Commit Graph

62 Commits

Author SHA1 Message Date
David Taylor 5e1f1a57db
FIX: Correctly handle end_session_endpoint with query parameters (#18) 2021-09-17 17:00:29 +01:00
discoursebot cb3f891361
DEV: Update CI workflows (#17)
Co-authored-by: CvX <CvX@users.noreply.github.com>
2021-09-15 19:48:40 +02:00
dependabot[bot] 4b82ee9304
Bump path-parse from 1.0.6 to 1.0.7 (#16)
Bumps [path-parse](https://github.com/jbgutierrez/path-parse) from 1.0.6 to 1.0.7.
- [Release notes](https://github.com/jbgutierrez/path-parse/releases)
- [Commits](https://github.com/jbgutierrez/path-parse/commits/v1.0.7)

---
updated-dependencies:
- dependency-name: path-parse
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-08-13 00:52:09 +02:00
David Taylor 4aa0e1b4ab
FIX: Ensure nonce mismatch causes auth to fail correctly (#15) 2021-08-09 13:25:10 +01:00
discoursebot f32c23eece
DEV: Update CI workflows (#14)
Co-authored-by: davidtaylorhq <davidtaylorhq@users.noreply.github.com>
2021-07-02 16:39:56 +02:00
dependabot[bot] dd1d00ea9f
Bump glob-parent from 5.1.1 to 5.1.2 (#13)
Bumps [glob-parent](https://github.com/gulpjs/glob-parent) from 5.1.1 to 5.1.2.
- [Release notes](https://github.com/gulpjs/glob-parent/releases)
- [Changelog](https://github.com/gulpjs/glob-parent/blob/main/CHANGELOG.md)
- [Commits](https://github.com/gulpjs/glob-parent/compare/v5.1.1...v5.1.2)

---
updated-dependencies:
- dependency-name: glob-parent
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-06-12 13:58:50 +02:00
dependabot[bot] d457171bfa
Bump lodash from 4.17.20 to 4.17.21 (#12)
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.20 to 4.17.21.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](https://github.com/lodash/lodash/compare/4.17.20...4.17.21)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-05-10 13:40:29 -04:00
dependabot[bot] ce59261c3f
Bump rexml from 3.2.4 to 3.2.5 (#11)
Bumps [rexml](https://github.com/ruby/rexml) from 3.2.4 to 3.2.5.
- [Release notes](https://github.com/ruby/rexml/releases)
- [Changelog](https://github.com/ruby/rexml/blob/master/NEWS.md)
- [Commits](https://github.com/ruby/rexml/compare/v3.2.4...v3.2.5)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-05-02 17:11:23 +02:00
dependabot[bot] 92f0bffc90
Bump y18n from 4.0.0 to 4.0.1 (#10)
Bumps [y18n](https://github.com/yargs/y18n) from 4.0.0 to 4.0.1.
- [Release notes](https://github.com/yargs/y18n/releases)
- [Changelog](https://github.com/yargs/y18n/blob/master/CHANGELOG.md)
- [Commits](https://github.com/yargs/y18n/commits)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-04-01 11:24:14 +02:00
discoursebot e1c9411e30
DEV: Update CI workflows (#9)
Co-authored-by: CvX <CvX@users.noreply.github.com>
2021-03-18 16:49:38 +11:00
discoursebot 0ae547fbc3
DEV: Update CI workflows (#8)
Co-authored-by: justindirose <justindirose@users.noreply.github.com>
2021-01-04 14:18:40 -06:00
Discourse CI a03a26535d DEV: Update CI workflows 2020-11-15 16:09:46 +00:00
David Taylor 4170927338 FEATURE: Support RP-initiated logout post_logout_redirect_uri 2020-11-12 17:16:11 +00:00
David Taylor a9dd528aea FIX: RP-initiated logout should pass id_token, not access_token 2020-11-12 17:16:11 +00:00
David Taylor 3ad22e0cef
FEATURE: Add support for OIDC RP-initiated logout (#5)
Based on the specification at https://openid.net/specs/openid-connect-rpinitiated-1_0.html

When logging out, this feature will redirect the user to the end_session_url from the discovery document. Their most recent id token will be included in the `id_token_hint` parameter.

To use this, the identity provider must include an end_session_url in the discovery document, and the openid_connect_rp_initiated_logout site setting must be enabled.
2020-11-12 15:21:43 +00:00
David Taylor 85abe67701
FIX: Gracefully handle errors while fetching the discovery document (#4)
Previously an error loading the discovery document would raise an exception. Now, it will display an error to the user, and log the error for site admins to view at `/logs`. Specs are updated and improved accordingly.

