# lemonldap-ng issues
Feed: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues (updated 2023-05-09T08:49:08Z)

## #2926 "Federation not found on login" SAML error when NameID not specified in request
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2926
Author: Maxime Besson | Updated: 2023-05-09T08:49:08Z
### Concerned version
Version: 2.16.1
### Summary
* Configure a SAML provider with samlSPMetaDataOptionsNameIDFormat=persistent
* In metadata, "persistent" must be the first available NameID format:
```xml
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
```
* The SAMLRequest must not contain a NameIDFormat:
```
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_FDF33840F31FD21FE2C411BE524B3E94" Version="2.0" IssueInstant="2023-05-03T14:20:25Z" Destination="http://auth.idp.com/saml/singleSignOn" ForceAuthn="false" IsPassive="false">
<saml:Issuer>XXX</saml:Issuer>
</samlp:AuthnRequest>
```
### Logs
```
[Wed May 3 16:21:03 2023] [LLNG:699228] [warn] Lasso error code 601: Federation not found on login
[Wed May 3 16:21:03 2023] [LLNG:699228] [warn] Unable to validate SSO request message
```
### Possible fixes
When users set samlSPMetaDataOptionsNameIDFormat=persistent, we must assume that they also want AllowCreate=1. If the NameIDFormat is not present in AuthnRequest, we must create it, and set its AllowCreate to 1 to avoid a failure when Lasso checks if federation is allowed.
Milestone/label: 2.16.2 | Assignee: Maxime Besson

## #2922 Remove | as separator for Choice configuration values
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2922
Author: Clément OUDOT | Updated: 2023-08-18T16:23:59Z
For now we accept both `;` and `|` as separator for choices configuration values, but this leads to a bug when using `|` in a value, for example when overriding an LDAP filter.
We need to check that the `|` separator is not needed anymore, and remove it from the code that splits the choice value.
Milestone/label: 2.17.0 | Assignee: Clément OUDOT

## #2920 invalid entry in SAML IDP list after logout error
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2920
Author: Maxime Besson | Updated: 2023-07-10T13:12:14Z
### Concerned version
Version: 2.16.1
Platform: (Nginx/Apache/Node.js)
### Summary
* Configure Auth::SAML with a single IDP
* Some code paths in Auth/SAML.pm may lead to the following situation
![image](/uploads/935beb5d515cabd222ec48e7e23da52a/image.png)
### Possible fixes
I was able to reproduce this issue by sending an invalid logout request:
```perl
# Process logout request
unless ( $self->processLogoutRequestMsg( $logout, $request ) ) {
    $self->userLogger->error("Fail to process logout request");
    $logout_error = 1;
}
[...]
my $idp = $logout->remote_providerID();
# IDP conf key
my $idpConfKey = $self->idpList->{$idp}->{confKey};
```
After this code, idpConfKey is not found but `$self->idpList->{$idp}` becomes defined.
That's because in Perl, reading a hash can modify it, yay!
We should probably return immediately if processLogoutRequestMsg fails.
Milestone/label: 2.17.0 | Assignee: Maxime Besson

## #2918 CAS issuer can't handle urn: URIs
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2918
Author: Maxime Besson | Updated: 2023-05-09T09:26:37Z
### Concerned version
Version: 2.16.1
Platform: (Nginx/Apache/Node.js)
### Summary
Some CAS apps (jnlp) use urn:my:app URLs, which currently don't work (PE_ERROR)
Milestone/label: In discussion | Assignee: Maxime Besson

## #2915 jsRedirect does not preserve GET parameter order
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2915
Author: Maxime Besson | Updated: 2023-04-17T16:21:17Z
### Concerned version
Version: 2.16.1
### Summary
Using the CAS issuer when jsRedirect=1 leads to random failures because redirection to the CAS application tends to swap parameter order
Milestone/label: 2.16.2 | Assignee: Maxime Besson

