Several crypto generate situations could not generate PKCS #8 ASN.1 DER format keys. Ths fixes this.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This fixes an issue where the authelia crypto hash generate command does not require no arguments leading to some confusing output.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This adds a feature to OpenID Connect 1.0 where clients can be restricted to a specific client authentication mode, as well as implements some backend requirements for the private_key_jwt client authentication mode (and potentially the tls_client_auth / self_signed_tls_client_auth client authentication modes). It also adds some improvements to configuration defaults and validations which will for now be warnings but likely be made into errors.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This fixes an issue where the default response mode (i.e. if the mode is omitted) would skip the validations against the allowed response modes.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This fixes an issue where the encoding of the YAML files fails when exporting TOTP/WebAuthn devices.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This fixes an issue where if the implicit config location of configuration.yml does not exist that an error is returned. This does not affect the behavior when the method was either implicit or environment.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This fixes an issue where attempting to load secrets the process does not have read permissions for would cause panics as well as the bit size check of the OpenID Connect 1.0 private key can potentially panic on malformed private keys. This was caused by us returning values on errors instead of nil's.
Fixes#5138
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This adjusts the AuthRequest Authz implementation behave similarly to the other implementations in as much as Authelia can return the relevant redirection to the proxy and the proxy just utilizes it if possible. In addition it swaps the HAProxy examples over to the ForwardAuth implementation as that's now supported.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This fixes an issue with the PostgreSQL schema where the webauthn tables aaguid column had a NOT NULL constraint erroneously.
Fixes#5182
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
The plain text email template for identity verifications indicates it's for registering a 2FA device but it may also be used for password resets. This fixes that issue.
Fixes#4915
This fixes a race condition which in some circumstances (seemed to only affect a deliberately under provisioned VM in testing, however it could still theoretically occur on any system) can cause the process to hang during a shutdown. While unrelated this also adds additional trace logging to the shutdown process to better capture each stage to better facilitate debugging in the future specifically when one particular service is taking time to stop.
Fixes#4963
Since nginx doesn't do portal URL detection we have to skip returning an error on the legacy authz implementation when the portal URL isn't detected. This issue only exists in unreleased versions.
James Elliott
renovate[bot]
Manuel Nuñez
Matthieu7503
Amir Zarrinkafsh