diff --git a/services/idp/pkg/config/config.go b/services/idp/pkg/config/config.go
index 2c3fcf91b..893ea068e 100644
--- a/services/idp/pkg/config/config.go
+++ b/services/idp/pkg/config/config.go
@@ -70,9 +70,6 @@ type Client struct {
 }
 
 type Settings struct {
-	// don't change the order of elements in this struct
-	// it needs to match github.com/libregraph/lico/bootstrap.Settings
-
 	Iss string `yaml:"iss" env:"OCIS_URL;OCIS_OIDC_ISSUER;IDP_ISS" desc:"The OIDC issuer URL to use." introductionVersion:"pre5.0"`
 	IdentityManager string `yaml:"identity_manager" env:"IDP_IDENTITY_MANAGER" desc:"The identity manager implementation to use. Supported identity managers are 'ldap', 'cs3', 'libregraph' and 'guest'." introductionVersion:"pre5.0"`
@@ -115,8 +112,8 @@ type Settings struct {
 	CookieNames []string
 	CookieSameSite http.SameSite
-	AccessTokenDurationSeconds uint64 `yaml:"access_token_duration_seconds" env:"IDP_ACCESS_TOKEN_EXPIRATION" desc:"'Access token lifespan in seconds (time before an access token is expired).'" introductionVersion:"pre5.0"`
-	IDTokenDurationSeconds uint64 `yaml:"id_token_duration_seconds" env:"IDP_ID_TOKEN_EXPIRATION" desc:"ID token lifespan in seconds (time before an ID token is expired)." introductionVersion:"pre5.0"`
-	RefreshTokenDurationSeconds uint64 `yaml:"refresh_token_duration_seconds" env:"IDP_REFRESH_TOKEN_EXPIRATION" desc:"Refresh token lifespan in seconds (time before an refresh token is expired). This also limits the duration of an idle offline session." introductionVersion:"pre5.0"`
-	DyamicClientSecretDurationSeconds uint64 `yaml:"dynamic_client_secret_duration_seconds" env:"IDP_DYNAMIC_CLIENT_SECRET_DURATION" desc:"Lifespan in seconds of a dynamically registered OIDC client." introductionVersion:"pre5.0"`
+	AccessTokenDurationSeconds uint64 `yaml:"access_token_duration_seconds" env:"IDP_ACCESS_TOKEN_EXPIRATION" desc:"'Access token lifespan in seconds (time before an access token is expired).'" introductionVersion:"pre5.0"`
+	IDTokenDurationSeconds uint64 `yaml:"id_token_duration_seconds" env:"IDP_ID_TOKEN_EXPIRATION" desc:"ID token lifespan in seconds (time before an ID token is expired)." introductionVersion:"pre5.0"`
+	RefreshTokenDurationSeconds uint64 `yaml:"refresh_token_duration_seconds" env:"IDP_REFRESH_TOKEN_EXPIRATION" desc:"Refresh token lifespan in seconds (time before an refresh token is expired). This also limits the duration of an idle offline session." introductionVersion:"pre5.0"`
+	DynamicClientSecretDurationSeconds uint64 `yaml:"dynamic_client_secret_duration_seconds" env:"IDP_DYNAMIC_CLIENT_SECRET_DURATION" desc:"Lifespan in seconds of a dynamically registered OIDC client." introductionVersion:"pre5.0"`
 }
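Review bot: The re-emitted `AccessTokenDurationSeconds` tag still carries stray single quotes inside its desc text (`desc:"'Access token lifespan in seconds (time before an access token is expired).'"`), and the `RefreshTokenDurationSeconds` desc reads `an refresh token`; both strings are what the generated configuration documentation shows to operators. Since the commit rewrites these four lines anyway, change them to `desc:"Access token lifespan in seconds (time before an access token is expired)."` and `desc:"Refresh token lifespan in seconds (time before a refresh token is expired). This also limits the duration of an idle offline session."`. The Settings struct starts outside the hunk.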
diff --git a/services/idp/pkg/config/defaults/defaultconfig.go b/services/idp/pkg/config/defaults/defaultconfig.go
index aa908a865..6a129bd45 100644
--- a/services/idp/pkg/config/defaults/defaultconfig.go
+++ b/services/idp/pkg/config/defaults/defaultconfig.go
@@ -38,38 +38,38 @@ func DefaultConfig() *config.Config {
 			Name: "idp",
 		},
 		IDP: config.Settings{
-			Iss: "https://localhost:9200",
-			IdentityManager: "ldap",
-			URIBasePath: "",
-			SignInURI: "",
-			SignedOutURI: "",
-			AuthorizationEndpointURI: "",
-			EndsessionEndpointURI: "",
-			Insecure: false,
-			TrustedProxy: nil,
-			AllowScope: nil,
-			AllowClientGuests: false,
-			AllowDynamicClientRegistration: false,
-			EncryptionSecretFile: filepath.Join(defaults.BaseDataPath(), "idp", "encryption.key"),
-			Listen: "",
-			IdentifierClientDisabled: true,
-			IdentifierClientPath: filepath.Join(defaults.BaseDataPath(), "idp"),
-			IdentifierRegistrationConf: filepath.Join(defaults.BaseDataPath(), "idp", "tmp", "identifier-registration.yaml"),
-			IdentifierScopesConf: "",
-			IdentifierDefaultBannerLogo: "",
-			IdentifierDefaultSignInPageText: "",
-			IdentifierDefaultUsernameHintText: "",
-			SigningKid: "private-key",
-			SigningMethod: "PS256",
-			SigningPrivateKeyFiles: []string{filepath.Join(defaults.BaseDataPath(), "idp", "private-key.pem")},
-			ValidationKeysPath: "",
-			CookieBackendURI: "",
-			CookieNames: nil,
-			CookieSameSite: http.SameSiteStrictMode,
-			AccessTokenDurationSeconds: 60 * 5, // 5 minutes
-			IDTokenDurationSeconds: 60 * 5, // 5 minutes
-			RefreshTokenDurationSeconds: 60 * 60 * 24 * 30, // 30 days
-			DyamicClientSecretDurationSeconds: 0,
+			Iss: "https://localhost:9200",
+			IdentityManager: "ldap",
+			URIBasePath: "",
+			SignInURI: "",
+			SignedOutURI: "",
+			AuthorizationEndpointURI: "",
+			EndsessionEndpointURI: "",
+			Insecure: false,
+			TrustedProxy: nil,
+			AllowScope: nil,
+			AllowClientGuests: false,
+			AllowDynamicClientRegistration: false,
+			EncryptionSecretFile: filepath.Join(defaults.BaseDataPath(), "idp", "encryption.key"),
+			Listen: "",
+			IdentifierClientDisabled: true,
+			IdentifierClientPath: filepath.Join(defaults.BaseDataPath(), "idp"),
+			IdentifierRegistrationConf: filepath.Join(defaults.BaseDataPath(), "idp", "tmp", "identifier-registration.yaml"),
+			IdentifierScopesConf: "",
+			IdentifierDefaultBannerLogo: "",
+			IdentifierDefaultSignInPageText: "",
+			IdentifierDefaultUsernameHintText: "",
+			SigningKid: "private-key",
+			SigningMethod: "PS256",
+			SigningPrivateKeyFiles: []string{filepath.Join(defaults.BaseDataPath(), "idp", "private-key.pem")},
+			ValidationKeysPath: "",
+			CookieBackendURI: "",
+			CookieNames: nil,
+			CookieSameSite: http.SameSiteStrictMode,
+			AccessTokenDurationSeconds: 60 * 5, // 5 minutes
+			IDTokenDurationSeconds: 60 * 5, // 5 minutes
+			RefreshTokenDurationSeconds: 60 * 60 * 24 * 30, // 30 days
+			DynamicClientSecretDurationSeconds: 0,
 		},
 		Clients: []config.Client{
 			{
diff --git a/services/idp/pkg/service/v0/service.go b/services/idp/pkg/service/v0/service.go
index 1bca23f90..e0eeea460 100644
--- a/services/idp/pkg/service/v0/service.go
+++ b/services/idp/pkg/service/v0/service.go
@@ -79,8 +79,41 @@ func NewService(opts ...Option) Service {
 		libreGraphBackendSupport.MustRegister()
 	}
 
-	// https://play.golang.org/p/Mh8AVJCd593
-	idpSettings := bootstrap.Settings(options.Config.IDP)
+	idpSettings := bootstrap.Settings{
+		Iss: options.Config.IDP.Iss,
+		IdentityManager: options.Config.IDP.IdentityManager,
+		URIBasePath: options.Config.IDP.URIBasePath,
+		SignInURI: options.Config.IDP.SignInURI,
+		SignedOutURI: options.Config.IDP.SignedOutURI,
+		AuthorizationEndpointURI: options.Config.IDP.AuthorizationEndpointURI,
+		EndsessionEndpointURI: options.Config.IDP.EndsessionEndpointURI,
+		Insecure: options.Config.IDP.Insecure,
+		TrustedProxy: options.Config.IDP.TrustedProxy,
+		AllowScope: options.Config.IDP.AllowScope,
+		AllowClientGuests: options.Config.IDP.AllowClientGuests,
+		AllowDynamicClientRegistration: options.Config.IDP.AllowDynamicClientRegistration,
+		EncryptionSecretFile: options.Config.IDP.EncryptionSecretFile,
+		Listen: options.Config.IDP.Listen,
+		IdentifierClientDisabled: options.Config.IDP.IdentifierClientDisabled,
+		IdentifierClientPath: options.Config.IDP.IdentifierClientPath,
+		IdentifierRegistrationConf: options.Config.IDP.IdentifierRegistrationConf,
+		IdentifierScopesConf: options.Config.IDP.IdentifierScopesConf,
+		IdentifierDefaultBannerLogo: options.Config.IDP.IdentifierDefaultBannerLogo,
+		IdentifierDefaultSignInPageText: options.Config.IDP.IdentifierDefaultSignInPageText,
+		IdentifierDefaultUsernameHintText: options.Config.IDP.IdentifierDefaultUsernameHintText,
+		IdentifierUILocales: options.Config.IDP.IdentifierUILocales,
+		SigningKid: options.Config.IDP.SigningKid,
+		SigningMethod: options.Config.IDP.SigningMethod,
+		SigningPrivateKeyFiles: options.Config.IDP.SigningPrivateKeyFiles,
+		ValidationKeysPath: options.Config.IDP.ValidationKeysPath,
+		CookieBackendURI: options.Config.IDP.CookieBackendURI,
+		CookieNames: options.Config.IDP.CookieNames,
+		CookieSameSite: options.Config.IDP.CookieSameSite,
+		AccessTokenDurationSeconds: options.Config.IDP.AccessTokenDurationSeconds,
+		IDTokenDurationSeconds: options.Config.IDP.IDTokenDurationSeconds,
+		RefreshTokenDurationSeconds: options.Config.IDP.RefreshTokenDurationSeconds,
+		DyamicClientSecretDurationSeconds: options.Config.IDP.DynamicClientSecretDurationSeconds,
+	}
 	bs, err := bootstrap.Boot(ctx, &idpSettings, &licoconfig.Config{
 		Logger: log.LogrusWrap(logger),
 	})
@@ -179,7 +212,7 @@ func initLicoInternalLDAPEnvVars(ldap *config.Ldap) error {
 	if ldap.UserEnabledAttribute != "" {
 		// Using a (!(enabled=FALSE)) filter here to allow user without
-		// any value for the enable flag to login
+		// any value for the enable flag to log in
 		filter += fmt.Sprintf("(!(%s=FALSE))", ldap.UserEnabledAttribute)
 		needsAnd = true
 	}
@@ -225,7 +258,7 @@ type IDP struct {
 	tp trace.TracerProvider
 }
 
-// initMux initializes the internal idp gorilla mux and mounts it in to a ocis chi-router
+// initMux initializes the internal idp gorilla mux and mounts it in to an ocis chi-router
 func (idp *IDP) initMux(ctx context.Context, r []server.WithRoutes, h http.Handler, options Options) {
 	gm := mux.NewRouter()
 	for _, route := range r {
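Review bot: The field-by-field copy into `bootstrap.Settings` drops the guarantee the removed struct conversion gave for free: a conversion fails to compile when the two types drift, whereas a field added later to lico's `bootstrap.Settings` (or to ocis's `config.Settings`) that is not listed in this literal now silently keeps lico's zero value, and several of the mapped fields decide the security posture of the IdP (`Insecure`, `TrustedProxy`, `CookieSameSite`, the three token lifetimes, `EncryptionSecretFile`, `SigningPrivateKeyFiles`). Add a comment above the literal such as `// Keep in sync with github.com/libregraph/lico/bootstrap.Settings: a field missing here silently falls back to lico's zero value, which can weaken the configured security settings.`, and consider a small test that reflects over `bootstrap.Settings` and checks every exported field is assigned from a fully populated `config.Settings`, which restores the lost compile-time check as a CI check. The left-hand `DyamicClientSecretDurationSeconds` is presumably lico's own misspelled field name and cannot be renamed on this side; a trailing `// lico's field name, not a typo here` would stop the next reader from "correcting" it. NewService starts and ends outside the hunk.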