mirror
/
hydra
mirror of https://github.com/ory/hydra
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
4,044 Commits 131 Branches 234 Tags 228 MiB
Commit Graph

209 Commits

Author SHA1 Message Date
aeneasr bbe0406df6 feat: config hot reloading architecture 2022-09-07 08:10:31 +02:00
Grant Zvolsky 8e961d0eb3 code review 2022-09-07 08:10:31 +02:00
Grant Zvolsky 53862f290c refactor: improve performance and reduce data use of consent persistence layer (#2836) 
This patch changes the internal data structure and reduces four (sort of redundant) tables into one. As part of this change, a few new tools have been added:

* Introduce the `hydra sql gen` command and a convenience Make target with autocompletion. The command reads migration templates from a source directory and produces migration files in a target directory. Its main function is to split a single source file into multiple files using split marks.

* Introduce the `hack/db-diff.sh` command to generate database schema diffs at different commits. This script is used to view and review the impact of migrations on the database schema.

BREAKING CHANGES: This patch merges four SQL Tables into a new table, deleting the old tables in the process. The migrations in this patch are expected to be applied offline. Please be aware that *there are no down migrations*, and if something goes wrong, data loss is possible. Always back up your database before applying migrations. For more information, see [Hydra 2.x Migration Guide](https://www.ory.sh/hydra/docs/guides/migrate-v2).

Rows with NULL login_challenge in `hydra_oauth2_consent_request` and corresponding `hydra_oauth2_consent_request_handled` are deleted as a side effect of the merge migration. This is done with the assumption that only a very small number of sessions, issued by pre-1.0 Hydra, will be affected. Please contact us if this assumption doesn't apply or if the deletion adversely affects your deployment.

Signed-off-by: Grant Zvolsky <grant@zvolsky.org>
 2022-09-07 08:10:31 +02:00
Mart Aarma 22e1ebb574
feat: async backchannel logout (#2849) 
Co-authored-by: aeneasr <3372410+aeneasr@users.noreply.github.com>
 2022-04-28 23:42:37 +02:00
Andrew Minkin 5895d03a37
docs: ORY -> Ory to follow styleguides (#2941) 2022-01-18 14:44:04 +01:00
Felix Jung f701310a8b
feat: include amr claim in ID token (#2770) 
Closes #1756

Co-authored-by: Stepan Rakitin <stepanr@mailbox.org>
 2021-09-30 14:25:06 +02:00
Stepan Rakitin 1a7dcd1c46
feat: refresh token hook to update claims (#2649) 
This patch adds a new feature to Ory Hydra which allows the updating of access and ID tokens during the refresh flow. To set it up, use the `oauth2.refresh_token_hook` configuration to set up a HTTP(S) endpoint which receives a POST request when a refresh token is about to be issued.

Closes #2570

Co-authored-by: hackerman <3372410+aeneasr@users.noreply.github.com>
 2021-09-01 09:28:04 +03:00
Flavio Leggio 6ea0bf8f4d
feat: improve delete queries for janitor command (#2540) 
This patch improves delete queries by separating the data extraction from actual delete. Extraction is made with a configurable limit, using the `--limit` CLI flag. Deletes use that list in batch mode with a configurable batch size (`--batch-size` CLI flag). Default value for limit is 100000 records and default value for batch size is 100 records.

To improve performance, `LEFT JOIN` is used to select also login and consent requests which did not result in a complete authentication, i.e. user requested login but timed out or user logged in and timed out at consent. Also, two independent `SELECT`s are used in the extraction of login and consent requests eligible for deletion. This solves a bug in the single `SELECT` causing deletion of consent requests where matching login requests were eligible for deletion and vice versa. With independent `SELECT`s we keep consent requests even if matching login request gets deleted.

