| Age | Commit message | Author |
 | 
Add the ability for users to change their password from their user settings, without requiring them to use the reset password workflow. Users are required to create an elevated session in order to change their password. Users may not change their password to their current password. The user's current password is required for the password change. Users must follow any established password policies. Administrators are able to turn this feature off.
Closes #3548
 | 
This adds rate limits to the TOTP second factor endpoint, the Duo second factor endpoint, the Session Elevation endpoint, and the Reset Password endpoint. This protection exists as several configurable tokenized buckets anchored to the user's remote IP address. In the event the rate limit is exceeded by the user, the middleware will respond with a 429 status, a Retry-After header, and a JSON body indicating it's rate limited, which the UI will gracefully handle. This has several benefits that complement the 1FA regulation; specifically, in simple architectures it limits the number of SMTP sends a unique client can make, as well as the number of requests a particular client can make in general on specific endpoints where too many requests may indicate either a fault or some form of abuse.
Closes #7353, Closes #1947
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
 | 
 | 
Add support for passkeys, granular attachment modality, granular authenticator selection, and authenticator filtering which is commonly used in an enterprise environment. This also adds metadata verification elements utilizing the MDS3 to the project, including saving attestation statements, verification of attestation statements, etc. This also makes a significant change to the authentication level logic to purely use RFC8176 authentication method references to ensure the future-proof nature of the implementation. This change paves the way for the future of Authelia ensuring we can add custom policies in the future to allow administrators to very deliberately decide what authentication methods are sufficient for a given resource as well as the ability to clearly communicate these authentication methods to third parties via OpenID Connect 1.0 and SAML 2.0. It should be noted that at the time of this commit Passkey authentication is considered a single factor and we will at a later stage add the customizable policies described here to handle other use cases, though we've included a flag that considers properly implemented passkeys as if they were MFA.
Closes #2827, Closes #2761
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
 | 
 | 
* fix: swagger-ui csp and cleanup unnecessary files
This change fixes CSP errors when browsing Swagger and cuts down the binary/image size 10%+ by keeping only required files from the swagger-ui package.
Signed-off-by: Amir Zarrinkafsh <nightah@me.com>
* fix(api): fix server url
Signed-off-by: Amir Zarrinkafsh <nightah@me.com>
* refactor: set strict csp on static served files
Signed-off-by: Amir Zarrinkafsh <nightah@me.com>
---------
Signed-off-by: Amir Zarrinkafsh <nightah@me.com>
 | 
 | 
This fixes an issue where the 'select_account' prompt is considered invalid.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
 | 
 | 
Per our standard review process this adjusts the appropriate elements detected during the review.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
 | 
 | 
Use the new go.uber.org/mock which is currently maintained.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
 | 
 | 
This implements misc fixes as part of one of our betas.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
 | 
 | 
This adds functionality to the frontend to revoke the Reset Password JWTs.
Closes #136
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
 | 
 | 
This updates various documentation elements for the pending changes.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
 | 
 | 
This replaces the JWT method for Identity Verification for most elements with a One-Time Code which has a controllable lifetime. These codes elevate the session for a duration, are less likely to be accidentally clicked, can be revoked, and are generally a better experience for users. Users will be able to copy the codes directly from the email or manually type them. This improves the process as the user is very unlikely to input the code into the wrong window, and can't open it in the wrong browser. In addition the process prevents accidental clicking from causing issues.
Closes #3801
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
 | 
 | 
This implements multiple WebAuthn Credential registrations by means of a generic user settings UI.
Closes #275, Closes #4366
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
Co-authored-by: Stephen Kent <smkent@smkent.net>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
 | 
 | 
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
 | 
 | 
This implements the Financial-grade API JWT Secured Authorization Response Mode for OAuth 2.0 also known as JARM per https://openid.net/specs/openid-financial-api-jarm.html and related specifications. This implements part of the FAPI 2.0 security profile.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
 | 
 | 
This implements the standard for JWT encoded and signed responses from the introspection endpoint. This has been implemented as per the IETF draft https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwt-introspection-response and as it is a draft (it is also an expired draft) so it should be noted that this implementation may be removed or changed without any regard for breaking changes. While this factor points in the direction of this never receiving ratification the IANA has accepted registration of the metadata parameters for this specification which points to the fact that it probably will.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
 | 
 | 
Fixes miscellaneous OpenAPI 3.0 spec elements for OpenID Connect 1.0.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
 | 
 | 
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
 | 
 | 
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
 | 
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
 | 
 | 
Misc fixes to OpenAPI Specification that were missed.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
 | 
 | 
This adjusts the AuthRequest Authz implementation to behave similarly to the other implementations, in as much as Authelia can return the relevant redirection to the proxy and the proxy just utilizes it if possible. In addition it swaps the HAProxy examples over to the ForwardAuth implementation as that's now supported.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
 | 
 | 
This theoretically adds support for client_secret_jwt.
 | 
 | 
This implements some HEAD method handlers for various static resources and the /api/health endpoint.
 | 
This allows users to customize the authz endpoints.
