Dan Milne
c5898bd9a4
Add passkey option on TOTP page and auto-trigger passkey for TOTP users
...
When a user has both passkeys and TOTP configured, auto-trigger the
passkey flow on login to save them from the password→TOTP path. Also
add a "Use Passkey Instead" button on the TOTP verification page as
an escape hatch for users who end up there.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com >
2026-03-05 23:09:01 +11:00
Dan Milne
65c19fa732
Upgrade to Ruby 4.0.1, bump version to 0.9.0
...
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
Replace CGI.parse (removed in Ruby 4.0) with Rack::Utils.parse_query
in application controller, sessions controller, and OIDC tests.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com >
2026-03-05 21:52:11 +11:00
Dan Milne
fd8785a43d
Add API keys / bearer tokens for forward auth
...
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
Enables server-to-server authentication for forward auth applications
(e.g., video players accessing WebDAV) where browser cookies aren't
available. API keys use clk_ prefixed tokens stored as HMAC hashes.
Bearer token auth is checked before cookie auth in /api/verify.
Invalid tokens return 401 JSON (no redirect). Requests without
bearer tokens fall through to existing cookie flow unchanged.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com >
2026-03-05 21:45:40 +11:00
Dan Milne
444ae6291c
Add missing files, fix formatting
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-05 23:34:11 +11:00
Dan Milne
5268f10eb3
Don't allow claim escalation
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-05 16:40:11 +11:00
Dan Milne
27d77ebf47
Expose 'username' via forward auth headers
2026-01-05 15:12:02 +11:00
Dan Milne
46ae65f4d2
Move the 'remove_query_param' to the application controller
2026-01-05 13:03:03 +11:00
Dan Milne
95d0d844e9
Add a method to remove parameters from urls, so we can redirect without risk of infinite redirect. Fix a bunch of redirects to login afer being foced to log out. Add missing migrations
2026-01-05 13:01:32 +11:00
Dan Milne
524a7719c3
Merge branch 'main' into feature/claims
2026-01-05 12:11:53 +11:00
Dan Milne
8110d547dd
Fix bug with session deletion when logout forced and we have a redirect to follow
2026-01-05 12:11:52 +11:00
Dan Milne
25e1043312
Add skip-consent, correctly use 303, rather than 302, actually rename per app 'logout' to 'require re-auth'. Add helper methods for token lifetime - allowing 10d for 10days for example.
2026-01-05 12:03:01 +11:00
Dan Milne
074a734c0c
Accidentally added skip-consent to this branch
2026-01-05 12:01:04 +11:00
Dan Milne
4a48012a82
Add claims support
2026-01-05 12:00:29 +11:00
Dan Milne
e631f606e7
Better error messages
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-03 12:29:27 +11:00
Dan Milne
f4a697ae9b
More OpenID Conformance test fixes - work with POST, correct auth code character set, correct no-store cache headers
2026-01-03 12:28:43 +11:00
Dan Milne
16e34ffaf0
Updates for oidc conformance
2026-01-03 10:11:10 +11:00
Dan Milne
0bb84f08d6
OpenID conformance test: we get a warning for not having a value for every claim. But we can explictly list support claims. Nothing we can do about a warning in the complience.
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-02 16:35:12 +11:00
Dan Milne
182682024d
OpenID Conformance: Include all required scopes when profile is requested, even if they're empty
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-02 15:47:40 +11:00
Dan Milne
b517ebe809
OpenID conformance test: Allow posting the access token in the body for userinfo endpoint
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-02 15:41:07 +11:00
Dan Milne
dd8bd15a76
CSRF issue with API endpoint
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-02 15:29:34 +11:00
Dan Milne
f67a73821c
OpenID Conformance: user info endpoint should support get and post requets, not just get
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-02 15:26:39 +11:00
Dan Milne
b09ddf6db5
OpenID Conformance: We need to return to the redirect_uri in the case of errors.
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-02 15:12:55 +11:00
Dan Milne
abbb11a41d
Return only scopes requested, add tests ( OpenID conformance test )
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-02 14:55:06 +11:00
Dan Milne
5137a25626
Add remainging rate limits. Add docker compose production example. Update beta-checklist.
