Caleb Doxsey
3adbc65d37
core/authenticate: refactor identity authenticators to initiate redirect ( #4858 )
* core/authenticate: refactor identity authenticators to initiate redirect, use cookie for redirect url for cognito
* set secure and http only, update test
2023-12-19 12:04:23 -07:00
Kenneth Jenkins
5ccd7a520a
support both stateful and stateless authenticate ( #4765 )
Update the initialization logic for the authenticate, authorize, and
proxy services to automatically select between the stateful
authentication flow and the stateless authentication flow, depending on
whether Pomerium is configured to use the hosted authenticate service.
Add a unit test case to verify that the sign_out handler does not
trigger a sign in redirect.
2023-12-07 14:24:13 -08:00
Kenneth Jenkins
b7896b3153
authenticateflow: move stateless flow logic ( #4820 )
Consolidate all logic specific to the stateless authenticate flow into
a new Stateless type in a new package internal/authenticateflow. This is
in preparation for adding a new Stateful type implementing the older
stateful authenticate flow (from Pomerium v0.20 and previous).
This change is intended as a pure refactoring of existing logic, with no
changes in functionality.
2023-12-06 16:55:57 -08:00
Kenneth Jenkins
3b2bdd059a
authenticate: getUserInfoData() cleanup ( #4818 )
The Authenticate.getUserInfoData() method has an error return value, but
always returns nil for this value. Let's remove this return value from
the method signature.
2023-12-05 14:48:56 -08:00
Kenneth Jenkins
3c4b03f1d2
authenticate: remove extra UpdateUserInfo() call ( #4813 )
The buildIdentityProfile() method is called only from
Authenticate.getOAuthCallback(), which has previously called
Authenticator.Authenticate(). It looks like all implementations of the
Authenticator interface already call UpdateUserInfo(), so we shouldn't
need to call UpdateUserInfo() a second time from buildIdentityProfile().
This should simplify the code a little and provide a slight performance
improvement (by avoiding one network request).
2023-12-05 09:22:35 -08:00
Caleb Doxsey
a0c92896ef
core/authenticate: refactor idp sign out ( #4582 )
2023-09-28 08:41:19 -07:00
Caleb Doxsey
e5a7b994b6
core/authenticate: validate the identity profile ( #4545 )
2023-09-15 14:16:28 -06:00
Kenneth Jenkins
2f4005cc09
authenticate: remove extraneous error log ( #4319 )
Currently the Authenticate.storeIdentityProfile() method always emits an
Error log. If there is no error from cookieChunker.SetCookie(), this
results in an empty log entry:
{"level":"error","time":"2023-06-27T23:56:38Z"}
Refactor this method to instead return the error from SetCookie(), and
update the calling code so that it logs a message only when this error
is non-nil.
(Moving the log call to the calling method gives access to the request
context, so the log entry will include the request ID and other related
info.)
2023-06-28 11:02:06 -07:00
Denis Mishin
2db2d66eba
authenticate: add aws cognito ( #4137 )
2023-05-16 12:28:12 -04:00
Caleb Doxsey
be0104b842
config: add cookie_same_site option ( #4148 )
2023-05-03 14:36:42 -06:00
Caleb Doxsey
facf9ab093
hpke: compress query string ( #4147 )
* hpke: compress query string
* only use v2 in authenticate if v2 was used for the initial request
* fix comment
2023-05-02 14:12:34 -06:00
Denis Mishin
0ab2057714
authenticate: add events ( #4051 )
2023-05-01 15:11:30 -04:00
Caleb Doxsey
bbed421cd8
config: remove source, remove deadcode, fix linting issues ( #4118 )
* remove source, remove deadcode, fix linting issues
* use github action for lint
* fix missing envoy
2023-04-21 17:25:11 -06:00
Denis Mishin
860a881fe0
authenticate: have an option to trim the contents of the callback ( #4090 )