## #2912 Non reproducible error when redirect to another url (SAML,..)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2912
Author: Walter Bender | Updated: 2023-08-30T15:10:53Z
### Concerned version
Version: %2.16.1-1 (Ubuntu)
Platform: Various
### Summary
We updated from 2.0.13 to 2.16.1 and got a non-reproducible error when redirecting to another url (as used for SAML authentication). Some perl processes worked without problems. With higher load, we get more and more processes with "Bad URL" errors. After a restart of the service the error vanished at first, but then grows up to about 50% of redirections with an error message. We are not sure what caused the error and if it's a security issue. Downgrading back to 2.0.13 solved the issue.
Hint: The same problem happened in version 2.0.16
### Logs
```
Apr 6 18:34:05 XHOSTX LLNG[44612]: [debug] Required Params URL: URI::https=SCALAR(0x563e0fd10f40)
Apr 6 18:34:05 XHOSTX LLNG[44612]: [debug] Set CSP form-action with Params URL: URI::https=SCALAR(0x563e0fd10f40)
Apr 6 18:34:14 XHOSTX LLNG[44591]: [debug] [error] Bad URL URI::https=SCALAR(0x563e0fdd1838)
Apr 6 18:34:26 XHOSTX LLNG[44593]: [debug] [error] Bad URL URI::https=SCALAR(0x563e0fdedbb8)
Apr 6 18:36:22 XHOSTX LLNG[44589]: [debug] [error] Bad URL URI::https=SCALAR(0x563e0e9a2e38)
Apr 6 18:37:59 XHOSTX LLNG[44589]: [debug] Required urldc: URI::https=SCALAR(0x563e0de5de78)
Apr 6 18:37:59 XHOSTX LLNG[44589]: [debug] Set CSP form-action with urldc: URI::https=SCALAR(0x563e0de5de78)
Apr 6 18:37:59 XHOSTX LLNG[44589]: [debug] Required Params URL: URI::https=SCALAR(0x563e0de5de78)
Apr 6 18:37:59 XHOSTX LLNG[44589]: [debug] Set CSP form-action with Params URL: URI::https=SCALAR(0x563e0de5de78)
Apr 6 18:38:26 XHOSTX LLNG[44603]: [debug] [error] Bad URL URI::https=SCALAR(0x563e0fd74fd0)
Apr 6 18:39:47 XHOSTX LLNG[44589]: [debug] [error] Bad URL URI::https=SCALAR(0x563e0e8df388)
Apr 6 18:41:17 XHOSTX LLNG[44596]: [debug] [error] Bad URL URI::https=SCALAR(0x563e0fd9eb08)
Apr 6 18:44:16 XHOSTX LLNG[44611]: [debug] [error] Bad URL URI::https=SCALAR(0x55c915768d50)
```
### Backends used
We use redis as backend
### Possible fixes
Downgrade to former version
Milestone/label: 2.17.0 | Assignee: Maxime Besson

## #2909 Manager viewer uses the wrong endpoints to read conf
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2909
Author: Maxime Besson | Updated: 2023-05-09T08:55:38Z
### Concerned version
Version: 2.16.1
### Summary
Configuring this:
```
[manager]
enabledModules = viewer, sessions, 2ndFA
defaultModule = viewer
```
does not work: the manager viewer uses GET /confs/xxx to read config values instead of GET /view/xxx
This is a regression in c330347f3c20dcfa7fb26ddf0bc701283c62478f
Replacing confPrefix by viewPrefix in viewer.coffee seems to fix the issue.
TODO:
* [x] Fix issue
* [x] Update viewer.rst doc to give a working example of vhost rules
Milestone/label: 2.16.2 | Assignee: Maxime Besson

## #2907 Manager customCSS not available with minified files
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2907
Author: Christophe Maudoux <chrmdx@gmail.com> | Updated: 2023-04-02T10:25:47Z
### Concerned version
Version: %2.X
Platform: All
### Summary
customCSS file is not included in manager/header.tlp
Milestone/label: 2.16.2 | Assignee: Christophe Maudoux <chrmdx@gmail.com>

## #2905 No applications displayed in menu for all users when one of the user has no rights to see them
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2905
Author: Clément OUDOT | Updated: 2023-03-30T14:52:05Z
Steps to reproduce:
* Connect with a user that can see applications in menu: applications are displayed :white_check_mark:
* Connect with a user that cannot see applications in menu (because no access to any of them): no applications are displayed :white_check_mark:
* Connect with a user that can see applications in menu: no applications are displayed :no_entry:
This is a regression linked to issue #2833
The problem is in the code of Lemonldap::NG::Portal::Main::Menu
```perl
# Display noApp message
$res{NO_APP_ALLOWED} = $self->noApp;
```
Of course storing the state of applications visibility in a class parameter is wrong, as this is linked to request context.
Milestone/label: 2.16.2 | Assignee: Clément OUDOT

