Commit Graph

422 Commits (cee5a684223a7d01cd57524b2080450ca3a61244)

Author SHA1 Message Date
Amir Zarrinkafsh 3d312cf3b9
refactor: replace yarn with pnpm (#2424)
* Check for pnpm in authelia-scripts
* Improve husky hooks to check for required apps
* Use pnpm in coverage dockerfile
* Use pnpm in dev workflow
* Stop buildx log truncation
* Ignore pnpm lockfile in yamllint
* Update versions required for docker and docker-compose in contributing docs
2021-09-29 17:24:21 +10:00
James Elliott 6a75fc6f67
build(deps): update module github.com/golang-jwt/jwt/v4 to v4.1.0 (#2418) 2021-09-26 22:06:11 +10:00
renovate[bot] 6343f70f01
build(deps): update traefik docker tag to v2.5.3 (#2401)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-09-21 10:40:22 +10:00
James Elliott aed9099ce2
refactor: factorize startup checks (#2386)
* refactor: factorize startup checks

* refactor: address linting issues
2021-09-17 19:53:59 +10:00
Clément Michaud 92d328926d
refactor(handlers): lower case error messages (#2289)
* refactor(handlers): lower case error messages

also refactor verifyAuth function to detect malicious activity both with session
cookie and authorization header.

* refacto(handlers): simplify error construction

* fix(handlers): check prefix in authorization header to determine auth method

* fix(handlers): determining the method should be done with headers instead of query arg

* refacto(handlers): rollback changes of verifyAuth

* don't lowercase log messages

* Apply suggestions from code review

Make sure logger errors are not lowercased.

* fix: uppercase logger errors and remove unused param

* Do not lowercase logger errors
* Remove unused param targetURL
* Rename url variable to not conflict with imported package

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-09-17 15:53:40 +10:00
yossbg 05406cfc7b
feat(ntp): check clock sync on startup (#2251)
This adds method to validate the system clock is synchronized on startup. Configuration allows adjusting the server address, enabled state, desync limit, and if the error is fatal.

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-09-17 14:44:35 +10:00
Amir Zarrinkafsh 11032bdf93
fix(server): remove obselete memory check warning (#2380)
Given the fact that many Linux OSes are defaulting to CGroups v2 and also Authelia changing the default memory config for argon2id this warning is now obselete.
2021-09-16 12:26:34 +10:00
Alex Gustafsson a88c5588e8
feat: add config flag to hash-password tool (#2047)
This change implements a --config flag for the hash-password which parses the config and validates it just as it would at run-time. The values specified in the config replace those specified as parameters.

* feat(cmd): add config flag to hash-password tool
* fix(cmd): fix linting issue

Closes: #1709.
2021-09-16 10:20:42 +10:00
James Elliott 2f03b02fc9
fix(session): handle redis logging properly (#2350)
This catches redis logs and displays them via our logging utility.
2021-09-09 13:08:21 +10:00
renovate[bot] 4da10f9cea
build(deps): update haproxy docker tag to v2.4.4 (#2351)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-09-08 09:52:49 +10:00
Amir Zarrinkafsh 84f370aa68
fix(suites): prevent dev workflow overriding .healthcheck.env (#2345) 2021-09-06 20:51:58 +10:00
renovate[bot] 9de8aafadf
build(deps): update traefik docker tag to v2.5.2 (#2337)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-09-03 11:59:46 +10:00
renovate[bot] d2bf1eb4e2
build(deps): update alpine docker tag to v3.14.2 (#2325) 2021-08-28 09:13:07 +10:00
James Elliott 8d102ce5d8
refactor(session): remove unencrypted session fallback (#2314)
This removes a temporary session fallback for unencrypted sessions.
2021-08-26 21:48:14 +10:00
renovate[bot] ad16f99e6d
build(deps): update traefik docker tag to v2.5.1 (#2306)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-08-21 11:03:00 +10:00
Amir Zarrinkafsh aa20dad04b
refactor(configuration): add import commentary for golint (#2303) 2021-08-20 11:42:35 +10:00
renovate[bot] 8ac9ce9367
build(deps): update traefik docker tag to v2.5.0 (#2296)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-08-19 09:28:05 +10:00
renovate[bot] 956db2dbaa
build(deps): update haproxy docker tag to v2.4.3 (#2295)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-08-18 14:50:49 +10:00
renovate[bot] 0aba819899
build(deps): update golang docker tag (#2293)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-08-17 13:46:47 +10:00
renovate[bot] c768144c07
build(deps): update traefik docker tag to v2.4.14 (#2292)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-08-17 07:30:27 +10:00
James Elliott b4e570358e
fix: include major in go.mod module directive (#2278)
* build: include major in go.mod module directive

