Adds an slog.Handler wrapper (excludingHandler) that drops log
attributes matching a configured set of keys. This allows
GDPR-sensitive deployments to suppress PII fields like email,
username, preferred_username, or groups at the logger level
rather than per-callsite.
Also adds user_id to the "login successful" log line so operators
who exclude PII fields still have a pseudonymous identifier.
Closes #4391
---------
Signed-off-by: Mark Liu <mark@prove.com.au>
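An added, stand-alone illustration of the handler-level filtering described in the commit message above. This is example code written for this page, not dex's own excludingHandler; the type name, constructor and the logLoginSuccess helper (which renders one "login successful" line through the wrapper so the effect can be inspected) are assumptions, and the attribute values are constructed sample data.

```go
package main

import (
	"bytes"
	"context"
	"fmt"
	"log/slog"
	"strings"
)

// excludingHandler wraps an slog.Handler and drops every attribute whose key
// is in the configured set before the record reaches the underlying sink.
// Example type for this page; not dex's implementation.
type excludingHandler struct {
	inner slog.Handler
	keys  map[string]struct{}
}

func newExcludingHandler(inner slog.Handler, keys ...string) *excludingHandler {
	set := make(map[string]struct{}, len(keys))
	for _, k := range keys {
		set[k] = struct{}{}
	}
	return &excludingHandler{inner: inner, keys: set}
}

func (h *excludingHandler) Enabled(ctx context.Context, l slog.Level) bool {
	return h.inner.Enabled(ctx, l)
}

// filter removes excluded attrs and recurses into groups, so a PII key that
// is nested under slog.Group("user", ...) is dropped as well.
func (h *excludingHandler) filter(attrs []slog.Attr) []slog.Attr {
	out := make([]slog.Attr, 0, len(attrs))
	for _, a := range attrs {
		if _, drop := h.keys[a.Key]; drop {
			continue
		}
		if a.Value.Kind() == slog.KindGroup {
			kept := h.filter(a.Value.Group())
			if len(kept) == 0 {
				continue // a group with nothing left in it is not worth emitting
			}
			a = slog.Attr{Key: a.Key, Value: slog.GroupValue(kept...)}
		}
		out = append(out, a)
	}
	return out
}

// Handle rebuilds the record with only the surviving attributes.
func (h *excludingHandler) Handle(ctx context.Context, r slog.Record) error {
	nr := slog.NewRecord(r.Time, r.Level, r.Message, r.PC)
	r.Attrs(func(a slog.Attr) bool {
		nr.AddAttrs(h.filter([]slog.Attr{a})...)
		return true
	})
	return h.inner.Handle(ctx, nr)
}

// WithAttrs covers attributes bound early via logger.With(...), which never
// pass through Handle.
func (h *excludingHandler) WithAttrs(attrs []slog.Attr) slog.Handler {
	return &excludingHandler{inner: h.inner.WithAttrs(h.filter(attrs)), keys: h.keys}
}

func (h *excludingHandler) WithGroup(name string) slog.Handler {
	return &excludingHandler{inner: h.inner.WithGroup(name), keys: h.keys}
}

// logLoginSuccess emits one constructed "login successful" line through the
// wrapper and returns the rendered text (timestamp removed for stable output).
func logLoginSuccess(exclude ...string) string {
	var buf bytes.Buffer
	base := slog.NewTextHandler(&buf, &slog.HandlerOptions{
		ReplaceAttr: func(_ []string, a slog.Attr) slog.Attr {
			if a.Key == slog.TimeKey {
				return slog.Attr{} // zero Attr: discarded by the handler
			}
			return a
		},
	})
	logger := slog.New(newExcludingHandler(base, exclude...)).With("email", "alice@example.com")
	logger.Info("login successful",
		"connector_id", "ldap",
		"username", "alice",
		"user_id", "u-1e3b", // pseudonymous id survives the PII filter
		slog.Group("user", "groups", "admins", "preferred_username", "alice"),
	)
	return strings.TrimSpace(buf.String())
}

func main() {
	fmt.Println(logLoginSuccess("email", "username", "preferred_username", "groups"))
	fmt.Println(logLoginSuccess())
}
```

Matching is on the bare key, so "email" is suppressed whether it is top-level, nested in a group, or bound with logger.With. It does not inspect values: PII embedded in a free-text message or in a non-excluded key (an error string that quotes the username, for instance) still gets through, so the key list is a floor, not a guarantee.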
When GetAuthRequest returns ErrNotFound in handleApproval, render a 400
"User session error." instead of logging + rendering a 500 "Database
error.". Covers the double-submit race where sendCodeResponse deletes
the auth request on first approval and the second request finds nothing.
---
Signed-off-by: Mark Liu <mark@prove.com.au>
Signed-off-by: mark-liu <mark-liu@users.noreply.github.com>
Implement the OAuth2 client_credentials grant type for
machine-to-machine authentication. The grant is gated behind a new
clientCredentialsEnabled config flag (defaults to false), following
the same pattern as passwordConnector for the password grant.
---------
Signed-off-by: Mathias Gebbe <mathias.gebbe@gmail.com>
Signed-off-by: Maksim Nabokikh <maksim.nabokikh@flant.com>
Signed-off-by: Maksim Nabokikh <max.nabokih@gmail.com>
Co-authored-by: Maksim Nabokikh <maksim.nabokikh@flant.com>
Co-authored-by: Maksim Nabokikh <max.nabokih@gmail.com>
This change updates the password grant handler to issue a valid JWT
access token instead of just returning a random value as the access
token. This makes it possible to use the access token against the
user info endpoint.
Signed-off-by: Monis Khan <i@monis.app>
* handlePasswordGrant: insert connectorData into OfflineSession
This change will insert the ConnectorData from the initial Login
into the OfflineSession, as already done in handlePasswordLogin.
Signed-off-by: Henning Surmeier <h.surmeier@mittwald.de>
By adding an extra endpoint and a redirect, we can avoid a situation
where it's trivially easy to generate a large number of AuthRequests
by hitting F5/refresh in the browser.
Signed-off-by: Alastair Houghton <alastair@alastairs-place.net>
The back link on the password page was using JavaScript to tell the
browser to navigate back, which won't work if the user has entered a
set of incorrect log-in details. Fix this by using an explicit URL
instead.
Fixes #1851
Signed-off-by: Alastair Houghton <alastair@alastairs-place.net>
Rather than creating the auth request when the user hits /auth, pass
the arguments through to /auth/{connector} and have the auth request
created there. This prevents a database error when using the "Select
another login method" link, and also avoids a few other error cases.
Fixes #1849, #646.
Signed-off-by: Alastair Houghton <alastair@alastairs-place.net>
* if enabled, it will make sure client secret is bcrypted correctly
* if not, it falls back to old behaviour that allows an empty client
  secret and compares plain text, though now it will do
  ConstantTimeCompare to avoid a timing attack.
So either way it should provide more secure client secret
verification.
Co-authored-by: Alex Surraci <suraci.alex@gmail.com>
Signed-off-by: Rui Yang <ruiya@vmware.com>
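An added example, not dex's code, showing why the plain-text fallback branch above needed crypto/subtle: leakyEqual models the old early-exit comparison and reports how many bytes it examined (the quantity an attacker recovers through response timing), secretEqual is the constant-time replacement, and secretEqualLenHidden addresses the one thing ConstantTimeCompare still leaks. The bcrypt branch, which in practice is a call to bcrypt.CompareHashAndPassword from golang.org/x/crypto/bcrypt, is left out to keep the example standard-library only. Function names and the sample secrets are assumptions.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// leakyEqual models the pre-fix plain-text check. Go's == on strings also
// stops at the first differing byte, so the time taken grows with the length
// of the correct prefix; work counts the bytes examined to make that visible.
// Kept deliberately as the "before" for comparison; do not use it.
func leakyEqual(stored, presented string) (equal bool, work int) {
	if len(stored) != len(presented) {
		return false, 0
	}
	for i := 0; i < len(stored); i++ {
		work++
		if stored[i] != presented[i] {
			return false, work
		}
	}
	return true, work
}

// secretEqual is the hardened fallback: every byte is examined regardless of
// where the first mismatch is. Two empty strings still compare equal, which
// preserves the old behaviour of allowing an empty client secret.
func secretEqual(stored, presented string) bool {
	return subtle.ConstantTimeCompare([]byte(stored), []byte(presented)) == 1
}

// secretEqualLenHidden closes the remaining gap: ConstantTimeCompare returns 0
// immediately when lengths differ, which leaks the secret's length. Hashing
// both sides first makes the inputs to the comparison fixed-size.
func secretEqualLenHidden(stored, presented string) bool {
	a := sha256.Sum256([]byte(stored))
	b := sha256.Sum256([]byte(presented))
	return subtle.ConstantTimeCompare(a[:], b[:]) == 1
}

func main() {
	const stored = "s3cret" // constructed sample secret
	for _, guess := range []string{"xxxxxx", "s3xxxx", "s3cxxx", "s3cret"} {
		_, work := leakyEqual(stored, guess)
		fmt.Printf("guess %q: leaky compare examined %d byte(s)\n", guess, work)
	}
	fmt.Println("constant-time:", secretEqual(stored, "s3cxxx"), secretEqual(stored, "s3cret"))
	fmt.Println("length hidden:", secretEqualLenHidden(stored, "s3cre"), secretEqualLenHidden(stored, "s3cret"))
}
```

The work counts from leakyEqual step up by one for each additional correct byte, which is exactly the signal a remote attacker averages out of request timings to recover a secret byte by byte. Note that hashing before comparing only hides length; it is not a substitute for storing the secret as a bcrypt hash, which is what the enabled branch of the change provides.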