lemonldap-ng issues
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
2023-03-24T06:11:59Z
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2904
Implement OIDC Client-Initiated-Backchannel-Authentication
2023-03-24T06:11:59Z
Yadd
https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html
3.0.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2870
Generic API plugin
2023-02-10T13:12:04Z
Yadd
### Summary
Sometimes the Perl language can be a foil for people who want to write plugins.
### Design proposition
A new list in the manager for remote plugins. When the portal starts, it contacts the external API to ask for its entry points:
```js
// POST /remote/api HTTP/1.0
{
  "action": "register",
  "portal": "https://auth.example.com",
  "auth": "LDAP",
  "userDB": "LDAP"
}
// Response
{
  "action": "register",
  "entryPoints": {
    "afterData": {
      "endpoint": "https://remote/api/afterdata",
      "requestKeys": ["sessionInfo", "ENV"]
    }
  },
  "authRoutes": {
    "/myapi/": {
      "requestKeys": ["path", "sessionInfo"]
    }
  }
}
```
Then, during authentication, the portal sends this request:
```js
// POST /remote/api HTTP/1.0
{
  "action": "entryPoint",
  "entryPoint": "afterData",
  "requestKeys": {
    "sessionInfo": {
      "_session_id": "aabbcc",
      "_user": "dwho"
      //...
    },
    "ENV": {
      "REQUEST_URI": "/"
      //...
    }
  }
}
// Response
{
  "action": [
    {
      "setKeysInSession": {
        "_myapi_id": "zzkkvv"
      }
    }
  ],
  "code": 0 // a portal code
}
```
If an authenticated user calls `https://auth.example.com/myapi/something`:
```js
// POST /api/afterdata HTTP/1.1
{
  "action": "authRoute",
  "requestKeys": {
    "path": "/myapi/something",
    "sessionInfo": {
      "_session_id": "aabbcc",
      "_user": "dwho"
      //...
    }
  }
}
// Response: a PSGI response
[
  200,
  ["Content-Type", "application/json"],
  ["{\"result\":true}"]
]
```
3.0.0
Yadd
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2754
MDQ support
2022-05-19T14:34:21Z
Antoine Gallavardin
### Summary
Hello
RENATER, the French NREN, wants to reduce the XML transaction load between IdP and SP in the French federation and eduGAIN context.
For this, they plan to use the MDQ protocol: https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2060616133/MDQMetadataProvider
(no planning has been announced)
see slide 10: https://conf-ng.jres.org/2021/document_revision_2174.html?download
A rewrite of the metadata fetching tool is currently in progress; is it possible to integrate an MDQ basis?
Thanks in advance!
### Design proposition
Maybe convert the importMetadata script into an additional daemon which could interact with the LL::NG instance?
Need some help?
3.0.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2748
Fix UTF-8 encoding/decoding
2024-03-06T08:07:42Z
Maxime Besson
Creating a global issue for all encoding bugs we intend to fix in 3.0:
> In order to fully solve this issue, and the one affecting the other backends, I think LLNG should decode() UTF-8 values received by PSGI into proper Unicode strings, and encode() them before sending the response, this seems to be how PSGI is supposed to work:
>
> https://metacpan.org/pod/release/MIYAGAWA/PSGI-1.10/PSGI/FAQ.pod#I-want-to-send-Unicode-content-in-the-HTTP-response.-How-can-I-do-so
>
> But there are many places in the code where this will have to be done for it to have a globally positive impact on encoding issues. As long as it's not done everywhere, it will only appear to break things
We need to handle properly encoded UTF-8 strings (UTF-8 data + UTF-8 Perl flag) in all LLNG methods, and only convert them to latin-1 when doing the PSGI render. Most modules (LDAP/DBI/JSON...) behave correctly when handed correct UTF-8 strings.
This requires a lot of refactoring and will break compatibility with saved conf/sessions. A migration step will be required when migrating to 3.0.
3.0.0
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2747
Incorrect handling of custom schemes when auto-setting CSP form-action
2023-01-10T17:04:57Z
Bipul Bhattarai
I have another issue with a mobile application (iOS): while submitting the form I get "Refused to load fr.test.software.m.prd:///oauth2redirect?session_state=qvIiRZWEPp8JbyH665Q94uAY54jGBaT5gdwoa3HBjHI%3D.RUh1M3FZa3NNYmUzdzQyVldCVmxaamNDK3RKYVpzUmlIMTNwTEpaRzNpQ1Q5Wm96VzFxdlRQbnp6WDVXelNZa0VXVkRteVNrcVhISVFjeUw4cDdrYmhtaVhrVnZVVG14S0F1em5EUlFsOU09&state=7jPhuLwZjeXuHt0rH8EDbdF0nAW7LKkNTg3MI7UIg7Q&code=6847ad06fa56984ee3f74a8c59eccc0f# because it does not appear in the form-action directive of the Content Security Policy". I changed the security policy to `*` for all, still the same error. But if I refresh the browser it works; it is only the first time that I am not able to log in. Can you help me with this please? Thank you
3.0.0
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2705
uwsgi breaks special characters display on portal
2023-07-27T09:50:11Z
Albert Rinceau
Hi,
with llng 2.0.13
I recently moved from llng-fastcgi-server to uWSGI, but all special characters are not encoded anymore at display time on the portal.
For example, ã gives é with uWSGI, but is well displayed with llng-fastcgi-server.
I tried to write it directly into the tpl files instead of the translation JSON file, but the final result is the same in both cases.
EDIT: As a workaround, using HTML entities in the translation JSON file seems to work (like replacing every 'è' by `&egrave;`).
3.0.0
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2699
configuration restore from json handles \u escape sequence incorrectly
2022-05-02T15:10:23Z
Benjamin Demarteau
### Concerned version
Version: 2.0.13-2.el8
Platform: httpd (Apache)
### Summary
We update the config from an Ansible playbook by saving the config, patching it and loading it back. When we add values with UTF-8 characters, the next save shows garbled data.
### Logs
Nothing relevant
### Backends used
LDAP backend using OpenLDAP 2.4.46-18.el8.
### Possible fixes
Not sure where the characters get garbled; they are fine in LDAP:
![image](/uploads/763e428e9ae8fa70a0bd0664ec6340ae/image.png)
The cache contains valid UTF-8:
```
00003b00 79 2c 52 61 64 69 75 73 00 00 00 00 0b 61 76 61 |y,Radius.....ava|
00003b10 69 6c 61 62 6c 65 32 46 04 03 00 00 00 04 04 03 |ilable2F........|
00003b20 00 00 00 02 17 13 49 6e 74 c3 a9 72 c3 aa 74 20 |......Int..r..t |
00003b30 47 c3 a9 6e c3 a9 72 61 6c 00 00 00 07 63 61 74 |G..n..ral....cat|
00003b40 6e 61 6d 65 0a 08 63 61 74 65 67 6f 72 79 00 00 |name..category..|
00003b50 00 04 74 79 70 65 00 00 00 08 30 30 30 31 2d 63 |..type....0001-c|
00003b60 61 74 04 03 00 00 00 05 0a 13 53 61 6d 70 6c 65 |at........Sample|
00003b70 20 61 70 70 6c 69 63 61 74 69 6f 6e 73 00 00 00 | applications...|
00003b80 07 63 61 74 6e 61 6d 65 08 8b 00 00 00 05 6f 72 |.catname......or|
```
The server responds with `Content-Type: application/json; charset=utf-8`, but clearly it is not:
![image](/uploads/1bbcc87f0dc59cd7fcd23f9bea4b1b01/image.png)
3.0.0
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2688
Tune LLNG to allow for lack of mod_perl
2022-02-24T09:32:27Z
Xavier Bachelot
mod_perl may not be available in EL9.
See https://bugzilla.redhat.com/show_bug.cgi?id=2030601
Currently, it seems there's no clean way to build LLNG w/o mod_perl.
I tested a build of LLNG w/o the BuildRequires provided by mod_perl (APR::Table; Apache2::*), but I still get Requires on mod_perl.
Specifically:
- perl-Lemonldap-NG-Handler package requires
```
perl(APR::Table)
perl(Apache2::Connection)
perl(Apache2::Const)
perl(Apache2::Filter)
perl(Apache2::Log)
perl(Apache2::RequestIO)
perl(Apache2::RequestRec)
perl(Apache2::RequestUtil)
perl(Apache2::ServerUtil)
```
- perl-Lemonldap-NG-Common package requires
```
perl(Apache2::ServerRec)
```
3.0.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2642
Changing `timeout` can have temporary unintended consequences for other timeouts, I think
2021-10-15T18:13:30Z
David Mandelberg
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/blob/0a17936a397e2ce84d2cf95c29552997798010d9/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm#L972 looks like it relies on a cleanup job using the main `timeout` to invalidate authorization codes, access tokens, and refresh tokens. That means that if an admin increases the value of `timeout`, it would also cause any of those other things that were valid before the increase to stay valid longer than they should, right? For a refresh token, that seems fine, but for an authorization code, that could extend it from 60 seconds to much longer. (After looking at the code, I found https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1879#note_48192 which mentions how the code appears to work now, but not this issue with accidentally increasing the timeout for things that should have short timeouts. Also, I haven't tested this so I might be wrong, I'm just guessing at the behavior from looking at the code.)
3.0.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2640
multiValuesSeparator is trimmed when set in manager
2022-05-02T19:20:15Z
Maxime Besson
### Concerned version
Version: 2.0.13
### Summary
* Set General param > advanced > separator to `, ` (with space) in manager
* using lmConfigEditor or something else, see that the value actually stored is `,` (no space)
3.0.0
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2636
Renew session is looping when using SAML auth on OP.
2022-06-17T07:58:48Z
Albert Rinceau
### Concerned version
Version: 2.0.11
Platform: docker image
UserDB OIDC/SAMLv2/Demo
### Summary
It asks me to renew the session in a loop when I use the SAML module to do so.
I have 3 LLNG SSOs.
The first, SSO1, is an OIDC RP connected with the second.
The second, SSO2, is an OIDC OP and a SAML SP in relationship with the third.
The third, SSO3, is a SAML IDP.
|SSO1| | |SSO2| | |SSO3|
|--|--|--|--|--|--|--|
|RP|<->|OIDC|<->|SAML|<->|IDP|
SSO2 proposes login/pwd or SAML as choices to authenticate.
I want to force SAML authentication if a user wants to use the OIDC RP.
In order to do that, I force a renewal of the OIDC session. I set prompt=login in my 1st SSO configuration. And on SSO2 I force SAML only if the URL is authorize or renewsession.
In order to reproduce:
- I logged in on SSO2 with login/pwd or SAML (can reproduce with both). I did the same on SSO3.
- I go to SSO1.
- I authenticate with OIDC from SSO1.
- I'm redirected to the 2nd SSO, which asks me to renew my session (because I'm already connected). I agree.
- Then I choose SAML as the auth module to renew my session. I'm redirected by SAML to SSO3, I'm already logged in, then I'm redirected back to SSO2.
- SSO2 asks me again to renew my session.
- If I agree again and choose SAML again, I have the SAML exchange with SSO3, then I come back to SSO2 with the same message asking to renew the session...
- Apparently, whether I logged in by login/pwd or SAML on SSO2, renewing the session with SAML does not work. If I renew the session with login/pwd then it works.
I also tried using upgrade session and auth level, asking for level 4 to use the OIDC RP and trying to level up the user by using the SAML module. Same result: SSO2 asks me in a loop to upgrade my session.
### Logs
From SSO2, from when I click on "Connect" on SSO1 until the 2nd loop on the renew session page.
```
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Check configuration for Lemonldap::NG::Handler::PSGI::Main
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Get configuration 19.
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Lemonldap::NG::Handler::PSGI::Main: configuration is up to date
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Get session 283245a8eecd6364d54d52696d76cd33a517dfcc0a167432f82a9c8453d92eec from Handler::Main::Run
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Check session validity from Handler
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Session timeout -> 72000
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Session _utime -> 1633709493
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] now -> 1633710038
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Session timeoutActivityInterval -> 60
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Session TTL = 71455
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] No URL authentication level found...
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] auth.fournisseur.intermediaire: Apply default rule
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] removing cookie
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Cookies -> llnglanguage=fr; lemonldap=283245a8eecd6364d54d52696d76cd33a517dfcc0a167432f82a9c8453d92eec; lemonldappdata=%7B%22issuerRequestoauth2%22%3A%221633638008_5455%22%2C%22issuerTs%22%3A1633709888%2C%22targetAuthnLevel%22%3A1%2C%22_choice%22%3A%22SAML%22%2C%22keepPdata%22%3A%5B%22issuerRequestoauth2%22%2C%22issuerRequestoauth2Path%22%5D%7D
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] CookieName -> lemonldap
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] newCookies -> llnglanguage=fr; lemonldappdata=%7B%22issuerRequestoauth2%22%3A%221633638008_5455%22%2C%22issuerTs%22%3A1633709888%2C%22targetAuthnLevel%22%3A1%2C%22_choice%22%3A%22SAML%22%2C%22keepPdata%22%3A%5B%22issuerRequestoauth2%22%2C%22issuerRequestoauth2Path%22%5D%7D
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] User dwho was granted to access to /oauth2/authorize/?lmAuth=SAML&response_type=code&client_id=fournisseur-services&scope=openid+profile&redirect_uri=http%3A%2F%2Fauth.fournisseur.services%2F%3Fopenidconnectcallback%3D1&state=1633710038_41074&nonce=1633710038_10010&display=&prompt=login
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Start routing oauth2
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Processing _forAuthUser
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Restoring request to oauth2 issuer
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Trying to load token 1633638008_5455
[Fri Oct 8 16:20:38 2021] [LLNG:82] [notice] Bad (or expired) token 1633638008_5455
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Cleaning pdata
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Removing issuerRequestoauth2 key from pdata
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Removing issuerRequestoauth2Path from keepPdata
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Processing importHandlerData
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Processing controlUrl
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Processing code ref
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Launching ::Auth::Choice::_forAuthUser
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Processing code ref
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Launching ::UserDB::Choice::_forAuthUser
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Processing code ref
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Launching ::Password::Demo::_modifyPassword
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Processing code ref
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Searching for previously registered Relying Parties...
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Convert Relying Party Consent(s)...
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] 0 consent(s) converted
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] URL detected as an OpenID Connect AUTHORIZE URL
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] OIDC request parameter response_type: code
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Store code in hidden key response_type
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] OIDC request parameter scope: openid profile
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Store openid profile in hidden key scope
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] OIDC request parameter client_id: fournisseur-services
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Store fournisseur-services in hidden key client_id
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] OIDC request parameter state: 1633710038_41074
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Store 1633710038_41074 in hidden key state
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] OIDC request parameter redirect_uri: http://auth.fournisseur.services/?openidconnectcallback=1
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Store http://auth.fournisseur.services/?openidconnectcallback=1 in hidden key redirect_uri
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] OIDC request parameter nonce: 1633710038_10010
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Store 1633710038_10010 in hidden key nonce
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] OIDC request parameter prompt: login
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Store login in hidden key prompt
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Calling hook oidcGotRequest
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] OIDC authorizationcode flow requested (response type: code)
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Request from client id fournisseur-services
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Client id fournisseur-services matches RP fournisseur-services
[Fri Oct 8 16:20:38 2021] [LLNG:82] [notice] User dwho is authorized to access to fournisseur-services
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] [notice] User dwho is authorized to access to fournisseur-services
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Reauthentication required by Relying Party in prompt parameter
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Store issuer request
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Token 1633638158_38682 created
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Returned error: 85 (PE_RENEWSESSION)
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Skin returned: upgradesession
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Calling sendHtml with template upgradesession
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/bootstrap/upgradesession.tpl
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Sending /usr/share/lemonldap-ng/portal/templates/bootstrap/upgradesession.tpl
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Apply following CORS policy :
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Access-Control-Allow-Origin
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] *
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Access-Control-Allow-Credentials
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] true
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Access-Control-Allow-Headers
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] *
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Access-Control-Allow-Methods
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] POST,GET
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Access-Control-Expose-Headers
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] *
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Access-Control-Max-Age
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] 86400
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Required Params URL : aHR0cDovL2F1dGguZm91cm5pc3NldXIuaW50ZXJtZWRpYWlyZS8vb2F1dGgyL2F1dGhvcml6ZS8=
[Fri Oct 8 16:20:38 2021] [LLNG:82] [debug] Apply following CSP : default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';script-src 'self';form-action *;frame-ancestors 'none';
172.17.0.5 - - [08/Oct/2021:16:20:38 +0000] "GET /oauth2/authorize/?lmAuth=SAML&response_type=code&client_id=fournisseur-services&scope=openid+profile&redirect_uri=http%3A%2F%2Fauth.fournisseur.services%2F%3Fopenidconnectcallback%3D1&state=1633710038_41074&nonce=1633710038_10010&display=&prompt=login HTTP/1.1" 200 1812 "http://auth.fournisseur.services/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0"
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] Check configuration for Lemonldap::NG::Handler::PSGI::Main
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] Get configuration from cache without verification.
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] Lemonldap::NG::Handler::PSGI::Main: configuration is up to date
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] Get session 283245a8eecd6364d54d52696d76cd33a517dfcc0a167432f82a9c8453d92eec from Handler::Main::Run
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] Check session validity from Handler
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] Session timeout -> 72000
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] Session _utime -> 1633709493
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] now -> 1633710062
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] Session timeoutActivityInterval -> 60
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] Session TTL = 71431
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] No URL authentication level found...
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] auth.fournisseur.intermediaire: Apply default rule
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] removing cookie
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] Cookies -> llnglanguage=fr; lemonldap=283245a8eecd6364d54d52696d76cd33a517dfcc0a167432f82a9c8453d92eec; lemonldappdata=%7B%22issuerTs%22%3A1633710038%2C%22keepPdata%22%3A%5B%22issuerRequestoauth2%22%2C%22issuerRequestoauth2Path%22%5D%2C%22_choice%22%3A%22SAML%22%2C%22targetAuthnLevel%22%3A1%2C%22issuerRequestoauth2%22%3A%221633638158_38682%22%7D
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] CookieName -> lemonldap
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] newCookies -> llnglanguage=fr; lemonldappdata=%7B%22issuerTs%22%3A1633710038%2C%22keepPdata%22%3A%5B%22issuerRequestoauth2%22%2C%22issuerRequestoauth2Path%22%5D%2C%22_choice%22%3A%22SAML%22%2C%22targetAuthnLevel%22%3A1%2C%22issuerRequestoauth2%22%3A%221633638158_38682%22%7D
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] User dwho was granted to access to /renewsession
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] Start routing renewsession
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] Processing controlUrl
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] Confirm parameter accepted 1
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] Required URL (param: urldc | value: http://auth.fournisseur.intermediaire//oauth2/authorize/ | alias: http://auth.fournisseur.intermediaire)
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] No URL authentication level found...
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] Module Lemonldap::NG::Portal::Lib::OneTimeToken loaded
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] Token 1633638182_62152 created
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] Store 1633638182_62152 in hidden key upgrading
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] Processing checkUnauthLogout
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] Processing controlUrl
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] Required URL (param: urldc | value: http://auth.fournisseur.intermediaire//oauth2/authorize/ | alias: http://auth.fournisseur.intermediaire)
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] No URL authentication level found...
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] Processing code ref
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] Processing code ref
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] Launching ::Issuer::OpenIDConnect::exportRequestParameters
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] Processing extractFormInfo
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] Choice SAML selected from pdata
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] No IDP selected
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] Selecting the only defined SAML IDP: http://auth.fournisseur.identites/saml/metadata
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] http://auth.fournisseur.identites/saml/metadata match fournisseur-identites-saml IDP in configuration
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] Use method REDIRECT with IDP fournisseur-identites-saml for SSO profile
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] Set 97b43b5ce7d439ab21390fba5eccfa42fbd9ece31f97aa64a5d754d44b2056b4 in RelayState
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] Do not allow this request to be proxied
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] SSO request signature according to metadata
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] Request urn:oasis:names:tc:SAML:2.0:ac:classes:Password context
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] Authentication request created
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] Keep request ID _C7A79E27998A9E848BB78ECBBF1A4CE8 in assertion session ffde38e4127c9353476b220536d8d31f4b6ad57a4012f132fdf88c56d286e62f
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] Redirect user to http://auth.fournisseur.identites/saml/singleSignOn?SAMLRequest=fVNdj9owEPwrkd8hCTqVYEGkEDgJqR%2BIq%2FrQl8qKl7uV%2FJF6Nz3u39cJOUrb4x49u%2BOdmbWXpKxpZdXxkzvAzw6Ik5M1juRQWIkuOOkVIUmnLJDkRj5Unz7K2TSTbfDsG2%2FEFeV9hiKCwOidSHablfhRz6v5YjubLxZFtdgWd8V6PS%2B29Xp9n1d39bYQyTcIFPtXItIjiaiDnSNWjiOUzfJJnk2y4mv%2BQc5ymc2%2Bi2QTPaBTPLCemFuZpir6mx59lIZRQRemqMExMlDai04J3aOBB3x0X6K0ex8aGCJZiaMyBP3gfdSOv%2BAVKZc9UQ6CQnlzjGMIFjQqDHAeZYGVVqyW6fUFy%2FMePsfEdpu9N9i89DKs4tuB5tN8QFBPjkOrBKvQVFoHIBJJZYx%2FrgMojqo5dCDSUXXtncY%2BIBqBffCnl0MMLmDT4yNcdRrBNXDb398x%2FuPtQn%2Bd2jkus7F4Po2H%2F%2Benbwpt5fhIQQ%2F7iXWGEye1t60KSP3KLTq0nRUXD3%2F6ahOXeIBj%2Be4bbWTT90W43%2FmzD%2Fri542rzrUbwi7V6w9W%2FgY%3D&RelayState=97b43b5ce7d439ab21390fba5eccfa42fbd9ece31f97aa64a5d754d44b2056b4&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=BxxVE1MqP0yGjTtmeXlz6CJgOkAHVMMOj%2FmOGNlzLMyDXasT4NJFtvikC%2BFxJiB4ysO3dJa7R%2FnqfqkmndjXAwJJ6SgNwdIGErlq7uxIL1WlwlObvUVZfhsQZENQ73mYFY8WQp1VXk%2Fn2YoGKd1oibSZMQ9g9czxj4qVYuzSdJZR%2FeVPnmArK9kT%2B4c4RnSfi2E0a7JOxUEe%2Fy6u4E%2B49FnyinyLREUEd%2BpMQFD58rbS5UPQkSk9JJdZcW8is25Yl5QcnPghCdGF2c%2Fb4pIut1uUSm47LC0ni15a4P6CxcXgUXcpA9lEciGAcGP4KprZpMxVdVQADl46f23R3JVFmw%3D%3D
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] Returned status: -2 (PE_REDIRECT)
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] Calling autoredirect
[Fri Oct 8 16:21:02 2021] [LLNG:84] [debug] Building redirection to http://auth.fournisseur.identites/saml/singleSignOn?SAMLRequest=fVNdj9owEPwrkd8hCTqVYEGkEDgJqR%2BIq%2FrQl8qKl7uV%2FJF6Nz3u39cJOUrb4x49u%2BOdmbWXpKxpZdXxkzvAzw6Ik5M1juRQWIkuOOkVIUmnLJDkRj5Unz7K2TSTbfDsG2%2FEFeV9hiKCwOidSHablfhRz6v5YjubLxZFtdgWd8V6PS%2B29Xp9n1d39bYQyTcIFPtXItIjiaiDnSNWjiOUzfJJnk2y4mv%2BQc5ymc2%2Bi2QTPaBTPLCemFuZpir6mx59lIZRQRemqMExMlDai04J3aOBB3x0X6K0ex8aGCJZiaMyBP3gfdSOv%2BAVKZc9UQ6CQnlzjGMIFjQqDHAeZYGVVqyW6fUFy%2FMePsfEdpu9N9i89DKs4tuB5tN8QFBPjkOrBKvQVFoHIBJJZYx%2FrgMojqo5dCDSUXXtncY%2BIBqBffCnl0MMLmDT4yNcdRrBNXDb398x%2FuPtQn%2Bd2jkus7F4Po2H%2F%2Benbwpt5fhIQQ%2F7iXWGEye1t60KSP3KLTq0nRUXD3%2F6ahOXeIBj%2Be4bbWTT90W43%2FmzD%2Fri542rzrUbwi7V6w9W%2FgY%3D&RelayState=97b43b5ce7d439ab21390fba5eccfa42fbd9ece31f97aa64a5d754d44b2056b4&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=BxxVE1MqP0yGjTtmeXlz6CJgOkAHVMMOj%2FmOGNlzLMyDXasT4NJFtvikC%2BFxJiB4ysO3dJa7R%2FnqfqkmndjXAwJJ6SgNwdIGErlq7uxIL1WlwlObvUVZfhsQZENQ73mYFY8WQp1VXk%2Fn2YoGKd1oibSZMQ9g9czxj4qVYuzSdJZR%2FeVPnmArK9kT%2B4c4RnSfi2E0a7JOxUEe%2Fy6u4E%2B49FnyinyLREUEd%2BpMQFD58rbS5UPQkSk9JJdZcW8is25Yl5QcnPghCdGF2c%2Fb4pIut1uUSm47LC0ni15a4P6CxcXgUXcpA9lEciGAcGP4KprZpMxVdVQADl46f23R3JVFmw%3D%3D
172.17.0.5 - - [08/Oct/2021:16:21:02 +0000] "POST /renewsession HTTP/1.1" 302 5 "http://auth.fournisseur.intermediaire/oauth2/authorize/?lmAuth=SAML&response_type=code&client_id=fournisseur-services&scope=openid+profile&redirect_uri=http%3A%2F%2Fauth.fournisseur.services%2F%3Fopenidconnectcallback%3D1&state=1633710038_41074&nonce=1633710038_10010&display=&prompt=login" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0"
[Fri Oct 8 16:21:07 2021] [LLNG:86] [debug] Check configuration for Lemonldap::NG::Handler::PSGI::Main
[Fri Oct 8 16:21:07 2021] [LLNG:86] [debug] Get configuration from cache without verification.
[Fri Oct 8 16:21:07 2021] [LLNG:86] [debug] Lemonldap::NG::Handler::PSGI::Main: configuration is up to date
[Fri Oct 8 16:21:07 2021] [LLNG:86] [debug] Get session 283245a8eecd6364d54d52696d76cd33a517dfcc0a167432f82a9c8453d92eec from Handler::Main::Run
[Fri Oct 8 16:21:07 2021] [LLNG:86] [debug] Check session validity from Handler
[Fri Oct 8 16:21:07 2021] [LLNG:86] [debug] Session timeout -> 72000
[Fri Oct 8 16:21:07 2021] [LLNG:86] [debug] Session _utime -> 1633709493
[Fri Oct 8 16:21:07 2021] [LLNG:86] [debug] now -> 1633710067
[Fri Oct 8 16:21:07 2021] [LLNG:86] [debug] Session timeoutActivityInterval -> 60
[Fri Oct 8 16:21:07 2021] [LLNG:86] [debug] Session TTL = 71426
[Fri Oct 8 16:21:07 2021] [LLNG:86] [debug] No URL authentication level found...
[Fri Oct 8 16:21:07 2021] [LLNG:86] [debug] auth.fournisseur.intermediaire: Apply default rule
[Fri Oct 8 16:21:07 2021] [LLNG:86] [debug] removing cookie
[Fri Oct 8 16:21:07 2021] [LLNG:86] [debug] Cookies -> llnglanguage=fr; lemonldap=283245a8eecd6364d54d52696d76cd33a517dfcc0a167432f82a9c8453d92eec; lemonldappdata=%7B%22issuerRequestoauth2%22%3A%221633638158_38682%22%2C%22_url%22%3A%22aHR0cDovL2F1dGguZm91cm5pc3NldXIuaW50ZXJtZWRpYWlyZS8vb2F1dGgyL2F1dGhvcml6ZS8%3D%22%2C%22issuerTs%22%3A1633710038%2C%22targetAuthnLevel%22%3A1%2C%22keepPdata%22%3A%5B%22issuerRequestoauth2%22%2C%22issuerRequestoauth2Path%22%5D%2C%22_choice%22%3A%22SAML%22%7D
[Fri Oct 8 16:21:07 2021] [LLNG:86] [debug] CookieName -> lemonldap
[Fri Oct 8 16:21:07 2021] [LLNG:86] [debug] newCookies -> llnglanguage=fr; lemonldappdata=%7B%22issuerRequestoauth2%22%3A%221633638158_38682%22%2C%22_url%22%3A%22aHR0cDovL2F1dGguZm91cm5pc3NldXIuaW50ZXJtZWRpYWlyZS8vb2F1dGgyL2F1dGhvcml6ZS8%3D%22%2C%22issuerTs%22%3A1633710038%2C%22targetAuthnLevel%22%3A1%2C%22keepPdata%22%3A%5B%22issuerRequestoauth2%22%2C%22issuerRequestoauth2Path%22%5D%2C%22_choice%22%3A%22SAML%22%7D
[Fri Oct 8 16:21:07 2021] [LLNG:86] [debug] User dwho was granted to access to /saml/proxySingleSignOnPost
[Fri Oct 8 16:21:07 2021] [LLNG:86] [debug] Start routing saml
[Fri Oct 8 16:21:07 2021] [LLNG:86] [debug] Processing importHandlerData
[Fri Oct 8 16:21:07 2021] [LLNG:86] [debug] Processing restoreArgs
[Fri Oct 8 16:21:07 2021] [LLNG:86] [debug] Processing controlUrl
[Fri Oct 8 16:21:07 2021] [LLNG:86] [debug] Required URL (param: urldc | value: http://auth.fournisseur.intermediaire//oauth2/authorize/ | alias: http://auth.fournisseur.intermediaire)
[Fri Oct 8 16:21:07 2021] [LLNG:86] [debug] No URL authentication level found...
[Fri Oct 8 16:21:07 2021] [LLNG:86] [debug] Processing checkLogout
[Fri Oct 8 16:21:07 2021] [LLNG:86] [debug] Processing code ref
[Fri Oct 8 16:21:07 2021] [LLNG:86] [debug] Launching ::Auth::Choice::_forAuthUser
[Fri Oct 8 16:21:07 2021] [LLNG:86] [debug] Processing code ref
[Fri Oct 8 16:21:07 2021] [LLNG:86] [debug] Launching ::UserDB::Choice::_forAuthUser
[Fri Oct 8 16:21:07 2021] [LLNG:86] [debug] Processing code ref
[Fri Oct 8 16:21:07 2021] [LLNG:86] [debug] Launching ::Password::Demo::_modifyPassword
[Fri Oct 8 16:21:07 2021] [LLNG:86] [debug] Calling autoredirect
[Fri Oct 8 16:21:07 2021] [LLNG:86] [debug] Building redirection to http://auth.fournisseur.intermediaire//oauth2/authorize/
[Fri Oct 8 16:21:07 2021] [LLNG:86] [info] Force cleaning pdata
172.17.0.5 - - [08/Oct/2021:16:21:07 +0000] "POST /saml/proxySingleSignOnPost HTTP/1.1" 302 5 "http://auth.fournisseur.identites/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0"
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Check configuration for Lemonldap::NG::Handler::PSGI::Main
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Get configuration from cache without verification.
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Lemonldap::NG::Handler::PSGI::Main: configuration is up to date
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Get session 283245a8eecd6364d54d52696d76cd33a517dfcc0a167432f82a9c8453d92eec from Handler::Main::Run
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Check session validity from Handler
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Session timeout -> 72000
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Session _utime -> 1633709493
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] now -> 1633710067
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Session timeoutActivityInterval -> 60
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Session TTL = 71426
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] No URL authentication level found...
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] auth.fournisseur.intermediaire: Apply default rule
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] removing cookie
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Cookies -> llnglanguage=fr; lemonldap=283245a8eecd6364d54d52696d76cd33a517dfcc0a167432f82a9c8453d92eec; lemonldappdata=%7B%22issuerTs%22%3A1633710038%2C%22keepPdata%22%3A%5B%22issuerRequestoauth2%22%2C%22issuerRequestoauth2Path%22%5D%2C%22issuerRequestoauth2%22%3A%221633638158_38682%22%2C%22_choice%22%3A%22SAML%22%2C%22targetAuthnLevel%22%3A1%7D
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] CookieName -> lemonldap
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] newCookies -> llnglanguage=fr; lemonldappdata=%7B%22issuerTs%22%3A1633710038%2C%22keepPdata%22%3A%5B%22issuerRequestoauth2%22%2C%22issuerRequestoauth2Path%22%5D%2C%22issuerRequestoauth2%22%3A%221633638158_38682%22%2C%22_choice%22%3A%22SAML%22%2C%22targetAuthnLevel%22%3A1%7D
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] User dwho was granted to access to /oauth2/authorize/
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Start routing oauth2
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Processing _forAuthUser
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restoring request to oauth2 issuer
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Module Lemonldap::NG::Portal::Lib::OneTimeToken loaded
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Trying to load token 1633638158_38682
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restoring request from 1633638158_38682
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore DOCUMENT_URI /index.psgi/oauth2/authorize/
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore psgix.cleanup 1
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore psgi.multithread
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore HTTP_X_FORWARDED_SSL off
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore HTTP_ACCEPT_ENCODING gzip, deflate
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore psgi.multiprocess 1
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore ipAddr 172.17.0.5
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore REQUEST_METHOD GET
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore GATEWAY_INTERFACE CGI/1.1
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore REQUEST_SCHEME http
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore plack.cookie.string llnglanguage=fr; lemonldappdata=%7B%22issuerRequestoauth2%22%3A%221633638008_5455%22%2C%22issuerTs%22%3A1633709888%2C%22targetAuthnLevel%22%3A1%2C%22_choice%22%3A%22SAML%22%2C%22keepPdata%22%3A%5B%22issuerRequestoauth2%22%2C%22issuerRequestoauth2Path%22%5D%7D
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore REQUEST_URI /oauth2/authorize/?lmAuth=SAML&response_type=code&client_id=fournisseur-services&scope=openid+profile&redirect_uri=http%3A%2F%2Fauth.fournisseur.services%2F%3Fopenidconnectcallback%3D1&state=1633710038_41074&nonce=1633710038_10010&display=&prompt=login
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore tokenSessionStartTimestamp 1633710038
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore SERVER_ADDR 172.17.0.2
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore SERVER_SOFTWARE nginx/1.14.2
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore HTTP_X_REAL_IP 172.17.0.1
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore DOCUMENT_ROOT /usr/share/lemonldap-ng/portal/htdocs
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore HTTP_SEC_GPC 1
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore SCRIPT_FILENAME /usr/share/lemonldap-ng/portal/htdocs/index.psgi
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore HTTP_CONNECTION close
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore SERVER_PORT 80
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore HTTP_HOST auth.fournisseur.intermediaire
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore _utime 1633638158
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore REMOTE_PORT 60658
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore REMOTE_ADDR 172.17.0.5
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore psgi.nonblocking
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore HTTP_ACCEPT_LANGUAGE fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore SERVER_NAME auth.fournisseur.intermediaire
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore HTTP_X_FORWARDED_PORT 80
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore HTTP_DNT 1
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore HTTP_ACCEPT text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore SCRIPT_NAME /index.psgi
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore HTTP_USER_AGENT Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore PATH_INFO /oauth2/authorize/
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore REDIRECT_STATUS 200
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore HTTP_X_FORWARDED_FOR 172.17.0.1
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore HTTP_UPGRADE_INSECURE_REQUESTS 1
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore psgi.run_once
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore HTTP_REFERER http://auth.fournisseur.services/
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore _type token
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore psgi.url_scheme http
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore QUERY_STRING lmAuth=SAML&response_type=code&client_id=fournisseur-services&scope=openid+profile&redirect_uri=http%3A%2F%2Fauth.fournisseur.services%2F%3Fopenidconnectcallback%3D1&state=1633710038_41074&nonce=1633710038_10010&display=&prompt=login
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore FCGI_ROLE RESPONDER
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore psgi.streaming 1
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore SERVER_PROTOCOL HTTP/1.1
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore tokenTimeoutTimestamp 1633710158
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore HTTP_COOKIE llnglanguage=fr; lemonldappdata=%7B%22issuerRequestoauth2%22%3A%221633638008_5455%22%2C%22issuerTs%22%3A1633709888%2C%22targetAuthnLevel%22%3A1%2C%22_choice%22%3A%22SAML%22%2C%22keepPdata%22%3A%5B%22issuerRequestoauth2%22%2C%22issuerRequestoauth2Path%22%5D%7D
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore HTTP_X_FORWARDED_PROTO http
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore LLTYPE psgi
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Restore psgix.harakiri 1
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Cleaning pdata
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Removing issuerRequestoauth2 key from pdata
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Removing issuerRequestoauth2Path from keepPdata
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Processing importHandlerData
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Processing controlUrl
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Processing code ref
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Launching ::Auth::Choice::_forAuthUser
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Processing code ref
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Launching ::UserDB::Choice::_forAuthUser
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Processing code ref
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Launching ::Password::Demo::_modifyPassword
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Processing code ref
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Searching for previously registered Relying Parties...
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Convert Relying Party Consent(s)...
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] 0 consent(s) converted
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] URL detected as an OpenID Connect AUTHORIZE URL
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] OIDC request parameter response_type: code
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Store code in hidden key response_type
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] OIDC request parameter scope: openid profile
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Store openid profile in hidden key scope
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] OIDC request parameter client_id: fournisseur-services
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Store fournisseur-services in hidden key client_id
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] OIDC request parameter state: 1633710038_41074
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Store 1633710038_41074 in hidden key state
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] OIDC request parameter redirect_uri: http://auth.fournisseur.services/?openidconnectcallback=1
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Store http://auth.fournisseur.services/?openidconnectcallback=1 in hidden key redirect_uri
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] OIDC request parameter nonce: 1633710038_10010
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Store 1633710038_10010 in hidden key nonce
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] OIDC request parameter prompt: login
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Store login in hidden key prompt
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Calling hook oidcGotRequest
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] OIDC authorizationcode flow requested (response type: code)
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Request from client id fournisseur-services
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Client id fournisseur-services matches RP fournisseur-services
[Fri Oct 8 16:21:07 2021] [LLNG:85] [notice] User dwho is authorized to access to fournisseur-services
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] [notice] User dwho is authorized to access to fournisseur-services
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Reauthentication required by Relying Party in prompt parameter
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Store issuer request
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Token 1633638187_10781 created
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Returned error: 85 (PE_RENEWSESSION)
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Skin returned: upgradesession
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Calling sendHtml with template upgradesession
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/bootstrap/upgradesession.tpl
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Sending /usr/share/lemonldap-ng/portal/templates/bootstrap/upgradesession.tpl
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Apply following CORS policy :
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Access-Control-Allow-Origin
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] *
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Access-Control-Allow-Credentials
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] true
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Access-Control-Allow-Headers
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] *
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Access-Control-Allow-Methods
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] POST,GET
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Access-Control-Expose-Headers
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] *
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Access-Control-Max-Age
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] 86400
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Required Params URL : aHR0cDovL2F1dGguZm91cm5pc3NldXIuaW50ZXJtZWRpYWlyZS8vb2F1dGgyL2F1dGhvcml6ZS8=
[Fri Oct 8 16:21:07 2021] [LLNG:85] [debug] Apply following CSP : default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';script-src 'self';form-action *;frame-ancestors 'none';
172.17.0.5 - - [08/Oct/2021:16:21:07 +0000] "GET //oauth2/authorize/ HTTP/1.1" 200 1809 "http://auth.fournisseur.identites/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0"
172.17.0.5 - - [08/Oct/2021:16:21:09 +0000] "GET /static/common/favicon.ico HTTP/1.1" 200 99678 "http://auth.fournisseur.intermediaire//oauth2/authorize/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0"
```
### Backends used
Auth/userDB:
OIDC/OIDC on SSO1
SAML/Demo (also tried with SAML/SAML) or Demo/Demo on SSO2
Demo/Demo on SSO3
3.0.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2633
Add graceful reload to llng-fastcgi-server
2022-01-14T16:27:46Z
Maxime Besson
### Summary
We should add a hot-reload feature to llng-fastcgi-server for users who don't want to install uwsgi
### Design proposition
Not easy to do: plackup -s FCGI does not gracefully stop, so Server::Starter can't help us
3.0.0
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2630
2021-10-05T14:07:51Z
Clément J
Alert for SQL Injection in URL : manager.fcgi/notifications/actives?groupBy=substr(uid,1)
### Summary
I wish that another word would be used to filter notification's display behavior
### Design proposition
The actual design triggers URL protection. We have alerts about potential SQL injection because of the used semantic.
I've taken a look at the code and it seems to be safely handled. But I'm no Perl expert.
Still, automated inspections are not happy with it.
And it's a little scary to see SQL keywords as URL parameters.
Maybe you could wrap those as simple parameters:
sort=(group|order)&sort_parameter=uid&length=1
Regards,
Clément
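As an added example (written for this page, not code from LemonLDAP::NG), here is how the neutral parameter vocabulary proposed above can be accepted alongside the existing `groupBy=substr(uid,1)` form while the grouping itself stays in application code: the value is matched against a strict grammar and a field allowlist, and nothing from the request is ever placed in a query. The notification records and their field names are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample of active notifications; the field names are an
# assumption for this example, not the manager's real schema.
SAMPLE_NOTIFICATIONS = [
    {"uid": "dwho", "reference": "n1", "date": "2021-10-01"},
    {"uid": "dwho", "reference": "n2", "date": "2021-10-02"},
    {"uid": "rtyler", "reference": "n3", "date": "2021-10-02"},
    {"uid": "msmith", "reference": "n4", "date": "2021-10-03"},
]

# Fields a caller may group on. Anything else is rejected, whatever syntax it
# arrives in, so the parameter can never select an unexpected attribute.
ALLOWED_FIELDS = frozenset({"uid", "date"})

# Legacy grammar: exactly `<field>` or `substr(<field>,<n>)`, nothing else.
# The anchors and narrow character classes mean a value such as
# `substr(uid,1) OR 1=1` simply does not match.
LEGACY_RE = re.compile(
    r"^(?:(?P<field>[a-z_]+)|substr\((?P<sfield>[a-z_]+),(?P<len>[1-9]\d?)\))$"
)


def parse_group_spec(query_string):
    """Return (field, length) from either the legacy `groupBy=` form or the
    neutral `sort=group&sort_parameter=<field>&length=<n>` form proposed in
    the issue. `length` is None when no prefix truncation was requested.
    Raises ValueError on anything outside the allowlist."""
    params = parse_qs(query_string, keep_blank_values=True)

    def one(name):
        values = params.get(name, [])
        if len(values) != 1:  # missing or repeated parameter: refuse
            raise ValueError(f"expected exactly one {name!r}")
        return values[0]

    if "groupBy" in params:
        m = LEGACY_RE.match(one("groupBy"))
        if not m:
            raise ValueError("malformed groupBy")
        field = m.group("field") or m.group("sfield")
        length = int(m.group("len")) if m.group("len") else None
    elif "sort" in params:
        if one("sort") != "group":  # only the grouping mode is handled here
            raise ValueError("unsupported sort mode")
        field = one("sort_parameter")
        raw_len = one("length") if "length" in params else None
        if raw_len is not None and not re.fullmatch(r"[1-9]\d?", raw_len):
            raise ValueError("malformed length")
        length = int(raw_len) if raw_len is not None else None
    else:
        raise ValueError("no grouping specification")

    if field not in ALLOWED_FIELDS:
        raise ValueError(f"field {field!r} not allowed")
    return field, length


def group_notifications(records, field, length=None):
    """Count notifications per group key. The key is computed in application
    code over already-fetched records, so the request parameters are never
    interpolated into a query."""
    def key(rec):
        value = str(rec.get(field, ""))
        return value[:length] if length else value
    return dict(Counter(key(r) for r in records))
```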
3.0.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2563
remove jquery-ui
2021-07-16T16:05:21Z
dcoutadeur dcoutadeur
### Summary
remove jquery-ui
### Design proposition
Bootstrap is providing the main features we need.
We should:
- analyse the implication of removing jquery-ui
- check for alternatives
- remove it if possible
For the record, jquery-ui is still used for "sortable", which is used to let users reorder categories in the menu.
3.0.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2559
Implement Biscuit tokens
2021-07-06T16:02:50Z
Clément OUDOT
Biscuit is an alternative to JWT and macaroons to pass user identity and permissions to an API.
See https://github.com/clevercloud/biscuit
We could then avoid passing the OIDC access token or ID token to third parties.
3.0.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2556
Unable to use second factor with Kerberos authentication
2021-07-01T21:32:27Z
Clément OUDOT
When using Kerberos and a second factor, the Kerberos authentication fails and the screen to enter the OTP is not shown.
Some logs:
```
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Build URL https://xxxx/?kerberos=1
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Redirect xxxx to portal (url was /?kerberos=1)
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] User not authenticated, Try in use, cancel redirection
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Start routing default route
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing checkUnauthLogout
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing controlUrl
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing code ref
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing code ref
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Launching ::Issuer::SAML::storeEnv
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing extractFormInfo
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Kerberos ticket received: xxxx
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Set KRB5_KTNAME env to FILE:/etc/lemonldap-ng/xxxx.KEYTAB
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing getUser
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing authenticate
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] -> authResult = 0
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing setAuthSessionInfo
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing setSessionInfo
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing setMacros
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing setGroups
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Searching LDAP groups in ou=groups,xxxx for uid=xxxx
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Group search filter: (&(objectClass=groupOfNames)(|(member=uid=xxxx)))
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing setPersistentSessionInfo
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Persistent session found for xxxx
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Restore persistent parameter _loginHistory
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Restore persistent parameter _updateTime
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing setLocalGroups
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing store
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Store xxxx
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Try to get a new SSO session
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Return SSO session d138efbfce3c39d3848060724d1d5443979be09b422914a9887b0cee4a6530e8
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Looking if ext2F is available
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] -> OK
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing secondFactor
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Looking if ext2F is available
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] -> OK
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [info] Second factor required for xxxx
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] [info] Second factor required for xxxx
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Module Lemonldap::NG::Portal::Lib::OneTimeToken loaded
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Token 1625083574_62763 created
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Generated ext2f code : 059908
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Module Lemonldap::NG::Portal::Lib::OneTimeToken loaded
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Launching "Send" external 2F command -> /usr/local/bin/send_sms.sh $mobile $code
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Executing command: /usr/local/bin/send_sms.sh xxxx 059908
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/avem/ext2fcheck.tpl
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Sending /usr/share/lemonldap-ng/portal/templates/avem/ext2fcheck.tpl
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Apply following CORS policy :
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Access-Control-Allow-Origin
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] *
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Access-Control-Allow-Credentials
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] true
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Access-Control-Allow-Headers
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] *
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Access-Control-Allow-Methods
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] POST,GET
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Access-Control-Expose-Headers
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] *
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Access-Control-Max-Age
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] 86400
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Apply following CSP : default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';script-src 'self';form-action *;frame-ancestors 'none';
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Prepare external 2F verification
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Returned status: -4 (PE_SENDRESPONSE)
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [info] No cookie found
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Build URL https://xxxx/?cancel=1&skin=xxxx
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Redirect xxxx to portal (url was /?cancel=1&skin=xxxx)
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] User not authenticated, Try in use, cancel redirection
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Start routing default route
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Processing checkUnauthLogout
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Processing restoreArgs
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Processing controlUrl
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Processing code ref
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Cancel called, push authCancel calls
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Processing code ref
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Launching ::Issuer::SAML::storeEnv
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Processing extractFormInfo
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [notice] Combination (Lemonldap::NG::Portal::Auth::Kerberos): Kerberos authentication has failed, back to portal
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] [notice] Combination (Lemonldap::NG::Portal::Auth::Kerberos): Kerberos authentication has failed, back to portal
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Store 0 in hidden key kerberos
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [info] Scheme "Kerberos" returned 5, trying next
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Processing extractFormInfo
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Prepare token
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Token 1625083575_27425 created
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Returned error: 9 (PE_FIRSTACCESS)
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Returned userId: anonymous
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Display type standardform
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Skin returned: login
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Calling sendHtml with template login
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Skin avem selected from GET/POST parameter
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/avem/login.tpl
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Skin avem selected from GET/POST parameter
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Sending /usr/share/lemonldap-ng/portal/templates/avem/login.tpl
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Apply following CORS policy :
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Access-Control-Allow-Origin
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] *
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Access-Control-Allow-Credentials
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] true
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Access-Control-Allow-Headers
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] *
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Access-Control-Allow-Methods
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] POST,GET
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Access-Control-Expose-Headers
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] *
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Access-Control-Max-Age
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] 86400
```
3.0.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2545
Consolidate login timeout settings
2021-07-01T20:59:27Z
Maxime Besson
### Summary
We have too many different timeouts for "waiting for the user to do something":
* formTimeout
* issuersTimeout
* mail2fTimeout
* mailTimeout
* registerTimeout
* oidcRPStateTimeout
* samlRelayStateTimeout
All these timeouts have different, sometimes inconsistent values (samlRelayStateTimeout vs issuersTimeout in a SAML-to-SAML scenario) or values that are too short by default (formTimeout, #2544).
### Design proposition
We should consolidate all these timeouts into broader categories.
For example:
* "User action that should be done quickly" => validating an info message, etc, could be 2 minutes by default
* "User action that takes some time" => filling a complex form, installing an OTP app, remembering their password => could be 5 or even 10 minutes by default
* etc.
As an example, this is how Keycloak does it:
![image](/uploads/4ff574a514b5f6667214a537c80b7e6c/image.png)
3.0.0
Christophe Maudoux
chrmdx@gmail.com
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2540
XSS protection of CAS service parameter should be removed
2024-01-18T08:25:29Z
Maxime Besson
In #1795 we implemented a XSS check on the service= parameter of the CAS issuer (1a8948894d61e1f37dda5c95f2ea0a619545f5f6)
However, this change breaks some applications, such as Ametys CMS, which generates login URLs that look like this:
```
https://cms.example.com/plugins/core/authenticate/0?contexts=%2Fsites%2Fintranet%2C%2Fsites%2Ftest-projet-b%2C%2Fsites%2Ftest-ametys%2C%2Fsites%2Fcatalogue
```
Note: `%2C` is a legitimate separator in this context.
According to discussions in #1795, this check is meant to protect against tampering with the Location: header.
However, checkXSSAttack does NOT prevent header injection (it is supposed to prevent XSS in HTML documents, a completely different issue). You can try with the following example:
http://auth.example.com/cas/login?service=http://cas.example.com/test%0D%0AX-Test:%20inject%0D%0A
This attack is caught by
```perl
unless ( $service =~ m#^(https?://[^/]+)(/.*)?$# ) {
    $self->logger->error("Bad service $service");
    return PE_ERROR;
}
```
<details><summary>(click here to see what happens if I disable this code)</summary>
I'm surprised Plack does not protect you from this:
![image](/uploads/0e01c2040cb7a6992625fa20ebe3ecb8/image.png)
</details>
but this attack is NOT caught by
```perl
$service = '' if ( $self->p->checkXSSAttack( 'service', $service ) );
```
which makes this check counter-productive in my opinion.
## Conclusion
Checking for XSS attacks should be only done for values that are displayed in HTML pages. For values used in Location: headers, we should only check:
* If they are properly formatted URLs (!185)
* If they are in the list of allowed redirection targets (trustedDomains, declared vhost, etc.)
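As an added illustration of the conclusion above (example code written for this page, not LemonLDAP::NG's own), the following Python check accepts a `service` value only when it is a well-formed absolute http(s) URL whose host is on an allowlist, and does nothing about HTML or XSS. The allowlist and its leading-dot suffix convention are assumptions standing in for trustedDomains and declared vhosts. Run against the Ametys URL and the header-injection value quoted above, it accepts the first and rejects the second.

```python
from urllib.parse import urlsplit

# Constructed allowlist standing in for trustedDomains / declared virtual
# hosts (assumption for this example). A leading dot means "this host and
# any subdomain of it".
TRUSTED_DOMAINS = ("cms.example.com", ".apps.example.com")

# Characters RFC 3986 permits in a URL. A raw CR, LF, space or other control
# character means the value is not a URL at all; it has to be rejected here,
# before parsing, because urlsplit() silently strips "\r", "\n" and "\t".
_URL_CHARS = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "-._~:/?#[]@!$&'()*+,;=%"
)


def host_is_trusted(host, trusted):
    host = host.lower()
    for entry in trusted:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def validate_service(service, trusted=TRUSTED_DOMAINS):
    """Return (ok, reason). ok is True only when `service` is a well-formed
    absolute http(s) URL whose host is an allowed redirection target: the two
    checks the issue's conclusion asks for, and nothing about HTML content."""
    if not service:
        return False, "empty"
    if not all(c in _URL_CHARS for c in service):
        # This is where the decoded "...test\r\nX-Test: inject\r\n" value
        # from the issue is stopped, whatever its host.
        return False, "not a URL: control or non-URL character present"
    try:
        parts = urlsplit(service)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ("http", "https"):
        return False, "scheme must be http or https"
    if not parts.hostname:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed in a redirection target"
    if not host_is_trusted(parts.hostname, trusted):
        return False, f"host {parts.hostname!r} is not a trusted redirection target"
    return True, "ok"
```

A still percent-encoded `%0D%0A` in the path passes, which is correct: a Location: header is emitted as-is, so encoded CRLF never becomes a line break there.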
3.0.0
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2514
improve Content-Security-Policy handling
2022-05-01T09:37:03Z
Maxime Besson
### Summary
The way CSP currently works could be improved. Currently all the work is done in sendHtml().
Heuristics, feature tests and regexps are used to populate the CSP, combined with user-defined options.
We should instead let each module/LLNG feature handle its own CSP (see `$req->data->{cspFormAction}`).
### Design proposition
Example of a better API, in Choice.pm
<pre>
$req->setCSP("form-action", $url);
</pre>
or when embedding an iframe:
<pre>
$req->setCSP("frame-src", $url);
</pre>
( see also #2513 )
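As an added sketch of the per-directive API proposed above (example code written for this page; `CSPRequest` and `origin_of` are hypothetical stand-ins, not LLNG's `$req->setCSP`), the accumulator below starts from the directives the portal logs on this tracker, lets a module add one origin to one directive, and serialises the result in the same `directive sources;` form. The baseline uses `form-action 'self'` rather than the logged `form-action *`, an assumption made so that modules have to opt origins in.

```python
from urllib.parse import urlsplit

# Baseline policy, directive by directive, following the policy the portal
# logs on this tracker except for form-action (see lead-in).
BASE_CSP = {
    "default-src": ["'self'"],
    "img-src": ["'self'", "data:"],
    "style-src": ["'self'"],
    "font-src": ["'self'"],
    "connect-src": ["'self'"],
    "script-src": ["'self'"],
    "form-action": ["'self'"],
    "frame-ancestors": ["'none'"],
}

# Directives a module may widen for one request. default-src and
# frame-ancestors are deliberately absent: nothing request-specific should be
# able to loosen them.
SETTABLE_DIRECTIVES = frozenset(
    {"form-action", "frame-src", "connect-src", "img-src", "script-src", "style-src", "font-src"}
)


def origin_of(url):
    """Reduce a URL to the CSP source expression scheme://host[:port].
    Path and query are dropped on purpose: a source expression carrying a
    path is matched as a prefix and is easy to get wrong."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    origin = f"{parts.scheme}://{parts.hostname}"
    if parts.port is not None:
        origin += f":{parts.port}"
    return origin


class CSPRequest:
    """Per-request accumulator behind a set_csp(directive, url) call, a
    hypothetical stand-in for the $req->setCSP API proposed in the issue."""

    def __init__(self):
        self._sources = {d: list(v) for d, v in BASE_CSP.items()}

    def set_csp(self, directive, url):
        if directive not in SETTABLE_DIRECTIVES:
            raise ValueError(f"directive {directive!r} cannot be set per request")
        source = origin_of(url)
        # A fetch directive that is not yet present would otherwise fall back
        # to default-src; seed it from default-src so that adding a source
        # widens the baseline instead of replacing it.
        bucket = self._sources.setdefault(directive, list(self._sources["default-src"]))
        if source not in bucket:
            bucket.append(source)

    def render(self):
        """Serialise in the same `directive sources;` form the portal logs."""
        return "".join(f"{d} {' '.join(s)};" for d, s in self._sources.items())
```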
3.0.0
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2473
2021-02-23T15:34:05Z
Téo GODDET
Manager-ConfigEditor-Display the new config when storageBackend does not allow changes.
### Summary
It would be great to display the new config in a text box when the configBackend (or a parameter) does not allow editing.
This would allow tracking the config in version control or using another read-only source.
See the Grafana example:
![image](/uploads/db5731cd6d6232e7abe6d4ef15f3890a/image.png)
### Design proposition
I'm unclear how it works exactly, but I think we can add a route that parses the tree and returns the new config as JSON (as the parsing logic is already implemented in the editor).
3.0.0