Balázs Orbán
1130cd9716
FEATURE: PKCE support (#86)
Introduces a new site setting (openid_connect_use_pkce) which enables PKCE support
Co-authored-by: Jincoco88912 <jincoco88912@gmail.com>
Co-authored-by: David Taylor <david@taylorhq.com>
2024-10-16 12:31:57 +01:00
Bianca Nenciu
9e4471586a
DEV: Revert verbose logging commit (#87)
This change was introduced to aid debugging, but it has not proved to be useful.
This reverts commit 90d0df12b2.
2024-10-09 18:22:11 +03:00
Bianca Nenciu
90d0df12b2
DEV: Raise errors if verbose logging is enabled (#85)
Some exceptions are caught and `nil` is returned instead. This can lead to some errors being silently ignored.
2024-09-26 20:12:57 +03:00
Loïc Guitaut
b6616847a3
DEV: Update rubocop-discourse to version 3.8.0 (#77)
2024-05-28 11:33:29 +02:00
Jarek Radosz
e9981c8906
DEV: Update linting (#71)
2024-01-16 18:01:20 +01:00
Natalie Tay
2b6397b6cb
DEV: Case-insensitive check on email_verified field (#70)
2023-12-01 01:19:11 +08:00
David Taylor
030f82f880
DEV: Introduce syntax_tree for ruby formatting (#51)
2022-12-29 13:33:26 +01:00
David Taylor
07c57fd31a
FEATURE: Allow match_by_email to be configured by a site setting (#46)
The default behavior is unchanged.
2022-11-07 12:06:40 +00:00
David Taylor
0817bef63a
SECURITY: Improve SSRF protections (#45)
See https://github.com/discourse/discourse/security/advisories/GHSA-rcc5-28r3-23rr
2022-11-01 17:37:53 +00:00
David Taylor
d3b347388d
FIX: Correctly handle sub mismatch between idtoken and userinfo (#42)
2022-08-24 12:19:52 +01:00
David Taylor
87c59fb03f
DEV: Correct `timeout` spelling (#39)
Followup to 13c74cdb83
2022-05-23 16:33:37 +01:00
David Taylor
8e4c5f7e61
DEV: Make request timeout configurable (#38)
2022-05-23 16:05:20 +01:00
David Taylor
344e962299
FIX: Add 10s timeout to all outbound requests (#36)
2022-05-19 15:30:56 +01:00
Jarek Radosz
e897702139
DEV: General cleanup (#34)
2022-04-06 12:19:39 +02:00
David Taylor
ac6d5d1a36
FIX: Only send `claims` parameter if it has been set (#23)
Follow-up to 25454d6707
2021-10-14 16:58:42 +01:00
Lucas Leadbetter
25454d6707
FEATURE: token endpoint `client_secret_post` authentication, and explicit `claims` (#19)
The `client_secret_post` authentication method will be used when the discovery document defines `token_endpoint_auth_methods_supported`, includes `client_secret_post`, and does not include the default `client_secret_basic`.
A new (optional) site setting is introduced which allows `claims` to be explicitly requested.
Co-authored-by: David Taylor <david@taylorhq.com>
2021-10-04 17:25:42 +01:00
David Taylor
4aa0e1b4ab
FIX: Ensure nonce mismatch causes auth to fail correctly (#15)
2021-08-09 13:25:10 +01:00
David Taylor
a9dd528aea
FIX: RP-initiated logout should pass id_token, not access_token
2020-11-12 17:16:11 +00:00
David Taylor
85abe67701
FIX: Gracefully handle errors while fetching the discovery document (#4)
Previously an error loading the discovery document would raise an exception. Now, it will display an error to the user, and log the error for site admins to view at `/logs`. Specs are updated and improved accordingly.
This moves the discovery document fetching out of OmniAuth and into Discourse. This makes it available for the upcoming rp-initiated-logout support.
