This adds support for JWK selection by ID on a per-client basis, and allows multiple JWK's for the same algorithm.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This adds support for the private_key_jwt client authentication method.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
This adds support for multiple JWK algorithms and keys and allows for per-client algorithm choices.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This adds the authentication machinery for the client_secret_jwt to the Default Client Authentication Strategy.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
Large integers used with the duration common syntax failed to parse if they exceeded the ability to fit into an int32.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This adds support for LDAP unix sockets using the ldapi scheme. In addition it improves all of the address related parsing significantly deprecating old options.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This fixes an edge case where the RemoteIP detection could safely fail with an error, and instead defaults to the TCP packet information.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
Several crypto generate situations could not generate PKCS #8 ASN.1 DER format keys. Ths fixes this.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This fixes an issue where the authelia crypto hash generate command does not require no arguments leading to some confusing output.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This adds a feature to OpenID Connect 1.0 where clients can be restricted to a specific client authentication mode, as well as implements some backend requirements for the private_key_jwt client authentication mode (and potentially the tls_client_auth / self_signed_tls_client_auth client authentication modes). It also adds some improvements to configuration defaults and validations which will for now be warnings but likely be made into errors.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This fixes an issue where the default response mode (i.e. if the mode is omitted) would skip the validations against the allowed response modes.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This fixes an issue where the encoding of the YAML files fails when exporting TOTP/WebAuthn devices.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This fixes an issue where if the implicit config location of configuration.yml does not exist that an error is returned. This does not affect the behavior when the method was either implicit or environment.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This fixes an issue where attempting to load secrets the process does not have read permissions for would cause panics as well as the bit size check of the OpenID Connect 1.0 private key can potentially panic on malformed private keys. This was caused by us returning values on errors instead of nil's.
Fixes#5138
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This adjusts the AuthRequest Authz implementation behave similarly to the other implementations in as much as Authelia can return the relevant redirection to the proxy and the proxy just utilizes it if possible. In addition it swaps the HAProxy examples over to the ForwardAuth implementation as that's now supported.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>