Closes #2513
 2021-08-04 17:46:14 +02:00
aeneasr 1807e893fd
fix: resolve sdk build issues 2021-07-06 15:22:07 +02:00
Flori 63402dee76
feat: add custom claims to top-level JWT payload (#2545) 
Closes #1974

Co-authored-by: hackerman <3372410+aeneasr@users.noreply.github.com>
 2021-06-11 12:29:08 +02:00
George Bolo 96931685da
fix: add RFC 8414 pkce info to OpenID Connect Discovery (#2547) 
Closes #2311
 2021-06-03 09:34:24 +02:00
aeneasr a27b057517 autogen(docs): generate and format documentation 2021-05-31 15:30:58 +00:00
Nestor 5bdc4bc156
refactor: integrate with fosite `v0.40` (go-jose migration) (#2526) 
Co-authored-by: aeneasr <3372410+aeneasr@users.noreply.github.com>
 2021-05-31 18:01:28 +03:00
Mitar 8c703945e9
fix: audience should include client ID (#2455) 2021-05-14 15:33:57 +02:00
Mitar f701b28eaa
fix: WWW-Authenticate header in userinfo handler (#2454) 2021-05-14 15:24:39 +02:00
James Elliott c463d9f893
fix(oauth2): enforce assertion check on userinfo aud field (#2524) 
This is so the check on the `ok` variable is effectual. Prior to this patch the type assertion on the *client.Client was setting the value of `ok`. Due to the fact the type assertion on *client.Client is already checked and on a false value it exits the func, this value will *always* be true.

Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
 2021-05-10 08:11:46 +02:00
Mitar ff90c47ff5
fix: do not use error_hint anymore (#2450) 2021-04-09 11:47:50 +02:00
lauri 666cd2580d
feat: enable "nbf" (not before) claim to be optional for Access Token (#2437) 
Closes #1542
 2021-04-04 12:50:59 +02:00
naveenpaul1 b46a14cd6d
feat: flush refresh tokens for service oauth2/flush (#2373) 
See https://github.com/ory/hydra/issues/1574#issuecomment-736684327

Co-authored-by: hackerman <3372410+aeneasr@users.noreply.github.com>
 2021-03-08 12:43:18 +01:00
aeneasr 24daede2a6 fix: add 400 as possible reply to /oauth2/token 
Closes #2260
 2021-01-12 12:11:39 +01:00
aeneasr 428df22c7f chore: clean up viper mentions 2020-12-02 13:37:05 +01:00
aeneasr 8c12b27a59 refactor: replace viper with koanf config management 
BREAKING CHANGES: After battling with [spf13/viper](https://github.com/spf13/viper) for several years we finally found a viable alternative with [knadh/koanf](https://github.com/knadh/koanf). The complete internal configuration infrastructure has changed, with several highlights:

1. Configuration sourcing works from all sources (file, env, cli flags) with validation against the configuration schema, greatly improving developer experience when changing or updating configuration.
2. Configuration reloading has improved significantly and works flawlessly on Kubernetes.
3. Performance increased dramatically, completely removing the need for a cache layer between the configuration system and ORY Hydra.
4. It is now possible to load several config files using the `--config` flag.
5. Configuration values are now sent to the tracer (e.g. Jaeger) if tracing is enabled.