## #2899 When Portal language is configured to follow browser language, change in browser language requires clearing a cookie
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2899
Author: Aki Kemppainen | Updated: 2023-04-07T09:31:19Z
### Concerned version
Version: 2.0.16
Platform: Nginx
### Summary
Preconditions / test setup:
- LemonLDAP configured not to display language selection buttons in the Portal UI => Portal should follow the browser's language
- Firefox set to prefer English for web pages
Steps to reproduce:
- Open LemonLDAP portal page => Page is in English
- Change Firefox to prefer French for web pages
- Reload LemonLDAP portal page
Expected result:
- LemonLDAP should show the page in French
Actual result:
- The page is still shown in English (because LemonLDAP stores the language to a cookie named llnglanguage)
Workaround:
- Click the padlock icon next to the address in address bar and select "clear cookies and site data" and press "remove"
- Then reload the page and it is shown in French
Milestone/label: 2.16.2 | Assignee: Christophe Maudoux <chrmdx@gmail.com>

## #2896 [Security][CVE-2023-28862] AuthBasic does not handle failure correctly
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2896
Author: Maxime Besson | Updated: 2023-10-08T16:40:55Z
### Concerned version
Version: 2.0.16
### Summary
The AuthBasic handler works like this:
* It computes a sessionid from login+password
* If sessionid already exists in the session DB, authenticate user
* Else, try to create the corresponding session by sending the login+pass to the portal RESTServer plugin
However, the only required step in the login flow is `store`; if anything happens after the `store` step, AuthBasic will succeed because the fixed-id session has been successfully created, which means:
* Accounts that are supposed to be 2FA-protected are not 2FA protected when AuthBasic is used
* If a 2FA module returns an error, the *first* AuthBasic request will 401, but the *second* AuthBasic request will work correctly => *VERY CONFUSING*
* Any plugin that tries to deny session *after* the `store` step will not deny AuthBasic sessions
This is probably a security issue
### Possible fixes
If the AuthBasic login process fails (not PE_OK), we need to remove the session created by `store` and return an error
This will cause a regression: users who relied on AuthBasic working for 2FA protected account will now see failures
Possible solution: use an env variable in 2FA activation rules if desired:
```
has2f("TOTP") and not $env->{"AuthBasic"}
```
or something of that sort
Milestone/label: 2.16.1 | Assignee: Maxime Besson

## #2894 Captcha broken with latest Debian-Buster ImageMagick package (8:6.9.10.23+dfsg-2.1+deb10u)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2894
Author: Clément OUDOT | Updated: 2023-03-19T08:43:57Z
With latest ImageMagick package, Captcha is broken:
![image](/uploads/272684d0d12e84b3f3bf17de3d8ac1b4/image.png)
```
# dpkg -l | grep libimage-magick
ii libimage-magick-perl 8:6.9.10.23+dfsg-2.1+deb10u2 all Perl interface to the ImageMagick graphics routines
ii libimage-magick-q16-perl 8:6.9.10.23+dfsg-2.1+deb10u2 amd64 Perl interface to the ImageMagick graphics routines -- Q16 version
```
Downgrading the packages is the current workaround:
```
# apt install libimage-magick-perl=8:6.9.10.23+dfsg-2.1+deb10u1 imagemagick-6-common=8:6.9.10.23+dfsg-2.1+deb10u1
```
Milestone/label: FAQ

## #2887 URL parameter for Register and CertificateResetByMail plugins are not taken into account
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2887
Author: Christophe Maudoux <chrmdx@gmail.com> | Updated: 2023-03-07T22:07:22Z
### Concerned version
Version: %2.X
Platform: (Nginx/Apache/Node.js)
### Summary
```perl
has registerUrl => (
    is      => 'rw',
    lazy    => 1,
    default => sub {
        my $p = $_[0]->conf->{portal};
        $p =~ s#/*$##;
        return "$p/register";
    }
);
```
`$self->conf->{registerUrl}` and `$self->conf->{certificateResetUrl}` are not used during the init step.
Milestone/label: 2.16.1 | Assignee: Christophe Maudoux <chrmdx@gmail.com>

