pierre/BasicOIDC
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: pierre:renovate/lazy-regex-3.x-lockfile
Branches Tags
pierre:master
pierre:renovate/lazy-regex-3.x-lockfile
pierre:renovate/webauthn-rs-0.x-lockfile
pierre:renovate/jwt-simple-0.x-lockfile
..
compare: pierre:master
Branches Tags
pierre:master
pierre:renovate/lazy-regex-3.x-lockfile
pierre:renovate/webauthn-rs-0.x-lockfile
pierre:renovate/jwt-simple-0.x-lockfile

36 Commits
renovate/l ... master

Author SHA1 Message Date
Pierre HUBERT
c9d41f2517 Add CORS on token endpoint
All checks were successful
continuous-integration/drone/push Build is passing
Details
2025-02-21 15:51:33 +01:00
Pierre HUBERT
1a1a41d5dc Disable client secret check when no secret is specified
All checks were successful
continuous-integration/drone/push Build is passing
Details
2025-02-21 14:58:13 +01:00
Pierre HUBERT
d01311abf1 Can initiate code authentication without client secret
All checks were successful
continuous-integration/drone/push Build is passing
Details
2025-02-21 14:49:45 +01:00
Pierre HUBERT
a73ad4bf41 Add CORS headers on OpenID configuration endpoint
All checks were successful
continuous-integration/drone/push Build is passing
Details
2025-02-21 11:59:32 +01:00
Pierre HUBERT
4a248e84ac Merge pull request 'Update Rust crate uuid to v1.13.1' (#355) from renovate/uuid-1.x-lockfile into master
All checks were successful
continuous-integration/drone/push Build is passing
Details 
Reviewed-on: #355
 2025-02-21 10:53:37 +00:00
Pierre HUBERT
e650fe0c29 Merge pull request 'Update Rust crate mailchecker to v6.0.16' (#357) from renovate/mailchecker-6.x-lockfile into master
All checks were successful
continuous-integration/drone/push Build is passing
Details 
Reviewed-on: #357
 2025-02-21 10:53:29 +00:00
Pierre HUBERT
473abb2d38 Merge pull request 'Update Rust crate clap to v4.5.29' (#356) from renovate/clap-4.x-lockfile into master
All checks were successful
continuous-integration/drone/push Build is passing
Details 
Reviewed-on: #356
 2025-02-21 10:53:23 +00:00
Pierre HUBERT
1b743c86bf Merge pull request 'Update Rust crate serde to v1.0.218' (#358) from renovate/serde-1.x-lockfile into master
All checks were successful
continuous-integration/drone/push Build is passing
Details 
Reviewed-on: #358
 2025-02-21 10:53:16 +00:00
Pierre HUBERT
8c25e2aa4c Merge pull request 'Update Rust crate serde_json to v1.0.139' (#359) from renovate/serde_json-1.x-lockfile into master
All checks were successful
continuous-integration/drone/push Build is passing
Details 
Reviewed-on: #359
 2025-02-21 10:53:07 +00:00
Pierre HUBERT
f7e4eb955c Update Rust crate serde_json to v1.0.139
All checks were successful
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/pr Build is passing
Details
2025-02-21 00:05:04 +00:00
Pierre HUBERT
7d521ef040 Update Rust crate serde to v1.0.218
All checks were successful
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/pr Build is passing
Details
2025-02-21 00:05:01 +00:00
Pierre HUBERT
c59e7b96db Update Rust crate mailchecker to v6.0.16
All checks were successful
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/pr Build is passing
Details
2025-02-18 00:04:45 +00:00
Pierre HUBERT
a0d204ad09 Update Rust crate clap to v4.5.29
All checks were successful
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/pr Build is passing
Details
2025-02-12 00:04:41 +00:00
Pierre HUBERT
a06be2e889 Update Rust crate uuid to v1.13.1
All checks were successful
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/pr Build is passing
Details
2025-02-06 00:08:38 +00:00
Pierre HUBERT
42862aea7f Merge pull request 'Update Rust crate clap to v4.5.28' (#354) from renovate/clap-4.x-lockfile into master
All checks were successful
continuous-integration/drone/push Build is passing
Details 
Reviewed-on: #354
 2025-02-04 07:04:12 +00:00
Pierre HUBERT
8173ac5bc1 Update Rust crate clap to v4.5.28
All checks were successful
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/pr Build is passing
Details
2025-02-04 00:08:27 +00:00
Pierre HUBERT
79a00ff7ad Merge pull request 'Update Rust crate rand to 0.9.0' (#351) from renovate/rand-0.x into master
All checks were successful
continuous-integration/drone/push Build is passing
Details 
Reviewed-on: #351
 2025-02-03 20:00:33 +00:00
