Jens L
cfad472e1b
flows: optimise queries ( #3818 )
...
* flows: optimise flow queries
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* index source on slug and name
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* binding index
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* add policy parent index
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* fix migrations
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* cleanup old migrations
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* fix
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* add release note to upgrade
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-10-19 22:53:07 +02:00
Jens Langhammer
3e1490dcac
providers/saml: don't attempt verification of SAML request when no verification certificate is configured
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-10-18 22:26:04 +02:00
Jens L
b85be12567
providers/oauth2: fix issues with es256 and add tests ( #3808 )
...
fix issues with es256 and add tests
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-10-18 22:01:29 +02:00
Jens L
363872715d
sources/saml: revamp SAML Source ( #3785 )
...
* update saml source to use user connections, add all attributes to flow context
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* check for SAML Status in response, add tests
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* package apple icon
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* add webui for connections
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-10-14 17:04:47 +02:00
Jens L
217e145d23
stages/authenticator_sms: make sms stage payload customisable ( #3780 )
...
* make sms stage payload customisable
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* update phrasing for webhook mapping
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-10-14 11:53:01 +02:00
Jens Langhammer
e5e6c33b2d
providers/oauth2: fix expires_in not being an int
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-10-11 14:25:30 +03:00
Jens L
8ed2f7fe9e
providers/oauth2: add device flow ( #3334 )
...
* start device flow
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* web: fix inconsistent app filtering
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* add tenant device code flow
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* add throttling to device code view
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* somewhat unrelated changes
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* add initial device code entry flow
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* add finish stage
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* it works
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* add support for verification_uri_complete
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* add some tests
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* add more tests
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* add docs
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-10-11 12:42:10 +02:00
Jens Langhammer
9bbe8e6c57
providers/oauth2: save full IDToken to database, only use to_dict for encoding final token
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-10-08 15:06:17 +03:00
Jens Langhammer
b2a658d091
providers/oauth2: remove c_hash and nonce claim if they're not set
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-10-07 17:07:33 +03:00
Jens Langhammer
ce085a029d
providers/oauth2: exclude at_hash claim if not set instead of being null
...
closes #3739
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-10-07 10:10:53 +03:00
Jens Langhammer
7c0754000c
providers/oauth2: add all hardcoded claims to claims_supported list
...
closes #3702
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-09-29 10:27:46 +02:00
Jens Langhammer
a407334d3b
providers/oauth2: use @method_decorator instead of decorating in urls
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-09-10 13:26:17 +02:00
Jens L
7517d612d0
providers/oauth2: add x5c ( #3556 )
...
* add x5c, x5t and x5t#S256
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* strip trailing = to fix encoding issues
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-09-08 23:30:05 +02:00
Jens L
62f93c83d4
ci: update pyright ( #3546 )
2022-09-07 00:23:25 +02:00
Jens L
f2f22719f8
core: improve error template ( #3521 )
2022-09-03 19:46:37 +02:00
Jens L
54ba3e9616
blueprints: add meta model to apply blueprint within blueprint for dependencies ( #3486 )
...
* add meta model to apply blueprint within blueprint for dependencies
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* fix tests
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* use custom registry
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* fix again
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* move ManagedAppConfig to apps.py
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* rename manager to registry
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* ci: use full tag in comment
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-08-29 21:20:58 +02:00
Jens Langhammer
917c4ae835
ci: fix typos
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-08-23 18:49:23 +02:00
Jens Langhammer
0cc83c23c4
providers/proxy: fix duplicate proxy set default
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-08-18 21:13:45 +01:00
Jens Langhammer
fdb8fb4b4c
providers/oauth2: fix oauth2 requests being logged as unauthenticated
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-08-18 20:26:12 +02:00
Jens Langhammer
f4441c9fcf
providers/proxy: trigger proxy set_defaults task on startup
...
closes #3445
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-08-18 17:42:27 +02:00
Jens Langhammer
846b63a17b
*: remove some very verbose logging messages
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-08-17 13:36:56 +02:00
Jens Langhammer
e9c1276634
blueprints: use relative path in @apply_blueprint
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-08-16 14:20:45 +02:00
Jens Langhammer
f01f10c5e5
providers/oauth2: don't separate scopes by comma-space
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-08-07 13:15:12 +02:00
Jens Langhammer
e1249d3760
providers/oauth2: fix scopes without descriptions not being saved in consent
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-08-07 13:02:47 +02:00
Jens L
ec42d378ab
blueprints/cleanup ( #3369 )
2022-08-05 08:39:00 +02:00
Jens L
d1004e3798
blueprints: webui ( #3356 )
2022-08-03 00:05:49 +02:00
Jens Langhammer
2bd29e2fdd
*: improve error handling for startup tasks
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-08-01 23:31:47 +02:00
Jens L
a023eee9bf
blueprints: migrate from managed ( #3338 )
...
