dani/lemonldap-ng
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
12,065 Commits 3 Branches 0 Tags 75 MiB
78bd430057
Commit Graph

361 Commits

Author SHA1 Message Date
Maxime Besson
4eeef91588 Add SAML ACS to environment (#2427) 2020-12-29 14:17:06 +01:00
Maxime Besson
daef0cf776 add oidcGenerateUserInfoResponse hook (#2359) 2020-11-27 14:00:58 +01:00
Maxime Besson
faadb3f059 add oidcGotRequest hook (#2359) 2020-11-27 14:00:58 +01:00
Maxime Besson
c19be1d501 Tidy SAML issuer (#2359) 2020-11-27 14:00:58 +01:00
Maxime Besson
a706f8a470 add samlBuildLogoutResponse hook (#2359) 2020-11-27 14:00:58 +01:00
Maxime Besson
ddc43f7c9c add samlGotLogoutRequest hook (#2359) 2020-11-27 14:00:58 +01:00
Maxime Besson
2dba11e6b3 Add samlBuildAuthnResponse hook (#2359) 2020-11-27 14:00:58 +01:00
Maxime Besson
de1d6e205b Add samlGotAuthnRequest hook (#2359) 2020-11-27 14:00:58 +01:00
Christophe Maudoux
c742d8320e Set user and oldpassword fields into reset password form & Improve unit tests (#2377) 2020-11-09 13:27:16 +01:00
Christophe Maudoux
e704fe24ea Fix warning if no path given & code refactoring 2020-10-26 19:21:54 +01:00
Maxime Besson
277e0872fa Fix missing session timeouts (#2262) 2020-09-09 12:04:17 +02:00
Maxime Besson
d598513504 Fix warning when resolving cas target authlevel (#2309) 2020-09-09 10:37:00 +02:00
Maxime Besson
f9c7d0bdf7 saml proxy logout: Delay info until we return from idp (#2262) 2020-09-08 17:25:11 +02:00
Maxime Besson
683b5a7861 Resume logout when returning from Auth::SAML IDP (#2262) 2020-09-08 15:47:58 +02:00
Maxime Besson
24297aa942 Redirect to external provider for logout (#2262) 2020-09-08 14:16:49 +02:00
Maxime Besson
8b5ddf6e43 Perform authLogout step during SAML SLO (#2262) 2020-09-08 14:16:49 +02:00
Maxime Besson
bd110e7de6 cas issuer: check auth level and reauth if insufficient (#2124) 2020-09-04 17:15:34 +02:00
Maxime Besson
ce5c19e3f4 saml issuer: check auth level and reauth if insufficient (#2124) 2020-09-04 17:15:34 +02:00
Maxime Besson
7a36489b73 oidc issuer: check auth level and reauth if insufficient (#2124) 2020-09-04 17:15:34 +02:00
Maxime Besson
8bfa5179cc Issuers: Store required auth level in pdata (#2124) 2020-09-04 17:14:04 +02:00
Maxime Besson
5e78464d7f Resolve nameid session attribute from local macros (#2280) 2020-08-17 22:06:09 +02:00
Maxime Besson
9ac49b881a Lookup casAppMetaDataOptionsUserAttribute in per-app macros (#2280) 2020-08-17 22:06:09 +02:00
Maxime Besson
52c6edb453 Lookup oidcRPMetaDataOptionsUserIDAttr in per-RP macros (#2280) 2020-08-17 22:06:09 +02:00
Maxime Besson
b2a2575896 Fix incorrect SOAP content type in SAML issuer (#2263) 2020-08-10 15:06:00 +02:00
Clément OUDOT
e544ee7778 Adapt user log in SAML issuer (#2244) 2020-06-18 18:40:13 +02:00
Clément OUDOT
5d5eda9799 Adapt user log in CAS issuer (#2244) 2020-06-18 18:39:53 +02:00
Clément OUDOT
0b3908e6dc Add user log in GET issuer (#2244) 2020-06-18 18:01:33 +02:00
Clément OUDOT
2da914cc90 Publish support for refresh_token grant_type (#2242) 2020-06-18 09:43:56 +02:00
Maxime Besson
33a5496e55 Fix regression in #2085 (#2224) 
Clearing all hidden form values was a mistake as it breaks SAML when the
redirection URL contains a query string. We should keep existing hidden
fields. In the context of OIDC request, we clear them before redirection
to avoid #2085
 2020-05-29 15:51:51 +02:00
Christophe Maudoux
bb9e03d1e5 Tidy 2020-05-24 00:04:33 +02:00
Christophe Maudoux
46bb6fea4f Return PE_SESSIONEXPIRED instead of 400 bad request (#2184) 2020-05-01 19:52:32 +02:00
Maxime Besson
e607d8281f OIDC: do not advertise missing functionality (#1194) 
Back-Channel logout is not supported yet
 2020-04-24 12:15:51 +02:00
Clément OUDOT
138ee4284f Disable cache when registering a new OIDC client (#2058) 2020-04-24 11:52:04 +02:00
Maxime Besson
a3821fc560 Implement additional audiences in ID token (#2177) 2020-04-24 11:10:44 +02:00
Maxime Besson
6ccf078432 Implement Resource Owner Password Credentials grant (#2155) 2020-04-23 17:49:25 +02:00
Maxime Besson
ded6c74fe0 Allow special characters in scope names (#2168) 2020-04-23 14:50:53 +02:00
Maxime Besson
31f05b9e2d Make Introspection endpoint look for offline sessions (#2171) 2020-04-23 10:29:08 +02:00
Maxime Besson
626715a580 Prevent duplicate consents in psession (#2169) 2020-04-22 21:26:38 +02:00
Maxime Besson
a217590869 Tidy OIDC 2020-04-22 21:25:56 +02:00
Christophe Maudoux
ea8b0bb024 Highlight error message (#2126 & #1625) 2020-03-28 18:12:34 +01:00
Christophe Maudoux
68e2e81898 Fix warning if error is undefined (#2126 & #1625) 2020-03-28 17:59:37 +01:00
Xavier Montagutelli
9c0e09f89d Update OpenIDConnect.pm - Correct typo staticPrefi*x* 2020-03-26 16:48:31 +01:00
Maxime Besson
34928123f3 OIDC refactoring 
split token method by response type