This moves the discovery document fetching out of OmniAuth and into Discourse. This makes it available for the upcoming rp-initiated-logout support.
2020-11-11 18:46:11 +00:00
David Taylor 109f910fd5
DEV: Fix plugin when installed alongside discourse-jwt (#3)
Replace `JWT` with `::JWT` so that it doesn't get resolved to `Omniauth::Strategies::JWT`
2020-11-11 15:27:23 +00:00
Discourse CI 62c63d78ec DEV: Update CI workflows 2020-10-14 16:27:52 +00:00
Discourse CI 297e29fcbe DEV: Update CI workflows 2020-10-12 08:16:53 +00:00
Discourse CI bc3e208526 DEV: Update CI workflows 2020-10-09 19:03:17 +00:00
Justin DiRose 2727ed4fa1
DEV: Apply coding standards (#2) 2020-10-09 13:52:08 -05:00
Discourse CI e7ff3dccbf DEV: Update CI workflows 2020-10-09 16:15:05 +00:00
Discourse CI c8ace5e9d4 DEV: Update CI workflows 2020-10-09 15:09:46 +00:00
buildthomas 0112e5a046
Fix avatar picture in auth hash info (#1)
Managed Authenticator expects `image` field, not `picture`:
09a97363da/lib/auth/managed_authenticator.rb (L87)
2020-09-28 12:27:17 +01:00
David Taylor 18c20c29a0
FIX: Do not verify the `iat` claim in JWT tokens
The JWT specification (https://tools.ietf.org/html/rfc7519#page-10) does not require verification of this claim. If the issuer wishes to restrict the validity of the token, they can use the 'nbf' (not before) claim which is intended for this purpose. Discourse will verify the `nbf` claim if it is present.

In practice, clock skew between identity providers and Discourse was causing JWT validity errors to be raised.
2020-09-25 10:35:40 +01:00
David Taylor 109ec1a275
FEATURE: Add detailed OIDC request and response logs
This makes use of Faraday middleware to log precise details about all requests made by the OAuth2 gem. This should make it easier to debug configuration issues.
2020-09-25 09:47:24 +01:00
David Taylor 9ada9528e8
FIX: Accept strings for the email_verified token
This is technically a spec violation, but many providers do this so we should check for the string 'true'.
2020-07-10 16:49:32 +01:00
David Taylor 20c835ea06
DEV: Remove deprecated full screen login parameter 2020-05-12 12:13:38 +01:00
David Taylor 2ef80870d3
FIX: Do not include token scope parameter when setting is empty 2020-04-01 17:50:23 +01:00
David Taylor 84c21a572c FEATURE: Optionally allow overriding email on every login 2020-03-06 11:51:41 +00:00
David Taylor 9ad63a3fc7 FEATURE: Allow parameters to be passed from /auth/oidc to the IDP
The most common use case is when you want the IDP to start with a specific screen (e.g. signup, rather than sign in). This change has no effect by default, you must add the parameter names to the openid_connect_authorize_parameters site setting.
2020-01-08 14:15:32 +00:00
David Taylor 67a5595e98 FEATURE: Respect the email_verified boolean when supplied by IDP 2020-01-08 13:54:37 +00:00
David Taylor 3e83fa9c50 DEV: Refactor authenticator into its own file 2020-01-08 13:52:24 +00:00
Guo Xiang Tan 1f08770d1a Add frozen string literal comment to files. 2019-05-13 10:51:32 +08:00
David Taylor 94bba5f710 FEATURE: Option to enable verbose logging of authentication process 2019-01-04 15:08:35 +00:00
David Taylor d394c12078 FEATURE: Support latest version of `ruby-jwt` to support core changes
This change is not backwards compatible. If you install the plugin on an earlier version of Discourse, the plugin will not initialize.
2019-01-02 10:42:28 +00:00
David Taylor 88fdf7b5ab DEV: Update README 2018-12-06 16:14:28 +00:00
David Taylor 84085413d5 REFACTOR: user_associated_account and managed_authenticator moved to core 2018-11-30 11:20:28 +00:00
David Taylor 250bf84faa DEV: Improve specs for managed authenticator 2018-11-27 17:05:00 +00:00
David Taylor a41be68dfe DEV: Initial specs for managed authenticator 2018-11-26 18:03:23 +00:00
David Taylor 79d377cb12 DEV: Use mocha instead of rspec-mocks for omniauth spec 2018-11-26 18:03:08 +00:00
David Taylor f44a2cd7bb DEV: Refactor managed_authenticator into its own file 2018-11-26 14:54:20 +00:00
David Taylor b3124f90d2 DEV: Spec for error redirect handler 2018-11-26 12:04:01 +00:00
David Taylor adcc85dde3 FEATURE: Add enabled setting, and some refactoring 2018-11-22 14:49:49 +00:00
David Taylor 8558d65e67 DEV: Additional tests, and improved JWT error handling 2018-11-22 12:44:38 +00:00
David Taylor ba3685f2ef DEV: Test token_params 2018-11-22 11:24:31 +00:00
David Taylor 17f12b05ce DEV: Specs for authorize_params 2018-11-21 16:57:03 +00:00
David Taylor a74bd6c27a FIX: Discovery error handling in request phase 2018-11-21 16:56:46 +00:00
David Taylor d8f2ceb65a DEV: Add stylesheet placeholder 2018-11-21 15:48:20 +00:00
David Taylor 78a792b5b6 FIX: Improved 'discovery' error handling, with tests 2018-11-21 15:28:01 +00:00