* test all bundled blueprints
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* fix empty title
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* fix default blueprints
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* add script to generate dev config
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* migrate managed to blueprints
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* add more to blueprint instance
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* migrated away from ObjectManager
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* fix lint errors
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* migrate things
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* migrate tests
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* fix some tests
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* fix a bit more
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* fix more tests
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* whoops
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* fix missing name
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* *sigh*
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* fix more tests
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* add tasks
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* scheduled
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* run discovery on start
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* oops this test should stay
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-08-01 23:05:58 +02:00
Jens L
89c84f10d0
blueprints: v1 ( #1573 )
...
* managed: move flowexporter to managed
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* *: implement SerializerModel in all models
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* managed: add initial api
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* managed: start blueprint
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* managed: spec
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* version blueprint
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* yep
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* remove v2, improve v1
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* start custom tag, more rebrand
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* add default flows
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* move blueprints out of website
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* try new things
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* add !lookup, fix web
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* update and cleanup default
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* fix tags in lists
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* don't save field if it's set to default value
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* more flow cleanup
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* format web
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* fix missing serializer for sms
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* ignore _set fields
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* remove custom file extension
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* migrate default flow to tenant
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* include blueprints
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* fix tests
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-07-31 17:11:44 +02:00
Jens Langhammer
fcf4657833
providers/proxy: add is_superuser to ak_proxy object, only show full error when superuser
...
closes #3314
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-07-30 20:29:23 +02:00
Jens L
393d7ec486
providers/proxy: no exposed urls ( #3151 )
...
* test any callback
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* cleanup
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* don't detect callback in per-server handler
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* use full redirect uri with both path and query param
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* update tests
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* correctly route to embedded outpost for callback signature
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* fix allowed redirects
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-07-30 17:51:01 +02:00
Jens Langhammer
549f6f2077
providers/oauth2: correctly log authenticated user for OAuth views using protected_resource_view
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-07-18 22:20:09 +02:00
Jens Langhammer
4cd629b5fc
core: handle FlowNonApplicableException correctly in source flow_manager
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-07-03 22:03:03 +02:00
Jens Langhammer
14a4047bdd
flows: show messages from ak_message when flow is denied
...
fallback to same generic message
closes #3197
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-07-03 21:36:13 +02:00
Jens Langhammer
23273f53cc
providers/oauth2: if no scopes are sent in authorize request, select all configured scopes
...
closes #3112
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-07-01 19:45:26 +02:00
Jens Langhammer
d11ce0a86e
providers/proxy: set default scopes based on managed attribute
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-07-01 18:26:49 +02:00
Jens Langhammer
56fd436e5d
web: fix redirect when accessing authentik URLs authenticated
...
closes #3174
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-06-30 23:04:39 +02:00
Jens Langhammer
ea60c389be
providers/saml: include SSO Binding URLs in Provider API
...
closes #3179
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-06-30 22:18:21 +02:00
Jens Langhammer
983882f5a0
providers/oauth2: ensure refresh tokens are URL safe
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
#3185
2022-06-30 12:43:08 +02:00
Jens L
c5a2831665
api: add basic jwt support with required scope ( #2624 )
...
* api: add basic jwt support with required scope
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* api: only set auth_via when actually authenticating via token
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* save consented permissions in user consent, re-prompt when new permissions are required
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* update locale
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* translate special scope map
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* more api auth tests
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* add docs
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* build web api in e2e tests
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* link generated client instead of copying
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-06-26 17:51:15 +02:00
Jens Langhammer
6c9dc7a15b
providers/oauth2: fix OAuth form_post response mode for code response_type
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
#3113
2022-06-20 21:52:36 +02:00
Jens Langhammer
7caac1d0c7
providers/oauth2: add test to ensure capitalised redirect_uri isn't changed
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
#3114
2022-06-18 13:13:36 +02:00
9p4
45364d6553
providers/oauth2: don't lowercase URL for token requests ( #3114 )
...