## #2882 SAML signature validation fails in RHEL9 + Lasso 2.8.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2882
Author: Maxime Besson | Updated: 2023-02-27T09:45:15Z
Possibly an upstream bug, but I'm opening it here for reference:
```
[debug] Lasso error [ critical ]: 2023-02-24 09:11:17 (tools.c/:1562) Error: failed to limit allowed sha1 signature transforms
[debug] Lasso error [ critical ]: 2023-02-24 09:11:17 (tools.c/:1562) Error: failed to limit allowed sha1 signature transforms
[error] Lasso error code -111: Failed to verify signature.
```
Reproduced on Alma9 and Rocky9
Related:
https://dev.entrouvert.org/issues/74121
https://github.com/latchset/mod_auth_mellon/issues/115
Milestone/label: 2.17.0 | Assignee: Maxime Besson

## #2879 llnglanguage cookie should set "Secure" flag
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2879
Author: Maxime Besson | Updated: 2023-03-20T14:36:19Z
Opening the portal with any recent version of Chrome and SameSite=None shows this message:
![image](/uploads/c50f51c30cca3adfeeda3d2c4f77e9e9/image.png)
> Mark cross-site cookies as Secure to allow setting them in cross-site contexts
> Cookies marked with SameSite=None must also be marked with Secure to allow setting them in a cross-site context. This behavior protects user data from being sent over an insecure connection.
We need to extend #2605 and also set the Secure flag on `llnglanguage`
Milestone/label: 2.16.1 | Assignee: Maxime Besson

## #2877 Captcha in login form is not displayed in case of back-end error
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2877
Author: Christophe Maudoux <chrmdx@gmail.com> | Updated: 2023-02-21T21:29:03Z
### Concerned version
Version: %2.0.16
Platform: All
### Summary
Enable captcha in login form.
Auth module = LDAP without LDAP installed to throw an error
Try to login => dwho/dwho + captcha
Login form without captcha
![1](/uploads/4401cc47179b93357a96e41e40b09030/1.png)
![2](/uploads/f166b29dfb660c5a5a304c430e0a3ddd/2.png)
### Logs
```
[Wed Feb 15 21:10:15 2023] [LLNG:10365] [info] No cookie found
[Wed Feb 15 21:10:15 2023] [LLNG:10365] [debug] Build URL http://auth.example.com:19876/
[Wed Feb 15 21:10:15 2023] [LLNG:10365] [debug] Redirect 127.0.0.1 to portal (url was /)
[Wed Feb 15 21:10:15 2023] [LLNG:10365] [debug] User not authenticated, Try in use, cancel redirection
[Wed Feb 15 21:10:15 2023] [LLNG:10365] [debug] Start routing default route
[Wed Feb 15 21:10:15 2023] [LLNG:10365] [debug] Processing checkUnauthLogout
[Wed Feb 15 21:10:15 2023] [LLNG:10365] [debug] Processing restoreArgs
[Wed Feb 15 21:10:15 2023] [LLNG:10365] [debug] Processing controlUrl
[Wed Feb 15 21:10:15 2023] [LLNG:10365] [debug] Processing code ref
[Wed Feb 15 21:10:15 2023] [LLNG:10365] [debug] Processing extractFormInfo
[Wed Feb 15 21:10:15 2023] [LLNG:10365] [debug] Trying to load token 1676419902_16514
[Wed Feb 15 21:10:15 2023] [LLNG:10365] [debug] Good captcha response
[Wed Feb 15 21:10:15 2023] [LLNG:10365] [debug] Captcha code verified
[Wed Feb 15 21:10:15 2023] [LLNG:10365] [debug] Processing getUser
[Wed Feb 15 21:10:15 2023] [LLNG:10365] [error] LDAP Search error 32: No such object
[Wed Feb 15 21:10:15 2023] [LLNG:10365] [debug] Returned error: 7 (PE_LDAPERROR)
[Wed Feb 15 21:10:15 2023] [LLNG:10365] [debug] Display type standardform
[Wed Feb 15 21:10:15 2023] [LLNG:10365] [debug] Skin returned: login
[Wed Feb 15 21:10:15 2023] [LLNG:10365] [debug] Calling sendHtml with template login
[Wed Feb 15 21:10:15 2023] [LLNG:10365] [debug] Skin bootstrap selected from GET/POST parameter
[Wed Feb 15 21:10:15 2023] [LLNG:10365] [debug] Starting HTML generation using /home/christophe/lemonldap-ng/lemonldap-ng-portal/site/templates/bootstrap/login.tpl
[Wed Feb 15 21:10:15 2023] [LLNG:10365] [debug] Skin bootstrap selected from GET/POST parameter
[Wed Feb 15 21:10:15 2023] [LLNG:10365] [debug] Sending /home/christophe/lemonldap-ng/lemonldap-ng-portal/site/templates/bootstrap/login.tpl
[Wed Feb 15 21:10:15 2023] [LLNG:10365] [debug] Apply following CORS policy:
[Wed Feb 15 21:10:15 2023] [LLNG:10365] [debug] Access-Control-Allow-Origin
[Wed Feb 15 21:10:15 2023] [LLNG:10365] [debug] *
[Wed Feb 15 21:10:15 2023] [LLNG:10365] [debug] Access-Control-Allow-Credentials
[Wed Feb 15 21:10:15 2023] [LLNG:10365] [debug] true
[Wed Feb 15 21:10:15 2023] [LLNG:10365] [debug] Access-Control-Allow-Headers
[Wed Feb 15 21:10:15 2023] [LLNG:10365] [debug] *
[Wed Feb 15 21:10:15 2023] [LLNG:10365] [debug] Access-Control-Allow-Methods
[Wed Feb 15 21:10:15 2023] [LLNG:10365] [debug] POST,GET
[Wed Feb 15 21:10:15 2023] [LLNG:10365] [debug] Access-Control-Expose-Headers
[Wed Feb 15 21:10:15 2023] [LLNG:10365] [debug] *
[Wed Feb 15 21:10:15 2023] [LLNG:10365] [debug] Access-Control-Max-Age
[Wed Feb 15 21:10:15 2023] [LLNG:10365] [debug] 86400
[Wed Feb 15 21:10:15 2023] [LLNG:10365] [debug] Apply following CSP: default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';script-src 'self';form-action *;frame-ancestors 'none';
auth.example.com:80 127.0.0.1 - - [15/Feb/2023:21:10:15 +0100] "POST / HTTP/1.1" 200 9573 -
```
### Backends used
LDAP
### Possible fixes
Pass token
Milestone/label: 2.16.1 | Assignee: Christophe Maudoux <chrmdx@gmail.com>