2023-03-31 11:48:31 -04:00
Caleb Doxsey
2b8d51def5
urlutil: add version to query string ( #4028 )
2023-02-28 14:01:13 -07:00
Caleb Doxsey
00c047b114
authenticate: fix identity provider id in encrypted query string ( #4006 )
Co-authored-by: Denis Mishin <dmishin@pomerium.com>
2023-02-23 08:30:50 -07:00
Caleb Doxsey
be13027fe0
authenticate: don't require a session for sign_out ( #4007 )
authenticate: don't require a session for sign_out
2023-02-22 21:42:10 -07:00
Caleb Doxsey
b62efeb16c
authenticate: only use csrf none for apple ( #3979 )
2023-02-16 08:52:39 -07:00
Mike Nestor
1d4474f7c5
Appleid ( #3959 )
* appleid oauth works but probably not implemented the best
chore(deps): bump golang from 1.19.5-buster to 1.20.0-buster (#3949 )
Bumps golang from 1.19.5-buster to 1.20.0-buster.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Denis Mishin <dmishin@pomerium.com>
implemented correct expiration, refresh and revoke
chore(deps): bump golang from 1.19.5-buster to 1.20.0-buster (#3949 )
Bumps golang from 1.19.5-buster to 1.20.0-buster.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Denis Mishin <dmishin@pomerium.com>
fixed lint issues and maybe ignored G101
* Update internal/identity/oauth/apple/apple.go
Co-authored-by: Caleb Doxsey <caleb@doxsey.net>
* Update internal/identity/oauth/apple/apple.go
Co-authored-by: Caleb Doxsey <caleb@doxsey.net>
* Update internal/identity/oauth/apple/apple.go
Co-authored-by: Caleb Doxsey <caleb@doxsey.net>
* Update internal/identity/oauth/apple/apple.go
Co-authored-by: Caleb Doxsey <caleb@doxsey.net>
* Update internal/identity/oauth/apple/apple.go
Co-authored-by: Caleb Doxsey <caleb@doxsey.net>
* Update internal/identity/oauth/apple/apple.go
Co-authored-by: Caleb Doxsey <caleb@doxsey.net>
---------
Co-authored-by: Caleb Doxsey <caleb@doxsey.net>
2023-02-13 18:01:00 -07:00
Caleb Doxsey
54676afce2
authenticate: always trust the passed in idp ( #3917 )
2023-01-30 18:59:07 -07:00
Caleb Doxsey
bfcd15435f
authenticate: add additional error details for hmac errors ( #3878 )
2023-01-11 07:53:11 -07:00
Caleb Doxsey
539fd51579
authenticate: remove databroker dependency ( #3820 )
2022-12-17 09:03:46 -07:00
Caleb Doxsey
c86ca6f76f
webauthn: require session when accessing /.pomerium/webauthn ( #3814 )
* webauthn: require session when accessing /.pomerium/webauthn
* remove dead code
* remove unused PomeriumDomains field
2022-12-16 10:59:21 -07:00
Caleb Doxsey
57217af7dd
authenticate: implement hpke-based login flow ( #3779 )
* urlutil: add time validation functions
* authenticate: implement hpke-based login flow
* fix import cycle
* fix tests
* log error
* fix callback url
* add idp param
* fix test
* fix test
2022-12-05 15:31:07 -07:00
Caleb Doxsey
fa26587f19
remove forward auth ( #3628 )
2022-11-23 15:59:28 -07:00
Caleb Doxsey
c1a522cd82
proxy: add userinfo and webauthn endpoints ( #3755 )
* proxy: add userinfo and webauthn endpoints
* use TLD for RP id
* use EffectiveTLDPlusOne
* upgrade webauthn
* fix test
* Update internal/handlers/jwks.go
Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
2022-11-22 10:26:35 -07:00
Caleb Doxsey
2b319822a4
authenticate: update user info dashboard to show group info for enterprise ( #3736 )
* authenticate: update user info dashboard to show group info for enterprise
* Update ui/src/components/GroupDetails.tsx
Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
2022-11-09 07:44:35 -07:00
Caleb Doxsey
c178819875
move directory providers ( #3633 )
* remove directory providers and support for groups
* idp: remove directory providers
* better error messages
* fix errors
* restore postgres
* fix test
2022-11-03 11:33:56 -06:00
Caleb Doxsey
30bdae3d9e
