path: root/internal/configuration/decode_hooks.go
Age | Commit message | Author
2025-02-23 | feat(webauthn): passkeys (#7942) | James Elliott
Add support for passkeys, granular attachment modality, granular authenticator selection, and authenticator filtering which is commonly used in an enterprise environment. This also adds metadata verification elements utilizing the MDS3 to the project, including saving attestation statements, verification of attestation statements, etc.

This also makes a significant change to the authentication level logic to purely use RFC8176 authentication method references to ensure the future-proof nature of the implementation. This change paves the way for the future of Authelia ensuring we can add custom policies in the future to allow administrators to very deliberately decide what authentication methods are sufficient for a given resource as well as the ability to clearly communicate these authentication methods to third parties via OpenID Connect 1.0 and SAML 2.0.

It should be noted that at the time of this commit Passkey authentication is considered a single factor and we will at a later stage add the customizable policies described here to handle other use cases, though we've included a flag that considers properly implemented passkeys as if they were MFA.

Closes #2827, Closes #2761
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2025-02-18 | feat(configuration): reusable definitions (#8077) | James Elliott
This adds reusable definitions into the mix for the configuration. This replaces the existing networks section for the access_control section and is automatically remapped for users.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2024-04-11 | fix(oidc): potential nil panic with misconfigured client (#7138) | James Elliott
A misconfigured client can potentially throw a nil panic which is recovered but undesirable. This fixes that issue.
Fixes #6933
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2024-03-06 | build: fix | James Elliott
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-11-23 | fix(configuration): illogical refresh interval default (#6319) | James Elliott
When using the file provider with watch enabled, the refresh interval should just be set to always default as the cost is minimal.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-09-10 | test: fix cert testing (#5982) | James Elliott
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-09-03 | docs: jsonschema (#5493) | James Elliott
Adds a JSON Schema for the configuration, user database, and most exports.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-05-31 | test(configuration): add some additional coverage (#5485) | James Elliott
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-05-15 | feat(oidc): multiple jwk algorithms (#5279) | James Elliott
This adds support for multiple JWK algorithms and keys and allows for per-client algorithm choices.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-05-08 | fix(configuration): fail to parse large int duration (#5408) | James Elliott
Large integers used with the duration common syntax failed to parse if they exceeded the ability to fit into an int32.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-05-07 | feat(authentication): support ldap over unix socket (#5397) | James Elliott
This adds support for LDAP unix sockets using the ldapi scheme. In addition it improves all of the address related parsing significantly deprecating old options.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-05-07 | feat(server): listen on unix sockets (#5038) | James Elliott
This allows listening on unix sockets.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 | refactor: interfaces (#5252) | James Elliott
Use any alias instead of empty interfaces.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-12-05 | build(deps): update module github.com/go-crypt/crypt to v0.2.2 (#4452) | James Elliott
2022-10-21 | feat(configuration): mtls clients (#4221) | James Elliott
This implements mTLS support for LDAP, Redis, and SMTP. Specified via the tls.certificate_chain and tls.private_key options.
Closes #4044
2022-10-20 | feat(oidc): hashed client secrets (#4026) | James Elliott
Allow use of hashed OpenID Connect client secrets.
2022-10-20 | feat(oidc): implicit consent (#4080) | James Elliott
This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-05 | refactor: any (#4133) | James Elliott
* refactor: any
* refactor: fix test
2022-10-03 | refactor: private key decoding and generators (#4116) | James Elliott
2022-10-02 | feat(oidc): issuer jwk certificates (#3989) | James Elliott
This allows for JWKs to include certificate information, either signed via Global PKI, Enterprise PKI, or self-signed.
2022-06-14 | feat(metrics): implement prometheus metrics (#3234) | James Elliott
Adds ability to record metrics and gather them for Prometheus.
2022-06-02 | fix(commands): hash-password usage instructions (#3437) | James Elliott
This fixes the hash-password usage instructions and ensures it uses mostly a configuration source based config. In addition it updates our recommended argon2id parameters with the RFC recommendations.
2022-04-03 | refactor(configuration): decode_hooks blackbox and better testing (#3097) | James Elliott
2022-04-01 | feat(authorization): domain regex match with named groups (#2789) | James Elliott
This adds an option to match domains by regex including two special named matching groups. User matches the username of the user, and Group matches the groups a user is a member of. These are both case-insensitive and you can see examples in the docs.
2022-03-16 | refactor: include url hook func (#3022) | James Elliott
This adds a hook func for url.URL and *url.URL types to the configuration.
2022-03-05 | fix(configuration): time duration decode hook panic (#2960) | James Elliott
This fixes a potential panic in the time duration decode hook when the YAML value is a zero integer.
2022-03-03 | feat: webauthn (#2707) | James Elliott
This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-02 | refactor(configuration): utilize time duration decode hook (#2938) | James Elliott
This enhances the existing time.Duration parser to allow multiple units, and implements a decode hook which can be used by koanf to decode string/integers into time.Durations as applicable.
2022-01-15 | fix(configuration): mail address decode hook func (#2790) | James Elliott
This fixes an issue with the mail address decode hook func which previously would attempt to decode any struct type to a mail address.
2021-11-30 | fix(notifier): force use of sender email in smtp from cmd (#2616) | James Elliott
This change addresses an issue with the usage of the full sender configuration option in the MAIL FROM SMTP command. If a user includes a name in the sender this shouldn't be sent in the MAIL FROM command, instead we should extract it and use just the email portion.
Fixes #2571