Commit Graph

55 Commits

Author SHA1 Message Date
Benjamin Dauvergne e57fea6e5c misc: add Secure flag to cookies (#90240)
It is required by the SameSite=None flag.

   https://developer.mozilla.org/fr/docs/Web/HTTP/Headers/Set-Cookie#samesitesamesite-value
2024-05-02 10:29:44 +02:00
Benjamin Dauvergne 51ee9d8cac views: show message when logout is refused (#85904)
2024-01-22 10:41:23 +01:00
Benjamin Dauvergne 200e009b1e middleware: use sec-fetch-dest=document to identify page requests (#84104)
2024-01-16 12:22:24 +01:00
Benjamin Dauvergne c98d4629ec middleware: check ajax request with sec-fetch-mode header (#81211)
2023-09-14 16:41:22 +02:00
Benjamin Dauvergne 170e728d3a misc: allow login_hint parameter in login url (#76712)
2023-04-17 15:27:37 +02:00
Benjamin Dauvergne cce77e82e5 adapters: update new UserSAMLIdentifier fields on each SSO (#69955)
On existing UserSAMLIdentifier records, missing values (for nid_format
especially) will break the SLO code, as the emitted LogoutRequest will have an
unknown NameID when analyzed by the identity provider (NameID content
and attributes must match exactly).
2022-10-06 16:21:17 +02:00
Benjamin Dauvergne 45f81514bc misc: clean SessionIndex during logout (#69740)
SessionIndex entries are deleted when the linked session does not exist anymore
and 5 minutes after the creation of the logout request.
2022-10-05 19:53:07 +02:00
Benjamin Dauvergne f335a403c1 views: implement a sessionless logout endpoint (#69740)
To implement SAML single logout in authentic we need a logout endpoint
which works even after the user session has been killed. To do that we
store the needed information in a Django signed token, and use it to
initiate the logout request. Afterward the next_url is stored in a
short-lived session cookie instead of the session.
2022-10-05 17:23:51 +02:00
Benjamin Dauvergne 218afde9cd misc: make logout work with transient NameID (#69740)
Implementation of transient NameID is special: the transient NameID is
ignored and an attribute value is used as the federation key. But in
order to produce a proper NameID for the logout request we need the
transient NameID value. To work around this problem we add a
transient_name_id attribute to the SessionIndex model representing the
current SSO session, and we modify the session dump template to use this
value instead of UserSAMLIdentifier.name_id if transient_name_id is not
None.
2022-10-05 17:23:51 +02:00
Benjamin Dauvergne 7f9602c528 utils: add method to build a session dump from models (#69740)
Storing the LassoSession dump in the Django session is no longer needed;
we can rebuild it from the information in the models.
2022-10-05 17:23:51 +02:00
Benjamin Dauvergne e98308d45c views: allow overriding the default return url after logout (#69740) 2022-10-05 17:23:50 +02:00
Benjamin Dauvergne 86d3cad3b8 views: improve handling of next_url for sp initiated logout (#69740) 2022-10-05 17:23:20 +02:00
Valentin Deniaud a7a3582c97 views: show debug login view on lasso exception (#68962) 2022-09-14 13:53:49 +02:00
Benjamin Dauvergne 437d1a3063 middleware: clear PASSIVE_TRIED_COOKIE when logged in (#67084) 2022-07-06 16:11:39 +02:00
Paul Marillonnet 1fa1541c02 views: use MELLON_OPENED_SESSION to anchor local session to the global session (#66747)
If the MELLON_OPENED_SESSION cookie changes or disappears during an opened
session, the user is automatically logged out. If it changes after a
previous passive login try, passive login is allowed again.
2022-06-29 11:14:05 +02:00
Paul Marillonnet dedd924f99 use force_str only when necessary (#64309) 2022-04-20 09:54:54 +02:00
Benjamin Dauvergne 7c9ca09de7 misc: remove six module usage (#63688) 2022-04-08 10:14:54 +02:00
Benjamin Dauvergne 947c355baf views: keep next_url through sp logout (#61431)
* first, create relaystate before build logout.msgUrl
* second, retrieve it in sp_logout_response
2022-02-04 13:00:55 +01:00
Benjamin Dauvergne be1e50e826 views: log SAML response and assertion in debug view (#58915) 2021-11-23 19:21:23 +01:00
Benjamin Dauvergne 4729ef9a3b apply isort and pyupgrade (#55990) 2021-08-05 11:13:19 +02:00
Benjamin Dauvergne 2704f4feaa views: keep a nonce during a forceAuthn request (#55953)
The nonce value and forceAuthn are linked to the request id, which is randomly
generated by lasso and returned by IdPs as part of a SAML SSO.
