Stavros
5aeb886523
Merge branch 'main' into single-cookie-domain
2026-05-07 15:50:55 +03:00
Stavros
1382ab41e7
refactor: rework user context handling throughout tinyauth (#829)
* wip
* fix: fix util imports
* fix: fix bootstrap import issues
* fix: fix cli imports
* fix: context controller
* fix: use new context in user controller
* fix: fix imports and context in proxy controller
* fix: fix oauth and oidc controller imports and context
* feat: finalize context functionality
* refactor: simplify acls checking logic by passing the entire acl struct
* chore: rename get basic auth to encode basic auth for clarity
* fix: fix controller tests
* tests: fix service tests
* tests: fix utils tests
* tests: move to testify for testing in utils
* fix: fix config reference generator
* tests: add tests for context parsing
* tests: add tests for context middleware
* tests: remove error wrapper from context tests
* tests: fix log wrapper tests
* fix: fix version setting in cd and dockerfiles
* fix: review comments batch 1
* fix: review comments batch 2
* fix: review comments batch 3
* fix: delete totp pending session cookie on totp success
* tests: fix user controller tests
* fix: don't audit login too early
* fix: own comments
2026-05-07 15:41:07 +03:00
Stavros
b06b60150f
Merge branch 'main' into single-cookie-domain
2026-05-04 15:59:22 +03:00
Contre
956d2f55c3
feat(access-control): Add support for Kubernetes Label (#627)
* feat(access-control): Add support for Kubernetes Label
* feat(access-control): Defaults to Docker
* feat(access-control): Remove kubeconfig fallback
* feat(watcher): Watcher for kubernetes service
* feat(watcher): Merge with main + remove nightly fix redirect
* fix(go): Go mod + Go sum after sync with main
* fix(config): Set default value for LabelProvider to Docker
* feat(go): go mod tidy
* feat(k8s_service): Remove logic for deprecated Ingress k8s v1.22
* feat(k8s_service): (Watcher) -> Wait 5s before breaking to outer loop again
* feat(k8s_service): Remove logic for deprecated Ingress k8s v1.22
* feat(k8s_service): Remove logic for deprecated Ingress k8s v1.22
* feat(k8s_service): Remove logic for deprecated Ingress k8s v1.22
* feat(k8s_service): Remove var _ = unstructured.Unstructured{} + comments + msg edits
* feat(bootstrap): Remove dockerService from bootstrap svc
* feat(auth_svc): Remove dockerService from authservice
* feat(test): Add tests for kubernetes_services
* feat(test): Remove docker service from proxy/user test
* fix(refactor): Remove update logic from watcher and resync
* fix(refactor): Split watchGVR to make it more readable
* fix(refactor): Remove discovery + drop K 1.22 completely
* fix(refactor): Move interface to acess_controls_service
* feat: Autodetect labelprovider if TINYAUTH_LABELPROVIDER not set
* fix(test): Match testing scheme to the controllers
* fix: service bootstrap import after merge
* fix: service bootstrap import after merge
2026-04-29 16:16:21 +03:00
Stavros
5e822d99e1
chore: fix typos in oidc service
2026-04-29 16:08:21 +03:00
Stavros
373ee8806e
chore: prefer errors.is instead of comparison
2026-04-29 16:04:27 +03:00
Stavros
4077bacfdf
chore: rabbit feedback
2026-04-29 16:00:59 +03:00
Stavros
a14d64c8ba
chore: remove exp slices package and use stdlib
2026-04-29 15:56:35 +03:00
Stavros
4c0181c5e2
Merge branch 'main' into single-cookie-domain
2026-04-29 15:50:52 +03:00
Stavros
44a7cbf41b
fix: inform services and controllers if subdomain cookie domain is enabled
2026-04-29 15:49:45 +03:00
Scott McKendry
5d95123dcb
feat(oidc): support for all in-spec attributes and scopes (#777)
* feat(oidc): support for all in-spec attributes and scopes
* add tests
* assert phone/email verified when either is set
* update tests
* add claims back to userinfo
* remove redundant column drop in migration
* fix duplicate migration id
* fix clobbered imports post-rebase
2026-04-27 19:25:52 +03:00
Ryc O'Chet
f3186571cc
Organisation update, steveiliop56 to tinyauthapp (#793)
* infrastructure and docs
* code
* fix issue templates
* chore: fix scoreboard url
* chore: remove migration warning
* chore: fix readme docs link
---------
Co-authored-by: Stavros <steveiliop56@gmail.com>
2026-04-26 17:13:53 +03:00
Jacek Kowalski
d90e3d652d
Add TINYAUTH_AUTH_SUBDOMAINSENABLED option
Setting it to false allows to use Tinyauth on top-level domain only,
but forbids automatic cross-app authentication using Traefik/Nginx.
2026-04-19 22:17:10 +02:00
Stavros
479f165781
fix: fail app on empty app url before parsing
2026-04-16 12:44:24 +03:00
Stavros
f257d00648
fix: use fmt println to show warning regardless of log level
2026-04-14 13:43:24 +03:00
Stavros
9f77816a1d
feat: add organization migration note
2026-04-14 13:26:55 +03:00
Stavros
93d6191139
fix: lighthouse fixes
2026-04-14 13:16:15 +03:00
Stavros
6f99e7acff
fix: revoke access token on duplicate auth code user (#786)
* fix: revoke access token on duplicate auth code user
* fix: review comments
* tests: fix tests
2026-04-14 12:45:27 +03:00
Scott McKendry
18c8413ea3
feat: support unsigned oidc request objects (#785)
2026-04-12 19:19:47 +03:00
Stavros
cc94294ece
feat: add x-tinyauth-location to nginx response (#783)
* feat: add x-tinyauth-location to nginx response
Solves #773. Normally you let Nginx handle the login URL creation but with this "hack"
we can set an arbitrary header with where Tinyauth wants the user to go to. Later the
Nginx error page can get this header and redirect accordingly.
