Olivier Dumont
ef157ae9ba
Fix critical security issue: verify JWT signature in access token validation
The validateAccessToken method was only decoding the JWT payload without
verifying the signature, allowing attackers to forge tokens. This fix:
- Adds ValidateAccessToken method to OIDCService that properly verifies
JWT signature using RSA public key
- Validates issuer, expiration, and required claims
- Updates controller to use the secure validation method
- Removes insecure manual JWT parsing code
2025-12-30 12:36:30 +01:00
Olivier Dumont
020fcb9878
Add OIDC provider functionality with validation setup
This commit adds OpenID Connect (OIDC) provider functionality to tinyauth,
allowing it to act as an OIDC identity provider for other applications.
Features:
- OIDC discovery endpoint at /.well-known/openid-configuration
- Authorization endpoint for OAuth 2.0 authorization code flow
- Token endpoint for exchanging authorization codes for tokens
- ID token generation with JWT signing
- JWKS endpoint for public key distribution
- Support for PKCE (code challenge/verifier)
- Nonce validation for ID tokens
- Configurable OIDC clients with redirect URIs, scopes, and grant types
Validation:
- Docker Compose setup for local testing
- OIDC test client (oidc-whoami) with session management
- Nginx reverse proxy configuration
- DNS server (dnsmasq) for custom domain resolution
- Chrome launch script for easy testing
Configuration:
- OIDC configuration in config.yaml
- Example configuration in config.example.yaml
- Database migrations for OIDC client storage
2025-12-30 12:17:55 +01:00
Stavros
43487d44f7
feat: forward sub from oidc providers (#543)
* feat: forward sub from oidc providers
* fix: review comments
2025-12-26 19:02:51 +02:00
Stavros
2d8af0510e
feat: refresh session cookie when session is active (#540)
* feat: refresh session cookie when session is active
* refactor: use current time to set new expiry
2025-12-26 17:55:54 +02:00
Stavros
a1c3e416b6
refactor: use proper module name (#542)
* chore: reorganize go mod
* refactor: use proper module name
2025-12-26 17:53:24 +02:00
Stavros
ef25872fc3
feat: add support for Envoy proxy (#538)
* feat: add support for 'envoy' proxy in proxyHandler validation
* refactor: simplify proxy route setup by consolidating envoy handling
* feat(proxy): add method validation for proxy authentication
* fix(proxy): reorder method validation for proxy authentication
* refactor: use a slice to check for supported proxies
---------
Co-authored-by: pushpinderbal <me@s1ngh.ca>
Co-authored-by: Pushpinder Singh <53684951+pushpinderbal@users.noreply.github.com>
Co-authored-by: Pushpinder Singh <pushpinder.singh@arcticwolf.com>
2025-12-22 22:28:34 +02:00
Stavros
03ed18343e
feat: unified config (#533)
* chore: add yaml config ref
* feat: add initial implementation of a traefik like cli
* refactor: remove dependency on traefik
* chore: update example env
* refactor: update build
* chore: remove unused code
* fix: fix translations not loading
* feat: add experimental config file support
* chore: mod tidy
* fix: review comments
* refactor: move tinyauth to separate package
* chore: add quotes to all env variables
* chore: resolve go mod and sum conflicts
* chore: go mod tidy
* fix: review comments
2025-12-22 22:13:40 +02:00
Stavros
78f97c8550
refactor: split bootstrap to smaller files for better readability (#518)
* refactor: split bootstrap to smaller files for better readability
* chore: rename setup routes to setup router
* fix: assign configured providers to app context
2025-12-17 15:04:09 +02:00
Modestas Rinkevičius
3961589f1e
feat: auto-create database directory if missing (#510)
2025-12-11 14:43:57 +02:00
Stavros
641b9aa531
feat: log unsafe redirect uri in oauth controller
2025-11-23 14:06:35 +02:00
Stavros
6c90046343
feat: add option to disable ui warnings
2025-11-21 17:37:08 +02:00
Stavros
6d663bb1e8
fix: use unix seconds in db cleanup
2025-11-15 11:45:19 +02:00
Stavros
8453c48d9e
feat: add log in json option
2025-11-06 18:11:43 +02:00
Stavros
2af036b38e
feat: add logging for session creation
2025-11-06 16:18:01 +02:00
Stavros
60dada86a6
feat: add support for listening on unix sockets
2025-11-04 18:42:04 +02:00
Stavros
bb1ecd4183
fix: allow for all subdomains to be considered safe for redirection
2025-11-04 17:58:56 +02:00
Stavros
57aca58de3
fix: ensure providers prefix exists on env variables and flags
2025-11-04 17:50:56 +02:00
Stavros
e23f4f1371
chore: disable env acls
2025-11-04 17:48:45 +02:00
Stavros
0227af6d2b
refactor: rework decoders logic for cleaner code (#431)
* refactor: rework decoders logic for cleaner code
* refactor: use strcase lib to handle text case conversions
2025-10-26 12:01:19 +02:00
Chris Ellrich
c5bb389258
feat: ACL labels from environment variables (#422)
* feat: add LabelService to retrieve application labels from environment variables
* feat: allow usage of labels from docker and env variables simultaneously
Prioritize labels from environment variables over labels from docker labels
* fix: handle error returned by label_serive.go/LoadLabels
see https://github.com/steveiliop56/tinyauth/pull/422#discussion_r2443443032
* refactor(label_service): use simple loop instead of slices.ContainsFunc to avoid experimental slices package
see https://github.com/steveiliop56/tinyauth/pull/422#pullrequestreview-3354632045
* refactor: merge acl logic into one service
---------
Co-authored-by: Stavros <steveiliop56@gmail.com>
2025-10-21 16:02:31 +03:00
Stavros
6647c6cd78
refactor: use gorm generics api for database actions
2025-10-19 19:16:53 +03:00
Stavros
7231efcbc3
feat: add routine to cleanup expired sessions
2025-10-19 19:10:24 +03:00
Stavros
5482430907
refactor: generate a verifier on every oauth auth session
2025-10-19 19:03:38 +03:00
Scott McKendry
f628d1f0b3
fix(redirect): allow root cookie domain host redirects (#409)
Previously IsRedirectSafe rejected redirects to the exact cookie domain
when AppURL had multiple subdomain levels, because it stripped the first
label twice.