factor ID token generation between implicit and hybrid flows
still a lot to do!
 2020-03-18 21:14:54 +01:00
Maxime Besson
4ae628bfcd Avoid generatin a bogus ID token when generation fails (#2105) 2020-02-24 16:28:41 +01:00
Xavier Guimard
a76cba3856 Update versions 2020-02-20 23:37:01 +01:00
Maxime Besson
5758e371bf Improve introspection endpoint (#2096) 2020-02-19 21:49:51 +01:00
Maxime Besson
68be974e51 Add option to compute userdb groups before macros (#1877) 2020-02-05 15:39:45 +01:00
Maxime Besson
3b48746948 SAML: Hide error in storeEnv (#2084) 2020-02-03 17:08:18 +01:00
Clément OUDOT
681452524d Associate SAML access rule to SP conf key and not SP entityID (#2074) 2020-01-24 09:01:56 +01:00
Christophe Maudoux
1988983c90 Typo 2019-12-31 17:14:44 +01:00
Clément OUDOT
f5c2b81051 Possibility to add extra claims and extra vars in OIDC register (#2003) 2019-12-21 12:08:48 +01:00
Maxime Besson
f7f526b825 Fix #1882 in refresh token code 2019-12-17 10:59:45 +01:00
Maxime Besson
a410793122 CAS per-service macros portal code (#2042) 2019-12-16 17:26:35 +01:00
Maxime Besson
2a15bb0523 SAML per-service macros portal code (#2042) 2019-12-16 17:26:34 +01:00
Maxime Besson
32ecf37be4 OIDC per-service macros portal code (#2042) 2019-12-16 17:26:34 +01:00
Maxime Besson
75559bfb15 Fix TTL of offline session (#813) 2019-11-27 12:12:47 +01:00
Maxime Besson
2639c482b1 Fix cookie removal on SAML logout (#2001) 
Since the fixes for #1863, calling p->do consumes the response headers
set by any previous code. So we must only call do() in a return statement.
 2019-11-06 18:44:10 +01:00
Maxime Besson
713737c11f Add an option to return claims in ID token 2019-11-04 18:27:28 +01:00
Maxime Besson
68704955d2 Apply suggestion to lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm 2019-11-04 10:47:35 +01:00
Maxime Besson
a386a7502a Allow refresh tokens to be emitted for regular sessions (#813) 2019-11-04 10:44:54 +01:00
Maxime Besson
ea2365cc98 Implement OIDC Offline sessions through refresh tokens (#813) 2019-11-04 10:44:54 +01:00
Clément OUDOT
a239091553 Load String::Random (#1963) 2019-10-01 14:49:41 +02:00
Xavier
461cd51e45 Try to fix #1785 without breaking pdata 2019-09-29 23:04:17 +02:00
Christophe Maudoux
5d9fc02205 Typo & logger 2019-09-20 22:47:48 +02:00
Clément OUDOT
dc0a8f7848 Add some log when user is authorized to access to service (#1702) 2019-09-19 16:52:08 +02:00
Clément OUDOT
dd76c4f3db Improve log for CAS Issuer (#1702) 2019-09-19 16:18:51 +02:00
Clément OUDOT
e446e09a7f Improve log (#1702) 2019-09-19 16:07:10 +02:00
Christophe Maudoux
92c8e6791f Typo (#1702) 2019-09-18 19:49:22 +02:00
Xavier
e50e7d09d1 Update version of (really) modified files 2019-09-12 21:56:49 +02:00
Maxime Besson
00e91f374b Add specific error code when missing a required SAML attr (#1919) 
The MISSINGREQATTR message is a good default value, but a site
administrator may decide to override it with a personnalized version
that only applies to issuer errors caused by an incomplete user profile
(for example, giving a pointer to the local user profile management
application)
 2019-09-06 11:04:39 +02:00
Maxime Besson
d61935ab6e Implement introspection endpoint for access tokens (#1843) 2019-08-29 19:10:51 +02:00
Maxime Besson
fd7453b7a5 Refactor endpoint auth 2019-08-29 18:57:26 +02:00
Maxime Besson
661a007b4a Check OIDC access token expiration (#1879) 2019-08-21 12:18:55 +02:00
Maxime Besson
2e9f57ab6f Better default behavior for oidcServiceMetaDataIssuer (#1882) 2019-08-13 18:09:59 +02:00
Maxime Besson
daa03a9a9c OIDC: tie client_id to authorization code (#1881) 2019-08-09 13:54:53 +02:00
Clément OUDOT
4ee49de4c2 Adapt grant_types_supported attribute (#1846) 2019-07-25 19:06:53 +02:00
Clément OUDOT
c76dc52436 Adapt response_types_supported attribute in OpenID Connect metadata depending on configured flows (#1846) 2019-07-08 15:38:57 +02:00
Clément OUDOT
9b98893c44 Manage claims in ID token if no access token requested (#1846) 2019-07-08 15:15:13 +02:00
Clément OUDOT
1ebbde9a50 Tidy code and add missing check on hash_level (#1835) 2019-07-04 09:49:01 +02:00
Christophe Maudoux
161d6cee0f Fix unit test warning (Auth-and-issuer-OIDC-authorization_code-with-none-alg.t) 2019-07-03 22:17:22 +02:00
Xavier Guimard
c1137edba8 make tidy with perltidy-20181120 2019-07-02 20:03:40 +02:00
Xavier
c921c295ed Use user skin in loadTemplate (Fixes: #1828) 2019-06-28 13:40:56 +02:00
Xavier Guimard
264410409d Move CAS service verification from main to Issuer::CAS (#1795) 2019-06-27 16:55:12 +02:00
Maxime Besson
e1f927a195 Check service= parameter on CAS logout (#1795) 
service= redirect URL is not checked when logging out from CAS, to avoid
insecure redirect attacks. The verification is only made if CAS access
control is enabled.

