Commit Graph

32 Commits (f32242f023d75bd5f8f0af8a18213f974bc632e2)

Author SHA1 Message Date
James Elliott 3aaca0604f
feat(oidc): implicit consent (#4080)
This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 13:16:36 +11:00
Amir Zarrinkafsh 1a866f206a
ci: add eslint rule for sorting imports (#3858)
The [ignoreDeclarationSort](https://eslint.org/docs/latest/rules/sort-imports#ignoredeclarationsort) and [memberSyntaxSortOrder](https://eslint.org/docs/latest/rules/sort-imports#membersyntaxsortorder) options have been turned on and omitted respective to not conflict with the existing import/order rules.
2022-08-18 19:13:10 +10:00
James Elliott b2cbcf3913
fix(handlers): consent session prevents standard flow (#3668)
This fixes an issue where consent sessions prevent the standard workflow.
2022-07-26 15:43:39 +10:00
James Elliott 92aba8eb0b
feat(server): zxcvbn password policy server side (#3151)
This is so the zxcvbn ppolicy is checked on the server.
2022-04-15 19:30:51 +10:00
James Elliott 9d5ac4526e
fix(configuration): remove unused password policy option (#3149)
Removes the min score option from the ZXCVBN policy and adds tests.
2022-04-09 09:21:49 +10:00
James Elliott 66a450ed38
feat(oidc): pre-configured consent (#3118)
Allows users to pre-configure consent if enabled by the client configuration by selecting a checkbox during consent.

Closes #2598
2022-04-08 15:35:21 +10:00
James Elliott 90edf11b88
feat(web): add user display name to oidc consent view (#3138)
This adds the current logged in users display name to the consent page as well as some other minor tweaks.

Closes #2595
2022-04-08 12:50:55 +10:00
James Elliott 9e05066097
refactor(handlers): ppolicy (#3103)
Add tests and makes the password policy a provider so the configuration can be loaded to memory on startup.
2022-04-03 21:58:27 +10:00
James Elliott 70ab8aab15
fix(web): show appropriate default and available methods (#2999)
This ensures that; the method set when a user does not have a preference is a method that is available, that if a user has a preferred method that is not available it is changed to an enabled method with preference put on methods the user has configured, that the frontend does not show the method selection option when only one method is available.
2022-03-28 12:26:30 +11:00
James Elliott 8f05846e21
feat: webauthn (#2707)
This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 22:20:43 +11:00
James Elliott fcdd41ea2a
feat: oidc scope i18n (#2799)
This adds i18n for the OIDC scope descriptsions descriptions.
2022-02-08 01:18:16 +11:00
James Elliott ad8e844af6
feat(totp): algorithm and digits config (#2634)
Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm).

Fixes #1226.
2021-12-01 23:11:29 +11:00
Philipp Staiger 01b77384f9
feat(duo): multi device selection (#2137)
Allow users to select and save the preferred duo device and method, depending on availability in the duo account. A default enrollment URL is provided and adjusted if returned by the duo API. This allows auto-enrollment if enabled by the administrator.

Closes #594. Closes #1039.
2021-12-01 14:32:58 +11:00
Clément Michaud bc983ce9f5
fix: user is now redirected when authenticated (#2082)
* fix(handlers,web): user is now redirected when authenticated

Fix: #1788

* remove dead code and fix ci issues

* fix infinite loop in frontend

* fix issue with integration tests

* handle bot recommendation

* fix integration test & add dot to comment

* fix last integration test

* Update api/openapi.yml

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>

* Update web/src/services/SafeRedirection.ts

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>

* Update web/src/services/SafeRedirection.ts

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>

* Update api/openapi.yml

* Update openapi.yml

* refactor: valid -> safe

* refactor: adjust merge conflicts

* Apply suggestions from code review

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>

* fix: adjust test return messaging

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-08-02 16:15:38 +10:00
Amir Zarrinkafsh 3494353641
refactor(web): use absolute imports with aliases (#2100)
* refactor(web): use absolute imports with aliases

Refactors all of the TS/JS frontend to utilise absolute imports along with import aliases.
Each of the paths within `src` are represented with their own alias:

* @assets
* @components
* @constants (new)
* @hooks
* @layouts
* @models
* @services
* @themes
* @utils
* @views

`Routes.ts` and `constant.ts` have been relocated to the constants directory for consistency.
2021-06-19 10:20:43 +02:00
James Elliott ddea31193b
feature(oidc): add support for OpenID Connect
OpenID connect has become a standard when it comes to authentication and
in order to fix a security concern around forwarding authentication and authorization information
it has been decided to add support for it.

This feature is in beta version and only enabled when there is a configuration for it.
Before enabling it in production, please consider that it's in beta with potential bugs and that there
are several production critical features still missing such as all OIDC related data is stored in
configuration or memory. This means you are potentially going to experience issues with HA
deployments, or when restarting a single instance specifically related to OIDC.

We are still working on adding the remaining set of features before making it GA as soon as possible.