Please be aware that deprecated configuration flags have finally been removed with this change. It is also possible that ORY Hydra might complain about an invalid configuration, because the validation process has improved significantly.
 2020-12-02 13:37:05 +01:00
aeneasr c376473c37 test: refactor oauth2 auth code tests 2020-11-17 17:25:54 +01:00
aeneasr b74cffa8d2 test: refactor client credential tests 2020-11-17 17:25:54 +01:00
aeneasr e2a7135fad feat: remove legacy error fields unless configured to do so 
BREAKING CHANGE: This patch removes `error_hint` and `error_debug` fields from OAuth2 responses. These are now all merged into `error_description` which is according to the OAuth2 and OpenID Connect specification. If you wish to keep the old behavior around, set `oauth2.include_legacy_error_fields` to `true` in your ORY Hydra configuration.
 2020-11-17 17:25:54 +01:00
aeneasr d0697fab29 fix: add required aud, jti claims to userinfo response 2020-11-17 17:25:54 +01:00
aeneasr 4220959c02 feat: add new `request_object_signing_alg_values_supported` to oidc discovery 2020-11-17 17:25:54 +01:00
aeneasr fdf142cc7c feat: improve error stack trace wrapping 2020-11-17 17:25:54 +01:00
aeneasr bb8b9824e8 feat: add ability to override oidc discovery urls 
Added config options `webfinger.oidc_discovery.token_url`, `webfinger.oidc_discovery.auth_url`, `webfinger.oidc_discovery.jwks_url`.
 2020-11-17 17:25:54 +01:00
Bernat Mut 0b1de34a5c
feat: add configuration option to grant default client_credential scope when no scope is requested (#2144) 
Adds an option which allows granting the OAuth2 Client's authorized scope when performing a `client_credentials` flow without specifying a scope. This enables compatibility with MITREid.

Closes #2141
 2020-10-29 15:06:20 +01:00
Patrik 56bce678cb refactor: use gobuffalo/pop for SQL abstraction (#2059) 
This patch replaces the existing SQL and memory managers with a pop based persister. Existing SQL migrations are compatible as they have been migrated to the new SQL abstraction in version 1.7.x. As a goodie, ORY Hydra now supports SQLite for both in-memory as well as on-disk (useful for development and very small deployments) databases!

Closes #1730

Co-authored-by: aeneasr <aeneas@ory.sh>
Co-authored-by: hackerman <3372410+aeneasr@users.noreply.github.com>
 2020-10-20 14:55:49 +02:00
zepatrik 4540ece128 docs: swagger route headline capitalization 
These should be the last places, therefore closes #2015
 2020-10-08 13:32:47 +02:00
hackerman b36073af48
fix: bump deps to patch CVE-2020-15223 (#2067) 
BREAKING CHANGES: As part of this patch, a few things have changed in a breaking fashion:

- OAuth2 Redirection URL error parameters `error_hint`, `error_debug` have been deprecated and now part of `error_description`. The parameters are still included for compatibility reasons but will be removed in a future release.
- OAuth2 Error `revocation_client_mismatch` was not standardized and has been removed. Instead, you will now receive `unauthorized_client` with a description explaning why the flow failed.
 2020-09-29 10:01:13 +02:00
catper 82208c43a1
fix: downgrade log level for access rejections (#2038) 
Closes #2031
 2020-09-20 09:48:07 +03:00
Ajanthan 077c54ab51
feat: API for deleting a client's access tokens (#2058) 
Closes #1728
 2020-09-20 09:43:58 +03:00
phiremande 29b2af4add
fix: support HTTP POST method for logout (#2043) 2020-09-19 16:38:06 +03:00
Helmuth Bederna 595e3b0eda
docs: capitalize swagger titles in NYT style (#2023) 
See #2015
 2020-08-28 15:21:50 +02:00
hackerman 973d57b830
docs: remove introspect security spec (#2002) 
Closes #1520
 2020-08-20 17:53:30 +02:00
sawadashota 379eed3db3
fix: do not log error at login/consent cancelation (#1914) 
Closes #1912

Signed-off-by: sawadashota <xiootas@gmail.com>
 2020-06-22 11:17:09 +02:00
sawadashota 4bfbddb5a4
feat: log errors with request information (#1893) 
Signed-off-by: sawadashota <xiootas@gmail.com>
 2020-06-08 12:08:21 +02:00
Furkan e785bc71cd
oauth2: add www-authenticate at userinfo endpoint (#1891) 
Closes  #1827
 2020-06-05 08:33:10 +02:00
Patrik 700d17d3b7
Merge pull request from GHSA-3p3g-vpw6-4w66 
BREAKING CHANGE: This patch requires a new SQL Table which needs to be created using `hydra migrate sql`. No other breaking changes have been introduced by this patch.