sessions: check idp id to detect provider changes to force session invalidation ( #3707 )
* sessions: check idp id to detect provider changes to force session invalidation
* remove dead code
* fix test
2022-10-25 16:20:32 -06:00
Caleb Doxsey
b68dc1ff4f
controlplane: move jwks.json endpoint to control plane ( #3691 )
2022-10-25 08:01:33 -06:00
Caleb Doxsey
bdd6145e91
authenticate: get/set identity provider id for all sessions ( #3597 )
2022-09-07 10:06:59 -06:00
Caleb Doxsey
5f51510e91
authenticate: add CORS headers to jwks endpoint ( #3574 )
2022-08-25 16:09:11 -06:00
Caleb Doxsey
e9e52d8225
authenticate: fix branding for webauthn device registration page ( #3572 )
2022-08-24 15:51:34 -06:00
Caleb Doxsey
46703b9419
config: add branding settings ( #3558 )
2022-08-16 14:51:47 -06:00
Caleb Doxsey
6140ee1d88
controlplane: add well-known endpoint to the controlplane http handler ( #3555 )
* controlplane: add well-known endpoint to the controlplane http handler
* add support for trailing /
* remove redundant test
2022-08-16 09:59:39 -06:00
Caleb Doxsey
464ccdf767
authenticate: fix internal service URL dashboard redirect ( #3305 )
2022-04-29 08:09:28 -06:00
Caleb Doxsey
61ffeb837d
authenticate: fix internal service URL CORS check ( #3279 )
2022-04-19 10:09:47 -06:00
Caleb Doxsey
36f73fa6c7
authorize: track session and service account access date ( #3220 )
* session: add accessed at date
* authorize: track session and service account access times
* Revert "databroker: add support for field masks on Put (#3210 )"
This reverts commit 2dc778035d.
* add test
* fix data race in test
* add deadline for update
* track dropped accesses
2022-03-31 09:19:04 -06:00
Caleb Doxsey
69ba511c64
authenticate: fix internal url with webauthn ( #3194 )
2022-03-28 06:36:48 -06:00
Caleb Doxsey
7d00ad9b7d
remove version ( #3184 )
2022-03-23 11:51:24 -06:00
Caleb Doxsey
da97546de1
authenticate: show the device enrolled page as the user info page ( #3151 )
2022-03-17 11:15:57 -07:00
Nathan Hayfield
351f562c42
adds pomerium version to the user info endpoint ( #3093 )
* adds pomerium version to the user info endpoint
* linting
* order imports
2022-03-03 20:00:17 +01:00
Caleb Doxsey
1342523cda
grpc: remove ptypes references ( #3078 )
2022-02-24 08:37:59 -07:00
Caleb Doxsey
35f697e491
userinfo: add webauthn buttons to user info page ( #3075 )
* userinfo: add webauthn buttons to user info page
* use new buttons on original page
* fix test
2022-02-23 10:08:24 -07:00
Caleb Doxsey
38c7089642
userinfo: fix logout button, add sign out confirm page ( #3058 )
* userinfo: fix logout button, add sign out confirm page
* fix test
2022-02-23 08:15:00 -07:00
Caleb Doxsey
f9b95a276b
authenticate: support for per-route client id and client secret ( #3030 )
* implement dynamic provider support
* authenticate: support per-route client id and secret
2022-02-16 12:31:55 -07:00
Caleb Doxsey
46c4d5fa7e
session: remove unused session state properties ( #3022 )
* fix error page
* share dashboard code
* sessions: remove unused session state properties
* remove programmatic
* remove version
2022-02-09 10:59:06 -07:00
Caleb Doxsey
0898dd4f34
proxy: fix error page ( #3020 )
* fix error page
* proxy: fix error page
* share dashboard code
* fix test
2022-02-09 09:14:24 -07:00
Caleb Doxsey
2824faecbf
frontend: react+mui ( #3004 )
* mui v5 wip
* wip
* wip
* wip
* use compressor for all controlplane endpoints
* wip
* wip
* add deps
* fix authenticate URL
* fix test
* fix test
* fix build
* maybe fix build
* fix integration test
* remove image asset test
* add yarn.lock
2022-02-07 08:47:58 -07:00
Caleb Doxsey
2f328e7de0
authenticate: fix expiring user info endpoint ( #2976 )
* authenticate: fix expiring user info endpoint
* add test
2022-01-27 16:10:47 -07:00