this was a leftover from before the migration regex checking for redirect URIs
closes #3076 and #3083
2022-06-18 13:08:15 +02:00
Jens Langhammer
e892ed14da
providers/oauth2: include source's user path in M2M created users
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-06-15 14:07:28 +02:00
Jens L
6821402fef
providers/oauth2: remove deprecated verification_keys ( #3071 )
...
remove verification_keys
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-06-11 19:48:07 +02:00
Jens L
8dbb0bd2c6
providers/oauth2: token revoke ( #3077 )
2022-06-11 18:49:16 +02:00
Jens L
0cad56ec73
providers/oauth2: if a redirect_uri cannot be parsed as regex, compare strict ( #3070 )
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-06-10 23:32:57 +02:00
Jens Langhammer
23023ec727
providers/oauth2: add JWKS URL to OAuth2ProviderSetupURLs
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-06-07 20:17:06 +02:00
Jens L
0c591a50e3
*: don't dispatch tasks on startup of server ( #3033 )
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-06-03 18:29:24 +02:00
Jens Langhammer
558c7bba2a
lib: add lxml wrapper
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-06-02 13:25:24 +02:00
Jens Langhammer
8cd1a42fb9
*: fix linting
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-06-02 11:50:10 +02:00
Jens L
2c6d82593e
root: cleanup session keys to use common format ( #3003 )
...
cleanup session keys to use common format
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-05-31 21:53:23 +02:00
Jens L
9f2529c886
stages/authenticator_validate: cookies ( #2978 )
...
* stages/authenticator_validate: rewrite to use signed jwt cookie + expiry as MFA threshold
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* add more tests
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* add more tests
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-05-29 19:47:34 +02:00
Jens Langhammer
18b48684eb
providers/oauth2: add configuration error event when wrong redirect uri is used in token request
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-05-28 21:15:58 +02:00
Jens Langhammer
2b68363452
providers/oauth2: add migration from "*" to ".*"
...
closes #2970
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-05-27 10:23:13 +02:00
Jens Langhammer
a81d5a3d41
providers/oauth2: regex-escape URLs when set to blank
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-05-26 12:52:56 +02:00
Jens Langhammer
5da47b69dd
providers/oauth2: only set expiry on user when it was freshly created
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-05-25 23:02:33 +02:00
Jens Langhammer
0e0dd2437b
providers/oauth2: handle attribute errors when validation JWK contains private key
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-05-25 22:23:05 +02:00
Jens Langhammer
4a9b788703
providers/oauth2: set related_name for many-to-many so used by detects the connection
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-05-24 22:12:35 +02:00
Jens L
80c1dbdfbb
ensure all viewsets have filter and search and add tests ( #2946 )
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-05-24 22:01:18 +02:00
Jens L
b4e75218f5
sources/oauth: OIDC well-known and JWKS ( #2936 )
...
* add initial
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* add provider
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* include source and jwk key id in event
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* add more docs
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* add tests for source
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* fix web formatting
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* add provider tests
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* fix lint error
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-05-24 21:02:50 +02:00
Jens Langhammer
61a876b582
providers/saml: handle parse error
...
AUTHENTIK-1K5
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-05-23 22:03:12 +02:00
Jens Langhammer
8c9748e4a0
providers/oauth2: improve error handling for invalid regular expressions
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-05-23 20:47:36 +02:00
Jens Langhammer
11f7935155
providers/oauth2: use regex to check redirect URI
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
#2799
2022-05-18 21:22:27 +02:00
Jens Langhammer
f391c33bdf
providers/oauth2: fix tests
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-05-14 12:41:40 +02:00
Jens Langhammer
ee36b7f3eb
flows: move autosubmit stage into flows package
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-05-14 12:06:19 +02:00
Jens Langhammer
a9a62bbfc8
providers/oauth2: use correct title based on flow context and translated
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-05-14 00:08:29 +02:00
Jens Langhammer
ddd785898b
providers/saml: add title attribute to autosubmit stage and render correctly
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-05-14 00:08:14 +02:00
Jens Langhammer
8ba45a5f6a
providers/oauth2: don't create events before client_id can be verified to prevent spam
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-05-14 00:02:01 +02:00
Jens Langhammer
7d41e6227b
providers/oauth2: add tests for form_post, fix attrs not being flattened
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-05-13 23:52:50 +02:00
Jens Langhammer
1363226697
providers/saml: make SAML metadata generation consistent
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-05-13 17:40:18 +02:00
scheibling
d4abf5621e
providers/oauth2: add support for form_post response mode ( #2818 )
...