This patch introduces a blacklist for JTIs which prevents a potential replay of `private_key_jwt` JWTs when performing client authorization.

## GHSA-3p3g-vpw6-4w66

### Impact

When using client authentication method "private_key_jwt" [1], OpenId specification says the following about assertion `jti`:

> A unique identifier for the token, which can be used to prevent reuse of the token. These tokens MUST only be used once, unless conditions for reuse were negotiated between the parties

Hydra does not seem to check the uniqueness of this `jti` value. Here is me sending the same token request twice, hence with the same `jti` assertion, and getting two access tokens:

```
$ curl --insecure --location --request POST 'https://localhost/_/oauth2/token' \
   --header 'Content-Type: application/x-www-form-urlencoded' \
   --data-urlencode 'grant_type=client_credentials' \
   --data-urlencode 'client_id=c001d00d-5ecc-beef-ca4e-b00b1e54a111' \
   --data-urlencode 'scope=application openid' \
   --data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
   --data-urlencode 'client_assertion=eyJhb [...] jTw'
{"access_token":"zeG0NoqOtlACl8q5J6A-TIsNegQRRUzqLZaYrQtoBZQ.VR6iUcJQYp3u_j7pwvL7YtPqGhtyQe5OhnBE2KCp5pM","expires_in":3599,"scope":"application openid","token_type":"bearer"}⏎            ~$ curl --insecure --location --request POST 'https://localhost/_/oauth2/token' \
   --header 'Content-Type: application/x-www-form-urlencoded' \
   --data-urlencode 'grant_type=client_credentials' \
   --data-urlencode 'client_id=c001d00d-5ecc-beef-ca4e-b00b1e54a111' \
   --data-urlencode 'scope=application openid' \
   --data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
   --data-urlencode 'client_assertion=eyJhb [...] jTw'
{"access_token":"wOYtgCLxLXlELORrwZlmeiqqMQ4kRzV-STU2_Sollas.mwlQGCZWXN7G2IoegUe1P0Vw5iGoKrkOzOaplhMSjm4","expires_in":3599,"scope":"application openid","token_type":"bearer"}
```

### Severity

We rate the severity as medium because the following reasons make it hard to replay tokens without the patch:

- TLS protects against MITM which makes it difficult to intercept valid tokens for replay attacks
- The expiry time of the JWT gives only a short window of opportunity where it could be replayed

### Patches

This will be patched with v1.4.0+oryOS.17

### Workarounds

Two workarounds have been identified:

- Do not allow clients to use `private_key_jwt`
- Use short expiry times for the JWTs

### References

https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication

### Upstream

This issue will be resolved in the upstream repository https://github.com/ory/fosite
 2020-04-02 11:35:32 +02:00
vancity-amir 30d420d2ca
chore: move to non-deprecated ExactOne (#1772) 
fix linter due to deprecation notice on 'func (r Arguments) Exact(name string) bool'
 2020-03-26 10:13:03 +01:00
hackerman 7ab715402b
refactor(client): Reduce SQL boilerplate code (#1758) 
Part of #1730
 2020-03-15 00:34:18 +01:00
aeneasr f1c926bd72 fix: Resolve linter complaints 2020-02-03 14:58:00 +01:00
Samuele Lilli 53d5c7cb96 Fix typo in handler.go comment (#1626) 
... and generated documentation
 2019-11-14 09:01:14 +01:00
hackerman d1343ae202
Improve OAuth2 API Docs (#1499) 2019-08-19 19:14:36 +02:00
hackerman b5cb1534cc
sdk: Fix missing and broken swagger annotations (#1440) 
Closes #1435

Signed-off-by: aeneasr <aeneas@ory.sh>
 2019-05-17 11:05:33 +02:00
David f8f23630d8 all: add CockroachDB support (#1348) 
Closes #1326 

