# lemonldap-ng issues

Feed: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
Last updated: 2024-03-27T09:53:05Z

## #3115: Date in login history is based on session _utime, not the very same time as the login triggering action

- URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3115
- Updated: 2024-03-27T09:53:05Z
- Author: philippe lhardy (philha@worteks.com)
- Assignee: philippe lhardy (philha@worteks.com)
- Milestone: 2.19.0

### Affected version

All versions up to 2.18 and including current dev.

### Summary

Success or Failure records for login history use _utime and not the actual time of the action.

This is highlighted when using 2FA.

When tentatively implementing #3106, ordering the login failures of multiple successive 2FA failures couldn't be based on time, since all entries had the very same one.

### Possible fixes

Use the current time within login history.

## #3109: Conf test: should warn when auth is Choice and userDB isn't set to Choice or Same

- URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3109
- Updated: 2024-03-27T10:54:34Z
- Author: Yadd
- Assignee: Yadd
- Milestone: 2.19.0

Not an error but often a mistake.

## #3102: Allow custom ordering in history session keys

- URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3102
- Updated: 2024-03-18T13:07:55Z
- Author: Maxime Besson
- Assignee: Abhishek Pai
- Milestone: 2.19.0

Currently, session keys are displayed in the login history in alphabetical order.

We should let users reorder them, for example using 1_xxx prefixes like we do for Choices.

## #3101: OIDC offline session refresh has no access to previous session info

- URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3101
- Updated: 2024-03-26T13:21:23Z
- Author: Maxime Besson
- Assignee: Maxime Besson
- Milestone: 2.19.0

For a custom plugin, I need to access the _samlToken stored at login time in getUser.

Currently, the offline refresh code does not allow it:

```perl
$req->user( $refreshSession->data->{_session_uid} );
$req->data->{$_} = $refreshSession->data->{$_} foreach (qw(_choice));
$req->steps( [
    'getUser', @{ $self->p->betweenAuthAndData },
    'setSessionInfo', $self->p->groupsAndMacros,
    'setLocalGroups',
] );
```

Only _choice is kept, and the _samlToken cannot be exposed to getUser.

In order to fix this, a possible solution would be to run the same process we do in the "Refresh my rights" feature: keep existing session keys, refresh, and update the session with the new keys. This will remove some code duplication between OIDC and Main.

## #3100: Add PKCE option inside Auth::OpenIDConnect

- URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3100
- Updated: 2024-02-28T04:51:07Z
- Author: Yadd
- Assignee: Yadd
- Milestone: 2.19.0

Yes, this is strange, but it is required by some IDPs even if login/password is also required.

## #3099: second factor type is not stored in history in case of a 2FA failure

- URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3099
- Updated: 2024-03-26T12:32:06Z
- Author: Maxime Besson
- Assignee: Maxime Besson
- Milestone: 2.19.0

### Summary

If you add the `_2f` session variable to `sessionDataToRemember`, you will only see the `_2f` variable in your login history if it succeeded.

1FA failure:

```perl
# 'failedLogin' => [
#     {
#         '_auth' => 'Demo',
#         ...
#     },
```

2FA failure:

```perl
# 'failedLogin' => [
#     {
#         '_auth' => 'Demo',
#         '_2f' => undef,
#         ...
#     },
```

### Design proposition

We should set the `_2f` variable even if 2FA failed, so it can be displayed in history.

## #3088: Extend session lifetime when refreshing session/access token

- URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3088
- Updated: 2024-01-27T19:11:12Z
- Author: Maxime Besson
- Assignee: Maxime Besson
- Milestone: 2.19.0

Related to #2700

Currently, when the user obtains a new access token for a RP using a refresh token, the session is not extended (timeoutActivity/_lastSeen).

This action should be considered as session activity and thus extend the session duration.

Maybe this should also be the case when sessions are refreshed by the Refresh session API plugin?

OK for you @guimard / @clement_oudot?

## #3067: Error when verifying signature when OP uses more than one key and kid missing in ID Token

- URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3067
- Updated: 2023-12-21T17:42:23Z
- Author: Maxime Besson
- Assignee: Yadd
- Milestone: 2.18.1

cf. #3065

This is not permitted in OIDC, but we might want to support it for some applications / older LLNG releases.

MR !423

## #3057: Generate OpenAPI spec from Manager::Build

- URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3057
- Updated: 2024-02-29T16:44:06Z
- Author: Maxime Besson
- Assignee: Maxime Besson
- Milestone: 2.19.0

The current openapi-spec.yaml is maintained manually and is very out of sync.

I will implement a build step in "make json" to update it.

## #3054: Cannot get the full otpauth URL when registering a new TOTP

- URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3054
- Updated: 2024-03-27T09:19:28Z
- Author: Soisik Froger
- Assignee: Maxime Besson
- Milestone: 2.19.0

As a user, I'd like to copy the content of the QR code when enrolling a new TOTP. This URL is useful if you use any device/software that does not rely on scanning an image.