* fix: xflags

* revert: cobra changes

* fix: mock doc
2021-08-11 11:16:46 +10:00
James Elliott c0ebe3eb8c
fix(notifier): use sane default connection timeout (#2273) 2021-08-10 10:52:41 +10:00
Amir Zarrinkafsh e2ebdb7e41
fix: oidc issuer path and strip path middleware (#2272)
* fix: oidc issuer path and strip path middleware

This ensures the server.path requests append the base_url to the oidc well-known issuer information and adjusts server.path configuration to only strip the configured path instead of the first level entirely regardless of its content.

* fix: only log the token error and general refactoring

* refactor: factorize base_url functions

* refactor(server): include all paths in startup logging

* refactor: factorize

* refactor: GetExternalRootURL -> ExternalRootURL

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-08-10 10:31:08 +10:00
renovate[bot] c593ebc573
build(deps): update mariadb docker tag to v10.6.4 (#2274)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-08-10 07:30:29 +10:00
James Elliott 997036f9c3
fix(configuration): make notifier logging consistent and more specific (#2268)
This ensures the notifier logs are more specific to give people a clear picture of if they either have no notifier specified or multiple.
2021-08-07 13:58:08 +10:00
renovate[bot] cc1ecafc1c
build(deps): update alpine docker tag to v3.14.1 (#2262)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-08-07 06:48:15 +10:00
James Elliott 9ebad9bec2
fix(storage): set sane default connection timeout (#2256)
This sets a sane default connection timeout for SQL connections.
2021-08-06 15:35:14 +10:00
James Elliott 9789ad070b
fix(configuration): ldap timeout option not recognized as valid (#2252)
This is so an unexpected error doesn't occur when someone uses the new ldap timeout key which we missed adding to the list of valid keys in b2a49e1780.
2021-08-06 09:28:52 +10:00
James Elliott 655ae98ced
fix(notifier): regression in startup check (#2248)
The changes in the koanf commit a7e867a699 introduced a regression in the startup procedure that prevented the option to disable the startup check from having an effect. This ensures the startup check is not performed if it is disabled as it was intended.
2021-08-05 20:41:56 +10:00
James Elliott 13ae1b4f26
fix(configuration): missing oidc minimum_parameter_entropy validator key (#2244)
* fix(oidc): missing validator key

* revert: return removed key

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-08-05 17:19:17 +10:00
James Elliott b2a49e1780
feat(authentication): allow customizable ldap connection timeout (#2240)
This implements both a connection timeout for LDAP connections, and makes it configurable by administrators. The default is 5s. The reason for this commit is currently if a connection to an LDAP server cannot be established it does not timeout in a reasonable period.
2021-08-05 14:30:00 +10:00
James Elliott a3b14871ba
perf(authentication): improve ldap dynamic replacement performance (#2239)
This change means we only check the filters for the existence of placeholders that cannot be replaced at startup. We then utilized cached results of that lookup for subsequent replacements.
2021-08-05 14:17:07 +10:00
James Elliott c5c6bda8b0
refactor: configuration agnostic healthcheck (#2231)
This makes the healthcheck simple and configured directly by Authelia's configuration on startup.
2021-08-05 14:02:07 +10:00
Clément Michaud e693302c75
fix(storage): use lower case in error messages (#2145)
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-08-04 09:36:53 +10:00
Clément Michaud 4a570489d1
fix(server): use lower case in error messages (#2151)
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-08-04 09:18:20 +10:00
Amir Zarrinkafsh 28991dd71a
fix(oidc): do not lower case in log messages (#2236) 2021-08-04 08:54:45 +10:00
James Elliott f7b358e72a
build(deps): update module github.com/golang-jwt/jwt to v4 (#2235) 2021-08-04 07:38:07 +10:00
James Elliott a7e867a699
feat(configuration): replace viper with koanf (#2053)
This commit replaces github.com/spf13/viper with github.com/knadh/koanf. Koanf is very similar library to viper, with less dependencies and several quality of life differences. This also allows most config options to be defined by ENV. Lastly it also enables the use of split configuration files which can be configured by setting the --config flag multiple times.