Related to #189

Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-05 00:15:36 +02:00
James Elliott f0cb75e1e1
fix(handlers): logout redirection validation (#1908) 2021-04-13 10:38:12 +02:00
James Elliott 4dce8f9496
perf(authorizer): preload access control lists (#1640)
* adjust session refresh to always occur (for disabled users)

* feat: adds filtering option for Request Method in ACL's

* simplify flow of internal/authorization/authorizer.go's methods

* implement query string checking

* utilize authorizer.Object fully

* make matchers uniform

* add tests

* add missing request methods

* add frontend enhancements to handle request method

* add request method to 1FA Handler Suite

* add internal ACL representations (preparsing)

* expand on access_control next

* add docs

* remove unnecessary slice for network names and instead just use a plain string

* add warning for ineffectual bypass policy (due to subjects)

* add user/group wildcard support

* fix(authorization): allow subject rules to match anonymous users

* feat(api): add new params

* docs(api): wording adjustments

* test: add request method into testing and proxy docs

* test: add several checks and refactor schema validation for ACL

* test: add integration test for methods acl

* refactor: apply suggestions from code review

* docs(authorization): update description
2021-03-05 15:18:31 +11:00
Amir Zarrinkafsh 689fd7cb95
[CI] Add linting option for frontend and enforce styling (#1565)
We now extend the default Eslint configuration and enforce styling with prettier for all of our frontend code.
2021-01-02 21:58:24 +11:00
Amir Zarrinkafsh 7c6a86882f
[MISC] Catch OpenLDAP ppolicy error (#1508)
* [MISC] Catch OpenLDAP ppolicy error

Further to the discussion over at #361, this change now ensures that OpenLDAP password complexity errors are caught and appropriately handled.

This change also includes the PasswordComplexity test suite in the LDAP integration suite. This is because a ppolicy has been setup and enforced.

* Remove password history for integration tests

* Adjust max failures due to regulation trigger

* Fix error handling for password resets

* Refactor and include code suggestions
2020-12-16 12:30:03 +11:00
Amir Zarrinkafsh 160e98f275
[DEV] Fix webpack for development workflow (#1163) 2020-07-01 17:16:08 +10:00
Amir Zarrinkafsh 29e54c231b
[MISC] Template global config and refactor some /api endpoints (#1135)
* [MISC] Template global config and refactor some /api endpoints
* /api/configuration has been removed in favour of templating said global config
* /api/configuration/extended has been renamed to /api/configuration and display_name has been removed
* /api/user/info has been modified to include display_name

Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-06-21 15:40:37 +02:00
Amir Zarrinkafsh e43bc93047
[FEATURE] Add configurable display name to frontend (#1124)
* [FEATURE] Add configurable display name to frontend
This feature allows users with a LDAP backend to specify an attribute (default is "displayname") to retrieve a users name for the portal greeting.
Similarly for the file based backend a new required key "name" has been introduced.

This can also be used down the line with OIDC as a separate scope.

* Update references from Name to DisplayName
* Update compose bundles to include displayname refs
* Update LDAP automatic profile refresh
* Ensure display name is updated
* Fix bug which prevented trace logging for profile refresh to not trigger
2020-06-19 20:50:21 +10:00
James Elliott fcd0b5e46a
[FEATURE] Allow Authelia to listen on a specified path (#1027)
* [FEATURE] Allow Authelia to listen on a specified path

* Fix linting and add a couple typescript types

* Template index.html to support base_url

* Update docs and configuration template

* Access base path from body attribute.

* Update CSP

* Fix unit test
Also remove check for body as this will never get triggered, react itself is loaded inside the body so this has to always be successful.

* Template index.html with ${PUBLIC_URL}

* Define PUBLIC_URL in .env(s)

* Add docs clarification

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-05-21 12:20:55 +10:00
James Elliott 40fb13ba3c
[FEATURE] TOTP Tuning Configuration Options and Fix Timer Graphic (#773)
* Add period TOPT config key to define the time in seconds each OTP is rotated
* Add skew TOTP config to define how many keys either side of the current one should be considered valid
* Add tests and set minimum values
* Update config template
* Use unix epoch for position calculation and Fix QR gen
  * This resolves the timer resetting improperly at the 0 seconds mark and allows for periods longer than 1 minute
* Generate QR based on period
* Fix OTP timer graphic
2020-03-25 12:48:20 +11:00
Amir Zarrinkafsh 72a3f1e0d7
[BUGFIX] Skip 2FA step if no ACL rule is two_factor (#684)
When no rule is set to two_factor in ACL configuration, 2FA is
considered disabled. Therefore, when a user cannot be redirected
correctly because no target URL is provided or the URL is unsafe,
the user is either redirected to the default URL or to the
'already authenticated' view instead of the second factor view.

Fixes #683
2020-03-06 11:31:09 +11:00
Clément Michaud d1d02d9eae
[FIX] Redirect to default URL after 1FA when default policy is one_factor. (#611)
* Redirect to default URL after 1FA when default policy is one_factor.

User is now redirected to the default redirection URL after 1FA if
the default policy is set to one_factor and there is no target URL
or if the target URL is unsafe.

Also, if the default policy is set to one_factor and the user is already
authenticated, if she visits the login portal, the 'already authenticated'
view is displayed with a logout button.

This fixes #581.

* Update users.yml

* Fix permissions issue causing suite test failure
2020-02-05 08:18:02 +11:00
Amir Zarrinkafsh 612881ca67 Fix spelling errors 2020-01-10 11:33:18 +01:00
Clement Michaud 3d20142292 Allow administrator to provide a Google Analytics tracking ID.
Providing a GA tracking ID allows administrators to analyze
how the portal is used by their users in large environments,
i.e., with many users.
This will make even more sense when we have users and admins
management interfaces.
2019-12-08 14:31:48 +01:00
Clement Michaud 5f8726fe87 Let the user know device is not enrolled.
A message is now displayed to the user when he first sign in
in Authelia letting him know that a device must be enrolled.

Also introduce a message letting him know when he is already
authenticated.
2019-12-08 14:31:48 +01:00
Clement Michaud 5942e00412 Introduce hasU2F and hasTOTP in user info. 2019-12-08 14:31:48 +01:00
Clement Michaud 9ae2096d2a Rewrite authelia frontend to improve user experience.
This refactoring simplify the code of the frontend and prepare the
portal for receiving a user settings page and an admin page.
2019-12-05 11:05:24 +01:00