Right now, the URL has to be built from scratch from the displayed secret (lowercased and without spaces).

Some kind of way to retrieve this URL (in the HREF attribute of the image?) would make it easier to register a TOTP without scans.

## #3046: Conf::Backends::LDAP permanently fails to connect after an error

- URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3046
- Updated: 2023-12-20T10:29:30Z
- Author: Maxime Besson
- Assignee: Maxime Besson
- Milestone: 2.18.0

In unstable network conditions, the LDAP connection may become invalid:

```
LDAP error 82: Broken pipe
```

There is no way to recover from this except restarting httpd. We need to add a healthcheck on connection reuse like in Apache::Session::LDAP.

## #3044: Allow logout_app and logout_app_sso in Nginx

- URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3044
- Updated: 2023-12-14T16:30:19Z
- Author: dcoutadeur dcoutadeur
- Assignee: dcoutadeur dcoutadeur
- Milestone: 2.18.0

### Summary

Currently, logout_app and logout_app_sso only work on Apache.

It would be nice to have the same feature in Nginx. Maybe we can use Lua for this purpose.

## #3043: Return to 2FA manager after registration

- URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3043
- Updated: 2023-11-21T08:52:56Z
- Author: Maxime Besson
- Assignee: Maxime Besson
- Milestone: 2.18.0

Currently, after registering a TOTP (or any other 2FA), the user remains on the TOTP screen:

![image](/uploads/33886c54eba6ab62c72a986f1aedb83a/image.png)

![image](/uploads/df3b7d37cd8b47704cf061a7319ec5ee/image.png)

This is consistently reported by my users as confusing.

A better flow would be to take them back to the list of registered 2FA:

![image](/uploads/d0f8b7e1ae333be4afe8ce7f0740436c/image.png)

Similar to #2610 but for all 2FA types.

## #3031: OIDC: implement client_secret_jwt and private_key_jwt authentication mechanisms for endpoints access

- URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3031
- Updated: 2023-12-14T15:55:58Z
- Author: Yadd
- Assignee: Yadd
- Milestone: 2.18.0

Ref: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication

Related to #3030

MR: !397

## #3029: Set a UserAgent for requests done by LemonLDAP::NG

- URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3029
- Updated: 2023-12-14T14:51:55Z
- Author: Clément OUDOT
- Assignee: Clément OUDOT
- Milestone: 2.18.0

We can easily set a UserAgent string in Common/UserAgent.pm to avoid using the default LWP::UserAgent string.

It is only cosmetic. My question is: would it add some security issue? Not sure about it, because there are not so many SSO products using the Perl LWP module, so it won't really disclose information.

## #3025: Accept EC algorithms in OpenIDConnect

- URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3025
- Updated: 2023-12-01T10:56:16Z
- Author: Yadd
- Assignee: Yadd
- Milestone: 2.18.0

The `verifyJWTSignature()` returns 0 if the algorithm isn't HS* or RS*.

It could be easy to support any algorithm by replacing our internal algorithm with [Crypt::JWT](https://metacpan.org/pod/Crypt::JWT), which supports all algorithms and also JWE. The library is available in Debian and is the base of !389.

As usual, not available on rpm distributions.

## #3022: Add a log to give details if CAS SLO request returns an error

- URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3022
- Updated: 2023-10-11T09:38:10Z
- Author: Clément OUDOT
- Assignee: Clément OUDOT
- Milestone: 2.18.0

When using CAS SLO, we don't get any message in the log if the SLO request returns an error.

## #2988: Do not store password in clear text in session when password store option is enabled

- URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2988
- Updated: 2023-12-16T14:21:41Z
- Author: Clément OUDOT
- Assignee: Clément OUDOT
- Milestone: 2.18.0

We currently have an option to store the password in the session (disabled by default), which could be used to replay the password with Auth Basic or Form replay.

Even if we strongly discourage the usage of this option, we could improve it by storing a ciphered value of the password in the session, and decrypting it when needed.

So far, what needs to be done:

* Have a new option to cipher the password (should be true by default)
* Have a new option to set a key (if no key, the default key will be used)
* Add a decrypt extended function (the reverse of https://lemonldap-ng.org/documentation/latest/extendedfunctions.html#encrypt)

## #2982: Allow specifying a Radius failover server

- URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2982
- Updated: 2023-10-10T15:15:47Z
- Author: Maxime Besson
- Assignee: Maxime Besson
- Milestone: 2.18.0

### Summary

Currently, Auth::Radius and 2F::Radius can only point to one server. Authen::Radius allows a NodeList to be specified.

### Design proposition

Split radiusServer/radius2fServer on spaces and populate NodeList.

## #2975: Allow admin to choose key size during certificate generation

- URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2975
- Updated: 2023-07-24T09:47:00Z
- Author: Yadd
- Assignee: Yadd
- Milestone: 2.17.0

### Summary

The helper to generate new SAML certificates uses a fixed key size (2048).

### Design proposition

The idea here is to add a parameter in the manager UI to change this size.