| Age | Commit message | Author |
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
Add the ability for users to change their password from their user settings, without requiring them to use the reset password workflow. Users are required to create an elevated session in order to change their password. Users may not change their password to their current password. The user's current password is required for the password change. Users must follow any established password policies. Administrators are able to turn this feature off.
Closes #3548
This adds rate limits to the TOTP second factor endpoint, the Duo second factor endpoint, the Session Elevation endpoint, and the Reset Password endpoint. This protection exists as several configurable tokenized buckets anchored to the user's remote IP address. In the event the rate limit is exceeded by the user, the middleware will respond with a 429 status, a Retry-After header, and a JSON body indicating it's rate limited, which the UI will gracefully handle. This has several benefits that complement the 1FA regulation: specifically, in simple architectures it limits the number of SMTP sends a unique client can make, as well as the number of requests a particular client can make in general on specific endpoints where too many requests may indicate either a fault or some form of abuse.
Closes #7353, Closes #1947
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This introduces a feature to the claims policy that allows merging the granted audience into the ID Token. This is not traditionally spec compliant but has some specific use cases.
Closes #8619
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This adds an OLED-tuned dark mode theme to the web frontend.
This adds the ability to cache successful basic authz attempts. This is done via a memory store that uses the HMAC-SHA256 algorithm to perform irreversible comparison of input parameters and has a maximum lifetime.
Closes #5006
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This adds several new features to the regulation functionality including IP banning and the ability to unban users.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This allows configuring failover PostgreSQL servers.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This implements optional LDAP connection pooling to optimize the speed of LDAP transactions.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
Add support for passkeys, granular attachment modality, granular authenticator selection, and authenticator filtering which is commonly used in an enterprise environment. This also adds metadata verification elements utilizing the MDS3 to the project, including saving attestation statements, verification of attestation statements, etc. This also makes a significant change to the authentication level logic to purely use RFC8176 authentication method references to ensure the future-proof nature of the implementation. This change paves the way for the future of Authelia ensuring we can add custom policies in the future to allow administrators to very deliberately decide what authentication methods are sufficient for a given resource as well as the ability to clearly communicate these authentication methods to third parties via OpenID Connect 1.0 and SAML 2.0. It should be noted that at the time of this commit Passkey authentication is considered a single factor and we will at a later stage add the customizable policies described here to handle other use cases, though we've included a flag that considers properly implemented passkeys as if they were MFA.
Closes #2827, Closes #2761
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This adds RFC7516 JSON Web Encryption (JWE) support and the relevant machinery within OAuth 2.0 and OpenID Connect 1.0. Support is available for egress JWTs (such as egress ID Tokens, JWT Profile Access Tokens, Introspection Responses, etc.) and for ingress JWTs (such as client assertions, token hints, etc.).
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This implements RFC8628 OAuth 2.0 Device Authorization Grant and the accompanying OAuth 2.0 Device Code Flow.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This adds formal support for the claims parameter.
Closes #2868
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This adds a network criterion to the Authorization Policies for OpenID Connect 1.0 clients. It's important to note that this can only be enforced at the time of the initial consent of an authorization request.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This facilitates adding additional attributes to the Authelia authentication backends as well as custom attributes based on the Common Expression Language. This will be utilized in the future to facilitate additional features.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
Allows the use of abstract unix sockets.
This adds reusable definitions into the mix for the configuration. This replaces the existing networks section for the access_control section and is automatically remapped for users.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This allows unix sockets to include ports in the address URL. In addition, it allows for an absolute path for the PostgreSQL socket type. Both options are only used by PostgreSQL, but other unix sockets will not expressly error if this is included.
Fixes #8509
* fix(session): add connection timeout and retry options to redis
* docs: add new redis options to docs
Signed-off-by: Amir Zarrinkafsh <nightah@me.com>
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This fixes various lints which will error after updating golangci-lint.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
A misconfigured client can potentially throw a nil panic which is recovered but undesirable. This fixes that issue.
Fixes #6933
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This fixes a missing option for OpenID Connect 1.0 clients 'request_uris'. This feature was effectively implemented but no way to configure it existed.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This fixes an issue where the deprecated server path was not properly mapped to the server address value and adds tests for these scenarios to prevent a regression. This was introduced in #6909 / 32424bf8c5f0abc7199689d82794e30d85d3abbd / v4.38.3.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This includes more helpful address mapping logs which actually show the value automatically mapped so users can update and debug more easily.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This exposes the intended 'allow_multiple_auth_methods' configuration option on OpenID Connect 1.0 Registered Clients. This option permits non-compliant misbehaving clients which use a "shotgun" approach to authentication.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
Replaces github.com/ory/fosite with authelia.com/providers.oauth2 which is a hard fork of the former and has several major improvements.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
Optionally adds the signed_metadata value to the OAuth 2.0 Authorization Server Metadata and OpenID Connect Discovery 1.0 documents.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
Adds several refactored elements to many areas of OpenID Connect 1.0.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This implements user authorization utilizing the OAuth 2.0 bearer scheme (i.e. RFC6750) for both the authorize code grant and client credentials grant. This effectively allows application "passwords" when used with the client credentials grant.
Closes #2023, Closes #188.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
Per our standard review process this adjusts the appropriate elements detected during the review.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This prevents previously used codes from being reused within the validity period. This is prevented in a smart way by recording the step multiplied by the period and hashing that value as a string with the HMAC-SHA256 algorithm, with an HMAC key unique to recording these values (auto generated).
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This adds customizable options for identity verification, where the user can either be allowed to skip the identity verification requirement when they have performed second factor authentication, or be required to perform second factor authentication in addition to the identity verification. There are 3 distinct modes. You can require both second factor authentication and the one-time code (recommended), you can require just the one-time code (default), or you can require either second factor authentication or a one-time code (discouraged).
Closes #135
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This updates various documentation elements for the pending changes.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This replaces the JWT method for Identity Verification for most elements with a One-Time Code which has a controllable lifetime. These codes elevate the session for a duration, are less likely to be accidentally clicked, can be revoked, and are generally a better experience for users. Users will be able to copy the codes directly from the email or manually type them. This improves the process as the user is very unlikely to input the code into the wrong window, and can't open it in the wrong browser. In addition, the process prevents accidental clicking from causing issues.
Closes #3801
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This allows administrators to configure a list of Time-based One-Time Password parameters that users can pick from the web UI during registrations.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
* ci: remove container read-only mounts
Signed-off-by: Amir Zarrinkafsh <nightah@me.com>
* refactor: linting updates
Signed-off-by: Amir Zarrinkafsh <nightah@me.com>
---------
Signed-off-by: Amir Zarrinkafsh <nightah@me.com>
This adjusts the router path resolution to make more sense for the unix socket address based listeners.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
Adds a subpath configuration query parameter to unix sockets and other listeners.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
When using the file provider with watch enabled, the refresh interval should just be set to always default as the cost is minimal.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>