101 Commits

Author	SHA1	Message	Date
Dan Milne	e36a9a781a	Add new claims to the discovery endpoint	2025-12-31 17:27:28 +11:00
Dan Milne	d036e25fef	Add auth_time, acr and azp support for OIDC claims	2025-12-31 17:07:54 +11:00
Dan Milne	fcdd2b6de7	Continue adding auth_time - need it in the refresh token too, so we can accurately create new access tokens.	2025-12-31 16:57:28 +11:00
Dan Milne	3939ea773f	We already have a login_time stored - the time stamp of the Session instance creation ( created after successful login ).	2025-12-31 16:45:45 +11:00
Dan Milne	4b4afe277e	Include auth_time in ID token. Switch from upsert -> find_and_create_by so we actually get sid values for consent on the creation of the record	2025-12-31 16:36:32 +11:00
Dan Milne	3db466f5a2	Switch Access / Refresh tokens / Auth Code from bcrypt ( and plain ) to hmac. BCrypt is for low entropy passwords and prevents dictionary attacks - HMAC is suitable for 256-bit random data.	2025-12-31 15:48:32 +11:00
Dan Milne	7c6ae7ab7e	Store only HMAC'd Auth codes, rather than plain text auth codes.	2025-12-31 15:00:00 +11:00
Dan Milne	ed7ceedef5	Include the hash of the access token in the JWT / ID Token under the key at_hash as per the requirements. Update the discovery endpoint to describe subject_type as 'pairwise', rather than 'public', since we do pairwise subject ids.	2025-12-31 14:45:38 +11:00
Dan Milne	40815d3576	Use SolidQueue in production. Use the find_by_token method, rather than iterating over refresh tokens, as we already fixed for tokens	2025-12-31 14:32:34 +11:00
Dan Milne	9d402fcd92	Clean up and secure web_authn controller	2025-12-31 11:44:11 +11:00
Dan Milne	bb5aa2e6d6	Add rails encryption for totp - allow configuration of encryption secrets from env, or derive them from SECRET_KEY_BASE. Don't leak email address via web_authn, rate limit web_authn, escape oidc state value, require password for changing email address, allow settings the hmac secret for token prefix generation	2025-12-31 10:33:56 +11:00
Dan Milne	cc7beba9de	PKCE is now default enabled. You can now create public / no-secret apps OIDC apps	2025-12-31 09:22:18 +11:00
Dan Milne	00eca6d8b2	Default deny forward_auth requests	2025-12-30 16:04:01 +11:00
Dan Milne	99c3ac905f	Add a token prefix column, generate the token_prefix and the token_digest, removing the plaintext token from use.	2025-12-30 09:45:16 +11:00
Dan Milne	0761c424c1	Fix tests. Remove tests which test rails functionality	2025-12-30 00:18:19 +11:00
Dan Milne	acab15ce30	Fix more tests	2025-12-29 18:48:41 +11:00
Dan Milne	0361bfe470	Fix forward_auth bugs - including disabled apps still working. Fix forward_auth tests	2025-12-29 15:37:12 +11:00
Dan Milne	5b9d15584a	Add more rate limiting, and more restrictive headers	2025-12-29 13:29:14 +11:00
Dan Milne	898fd69a5d	Add permissions initializer and missing image paste controller	2025-12-29 13:27:30 +11:00
Dan Milne	ab362aabac	Remove the rate limit for the forward auth system	2025-12-28 14:40:53 +11:00
Dan Milne	283feea175	Update depenencies, bump versoin	2025-11-30 23:13:25 +11:00
Dan Milne	7af8624bf8	Handle empty backchannel logout urls	2025-11-27 19:19:34 +11:00
Dan Milne	f8543f98cc	Add a subdirectory for active storage	2025-11-27 19:12:09 +11:00
Dan Milne	6be23c2c37	Add backchannel logout, per application logout.	2025-11-27 16:38:27 +11:00
Dan Milne	eb2d7379bf	Backchannel complete - improve oidc credential display	2025-11-27 11:52:25 +11:00
Dan Milne	67d86e5835	Add Icons for apps	2025-11-25 19:11:22 +11:00
Dan Milne	d6029556d3	Add OIDC fixes, add prefered_username, add application-user claims	2025-11-25 16:29:40 +11:00
Dan Milne	7796c38c08	Add pairwise SID with a UUIDv4, a significatant upgrade over User.id.to_s. Complete allowing admin to enforce TOTP per user	2025-11-23 11:16:06 +11:00
Dan Milne	e882a4d6d1	More complete oidc	2025-11-18 20:03:03 +11:00
Dan Milne	ab0085e9c9	More complete oidc	2025-11-18 20:02:45 +11:00
Dan Milne	1ee3302319	Improvements derived from rodauth-oauth	2025-11-12 22:17:55 +11:00
Dan Milne	67f28faaca	Improve some front end views. More descriptive error condition reporting. Updates to CLINCH_HOST for better WEBAUTHN	2025-11-12 16:24:05 +11:00
Dan Milne	11ec753c68	Bump up the forward auth token ttl, fix leaking of error data	2025-11-09 12:27:53 +11:00
Dan Milne	4df2eee4d9	Bug fix for domain names with empty string instead of null. Form errors and some security fixes	2025-11-09 12:22:41 +11:00
Dan Milne	d9f11abbbf	Fixes for OIDC and HTML	2025-11-09 12:04:26 +11:00
Dan Milne	c92e69fa4a	Add PCKE	2025-11-09 11:54:45 +11:00
Dan Milne	f02665f690	Consolidate all the error messages - add some stimulus controller.	2025-11-07 16:58:28 +11:00
Dan Milne	6049429a41	Fix mobile view menu popout. Add an option SENTRY_DSN support, which uses rails event reporting	2025-11-04 23:16:28 +11:00
Dan Milne	2b15aa2c40	Add sentry, set csp reporting API	2025-11-04 22:58:32 +11:00
Dan Milne	4f5974dd37	bah	2025-11-04 21:33:52 +11:00
Dan Milne	5de53f1841	bug fix	2025-11-04 21:21:00 +11:00
Dan Milne	73b2ae2f02	Add some docs	2025-11-04 21:13:46 +11:00
Dan Milne	4c5ac344bd	Bug updating OIDC apps. Update readme	2025-11-04 20:14:41 +11:00
Dan Milne	044b9239d6	Ok - this time add the new controllers we stripped out of inline and add back the csp	2025-11-04 18:55:20 +11:00
Dan Milne	e9b1995e89	Remove unneeded stuff	2025-11-04 18:47:31 +11:00
Dan Milne	fb14ce032f	Strip out more inline javascript code. Encrypt backup codes and treat the backup codes attribute as a json array	2025-11-04 18:46:11 +11:00
Dan Milne	bf104a9983	Fix CSP errors - migrate inline JS to stimulus controllers. Add a URL for applications so users can discover them	2025-11-04 17:06:53 +11:00
Dan Milne	ec13dd2b60	Fix storing passkeys	2025-11-04 16:32:50 +11:00
Dan Milne	57abc0b804	Add webauthn	2025-11-04 16:20:11 +11:00
Dan Milne	19bfc21f11	Move sessions into their own view for easier management	2025-11-04 15:19:39 +11:00