ebe3eb8c
fix(notifier): use sane default connection timeout (#2273) 2021-08-10 10:52:41 +10:00
James Elliott 997036f9c3
fix(configuration): make notifier logging consistent and more specific (#2268)
This ensures the notifier logs are more specific to give people a clear picture of if they either have no notifier specified or multiple.
2021-08-07 13:58:08 +10:00
James Elliott b5d0e667cc
docs(configuration): add migration note about k8s (#2266)
This adds some additional information about configuration on k8s for version 4.30+.
2021-08-07 09:55:17 +10:00
James Elliott 9ebad9bec2
fix(storage): set sane default connection timeout (#2256)
This sets a sane default connection timeout for SQL connections.
2021-08-06 15:35:14 +10:00
James Elliott b2a49e1780
feat(authentication): allow customizable ldap connection timeout (#2240)
This implements both a connection timeout for LDAP connections, and makes it configurable by administrators. The default is 5s. The reason for this commit is currently if a connection to an LDAP server cannot be established it does not timeout in a reasonable period.
2021-08-05 14:30:00 +10:00
James Elliott a3b14871ba
perf(authentication): improve ldap dynamic replacement performance (#2239)
This change means we only check the filters for the existence of placeholders that cannot be replaced at startup. We then utilized cached results of that lookup for subsequent replacements.
2021-08-05 14:17:07 +10:00
James Elliott c5c6bda8b0
refactor: configuration agnostic healthcheck (#2231)
This makes the healthcheck simple and configured directly by Authelia's configuration on startup.
2021-08-05 14:02:07 +10:00
James Elliott 171b323274
docs: enhance supported proxies documentation (#2210)
This enhances the supported proxies documentation to be more comprehensive.
2021-08-04 11:21:49 +10:00
James Elliott 1440394b60
docs: fix missing line from the lite guide (#2230)
This ensures users checkout the latest tagged release when using the lite deployment.

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-08-03 20:52:13 +10:00
James Elliott a7e867a699
feat(configuration): replace viper with koanf (#2053)
This commit replaces github.com/spf13/viper with github.com/knadh/koanf. Koanf is very similar library to viper, with less dependencies and several quality of life differences. This also allows most config options to be defined by ENV. Lastly it also enables the use of split configuration files which can be configured by setting the --config flag multiple times.

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-08-03 19:55:21 +10:00
James Elliott 942fd69776
docs(logging): fix invalid key log_file (#2226)
A small fix to the documentation regarding migrating configuration.
2021-08-03 10:44:21 +10:00
James Elliott ec2fc27910
docs: fix parents (#2225) 2021-08-03 07:23:40 +10:00
James Elliott 158783a9d4
feat(configuration): replace several configuration options (#2209)
This change adjusts several global options moving them into the server block. It additionally notes other breaking changes in the configuration.

BREAKING CHANGE: Several configuration options have been changed and moved into other sections. Migration instructions are documented here: https://authelia.com/docs/configuration/migration.html#4.30.0
2021-08-02 21:55:30 +10:00
James Elliott 0fbd3c3938
docs: update and unify contact options (#2213)
This updates and unifies the contact options so it is easier to maintain. All contact options now link back to one of two locations, and both of these locations are a copy and paste for the most part.

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-07-30 14:19:17 +10:00
James Elliott 2bb7b2efec
docs: update style guidelines (#2172)
Update the style guidelines.

Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2021-07-30 14:17:44 +10:00
James Elliott d49f2908e0
docs(oidc): fix links (#2212) 2021-07-30 09:41:42 +10:00
Georg Lauterbach 51dcf7c02b
docs(oidc): add guidance to community docs for minio (#2191) 2021-07-20 08:23:55 +10:00
Georg Lauterbach bf2b413172
Update OIDC MinIO community content (#2188)
* update OIDC MinIO community content
2021-07-17 08:50:05 +10:00
James Elliott 8342a46ba1
feat(oidc): implement client type public (#2171)
This implements the public option for clients which allows using Authelia as an OpenID Connect Provider for cli applications and SPA's where the client secret cannot be considered secure.
2021-07-15 21:02:03 +10:00
James Elliott 0da770d900
docs: misc fixes (#2186)
This fixes misc broken links in the docs as well as an invalid viewBox element.
2021-07-15 13:21:47 +10:00
James Elliott 76189b86b7
docs(oidc): misc docs fixes and additional references (#2185)
This fixes a few anchor issues in the OpenID Connect docs, as well as adds some additional references and fixes the name of one of the endpoints.
2021-07-15 13:04:44 +10:00
James Elliott c794d57afc
perf(authentication): improve active directory default users filter (#2181)
This adds a performance change to the default Active Directory users filter. Basically as per TechNet the (sAMAccountType=805306368) filter is the same as (&(objectCategory=person)(objectClass=user)) except the performance is better.
2021-07-14 20:30:25 +10:00
Georg Lauterbach 9d7cfb8455
docs: update and enhance oidc documentation (#2142)
Update and adjust OIDC documentation. This also adds information for users about RP's that have been tested.