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-08-03 19:55:21 +10:00
James Elliott 942fd69776
docs(logging): fix invalid key log_file (#2226)
A small fix to the documentation regarding migrating configuration.
2021-08-03 10:44:21 +10:00
James Elliott 158783a9d4
feat(configuration): replace several configuration options (#2209)
This change adjusts several global options moving them into the server block. It additionally notes other breaking changes in the configuration.

BREAKING CHANGE: Several configuration options have been changed and moved into other sections. Migration instructions are documented here: https://authelia.com/docs/configuration/migration.html#4.30.0
2021-08-02 21:55:30 +10:00
James Elliott ac17841721
fix(handlers): make user banned message consistent (#2223)
This is so the user banned API message is consistent with other authentication failed messages, even in the API.
2021-08-02 16:54:20 +10:00
Clément Michaud bc983ce9f5
fix: user is now redirected when authenticated (#2082)
* fix(handlers,web): user is now redirected when authenticated

Fix: #1788

* remove dead code and fix ci issues

* fix infinite loop in frontend

* fix issue with integration tests

* handle bot recommendation

* fix integration test & add dot to comment

* fix last integration test

* Update api/openapi.yml

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>

* Update web/src/services/SafeRedirection.ts

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>

* Update web/src/services/SafeRedirection.ts

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>

* Update api/openapi.yml

* Update openapi.yml

* refactor: valid -> safe

* refactor: adjust merge conflicts

* Apply suggestions from code review

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>

* fix: adjust test return messaging

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-08-02 16:15:38 +10:00
renovate[bot] 77a51d5c2f
build(deps): update traefik docker tag to v2.4.13 (#2217)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-07-31 09:53:41 +10:00
Georg Lauterbach 5ed0636f77
fix(notifier): remove SMTPS warning (#2200)
Removes a warning about SMTPS when using port 465 and replaces it with info about SUBMISSIONS.
2021-07-30 13:15:12 +10:00
renovate[bot] c98b2a7d59
build(deps): update traefik docker tag to v2.4.12 (#2203)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-07-27 10:29:31 +10:00
James Elliott 911d71204f
fix(handlers): handle xhr requests to /api/verify with 401 (#2189)
This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303.
2021-07-22 13:52:37 +10:00
James Elliott ddeb46b262
fix(handlers): send status 303 auth requests that are not get/head (#2184)
When a request occurs, if the browser is not performing a HTTP GET/HEAD request, the 302 status code is not valid. This commit resolves this. MDN: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/302.
2021-07-16 13:43:48 +10:00
renovate[bot] 596346de1e
build(deps): update traefik docker tag to v2.4.11 (#2187)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-07-16 06:42:05 +10:00
James Elliott 8342a46ba1
feat(oidc): implement client type public (#2171)
This implements the public option for clients which allows using Authelia as an OpenID Connect Provider for cli applications and SPA's where the client secret cannot be considered secure.
2021-07-15 21:02:03 +10:00
James Elliott c794d57afc
perf(authentication): improve active directory default users filter (#2181)
This adds a performance change to the default Active Directory users filter. Basically as per TechNet the (sAMAccountType=805306368) filter is the same as (&(objectCategory=person)(objectClass=user)) except the performance is better.
2021-07-14 20:30:25 +10:00
renovate[bot] 3537cce660
build(deps): update mariadb docker tag to v10.6.3 (#2180)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-07-13 22:46:04 +02:00
James Elliott f292050822
fix(authentication): ldap connection left open (#2179)
The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 21:12:50 +10:00
James Elliott 143db66445
feat(oidc): userinfo endpoint (#2146)
This is a required endpoint for OIDC and is one we missed in our initial implementation. Also adds some rudamentary documentaiton about the implemented endpoints.
2021-07-10 14:56:33 +10:00
renovate[bot] d2422e9965
build(deps): update haproxy docker tag to v2.4.2 (#2168)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-07-09 08:49:30 +10:00
Clément Michaud 21f9056c00
fix(oidc): use lower case in log messages (#2153) 2021-07-08 12:44:43 +10:00
Clément Michaud 98d9cad62e
fix(regulation): use lower case in error messages (#2152) 2021-07-08 12:04:43 +10:00
Clément Michaud 2d634e9b20
fix(session): use lower case in error messages (#2150) 2021-07-08 11:33:22 +10:00
Arsenović Arsen 8ee0597486
feat(authentication): use the passwordmodify exop for pwd resets with ldap (#2124)
Implement the LDAP password modify extended operation for LDAP providers that advertise they support it.
2021-07-06 19:13:17 +10:00
James Elliott 31c5c820f0
refactor(authentication): log ldap warning on startup in rare condition (#2141)
This is so on startup administrators who have a LDAP server implementation that may not support password hashing by default are clearly warned. This only triggers if the disable password reset option is not enabled, we cannot find the extension OID for the Extended Password Modify Operation, and the implementation is not Active Directory. Active Directory has it's own method for this which doesn't advertise an OID.
2021-07-04 15:44:11 +10:00
James Elliott ef549f851d
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately. 
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-04 09:44:30 +10:00
Clément Michaud 2dbd7ed219
fix(utils): use lower case in error messages (#2144) 2021-07-04 08:08:24 +10:00
James Elliott b2638d4af9
fix(authentication): use passwdmodify oid instead of whoami oid (#2139)
This is the correct OID for the passwdModify Extended Operation.
2021-07-02 11:33:10 +10:00
James Elliott cb71df5d9b
feat(authentiation): check ldap support for extended operations on startup (#2133)
* feat(authentiation): check ldap server on startup

