Commits · 3b53d9f8b29367d63ff37aa390d5ceb18cb8ccdf · id / go-sso

10 Jan, 2021 2 commits
- Update id/keystore · 3b53d9f8
  ale authored Jan 10, 2021
  
  3b53d9f8
- Add go.mod, update dependencies, build on Bullseye · 018bd88d
  ale authored Jan 10, 2021
  
  018bd88d
11 Nov, 2020 1 commit

ale authored Nov 11, 2020

Fixes issue #16, the only change is in the u2f/otp login links.

71512831

24 Aug, 2020 1 commit
- Document the allowed_cors_origins option · a0c2b587
  ale authored Aug 24, 2020
  
  a0c2b587
23 Aug, 2020 6 commits
- Merge branch 'saml-enforce-groups' · a64b4480
  ale authored Aug 23, 2020
  
  a64b4480
- Set the logout URL on the SAML server descriptor · 2cd5254c
  ale authored Aug 23, 2020
```
Update the crewjam/saml library too.
```
  2cd5254c
- Merge branch 'saml-enforce-groups' into 'master' · 4c546e2f
  ale authored Aug 23, 2020
```
Enforce group membership checks in the SAML server

See merge request !9
```
  4c546e2f
- Enforce group membership checks in the SAML server · 01df95f6
  ale authored Aug 23, 2020
  
  01df95f6
- Support the case where usernames are already email addresses · d00e7f54
  ale authored Aug 23, 2020
```
In this scenario there is no need to set 'users_file', instead we
introduce the new boolean attribute 'email_usernames'.
```
  d00e7f54
- Upgrade ai3/go-common · f1c2d0bf
  ale authored Aug 23, 2020
  
  f1c2d0bf
06 May, 2020 1 commit

Drop form-action from CSP · b111e43a

ale authored May 06, 2020

Apparently this is applied even after the redirect, so we can't use it.

b111e43a

04 May, 2020 2 commits
- Stricter Content-Security-Policy headers · 81b8bd24
  ale authored May 04, 2020
```
Adds the 'base-uri', 'form-action' and 'frame-ancestors' properties.
```
  81b8bd24
- Set SameSite policy on CSRF cookies · 72bb1ac7
  ale authored May 04, 2020
  
  72bb1ac7
28 Apr, 2020 1 commit
- Add some error logging on saml-server · fb63c3d1
  ale authored Apr 28, 2020
  
  fb63c3d1
27 Apr, 2020 2 commits
- Fix X-Frame-Options header (uppercase) · 65b137a4
  ale authored Apr 27, 2020
  
  65b137a4
- Fix X-Frame-Options header · 8af8979f
  ale authored Apr 27, 2020
  
  8af8979f
29 Mar, 2020 1 commit
- Set default timeouts on the proxy http.Transport · d1e6a380
  ale authored Mar 29, 2020
  
  d1e6a380
20 Mar, 2020 1 commit
- Handle the double-logout case more cleanly · 28fcb558
  ale authored Mar 20, 2020
```
Do not attempt to call backends (keystore) with empty usernames.
```
  28fcb558
14 Mar, 2020 1 commit
- Fix URLs for flipping between otp/u2f · f3fd32c0
  ale authored Mar 14, 2020
  
  f3fd32c0
12 Feb, 2020 1 commit
- Upgrade id/auth (tracing) · 72395351
  ale authored Feb 12, 2020
  
  72395351
06 Feb, 2020 2 commits
- Upgrade go-common: handle a nil pointer deref · a1bb2db9
  ale authored Feb 06, 2020
  
  a1bb2db9
- Upgrade go-common (enforce rpc timeouts) · 7c1711be
  ale authored Feb 06, 2020
  
  7c1711be
06 Jan, 2020 1 commit
- Update ai3/go-common/clientutil · 3ecaec92
  ale authored Jan 06, 2020
  
  3ecaec92
20 Dec, 2019 11 commits
- Register the Prometheus metrics · 0c0c8424
  ale authored Dec 20, 2019
  
  0c0c8424
- Add Prometheus instrumentation for sso server internals · 1d049ac2
  ale authored Dec 20, 2019
```
Metrics cover specifically the authentication workflow.
```
  1d049ac2
- Trim spaces on submitted usernames · 5d8f8021
  ale authored Dec 20, 2019
  
  5d8f8021
- Log the shard when we are unlocking a key · a7b1ae99
  ale authored Dec 20, 2019
  
  a7b1ae99
- Always set the keystore shard in maybeUnlockKeystore() · 8d3f4507
  ale authored Dec 20, 2019
  
  8d3f4507
- Pass a valid UserInfo to the login callback · 0a0ca7d5
  ale authored Dec 20, 2019
```
The sess.UserInfo is still unset at that stage, use valid information
instead. This fixes a bug where keys were not being unlocked for users.
```
  0a0ca7d5
- Improve keystore test · 79a14158
  ale authored Dec 20, 2019
  
  79a14158
- Remove debugging printf · 7417d7d5
  ale authored Dec 20, 2019
  
  7417d7d5
- Add a grace time to the keystore TTL · 10aba630
  ale authored Dec 20, 2019
```
Just to cover edge cases when sessions are about to expire.
```
  10aba630
- Log successful authorizations (with ttl) · c31919d0
  ale authored Dec 20, 2019
  
  c31919d0
- Check the deadline independently from securecookie · ca680333
  ale authored Dec 20, 2019
  
  ca680333
19 Dec, 2019 6 commits
- Use short names for fields in the JSON-encoded session · 79c42231
  ale authored Dec 19, 2019
```
Makes the authentication cookie quite shorter.
```
  79c42231
- Do not generate SSO tickets valid for longer than the auth session · ab1f1f82
  ale authored Dec 19, 2019
```
This prevents an error where the keystore will have invalid keys even
in presence of a valid SSO ticket (because the parent auth session has
expired already).
```
  ab1f1f82
- Add tests for the /exchange HTTP endpoint · e3651fe8
  ale authored Dec 19, 2019
  
  e3651fe8
- Add tests for the Exchange method · 8238fdff
  ale authored Dec 19, 2019
  
  8238fdff
- Add test for OTP login failure · babd8cbf
  ale authored Dec 19, 2019
  
  babd8cbf
- Return 404 for unauthenticated requests to URLs that do not exist · 188a0870
  ale authored Dec 19, 2019
```
This avoids browsers messing up the session state (given that /login
calls session.Reset) with requests to various kinds of well-known URLs
that might not exist.

Also add an integration test for a server with non-nil URL prefix.
```
  188a0870