* Added request verification and parameter generation
* response_mode added to OAuthAuthorizationParams return
* Added class OauthPostFulfillmentStage
Check response_mode in initialization
* Corrected typo
* Removed separate class
Added handling for FORM_POST in create_response_uri
Added handling for FORM_POST in return class
* Fixed pylint error (trailing-whitespace)
Removed comment
* Reformatted authorize.py with black
2022-05-12 21:36:31 +02:00
Jens L
ab2299ba1e
outposts/ldap: cached bind ( #2824 )
...
* initial cached ldap bind support
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* add web
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* add docs
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* clean up api generation
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* use gh action for golangci-lint
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-05-08 16:48:53 +02:00
scheibling
30c7e6c94c
providers/oauth2: fixed typo (PROMPT_CONSNET => PROMPT_CONSENT) ( #2819 )
2022-05-06 10:09:09 +02:00
Jens Langhammer
f4f9f525d7
providers/oauth2: include application in login event
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-04-14 22:36:45 +02:00
Jens Langhammer
7561ea15de
providers/oauth2: add additional tracing to token view
2022-04-14 16:48:17 +00:00
Jens Langhammer
5a58f6ee64
providers/oauth2: remove test for non sa user
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-04-12 20:35:13 +02:00
Jens Langhammer
e84b17d550
providers/oauth2: don't force service accounts for client_credentials flow
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-04-12 10:23:25 +02:00
Jens Langhammer
8be04cc013
providers/oauth2: fix elliptic curve keys attempting to use EC256 instead of ES256
...
closes #2703
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-04-11 20:05:58 +02:00
Jens Langhammer
f977bf61eb
providers/oauth2: make exp optional on jwt client_credentials flow
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-04-10 17:25:35 +02:00
Jens Langhammer
f8f8a9bbb9
providers/oauth2: give keypairs private key preference over certificate in client_credentials jwt flow
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-04-10 16:27:53 +02:00
Jens Langhammer
5861d41ad3
tenants: add tenant-level attributes, applied to users based on request
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-04-06 10:41:35 +02:00
Jens Langhammer
4be238018b
providers/oauth2: pass scope and other parameters to access policy request context
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
#2641
2022-04-01 21:39:05 +02:00
Jens Langhammer
99008252f8
providers/oauth2: fix verification_keys being required
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-03-31 20:19:13 +02:00
Jens Langhammer
8689444954
providers/oauth2: add password grant support (treated as client_credentials)
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-03-31 18:02:17 +02:00
Jens L
bb8af2f19b
providers/oauth2: add client_assertion_type jwt bearer support ( #2618 )
2022-03-31 00:30:55 +02:00
Adam G
d75a864f0e
providers/oauth2: map internal groups to GitHub teams in GHE OAuth emulation ( #2497 )
...
* providers/oauth2: impl `/user/teams` endpoint for Github OAuth2
This commit adds a functional `/user/teams` endpoint for the emulated Github OAuth2 service.
The teams a user is part of are based on the user's groups in Authentik.
* providers/oauth2: Move org template inside loop; Change slug to use Django slugify
* providers/oauth2: Remove placeholder replacement
* Possibly fix complaints from the linters
* Update github.py
* Change organization name
* Update github.py
2022-03-23 12:05:20 +01:00
Jens Langhammer
53d0205e86
outposts/proxy: use Prefix in ingress for k8s
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-03-15 19:01:08 +01:00
Jens L
920d1f1b0e
providers/oauth2: initial client_credentials grant support ( #2437 )
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-03-05 23:24:55 +01:00
Jens Langhammer
08acc7ba41
providers/oauth2: fix invalid launch URL being generated
2022-03-01 15:29:21 +00:00
Jens Langhammer
72259f6479
events: fix lint
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-02-14 23:15:45 +01:00
Jens Langhammer
0973c74b9d
providers/oauth2: fix redirect_uri being lowercased on successful validation
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-02-14 23:04:00 +01:00
Jens Langhammer
c040b13b29
providers/proxy: remove leading slash to allow subdirectories in proxy
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
#2305
2022-02-14 12:51:04 +01:00
Jens Langhammer
f61549a60f
providers/proxy: enable TLS in ingress via traefik annotation
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
#1997
2022-02-12 18:35:24 +01:00
Jens Langhammer
b5d43b15f8
providers/oauth2: add support for explicit response_mode
...
closes #1953
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-02-12 16:56:47 +01:00
Jens L
4343246a41
*: rename akprox to outpost.goauthentik.io ( #2266 )
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-02-08 20:25:38 +01:00
Jens Langhammer
eaba8006e6
sources/saml: fix incorrect ProtocolBinding being sent
...