This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary.

* test(authentication): add unit tests for new feature

* refactor(authentication): factorize ldap user provider newup

* refactor: minor adjustments
2021-07-02 09:16:16 +10:00
Philipp Staiger 7ff0a39c02
fix(suites): disable cgo for delve during development (#2129)
#2101 introduced a minor regression when using the authelia scripts suite for developing.

The following issues occurred:

```
[00] # runtime/cgo
[00] cgo: exec gcc: exec: "gcc": executable file not found in $PATH
```

Adding the CGO_ENABLED=0 before the dlv build command in the run-backend-dev.sh fixed the issue.
2021-07-01 10:28:24 +10:00
renovate[bot] 9640b48b60
build(deps): update haproxy docker tag to v2.4.1 (#2120)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-06-27 14:22:29 +10:00
renovate[bot] 5c78dfaa0d
build(deps): update traefik docker tag to v2.4.9 (#2113)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-06-23 08:49:05 +10:00
Amir Zarrinkafsh 4cab3a4a4e
refactor: drop cgo requirement for sqlite (#2101)
* refactor: drop cgo requirement for sqlite

Replace github.com/mattn/go-sqlite3 with modernc.org/sqlite which drops our CGO requirement.

* refactor: newline for consistency with dockerfiles
2021-06-22 10:45:33 +10:00
renovate[bot] 986f88fd89
build(deps): update mariadb docker tag to v10.6.2 (#2099)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-06-19 08:33:13 +10:00
Amir Zarrinkafsh f32a0a7407
test(web): integration test auto theme (#2096)
Allows capturing of code coverage for the `auto` theme in the Standalone suite.
2021-06-18 17:15:58 +10:00
James Elliott 0d7b33022c
build: add enhanced information (#2067)
This commit adjusts the build flags to include version information in the LDFLAGS using the -X options. Additionally this makes the information recorded at build time more comprehensive. All build information can now be obtained via the `authelia build` command, and the `authelia version` command is now `authelia --version`. Lastly this adjusts the Dockerfile to utilize docker cache more effectively.
2021-06-18 14:35:43 +10:00
James Elliott ef3c2faeb5
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089)
This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 11:38:01 +10:00
James Elliott 438555886e
build(deps): replace jwt-go (#2092)
This replaces github.com/dgrijalva/jwt-go and github.com/form3tech-oss/jwt-go with github.com/golang-jwt/jwt which will be the maintained package going forward.