## #2876 Errors in Manager FR translations
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2876
Author: Christophe Maudoux <chrmdx@gmail.com> | Updated: 2023-03-31T20:45:25Z
### Concerned version
Version: %2.0.16
Platform: All
### Summary
Bad FR options translation
![image](/uploads/5c5b20aac5e4d1a2d972c13e564db1aa/image.png)
Maybe duplicated entries
Milestone/label: 2.16.1 | Assignee: Christophe Maudoux <chrmdx@gmail.com>

## #2875 [Security:Low] incorrect parsing of OP-provided acr
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2875
Author: Maxime Besson | Updated: 2023-05-12T17:56:15Z
### Concerned version
Version: 2.0.16
### Summary
* Configure Auth::OIDC with an OP that always returns `acr: 1` in the ID token
* Set oidcOPMetaDataOptionsAcrValues to `loa-1`
* `ACR` value `1` is accepted despite not being part of the list `['loa-1']`
### Possible fixes
```perl
unless ( $acr_values =~ /\b$acr\b/i ) {
```
This is not a good way to test because `\b` matches too many things (in the example: it matches `-`).
Milestone/label: 2.16.2 | Assignee: Maxime Besson

## #2874 Removing oidcOPMetaDataOptionsAcrValues causes OIDC auth to fail
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2874
Author: Maxime Besson | Updated: 2023-05-09T07:15:43Z
### Concerned version
Version: 2.0.16
### Summary
* Configure Auth::OIDC with a provider that doesn't support ACR values
* set oidcOPMetaDataOptionsAcrValues to something
* authentication fails :white_check_mark:
* unset oidcOPMetaDataOptionsAcrValues in manager
* authentication still fails :x:
### Logs
```
ACR was not returned by OP xxx
```
Milestone/label: 2.17.0 | Assignee: Maxime Besson

## #2873 AjaxInitScript/InitCmd not called after Choice error
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2873
Author: Maxime Besson | Updated: 2023-05-05T13:18:39Z
### Concerned version
Version: 2.0.16
### Summary
* Configure a Choice with Demo | SSL
* Fail Demo
* Choice is displayed again
* But SSL Initscript is not called :x:
* Try SSL => fail :x:
### Possible fixes
Choice `extractFormInfo` only calls AjaxInitScript + InitCmd when no choice is already selected.
In the case described above, a choice is selected, but fails, and the Choice form is displayed again. We should call AjaxInitScript+InitCmd every time we call `extractFormInfo` instead.
Other possibility: call these methods in `_buildAuthLoop`?
Milestone/label: 2.17.0