Add support for passkeys, granular attachment modality, granular authenticator selection, and authenticator filtering which is commonly used in an enterprise environment. This also adds metadata verification elements utilizing the MDS3 to the project, including saving attestation statements, verification of attestation statements, etc. This also makes a significant change to the authentication level logic to purely use RFC8176 authentication method references to ensure the future-proof nature of the implementation. This change paves the way for the future of Authelia ensuring we can add custom policies in the future to allow administrators to very deliberately decide what authentication methods are sufficient for a given resource as well as the ability to clearly communicate these authentication methods to third parties via OpenID Connect 1.0 and SAML 2.0. It should be noted that at the time of this commit Passkey authentication is considered a single factor and we will at a later stage add the customizable policies described here to handle other use cases, though we've included a flag that considers properly implemented passkeys as if they were MFA.
Closes #2827, Closes #2761
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This implements RFC8628 OAuth 2.0 Device Authorization Grant and the accompanying OAuth 2.0 Device Code Flow.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This adds formal support for the prompt parameter.
Closes #2596
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
Signed-off-by: Amir Zarrinkafsh <nightah@me.com>
Instead of utilizing the ID of the UUID, this compares it directly, which was intentionally intended by the authors.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
Replaces github.com/ory/fosite with authelia.com/providers.oauth2 which is a hard fork of the former and has several major improvements.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This fixes an issue in master which prevented the audience from matching in pre-configured consent sessions.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This fixes an issue where the PAR context redirect contained more parameters than required.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This fixes a state error during a PAR session where, if the session requires consent, the flow fails.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This fixes an issue where the client credentials grant fails on insert as the challenge_id foreign key constraint can't be null. This resolves this issue allowing the access token associated (as this is the only token that can be generated) to be null.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This adds support to adjust the authorization policy on specific clients per subject in a reusable way.
Closes #2621
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This adds a feature to OpenID Connect 1.0 where clients can be restricted to a specific client authentication mode, as well as implements some backend requirements for the private_key_jwt client authentication mode (and potentially the tls_client_auth / self_signed_tls_client_auth client authentication modes). It also adds some improvements to configuration defaults and validations which will for now be warnings but likely be made into errors.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This updates fosite and refactors our usage out of compose.
This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
This fixes an issue where consent sessions prevent the standard workflow.
This fixes an issue where pre-configured consent is entirely skipped if the process was initiated via an anonymous user.
Fix an issue that would prevent a correct ID Token from being generated for users who start off anonymous. This also avoids generating one in the first place for anonymous users.
This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.