Commit       Author           Message
3d15985f37d  Simon Eisenmann  Add v0.33.5 to changelog
769caa9623f  Simon Eisenmann  Fix regression which encodes URL fragments twice
    Encoding of URL fragments happens when serializing the full URL. After the fix in 9533d4ccd9788a8f2c210ee319d0771d31fb1ee1 those fragments started to get encoded twice, breaking client side parsing of response parameters when running in fragment response type. This change avoids the double encoding, fixing the issue. For example with Kopano Meet errors like `failed to create guest session` when...
58f09f199a8  Felix Bartels    Update Docker dependencies
    Signed-off-by: Felix Bartels <f.bartels@kopano.com>
23da0987d30  Simon Eisenmann  Add v0.33.4 to changelog
9533d4ccd97  Simon Eisenmann  Avoid generating fragment/query URLs with wrong order
    In URLs the fragment must come after the query part. Previously it was possible that Konnect created URLs where the query was appended after the hash, thus rendering it non-effective and potentially breaking any previous fragment value. This change corrects URL generation by correctly parsing and reconstructing the source/target URL.
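The two commits above (769caa9623f and 9533d4ccd97) describe the same URL reconstruction problem: response parameters must land after the query and before the fragment, and each component must be encoded only once. The following Go function is an added illustration using only net/url, not Konnect's own code; the target URL and parameter names are constructed sample values, and DoubleEncodedRedirectURL reproduces the class of double encoding the first commit fixes so the two outputs can be compared.

```go
package main

import "net/url"

// mergeValues returns a copy of existing with params set on top of it.
func mergeValues(existing url.Values, params map[string]string) url.Values {
	merged := url.Values{}
	for k, vs := range existing {
		merged[k] = append([]string(nil), vs...)
	}
	for k, v := range params {
		merged.Set(k, v)
	}
	return merged
}

// BuildRedirectURL parses target, merges params into its query (inFragment
// false) or fragment (inFragment true, the fragment response type) and
// serializes it again, so the query always precedes the fragment and every
// component is percent-encoded exactly once. Sample inputs are constructed.
func BuildRedirectURL(target string, params map[string]string, inFragment bool) (string, error) {
	u, err := url.Parse(target)
	if err != nil {
		return "", err
	}
	if !inFragment {
		u.RawQuery = mergeValues(u.Query(), params).Encode()
		return u.String(), nil
	}
	existing, err := url.ParseQuery(u.Fragment) // url.Parse already decoded it once
	if err != nil {
		return "", err
	}
	// Append the encoded fragment ourselves: assigning an encoded string to
	// u.Fragment would make String() escape its '%' signs a second time.
	u.Fragment = ""
	return u.String() + "#" + mergeValues(existing, params).Encode(), nil
}

// DoubleEncodedRedirectURL reproduces that trap for comparison: a value
// such as "a/b" ends up as "a%252Fb" in the serialized URL.
func DoubleEncodedRedirectURL(target string, params map[string]string) string {
	u, _ := url.Parse(target)
	u.Fragment = mergeValues(url.Values{}, params).Encode()
	return u.String()
}
```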
b07dfa84f15  Simon Eisenmann  Return state for oidc endsession response redirects
    When endsession is called with a state, the state should be returned with the response redirect as query parameter. This change uses the same state internally for all requests and adds it to response redirects if available.
08de694d7d8  Simon Eisenmann  Build with Go 1.14.4
86bb32d454e  Simon Eisenmann  Add v0.33.3 to changelog
d442b761f5e  Simon Eisenmann  Use server provided username to avoid case mismatch
    If an identifier backend allows case insensitive user name sign in, the token data was inconsistent and could lead to string comparison problems in RPs. This change always puts the backend provider user name into the token data, resolving the issue. Fixes: KWM-91
c0a9bf3c1fe  Simon Eisenmann  Add v0.33.2 to changelog
28dbe6a8960  Simon Eisenmann  Use signed-out-uri if set as fallback for goodbye redirect on saml slo
    An RP might not have set a redirect target where to go after end session request. Those requests end up at Konnect identifier goodbye page. This change uses the value from `signed-out-uri` commandline parameter instead (if set).
9b3dace572d  Simon Eisenmann  Add checks to ensure post_logout_redirect_uri is not empty
    It was discovered that in certain cases Konnect was generating empty Location header fields in the response to end session requests. The reason was improper checks if there is actually a target uri set and not empty. This change adds the checks accordingly.
635a1078255  Simon Eisenmann  add v0.33.1 to changelog
0e16fd2a185  Simon Eisenmann  Fix SAML2 logout request parsing
    This change fixes an error when receiving an IdP initiated logout request which previously failed with
    ```
    msg="failed to make saml2 slo redirect request url" error="invalid request data"
    ```
    by fixing the relevant type conversion which was wrong before.
49d7721f665  Simon Eisenmann  Cure panic when no state is found in saml esr
    A state cookie might not be available when processing SAML single logout service callback requests. If so, where previously the handler did panic, it now returns a bad request message with a corresponding log entry to hint what the problem is.
fc74713ba1f  Simon Eisenmann  Use SAML IdP Issuer value from meta data entityID
    Some IdPs might use an issuer value which is different from the meta data URI. This change uses the entityID attribute value from the meta data document as issuer if it is not empty. Otherwise the full meta data URI is used as issuer value like before. Fixes: https://github.com/Kopano-dev/konnect/issues/30
c1ed0b735eb  Simon Eisenmann  Add v0.33.0 to changelog
b639e71ce4e  Simon Eisenmann  Allow configuration of expiration of oidc access, id and refresh tokens
    This change adds commandline parameters to allow configuration of the OIDC related token expiration. The default behaviour is unchanged.
24d56d824d9  Simon Eisenmann  Implement trampoline for external OIDC authority end session
    OIDC validates origin. Thus we cannot simply redirect to endpoints using redirect chains. Instead this change adds a trampoline HTML page which uses javascript and the server controlled state cookie to redirect the client through the identifier webapp origin to the external end point.
f084e90c216  Felix Bartels    Update to latest Alpine release
    Signed-off-by: Felix Bartels <f.bartels@kopano.com>
6166a087806  Felix Bartels    Update ca-certificates version
    Signed-off-by: Felix Bartels <f.bartels@kopano.com>
e93f59060b2  Simon Eisenmann  Add v0.32.0 to changelog
9a6b403bc71  Simon Eisenmann  Implement delegation of end session to external authority
    External authority support for sign in is one thing, but in certain cases it might be desired that a sign out in Konnect also triggers a sign out in an external authority. This change brings this for SAML2 external authorities. Enable it by setting `end_session_enabled` in the corresponding authority definition.
1efe3d071c5  Simon Eisenmann  Improve names of temporary state and consent cookies
b32e79f2287  Simon Eisenmann  Use correct path when removing state cookies
f8b620a8a25  Simon Eisenmann  Store identified user external authority ID in session data
76f75e8fef2  Simon Eisenmann  Implement redirect binding slo response
1692288b7ab  Simon Eisenmann  Add v0.31.0 to changelog
0a1b8ebd170  Simon Eisenmann  Relax linter to let more warnings pass
4791babbd7c  Simon Eisenmann  Implement validation for IdP initiated SLO requests
2f9dcd6803a  Simon Eisenmann  Add support for expiration and session id for external authorities
88deb79ecad  Simon Eisenmann  Fix wrong error message when there was no error
    Error logging for nested authentication managers did not compare results correctly, leading to an error being logged when there actually was no error.
    ```
    ERRO[0030] inner authorize request failed
    ```
    This change corrects the comparison, only logging the above error when there actually was an error.
ef1444bdd34  Simon Eisenmann  Add additional TODO markers for SAML external authority
fc75cee3cf2  Simon Eisenmann  Improve logging when using external SAML authority
fd7628f48c0  Simon Eisenmann  Retry SAML initialize on error
c22f1cd17ba  Simon Eisenmann  Improve OIDC endsession endpoint handler when without token hint
4bab370f574  Simon Eisenmann  Implement support for SAML IdP slo
c0e113d6a80  Simon Eisenmann  Fail early when SAML2 authority fails to resolve user from backend
bcf8d18ffab  Simon Eisenmann  Apply user mapping when resolving users from LDAP backend
    When user mapping is in place, this mapping needs to be applied for all ways in which a user can be retrieved from the backend. This was missing when resolving the user for other purposes than logon and is added by this change.
70274a322eb  Simon Eisenmann  Update 3rd party dependencies
606a789b1c4  Simon Eisenmann  Update license ranger and generate 3rd party licenses from vendor folder
b6b61ad8781  Simon Eisenmann  Add v0.30.0 to changelog
8234985ac70  Simon Eisenmann  Add SAML2 external authority example config
0aea20bb1f2  Simon Eisenmann  Update linter in CI to latest version so it works with Go 1.14
a881b3d5cd6  Simon Eisenmann  Implement SAML2 external authority support
    This change enhances the support for external authorities by adding support for SAML2 identity providers alongside the already existing OpenID Connect external authority support. This implements the minimal set of required functionality.
7ea379ffff9  Simon Eisenmann  Prepare external authority support for different authority types
723e2192145  Simon Eisenmann  Update and deduplicate external dependencies
0bccae59fd7  Simon Eisenmann  Update changelog
09c9ef91e86  Simon Eisenmann  Ensure identifier client index.html is actually loaded
dd3aba9c330  Simon Eisenmann  Update changelog