* tests: fix assert.Equal order
2026-04-11 18:04:56 +03:00
Stavros
b44dc75f54
fix: return 307 redirects for envoy proxy instead of 401 (#782)
* fix: return 307 redirects for envoy proxy instead of 401
* tests: extend testing for non browser detection in all proxies
2026-04-10 18:11:10 +03:00
Stavros
061d28f5e3
refactor: use tinyauthapp/paerser instead of traefik/paerser (#781)
* refactor: use own paerser library instead of traefik
* chore: remove submodules from release images and workflows
2026-04-10 17:36:13 +03:00
Stavros
2c1b62f464
feat: preserve oidc params in oauth flow (#772)
2026-04-10 15:58:31 +03:00
Scott McKendry
646e24d98c
feat(oidc): support access token in body for user info post (#769)
2026-04-08 09:54:54 +01:00
Scott McKendry
0d286d1864
feat(oidc): add post route for /userinfo (#767)
easy two-liner to pass `oidcc-userinfo-post-header` test in conformance
suite.
2026-04-07 23:28:38 +01:00
Stavros
165197e472
feat: add pkce support to oidc server (#766)
* feat: add pkce support to oidc server
* tests: add test cases for pkce
* fix: review comments
* chore: remove debug line
* chore: remove simple logger from testing
* tests: add test for invalid challenge method
* chore: fix typo
2026-04-07 19:04:20 +03:00
Stavros
3373dcc412
test: extend traefik browser tests
2026-04-02 18:46:38 +03:00
Stavros
9d666dc108
fix: skip browser detection for nginx and envoy
2026-04-02 18:24:38 +03:00
Stavros
892097dc4d
fix: account for proxy type in browser response
2026-04-02 15:35:55 +03:00
Stavros
fc1d4f2082
refactor: use better ignore paths in context middleware (#743)
2026-04-01 17:07:14 +03:00
Stavros
da247f8552
fix: handle oauth provider id mismatch correctly
2026-03-30 23:02:20 +03:00
Stavros
5811218dbf
refactor: tests (#731)
* tests: rework tests for context controller
* tests: add tests for health controller
* tests: add tests for oidc controller
* tests: use testify assert in context and health controller
* tests: add tests for user controller
* tests: add tests for resources controller
* tests: add well known controller tests
* test: add proxy controller tests
* chore: review comments
* chore: more review comments
* chore: cancel lockdown in testing
* tests: fix get cookie domain tests
* chore: add comment for testing passwords
2026-03-30 15:31:34 +03:00
Stavros
f65df872f0
refactor: allow root domain app urls for testing
2026-03-29 20:27:09 +03:00
Stavros
d3cda06a75
feat: add lockdown mode on multiple login attempts (#727)
* feat: add lockdown mode on multiple login attempts
* fix: review comments
* fix: fix typo
2026-03-28 20:35:49 +02:00
Stavros
f26c217161
refactor: oauth flow (#726)
* wip
* feat: add oauth session impl in auth service
* feat: move oauth logic into auth service and handle multiple sessions
* tests: fix tests
* fix: review comments
* fix: prevent ddos attacks in oauth rate limit
2026-03-22 21:03:32 +02:00
Stavros
dc3fa58d21
refactor: refactor proxy controller to handle proxy auth modules better (#714)
* wip
* fix: add extauthz to friendly error messages
* refactor: better module handling per proxy
* fix: get envoy host from the gin request
* tests: rework tests for proxy controller
* fix: review comments
2026-03-14 19:56:15 +02:00
Stavros
b3de69e5d6
chore: add comment explaining uri header
2026-03-12 16:36:13 +02:00
Stavros
016a954963
fix: make x forwarded uri a non required header
2026-03-12 16:26:42 +02:00
Stavros
b2a1bfb1f5
fix: validate client id on oidc token endpoint
2026-03-11 16:48:04 +02:00
Stavros
f1e869a920
fix: ensure user context has is logged in set to true
2026-03-11 15:57:50 +02:00
Stavros
cc5a6d73cf
tests: ensure all forwarded headers are set on tests
2026-03-11 15:53:39 +02:00
Stavros
2e03eb9612
fix: do not continue auth on empty x-forwarded headers
2026-03-11 15:46:09 +02:00
Stavros
b6eb902d47
fix: fix typo in public key loading
2026-03-08 15:54:50 +02:00
Stavros
e3bd834b85
fix: support pkix public keys in oidc
2026-03-08 11:39:16 +02:00
Stavros
d7d540000f
fix: state should not be a required field in oidc
2026-03-08 11:17:44 +02:00
Stavros
766270f5d6
fix: add kid header to id token
2026-03-08 11:07:15 +02:00
Stavros
69c6c0ba1d
fix: add cache control header to token response
2026-03-04 19:38:52 +02:00
Stavros
a71f61df8d
feat: add email verified claim
2026-03-04 15:52:31 +02:00
Stavros
6bf444010b
feat: add nonce claim support to oidc server (#686)
* feat: add nonce claim support to oidc server
* fix: review feedback
2026-03-04 15:34:11 +02:00
Stavros
0e6bcf9713
fix: lookup config file options correctly in file loader
2026-03-03 22:48:44 +02:00