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-06-18 10:39:19 +10:00
Alex Gustafsson 150116a172
feat(web): implement automatic theme switch for light/dark (#2046)
* Implement an automatic theme

The "auto" theme will automatically switch between "dark" and "light"
depending on user preference. This allows for automatic dark mode.

* fix(configuration): allow the "auto" theme when validating

The new theme "auto" was not allowed to be used in a configuration file.

* docs: clarify what critera controls the automatic theme

How the "auto" theme functioned was unclear.

* docs: typeset themes as code

* fix(web): apply useEffector to media query watch

* docs: add technical details

* fix(configuration): resolve merge conflicts
2021-06-17 16:42:03 +10:00
James Elliott fcfff9748c
feat(handlers): synology password complexity err on reset (#2083)
This responds to the client with the correct error when used with Synology LDAP servers.
2021-06-16 12:50:14 +10:00
renovate[bot] 923f7c7aec
build(deps): update alpine docker tag to v3.14.0 (#2084)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-06-16 09:38:02 +10:00
Amir Zarrinkafsh 8a171e6344
ci(golangci-lint): replace golint with revive linter (#2078)
Remove deprecated `golint` linter and replace with `revive` linter.

Also fix outstanding issues due to upgraded linters.
2021-06-11 10:30:53 +10:00
James Elliott 2c42464fc8
refactor(configuration): use key log instead of logging (#2072)
* refactor: logging config key to log

This refactors the recent pre-release change adding log options to their own configuration section in favor of a log section (from logging).

* docs: add step to getting started to get the latest tagged commit

This is so we avoid issues with changes on master having differences that don't work on the latest docker tag.

* test: adjust tests

* docs: adjust doc strings
2021-06-08 23:15:43 +10:00
James Elliott cef35fadcd
feat(configuration): add error and warn log levels (#2050)
This is so levels like warn and error can be used to exclude info or warn messages. Additionally there is a reasonable refactoring of logging moving the log config options to the logging key because there are a significant number of log options now. This also decouples the expvars and pprof handlers from the log level, and they are now configured by server.enable_expvars and server.enable_pprof at any logging level.
2021-06-01 14:09:50 +10:00
Amir Zarrinkafsh 05df642f3e
feat: add option to keep stdout logging with log_file_path (#2037)
Currently if a `log_file_path` is defined Authelia will redirect all logging from standard output to said defined location. This change allows users to keep standard output logging along with a defined `log_file_path`.
2021-05-31 14:02:54 +10:00
renovate[bot] d28d36b568
build(deps): update haproxy docker tag to v2.4.0 (#2004)
* build(deps): update haproxy docker tag to v2.4.0

* fix(suites): fix haproxy dockerfile user

Co-authored-by: Renovate Bot <bot@renovateapp.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-05-26 14:13:53 +10:00
renovate[bot] 6a226ec122
build(deps): update mariadb docker tag to v10.6.1 (#2028)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-05-26 08:28:16 +10:00
James Elliott c62dbd43d6
fix(handlers): align response status codes for the verify endpoint (#2016)
This aligns all response status codes on the /api/verify endpoint when an error occurs, making it impossible to determine the actual reason for the failure.
2021-05-21 14:03:44 +02:00
renovate[bot] 3ff50ae979
build(deps): update node.js to v16 (#2005) 2021-05-16 00:18:01 +10:00
James Elliott 46c8a25c15
fix(oidc): implement required subject types supported meta (#1996)
The well known openid-configuration should have the subject_types_supported meta values.
2021-05-11 11:00:29 +10:00
renovate[bot] f97c0df929
build(deps): update postgres docker tag to v13 (#1987) 2021-05-08 00:40:58 +10:00
James Elliott c0ac8bf5ad
fix: include the jwk key id in the jwt for validation (#1983)
This is so the sig key used to sign the JWT can be verified using the JWKS endpoint.

Fixes #1979
2021-05-07 11:59:39 +10:00
Amir Zarrinkafsh a31a17b222
fix(cmd): retry clean tag logic for dockerhub (#1976)
This change will ensure that if the curl command for the cleaning of Docker tags on DockerHub fails it will be reattempted up to 2 more times (total of 3) with a 10 second sleep between each attempt.

