wicked should support multiple redirect_uris for OAuth2 applications #178

Closed
DonMartin76 opened this issue Feb 28, 2019 · 1 comment

Comments

@DonMartin76
Member

For different reasons, it would be beneficial if wicked supported multiple redirect URIs for OAuth2 flows for a single application.

This enables e.g. the following: One redirect_uri for the initial login of an SPA, and one for a subsequent silent refresh (e.g. then using a silent-refresh.html page to receive the redirect).
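As an added example, not code from the wicked project: a redirect_uri check for an application with several registered URIs, as the SPA login plus silent-refresh case above needs. The sample URIs, the function names and the allowInsecureHttp option are assumptions made for the example.

```javascript
// Added example (not wicked's own code): checking an OAuth2 redirect_uri against
// the list of redirect URIs registered for one application.
// Assumptions: registered URIs are stored as an array that may contain junk
// (non-string or blank entries), and the matching policy is exact string
// comparison, as RFC 6749 section 3.1.2.2 and the OAuth 2.0 Security BCP advise.

const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

// Constructed sample: an SPA registered with one URI for the interactive login
// and one for the silent-refresh page, plus the kind of junk that can end up
// in a stored array (blank entry, untrimmed entry, non-string).
const SPA_REDIRECT_URIS = [
  'https://app.example.com/callback',
  '',
  ' https://app.example.com/silent-refresh.html ',
  42,
];

// Clean a stored redirectUris value: accept a single string or an array, drop
// non-strings and blank entries, trim whitespace, and remove duplicates.
function normalizeRedirectUris(raw) {
  const list = Array.isArray(raw) ? raw : (typeof raw === 'string' ? [raw] : []);
  const out = [];
  for (const entry of list) {
    if (typeof entry !== 'string') continue;
    const trimmed = entry.trim();
    if (trimmed !== '' && !out.includes(trimmed)) out.push(trimmed);
  }
  return out;
}

// Registration-time policy for one URI. Returns null when acceptable, otherwise
// a short reason. https is always fine; http only for loopback hosts unless the
// (assumed) allowInsecureHttp option is set for local development; any other
// scheme is treated as a native-app custom scheme and accepted.
function redirectUriProblem(uri, opts = {}) {
  if (typeof uri !== 'string' || uri.trim() === '') {
    return 'redirect_uri must be a non-empty string';
  }
  if (uri.includes('#')) {
    return 'redirect_uri must not contain a fragment (RFC 6749 section 3.1.2)';
  }
  let parsed;
  try {
    parsed = new URL(uri);
  } catch (err) {
    return 'redirect_uri must be an absolute URI';
  }
  if (parsed.protocol === 'https:') return null;
  if (parsed.protocol === 'http:') {
    if (LOOPBACK_HOSTS.has(parsed.hostname) || opts.allowInsecureHttp) return null;
    return 'http redirect_uri is only allowed for loopback addresses';
  }
  return null;
}

// Authorization-time check: the requested value must be exactly one of the
// registered URIs. No prefix matching, no wildcards, no query or path
// normalization, so "/callback?x=1" or "/callback/../admin" never match.
function isAllowedRedirectUri(requested, registeredRaw, opts = {}) {
  if (typeof requested !== 'string') return false;
  const registered = normalizeRedirectUris(registeredRaw);
  if (!registered.includes(requested)) return false;
  return redirectUriProblem(requested, opts) === null;
}

// Resolve the redirect URI for an authorization request. RFC 6749 section
// 3.1.2.3: with more than one registered URI the redirect_uri parameter is
// required; with exactly one it may be omitted. On any failure the caller must
// show the error to the user agent and must NOT redirect to the unverified URI.
function resolveRedirectUri(requested, registeredRaw, opts = {}) {
  const registered = normalizeRedirectUris(registeredRaw);
  if (registered.length === 0) {
    return { ok: false, error: 'client has no registered redirect_uri' };
  }
  if (requested === undefined || requested === null) {
    if (registered.length > 1) {
      return { ok: false, error: 'redirect_uri is required when several URIs are registered' };
    }
    return { ok: true, redirectUri: registered[0] };
  }
  if (!isAllowedRedirectUri(requested, registered, opts)) {
    return { ok: false, error: 'redirect_uri does not exactly match a registered URI' };
  }
  return { ok: true, redirectUri: requested };
}

// Walk through the SPA scenario from the issue.
for (const candidate of [
  'https://app.example.com/silent-refresh.html',
  'https://app.example.com/callback?next=/admin',
  'https://app.example.com/callback/../admin',
]) {
  console.log(candidate, '->', resolveRedirectUri(candidate, SPA_REDIRECT_URIS));
}
```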

@DonMartin76 DonMartin76 added this to the 1.0.0-rc.2 milestone Mar 1, 2019
DonMartin76 added a commit to apim-haufe-io/wicked.api that referenced this issue Mar 1, 2019
DonMartin76 added a commit to apim-haufe-io/wicked.kong-adapter that referenced this issue Mar 1, 2019
DonMartin76 added a commit to apim-haufe-io/wicked.auth that referenced this issue Mar 1, 2019
DonMartin76 added a commit to apim-haufe-io/wicked.test that referenced this issue Mar 1, 2019
DonMartin76 added a commit to apim-haufe-io/wicked.ui that referenced this issue Mar 2, 2019
DonMartin76 added a commit to apim-haufe-io/wicked.k8s-init that referenced this issue Mar 4, 2019
- Full refactoring with async/await instead of callbacks
- Moved to axios instead of request/request
- Support for detecting changed clientType, plan ID and redirect URIs

Concludes fix of Haufe-Lexware/wicked.haufe.io#178 - yay!
@DonMartin76
Member Author

Implemented in 1.0.0-rc.2.

maksimlikharev pushed a commit to clarivate/wicked.ui that referenced this issue Apr 15, 2019
* Changes to use the client credentials flow with Kong to access to API anonymously

* Work in progress: Adaptions to the Portal using OAuth2 to get access tokens, both anonymous and personalized. Started refactoring out the login process.

* Launch configuration for VS code

* Retrieve admin and approver status from wicked API

* hide api endpoint for partner api (#27)

* Feat/api tags filter (#19)

* API category filtering

* Fixing checkbox sidenav and grid column layout

* Updating apis grid style and layout

* Not all changes were pushed

* Adding custom.css to layout.jade, changes are in global file, config

* Updating media queries for responsive

* Fixing condition where there are no categories in the left column.

* removing custom.css inclusion

* New layout for API tags filtering

* Fix package version

* layout fix

* version revert

* Implement review comments

* Make sure the layout looks good if no tags are used

* Text Updates as per PPT (#25)

* Bump to version 0.12.5

* Take out delete of subscription (will need to add this again later).

* Redirect to correct host (from globals.json).

* Updated dependencies

* Set installing wicked-sdk straight

* Refactor logging of wicked portal (use portal-env/winston)

* Minor code cleanup in startup code

* Wire the auth server endpoints on the API page UI

* Updated dependencies

* Updated dependencies

* Updated dependencies

* Add "put" function; refactor out all "var"

* Use registration pool instead of user info end points; take out signup

* Add link to verification on auth server

* Remove forgot password and email validation from portal (now in portal-auth)

* Debug message for "verify email link".

* Make login buttons nicer using bootstrap-social

* Take email and custom ID back in for the user list (they are also stored in the registrations now).

* Also pass in callback URL to authorize call (needed in Auth Server by now)

* Incorporate a link to managing application grants

* Adaptions to breaking API changes ("items" instead of naked arrays)

* Added implementation notes on how to proceed with the new /applications endpoint

* More notes on how to use the extended backend API

* UI enhancement: Better error message if an app ID is already taken.

* Changelog (#37)

* Added application description field

* Initial Grid integration

* Added server side pagination

* Grid integration

* Review comments

* More review comments

* Allow markdown in application description

* Remove dead code

* minor bug fix

* JSGrid integration with user applications page

* Grid integration to verifications page and user applications page

* Minor bug fix: Use userId instead of registration ID (which is just for internal purposes).

* Redirect after login works again (also in dev mode), some fixes to admin.js

- Admin pages were no longer restricted to admin users
- Now the redirect takes place if not logged in
- And the 403 page is displayed if you are, but you don't have rights

* Updated dependencies

* Remove lots of unused auth related code (--> wicked.portal-auth)

* Replace all 'var' with 'let' or 'const'

* Swagger ui plugin upgrade

* Support for "trusted" subscriptions, also for approving such subscriptions

* Add support for setting the "confidential" flag for applications

* Refactoring of pool properties to an array

* Adaptions for refactoring of registrations in API

* Only show authorization endpoints for the methods configured for an API

* Refactoring of auth server loading, UI improvement(?)

* Some improvements for Swagger UI; almost works, but not quite yet

* Fix if you happen to have an app of the name swagger-ui

* Updated dependencies

* Updated dependencies

* Bug fix: Swagger ui rendering for "View Swagger Definition" button

* Updated dependencies

* Updated dependencies

* Make sure panel titles display a hand icon (button role)

* Pull highlight.js completely from self

* Portal assist Swagger Application Registration

* In case authentication fails, propagate error message

* Updated dependencies

* Updated dependencies

* Updated dependencies

* Updated dependencies

* Use the same class for the body as in portal-auth

* Updated dependencies

* Use the internal proxy port of Kong to retrieve tokens from the auth server

- This fixes an issue with self signed certificates when getting tokens via Kong internally

* Use the internal proxy URL as API URL instead of the externally visible one

* Updated dependencies

* Fix "undefined" in display of registration properties

* Update to latest Swagger UI dist

* Bug fix: Fix rendering of "All applications" page

* Make it even easier to use the Swagger UI special application

* Started help pages on OAuth2...

* Clean up the API page regarding authentication and authorization

* Remove commented code

* Finished OAuth2 help pages

* Updated dependencies

* Updated swagger-ui to 3.18.2 (including fix of error messages)

* Updated dependencies

* MVP support for API bundling, also in the portal

* Support for displaying multiple API URIs in the portal

* Retry logic for the most API calls

* Updated dependencies

* Fix view Swagger UI without forUser parameter

* Minor fixes to Swagger UI layout (better CSS, hosted jQuery)

* Obey selected password strategy

* Better checking of valid redirect URIs (according to spec and API)

* Make the case nicer where the user does not have the right plans

* Show description by default

* Wire wicked API to /wicked instead of /api

* Updated dependencies

* Updated dependencies

* Redirect from /signup to /login, Haufe-Lexware/wicked.haufe.io#136

* UI bits and help pages for Haufe-Lexware/wicked.haufe.io#138

* remove choice wording when not needed (#38)

* Fix for the case that the API does not have any scopes

* Fscksbgrbmbnmbgmnrg

* Ability to pull subscriptions in paginated fashion

* minor typo fix

* Fix edge case "just one scope"

* Fix XSS vulnerability via marked sanitize

* Remove package-lock.json

* Rename images (drop portal-, here: rename to "ui")

* Better misconfiguration error message regarding schema and environment

* Update to Bootstrap 3.4.0

* Better error message when trying to look at the internal portal user.

* Adapted reverse build trigger

* Tiny feature: Don't display auth method selection if only one is configured

* Update of OAuth2 help texts, fixes Haufe-Lexware/wicked.haufe.io#157

* Portal UI part of Haufe-Lexware/wicked.haufe.io#159

- Support for more granular client types

* Add a "reload configuration" button

- Part of Haufe-Lexware/wicked.haufe.io#162, not quite finished yet

* Ignore build_date file

* Ignore git_* files

* Bump to version 1.0.0-rc.1

* Remove versioning from portal-env.tgz

* Enable local builds

* Turn off build cache

* Typo

* More typo

* Clarification on public/native clients

* Bump to version 1.0.0-rc.2

* Implements wicked.ui part of Haufe-Lexware/wicked.haufe.io#172

- Filter auth methods (in UI)

* Support for multiple redirect URIs

Last part in the fix of Haufe-Lexware/wicked.haufe.io#178

* Fixes Haufe-Lexware/wicked.haufe.io#174

* Docs and help improvements

* Bump to version 1.0.0-rc.3

* Bump to version 1.0.0-rc.4

* Simplify application init code somewhat

* Linting + typo

* Feat/no auth (#41)

* Feature to allow publishing of an api without having to require any authentication.

* Don't show application related message for no-auth API

* Fixed issue Haufe-Lexware/wicked.haufe.io#177

* Fixed Haufe-Lexware/wicked.haufe.io#179

* Audit Report or All subscriptions page for administrators and approvers  (#40)

* Integrate Audit Report

* Initial Export to CSV feature

* Added Status column (Prod team requested this)

* Hyperlink user email address to user page

* Minor fix

* Implement review comments

* Implement review comments

* Update bootstrap

* Update async and request

* Short note on "none" auth APIs

* Linting

maksimlikharev pushed a commit to clarivate/wicked.kong-adapter that referenced this issue Apr 15, 2019
* Work in progress - support all flows for portal-api

* Major cleanup - take out user consumers (a never published feature), take out oauth2 functionality completely (moved to kong-oauth2)

* Take out commented code

* Change to ISO date, adapt to node 8, add lock file.

* WIP - reference wicked-sdk from local directories - this has to be changed back again

* Assume Kong 0.11.2 as of wicked 0.12.5.

* Bump to version 0.12.5

* Updated dependencies

* Set installing wicked-sdk straight

* Launch configuration for vs code

* Refactorings:
- Remove 'var' in the entire code base
- Use logging component from portal-env
- Updated dependencies

* Updated dependencies

* Updated dependencies

* Adaption to breaking API change (items instead of direct array)

* Updated dependencies

* Updated dependencies

* Update to Kong 0.13.1

* Preserve calling host for swagger-ui API

* Updated dependencies

* Updated dependencies

* Updated dependencies

* Updated dependencies

* Upgrade to kong 14

* Migrate to using TypeScript to enable type hinting

* Take out the stupid "app" reference which was everywhere.

- No idea why I did it that way back then.

* Clean up commented code

* Minor incompatibility between legacy and wicked SDK implementation.

* Add wicked groups as additional scopes to each API.

* Extract and name all Kong actions

* Migrate to 0.13+ API of Kong, using routes and services

* Patching and deleting plugins must be done on /plugins for services

* Full typing of Kong Adapter code - allows refactoring now

- Bugfix: Getting by username does not work with query parameters -> returned entire list

* Don't use .total anymore, not always present

* Remove "total" property - not used anymore

* Add Prometheus global plugin always

* hide credentials flag propagation

* Patching an API plugin fixed (did not patch)

- Some better logging output ("Updating consumers" only when it actually happens)

* Propagate hide credentials flag

* Hide credentials flag

* Rework consumer syncing; now works like all other entities

- Portal and Kong consumers are retrieved individually
- And synced subsequently

* Update package-lock

* Use internal portal URL for swagger UI forwarding

* Make communication with Kong more robust ("make Kong behave")

* Also use redis for response-ratelimiting kong plugin

* Updated dependencies

* Updated dependencies

* Dockerfile contained the wrong port

* Updated dependencies

* Updated dependencies

* Experimental support for bundling APIs (common use of tokens).

* Kong expects CORS methods to be string array

* Ouch

* Resync APIs every five minutes to check for updated scopes

* Updated dependencies

* Update to Kong 0.14.1

* Updated dependencies

* Try to fix premature Kong Adapter exit

* Don't answer 500 if Kong or wicked are not available
- This would just trigger e.g. Kubernetes to restart the Kong Adapter
- This is usually not necessary; the thing will restart itself after a while

* Support refresh_token_ttl in kong oauth2 plugin config (#10)

* Redo refresh_token_ttl changes (were not working as intended)

* Fix error logging; fix tsc compiler error (@types/node version)

* Updated dependencies

* Part II of fix Haufe-Lexware/wicked.haufe.io#127

* Updated dependencies

* Fixes Haufe-Lexware/wicked.haufe.io#140

* Fixes Haufe-Lexware/wicked.haufe.io#148 - apply redis also to Plan rate limiting

* Removed package-lock.json

* Renaming of images (drop portal-)

* Corrected reverse build trigger

* Wrong base image for actual image, corrected.

* Enable building local docker images

* Fixes Haufe-Lexware/wicked.haufe.io#147

* Additional fixes for Haufe-Lexware/wicked.haufe.io#147

* Ignore build_date file

* Also ignore git_* files

* Bump to version 1.0.0-rc.1

* Remove versioning from portal-env.tgz

* Turn off caching when building docker image

* Bump to version 1.0.0-rc.2

* Endline

* Support for multiple redirectUris in the Kong Adapter

- Fixes parts of Haufe-Lexware/wicked.haufe.io#178

* Not used file; deleted

* Added link to Haufe-Lexware/wicked.haufe.io#180

* Bump to version 1.0.0-rc.3

* Bump to version 1.0.0-rc.4

* Update morgan to 1.9.1

* Took out typescript dependency (moved to devDeps)

* Update async and request

* Fix typescript version for build and dev

maksimlikharev pushed a commit to clarivate/wicked.api that referenced this issue Apr 15, 2019
* wip - preparation to run API via Kong

* Some minor adaptions, added registration pools (still not finished)

* Various changes to adapt for accessing via OAuth2.

* Monster check in: Refactor entire data access code into a DAO for JSON in preparation for the Postgres/Cassandra DAO; all unit tests pass again. Other adaptions for the portal using OAuth2, but not finished quite yet. Still missing: Moving authorization to scopes, taking out loading the user all the time, except where needed.

* Remove the outdated integration tests from this repository; they have been in a separate repo for a long time (wicked.portal-test).

* Finished first (almost) complete implementation of the Postgres DAO. All integration tests in wicked.portal-test actually pass now!

* Work in progress - minor fixes to user entities

* Bump version to 0.12.3

* Bump to 1.0.0 for this branch

* Ignore IntelliJ files for now

* Minor fixes of the approval feature which went bust during the merge

* Added missing implementation of delete webhook event

* Refactored core.sql ingest to add meta information by node code instead of SQL

* partner api flag (#11)

* introducing partner API flag filtering

* additional fix for partner api access check

* WIP - registrations API

* Bump to version 0.12.5

* Some rework on the webhooks - use Postgres notifications to speed up

* Some rework on webhook notifications - missing bits

* Updated dependencies

* VS Code launch configuration based on the wicked-sample-config

* Both JSON and Postgres environments

* Minor fix in error message

* Eliminate var --> const and let

* Fix faulty sync-to-async pattern; the callback must go OUTSIDE of the try-catch.

* Add a retry counter for connecting to Postgres

* Lint

* Also check for "Postgres starting up" error code, and retry subsequently

* Updated logging/debugging component to using winston (from portal-env)

* Draft implementation JSON DAO for Registrations

* Registration endpoints - JSON and generic implementation

* Refactor out 'var' from utils.js

* Added pools utilities and endpoints

* Validation logic for pool definitions

* Add scope verification for registration end points

* Draft implementation of the Grants entity (JSON DAO only until now)

* Minor fixes in the grants code (from tests)

* Suppress jshint warning for predicate

* Sanity check DAO implementation - parameter naming match

- Plus fixing some issues this showed...

* Postgres DAO for registrations

* Clean up comments

* Grants DAO implementation for Postgres

* Huge refactoring - enable OAuth2 scope checking over all end points

* Endpoint for creating machine users (backend admin users)

* Updated dependencies

* Added mandatory verification link to verification entity

* Sync defined auth methods for portal with the portal-api's apis.json

* Inject the authorize and token end points to the authMethod config if not present

* Also add email and customId to registration records

* Allow http:// for redirects if NODE_ENV contains 'local'

* Remove firstName and lastName from user --> registration

* Add a link to the "grants" endpoint

* Write offset/limit with API where necessary; update Swagger

- Add a "count" return value where arrays are returned
- Breaking API change - almost never are just arrays returned, but instead an object

* Add option no_cache to counting registrations; fixes a regression in the tests

* Filtering and ordering for the registrations endpoint

- This will also be applied to the applications endpoint

* Paging/filtering/sorting endpoint for applications; some refactorings

* Minor refactoring - move getDynamicDir() to JSON utils (it belongs there).

* Refactoring: Make DAO a class which can be instantiated multiple times if needed

* Refactoring - also PG now has a DAO class for encapsulation

* Some fixes for special queries (applications); filtering now working...
- also for "id" and "ownerEmail"/"ownerUserId"

* Migration of data to/from JSON and Postgres

- Minor refactorings to make migration easier
- Still hard coded source and target configuration for migration
- Docs and surrounding scripting still missing

* Changelog (#16)

* Added additional "application description" field

* Bug fix: Allow approvers to decline an approval request. Approver was getting "403" while declining an approval request

* bug fix

* Application description field changes

* Re-apply application description change

* Description field

* Review comments

* Re-apply changes after resolving merge conflicts

* Updated dependencies

* Postgres verification reconciliation implementation

* Principal election mechanism - only one instance should fire events

* Update dependencies

* Migration: When migrating legacy data, create registrations for wicked pool

- Minor refactorings regarding JSON metadata files
- Improve migrate CLI, can now write a sample config, plus takes config JSON file

* Swagger UI plugin upgrade

* Refactoring - move loading of auth servers to the utils.js file

* Add support for trusted subscriptions; addt'l approvals/:id endpoint

* Initialize initial users with lower case email addresses

* Update Swagger spec for upcoming changes

* Change behaviour due to changed specs of pools

* Refactoring of registrations/namespaces

- Add entity "namespaces"
- Allow multiple registrations per pool (one per namespace)

* Minor fixes to namespaces DAO for postgres

* Remove authServers from portal-api apis.json entry; not needed

* Improvements for Swagger UI; Implicit Grant and Auth Code work now

- For some reason, client_credentials flow does *not*

* Recreate swagger.json from YAML files at startup

* First adaptions to scopes for OAuth2 APIs

* Updated dependencies

* Handle Open API 3.0 specifications in swagger

* Add a built in echo server for testing purposes

* Refactored the swagger related helper methods to swagger-utils file to remove clutter from apis.js file

* Minor fixes to Swagger found during SDK creation

* Updated dependencies

* Document passthrough* properties of APIs

* Migration: Add ID for approvals if not present.

* Permission fix in docker case

* Added debug message for already present file list

* Updated dependencies

* Remove group scope injection from the API, this is done in the Kong Adapter

* Echo Server: Support listening to a different port than 3009

- Needed for integration testing locally

* Canonicalize URLs for upstream URLs for APIs

* Some minor bugfixes

- Make sure ordering of webhook events remains the same
- Use users.loadUser when performing roles checking

* Retry connecting to PG in case of unexpected termination

* Restructure PG init and make it more robust (hopefully)

* Update to pg 7.4.3 (latest version)

* Take out explicit owner of things; use the logged in user

* Take out disturbing collate calls

* Add error checking after creating initial schema.

* Add support for creating users with pre-hashed passwords

* Support checking meteor style password hashes as well

* Updated dependencies

* Map prefix "internal" correctly when migrating

* Some additional information on the Echo API.

* Nicer description of the Portal API.

* Add support for patching user passwords with pre-hashed passwords

* Allow "passwords" >24 chars if already hashed

* Fix for rewriting meteor style passwords (sent answers twice).

* Add basic prometheus metrics

* Track open connect Ids

* Tweaking of Postgres to prevent deadlocks with full connection pools

* Change how authenticated user id is expected (using sub=<user id>).

* Lower number of connections to Postgres (Azure cannot take it)

* Enable custom database name for wicked database

Fixes Haufe-Lexware/wicked.haufe.io#118 (API part)

* Support for external API scopes

* Error handling and Postgres metrics for Prometheus

* Log errors if getting swagger from remote fails

* Make OpenAPI Authorization injection more robust

* Fixing some minor bugs with OpenAPI 3 support, make it more robust

- Additionally support multiple request URIs

* Support for templated CSS files

* Use pluggable and configurable password validation mechanism

* Support storing "must change password"

* Added some debug messages

* Be somewhat less restrictive regarding redirect URIs (allow custom scheme)

* Allow requiring a user group to access echo and portal-api APIs

* If Swagger didn't contain securityDefinitions, the swagger endpoint crashed

* Fixes Haufe-Lexware/wicked.haufe.io#121

- Regression from feature "custom wicked database"

* Enable the PgDao to be instantiated twice (for migrations).

* Remove health API, move portal-api to /wicked and echo to /wicked-echo

* Rule out invalid email addresses when creating a user

* Updated dependencies

* Missing feature: Drop database always dropped "wicked", not the specified one.

* Updated dependencies

* variable substitution for the migration (#17)

* Preparations for Haufe-Lexware/wicked.haufe.io#138

- Support for allowedScopesMode and allowedScopes on subscriptions
- Minor refactorings

* Approval ability to read applications/subscriptions (#18)

* variable substitution for the migration

* allow approver to read applications

* modifying subscriptions as well

* Forgotten bug fix check in

* Ability to paginated subscriptions for administrators and approvers

* Tab to space

* Remove old bash tests script

* Test to see whether commits are linked to my account again

* Remove package-lock.json

* Don't return a 500 for certain things in JSON mode, return 501 instead.

* Rename images (drop portal-).

* More adaptions to image renaming.

* Correct upstream project

* Simple script for development purposes

* Pass back the NODE_ENV in the globals.

* Clean up some superfluous logging to console

* Fixes Haufe-Lexware/wicked.haufe.io#146 (hopefully)

* Fix flaky integration tests (mostly on Jenkins)

- Don't send the result of the add subscription until also the approval has been persisted

* Support a more granular client type (not only confidential/public)

- API Implementation of Haufe-Lexware/wicked.haufe.io#159

* Enable /kill for admins; needed to reload the configuration

* Debug messages; restart_api scope added

* Persist current config hash in Metadata,
Check every 15 seconds for updated hashes (from secondary apis instances)

* If kongProxyUrl is set, use that instead of external URL

* Ignore build_date file

* Bump to version 1.0.0-rc.1

* Remove versioning from portal-env.tgz

* Enable local builds; use su-exec instead of gosu on Alpine

* Turn off docker build caching

* Bump to version 1.0.0-rc.2

* Try out SonarQube

* More sonar testing

* Added sonar project properties file

* Ignore SonarQube if not on branch "next"

* Typo

* Declarative Pipeline with docker agent

* I love Jenkins

* I crave fixing Jenkinsfile problems

* This looks wrong, Jenkins. Why do your docs suck so much?

* Let's persuade Jenkins to use root

* Fix SonarQube "bugs"

* Take out root:root; use the right user

* Hello Jenkins, my old friend.
I've come to fight with you again.

* One more try to convince Jenkins to do the right thing.

* Try out --group-add instead of -u

* WTF

* Don't run build script as root + fixing of temp files belonging to root

* Temporarily run as root to fix permissions...

* Final(?) version of build scripts

* ESLint round 1 - let/const/var

* ESLint pass 2: No single line for/if statements (force curly)

* ESLint part 2b, forgot some files (curly if)

* SonarQube BLOCKERS

* SonarQube fixes of Blocker/Critical topics

* Support in the API for multiple redirect_uris

- Part of Haufe-Lexware/wicked.haufe.io#178

* Filter out empty redirectUris from array

* Type check redirectUri; fixes crash if passed in array

* Fixes Haufe-Lexware/wicked.haufe.io#186

* Bump to version 1.0.0-rc.3

* Bump to version 1.0.0-rc.4

* Update morgan to 1.9.1

* Fixes Haufe-Lexware/wicked.haufe.io#190

- Does not take the .git repo into account when hashing the static config

* Fixes Haufe-Lexware/wicked.haufe.io#191

* crlf fix

* Fixed issue Haufe-Lexware/wicked.haufe.io#177 (#21)

* Fixed issue Haufe-Lexware/wicked.haufe.io#177

* Fixed issue Haufe-Lexware/wicked.haufe.io#179

* Haufe-Lexware/wicked.haufe.io#176 (#20)

* Initial DB layer for Audit Report

* Initial commit for Audit Report

* Optional addition field for subscription API

* Using inner join to filter out internal api subscriptions

* Added status column

* Return userid of the owners

* Schema change

* Fix conflict issue

* Partial review comments implemented

* More review comments implementation

* Only run the populate the api group in step number 3

* Swagger signatures for /subscriptions api

* Minor fixes and linting

* Update async and request

* Minor nit pick on a special error message

* Fixes Haufe-Lexware/wicked.haufe.io#190

maksimlikharev pushed a commit to clarivate/wicked.auth that referenced this issue Apr 15, 2019
* Refactor out build to separate script

* Add a /ping endpoint (for health checks)

* Ease up strictness of redirect_uri checking slightly

* Use updated redirect_uri function

* Kong does not accept null scopes, fix for TypeScript

* Stringifying recursive structures is not a good idea

* Inject client_secret in special cases (password grant)

* Now the client_secret thing should be correct

* Refactoring of pool properties to an array

* Adaptions to registrations refactoring

* Bugfix: Check for trustUsers configuration oauth2 auth methods

* Disallow signup/registration and namespace handling

* Updated dependencies

* If client_id/client_secret aren't passed in, check Basic Auth for id/secret

* Updated dependencies

* Working SAML identity provider implementation

* Remove wicked-types (these are in the wicked sdk); use wicked-sdk as TypeScript

* Update all API calls to wicked to use the node SDK instead

* Remove some dedicated Callback types; not finished yet

* Move OidcProfile to wicked SDK

* PassthroughScope resolution via external service

* Disallow -> disable

* Updated dependencies

* Add namespace and registration handling for the password grant.

* Use = instead of : for separating keys and values

* Add user groups as scopes to access tokens

- Also fix refresh_token for passthrough APIs (to enable scope changes).

* Fixed broken group mapping for ADFS/OAuth2

* Move to services+routes for Kong

* Updated dependencies

* Don't use ".total" for routes, it's not returned

* For simplified integration testing, allow JSON rendering (with env var)

* Corner case fixes; integration testing made easier

- Check for invalid sessions

* Minor fixes of bugs in error handling

- Mostly popped up during writing of integration tests
- Some adaptions to the OAuth2 RFC (Response codes)

* Answer health check both on /auth/ping and /ping

* Take out implicit style and add a class

* Ad-hoc localization to German (specify LANGUAGE env var)

* Display app name with login screen (and some others)

- Prepare using a custom URL for the top logo

* Check on build that translations are correct

* Add some space between log in and links

* Updated dependencies

* Updated dependencies

* Updated dependencies

* Add basic prometheus metrics

* Change how authenticated_userid is created (adding namespace and sub=).

* Also add namespace to back redirect for authorize endpoint (both flows)

* Updated dependencies

* Make getting a scope from an external URL more robust (retry logic)

* Bugfix (for refresh token); the auth server always creates a user id with sub=

* Don't rely on service_id in token data (not available for shared_credentials)

- Instead use credential_id, which is always present

* Move metrics and ping to after prometheus middleware

* Bug fix: Go back to "log in" from "sign up" form didn't work

* Use specified password validation strategy (and pluggable regex)

* Some CSRF security changes; support for "must change password".

* Prepare to force password change on resource owner password grant

* Support PKCE for Auth Code Grant and Public clients

* Verify length of code_verifier (has to have specific length)

* Improved email regex when creating a user

* Updated dependencies

* Fixes Haufe-Lexware/wicked.haufe.io#124

- Answer to IdP initiated logout request (logout responses)
- Enable initiating SSO logout requests

* Better error message when sso_logout_url is missing

* Part I of fix Haufe-Lexware/wicked.haufe.io#127

* Implementation Haufe-Lexware/wicked.haufe.io#128

- Auth method type "external"
- Large refactorings to partly use async/await; which substantially simplifies the code
- wicked node SDK also supports Promises now

* Slight fix for non-passthrough user and external IDP

- Don't ask IdP for refresh token if the user is federated to wicked, it wouldn't be able to answer anyway.

* Allow APIs with passthrough Scopes to use Resource Owner Password Grant

* Fixes at least parts of Haufe-Lexware/wicked.haufe.io#135

- By passing in "renderSignup" to setTimeout as a function, "this" was lost

* Fixes Haufe-Lexware/wicked.haufe.io#137

* Basic scope restriction logic, Haufe-Lexware/wicked.haufe.io#138

* Fixes Haufe-Lexware/wicked.haufe.io#142

- Check for defaultGroups also on subsequent logins
- Remove unused code

* Fixes Haufe-Lexware/wicked.haufe.io#143

* Fixes Haufe-Lexware/wicked.haufe.io#131

* Fix a potential IE11 caching problem

* Fixes Haufe-Lexware/wicked.haufe.io#130

- More elaborate scope checking with refresh tokens

* Removed package-lock.json

* Actually output some debug information on the redis connection

* Renaming images (drop portal-)

* Corrected reverse build trigger

* Updated bootstrap to 3.4.0

* Wrong base image for actual image, corrected.

* Force authentication with SAML in case prompt=login is supplied

* Copy/Paste mistake fixed when instantiating Logger

* Check for sso_logout_url on identityProvider, not on serviceProvider (bug)

* Registration validation was not working properly

* For security reasons, take out refresh token for...

- Authorization Code Grant, in combination with
- Public clients

* Add build information to /ping status for Auth Server

* Enable local docker builds of auth server; enable git info in image

* Check for more specific type of client

- Actual implementation of Haufe-Lexware/wicked.haufe.io#159

* Default to using the defined internal Kong proxy port, if defined

- otherwise, fall back to external API host (as before)

* Remove unused package ldapjs

* Ignore build_date file

* Ignore git_* files

* Bump to version 1.0.0-rc.1

* Remove versioning from portal-env.tgz

* Turn off build caching

* Bump to version 1.0.0-rc.2

* Endline

* Support multiple redirectUris in the auth server

- Fixes parts of Haufe-Lexware/wicked.haufe.io#178

* Issue prompt=none errors as redirects, not as JSON

* Support OIDC type userinfo endpoints for profile

* Neater layout of login page. According to me.

* Support prefilling username for login screen

- Add autofocus for login screen; looks nicer

* Support forgotten password URLs for external auth method

* Text tweaks

* Ahem.

* Bump to version 1.0.0-rc.3

* Bump to version 1.0.0-rc.4

* Update morgan to 1.9.1

* Add typescript devDependency

* Update bootstrap

* Update async and request

* Fixes Haufe-Lexware/wicked.haufe.io#188

* Fix typescript version for build and dev
maksimlikharev pushed a commit to clarivate/wicked.auth that referenced this issue Apr 18, 2019
* Refactor out build to separate script

* Add a /ping endpoint (for health checks)

* Ease up strictness of redirect_uri checking slightly

* Use updated redirect_uri function

* Kong does not accept null scopes, fix for TypeScript

* Stringifying recursive structures is not a good idea

* Inject client_secret in special cases (password grant)

* Now the client_secret thing should be correct

* Refactoring of pool properties to an array

* Adaptions to registrations refactoring

* Bugfix: Check for trustUsers configuration oauth2 auth methods

* Disallow signup/registration and namespace handling

* Updated dependencies

* If client_id/client_secret aren't passed in, check Basic Auth for id/secret

* Updated dependencies

* Working SAML identity provider implementation

* Remove wicked-types (these are in the wicked sdk); use wicked-sdk as TypeScript

* Update all API calls to wicked to use the node SDK instead

* Remove some dedicated Callback types; not finished yet

* Move OidcProfile to wicked SDK

* PassthroughScope resolution via external service

* Disallow -> disable

* Updated dependencies

* Add namespace and registration handling for the password grant.

* Use = instead of : for separating keys and values

* Add user groups as scopes to access tokens

- Also fix refresh_token for passthrough APIs (to enable scope changes).

* Fixed broken group mapping for ADFS/OAuth2

* Move to services+routes for Kong

* Updated dependencies

* Don't use ".total" for routes, it's not returned

* For simplified integration testing, allow JSON rendering (with env var)

* Corner case fixes; integration testing made easier

- Check for invalid sessions

* Minor fixes of bugs in error handling

- Mostly popped up during writing of integration tests
- Some adaptions to the OAuth2 RFC (Response codes)

* Answer health check both on /auth/ping and /ping

* Take out implicit style and add a class

* Ad-hoc localization to German (specify LANGUAGE env var)

* Display app name with login screen (and some others)

- Prepare using a custom URL for the top logo

* Check on build that translations are correct

* Add some space between log in and links

* Updated dependencies

* Updated dependencies

* Updated dependencies

* Add basic prometheus metrics

* Change how authenticated_userid is created (adding namespace and sub=).

* Also add namespace to back redirect for authorize endpoint (both flows)

* Updated dependencies

* Make getting a scope from an external URL more robust (retry logic)

* Bugfix (for refresh token); the auth server always creates a user id with sub=

* Don't rely on service_id in token data (not available for shared_credentials)

- Instead use credential_id, which is always present

* Move metrics and ping to after prometheus middleware

* Bug fix: Go back to "log in" from "sign up" form didn't work

* Use specified password validation strategy (and pluggable regex)

* Some CSRF security changes; support for "must change password".

* Prepare to force password change on resource owner password grant

* Support PKCE for Auth Code Grant and Public clients

* Verify length of code_verifier (has to have specific length)

* Improved email regex when creating a user

* Updated dependencies

* Fixes Haufe-Lexware/wicked.haufe.io#124

- Answer to IdP initiated logout request (logout responses)
- Enable initiating SSO logout requests

* Better error message when sso_logout_url is missing

* Part I of fix Haufe-Lexware/wicked.haufe.io#127

* Implementation Haufe-Lexware/wicked.haufe.io#128

- Auth method type "external"
- Large refactorings to partly use async/await, which substantially simplifies the code
- wicked node SDK also supports Promises now

* Slight fix for non-passthrough user and external IDP

- Don't ask IdP for refresh token if the user is federated to wicked; it wouldn't be able to answer anyway.

* Allow APIs with passthrough Scopes to use Resource Owner Password Grant

* Fixes at least parts of Haufe-Lexware/wicked.haufe.io#135

- By passing in "renderSignup" to setTimeout as a function, "this" was lost

* Fixes Haufe-Lexware/wicked.haufe.io#137

* Basic scope restriction logic, Haufe-Lexware/wicked.haufe.io#138

* Fixes Haufe-Lexware/wicked.haufe.io#142

- Check for defaultGroups also on subsequent logins
- Remove unused code

* Fixes Haufe-Lexware/wicked.haufe.io#143

* Fixes Haufe-Lexware/wicked.haufe.io#131

* Fix a potential IE11 caching problem

* Fixes Haufe-Lexware/wicked.haufe.io#130

- More elaborate scope checking with refresh tokens

* Removed package-lock.json

* Actually output some debug information on the redis connection

* Renaming images (drop portal-)

* Corrected reverse build trigger

* Updated bootstrap to 3.4.0

* Wrong base image for actual image, corrected.

* Force authentication with SAML in case prompt=login is supplied

* Copy/Paste mistake fixed when instantiating Logger

* Check for sso_logout_url on identityProvider, not on serviceProvider (bug)

* Registration validation was not working properly

* For security reasons, take out refresh token for...

- Authorization Code Grant, in combination with
- Public clients

* Add build information to /ping status for Auth Server

* Enable local docker builds of auth server; enable git info in image

* Check for more specific type of client

- Actual implementation of Haufe-Lexware/wicked.haufe.io#159

* Default to using the defined internal Kong proxy port, if defined

- otherwise, fall back to external API host (as before)

* Remove unused package ldapjs

* Ignore build_date file

* Ignore git_* files

* Bump to version 1.0.0-rc.1

* Remove versioning from portal-env.tgz

* Turn off build caching

* Bump to version 1.0.0-rc.2

* Endline

* Support multiple redirectUris in the auth server

- Fixes parts of Haufe-Lexware/wicked.haufe.io#178

* Issue prompt=none errors as redirects, not as JSON

* Support OIDC type userinfo endpoints for profile

* Neater layout of login page. According to me.

* Support prefilling username for login screen

- Add autofocus for login screen; looks nicer

* Support forgotten password URLs for external auth method

* Text tweaks

* Ahem.

* Bump to version 1.0.0-rc.3

* Bump to version 1.0.0-rc.4

* Update morgan to 1.9.1

* Add typescript devDependency

* Update bootstrap

* Update async and request

* Fixes Haufe-Lexware/wicked.haufe.io#188

* Fix typescript version for build and dev