2020-11-11 18:46:11 +00:00
David Taylor
109f910fd5
DEV: Fix plugin when installed alongside discourse-jwt (#3)
Replace `JWT` with `::JWT` so that it doesn't get resolved to `Omniauth::Strategies::JWT`
2020-11-11 15:27:23 +00:00
buildthomas
0112e5a046
Fix avatar picture in auth hash info (#1)
Managed Authenticator expects `image` field, not `picture`:
09a97363da/lib/auth/managed_authenticator.rb (L87)
2020-09-28 12:27:17 +01:00
David Taylor
18c20c29a0
FIX: Do not verify the `iat` claim in JWT tokens
The JWT specification (https://tools.ietf.org/html/rfc7519#page-10) does not require verification of this claim. If the issuer wishes to restrict the validity of the token, they can use the `nbf` (not before) claim, which is intended for this purpose. Discourse will verify the `nbf` claim if it is present.
In practice, clock skew between identity providers and Discourse was causing JWT validity errors to be raised.
2020-09-25 10:35:40 +01:00
David Taylor
109ec1a275
FEATURE: Add detailed OIDC request and response logs
This makes use of Faraday middleware to log precise details about all requests made by the OAuth2 gem. This should make it easier to debug configuration issues.
2020-09-25 09:47:24 +01:00
David Taylor
9ada9528e8
FIX: Accept strings for the email_verified token
This is technically a spec violation, but many providers do this, so we should check for the string 'true'.
2020-07-10 16:49:32 +01:00
David Taylor
2ef80870d3
FIX: Do not include token scope parameter when setting is empty
2020-04-01 17:50:23 +01:00
David Taylor
84c21a572c
FEATURE: Optionally allow overriding email on every login
2020-03-06 11:51:41 +00:00
David Taylor
9ad63a3fc7
FEATURE: Allow parameters to be passed from /auth/oidc to the IDP
The most common use case is when you want the IDP to start with a specific screen (e.g. signup, rather than sign in). This change has no effect by default; you must add the parameter names to the openid_connect_authorize_parameters site setting.
2020-01-08 14:15:32 +00:00
David Taylor
67a5595e98
FEATURE: Respect the email_verified boolean when supplied by IDP
2020-01-08 13:54:37 +00:00
David Taylor
3e83fa9c50
DEV: Refactor authenticator into its own file
2020-01-08 13:52:24 +00:00
Guo Xiang Tan
1f08770d1a
Add frozen string literal comment to files.
2019-05-13 10:51:32 +08:00
David Taylor
94bba5f710
FEATURE: Option to enable verbose logging of authentication process
2019-01-04 15:08:35 +00:00
David Taylor
d394c12078
FEATURE: Support latest version of `ruby-jwt` to support core changes
This change is not backwards compatible. If you install the plugin on an earlier version of Discourse, the plugin will not initialize.
2019-01-02 10:42:28 +00:00
David Taylor
84085413d5
REFACTOR: user_associated_account and managed_authenticator moved to core
2018-11-30 11:20:28 +00:00
David Taylor
250bf84faa
DEV: Improve specs for managed authenticator
2018-11-27 17:05:00 +00:00
David Taylor
f44a2cd7bb
DEV: Refactor managed_authenticator into its own file
2018-11-26 14:54:20 +00:00
David Taylor
8558d65e67
DEV: Additional tests, and improved JWT error handling
2018-11-22 12:44:38 +00:00
David Taylor
ba3685f2ef
DEV: Test token_params
2018-11-22 11:24:31 +00:00
David Taylor
a74bd6c27a
FIX: Discovery error handling in request phase
2018-11-21 16:56:46 +00:00
David Taylor
78a792b5b6
FIX: Improved 'discovery' error handling, with tests
2018-11-21 15:28:01 +00:00
David Taylor
91774686e7
FEATURE: Maintain `p` parameter between authorization and token request
2018-11-19 12:51:47 +00:00
David Taylor
923df4d39d
FIX: Use correct parameter for error description
2018-11-16 18:19:01 +00:00
David Taylor
e9c86e6822
FEATURE: Optionally redirect on defined errors, and add site setting descriptions
2018-11-16 17:55:10 +00:00
David Taylor
37753dd377
FEATURE: Pass on policy parameter
Used for Azure B2C tenants.
2018-11-15 17:31:43 +00:00
David Taylor
c4335cc513
FIX: Do not cause server error if OAuth2 callback phase fails
2018-11-15 17:31:03 +00:00
David Taylor
4425b8ae67
FEATURE: OpenID Connect support
2018-11-09 12:49:51 +00:00