| Age | Commit message (Collapse) | Author |
|---|
|
(#8899)
Adds some more helpful log information to the change password feature.
Signed-off-by: Brynn Crowley <littlehill723@gmail.com>
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
Add the ability for users to change their password from their user settings, without requiring them to use the reset password workflow. User's are required to create a elevated session in order to change their password. Users may not change their password to their current password. The user's current password is required for the password change. Users must follow any established password policies. Administrators are able to turn this feature off.
Closes #3548
|
|
Add support for passkeys, granular attachment modality, granular authenticator selection, and authenticator filtering which is commonly used in an enterprise environment. This also adds metadata verification elements utilizing the MDS3 to the project, including saving attestation statements, verification of attestation statements, etc. This also makes a significant change to the authentication level logic to purely use RFC8176 authentication method references to ensure the future-proof nature of the implementation. This change paves the way for the future of Authelia ensuring we can add custom policies in the future to allow administrators to very deliberately decide what authentication methods are sufficient for a given resource as well as the ability to clearly communicate these authentication methods to third parties via OpenID Connect 1.0 and SAML 2.0. It should be noted that at the time of this commit Passkey authentication is considered a single factor and we will at a later stage add the customizable policies described here to handle other use cases, though we've included a flag that considers properly implemented passkeys as if they were MFA.
Closes #2827, Closes #2761
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
Per our standard review process this adjusts the appropriate elements detected during the review.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
Use the new go.uber.org/mock which is currently maintained.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
Add tests and adjust tests and code as appropriate. This also ensures we have thorough coverage of the code.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
This implements misc fixes as part of one of our betas.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
This replaces the JWT method for Identity Verification for most elements with a One-Time Code which has a controllable lifetime. These codes elevate the session for a duration, are less likely to be accidentally clicked, can be revoked, and generally a better experience for users. Users will be able to copy the codes directly from the email or manually type them. This improves the process as the user is very unlikely to input the code into the wrong window, and can't open it in the wrong browser. In addition the process prevents accidental clicking from causing issues.
Closes #3801
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
This allows administrators to configure a list of Time-based One-Time Password parameters that users can pick from the web UI during registrations.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
This implements multiple WebAuthn Credential registrations by means of a generic user settings UI.
Closes #275, Closes #4366
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
Co-authored-by: Stephen Kent <smkent@smkent.net>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
|
|
This improves the pre-configured consent logging adding the audience and logging each failed match.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
This fixes an issue where the PAR context redirect contained more parameters than required.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
This adjusts the AuthRequest Authz implementation behave similarly to the other implementations in as much as Authelia can return the relevant redirection to the proxy and the proxy just utilizes it if possible. In addition it swaps the HAProxy examples over to the ForwardAuth implementation as that's now supported.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
This allows users to customize the authz endpoints.
Closes #2753, Fixes #3716
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
|
|
This adds support to configure multiple session cookie domains.
Closes #1198
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
|
|
This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
|
|
This fixes an issue where consent sessions prevent the standard workflow.
|
|
|
|
|
|
Adds ability to record metrics and gather them for Prometheus.
|
|
This adjusts the CORS headers appropriately for OpenID Connect. This includes responding to OPTIONS requests appropriately. Currently this is only configured to operate when the Origin scheme is HTTPS; but can easily be expanded in the future to include additional Origins.
|
|
Implement a password policy with visual feedback in the web portal.
Co-authored-by: Manuel Nuñez <@mind-ar>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
* feat(oidc): oauth2 discovery and endpoint rename
This implements the oauth2 authorization server discovery document, adds tests to the discovery documents, implements an efficiency upgrade to these docs, and renames some endpoints to be uniform.
|
|
This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
|
|
This enhances the existing time.Duration parser to allow multiple units, and implements a decode hook which can be used by koanf to decode string/integers into time.Durations as applicable.
|
|
This adds a smart delay on reset password attempts to prevent username enumeration. Additionally utilizes crypto rand instead of math rand. It also moves the timing delay functionality into its own handler func.
|
|
This utilizes the referrer query parameters instead of current request query parameters for logging the requested URI and method. Minor performance improvements to header peek/sets.
|
|
Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm).
Fixes #1226.
|
|
Allow users to select and save the preferred duo device and method, depending on availability in the duo account. A default enrollment URL is provided and adjusted if returned by the duo API. This allows auto-enrollment if enabled by the administrator.
Closes #594. Closes #1039.
|
|
This adds additional logging to the authentication logs such as type, remote IP, request method, redirect URL, and if the attempt was done during a ban. This also means we log attempts that occur when the attempt was blocked by the regulator for record keeping purposes, as well as record 2FA attempts which can be used to inform admins and later to regulate based on other factors.
Fixes #116, Fixes #1293.
|
|
This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database.
Fixes #1337
|
|
* fix: oidc issuer path and strip path middleware
This ensures the server.path requests append the base_url to the oidc well-known issuer information and adjusts server.path configuration to only strip the configured path instead of the first level entirely regardless of its content.
