7 files changed, 74 insertions, 33 deletions
diff --git a/cmd/authelia-gen/cmd_docs_jsonschema.go b/cmd/authelia-gen/cmd_docs_jsonschema.go
index ceea8e091..93e9d7df5 100644
--- a/cmd/authelia-gen/cmd_docs_jsonschema.go
+++ b/cmd/authelia-gen/cmd_docs_jsonschema.go
@@ -359,16 +359,23 @@ func jsonschemaKoanfMapper(t reflect.Type) *jsonschema.Schema {
 }
 case "schema.CryptographicKey":
 return &jsonschema.Schema{
- Type: jsonschema.TypeString,
+ Type: jsonschema.TypeString,
+ Pattern: `^-{5}BEGIN (((RSA|EC) )?(PRIVATE|PUBLIC) KEY|CERTIFICATE)-{5}\n([a-zA-Z0-9\/+]{1,64}\n)+([a-zA-Z0-9\/+]{1,64}[=]{0,2})\n-{5}END (((RSA|EC) )?(PRIVATE|PUBLIC) KEY|CERTIFICATE)-{5}\n?$`,
 }
 case "schema.CryptographicPrivateKey":
 return &jsonschema.Schema{
 Type: jsonschema.TypeString,
- Pattern: `^-{5}(BEGIN ((RSA|EC) )?PRIVATE KEY-{5}\n([a-zA-Z0-9/+]{1,64}\n)+([a-zA-Z0-9/+]{1,64}[=]{0,2})\n-{5}END ((RSA|EC) )?PRIVATE KEY-{5}\n?)+$`,
+ Pattern: `^-{5}BEGIN ((RSA|EC) )?PRIVATE KEY-{5}\n([a-zA-Z0-9\/+]{1,64}\n)+([a-zA-Z0-9\/+]{1,64}[=]{0,2})\n-{5}END ((RSA|EC) )?PRIVATE KEY-{5}\n?$`,
 }
- case "rsa.PrivateKey", "*rsa.PrivateKey", "ecdsa.PrivateKey", "*.ecdsa.PrivateKey":
+ case "rsa.PrivateKey", "*rsa.PrivateKey":
 return &jsonschema.Schema{
- Type: jsonschema.TypeString,
+ Type: jsonschema.TypeString,
+ Pattern: `^-{5}(BEGIN (RSA )?PRIVATE KEY-{5}\n([a-zA-Z0-9\/+]{1,64}\n)+([a-zA-Z0-9\/+]{1,64}[=]{0,2})\n-{5}END (RSA )?PRIVATE KEY-{5}\n?)+$`,
+ }
+ case "ecdsa.PrivateKey", "*.ecdsa.PrivateKey":
+ return &jsonschema.Schema{
+ Type: jsonschema.TypeString,
+ Pattern: `^-{5}(BEGIN ((EC )?PRIVATE KEY-{5}\n([a-zA-Z0-9\/+]{1,64}\n)+([a-zA-Z0-9\/+]{1,64}[=]{0,2})\n-{5}END (EC )?PRIVATE KEY-{5}\n?)+$`,
 }
 case "mail.Address", "*mail.Address":
 return &jsonschema.Schema{
diff --git a/docs/content/en/configuration/identity-providers/openid-connect/clients.md b/docs/content/en/configuration/identity-providers/openid-connect/clients.md
index d8571ea23..23410473e 100644
--- a/docs/content/en/configuration/identity-providers/openid-connect/clients.md
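Review bot: The `Pattern` in the new `"ecdsa.PrivateKey"` case has an unbalanced parenthesis — `(BEGIN ((EC )?` opens one more group than is closed before the trailing `+$` — so this regular expression will not compile, and the emitted JSON schema carries an invalid `pattern` (and anything that compiles the same string at runtime will error or panic on every EC key). Mirroring the RSA case two lines above, the value should be `^-{5}(BEGIN (EC )?PRIVATE KEY-{5}\n([a-zA-Z0-9\/+]{1,64}\n)+([a-zA-Z0-9\/+]{1,64}[=]{0,2})\n-{5}END (EC )?PRIVATE KEY-{5}\n?)+$`. Separately, the case label `"*.ecdsa.PrivateKey"` (carried over from the removed line) has a stray dot: if these labels are matched against `t.String()`, a pointer to `ecdsa.PrivateKey` stringifies as `*ecdsa.PrivateKey` and would never reach this case, so it is worth confirming how the switch is fed. A small test that runs `regexp.MustCompile` over every `Pattern` this mapper returns would have caught the unbalanced group and will guard future edits to these strings. jsonschemaKoanfMapper starts and ends outside the hunk.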
+++ b/docs/content/en/configuration/identity-providers/openid-connect/clients.md @@ -68,6 +68,8 @@ identity_providers: access_token_signed_response_key_id: '' userinfo_signed_response_alg: 'none' userinfo_signed_response_key_id: '' + introspection_signed_response_alg: 'none' + introspection_signed_response_key_id: '' request_object_signing_alg: 'RS256' token_endpoint_auth_signing_alg: 'RS256' token_endpoint_auth_method: 'client_secret_basic' diff --git a/docs/content/en/integration/openid-connect/gitlab/index.md b/docs/content/en/integration/openid-connect/gitlab/index.md index 844cde6fe..d9f5febb4 100644 --- a/docs/content/en/integration/openid-connect/gitlab/index.md +++ b/docs/content/en/integration/openid-connect/gitlab/index.md @@ -18,7 +18,7 @@ community: true * [Authelia] * [v4.38.0](https://github.com/authelia/authelia/releases/tag/v4.38.0) * [GitLab] CE - * 14.0.1 + * 16.9.0 ## Before You Begin @@ -37,6 +37,10 @@ This example makes the following assumptions: ### Authelia +_**Important Note:** This configuration assumes you've configured the `client_auth_method` in [GitLab] as per below. If you +have not done this the default in [GitLab] will require the `token_endpoint_auth_method` changes to +`client_secret_post`._ + The following YAML configuration is an example __Authelia__ [client configuration](../../../configuration/identity-providers/openid-connect/clients.md) for use with [GitLab] which will operate with the above example: @@ -60,6 +64,7 @@ identity_providers: - 'groups' - 'email' userinfo_signed_response_alg: 'none' + token_endpoint_auth_method: 'client_secret_basic' ``` ### Application 
@@ -76,13 +81,16 @@ gitlab_rails['omniauth_providers'] = [ icon: "https://www.authelia.com/images/branding/logo-cropped.png", args: { name: "openid_connect", - scope: ["openid","profile","email","groups"], - response_type: "code", + strategy_class: "OmniAuth::Strategies::OpenIDConnect", issuer: "https://auth.example.com", discovery: true, - client_auth_method: "query", + scope: ["openid","profile","email","groups"], + client_auth_method: "basic", + response_type: "code", + response_mode: "query", uid_field: "preferred_username", - send_scope_to_token_endpoint: "false", + send_scope_to_token_endpoint: true, + pkce: true, client_options: { identifier: "gitlab", secret: "insecure_secret", @@ -93,6 +101,16 @@ gitlab_rails['omniauth_providers'] = [ ] ``` +#### Groups + +[GitLab] offers group mapping options with OpenID Connect 1.0, shamefully it's only for paid plans. However see +[the guide](https://docs.gitlab.com/ee/administration/auth/oidc.html#configure-users-based-on-oidc-group-membership) on +how to configure it on their end. + +Alternatively if GitLab is associated with LDAP you can use that as a group source, and you can configure a policy on +Authelia to restrict which resource owners are allowed access to the client for free via a custom `authorization_policy` +value. + ## See Also * [GitLab OpenID Connect OmniAuth Documentation](https://docs.gitlab.com/ee/administration/auth/oidc.html) diff --git a/docs/static/schemas/latest/json-schema/configuration.json b/docs/static/schemas/latest/json-schema/configuration.json index 2a6a0f9a7..e03d64cf9 100644 --- a/docs/static/schemas/latest/json-schema/configuration.json +++ b/docs/static/schemas/latest/json-schema/configuration.json 
@@ -279,12 +279,12 @@ "oneOf": [ { "type": "string", - "pattern": "^(user|group|oauth2:client:):.+$" + "pattern": "^(user|group|oauth2:client):.+$" }, { "items": { "type": "string", - "pattern": "^(user|group|oauth2:client:):.+$" + "pattern": "^(user|group|oauth2:client):.+$" }, "type": "array" }, @@ -292,7 +292,7 @@ "items": { "items": { "type": "string", - "pattern": "^(user|group|oauth2:client:):.+$" + "pattern": "^(user|group|oauth2:client):.+$" }, "type": "array" }, @@ -1125,6 +1125,7 @@ }, "issuer_private_key": { "type": "string", + "pattern": "^-{5}(BEGIN (RSA )?PRIVATE KEY-{5}\\n([a-zA-Z0-9\\/+]{1,64}\\n)+([a-zA-Z0-9\\/+]{1,64}[=]{0,2})\\n-{5}END (RSA )?PRIVATE KEY-{5}\\n?)+$", "title": "Issuer Private Key", "description": "The Issuer Private Key with an RSA Private Key used to sign ID Tokens.", "deprecated": true @@ -1225,7 +1226,8 @@ "offline_access", "groups", "email", - "profile" + "profile", + "authelia.bearer.authz" ] }, "type": "array", @@ -1239,7 +1241,8 @@ "enum": [ "authorization_code", "implicit", - "refresh_token" + "refresh_token", + "client_credentials" ] }, "type": "array", @@ -1270,8 +1273,12 @@ "type": "string", "enum": [ "form_post", + "form_post.jwt", "query", - "fragment" + "query.jwt", + "fragment", + "fragment.jwt", + "jwt" ] }, "type": "array", @@ -1524,7 +1531,6 @@ "type": "object", "required": [ "client_id", - "redirect_uris", "scopes" ], "description": "IdentityProvidersOpenIDConnectClient represents a configuration for an OpenID Connect 1.0 client." @@ -2015,6 +2021,7 @@ }, "key": { "type": "string", + "pattern": "^-{5}BEGIN (((RSA|EC) )?(PRIVATE|PUBLIC) KEY|CERTIFICATE)-{5}\\n([a-zA-Z0-9\\/+]{1,64}\\n)+([a-zA-Z0-9\\/+]{1,64}[=]{0,2})\\n-{5}END (((RSA|EC) )?(PRIVATE|PUBLIC) KEY|CERTIFICATE)-{5}\\n?$", "description": "The Private/Public key material of this JWK in Base64 PEM format." }, "certificate_chain": { 
@@ -3184,7 +3191,7 @@ }, "private_key": { "type": "string", - "pattern": "^-{5}(BEGIN ((RSA|EC) )?PRIVATE KEY-{5}\\n([a-zA-Z0-9/+]{1,64}\\n)+([a-zA-Z0-9/+]{1,64}[=]{0,2})\\n-{5}END ((RSA|EC) )?PRIVATE KEY-{5}\\n?)+$", + "pattern": "^-{5}BEGIN ((RSA|EC) )?PRIVATE KEY-{5}\\n([a-zA-Z0-9\\/+]{1,64}\\n)+([a-zA-Z0-9\\/+]{1,64}[=]{0,2})\\n-{5}END ((RSA|EC) )?PRIVATE KEY-{5}\\n?$", "title": "Private Key", "description": "The private key." }, @@ -3411,7 +3418,7 @@ }, "X509CertificateChain": { "type": "string", - "pattern": "^(-{5}BEGIN CERTIFICATE-{5}\\n([a-zA-Z0-9/+]{1,64}\\n)+([a-zA-Z0-9/+]{1,64}[=]{0,2})\\n-{5}END CERTIFICATE-{5}\\n?)+$" + "pattern": "^(-{5}BEGIN CERTIFICATE-{5}\\n([a-zA-Z0-9\\/+]{1,64}\\n)+([a-zA-Z0-9\\/+]{1,64}[=]{0,2})\\n-{5}END CERTIFICATE-{5}\\n?)+$" } } }
\ No newline at end of file diff --git a/docs/static/schemas/v4.38/json-schema/configuration.json b/docs/static/schemas/v4.38/json-schema/configuration.json index 2a6a0f9a7..e03d64cf9 100644 --- a/docs/static/schemas/v4.38/json-schema/configuration.json +++ b/docs/static/schemas/v4.38/json-schema/configuration.json @@ -279,12 +279,12 @@ "oneOf": [ { "type": "string", - "pattern": "^(user|group|oauth2:client:):.+$" + "pattern": "^(user|group|oauth2:client):.+$" }, { "items": { "type": "string", - "pattern": "^(user|group|oauth2:client:):.+$" + "pattern": "^(user|group|oauth2:client):.+$" }, "type": "array" }, @@ -292,7 +292,7 @@ "items": { "items": { "type": "string", - "pattern": "^(user|group|oauth2:client:):.+$" + "pattern": "^(user|group|oauth2:client):.+$" }, "type": "array" }, @@ -1125,6 +1125,7 @@ }, "issuer_private_key": { "type": "string", + "pattern": "^-{5}(BEGIN (RSA )?PRIVATE KEY-{5}\\n([a-zA-Z0-9\\/+]{1,64}\\n)+([a-zA-Z0-9\\/+]{1,64}[=]{0,2})\\n-{5}END (RSA )?PRIVATE KEY-{5}\\n?)+$", "title": "Issuer Private Key", "description": "The Issuer Private Key with an RSA Private Key used to sign ID Tokens.", "deprecated": true @@ -1225,7 +1226,8 @@ "offline_access", "groups", "email", - "profile" + "profile", + "authelia.bearer.authz" ] }, "type": "array", @@ -1239,7 +1241,8 @@ "enum": [ "authorization_code", "implicit", - "refresh_token" + "refresh_token", + "client_credentials" ] }, "type": "array", @@ -1270,8 +1273,12 @@ "type": "string", "enum": [ "form_post", + "form_post.jwt", "query", - "fragment" + "query.jwt", + "fragment", + "fragment.jwt", + "jwt" ] }, "type": "array", @@ -1524,7 +1531,6 @@ "type": "object", "required": [ "client_id", - "redirect_uris", "scopes" ], "description": "IdentityProvidersOpenIDConnectClient represents a configuration for an OpenID Connect 1.0 client." 
@@ -2015,6 +2021,7 @@ }, "key": { "type": "string", + "pattern": "^-{5}BEGIN (((RSA|EC) )?(PRIVATE|PUBLIC) KEY|CERTIFICATE)-{5}\\n([a-zA-Z0-9\\/+]{1,64}\\n)+([a-zA-Z0-9\\/+]{1,64}[=]{0,2})\\n-{5}END (((RSA|EC) )?(PRIVATE|PUBLIC) KEY|CERTIFICATE)-{5}\\n?$", "description": "The Private/Public key material of this JWK in Base64 PEM format." }, "certificate_chain": { @@ -3184,7 +3191,7 @@ }, "private_key": { "type": "string", - "pattern": "^-{5}(BEGIN ((RSA|EC) )?PRIVATE KEY-{5}\\n([a-zA-Z0-9/+]{1,64}\\n)+([a-zA-Z0-9/+]{1,64}[=]{0,2})\\n-{5}END ((RSA|EC) )?PRIVATE KEY-{5}\\n?)+$", + "pattern": "^-{5}BEGIN ((RSA|EC) )?PRIVATE KEY-{5}\\n([a-zA-Z0-9\\/+]{1,64}\\n)+([a-zA-Z0-9\\/+]{1,64}[=]{0,2})\\n-{5}END ((RSA|EC) )?PRIVATE KEY-{5}\\n?$", "title": "Private Key", "description": "The private key." }, @@ -3411,7 +3418,7 @@ }, "X509CertificateChain": { "type": "string", - "pattern": "^(-{5}BEGIN CERTIFICATE-{5}\\n([a-zA-Z0-9/+]{1,64}\\n)+([a-zA-Z0-9/+]{1,64}[=]{0,2})\\n-{5}END CERTIFICATE-{5}\\n?)+$" + "pattern": "^(-{5}BEGIN CERTIFICATE-{5}\\n([a-zA-Z0-9\\/+]{1,64}\\n)+([a-zA-Z0-9\\/+]{1,64}[=]{0,2})\\n-{5}END CERTIFICATE-{5}\\n?)+$" } } }
\ No newline at end of file
diff --git a/internal/configuration/schema/identity_providers.go b/internal/configuration/schema/identity_providers.go
index 46e2c9800..ac75460cd 100644
--- a/internal/configuration/schema/identity_providers.go
+++ b/internal/configuration/schema/identity_providers.go
@@ -120,13 +120,13 @@ type IdentityProvidersOpenIDConnectClient struct {
 SectorIdentifierURI *url.URL `koanf:"sector_identifier_uri" json:"sector_identifier_uri" jsonschema:"title=Sector Identifier URI" jsonschema_description:"The Client Sector Identifier URI for Privacy Isolation via Pairwise subject types."`
 Public bool `koanf:"public" json:"public" jsonschema:"default=false,title=Public" jsonschema_description:"Enables the Public Client Type."`
- RedirectURIs IdentityProvidersOpenIDConnectClientRedirectURIs `koanf:"redirect_uris" json:"redirect_uris" jsonschema:"required,title=Redirect URIs" jsonschema_description:"List of authorized redirect URIs."`
+ RedirectURIs IdentityProvidersOpenIDConnectClientRedirectURIs `koanf:"redirect_uris" json:"redirect_uris" jsonschema:"title=Redirect URIs" jsonschema_description:"List of authorized redirect URIs."`
 Audience []string `koanf:"audience" json:"audience" jsonschema:"uniqueItems,title=Audience" jsonschema_description:"List of authorized audiences."`
- Scopes []string `koanf:"scopes" json:"scopes" jsonschema:"required,enum=openid,enum=offline_access,enum=groups,enum=email,enum=profile,uniqueItems,title=Scopes" jsonschema_description:"The Scopes this client is allowed request and be granted."`
- GrantTypes []string `koanf:"grant_types" json:"grant_types" jsonschema:"enum=authorization_code,enum=implicit,enum=refresh_token,uniqueItems,title=Grant Types" jsonschema_description:"The Grant Types this client is allowed to use for the protected endpoints."`
+ Scopes []string `koanf:"scopes" json:"scopes" jsonschema:"required,enum=openid,enum=offline_access,enum=groups,enum=email,enum=profile,enum=authelia.bearer.authz,uniqueItems,title=Scopes" jsonschema_description:"The Scopes this client is allowed request and be granted."`
+ GrantTypes []string `koanf:"grant_types" json:"grant_types" jsonschema:"enum=authorization_code,enum=implicit,enum=refresh_token,enum=client_credentials,uniqueItems,title=Grant Types" 
jsonschema_description:"The Grant Types this client is allowed to use for the protected endpoints."`
 ResponseTypes []string `koanf:"response_types" json:"response_types" jsonschema:"enum=code,enum=id_token token,enum=id_token,enum=token,enum=code token,enum=code id_token,enum=code id_token token,uniqueItems,title=Response Types" jsonschema_description:"The Response Types the client is authorized to request."`
- ResponseModes []string `koanf:"response_modes" json:"response_modes" jsonschema:"enum=form_post,enum=query,enum=fragment,uniqueItems,title=Response Modes" jsonschema_description:"The Response Modes this client is authorized request."`
+ ResponseModes []string `koanf:"response_modes" json:"response_modes" jsonschema:"enum=form_post,enum=form_post.jwt,enum=query,enum=query.jwt,enum=fragment,enum=fragment.jwt,enum=jwt,uniqueItems,title=Response Modes" jsonschema_description:"The Response Modes this client is authorized request."`
 AuthorizationPolicy string `koanf:"authorization_policy" json:"authorization_policy" jsonschema:"title=Authorization Policy" jsonschema_description:"The Authorization Policy to apply to this client."`
 Lifespan string `koanf:"lifespan" json:"lifespan" jsonschema:"title=Lifespan Name" jsonschema_description:"The name of the custom lifespan to utilize for this client."`
diff --git a/internal/configuration/schema/types.go b/internal/configuration/schema/types.go
index a7705db1f..af69cac0f 100644
--- a/internal/configuration/schema/types.go
+++ b/internal/configuration/schema/types.go
@@ -244,7 +244,7 @@ type X509CertificateChain struct {
 func (X509CertificateChain) JSONSchema() *jsonschema.Schema {
 return &jsonschema.Schema{
 Type: jsonschema.TypeString,
- Pattern: `^(-{5}BEGIN CERTIFICATE-{5}\n([a-zA-Z0-9/+]{1,64}\n)+([a-zA-Z0-9/+]{1,64}[=]{0,2})\n-{5}END CERTIFICATE-{5}\n?)+$`,
+ Pattern: `^(-{5}BEGIN CERTIFICATE-{5}\n([a-zA-Z0-9\/+]{1,64}\n)+([a-zA-Z0-9\/+]{1,64}[=]{0,2})\n-{5}END CERTIFICATE-{5}\n?)+$`,
 }
 }
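Review bot: Dropping `required` from the `redirect_uris` tag relaxes the published schema for every client, not only for the newly allowed `client_credentials` grant, so a misconfigured `authorization_code` or `implicit` client with no redirect URIs at all now passes schema validation; for those grants the registered redirect URI list is what the authorization endpoint's redirect checks depend on, so this change relies on the runtime configuration validator enforcing the requirement per grant type — please confirm that check exists, since it is not visible in this hunk. If the relaxation is intended for credential-only clients, say so in the field's description so operators reading the schema are not misled, e.g. `jsonschema_description:"List of authorized redirect URIs. Required for clients using redirect-based grant types."` (adjust to the rule the validator actually applies). The `IdentityProvidersOpenIDConnectClient` struct begins before and continues after this hunk.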
@@ -604,7 +604,7 @@ var jsonschemaACLNetwork = jsonschema.Schema{
 var jsonschemaACLSubject = jsonschema.Schema{
 Type: jsonschema.TypeString,
- Pattern: "^(user|group|oauth2:client:):.+$",
+ Pattern: "^(user|group|oauth2:client):.+$",
 }
 var jsonschemaACLMethod = jsonschema.Schema{ |