Signed-off-by: David López <not4rent@gmail.com>
 2019-05-10 13:18:19 +02:00
André Filipe b40519074f oauth2: Corrected oidc discovery claims and scope values (#1428) 
Signed-off-by: André Filipe <andre.r.flip@gmail.com>
Signed-off-by: André Filipe Easypay <andre@easypay.pt>
 2019-05-09 14:21:34 +02:00
Matt Drollette 64f31388d4 oauth2: Fix fallback routes and templates (#1402) 
Signed-off-by: Matt Drollette <matt@drollette.com>
 2019-04-30 07:23:58 +02:00
hackerman bbeee653de
Implement OpenID Connect Front-/Backchannel logout (#1376) 
Closes #1368 
Closes #1004 
Closes #834

Signed-off-by: aeneasr <aeneas@ory.sh>
 2019-04-25 23:17:57 +02:00
hackerman 957a2d670a
oauth2: Expose revocation endpoint at OIDC Discovery (#1355) 
Closes #12678

Signed-off-by: aeneasr <aeneas@ory.sh>
 2019-04-11 20:42:49 +02:00
hackerman 95a51deb31
Improve configuration and service management (#1314) 
This patch significantly refactors internal configuration and service management with the goal of making configuration changes possible without service restarts. This patch prepares the possibility to configure ORY Hydra from a remote source (etcd, consul) and watch for changes. This patch also introduces the possibility to configure ORY Hydra from a configuration file on top of environment variables.

The following issues have been fixed as well:

- Key rotation of the system secret is now much simpler (closes #1316)
- Database connectivity parameters such as max_conns no longer cause issues with older postgres versions (closes #1327)
- Non-existing routes now return a JSON error instead of `text/plain` when `application/json` was requested (clsoes #1244)
- We now push tags latest, X, X.Y, X.Y.Z to docker hub (closes #1289)
- The quickstart guide no longer builds the source code but instead pulls latest tag (closes #1309)
- We moved to goreleaser and godownloader for release management (closes #1107)
- The quickstart Docker Compose files are now reusable (closes #1196)

The following issues are also resolved:

- Closes #1121 

Signed-off-by: aeneasr <aeneas@ory.sh>
 2019-04-02 11:52:21 +02:00
Vadim a18c44ef3b oauth2: Return proper refresh token expiration time (#1300) 
Closes #1296

Signed-off-by: Vadim Sabirov <pr0head@gmail.com>
 2019-03-17 18:14:30 +01:00
hackerman 3db25f6a69
oauth2: Fix swagger documentation for oauth2/token (#1284) 
Closes #1274

Signed-off-by: aeneasr <aeneas@ory.sh>
 2019-02-18 10:32:59 +01:00
hackerman 61d068f2ed
oauth2: Improve introspection debugability (#1232) 
Signed-off-by: aeneasr <aeneas@ory.sh>
 2018-12-13 09:26:02 +01:00
hackerman 11924bf5f7
sql: Resolve index/fk regression issues (#1178) 
Closes #1177

Signed-off-by: aeneasr <aeneas@ory.sh>
 2018-11-20 00:02:05 +01:00
arekkas 700a4a2eff sdk: Use new api groups everywhere 2018-11-18 23:04:10 +01:00
hackerman 89f5960c9a
sdk: Update swagger endpoint definition (#1166) 
Closes #1070

Signed-off-by: aeneasr <aeneas@ory.sh>
 2018-11-09 14:10:04 +01:00
hackerman ddafef543c
oauth2: Make client registration endpoint configurable (#1167) 
Closes #1072
 2018-11-08 17:12:32 +01:00
hackerman e88c7b630b
consent: Properly propagate acr value (#1160) 
Closes #1032

Signed-off-by: aeneasr <aeneas@ory.sh>
 2018-11-08 11:36:37 +01:00
hackerman fa19d23983
sdk: Document userinfo as GET instead of POST (#1161) 
Closes #1049

Signed-off-by: aeneasr <aeneas@ory.sh>
 2018-11-05 22:48:29 +01:00
hackerman 3a10df9bff
oauth2: Add OAuth2 audience claim and improve migrations (#1145) 
This patch adds the ability to whitelist and request an audience
when performing any OAuth 2.0 Flow. The audience is useful in multi-
tenant environments where access tokens should be restricted to certain
resources.