Pierre HUBERT
f2e4d82f87 Fix rand breaking changes
All checks were successful
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/pr Build is passing
Details
2025-02-03 20:57:49 +01:00
Pierre HUBERT
022073f26a Update Rust crate rand to 0.9.0
Some checks failed
renovate/artifacts Artifact file update failure
continuous-integration/drone/push Build is failing
Details
continuous-integration/drone/pr Build is failing
Details
2025-02-01 00:22:15 +00:00
Pierre HUBERT
c22fcdab74 Merge pull request 'Update Rust crate bcrypt to 0.17.0' (#353) from renovate/bcrypt-0.x into master
All checks were successful
continuous-integration/drone/push Build is passing
Details 
Reviewed-on: #353
 2025-01-31 07:10:50 +00:00
Pierre HUBERT
672267d521 Merge pull request 'Update Rust crate serde_json to v1.0.138' (#352) from renovate/serde_json-1.x-lockfile into master
All checks were successful
continuous-integration/drone/push Build is passing
Details 
Reviewed-on: #352
 2025-01-31 07:10:41 +00:00
Pierre HUBERT
c26a3af253 Update Rust crate bcrypt to 0.17.0
All checks were successful
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/pr Build is passing
Details
2025-01-31 00:22:28 +00:00
Pierre HUBERT
84d69de09b Update Rust crate serde_json to v1.0.138
All checks were successful
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/pr Build is passing
Details
2025-01-30 00:22:18 +00:00
Pierre HUBERT
76faa33c4e Update Rust crate uuid to v1.12.1
All checks were successful
continuous-integration/drone/pr Build is passing
Details
continuous-integration/drone/push Build is passing
Details
2025-01-22 00:22:26 +00:00
Pierre HUBERT
fb0ebde748 Update Rust crate clap to v4.5.27
All checks were successful
continuous-integration/drone/pr Build is passing
Details
continuous-integration/drone/push Build is passing
Details
2025-01-21 00:22:26 +00:00
Pierre HUBERT
e0f33c133b Update Rust crate serde_json to v1.0.137
All checks were successful
continuous-integration/drone/pr Build is passing
Details
continuous-integration/drone/push Build is passing
Details
2025-01-20 00:22:30 +00:00
Pierre HUBERT
8a0ef75295 Update Rust crate uuid to v1.12.0
All checks were successful
continuous-integration/drone/push Build is passing
Details
2025-01-15 00:56:58 +00:00
Pierre HUBERT
a4f73db82e Update Rust crate log to v0.4.25
All checks were successful
continuous-integration/drone/pr Build is passing
Details
continuous-integration/drone/push Build is passing
Details
2025-01-15 00:30:18 +00:00
Pierre HUBERT
31ad52607f Update Rust crate uuid to v1.11.1
All checks were successful
continuous-integration/drone/push Build is passing
Details
2025-01-11 00:30:21 +00:00
Pierre HUBERT
a201f175a2 Update Rust crate log to v0.4.24
All checks were successful
continuous-integration/drone/pr Build is passing
Details
continuous-integration/drone/push Build is passing
Details
2025-01-11 00:19:08 +00:00
Pierre HUBERT
f5eaecc189 Update Rust crate clap to v4.5.26
All checks were successful
continuous-integration/drone/pr Build is passing
Details
continuous-integration/drone/push Build is passing
Details
2025-01-10 00:19:07 +00:00
Pierre HUBERT
6c18a58c43 Update Rust crate serde_json to v1.0.135
All checks were successful
continuous-integration/drone/push Build is passing
Details
2025-01-08 00:33:32 +00:00
Pierre HUBERT
677b4221eb Update Rust crate clap to v4.5.24
All checks were successful
continuous-integration/drone/pr Build is passing
Details
continuous-integration/drone/push Build is passing
Details
2025-01-08 00:24:08 +00:00
Pierre HUBERT
ae92f8f405 Update Rust crate mailchecker to v6.0.15
All checks were successful
continuous-integration/drone/pr Build is passing
Details
continuous-integration/drone/push Build is passing
Details
2025-01-04 00:20:22 +00:00
Pierre HUBERT
16083a7624 Update Rust crate lazy-regex to v3.4.1
All checks were successful
continuous-integration/drone/push Build is passing
Details
2024-12-28 00:31:42 +00:00
Pierre HUBERT
09da003f35 Update Rust crate serde to v1.0.217
All checks were successful
continuous-integration/drone/pr Build is passing
Details
continuous-integration/drone/push Build is passing
Details
2024-12-28 00:20:30 +00:00
6 changed files with 471 additions and 437 deletions
Show Stats Expand all files Collapse all files

