# lemonldap-ng issues
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues (feed updated 2024-03-27T04:30:33Z)

## Issue #3103: Add a plugin/issuer for Jitsi Meet JWT authentication
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3103 (updated 2024-03-27T04:30:33Z, author Maxime Besson)

The popular Jitsi Meet application does not use OIDC or SAML, but relies on a custom JWT format.
Some projects already bridge the gap between Jitsi and standard SSO protocols:
https://github.com/Renater/Jitsi-SAML2JWT
(and others)
But they require deploying yet another piece of software, usually from Docker.
We could include a plugin that does the same job, directly inside LLNG.

Milestone: 2.19.0. Assignee: Maxime Besson.

## Issue #2767: Implement OAuth 2.0 Device Authorization Grant (RFC8628)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2767 (updated 2022-06-17T13:28:23Z, author Maxime Besson)

### Summary
[RFC8628](https://datatracker.ietf.org/doc/html/rfc8628) allows a device such as a TV, Game console, etc. to receive an Access Token. It is also used for securely authenticating non-HTTP protocols (FreeIPA)
### Design proposition
The protocol works like this:
* TV hits a portal URL (/oauth2/authorize_device)
  => issuer unauth route
* LLNG returns a user code, device code, URL ( https://auth.example.com/device )
* TV displays the URL and user code
* TV starts polling LLNG on the unauth route, waiting for the user to complete the process, using the device code
* Users browse to URL https://auth.example.com/device on their phone/laptop and enter the user code. SSO session is established or reused.
  => issuer auth route
* TV eventually obtains the access token
This flow looks rather easy to implement in the OIDC issuer. We just need to be careful to prevent brute-force attacks, and develop a small UI for the user to input the user code. We need to store a temporary OIDC session during the flow indexed by user code and device code.

Milestone: Backlog.

## Issue #3000: Implement continuations in the portal login flow
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3000 (updated 2023-10-10T13:31:15Z, author Maxime Besson)

### Summary
The LemonLDAP::NG portal is centered around the idea of running a list of methods (with `do`) in order.
(extractFormInfo, getUser, etc)
But this flow generally needs to be interrupted at some point for user interaction:
* Entering credentials
* Entering 2FA
* Showing notifications
* Showing info
* etc.
Each component of LemonLDAP::NG has its own way of doing that. Generally a OneTimeToken is used, but not always.
* Issuer saves the request environment
* 2FA saves sessionInfo + a couple other fields
* Notifications encrypt the session cookie but require $req->data->{url} to be persisted
* etc.
There are literally dozens of bugs, maybe more, caused by the fact that the
current `$req` object needs to be serialized before the interaction and
restored after, and this is done incorrectly.
There are many bugs caused by interactions that arise for the fact that some
early part of the processing sets something in `$req->data` that is needed
later, but not restored correctly.
There are also many bugs caused by the fact that some extra steps are stored in
`$req->steps` but not restored after an interaction.
### Design proposition
We need to create a generic system for storing the request state during a user
interaction, including `$req->steps`. This system should be used by every part
of LemonLDAP::NG that needs to interrupt the current flow to display a page.
I will update this issue with a design proposal later, but it will take a lot
of time to implement this correctly, and require many preliminary steps.

Assignee: Maxime Besson.

## Issue #2747: Incorrect handling of custom schemes when auto-setting CSP form-action
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2747 (updated 2023-01-10T17:04:57Z, author Bipul Bhattarai)

I have another issue with a mobile application (iOS): while submitting the form I get "Refused to load fr.test.software.m.prd:///oauth2redirect?session_state=qvIiRZWEPp8JbyH665Q94uAY54jGBaT5gdwoa3HBjHI%3D.RUh1M3FZa3NNYmUzdzQyVldCVmxaamNDK3RKYVpzUmlIMTNwTEpaRzNpQ1Q5Wm96VzFxdlRQbnp6WDVXelNZa0VXVkRteVNrcVhISVFjeUw4cDdrYmhtaVhrVnZVVG14S0F1em5EUlFsOU09&state=7jPhuLwZjeXuHt0rH8EDbdF0nAW7LKkNTg3MI7UIg7Q&code=6847ad06fa56984ee3f74a8c59eccc0f# because it does not appear in the form-action directive of the Content Security Policy." I changed the security policy to \* for all, still the same error. But if I refresh the browser it works; only the first time I am not able to login. Can you help me with this please? Thank you

Milestone: 3.0.0. Assignee: Maxime Besson.

## Issue #2696: Add TOTP-or-WebAuthn
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2696 (updated 2024-03-27T10:37:03Z, author Yadd)

### Summary
Since WebAuthn is going to replace U2F, we should provide a TOTP-or-WebAuthn to replace TOTP-or-U2F.

Milestone: In discussion. Assignee: Christophe Maudoux <chrmdx@gmail.com>.