Closes #883
Closes #1144

Signed-off-by: arekkas <aeneas@ory.am>
 2018-11-02 16:46:01 +01:00
JiaLiPassion 1f3a1231c0 cors: Add options cors middleware handler (#1125) 
Signed-off-by: JiaLiPassion <JiaLi.Passion@gmail.com>
 2018-10-25 17:08:24 +02:00
JiaLiPassion c26019929b oauth2: wellknown should use corsMiddleware (#1116) 
Signed-off-by: JiaLiPassion <JiaLi.Passion@gmail.com>
 2018-10-24 13:24:06 +02:00
hackerman 65b7406abe
Move dependencies to ory/x (#1095) 
Signed-off-by: aeneasr <aeneas@ory.sh>
 2018-10-23 06:59:31 -07:00
Amir Aslaminejad 4188f69c45 oauth2: propagate go context down the call path 
Signed-off-by: Amir Aslaminejad <aslaminejad@gmail.com>
 2018-09-21 16:02:08 +02:00
Amir Aslaminejad b23029b96c oauth2: pass the request context along to the sql store. 
Signed-off-by: Amir Aslaminejad <aslaminejad@gmail.com>
 2018-09-18 09:48:55 +02:00
hackerman a36d0af611
oauth2: Enable client specific CORS settings (#1009) 
Field `allowed_cors_origins` was added to OAuth 2.0 Clients. It enables
CORS for the whitelisted URLS for paths which clients interact with,
such as /oauth2/token.

Closes #975

Signed-off-by: arekkas <aeneas@ory.am>
 2018-08-26 14:28:05 +02:00
hackerman c72e64cebd
oauth2: Resolve broken expiry when refreshing id token (#1002) 
Closes #985

Signed-off-by: arekkas <aeneas@ory.am>
 2018-08-23 00:27:20 +02:00
hackerman 93dcbcf3b9
consent: Add logout api endpoint (#984) 
Closes #970

Signed-off-by: Michael DeRazon <mderazon@gmail.com>
Signed-off-by: arekkas <aeneas@ory.am>
 2018-08-10 11:27:26 +02:00
arekkas 479acd7ea7 consent: Introduce pairwise support 
This patch introduces the OpenID Connect pairwise Subject Identifier Algorithm.

Closes #950

Signed-off-by: arekkas <aeneas@ory.am>
 2018-08-10 10:23:19 +02:00
arekkas 78e65521c2 oauth2: Adds subject_type support to oidc discovery 
See #950

Signed-off-by: arekkas <aeneas@ory.am>
 2018-08-10 10:23:19 +02:00
hackerman 123e37e132
oauth2: Share error details with redirect fallback (#982) 
Closes #974

Signed-off-by: arekkas <aeneas@ory.am>
 2018-08-08 21:27:52 +02:00
Prateek Malhotra e4e316342e oauth2: Refactor OAuth2 JWT strategy as an interface (#972) 
Signed-off-by: Prateek Malhotra <someone1@gmail.com>
 2018-08-07 17:00:19 +02:00
arekkas 17e63116c8 oauth2: Removes authorization from introspection 
Signed-off-by: arekkas <aeneas@ory.am>
 2018-08-06 16:20:36 +02:00
arekkas cfee3eb3d0 cmd: Introduce public and administrative ports 
This patch introduces two ports, public and administrative. The public
port is responsible for handling API requests to public endpoints such
as /oauth2/auth, while the administrative port handles requests to
JWK, OAuth 2.0 Client, and Login & Consent endpoints.

