This implements the public option for clients which allows using Authelia as an OpenID Connect Provider for cli applications and SPA's where the client secret cannot be considered secure.
This adds a performance change to the default Active Directory users filter. Basically as per TechNet the (sAMAccountType=805306368) filter is the same as (&(objectCategory=person)(objectClass=user)) except the performance is better.
Update and adjust OIDC documentation. This also adds information for users about RP's that have been tested.
Co-authored-by: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com>
Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
This is a required endpoint for OIDC and is one we missed in our initial implementation. Also adds some rudamentary documentaiton about the implemented endpoints.
This is so on startup administrators who have a LDAP server implementation that may not support password hashing by default are clearly warned. This only triggers if the disable password reset option is not enabled, we cannot find the extension OID for the Extended Password Modify Operation, and the implementation is not Active Directory. Active Directory has it's own method for this which doesn't advertise an OID.
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
* feat(authentiation): check ldap server on startup
This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary.
* test(authentication): add unit tests for new feature
* refactor(authentication): factorize ldap user provider newup
* refactor: minor adjustments
#2101 introduced a minor regression when using the authelia scripts suite for developing.
The following issues occurred:
```
[00] # runtime/cgo
[00] cgo: exec gcc: exec: "gcc": executable file not found in $PATH
```
Adding the CGO_ENABLED=0 before the dlv build command in the run-backend-dev.sh fixed the issue.
renovate[bot]
James Elliott
Georg Lauterbach
dependabot[bot]
Clément Michaud
Arsenović Arsen
allcontributors[bot]
Amir Zarrinkafsh
Philipp Staiger
dakriy