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-02 12:14:13 +11:00
Dan Milne
93a0edb0a2
StandardRB fixes
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-01 13:29:44 +11:00
Dan Milne
7d3af2bcec
SRB fixes
2026-01-01 13:19:17 +11:00
Dan Milne
c03034c49f
Add files to support brakeman and standardrb. Fix some SRB warnings
2026-01-01 13:18:30 +11:00
Dan Milne
e36a9a781a
Add new claims to the discovery endpoint
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-12-31 17:27:28 +11:00
Dan Milne
d036e25fef
Add auth_time, acr and azp support for OIDC claims
2025-12-31 17:07:54 +11:00
Dan Milne
fcdd2b6de7
Continue adding auth_time - need it in the refresh token too, so we can accurately create new access tokens.
2025-12-31 16:57:28 +11:00
Dan Milne
3939ea773f
We already have a login_time stored - the time stamp of the Session instance creation ( created after successful login ).
2025-12-31 16:45:45 +11:00
Dan Milne
4b4afe277e
Include auth_time in ID token. Switch from upsert -> find_and_create_by so we actually get sid values for consent on the creation of the record
2025-12-31 16:36:32 +11:00
Dan Milne
7c6ae7ab7e
Store only HMAC'd Auth codes, rather than plain text auth codes.
2025-12-31 15:00:00 +11:00
Dan Milne
ed7ceedef5
Include the hash of the access token in the JWT / ID Token under the key at_hash as per the requirements. Update the discovery endpoint to describe subject_type as 'pairwise', rather than 'public', since we do pairwise subject ids.
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-12-31 14:45:38 +11:00
Dan Milne
40815d3576
Use SolidQueue in production. Use the find_by_token method, rather than iterating over refresh tokens, as we already fixed for tokens
2025-12-31 14:32:34 +11:00
Dan Milne
9d402fcd92
Clean up and secure web_authn controller
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-12-31 11:44:11 +11:00
Dan Milne
bb5aa2e6d6
Add rails encryption for totp - allow configuration of encryption secrets from env, or derive them from SECRET_KEY_BASE. Don't leak email address via web_authn, rate limit web_authn, escape oidc state value, require password for changing email address, allow settings the hmac secret for token prefix generation
2025-12-31 10:33:56 +11:00
Dan Milne
cc7beba9de
PKCE is now default enabled. You can now create public / no-secret apps OIDC apps
2025-12-31 09:22:18 +11:00
Dan Milne
00eca6d8b2
Default deny forward_auth requests
2025-12-30 16:04:01 +11:00
Dan Milne
acab15ce30
Fix more tests
2025-12-29 18:48:41 +11:00
Dan Milne
0361bfe470
Fix forward_auth bugs - including disabled apps still working. Fix forward_auth tests
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-12-29 15:37:12 +11:00
Dan Milne
5b9d15584a
Add more rate limiting, and more restrictive headers
2025-12-29 13:29:14 +11:00
Dan Milne
ab362aabac
Remove the rate limit for the forward auth system
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-12-28 14:40:53 +11:00
Dan Milne
f8543f98cc
Add a subdirectory for active storage
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-11-27 19:12:09 +11:00
Dan Milne
6be23c2c37
Add backchannel logout, per application logout.
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-11-27 16:38:27 +11:00
Dan Milne
d6029556d3
Add OIDC fixes, add prefered_username, add application-user claims
2025-11-25 16:29:40 +11:00
Dan Milne
7796c38c08
Add pairwise SID with a UUIDv4, a significatant upgrade over User.id.to_s. Complete allowing admin to enforce TOTP per user
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-11-23 11:16:06 +11:00
Dan Milne
e882a4d6d1
More complete oidc
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-11-18 20:03:03 +11:00
Dan Milne
1ee3302319
Improvements derived from rodauth-oauth
2025-11-12 22:17:55 +11:00
Dan Milne
67f28faaca
Improve some front end views. More descriptive error condition reporting. Updates to CLINCH_HOST for better WEBAUTHN
2025-11-12 16:24:05 +11:00