784
Cargo.lock generated
View File

File diff suppressed because it is too large Load Diff

4
Cargo.toml
View File

@ -18,13 +18,13 @@ serde_json = "1.0.128"
serde_yaml = "0.9.34" serde_yaml = "0.9.34"
env_logger = "0.11.3" env_logger = "0.11.3"
serde = { version = "1.0.210", features = ["derive"] } serde = { version = "1.0.210", features = ["derive"] }
bcrypt = "0.16.0" bcrypt = "0.17.0"
uuid = { version = "1.8.0", features = ["v4"] } uuid = { version = "1.8.0", features = ["v4"] }
mime_guess = "2.0.4" mime_guess = "2.0.4"
askama = "0.12.1" askama = "0.12.1"
futures-util = "0.3.30" futures-util = "0.3.30"
urlencoding = "2.1.3" urlencoding = "2.1.3"
rand = "0.8.5" rand = "0.9.0"
base64 = "0.22.1" base64 = "0.22.1"
jwt-simple = { version = "0.12.10", default-features = false, features = ["pure-rust"] } jwt-simple = { version = "0.12.10", default-features = false, features = ["pure-rust"] }
digest = "0.10.7" digest = "0.10.7"

34
src/controllers/openid_controller.rs
View File

@ -16,7 +16,7 @@ use crate::constants::*;
use crate::controllers::base_controller::{build_fatal_error_page, redirect_user}; use crate::controllers::base_controller::{build_fatal_error_page, redirect_user};
use crate::data::action_logger::{Action, ActionLogger}; use crate::data::action_logger::{Action, ActionLogger};
use crate::data::app_config::AppConfig; use crate::data::app_config::AppConfig;
use crate::data::client::{AdditionalClaims, AuthenticationFlow, ClientID, ClientManager}; use crate::data::client::{AdditionalClaims, ClientID, ClientManager};
use crate::data::code_challenge::CodeChallenge; use crate::data::code_challenge::CodeChallenge;
use crate::data::current_user::CurrentUser; use crate::data::current_user::CurrentUser;
use crate::data::id_token::IdToken; use crate::data::id_token::IdToken;
@ -50,7 +50,9 @@ pub async fn get_configuration(req: HttpRequest) -> impl Responder {
host host
); );
HttpResponse::Ok().json(OpenIDConfig { HttpResponse::Ok()
.insert_header(("access-control-allow-origin", "*"))
.json(OpenIDConfig {
issuer: AppConfig::get().website_origin.clone(), issuer: AppConfig::get().website_origin.clone(),
authorization_endpoint: AppConfig::get().full_url(AUTHORIZE_URI), authorization_endpoint: AppConfig::get().full_url(AUTHORIZE_URI),
token_endpoint: curr_origin.clone() + TOKEN_URI, token_endpoint: curr_origin.clone() + TOKEN_URI,
@ -218,8 +220,8 @@ pub async fn authorize(
)); ));
} }
match (client.auth_flow(), query.response_type.as_str()) { match (client.has_secret(), query.response_type.as_str()) {
(AuthenticationFlow::AuthorizationCode, "code") => { (_, "code") => {
// Save all authentication information in memory // Save all authentication information in memory
let session = Session { let session = Session {
session_id: SessionID(rand_str(OPEN_ID_SESSION_LEN)), session_id: SessionID(rand_str(OPEN_ID_SESSION_LEN)),
@ -261,7 +263,8 @@ pub async fn authorize(
.finish()) .finish())
} }
(AuthenticationFlow::Implicit, "id_token") => { // id_token is available only if user has no secret configured
(false, "id_token") => {
let id_token = IdToken { let id_token = IdToken {
issuer: AppConfig::get().website_origin.to_string(), issuer: AppConfig::get().website_origin.to_string(),
subject_identifier: user.uid.0.clone(), subject_identifier: user.uid.0.clone(),
@ -293,11 +296,11 @@ pub async fn authorize(
.finish()) .finish())
} }
(flow, code) => { (secret, code) => {
log::warn!( log::warn!(
"For client {:?}, configured with flow {:?}, made request with code {}", "For client {:?}, configured with secret {:?}, made request with code {}",
client.id, client.id,
flow, secret,
code code
); );
Ok(error_redirect( Ok(error_redirect(
@ -366,9 +369,7 @@ pub async fn token(
let (client_id, client_secret) = let (client_id, client_secret) =
match (&query.client_id, &query.client_secret, authorization_header) { match (&query.client_id, &query.client_secret, authorization_header) {
// post authentication // post authentication
(Some(client_id), Some(client_secret), None) => { (Some(client_id), client_secret, None) => (client_id.clone(), client_secret.clone()),
(client_id.clone(), client_secret.to_string())
}
// Basic authentication // Basic authentication
(_, None, Some(v)) => { (_, None, Some(v)) => {
@ -399,8 +400,8 @@ pub async fn token(
.to_string(); .to_string();
match decode.split_once(':') { match decode.split_once(':') {
None => (ClientID(decode), "".to_string()), None => (ClientID(decode), None),
Some((id, secret)) => (ClientID(id.to_string()), secret.to_string()), Some((id, secret)) => (ClientID(id.to_string()), Some(secret.to_string())),
} }
} }
@ -418,7 +419,7 @@ pub async fn token(
.ok_or_else(|| ErrorUnauthorized("Client not found"))?; .ok_or_else(|| ErrorUnauthorized("Client not found"))?;
// Retrieving token requires the client to have a defined secret // Retrieving token requires the client to have a defined secret
if client.secret != Some(client_secret) { if client.secret != client_secret {
return Ok(error_response( return Ok(error_response(
&query, &query,
"invalid_request", "invalid_request",
@ -608,8 +609,9 @@ pub async fn token(
}; };
Ok(HttpResponse::Ok() Ok(HttpResponse::Ok()
.append_header(("Cache-Control", "no-store")) .insert_header(("Cache-Control", "no-store"))
.append_header(("Pragam", "no-cache")) .insert_header(("Pragma", "no-cache"))
.insert_header(("access-control-allow-origin", "*"))
.json(token_response)) .json(token_response))
} }

