letro/letro-authentication-service
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity
5,223 Commits 2 Branches 1 Tag
c03216b3aefefdd66a33b2cec293db31312c8f3a
Commit Graph

190 Commits

Author SHA1 Message Date
Quentin Gliech
e8627166a9 Log out oauth & compat sessions when receiving a backchannel logout request 2025-07-04 16:27:10 +02:00
Quentin Gliech
db8c557f81 Backchannel logout behavior settings on upstream providers 2025-07-04 16:27:10 +02:00
Quentin Gliech
5b7bf232d6 Record the decoded ID token claims on upstream auth sessions 2025-07-04 16:27:09 +02:00
Quentin Gliech
52b0a9b2ba Update license headers to match the actual license 2025-06-12 10:32:16 +02:00
Quentin Gliech
642c8ba508 Support for experimental plan management tab in UI (#4549) 2025-06-10 14:14:24 +02:00
Hugh Nimmo-Smith
a127136384 Make plan_management_iframe_uri be a String not URL 2025-06-06 10:31:45 +01:00
Quentin Gliech
dcef4bcf3f Add config flag to require registration tokens for password registrations 2025-06-03 17:42:53 +02:00
Quentin Gliech
e28221ac49 Data model and repository for user registration tokens 2025-06-03 17:42:52 +02:00
Hugh Nimmo-Smith
23c91ec06c Lint 2025-05-09 10:58:03 +01:00
Hugh Nimmo-Smith
aad2d8afb3 Merge branch 'main' into hughns/plan-management 2025-05-09 10:33:39 +01:00
Quentin Gliech
955bd28590 Don't generate and send a nonce for non-OIDC-compliant auth requests 2025-05-07 15:34:27 +02:00
Doug
7f91c8948b Add a configuration for forwarding the login hint to the upstream provider. 2025-05-06 17:50:33 +01:00
Quentin Gliech
7ec87b1855 storage: add a user-provided human name to OAuth 2.0 sessions 2025-04-25 16:55:29 +02:00
Quentin Gliech
234de8b737 Save the locale detected when starting an authorization grant 2025-04-25 12:55:22 +02:00
Quentin Gliech
f457bd8d35 Don't parse the user agent unless we need to 2025-04-24 13:13:26 +02:00
Quentin Gliech
dbb68257fc Compile the user-agent regexes once 2025-04-24 12:36:41 +02:00
Hugh Nimmo-Smith
57cc89a0c8 WIP support for experimental plan management tab in UI 2025-04-22 13:17:29 +01:00
Quentin Gliech
a47dba1b1d Always ask for consent, never for reauth (#4386) 2025-04-14 15:51:48 +02:00
Quentin Gliech
73a4007c18 Always ask for consent, never for reauth 
Now that we have deduplicated clients, we're in this weird situation
where authorization grants just… go through.

This is because 4 years ago, I designed it to support prompt=consent and
prompt=none, but that never ended up being used/mentioned in the MSCs.

We also had support for max_age, but that required reauthing, which
doesn't work well with upstream providers.

So this removes support for prompt=consent|none and max_age, and makes
sure we always go through the consent page.

Lots of code deleted, yay!
 2025-04-10 19:57:45 +02:00
mcalinghee
2fe4752aa4 add login by email + feature flag 2025-04-10 17:57:58 +02:00
Quentin Gliech
e064c381b6 Admin API for adding and removing upstream oauth links (#4255) 2025-04-09 13:33:16 +02:00
Quentin Gliech
2c6e2b42a1 compat login: support using client-provided device ID (#4342) 2025-04-07 08:52:29 +02:00
Quentin Gliech
e9525fff9e Fix doc comment 2025-04-07 08:31:58 +02:00
Olivier 'reivilibre
1e2af0fd3a compat login (sso): support using client-provided device_id 2025-04-04 16:25:01 +01:00
Quentin Gliech
8fbd75eb7e Deduplicate client registrations by hashing the metadata 2025-03-25 15:00:23 +01:00
MTRNord
1ab402c7bf Link removal storage API 
From #3245 with changes from review
 2025-03-17 18:31:11 +02:00
Quentin Gliech
fd41b719ba Merge branch 'main' into quenting/dynamic-policy-data 2025-03-14 10:16:16 +01:00
Quentin Gliech
a6992b718c Config option to allow account self-deactivation 2025-03-12 15:58:54 +01:00
Quentin Gliech
9c35f18d79 Add a deactivated_at flag on users 2025-03-11 17:35:13 +01:00
Quentin Gliech
44b6777f1b Merge remote-tracking branch 'origin/main' into quenting/compat-device-id 2025-03-04 13:33:09 +01:00
Quentin Gliech
098517edd0 storage: store dynamic policy data in the database 2025-02-25 12:26:22 +01:00
Quentin Gliech
b4b2e4c7bb Fix some old Synapse access tokens not being recognized 2025-02-24 11:12:02 +01:00
Quentin Gliech
56d9c7e63b Upgrade to Rust 1.85 and edition 2024 2025-02-21 16:15:02 +01:00
Quentin Gliech
a3f22ae5f6 Allow compat session devices to have spaces 2025-02-19 17:55:18 +01:00
Quentin Gliech
b40fcdd712 Experimental feature to timeout inactive sessions 2025-02-12 17:31:21 +01:00
Olivier 'reivilibre
3034819b7d Introduce optional human_name column on compat_sessions 2025-02-05 11:36:51 +01:00
Quentin Gliech
ab69351f77 Avoid unnecessary clones in the login_hint parser 2025-01-28 17:25:54 +01:00
reivilibre
87009be7e6 Support compatibility sessions that do not have devices (#3801) 
Co-authored-by: Quentin Gliech <quenting@element.io>
 2025-01-27 14:50:31 +00:00
Quentin Gliech
0bca802585 Merge branch 'main' into quenting/optional-email 2025-01-20 11:31:48 +01:00
reivilibre
e6967210cc Recognise macaroons as access tokens from Synapse (#3797) 2025-01-17 09:50:13 +00:00
Quentin Gliech
d58e13e2cf Data model and storage layer for storing user registrations 2025-01-14 16:30:43 +01:00
Quentin Gliech
9db14f6743 Rip out the email verification codes 
This considers all user_emails as confirmed, and removes the verification code.
It will be replaced by a new email authentication code flow
 2025-01-14 15:46:45 +01:00
Quentin Gliech
b697a2dfb2 storage: new email authentication codes 2025-01-13 17:00:30 +01:00
Quentin Gliech
077a55fd5d Remove the primary email address concept 2025-01-13 17:00:30 +01:00
Mathieu Velten
33e1cdbf16 Allow response_mode to be null and if so do not add the query param (#3700) 2024-12-18 18:18:39 +01:00
Quentin Gliech
f563daf822 Make the issue optional on upstream OAuth 2.0 providers 2024-12-17 13:40:34 +01:00
Mathieu Velten
75ee9a1e58 Add id_token_signed_response_alg and userinfo_signed_response_alg (#3664) 2024-12-17 11:54:16 +01:00
Quentin Gliech
6bda8b91d0 Allow revoking refresh tokens 
This lets us track 'revoked' tokens separately from 'consumed' tokens.
 2024-12-11 14:15:01 +01:00
Quentin Gliech
42bb83a628 Record when access tokens are first used 2024-12-11 14:15:01 +01:00
Quentin Gliech
b3756e4ae4 Record the next refresh token ID when refreshing 
This will help us determine whether we had a double-refresh happening
 2024-12-11 14:15:01 +01:00