## Issue #2540: XSS protection of CAS service parameter should be removed
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2540 (updated 2024-01-18T08:25:29Z, author Maxime Besson)

In #1795 we implemented an XSS check on the service= parameter of the CAS issuer (1a8948894d61e1f37dda5c95f2ea0a619545f5f6).
However, this change breaks some applications, such as Ametys CMS, which generate login URLs that look like this:
```
https://cms.example.com/plugins/core/authenticate/0?contexts=%2Fsites%2Fintranet%2C%2Fsites%2Ftest-projet-b%2C%2Fsites%2Ftest-ametys%2C%2Fsites%2Fcatalogue
```
Note: `%2C` is a legitimate separator in this context.
According to discussions in #1795, this check is meant to protect against tampering with the Location: header.
However, checkXSSAttack does NOT prevent header injection (it is supposed to prevent XSS in HTML documents, a completely different issue). You can try with the following example:
http://auth.example.com/cas/login?service=http://cas.example.com/test%0D%0AX-Test:%20inject%0D%0A
This attack is caught by
```perl
unless ( $service =~ m#^(https?://[^/]+)(/.*)?$# ) {
    $self->logger->error("Bad service $service");
    return PE_ERROR;
}
```
<details><summary>(click here to see what happens if I disable this code)</summary>
I'm surprised Plack does not protect you from this:
![image](/uploads/0e01c2040cb7a6992625fa20ebe3ecb8/image.png)
</details>
but this attack is NOT caught by
```perl
$service = '' if ( $self->p->checkXSSAttack( 'service', $service ) );
```
which makes this check counter-productive in my opinion
### Conclusion
Checking for XSS attacks should be only done for values that are displayed in HTML pages. For values used in Location: headers, we should only check:
* If they are properly formatted URLs (!185)
* If they are in the list of allowed redirection targets (trustedDomains, declared vhost, etc.)

Milestone: 3.0.0. Assignee: Maxime Besson.

## Issue #2514: improve Content-Security-Policy handling
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2514 (updated 2022-05-01T09:37:03Z, author Maxime Besson)

### Summary
The way CSP currently works could be improved. Currently all the work is done in sendHtml()
Heuristics, feature tests and regexps are used to populate the CSP, combined with user-defined options
We should instead let each module/LLNG feature handle its own CSP (see `$req->data->{cspFormAction}`).
### Design proposition
Example of a better API, in Choice.pm:
```perl
$req->setCSP("form-action", $url);
```
or when embedding an iframe:
```perl
$req->setCSP("frame-src", $url);
```
( see also #2513 )

Milestone: 3.0.0. Assignee: Maxime Besson.

## Issue #2023: Manage prompt=none in OIDC
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2023 (updated 2019-11-21T17:01:46Z, author Clément OUDOT)

Section 3.1.2 from OpenID Connect core specification.
We should redirect when user is not authenticated.

Milestone: 3.0.0.

## Issue #1786: Combination: merge Attributes from different UserDB-Sources
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1786 (updated 2019-11-21T11:28:33Z, author Hermann Wehner)

### Summary
When using "Combination" and chaining userdbs, (e.g. [myDBI,myDBI and myLDAP]), attributes from myDBI are overwritten in LDAP's get_user-function.
### Design proposition
Merging the sets of attributes should be a configurable option.

Milestone: 3.0.0. Assignee: Yadd.

## Issue #1772: Append a new plugin to display a custom message on portal
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1772 (updated 2024-03-27T10:38:36Z, author Christophe Maudoux <chrmdx@gmail.com>)

### Summary
A custom message could be displayed to authenticated or unauthenticated users.
Select background colour, set rules, set message to display, ...

Milestone: 2.20.0. Assignee: Maxime Besson.

## Issue #1456: Create account and reset password with SQL/DBI module
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1456 (updated 2018-06-18T12:55:03Z, author acool acool)

### Summary
Hello,
I allow myself to post a message to you because I use Lemonldap-ng; everything works perfectly except creating an account and resetting the password.
For the creation it takes an SMTP server, but I receive a bad token because the DBI module is not here: there is only the demo module, LDAP and Active Directory, and not the DBI module.
For reinitialization I use the DBI module to store my accounts in my database too.
Regards,

Milestone: Backlog.

## Issue #809: Reset password by questions
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/809 (updated 2019-11-21T17:45:09Z, author Clément OUDOT)

Milestone: Backlog.

## Issue #3127: Support SAML subject-id and pairwise-id natively
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3127 (updated 2024-03-27T13:29:12Z, author Maxime Besson)

subject-id and pairwise-id are replacements for SAML NameIDs in use in Renater/Edugain federations:
https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/cs01/saml-subject-id-attr-v1.0-cs01.html
Currently, subject-id and pairwise-id can be enabled via a macro, but this is complex to configure. Especially pairwise-id which must be configured as a per-SP macro for all SPs
Maybe we should natively implement subject-id and pairwise-id through simple options in SAML SP configs.

Milestone: 2.20.0. Assignee: Maxime Besson.