15
src/data/client.rs
View File

@ -7,12 +7,6 @@ use std::collections::HashMap;
#[derive(Clone, Debug, serde::Serialize, serde::Deserialize, Eq, PartialEq)] #[derive(Clone, Debug, serde::Serialize, serde::Deserialize, Eq, PartialEq)]
pub struct ClientID(pub String); pub struct ClientID(pub String);
#[derive(Debug, Copy, Clone, Eq, PartialEq)]
pub enum AuthenticationFlow {
AuthorizationCode,
Implicit,
}
pub type AdditionalClaims = HashMap<String, Value>; pub type AdditionalClaims = HashMap<String, Value>;
#[derive(Clone, Debug, serde::Serialize, serde::Deserialize)] #[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]
@ -61,12 +55,9 @@ impl PartialEq for Client {
impl Eq for Client {} impl Eq for Client {}
impl Client { impl Client {
/// Get the client authentication flow /// Check if the client has a secret defined
pub fn auth_flow(&self) -> AuthenticationFlow { pub fn has_secret(&self) -> bool {
match self.secret { self.secret.is_some()
None => AuthenticationFlow::Implicit,
Some(_) => AuthenticationFlow::AuthorizationCode,
}
} }
/// Process a single claim value /// Process a single claim value

2
src/data/totp_key.rs
View File

@ -21,7 +21,7 @@ pub struct TotpKey {
impl TotpKey { impl TotpKey {
/// Generate a new TOTP key /// Generate a new TOTP key
pub fn new_random() -> Self { pub fn new_random() -> Self {
let random_bytes = rand::thread_rng().gen::<[u8; 20]>(); let random_bytes = rand::rng().random::<[u8; 20]>();
Self { Self {
encoded: base32::encode(BASE32_ALPHABET, &random_bytes), encoded: base32::encode(BASE32_ALPHABET, &random_bytes),
} }

9
src/utils/string_utils.rs
View File

@ -1,14 +1,9 @@
use lazy_regex::regex_find; use lazy_regex::regex_find;
use rand::distributions::Alphanumeric; use rand::distr::{Alphanumeric, SampleString};
use rand::Rng;
/// Generate a random string of a given size /// Generate a random string of a given size
pub fn rand_str(len: usize) -> String { pub fn rand_str(len: usize) -> String {
rand::thread_rng() Alphanumeric.sample_string(&mut rand::rng(), len)
.sample_iter(&Alphanumeric)
.map(char::from)
.take(len)
.collect()
} }
/// Parse environment variables /// Parse environment variables