Closes #2753, Fixes #3716
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
 | 
 | 
This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required.
 | 
 | 
Fixes an issue specific to envoy that prevents the verify endpoint working with requests not using the GET or HEAD methods.
 | 
This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
 | 
 | 
This is so the zxcvbn policy is checked on the server.
 | 
 | 
Removes the min score option from the ZXCVBN policy and adds tests.
 | 
 | 
Add tests and makes the password policy a provider so the configuration can be loaded to memory on startup.
 | 
 | 
This allows the HTTP Method verbs from RFC4918 to be used. See https://datatracker.ietf.org/doc/html/rfc4918 for more information.
 | 
 | 
This ensures that: the method set when a user does not have a preference is a method that is available; that if a user has a preferred method that is not available it is changed to an enabled method, with preference put on methods the user has configured; and that the frontend does not show the method selection option when only one method is available.
 | 
 | 
This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
 | 
Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm).
Fixes #1226.
 | 
 | 
Allow users to select and save the preferred duo device and method, depending on availability in the duo account. A default enrollment URL is provided and adjusted if returned by the duo API. This allows auto-enrollment if enabled by the administrator.
Closes #594. Closes #1039.
 | 
 | 
The following schemas for /api/checks/safe-redirection were missed in #2082:
* handlers.checkURIWithinDomainRequestBody
* handlers.checkURIWithinDomainResponseBody
 | 
 | 
* fix(handlers,web): user is now redirected when authenticated
Fix: #1788
* remove dead code and fix ci issues
* fix infinite loop in frontend
* fix issue with integration tests
* handle bot recommendation
* fix integration test & add dot to comment
* fix last integration test
* Update api/openapi.yml
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
* Update web/src/services/SafeRedirection.ts
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
* Update web/src/services/SafeRedirection.ts
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
* Update api/openapi.yml
* Update openapi.yml
* refactor: valid -> safe
* refactor: adjust merge conflicts
* Apply suggestions from code review
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
* fix: adjust test return messaging
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
 | 
This change implements yamllint and adjusts all yaml files to abide by our linting setup. This excludes config.template.yml as this will be done in an alternate commit.
 | 
* adjust session refresh to always occur (for disabled users)
* feat: adds filtering option for Request Method in ACLs
* simplify flow of internal/authorization/authorizer.go's methods
* implement query string checking
* utilize authorizer.Object fully
* make matchers uniform
* add tests
* add missing request methods
* add frontend enhancements to handle request method
* add request method to 1FA Handler Suite
* add internal ACL representations (preparsing)
* expand on access_control next
* add docs
* remove unnecessary slice for network names and instead just use a plain string
* add warning for ineffectual bypass policy (due to subjects)
* add user/group wildcard support
* fix(authorization): allow subject rules to match anonymous users
* feat(api): add new params
* docs(api): wording adjustments
* test: add request method into testing and proxy docs
* test: add several checks and refactor schema validation for ACL
* test: add integration test for methods acl
* refactor: apply suggestions from code review
* docs(authorization): update description
 | 
 | 
* [FEATURE] Add API docs and swagger-ui
This change will serve out swagger-ui at the `/api/` root path.
* Update descriptions and summaries in API spec
* Utilise frontend assets from unit testing for Docker build steps
* Fix tag for /api/user/* endpoints
* Fix response schema for /api/user/info/2fa_method
* Template and inject the session name during runtime into swagger-ui
This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file.
* Fix integration tests
* Add U2F endpoints
* Change swagger directory to api
This change is to more closely conform to the golang-standards project layout.
* Add authentication for u2f endpoints
* Modify u2f endpoint descriptions
* Rename and fix u2f 2fa sign endpoints
* Fix request body for /api/secondfactor/u2f/sign endpoint
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
 |