2025-10-13 11:55:43 +03:00
Stavros
64222b6d15
fix: don't use container name in label discovery
2025-10-12 11:29:31 +03:00
Stavros
1b87ed9b99
feat: add config dumps to trace log level
2025-10-12 11:29:31 +03:00
Stavros
9b76a84ee2
feat: add trace logging
2025-10-11 15:27:01 +03:00
Stavros
fc7e395e66
feat: sort configured providers based on name length
2025-10-10 17:16:22 +03:00
Stavros
b940d681c3
feat: use recovery gin middleware in engine
2025-10-10 16:42:19 +03:00
Stavros
a1ec4a69cf
fix: remove spaces before checking oauth name and username
2025-10-10 16:28:52 +03:00
Stavros
5a4855c12c
refactor: move docker connection check to start up
2025-10-10 15:45:04 +03:00
CzBiX
76f2014444
feat: add http cache for static files (#395)
* feat: add http cache for static files
fix #392
* minor typo fix
2025-10-08 18:58:22 +03:00
Stavros
c77da30d87
refactor: set gin mode using env
2025-10-08 16:24:14 +03:00
Stavros
287c6f975f
fix: do not allow request if docker labels check fail
2025-10-08 15:44:34 +03:00
Stavros
adffb4ac0a
fix: names in oauth broker
2025-10-08 15:15:30 +03:00
Stavros
f0a48cc91c
feat: add health check command
2025-10-06 21:45:23 +03:00
Stavros
085f6257c5
fix: fix oauth group provider check
2025-09-25 22:35:44 +03:00
Stavros
c307f7eb2e
fix: handle 201 status for heartbeat
2025-09-22 19:56:59 +03:00
Stavros
5dd8526833
fix: fix key normalization function handling more cases than it needs to
2025-09-22 19:29:55 +03:00
Stavros
e8558b89b4
fix: set gin mode correctly
2025-09-22 16:15:55 +03:00
Stavros
f8047a6c2e
feat: add option to disable resources server
2025-09-22 15:52:43 +03:00
Stavros
c9867ccb76
chore: fix typo
2025-09-20 11:08:57 +03:00
Stavros
866933b3d6
fix: fix version handling in docker and cd
2025-09-19 15:38:32 +03:00
Stavros
d70cbea546
chore: handle trusted proxies config error
2025-09-19 14:53:10 +03:00
Stavros
50105e4e9d
feat: version info analytics (#363)
* feat: version info analytics
* refactor: don't create new client every time
2025-09-19 14:44:22 +03:00
Stavros
b62b2932fe
fix: only set trusted proxies if config option is not empty
2025-09-16 15:14:42 +03:00
Stavros
5c866bad1a
feat: multiple oauth providers (#355)
* feat: add flag decoder (candidate)
* refactor: finalize flags decoder
* feat: add env decoder
* feat: add oauth config parsing logic
* feat: implement backend logic for multiple oauth providers
* feat: implement multiple oauth providers in the frontend
* feat: add some default icons
* chore: add credits for parser
* feat: style oauth auto redirect screen
* fix: bot suggestions
* refactor: rework decoders using simpler and more efficient pattern
* refactor: rework oauth name database migration
2025-09-16 13:28:28 +03:00
Stavros
2d78e6b598
feat: add cookie domain back to context controller
2025-09-10 13:47:48 +03:00
Stavros
e03eaf4f08
feat: add psl check in cookie domain
2025-09-10 13:43:08 +03:00
Stavros
74cb8067a8
tests: add util tests
2025-09-03 17:52:51 +03:00