The clean tag logic itself within curl attempts to execute the http request upto 3 times so this will ensure a maximum of 9 attempts.
2021-05-05 17:09:31 +10:00
James Elliott ddea31193b
feature(oidc): add support for OpenID Connect
OpenID connect has become a standard when it comes to authentication and
in order to fix a security concern around forwarding authentication and authorization information
it has been decided to add support for it.

This feature is in beta version and only enabled when there is a configuration for it.
Before enabling it in production, please consider that it's in beta with potential bugs and that there
are several production critical features still missing such as all OIDC related data is stored in
configuration or memory. This means you are potentially going to experience issues with HA
deployments, or when restarting a single instance specifically related to OIDC.

We are still working on adding the remaining set of features before making it GA as soon as possible.

Related to #189

Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-05 00:15:36 +02:00
renovate[bot] 77c3058368
build(deps): update mariadb docker tag to v10.6.0 (#1958)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-04-29 15:59:16 +10:00
renovate[bot] b952e9e71d
build(deps): update haproxy docker tag to v2.3.10 (#1942)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-04-24 10:43:48 +02:00
James Elliott 706fbfdb2c
fix(session): ensure default cookie samesite value is lax (#1926)
This implements a change to the default behaviour of the cookies generated by the sessions package. The old behaviour was to set the SameSite=None, this changes it to SameSite=Lax. Additionally this puts the option in the hands of the end-user so they can decide for themselves what the best option is.
2021-04-18 10:02:04 +10:00
James Elliott cc4f47f21c
fix: removed deprecated smtp/ldap options (#1912)
This removes the deprecated options from 4.25. This includes the LDAP filters which allow {0} or {1} placeholders. The new aliases are documented. Additionally it refactors the keys validator to use uniform messages for most replaced keys.
2021-04-16 11:44:37 +10:00
Amir Zarrinkafsh db55325152
fix(suites): ensure k8s suite utilises the registry cache (#1921) 2021-04-15 12:07:19 +10:00
renovate[bot] 4318bb1e0c
build(deps): update alpine docker tag to v3.13.5 (#1915)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-04-15 08:54:56 +10:00
James Elliott 1e30b00f7e
fix(validator): misleading warning for empty acl domains (#1898)
This fixes misleading errors for ACL rules with an empty list of domains. This also enables admins to have a default policy with zero ACL rules as long as the default policy is not deny or bypass. It also adds a rule number to all ACL rule related log messages which is the position in the YAML list plus 1. Lastly it adds comprehensive per rule HIT/MISS logging when Authelia trace logging is enabled. This trace logging includes the rule number.
2021-04-14 20:53:23 +10:00
James Elliott f0cb75e1e1
fix(handlers): logout redirection validation (#1908) 2021-04-13 10:38:12 +02:00
James Elliott 9e7b73bd56
refactor(authentication): add trace logs for the user/group baseDN (#1904)
This logs the baseDN for user and group searching on startup as well as the users filter (with just input remaining). Additionally refactors the location of a few log messages, and exposes the logger to the provider to reduce calls to logging.Logger().
2021-04-12 11:10:50 +10:00
James Elliott 08e674b62f
docs: refactor several areas of documentation (#1726)
Updated all links to use https://www.authelia.com/docs/.
Removed all comment sections from documented configuration on the documentation site and replaced them with their own sections.
Made all documentation inside config.template.yml double hashes, and made all commented configuration sections single quoted.
Added .yamllint.yaml to express our desired YAML styles.
Added a style guide.
Refactored many documentation areas to be 120 char widths where possible. It's by no means exhaustive but is a large start.
Added a statelessness guide for the pending Kubernetes chart introduction.
Added labels to configuration documentation and made many areas uniform.
2021-04-11 21:25:03 +10:00
James Elliott d33d6c2f00
ci: add yamllint (#1895)
This change implements yamllint and adjusts all yaml files to abide by our linting setup. This excludes config.template.yml as this will be done in an alternate commit.
2021-04-11 06:51:00 +10:00
renovate[bot] ad7808d430
build(deps): update traefik docker tag to v1.7.30 (#1897)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-04-09 09:32:21 +10:00