closes #2213
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-02-03 18:20:06 +01:00
Jens Langhammer
88603fa4f7
providers/proxy: set traefik labels using object_naming_template instead of UUID
2022-02-01 17:13:27 +00:00
Jens Langhammer
c7ba183dc0
providers/proxy: fix traefik label
...
closes #2128
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-01-24 17:45:09 +01:00
Jens Langhammer
82cc1d536a
providers/proxy: add PathPrefix to auto-traefik labels
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
#2128
2022-01-23 21:55:46 +01:00
Jens Langhammer
4d7d700afa
providers/oauth2: change default redirect uri behaviour; set first used url when blank and use star for wildcard
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-01-12 22:44:57 +01:00
Jens Langhammer
c07b8d95d0
outposts/proxy: remove deprecated headers
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-01-07 17:01:23 +01:00
Jens Langhammer
90c31c2214
flows: add test helpers to simplify and improve checking of stages, remove force_str
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-01-01 20:25:32 +01:00
Jens Langhammer
c249b55ff5
*: use py3.10 syntax for unions, remove old Type[] import when possible
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-12-30 14:59:01 +01:00
Jens Langhammer
6dc2003e34
providers/oauth2: fix tests validating JWT incorrectly
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-12-22 23:00:57 +01:00
Jens Langhammer
0149c89003
providers/oauth2: fix invalid assignments in JWKS view
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-12-22 22:41:28 +01:00
Jens Langhammer
f458cae954
providers/proxy: add error handling when field is already gone
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-12-22 22:31:53 +01:00
Jens Langhammer
f01d117ce6
providers/proxy: fix imports in migrations
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-12-22 22:25:02 +01:00
Jens Langhammer
2bde43e5dc
crypto: use older syntax for type union
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-12-22 22:22:45 +01:00
Jens Langhammer
2f3026084e
providers/oauth2: remove jwt_alg field and set algorithm based on selected keypair, select HS256 when no keypair is selected
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-12-22 22:09:49 +01:00
Jens Langhammer
8a60a7e26f
providers/proxy: revert to static list of forwarded headers
...
wildcard is not usable for this since the regular expression doesn't support negative lookahead, meaning we would always forward all headers, including Connection and others
closes #1969
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-12-21 12:04:54 +01:00
Jens Langhammer
92b4244e81
providers/proxy: update traefik regex
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
#1969
2021-12-20 22:43:58 +01:00
Jens Langhammer
dfbf7027bc
providers/proxy: add traefik.ingress.kubernetes.io/router.tls annotation for ingress
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-12-20 22:24:42 +01:00
Jens Langhammer
577b7ee515
providers/proxy: include auth headers
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-12-20 21:37:22 +01:00
Jens Langhammer
ef23a0da52
outposts/proxy: fix traefik header regex to only match Remote- and X- headers to prevent websocket errors
...
closes #1969
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-12-20 13:30:19 +01:00
Jens Langhammer
b6ff04694f
providers/oauth2: don't rely on expiry task for access codes and refresh tokens
...
closes #1911
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-12-18 17:42:41 +01:00
NeroPcStation
273f5211a0
providers/saml: Fix typo ( #1950 )
2021-12-17 11:00:20 +00:00
Jens Langhammer
fec6de1ba2
providers/oauth2: add additional logging to show which token path is taken
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-12-13 22:49:42 +01:00
Jens Langhammer
69678dcfa6
providers/oauth2: use generate_key instead of uuid4
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-12-13 22:13:20 +01:00
Jens Langhammer
f2b3a2ec91
providers/saml: optimise excessive queries to user when evaluating attributes
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-12-13 16:38:38 +01:00
Jens Langhammer
326b574d54
root: update dependencies
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-12-07 16:25:10 +01:00
Jens Langhammer
873aa4bb22
providers/saml: remove SESSION_KEY_POST from session after using it
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
#1873
2021-12-06 12:47:25 +01:00
Jens Langhammer
ada2a16412
tests/e2e: add post binding test
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-12-05 11:18:01 +01:00
Jens Langhammer
6a3f7e45cf
providers/saml: add ?force_binding to limit bindings for metadata endpoint
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-12-05 11:14:42 +01:00
Jens Langhammer
2b78c4ba86
*: use request.query_params instead of accessing the django request
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-12-05 11:14:20 +01:00
Jens Langhammer
680ef641fb
providers/saml: fix error when propertymapping returns invalid data in list
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-12-05 10:31:16 +01:00
Jens Langhammer
4bd1cd127b
providers/saml: fix IndexError in signature check
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-12-02 20:30:03 +01:00
Jens Langhammer
4f54ce6afb
providers/saml: fix error when using post bindings and user freshly logged in
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
#1873
2021-12-02 13:00:21 +01:00
Jens Langhammer
b4963bec76
providers/proxy: fix defaults for traefik integration
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-12-01 21:47:13 +01:00
Jens Langhammer
7aa8e35f87
providers/proxy: use wildcard for traefik headers copy
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-12-01 20:19:35 +01:00
Jens Langhammer
60b95271eb
outposts/proxy: add additional headers
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-12-01 20:19:09 +01:00
Jens Langhammer
0b8cfd437b
*: fix typo'd signing pair name
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-11-24 09:55:10 +01:00
Jens L
9bb0d04aeb
root: Random tests (#1825)
...