Co-authored-by: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com>
Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-07-14 11:36:07 +10:00
dependabot[bot] d465c38f0d
build(deps): bump addressable from 2.7.0 to 2.8.0 in /docs (#2175)
Bumps [addressable](https://github.com/sporkmonger/addressable) from 2.7.0 to 2.8.0.

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-07-13 11:04:57 +10:00
James Elliott 143db66445
feat(oidc): userinfo endpoint (#2146)
This is a required endpoint for OIDC and is one we missed in our initial implementation. Also adds some rudamentary documentaiton about the implemented endpoints.
2021-07-10 14:56:33 +10:00
Amir Zarrinkafsh 711b5ff0db
feat: publish and deploy to apt.authelia.com (#2148)
This automates the process of publishing our `*.deb` files for stable Authelia releases to apt.authelia.com.
2021-07-05 12:49:48 +10:00
James Elliott ef549f851d
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately. 
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-04 09:44:30 +10:00
James Elliott 524c6eb1dc
docs: refactor access control configuration sections (#1945)
Refactors the access-control configuration documentation to be up-to-date and conform to our style guidelines. Additionally went over each part and reworded things that needed it.
2021-06-22 16:00:45 +10:00
Amir Zarrinkafsh fc71030c18
feat(examples): improve local setup script (#2094)
The local setup script expects to be run as root and would only work on a fresh clone of the repo. Now if not run as root the user will be prompted for sudo elevation at the beginning of the script and the script will also survive re-runs on a dirty clone.
2021-06-18 10:01:09 +10:00
Alex Gustafsson 150116a172
feat(web): implement automatic theme switch for light/dark (#2046)
* Implement an automatic theme

The "auto" theme will automatically switch between "dark" and "light"
depending on user preference. This allows for automatic dark mode.

* fix(configuration): allow the "auto" theme when validating

The new theme "auto" was not allowed to be used in a configuration file.

* docs: clarify what critera controls the automatic theme

How the "auto" theme functioned was unclear.

* docs: typeset themes as code

* fix(web): apply useEffector to media query watch

* docs: add technical details

* fix(configuration): resolve merge conflicts
2021-06-17 16:42:03 +10:00
James Elliott 2c42464fc8
refactor(configuration): use key log instead of logging (#2072)
* refactor: logging config key to log

This refactors the recent pre-release change adding log options to their own configuration section in favor of a log section (from logging).

* docs: add step to getting started to get the latest tagged commit

This is so we avoid issues with changes on master having differences that don't work on the latest docker tag.

* test: adjust tests

* docs: adjust doc strings
2021-06-08 23:15:43 +10:00
Amir Zarrinkafsh 3d42f52d4a
docs: update logos with transparent backgrounds (#2071) 2021-06-08 10:41:11 +10:00
James Elliott c555c10496
docs: add matrix space information and update readme (#2061)
* docs: add matrix space information and update readme

We recently created a Matrix Space which includes both the original room, and a new contributing room. This commit also performs some basic housekeeping on the README.md, including but not limited to: factorizing the security section, adjusting the main description, clearly outlining areas where help is wanted, adding information related to the helm chart, adding more details in the features summary, grammar, and misc other changes.

* docs: update security to be in line with the readme
2021-06-06 15:53:28 +10:00
James Elliott 6b3246a6d3
docs: refactor and update security (#1944)
Refactors the secrurity documentation to be up-to-date and conform to our style guidelines. Additionally went over each part and reworded things that needed it.
2021-06-01 14:11:33 +10:00
James Elliott cef35fadcd
feat(configuration): add error and warn log levels (#2050)
This is so levels like warn and error can be used to exclude info or warn messages. Additionally there is a reasonable refactoring of logging moving the log config options to the logging key because there are a significant number of log options now. This also decouples the expvars and pprof handlers from the log level, and they are now configured by server.enable_expvars and server.enable_pprof at any logging level.
2021-06-01 14:09:50 +10:00
Frederic Hemberger 4cfda7eece
fix(docs): Update link to Lite bundle (#2048) 2021-06-01 01:17:26 +02:00
Amir Zarrinkafsh 05df642f3e
feat: add option to keep stdout logging with log_file_path (#2037)
Currently if a `log_file_path` is defined Authelia will redirect all logging from standard output to said defined location. This change allows users to keep standard output logging along with a defined `log_file_path`.
2021-05-31 14:02:54 +10:00
dependabot[bot] d945e2a9b2
build(deps): bump nokogiri from 1.11.3 to 1.11.4 in /docs (#2011)
Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.11.3 to 1.11.4.
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sparklemotion/nokogiri/compare/v1.11.3...v1.11.4)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-05-20 13:27:08 +10:00
Clément Michaud 168404fbb4
doc: reword the sponsor section of readme (#1994)
Also add an explicit mention on the fact that the team is looking
for sponsorship to organize an audit of the code or a pen test.
2021-05-10 09:53:34 +10:00
Clément Michaud 0c915b933e
docs: add link for users to take quick survey on usage (#1993)
We want to gather some statistics around the usage of Authelia in
order for the team to take better design decisions and direction
regarding the roadmap.
2021-05-10 01:23:57 +10:00
Ikko Ashimine 9b1151d525
docs: fix capitalization (#1980)
This fixes the capitalization of a single instance of `Github` to `GitHub`.

Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2021-05-06 07:12:32 +10:00
James Elliott 952e072f1b
docs: update secrets configuration (#1978)
This updates secrets configuration for 4.29.0 and fixes an existing issue.

Fixes #1977
2021-05-05 21:23:24 +02:00
Clément Michaud e8e29831c1
docs: add oidc package in contributor guidelines (#1971) 2021-05-05 09:08:14 +10:00
James Elliott ddea31193b
feature(oidc): add support for OpenID Connect
OpenID connect has become a standard when it comes to authentication and
in order to fix a security concern around forwarding authentication and authorization information
it has been decided to add support for it.

This feature is in beta version and only enabled when there is a configuration for it.
Before enabling it in production, please consider that it's in beta with potential bugs and that there
are several production critical features still missing such as all OIDC related data is stored in
configuration or memory. This means you are potentially going to experience issues with HA
deployments, or when restarting a single instance specifically related to OIDC.

We are still working on adding the remaining set of features before making it GA as soon as possible.

Related to #189

Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-05 00:15:36 +02:00
James Elliott 706fbfdb2c
fix(session): ensure default cookie samesite value is lax (#1926)
This implements a change to the default behaviour of the cookies generated by the sessions package. The old behaviour was to set the SameSite=None, this changes it to SameSite=Lax. Additionally this puts the option in the hands of the end-user so they can decide for themselves what the best option is.
2021-04-18 10:02:04 +10:00
James Elliott cc4f47f21c
fix: removed deprecated smtp/ldap options (#1912)
This removes the deprecated options from 4.25. This includes the LDAP filters which allow {0} or {1} placeholders. The new aliases are documented. Additionally it refactors the keys validator to use uniform messages for most replaced keys.
2021-04-16 11:44:37 +10:00
Clément Michaud c9b853d736
docs: Add a page listing supported proxies. (#1907)
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-04-13 10:41:49 +02:00
Clément Michaud 42cee0ed6c
docs(proxy): clarify the workflow of a client request payload. (#1838)
Fix #1836
2021-04-13 07:47:30 +10:00
Clément Michaud ce77aed178
fix: bump gems used to generate documentation. (#1902)
This solves the security issue reported by dependabot.

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-04-12 14:21:06 +10:00
James Elliott 619da0f7ec
docs: misc fixes to documentation after overhaul (#1906) 2021-04-12 13:21:19 +10:00
James Elliott 1a385947bc
docs: fix license link (#1905) 2021-04-11 21:39:05 +10:00
James Elliott 08e674b62f
docs: refactor several areas of documentation (#1726)
Updated all links to use https://www.authelia.com/docs/.
Removed all comment sections from documented configuration on the documentation site and replaced them with their own sections.
Made all documentation inside config.template.yml double hashes, and made all commented configuration sections single quoted.
Added .yamllint.yaml to express our desired YAML styles.
Added a style guide.
Refactored many documentation areas to be 120 char widths where possible. It's by no means exhaustive but is a large start.
Added a statelessness guide for the pending Kubernetes chart introduction.
Added labels to configuration documentation and made many areas uniform.
2021-04-11 21:25:03 +10:00
Wu Han fd21157aac
docs: add an example of deploying authelia lite on docker swarm (#1899)
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-04-11 07:10:02 +10:00
Clément Michaud be4f6b6fb1
docs: Add a page in docs for listing the links to various community resources. (#1901)
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-04-11 07:03:53 +10:00
James Elliott d33d6c2f00
ci: add yamllint (#1895)
This change implements yamllint and adjusts all yaml files to abide by our linting setup. This excludes config.template.yml as this will be done in an alternate commit.
2021-04-11 06:51:00 +10:00
Amir Zarrinkafsh 661d82587e
fix: remove health checks on compose examples (#1871)
Traefik does not add routes for containers via the Docker provider if the health check does not return healthy, this causes inadvertent user experience issues when attempting the pre-made compose examples.

This change removes the health checks for said examples and also ensures that Traefik logs are written to stdout so a user can view them within the Docker container logs.

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-03-30 16:17:11 +11:00