In order for this to work in common cases (applications redirects to an
unprotected page after logout), we add CAS App domains to the list of
globally trusted domains.

If your application wants to redirect to a third-party domain, it needs
to be added to LLNG's trustedDomains
 2019-06-27 12:40:40 +02:00
Clément OUDOT
4e5c450b8b Return error if no code provided on token endpoint (#1802) 2019-06-14 16:05:39 +02:00
Xavier
a6aaf8a507 Add XSS test (#1795) 2019-06-11 21:30:15 +02:00
Xavier
1a8948894d Check CAS "service" parameter (Fixes: #1795) 2019-06-11 21:02:43 +02:00
Maxime Besson
97d0bbf0aa Fix CASv2 logout (#1753) 2019-06-11 16:18:15 +02:00
Xavier
db2ee96bc8 Update versions (#1777) 2019-05-28 22:04:45 +02:00
Xavier
82171e9a90 Fix missing $req in SLO responses (#1777) 2019-05-28 21:45:54 +02:00
Xavier
acd6ba50e8 Fix some missing $req (#1777) 2019-05-28 19:52:08 +02:00
Clément OUDOT
926262170b Implement PKCE in OIDC provider (#1722) 2019-04-29 17:18:16 +02:00
Clément OUDOT
8e6f678be7 Create a configuration option to allow a Relying Party to be a public client 
Allow unauthenticated requests on OAuth2 token endoint

#1725
 2019-04-29 10:02:16 +02:00
Maxime Besson
2f9e6aa623 Allow override of username attribute for CAS apps 
Global CAS options allows the admistrator to set the session attribute
that gets exported to all CAS application as the main identifier
(cas:user)

This commit adds the ability to override this configuration for a
particular CAS application.

OIDC already allows this

Fixes #1713
 2019-04-28 21:06:34 +02:00
Maxime Besson
62f16721ff Send username when calling CAS1.0 validation 
Fixes #1724
 2019-04-28 19:29:54 +02:00
Clément OUDOT
8859fe342b Fix setHiddenFormValue (#1692) 2019-04-03 17:54:58 +02:00
Clément OUDOT
8be0817363 Send optional SAML attributes if they have a value (#1681) 2019-04-03 16:40:41 +02:00
Clément OUDOT
9a454fbb7a Manage SLO termination if there is no RelayState (#1671) 2019-04-03 12:26:01 +02:00
Clément OUDOT
a805a5a00b Manage SLO responses (#1671) 2019-04-02 17:27:47 +02:00
Clément OUDOT
4e76ee9582 Avoid warning during SAML SLO (#1671) 2019-04-02 16:13:45 +02:00