Kristoffer Dalby
da48cf64b3
Set OpenID Connect Expiry
This commit adds a default OpenID Connect expiry to 180d to align with
Tailscale SaaS (previously infinite or based on token expiry).
In addition, it adds an option to use the expiry time from the Token sent
by the OpenID provider. This will typically cause really short expiry
and you should only turn on this option if you know what you are
desiring.
This fixes #1176.
Co-authored-by: Even Holthe <even.holthe@bekk.no>
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2023-01-31 18:55:16 +01:00
Kristoffer Dalby
e3a2593344
Rename [Nn]amespace -> [Uu]ser in go code
Use gopls, ag and perl to rename all occurrences of Namespace
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2023-01-18 15:40:04 +01:00
Even Holthe
dd173ecc1f
Refresh machines with correct new expiry
2023-01-12 13:43:21 +01:00
Even Holthe
7157e14aff
add expiration from OIDC token to machine
2023-01-04 09:23:52 +01:00
Zachary Newell
70f2f5d750
Added an OIDC AllowGroups option for authorization.
2022-12-07 08:53:16 +01:00
Juan Font
8909f801bb
Added more debug messages in OIDC registration
2022-11-15 21:28:26 +01:00
Juan Font
ef68f17a96
Return the correct error on cache miss
2022-11-14 18:34:27 +01:00
Juan Font
f74266f8f8
OIDC code cleanup and harmonize with regular web auth
2022-11-14 18:34:27 +01:00
Juan Font Alonso
18c0009a51
Fix oidc.go linting issues
Signed-off-by: Juan Font Alonso <juanfontalonso@gmail.com>
2022-11-13 15:42:54 +01:00
LiuHanCheng
07f92e647c
fix bug in #912 (#914)
2022-11-05 09:07:22 +01:00
Juan Font Alonso
52073ce7c9
Pass context in OIDC helpers
2022-09-04 15:02:18 +02:00
Juan Font
cc3de7e723
Fix error decoding claims (#744)
2022-08-17 15:03:10 +00:00
Juan Font
8e56d8b425
Merge branch 'main' into switch-to-db-d
2022-08-11 13:11:38 +02:00
Adrien Raffin-Caboisse
110b01befa
Merge remote-tracking branch 'origin/main' into fix-bug-in-excludecorrectlytaggednodes
2022-08-11 12:49:26 +02:00
Juan Font Alonso
804d70386d
Switch to nodekey in urls
2022-08-11 12:15:16 +02:00
Juan Font Alonso
e91c378bd4
Replace machine key with node key in preparation for Noise in auth related stuff
2022-08-10 15:35:26 +02:00
Juan Font
8a9fe1da4b
Merge branch 'main' into oidc-refactoring
2022-08-09 20:29:02 +02:00
Grigoriy Mikhalkin
a1e7e771ce
refactor OIDC callback aux functions
2022-08-07 13:57:07 +02:00
Grigoriy Mikhalkin
00d2a447f4
decompose OIDCCallback method
2022-08-07 13:27:29 +02:00
Adrien Raffin-Caboisse
79688e6187
chore(all): apply formatter
2022-08-04 10:47:00 +02:00
Grigoriy Mikhalkin
911e6ba6de
exported API errors
2022-07-29 17:35:21 +02:00
Juan Font Alonso
ffcc72876c
Lint fixes 7/n
2022-06-26 12:30:52 +02:00
Juan Font Alonso
c810b24eb9
Lint fixes 5/n
2022-06-26 12:21:35 +02:00
Juan Font Alonso
c859bea0cf
Lint fixes 3/n
2022-06-26 12:01:04 +02:00
Juan Font Alonso
a913d1b521
Lint fixes 2/n
2022-06-26 11:55:37 +02:00
Juan Font Alonso
396c3ecdf7
Remove Gin from the OIDC handlers
2022-06-20 12:31:19 +02:00
Juan Font Alonso
d5e331a2fb
Remove Gin from OIDC callback
2022-06-17 17:42:17 +02:00
Kristoffer Dalby
e631c6f7e0
Merge master
2022-05-16 21:41:46 +02:00
Antoine POPINEAU
7cc58af932
Allow more configuration over the OIDC flow.
Adds knobs to configure three aspects of the OpenID Connect flow:
* Custom scopes to override the default "openid profile email".
* Custom parameters to be added to the Authorize Endpoint request.
* Domain allowlisting for authenticated principals.
* User allowlisting for authenticated principals.
2022-05-02 17:11:07 +02:00
Kristoffer Dalby
14994cb6cc
Use new logic and fields for dns
2022-04-24 20:55:54 +01:00
Kristoffer Dalby
739653fa71
Merge branch 'main' into feat-add-debug-log
2022-03-18 20:44:21 +00:00
Adrien Raffin-Caboisse
2e04abf4bb
feat(oidc): add debug log
2022-03-18 09:40:12 +01:00
Adrien Raffin-Caboisse
61ebb713f2
fix(oidc): Reset expiry for reauthentication
The previous code reset the expiry time to be expired. So the machine was never reauthenticated.
2022-03-18 09:32:07 +01:00
Adrien Raffin-Caboisse
f19c048569
fix: change normalization function name
2022-03-07 22:55:54 +01:00
Adrien Raffin-Caboisse
1114449601
change: update name of method to check and normalize Domain name
2022-03-06 20:46:17 +01:00
Kristoffer Dalby
1f8c7f427b
Add comment
2022-03-02 07:29:56 +00:00
Kristoffer Dalby
ec4dc68524
Use correct machinekey format for oidc reg
2022-03-02 07:29:56 +00:00
Kristoffer Dalby
86ade72c19
Remove err check
2022-03-02 07:29:56 +00:00
Kristoffer Dalby
82cb6b9ddc
Cleanup some unreachable code
2022-02-28 23:00:41 +00:00
Kristoffer Dalby
8bef04d8df
Remove sorted todo
2022-02-28 22:45:42 +00:00
Kristoffer Dalby
5e92ddad43
Remove redundant caches
This commit removes the two extra caches (oidc, requested time) and uses
the new central registration cache instead. The requested time is
unified into the main machine object and the oidc key is just added to
the same cache, as a string with the state as a key instead of machine
key.
2022-02-28 22:42:30 +00:00
Kristoffer Dalby
16b21e8158
Remove all references to Machine.Registered
2022-02-28 16:55:57 +00:00
Kristoffer Dalby
35616eb861
Fix oidc error where namespace isn't created #365
2022-02-28 16:41:28 +00:00
Kristoffer Dalby
54cc3c067f
Implement new machine register parameter
2022-02-28 16:34:50 +00:00
Kristoffer Dalby
469551bc5d
Register new machines needing callback in memory
This commit stores temporary registration data in cache, instead of
memory allowing us to only have actually registered machines in the
database.
2022-02-28 08:06:39 +00:00
Kristoffer Dalby
fd1e4a1dcd
Generalise registration for openid
2022-02-27 18:42:24 +01:00
Adrien Raffin-Caboisse
046116656b
chore: update formatting
2022-02-23 14:22:21 +01:00
Adrien Raffin-Caboisse
4f1f235a2e
feat: add strip_email_domain to normalization of namespace
2022-02-23 14:03:07 +01:00
Adrien Raffin-Caboisse
afd4a3706e
chore: update formatting
2022-02-22 21:05:39 +01:00
Adrien Raffin-Caboisse
0191ea93ff
feat(oidc): bind email to namespace
2022-02-22 19:59:15 +01:00