Ralf Haferkamp
80ce622caa
cleanup(oidc): Verify logout tokens using golang-jwt
...
golang-jwt provides all the necessary functionality to parse and verify
LogoutTokens. This gets rid of the direct go-jose dependency and
quite a bit of custom crafted jwt verification code.
2024-08-26 15:58:33 +02:00
Ralf Haferkamp
109b23966c
bump some jwt related go modules to current version
...
go-jwt/jwt to v5.2.1
MicahParks/keyfunc to v2.1.0
2024-08-26 15:35:15 +02:00
Ralf Haferkamp
3be286a2a3
Bump go-jose and update to new location
...
It's now maintained in github.com/go-jose/go-jose. Bumping to
latest backwards compatible release. (v4 will require some code changes)
2024-05-08 17:52:17 +02:00
Jörn Friedrich Dreyer
f1d09af547
support AD FS ( #7140 )
...
* support AD FS
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* drop unnecessary else
Co-authored-by: kobergj <jkoberg@owncloud.com>
---------
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
Co-authored-by: kobergj <jkoberg@owncloud.com>
2023-09-01 15:25:06 +02:00
Jörn Friedrich Dreyer
5422586bfa
allow skipping userinfo call
...
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
2023-08-23 13:56:48 +02:00
Ralf Haferkamp
b7990875c1
oidc: Remove "aud" claim validation of logout tokens ( #6156 )
...
The "aud" claim of the logout token is supposed to contain the client-id
of the client for which the token was issued. Our current implementation of
validating that claim is somewhat broken. We only allow to configure a single
value for the allowed client id. But we have different client-ids
accessing oCIS.
This completely removes the current validation of the `aud` claim until
we come up with a working solution. As we currently require a session id
to be present in the logout token, the risk of not validating the `aud`
claim is pretty low.
Related: #6149
2023-04-27 10:34:09 +02:00
Ralf Haferkamp
70a80125c3
Fix backchannel logout
...
Use access token to lookup session id. The userinfo endpoint does
not return the session id. Also add some debug logging.
Co-authored-by: Christian Richter <crichter@owncloud.com>
Co-authored-by: Michael Barz <mbarz@owncloud.com>
2023-04-20 18:04:52 +02:00
Christian Richter
a6ced1f99f
Simplify Unmarshall function for stringAsBool struct
...
Co-authored-by: Julian Koberg <jkoberg@owncloud.com>
Signed-off-by: Christian Richter <crichter@owncloud.com>
2023-04-20 11:45:13 +02:00
Christian Richter
30bcf32062
incorporate requested changes
...
Signed-off-by: Christian Richter <crichter@owncloud.com>
2023-04-20 09:00:58 +02:00
Christian Richter
e88a0d7bc3
add tests for oidc backchannel logout
...
Signed-off-by: Christian Richter <crichter@owncloud.com>
2023-04-19 17:32:49 +02:00
Christian Richter
15691ae78a
fix contexts, render result
...
Signed-off-by: Christian Richter <crichter@owncloud.com>
2023-04-19 17:32:25 +02:00
Jörn Friedrich Dreyer
d2d7c49df4
properly parse logout request
...
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
2023-04-19 17:32:25 +02:00
Jörn Friedrich Dreyer
a98a880e7d
move code, delete duplicate lines
...
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
2023-04-19 17:32:25 +02:00
Jörn Friedrich Dreyer
dc399a61ac
implement backchannel logout, reuse userinfo cache
...
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
2023-04-19 17:32:25 +02:00
Jörn Friedrich Dreyer
bc15b8a396
work on logout
...
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
2023-04-19 17:32:25 +02:00
Jörn Friedrich Dreyer
b608d0b0f9
move verify access token code to oidc client
...
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
2023-04-19 17:32:25 +02:00
Jörn Friedrich Dreyer
469534b321
small cleanup
...
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
2023-04-19 17:32:25 +02:00
Jörn Friedrich Dreyer
58dce9bed8
use our oidc client
...
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
2023-04-19 17:32:25 +02:00
Jörn Friedrich Dreyer
014308ddc9
introduce oidc client, based on coreos go-oidc
...
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
2023-04-19 17:32:25 +02:00