Closes #904

Signed-off-by: arekkas <aeneas@ory.am>
 2018-08-06 11:29:38 +02:00
arekkas e79014d33b oauth2: Add and enhance access/refresh token tests 
This patch introduces more tests for code and refresh flows and the JWT
strategy.

Signed-off-by: arekkas <aeneas@ory.am>
 2018-07-23 17:10:30 +02:00
arekkas c932ab4571 oauth2: Adds JWT Access Token strategy 
This patch adds the (experimental) ability to issue JSON Web Tokens instead of ORY Hydra's opaque access tokens. Please be aware that this feature has had little real-world and unit testing and may not be suitable for production.

Simple integration tests using the JWT strategy have been added to ensure functionality.

To use the new JWT strategy, set environment variable `OAUTH2_ACCESS_TOKEN_STRATEGY` to `jwt`. For example: `export OAUTH2_ACCESS_TOKEN_STRATEGY=jwt`.

Please be aware that we (ORY) do not recommend using the JWT strategy for various reasons. If you can, use the default and recommended "opaque" strategy instead.

Closes #248

Signed-off-by: arekkas <aeneas@ory.am>
 2018-07-23 17:10:30 +02:00
arekkas 00fd517fbf oauth2: Removes tokens when consent is revoked 
Closes #856

Signed-off-by: arekkas <aeneas@ory.am>
 2018-07-07 14:49:16 +02:00
arekkas bc0b54c545 oauth2: Implements userinfo response signing 2018-06-24 17:24:12 +02:00
arekkas e41fcf263c jwk: Removes buggy rotate command and improves jwk refresh 2018-06-24 17:24:12 +02:00
arekkas 1d02cae554 jwk: Implements proper refreshing strategy 2018-06-24 17:24:12 +02:00
aeneasr 6837046546 oauth2: Declares grant type refresh_token as supported 2018-06-24 17:24:12 +02:00
arekkas 8f2e9314f2 oauth2: Exposes proper oidc configuration 2018-06-24 17:24:12 +02:00
arekkas 259d63a4de oauth2: Adds private_key_jwt authentication method 2018-06-24 17:24:12 +02:00
arekkas 1580677926 oauth2: Adds parameter broadcast to oidc discovery 2018-06-24 17:24:12 +02:00
arekkas ffefb74e06 oauth2: Resolves well-known test issues 2018-06-24 17:24:12 +02:00
arekkas ad86dd18d3 oauth2: Implements dynamic client registration 2018-06-24 17:24:12 +02:00
arekkas 526e3a7dbe oauth2: Resolves issues with broken tests 2018-05-29 12:20:50 +02:00
arekkas f7390459da oauth2: Aligns issuer URL from well known with one from id token 2018-05-29 11:28:19 +02:00
arekkas 7afed882d8 oauth2: Resolves various issues related to audience claims 
This patch resolves issues related to the ID and Access Token audience
claim:

* oauth2: Allow multiple audience claims on ID token - closes #790
* oauth2: Reintroduce audience claim - closes #687
 2018-05-29 11:28:19 +02:00
arekkas f2ef5b129f oauth2: Ignores JTI in userinfo 2018-05-24 13:31:02 +02:00
arekkas a4d2e73cdd all: Removes access control relics 2018-05-23 18:22:47 +02:00
arekkas d0919141f6 oauth2: Remove rat (requested_at) from userinfo endpoint 2018-05-20 14:18:30 +02:00
arekkas a7edf63cbc oauth2: Trim left slash from userinfo endpoint 2018-05-19 22:44:39 +02:00
arekkas 1940c3c8ff oauth2: Properly uses issuer in JWT 2018-05-19 22:39:01 +02:00
arekkas e387aeaca5 oauth2: Removes duplicate / in .well-known 2018-05-19 21:48:23 +02:00
arekkas fccfc4da6a consent: Properly handle requestedAt across the login/consent flow 2018-05-19 15:19:29 +02:00