* root: add pytest-randomly to randomise tests
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* *: generate flows for testing instead of relying on existing ones
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* *: generate users for testing instead of relying on existing ones
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* *: use generated certificate
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* tests/e2e: keep containers
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* tests/e2e: use websockets test case
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-11-22 22:56:02 +01:00
Jens Langhammer
b0fac9c9f1
providers/saml: fix SessionNotOnOrAfter not being included
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-11-16 12:36:40 +01:00
dependabot[bot]
f7044e41c6
build(deps-dev): bump bandit from 1.7.0 to 1.7.1 (#1793)
...
* build(deps-dev): bump bandit from 1.7.0 to 1.7.1
Bumps [bandit](https://github.com/PyCQA/bandit) from 1.7.0 to 1.7.1.
- [Release notes](https://github.com/PyCQA/bandit/releases)
- [Commits](https://github.com/PyCQA/bandit/compare/1.7.0...1.7.1)
---
updated-dependencies:
- dependency-name: bandit
dependency-type: direct:development
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
* *: fix bandit false positives
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-11-15 09:16:16 +01:00
Jens Langhammer
c98bdbacc5
providers/proxy: return list of configured scope names so outpost requests custom scopes
...
closes #1762
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-11-10 23:06:21 +01:00
Jens Langhammer
2cef220a3e
providers/ldap: add/squash migrations
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-11-05 10:41:50 +01:00
Jens L
5a8c66d325
providers/ldap: memory Query (#1681)
...
* outposts/ldap: modularise ldap outpost, to allow different searchers and binders
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* outposts/ldap: add basic in-memory searcher
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* providers/ldap: add search mode field
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* outpost: add search mode field
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-11-05 10:37:30 +01:00
Jens Langhammer
3005ca17bd
web/admin: show warning on provider when not used with outpost
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-11-05 01:15:33 +01:00
Jens Langhammer
909461e533
providers/*: include list of outposts
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-11-05 01:06:04 +01:00
Jens Langhammer
6036d88392
providers/proxy: allow configuring of additional scope mappings for proxy
...
closes #1255
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-10-31 22:25:51 +01:00
Jens Langhammer
335d6edd11
providers/saml: fix error on missing AssertionConsumerServiceURL, fall back to default ACS
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-10-31 17:21:15 +01:00
Jens Langhammer
1b21b50b77
providers/oauth2: fallback to uid if UPN was selected but isn't available
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-10-27 16:11:35 +02:00
Jens Langhammer
8eb4d53810
providers/oauth2: fix events being created from /application/o/authorize/
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-10-21 22:59:01 +02:00
Jens Langhammer
98a56c77e3
providers/proxy: update ingress controller to work with k8s 1.22
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-10-18 10:00:24 +02:00
Jens Langhammer
2b09d97522
core: fix squash migrations error when AK_ADMIN_TOKEN is set
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-10-12 17:45:10 +02:00
Jens L
e4f141c6c0
*: Squash Migrations (#1593)
...
* *: first squash pass
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* sources/saml: squash less
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* outposts: fix docker controller not correctly checking image
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* tests/e2e: fix old migration reference
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-10-11 21:39:35 +02:00
Jens Langhammer
83150d9920
outposts: fix circular import in kubernetes controller
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-10-03 19:25:18 +02:00
Jens Langhammer
d30dcda814
providers/proxy: always check ingress secret in kubernetes controller
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-10-03 19:14:27 +02:00
Jens Langhammer
3c1ac4c7ec
outposts/proxy: add new headers with unified naming
...
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-10-02 22:00:23 +02:00