## Issue #3126: Allow multiple TOTP devices to be registered
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3126 (updated 2024-03-27T10:11:12Z, author Maxime Besson)

### Summary
Currently it is possible to register multiple WebAuthn devices, but not multiple TOTP.

Milestone: 2.20.0. Assignee: Maxime Besson.

## Issue #3125: Add base class for "reset password by SMS"
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3125 (updated 2024-03-27T10:22:31Z, author Yadd)

SMS APIs are not standard; however, we could easily have a base class to prepare for that.
### Design proposition
* Move part of [MailPasswordReset](lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/MailPasswordReset.pm) into "Lib/PasswordReset.pm"
* Maybe create a "Lib/SMSBase.pm" that stores custom parameters somewhere and just needs a "sendSMS" method in sub classes
* Create a "Lib/SMS.pm" that requires a class that exposes a `sendSMS($phone, $text)`
* Create a "Plugins/SMSPasswordResetBase.pm" that inherits from "Lib/PasswordReset.pm" and uses "Lib/SMS.pm"

Milestone: 2.20.0. Assignee: Yadd.

## Issue #3124: Allow users to configure WebAuthn relying party ID
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3124 (updated 2024-03-20T13:29:26Z, author Maxime Besson)

### Summary
Some users want to use an external system to register WebAuthn credentials
This requires a given WebAuthn device to share credentials between the portal and the registration system
### Design proposition
Allow the RP ID to be configured in 2F::WebAuthn

Milestone: 2.19.0. Assignee: Maxime Besson.

## Issue #3123: JWKS timeout is not implemented
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3123 (updated 2024-03-27T10:40:19Z, author Maxime Besson)

### Affected version
Version: 2.18.2
### Summary
* Configure Auth::OpenIDConnect with a test OP
* set oidcOPMetaDataOptionsJWKSTimeout = 30 (or any non zero value)
* When restarting portal, JWKS is downloaded :white_check_mark:
* After 30 seconds, JWKS is not refreshed :x:

Milestone: 2.19.0. Assignee: Maxime Besson.

## Issue #3118: Minimal LDAP server load-balancing
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3118 (updated 2024-03-08T14:10:26Z, author Yadd)

[Net::LDAP](https://metacpan.org/pod/Net::LDAP) provides a way to have more than one LDAP server, which permits a fallback. However, it always tries servers in the same order. This has some issues:
- only one server is used
- when the first server is down, all LDAP connections are slowed down to wait for first failure
### Design proposition
This should be pushed to [Lemonldap::NG::Portal::Lib::Net::LDAP](lemonldap-ng-portal/blib/lib/Lemonldap/NG/Portal/Lib/Net/LDAP.pm) and [Apache::Session::Browseable](https://metacpan.org/pod/Apache::Session::Browseable).
```perl
our %knownDown;
our %knownLdapServerStrings;

# Sort comparator: servers known to be down are moved to the end of the list
sub sortDead {
    return 1  if $knownDown{$a} and !$knownDown{$b};
    return -1 if $knownDown{$b} and !$knownDown{$a};
    return 0;
}

# ...

sub new {
    # ...
    # Split the configured server string once and cache the list
    $knownLdapServerStrings{ $conf->{ldapServer} } ||=
      [ split( /\s+/, $conf->{ldapServer} || 'localhost' ) ];

    # Simple round-robin if asked: rotate the list by one for each new connection
    if ( $conf->{ldapRoundRobbin} ) {
        my $last = shift @{ $knownLdapServerStrings{ $conf->{ldapServer} } };
        push @{ $knownLdapServerStrings{ $conf->{ldapServer} } }, $last;
    }

    # Push servers which have failed to the end of the list
    my @uris  = sort sortDead @{ $knownLdapServerStrings{ $conf->{ldapServer} } };
    my $first = $uris[0];

    # ... create LDAP object using \@uris

    # Update knownDown list:
    # The server chosen by Net::LDAP is up
    delete $knownDown{ $self->{net_ldap_uri} };

    # If Net::LDAP picked another server, this means that the first LDAP is down
    if ( $self->{net_ldap_uri} ne $first ) {
        $knownDown{$first} = 1;
    }
    # ...
}
```
@clement_oudot, @maxbes: what do you think?

Milestone: In discussion. Assignee: Yadd.

## Issue #3116: Restart authentication process when error is linked to token expiration
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3116 (updated 2024-03-27T10:59:00Z, author Clément OUDOT)

Currently, when the security token is expired (`Returned error: 82 (PE_TOKENEXPIRED)`), we end up on the error page and the user must return to the portal to restart the authentication process.
It could be better to display the error on the login form so the user can directly restart the authentication process.

Milestone: 2.20.0.

## Issue #3111: Hide Code2F secrets even from debug logs
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3111 (updated 2024-03-27T10:25:25Z, author Maxime Besson)

Currently, secrets such as OTP codes (Code2F.pm) are displayed in cleartext in debug logs.
This is useful for debugging.
Some users want to be able to hide the values even from error logs.
We should find a way to do this, maybe a special value in hiddenAttributes?

Milestone: 2.19.0. Assignee: Clément OUDOT.