* fix: only log the token error and general refactoring
* refactor: factorize base_url functions
* refactor(server): include all paths in startup logging
* refactor: factorize
* refactor: GetExternalRootURL -> ExternalRootURL
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
This is so the user banned API message is consistent with other authentication failed messages, even in the API.
|
|
This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303.
|
|
This is a required endpoint for OIDC and is one we missed in our initial implementation. Also adds some rudamentary documentaiton about the implemented endpoints.
|
|
refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
|
|
This responds to the client with the correct error when used with Synology LDAP servers.
|
|
OpenID connect has become a standard when it comes to authentication and
in order to fix a security concern around forwarding authentication and authorization information
it has been decided to add support for it.
This feature is in beta version and only enabled when there is a configuration for it.
Before enabling it in production, please consider that it's in beta with potential bugs and that there
are several production critical features still missing such as all OIDC related data is stored in
configuration or memory. This means you are potentially going to experience issues with HA
deployments, or when restarting a single instance specifically related to OIDC.
We are still working on adding the remaining set of features before making it GA as soon as possible.
Related to #189
Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
|
|
(#1563)
* [FEATURE] Add auth query param to /api/verify (#1353)
When `/api/verify` is called with `?auth=basic`, use the standard
Authorization header instead of Proxy-Authorization.
* [FIX] Better basic auth error reporting
* [FIX] Return 401 when using basic auth instead of redirecting
* [TESTS] Add tests for auth=basic query param
* [DOCS] Mention auth=basic argument and provide nginx example
* docs: add/adjust basic auth query arg docs for proxies
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
|
|
* [MISC] Catch OpenLDAP ppolicy error
Further to the discussion over at #361, this change now ensures that OpenLDAP password complexity errors are caught and appropriately handled.
This change also includes the PasswordComplexity test suite in the LDAP integration suite. This is because a ppolicy has been setup and enforced.
* Remove password history for integration tests
* Adjust max failures due to regulation trigger
* Fix error handling for password resets
* Refactor and include code suggestions
|
|
* Adding the Session-Username header to the /api/verify endpoint when using cookie auth will check the value stored in the session store for the username and the header value are the same.
* use strings.EqualFold to compare case insensitively
* add docs
* add unit tests
* invalidate session if it is theoretically hijacked and log it as a warning (can only be determined if the header doesn't match the cookie)
* add example PAM script
* go mod tidy
* go mod bump to 1.15
|
|
* Added `ActiveDirectory` suite for integration tests with Samba AD
* Updated documentation
* Minor styling refactor to suites
* Clean up LDAP user provisioning
* Fix Authelia home splash to reference correct link for webmail
* Add notification message for password complexity errors
* Add password complexity integration test
* Rename implementation default from rfc to custom
* add specific defaults for LDAP (activedirectory implementation)
* add docs to show the new defaults
* add docs explaining the importance of users filter
* add tests
* update instances of LDAP implementation names to use the new consts where applicable
* made the 'custom' case in the UpdatePassword method for the implementation switch the default case instead
* update config examples due to the new defaults
* apply changes from code review
* replace schema default name from MSAD to ActiveDirectory for consistency
* fix missing default for username_attribute
* replace test raising on empty username attribute with not raising on empty
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
|
|
* adaptively delay 1FA by the actual execution time of authentication
* should grow and shrink over time as successful attempts are made
* uses the average of the last 10 successful attempts to calculate
* starts at an average of 1000ms
* minimum is 250ms
* a random delay is added to the largest of avg or minimum
* the random delay is between 0ms and 85ms
* bump LDAP suite to 80s timeout
* bump regulation scenario to 45s
* add mutex locking
* amend logging
* add docs
* add tests
Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
|
|
* it doesn't work with our current CSP
* it's probably not used by anyone
* it isn't in harmony with our security purposes
* literally removes all use of it
* suggestions from code review
* remove useless test.
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
|
|
* [CI] Add goconst linter
* Implement goconst recommendations
* Rename defaultPolicy to denyPolicy
* Change order for test constants
Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
|
|
Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
|
|
* add a nolint for gosec 'possibly hardcoded password' that was incorrect
* make all parameters consistent
* update the docs for the correct key name 'password' instead of 'password_options' or 'password_hashing'
* reword some of the docs
* apply suggestions from code review
Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>
|
|
* [Buildkite] Introduce CI linting with golangci-lint and reviewdog
* Initial pass of golangci-lint
* Add gosimple (megacheck) recommendations
* Add golint recommendations
* [BUGFIX] Migrate authentication traces from v3 mongodb
* Add deadcode recommendations
* [BUGFIX] Fix ShortTimeouts suite when run in dev workflow
* Add unused recommendations
* Add unparam recommendations
* Disable linting on unfixable errors instead of skipping files
* Adjust nolint notation for unparam
* Fix ineffectual assignment to err raised by linter.
* Export environment variable in agent hook
* Add ineffassign recommendations
* Add staticcheck recommendations
* Add gocyclo recommendations
* Adjust ineffassign recommendations
Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
|
