Currently most requests to the authenticate service will result in a log
entry with the message "authenticate: origin blocked". This may be
confusing, as the request is not in fact blocked; instead, what happens
is that no special CORS headers are added to the response.
Let's reverse the logging behavior, and instead log a message only for
those requests with a valid signature, where we do add CORS headers to
the response.
Add a unit test case exercising the CORS middleware.
* core/authenticate: refactor identity authenticators to initiate redirect, use cookie for redirect url for cognito
* set secure and http only, update test
Update the initialization logic for the authenticate, authorize, and
proxy services to automatically select between the stateful
authentication flow and the stateless authentication flow, depending on
whether Pomerium is configured to use the hosted authenticate service.
Add a unit test case to verify that the sign_out handler does not
trigger a sign in redirect.
Consolidate all logic specific to the stateless authenticate flow into a
a new Stateless type in a new package internal/authenticateflow. This is
in preparation for adding a new Stateful type implementing the older
stateful authenticate flow (from Pomerium v0.20 and previous).
This change is intended as a pure refactoring of existing logic, with no
changes in functionality.
The Authenticate.getUserInfoData() method has an error return value, but
always returns nil for this value. Let's remove this return value from
the method signature.
The buildIdentityProfile() method is called only from
Authenticate.getOAuthCallback(), which has previously called
Authenticator.Authenticate(). It looks like all implementations of the
Authenticator interface already call UpdateUserInfo(), so we shouldn't
need to call UpdateUserInfo() a second time from buildIdentityProfile().
This should simplify the code a little and provide a slight performance
improvement (by avoiding one network request).
Currently the Authenticate.storeIdentityProfile() method always emits an
Error log. If there is no error from cookieChunker.SetCookie(), this
results in an empty log entry:
{"level":"error","time":"2023-06-27T23:56:38Z"}
Refactor this method to instead return the error from SetCookie(), and
update the calling code so that it logs a message only when this error
is non-nil.
(Moving the log call to the calling method gives access to the request
context, so the log entry will include the request ID and other related
info.)
* proxy: add userinfo and webauthn endpoints
* use TLD for RP id
* use EffectiveTLDPlusOne
* upgrade webauthn
* fix test
* Update internal/handlers/jwks.go
Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
* authenticate: update user info dashboard to show group info for enterprise
* Update ui/src/components/GroupDetails.tsx
Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
* session: add accessed at date
* authorize: track session and service account access times
* Revert "databroker: add support for field masks on Put (#3210)"
This reverts commit 2dc778035d.
* add test
* fix data race in test
* add deadline for update
* track dropped accesses