2021-08-03 17:20:49 +02:00
Valentin Deniaud dbdd6fd70b views: add debug login view (#55557) 2021-08-03 11:59:17 +02:00
Benjamin Dauvergne 74e6f5a93d middleware: disable automatic passive authentication if ?no-passive-auth (#55854)
You can add ?no-passive-auth to a URL to disable passive authentication based on
an IdP-set common domain cookie.
2021-07-27 12:04:24 +02:00
Benjamin Dauvergne 5b9bc1ff57 trivial: apply black (#51575) 2021-03-02 14:52:10 +01:00
Lauréline Guérin 7cd78e96ab views: fix logout if user is already logged out (#50155) 2021-01-15 10:51:51 +01:00
Valentin Deniaud bdbc251291 views: handle empty session at authentication (#45461) 2020-07-28 09:33:12 +02:00
Benjamin Dauvergne e1deb96f8c tests: clear caplog between sessions (#41949) 2020-06-21 13:13:57 +02:00
Benjamin Dauvergne 482aa09f92 misc: add support for SOAP SLO (#41949) 2020-06-21 13:13:57 +02:00
Benjamin Dauvergne 65cbdcefc3 misc: support asynchronous logout (#41949)
It means that it will look up other Django sessions linked to the
received logout request; a logout request can specify session indexes or
ask for logout of all sessions of the user targeted by the NameID.
2020-06-21 13:13:57 +02:00
Benjamin Dauvergne c05f4a3129 views: ignore XML content in SAML attributes (#43193) 2020-05-21 21:04:51 +02:00
Frédéric Péters 74230b51ec general: remove compatibility with django < 1.11 (#38616) 2020-01-29 20:33:02 +01:00
Frédéric Péters 7802e85d52 misc: allow all views to receive template_base/context_hook kwargs (#38610) 2019-12-18 09:39:48 +01:00
Frédéric Péters b1b85cf0d2 add possibility to define a hook to alter login template context (#38533) 2019-12-16 14:22:18 +01:00
Benjamin Dauvergne 09c32c83d5 misc: make login_hint work without next parameter (#38163) 2019-12-03 19:53:37 +01:00
Benjamin Dauvergne 63c7cdc151 tests: fix passive authentication tests (#30497)
Passive authentication only works for text/html requests by browsers
now.
2019-12-03 19:11:04 +01:00
Benjamin Dauvergne d5e5701899 add kwargs template_base to LoginView (#35083) 2019-12-02 17:47:13 +01:00
Benjamin Dauvergne 7095b1368b use MiddlewareMixin on middleware (#36509)
Remove OPENED_SESSION_COOKIE_DOMAIN which has no use.
2019-10-04 17:45:25 +02:00
Benjamin Dauvergne 83abc78605 factorize compatibility layer (#36509) 2019-10-04 17:45:25 +02:00
Frédéric Péters 389e6d790b tests: update for compatibility with django 2.2 (#36330) 2019-09-22 10:10:15 +02:00
Benjamin Dauvergne ab92ca9a07 use unicode_literals (#34008) 2019-07-02 17:44:03 +02:00
Benjamin Dauvergne 83a09d874e code style (#10196) 2019-06-18 00:53:01 +02:00
Benjamin Dauvergne 968aa07faf really retrieve XML encoding (#10196) 2019-06-18 00:53:01 +02:00
Benjamin Dauvergne e1fa70d28d add setting MELLON_SIGNATURE_METHOD (#32008)
It defaults to RSA-SHA256, as RSA-SHA1, which is the default in Lasso, is
deprecated.
2019-04-19 11:09:11 +02:00
Benjamin Dauvergne c5da4db69c tests: use RSA-SHA256 certificates (fixes #31963) 2019-04-03 12:41:32 +02:00
Benjamin Dauvergne b640f5b334 tests: test failed request path with artifact (#31690) 2019-03-25 15:24:13 +01:00
Benjamin Dauvergne b3e1b9c533 views: add new setting LOGIN_HINTS (fixes #30966)
You can set MELLON_LOGIN_HINTS = ['backoffice'] to get a node
eo:login-hint set to "backoffice" in AuthnRequest when next_url for the
login view is among /manage/, /admin/ or /manager/.

Another value is 'always_backoffice', which always sets the 'backoffice'
login_hint.
2019-03-07 23:12:56 +01:00
Benjamin Dauvergne f2e05b84ae prevent redirection loop on artifact resolution errors (fixes #14810)
The signature of method sso_failure() is changed to match the name of
the context variable in template mellon/authentication_failed.html
(idp_message => reason).
2019-03-02 16:42:46 +01:00
Benjamin Dauvergne d4d0b85944 use good API from lasso to set Extensions node content (#23003)
- use extensions.any tuple to set the content of the Extensions node
- add tests for the presence of the eo:next_url node when
  ADD_AUTHNREQUEST_NEXT_URL_EXTENSION is used
- add tests for next_url propagation through the RelayState value
2018-06-06 11:05:59 +02:00
Frédéric Péters 8252e948e7 tests: adapt to python 3 2018-04-05 14:38:49 +02:00
Benjamin Dauvergne 6c528dd2c3 Revert "support federation file loading (#19396)"
This reverts commit 63993e360c.
2018-01-09 21:43:25 +01:00