# lemonldap-ng issues
Feed: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues (updated 2024-03-27T10:08:54Z)

## #2851 Append an option to require captcha in login form only if first attempt fails
Author: Christophe Maudoux. Updated: 2024-03-27T10:08:54Z. https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2851

### Summary
Currently, we can enable or disable captcha in forms. A security audit organization told us that asking for a captcha at the first attempt is useless. To improve user experience, the captcha could be required at the second or third attempt.
### Design proposition
Append an option to set how many login attempts are allowed before asking for a captcha.

Milestone/label: Backlog. Assignee: Christophe Maudoux.

## #2820 OIDC Authorize response varies depending on the Accept header: 200 OK if it includes application/json, 302 otherwise
Author: José Venceslau. Updated: 2023-07-11T08:40:56Z. https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2820

### Concerned version
Version: 2.0.15.1
Platform: Nginx
### Summary
When calling the /oauth2/authorize endpoint, we've found that if the request's Accept header has application/json, independently of other MIME types, the response will be a 200 OK instead of the "usual" 302 Location with the session_state, state and code.
### Logs
```
[1] Network request and response. First without the application/json:
curl -v 'https://internal-foobar-server.com/oauth2/authorize?response_type=code&client_id=APP&scope=openid+profile+roles+email&redirect_uri=https%3A%2F%2Finternal-foobar-server%2Fapp%2Flogin&state=abababababababaab30a64a0a3d98e062cd2e2973127b849e57280ffa88981198a158f68e9abababababababab' \
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
-H 'Accept-Language: en-US,en;q=0.9,pt;q=0.8,fr;q=0.7,es;q=0.6' \
-H 'Cache-Control: no-cache' \
-H 'Connection: keep-alive' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Cookie: llnglanguage=en; lemonldapqmspdata=%7B%22issuerRequestoauth2%22%3A%221668527922_53631%22%2C%22issuerTs%22%3A1668599802%2C%22issuerRequestoauth2Path%22%3A%5B%22authorize%22%5D%2C%22_url%22%3A%22aHR0cHM6Ly9hdXRoLmNvLm5vcy5wdC9vYXV0aDI%3D%22%2C%22keepPdata%22%3A%5B%22issuerRequestoauth2%22%2C%22issuerRequestoauth2Path%22%5D%7D' \
-H 'DNT: 1' \
-H 'Origin: https://internal-foobar-server.com' \
-H 'Pragma: no-cache' \
-H 'Referer: https://internal-foobar-server.com/oauth2/authorize?response_type=code&client_id=APP&scope=openid+profile+roles+email&redirect_uri=https%3A%2F%2Finternal-foobar-server.com%2Fapp%2Flogin&state=abababababababaab30a64a0a3d98e062cd2e2973127b849e57280ffa88981198a158f68e9abababababababab' \
-H 'Sec-Fetch-Dest: document' \
-H 'Sec-Fetch-Mode: navigate' \
-H 'Sec-Fetch-Site: same-origin' \
-H 'Sec-Fetch-User: ?1' \
-H 'Upgrade-Insecure-Requests: 1' \
-H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36' \
-H 'sec-ch-ua: "Google Chrome";v="107", "Chromium";v="107", "Not=A?Brand";v="24"' \
-H 'sec-ch-ua-mobile: ?0' \
-H 'sec-ch-ua-platform: "macOS"' \
--data-raw 'url=aHR0cHM6Ly9hdXRoLmNvLm5vcy5wdC9vYXV0aDI%3D&timezone=0&skin=newnos&user=username&password=mysecretpassword' \
--compressed
* Trying 10.228.56.68:443...
* Connected to internal-foobar-server.com (10.228.56.68) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
* subject: CN=*.internal-foobar-server.com
* start date: Dec 14 00:00:00 2021 GMT
* expire date: Dec 14 23:59:59 2022 GMT
* subjectAltName: host "internal-foobar-server.com" matched cert's "*.internal-foobar-server.com"
* issuer: C=PT; ST=Lisboa; L=Lisboa; O=MarketWare - foobar certifier
* SSL certificate verify ok.
> POST /oauth2/authorize?response_type=code&client_id=APP&scope=openid+profile+roles+email&redirect_uri=https%3A%2F%2Finternal-foobar-server.com%2Fapp%2Flogin&state=abababababababaab30a64a0a3d98e062cd2e2973127b849e57280ffa88981198a158f68e9abababababababab HTTP/1.1
> Host: internal-foobar-server.com
> Accept-Encoding: deflate, gzip
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
> Accept-Language: en-US,en;q=0.9,pt;q=0.8,fr;q=0.7,es;q=0.6
> Cache-Control: no-cache
> Connection: keep-alive
> Content-Type: application/x-www-form-urlencoded
> Cookie: llnglanguage=en; lemonldapqmspdata=%7B%22issuerRequestoauth2%22%3A%221668527922_53631%22%2C%22issuerTs%22%3A1668599802%2C%22issuerRequestoauth2Path%22%3A%5B%22authorize%22%5D%2C%22_url%22%3A%22aHR0cHM6Ly9hdXRoLmNvLm5vcy5wdC9vYXV0aDI%3D%22%2C%22keepPdata%22%3A%5B%22issuerRequestoauth2%22%2C%22issuerRequestoauth2Path%22%5D%7D
> DNT: 1
> Origin: https://internal-foobar-server.com
> Pragma: no-cache
> Referer: https://internal-foobar-server.com/oauth2/authorize?response_type=code&client_id=APP&scope=openid+profile+roles+email&redirect_uri=https%3A%2F%2Finternal-foobar-server.com%2Fapp%2Flogin&state=abababababababaab30a64a0a3d98e062cd2e2973127b849e57280ffa88981198a158f68e9abababababababab
> Sec-Fetch-Dest: document
> Sec-Fetch-Mode: navigate
> Sec-Fetch-Site: same-origin
> Sec-Fetch-User: ?1
> Upgrade-Insecure-Requests: 1
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
> sec-ch-ua: "Google Chrome";v="107", "Chromium";v="107", "Not=A?Brand";v="24"
> sec-ch-ua-mobile: ?0
> sec-ch-ua-platform: "macOS"
> Content-Length: 114
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Server: nginx/1.20.1
< Date: Wed, 16 Nov 2022 14:31:42 GMT
< Transfer-Encoding: chunked
< Connection: keep-alive
< Location: https://internal-foobar-server.com/app/login?session_state=abababababababaab30a64a0a3d98e062cd2e2973127b849e57280ffa88981198a158f68e9abababababababab&state=abababababababaab30a64a0a3d98e062cd2e2973127b849e57280ffa88981198a158f68e9abababababababab&code=abababababababaab30a64a0a3d98e062cd2e2973127b849e57280ffa88981198a158f68e9abababababababab
< Set-Cookie: lemonldapqms=0342658107147fd515ca26abf69014d8eb24cbfe6af7d23b6a490401512f88f8; domain=.internal-foobar-server.com; path=/; HttpOnly=1; SameSite=None; secure
< Set-Cookie: lemonldapqmspdata=; path=/; expires=Wed, 21 Oct 2015 00:00:00 GMT; HttpOnly=1; SameSite=None; secure
< Access-Control-Allow-Origin: https://internal-foobar-server.com
< Access-Control-Allow-Headers: X-Requested-With, authorization
< Access-Control-Allow-Credentials: true
<
* Connection #0 to host internal-foobar-server.com left intact
---
[2] Same request but adding application/json to the Accept HTTP header:
curl -v 'https://internal-foobar-server.com/oauth2/authorize?response_type=code&client_id=APP&scope=openid+profile+roles+email&redirect_uri=https%3A%2F%2Finternal-foobar-server.com%2Fapp%2Flogin&state=abababababababaab30a64a0a3d98e062cd2e2973127b849e57280ffa88981198a158f68e9abababababababab' \
-H 'Accept: text/html,application/xhtml+xml,application/json,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
-H 'Accept-Language: en-US,en;q=0.9,pt;q=0.8,fr;q=0.7,es;q=0.6' \
-H 'Cache-Control: no-cache' \
-H 'Connection: keep-alive' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Cookie: llnglanguage=en; lemonldapqmspdata=%7B%22issuerRequestoauth2%22%3A%221668527922_53631%22%2C%22issuerTs%22%3A1668599802%2C%22issuerRequestoauth2Path%22%3A%5B%22authorize%22%5D%2C%22_url%22%3A%22aHR0cHM6Ly9hdXRoLmNvLm5vcy5wdC9vYXV0aDI%3D%22%2C%22keepPdata%22%3A%5B%22issuerRequestoauth2%22%2C%22issuerRequestoauth2Path%22%5D%7D' \
-H 'DNT: 1' \
-H 'Origin: https://internal-foobar-server.com' \
-H 'Pragma: no-cache' \
-H 'Referer: https://internal-foobar-server.com/oauth2/authorize?response_type=code&client_id=APP&scope=openid+profile+roles+email&redirect_uri=https%3A%2F%2Finternal-foobar-server.com%2Fapp%2Flogin&state=abababababababaab30a64a0a3d98e062cd2e2973127b849e57280ffa88981198a158f68e9abababababababab' \
-H 'Sec-Fetch-Dest: document' \
-H 'Sec-Fetch-Mode: navigate' \
-H 'Sec-Fetch-Site: same-origin' \
-H 'Sec-Fetch-User: ?1' \
-H 'Upgrade-Insecure-Requests: 1' \
-H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36' \
-H 'sec-ch-ua: "Google Chrome";v="107", "Chromium";v="107", "Not=A?Brand";v="24"' \
-H 'sec-ch-ua-mobile: ?0' \
-H 'sec-ch-ua-platform: "macOS"' \
--data-raw 'url=aHR0cHM6Ly9hdXRoLmNvLm5vcy5wdC9vYXV0aDI%3D&timezone=0&skin=newnos&user=username&password=mysecretpassword' \
--compressed
* Trying 10.228.56.68:443...
* Connected to internal-foobar-server.com (10.228.56.68) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
* subject: CN=*.internal-foobar-server.com
* start date: Dec 14 00:00:00 2021 GMT
* expire date: Dec 14 23:59:59 2022 GMT
* subjectAltName: host "internal-foobar-server.com" matched cert's "*.internal-foobar-server.com"
* issuer: C=PT; ST=Lisboa; L=Lisboa; O=MarketWare - foobar certifier
* SSL certificate verify ok.
> POST /oauth2/authorize?response_type=code&client_id=APP&scope=openid+profile+roles+email&redirect_uri=https%3A%2F%2Finternal-foobar-server.com%2Fapp%2Flogin&state=abababababababaab30a64a0a3d98e062cd2e2973127b849e57280ffa88981198a158f68e9abababababababab HTTP/1.1
> Host: internal-foobar-server.com
> Accept-Encoding: deflate, gzip
> Accept: text/html,application/xhtml+xml,application/json,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
> Accept-Language: en-US,en;q=0.9,pt;q=0.8,fr;q=0.7,es;q=0.6
> Cache-Control: no-cache
> Connection: keep-alive
> Content-Type: application/x-www-form-urlencoded
> Cookie: llnglanguage=en; lemonldapqmspdata=%7B%22issuerRequestoauth2%22%3A%221668527922_53631%22%2C%22issuerTs%22%3A1668599802%2C%22issuerRequestoauth2Path%22%3A%5B%22authorize%22%5D%2C%22_url%22%3A%22aHR0cHM6Ly9hdXRoLmNvLm5vcy5wdC9vYXV0aDI%3D%22%2C%22keepPdata%22%3A%5B%22issuerRequestoauth2%22%2C%22issuerRequestoauth2Path%22%5D%7D
> DNT: 1
> Origin: https://internal-foobar-server.com
> Pragma: no-cache
> Referer: https://internal-foobar-server.com/oauth2/authorize?response_type=code&client_id=APP&scope=openid+profile+roles+email&redirect_uri=https%3A%2F%2Finternal-foobar-server.com%2Fapp%2Flogin&state=abababababababaab30a64a0a3d98e062cd2e2973127b849e57280ffa88981198a158f68e9abababababababab
> Sec-Fetch-Dest: document
> Sec-Fetch-Mode: navigate
> Sec-Fetch-Site: same-origin
> Sec-Fetch-User: ?1
> Upgrade-Insecure-Requests: 1
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
> sec-ch-ua: "Google Chrome";v="107", "Chromium";v="107", "Not=A?Brand";v="24"
> sec-ch-ua-mobile: ?0
> sec-ch-ua-platform: "macOS"
> Content-Length: 114
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.20.1
< Date: Wed, 16 Nov 2022 14:47:47 GMT
< Content-Type: application/json; charset=utf-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: lemonldapqms=ababababababaabababa1656bc52b3f2956df81fb46cababababa; domain=.internal-foobar-server.comt; path=/; HttpOnly=1; SameSite=None; secure
< Cache-Control: no-cache, no-store, must-revalidate
< Pragma: no-cache
< Expires: 0
< Access-Control-Allow-Origin: https://internal-foobar-server.com
< Access-Control-Allow-Methods: *
< Access-Control-Allow-Credentials: true
< Set-Cookie: lemonldapqmspdata=; path=/; expires=Wed, 21 Oct 2015 00:00:00 GMT; HttpOnly=1; SameSite=None; secure
< Access-Control-Allow-Origin: https://internal-foobar-server.com
< Access-Control-Allow-Headers: X-Requested-With, authorization
< Access-Control-Allow-Credentials: true
<
* Connection #0 to host internal-foobar-server.com left intact
{"error":"-2","id":"ababababababababa6bc52b3f2956df81fb46c40230abababababababa","result":1}%
```
### Backends used
The issue is simply that a response with Content-Type: application/json results in a 200 OK, completely different from the 302 Location returned when the request's Accept header does not include application/json.
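The two transcripts above differ only in the Accept header, and only the first gives the relying party a usable result. The check below is an added example written for this note, not code from the issue or from LemonLDAP::NG: it parses an Accept header the way RFC 7231 section 5.3.2 describes (a media type with q=0 is not offered), and classifies an authorization response the way a relying party should, verifying that a redirect goes to the requested redirect_uri, carries a code, and echoes the state that was sent. The two sample responses are constructed from the transcript with the redacted values shortened. The `id` field in the JSON body shares most of its non-redacted characters with the lemonldapqms session cookie set in the same response, so the classifier flags it as a value to keep out of logs.

```python
"""Classify what an OIDC authorization endpoint returned and check the state binding.

Added example for this note; it is not code from the issue or from LemonLDAP::NG.
The two sample responses are constructed from the transcript in the issue with the
redacted values shortened.
"""
import json
from urllib.parse import parse_qs, urlsplit


def accepted_media_types(accept_header):
    """Media types offered by an Accept header with q > 0, in header order.

    Parameters other than q (for example ``v=b3``) are ignored.
    """
    offered = []
    for item in accept_header.split(","):
        parts = [p.strip() for p in item.split(";")]
        media, quality = parts[0], 1.0
        for param in parts[1:]:
            if param.lower().startswith("q="):
                try:
                    quality = float(param[2:])
                except ValueError:
                    quality = 0.0
        if media and quality > 0:
            offered.append(media)
    return offered


def classify_authorize_response(status, headers, body, expected_state, redirect_uri):
    """Describe an authorization response as the relying party should see it.

    Returns a dict with ``kind`` ("redirect", "json" or "unexpected") and a list of
    ``problems``; an empty list means a usable code response bound to our state.
    """
    lower = {name.lower(): value for name, value in headers.items()}
    result = {"status": status, "kind": "unexpected", "problems": []}
    problems = result["problems"]

    if status in (302, 303) and "location" in lower:
        result["kind"] = "redirect"
        target = urlsplit(lower["location"])
        params = parse_qs(target.query)
        # Only accept codes delivered to the redirect_uri this RP asked for.
        if f"{target.scheme}://{target.netloc}{target.path}" != redirect_uri:
            problems.append("redirect target differs from the requested redirect_uri")
        if "code" not in params:
            problems.append("no authorization code in the redirect")
        # state ties the callback to the request this RP started (CSRF protection).
        if params.get("state", [None])[0] != expected_state:
            problems.append("state does not match the value sent in the request")
        return result

    if status == 200 and lower.get("content-type", "").startswith("application/json"):
        result["kind"] = "json"
        try:
            document = json.loads(body)
        except ValueError:
            problems.append("body is not valid JSON")
            return result
        result["fields"] = sorted(document)
        problems.append("no redirect: the RP callback never receives code and state")
        if "id" in document:
            # In the transcript this value overlaps the session cookie; keep it out of logs.
            problems.append("JSON body carries an 'id' value; treat it as a secret")
        return result

    problems.append("neither a redirect nor a JSON document")
    return result


# Constructed from the two responses in the issue (values redacted and shortened).
REQUEST_STATE = "abab30a64a0a3d98e062cd2e2973127b849e57280ffa88981198a158f68e9abab"
REDIRECT_URI = "https://internal-foobar-server.com/app/login"
ACCEPT_HTML = ("text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,"
               "image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9")
ACCEPT_WITH_JSON = ACCEPT_HTML.replace("application/xhtml+xml,",
                                       "application/xhtml+xml,application/json,")

RESPONSE_302 = (302, {"Location": f"{REDIRECT_URI}?session_state=abab&state={REQUEST_STATE}&code=abab"}, "")
RESPONSE_200 = (200, {"Content-Type": "application/json; charset=utf-8"},
                '{"error":"-2","id":"abab6bc52b3f2956df81fb46c40230abab","result":1}')


def probe():
    """Run both constructed responses through the classifier, keyed by the Accept variant."""
    return {
        "without json": classify_authorize_response(*RESPONSE_302, REQUEST_STATE, REDIRECT_URI),
        "with json": classify_authorize_response(*RESPONSE_200, REQUEST_STATE, REDIRECT_URI),
    }


if __name__ == "__main__":
    for label, outcome in probe().items():
        print(label, json.dumps(outcome, indent=2))
```

Against a live server the same classifier would be fed the status, headers and body of each curl run; the point of keeping the state check in it is that a client which accepts whatever comes back (a 200 with a token-like `id`, or a redirect with a foreign `state`) is the one an attacker will target.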
Milestone/label: In discussion. Assignee: Maxime Besson.

## #2788 improve ::Common::PSGI->templateDir
Author: Maxime Besson. Updated: 2024-03-27T10:09:13Z. https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2788

### Concerned version
Version: 2.0.14
### Summary
The `templateDir` attribute of PSGI objects is inconsistent and has bugs:
* Declared as `Str|ArrayRef` in ::Common::PSGI
* But concatenated as if it were always a flat string [here](https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/blob/v2.0.14/lemonldap-ng-common/lib/Lemonldap/NG/Common/PSGI.pm#L289)
* Portal's templateDir grows at every request [here](https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/blob/v2.0.14/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm#L845)
* Portal's templateDir is not even used in Portal::Main::sendHtml to locate the template; the path is constructed from `$self->conf->{templateDir}`
It would be nice if templateDir could be set (in .ini or at PSGI object creation) to an arrayref. This would allow us to write unit tests that use custom skins (in t/templates + site/templates, which is not possible currently)
TODO:
* build sendHTML/loadTemplate paths from product of templateDirs x [ current_skin, bootstrap ]
* handle trOver
* replace all calls to $self->conf->{templateDir} with a path lookup method
* fix attachment in emails
After #2789 is fixed, investigate HTML_TEMPLATE_ROOT

Milestone/label: 2.20.0. Assignee: Maxime Besson.

## #2754 MDQ support
Author: Antoine Gallavardin. Updated: 2022-05-19T14:34:21Z. https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2754

### Summary
Hello
RENATER, the French NREN, wants to reduce XML transaction load between IdP and SP in the French federation and eduGAIN context.
For this, they plan to use the MDQ protocol: https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2060616133/MDQMetadataProvider
(no planning has been announced)
See slide 10: https://conf-ng.jres.org/2021/document_revision_2174.html?download
A rewrite of the metadata fetching tool is currently in progress; is it possible to integrate the MDQ basics?
Thanks in advance!
### Design proposition
Maybe convert the importMetadata script into an additional daemon which could interact with the LL::NG instance?
Need some help?

Milestone/label: 3.0.0.

## #2700 session extension hook
Author: dcoutadeur. Updated: 2024-03-27T10:57:12Z. https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2700

### Summary
This feature is asked for by a customer, but can be interesting for others, especially if it is designed in a generic way.
The main feature is to intercept some events and trigger an SSO session extension.
### Design proposition
After some basic research, I didn't find any sort of norms or standards for this.
Here is the design proposition:
1. the hook will intercept some events. Possible events are:
- when the user calls the /ping endpoint on the portal, with a valid cookie
- when the user authenticates,
- when the user reauthenticates,
- when the user asks for a "refresh my rights from the portal",
- when the user is asked for a session upgrade (he must enter a second factor for accessing a more secure application)
- when an application sends a direct call to /ping, with the user session id passed in the Authentication header (we should think about security risks. Maybe replay attacks?)
- when refreshing an access token with a refresh token
- any other event I haven't thought about?
The list of triggering events must be customizable.
2. it possibly triggers two actions:
- if timeoutActivity is set, it performs the same actions as in `Handler/Main/Run.pm` (function `retrieveSession`): it verifies that the session is valid, checks that the session is not expired (timeoutActivity), and updates _lastSeen in the session. Note: thus it may be interesting to factorize this code if possible.
- it triggers an AT refresh thanks to the refresh token. The list of OIDC providers on which it is triggered must be customizable. Obviously, the refresh must occur only if the user has authenticated against the given OIDC provider.
Do not hesitate to discuss this proposition and give your ideas.

Milestone/label: 2.19.0. Assignee: dcoutadeur.

## #2665 Sessions without '_session_kind' attribute are not purged by purgeCentralCache script
Author: Christophe Maudoux. Updated: 2024-03-27T10:09:52Z. https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2665

### Concerned version
Version: 2.0.X
Platform: Nginx + Browseable::PgJson BE
Furthermore, I don't know why _session_kind is not set...
```
/usr/share/lemonldap-ng/bin/purgeCentralCache -df
Configuration loaded
Timeout value: 18000
Session backend Apache::Session::Browseable::PgJSON will be used
SAML backend Apache::Session::Browseable::PgJSON will be used
OIDC backend Apache::Session::Browseable::PgJSON will be used
0 sessions have been purged
```
(screenshot attachment Capture_d_écran_du_2021-11-25_10-10-11.png, not reproduced here)

Milestone/label: Backlog. Assignee: Christophe Maudoux.

## #2642 Changing `timeout` can have temporary unintended consequences for other timeouts, I think
Author: David Mandelberg. Updated: 2021-10-15T18:13:30Z. https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2642

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/blob/0a17936a397e2ce84d2cf95c29552997798010d9/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm#L972 looks like it relies on a cleanup job using the main `timeout` to invalidate authorization codes, access tokens, and refresh tokens. That means that if an admin increases the value of `timeout`, it would also cause any of those other things that were valid before the increase to stay valid longer than they should, right? For a refresh token, that seems fine, but for an authorization code, that could extend it from 60 seconds to much longer. (After looking at the code, I found https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1879#note_48192 which mentions how the code appears to work now, but not this issue with accidentally increasing the timeout for things that should have short timeouts. Also, I haven't tested this so I might be wrong, I'm just guessing at the behavior from looking at the code.)

Milestone/label: 3.0.0.

## #2633 Add graceful reload to llng-fastcgi-server
Author: Maxime Besson. Updated: 2022-01-14T16:27:46Z. https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2633

### Summary
We should add a hot-reload feature to llng-fastcgi-server for users who don't want to install uwsgi
### Design proposition
Not easy to do: plackup -s FCGI does not gracefully stop, so Server::Starter can't help us

Milestone/label: 3.0.0. Assignee: Maxime Besson.

## #2545 Consolidate login timeout settings
Author: Maxime Besson. Updated: 2021-07-01T20:59:27Z. https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2545

### Summary
We have too many different timeouts for "waiting for the user to do something":
* formTimeout
* issuersTimeout
* mail2fTimeout
* mailTimeout
* registerTimeout
* oidcRPStateTimeout
* samlRelayStateTimeout
All these timeouts have different, sometimes inconsistent values (samlRelayStateTimeout vs issuersTimeout in a SAML-to-SAML scenario) or values that are too short by default (formTimeout, #2544)
### Design proposition
We should consolidate all these timeouts into broader categories.
For example:
* "User action that should be done quickly" => validating an info message, etc, could be 2 minutes by default
* "User action that takes some time" => filling a complex form, installing an OTP app, remembering their password => could be 5 or even 10 minutes by default
* etc.
As an example, this is how Keycloak does it:
(screenshot of Keycloak's timeout settings, not reproduced here)

Milestone/label: 3.0.0. Assignee: Christophe Maudoux.

## #2514 improve Content-Security-Policy handling
Author: Maxime Besson. Updated: 2022-05-01T09:37:03Z. https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2514

### Summary
The way CSP currently works could be improved. Currently all the work is done in sendHtml().
Heuristics, feature tests and regexps are used to populate the CSP, combined with user-defined options.
We should instead let each module/LLNG feature handle its own CSP (see `$req->data->{cspFormAction}`).
### Design proposition
Example of a better API, in Choice.pm
<pre>
$req->setCSP("form-action", $url);
</pre>
or when embedding an iframe:
<pre>
$req->setCSP("frame-src", $url);
</pre>
(see also #2513)

Milestone/label: 3.0.0. Assignee: Maxime Besson.

## #2485 SAML: support eduPersonTargetedID attributes
Author: Antoine Gallavardin. Updated: 2023-06-19T13:58:10Z. https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2485

### Summary
When LemonLDAP::NG acts as a SAML2 IdP it should be able to deliver the eduPersonTargetedID attribute.
This attribute is very widely used inside the research and education inter-federation.
See:
- https://www.switch.ch/aai/support/documents/attributes/edupersontargetedid/
- https://services.renater.fr/documentation/supann/supann2020/recommandations2020/attributs/edupersontargetedid
This attribute is based on the
- SP entityID
- IdP entityID
- user ID
See the example value on the French website.
### Design proposition
I have no idea about the implementation and complexity.
One solution is to allow LemonLDAP to get the entityID of both IdP and SP during the SAML session.
Based on those fetched values, we could use the macro system like:
$idpEntityID."!".$idpEntitySP."!".$userPrincipaleName or
$idpEntityID."!".$idpEntitySP."!".encrypt($userPrincipaleName)

Assignee: Maxime Besson.

## #2466 GD::SecurityImage seems unmaintained
Author: Yadd. Updated: 2021-02-18T08:17:25Z. https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2466

### Concerned version
Version: 2.0.x
Platform: any
### Summary
Looking at the [GD::SecurityImage upstream repo](https://github.com/burak/CPAN-GD-SecurityImage) _(and the [lack of responses](https://github.com/burak/CPAN-GD-SecurityImage/issues) to our bugs)_, this library looks unmaintained. I think we should replace it either with a better maintained library, or by building our own _(using a fork of GD::Security?)_.
For now, there is no known security issue, that's why I assigned this issue to 3.0.0.

Milestone/label: 3.0.0.

## #2464 OpenId Connect access token expiration
Author: Heinz Mayer. Updated: 2021-06-24T13:46:18Z. https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2464

Version: 2.0.9
We use LemonLDAP with Keycloak as Identity Provider (OpenID Connect)
LemonLDAP ignores the "Expiration time" in the OIDC access token
I would expect that LemonLDAP reauthenticates if the Keycloak session ended

Milestone/label: FAQ.

## #2431 Rework CAS service URL matching
Author: Maxime Besson. Updated: 2021-01-05T18:15:44Z. https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2431

### Summary
With #2321 we modified the way CAS service URLs are matched.
In the interest of compatibility, we kept the previous behavior of matching on hostname only, but added the possibility of specifying a URL prefix (for people who have all their apps behind the same host)
This behavior is complex, and somewhat insecure (because of the host-only fallback). We need to fix this in 3.0 by breaking compatibility with the hostname-only match and enforcing a stricter match on CAS service URLs.
### Design proposition
* Maybe keeping the current prefix-matching system
* Maybe using regexps like Apereo, to allow more control

Milestone/label: 3.0.0.

## #2423 LLNG cli tools are not in PATH after package install
Author: Maxime Besson. Updated: 2021-01-08T17:21:51Z. https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2423

lemonldap-ng-cli, lemonldap-ng-sessions, convertConfig, convertSessions, etc., are not in PATH after a package install. This hurts the discoverability of these tools, and makes using them more inconvenient in general.
We should decide on a consistent naming scheme (lemonldap-ng-convert-sessions for example) and install all these commands in /usr/sbin when using RPMs and DEBs

Milestone/label: 3.0.0.

## #2421 Logo files should be packaged within skins
Author: Maxime Besson. Updated: 2020-12-21T15:31:51Z. https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2421

See #2388 for background
Most custom deployments will want to replace the default logos with their own and they should do this using skins. But default templates look for logos in common/ explicitly

Milestone/label: 3.0.0.

## #2418 Start date displayed in Manager is based on _utime, which may be not the real start date
Author: Clément OUDOT. Updated: 2024-03-27T10:12:02Z. https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2418

When displaying sessions in Manager, we display "Sessions started", which is based on _utime. But the value of _utime can be modified to extend the lifetime of the session, so the information displayed is not accurate. This is the case for offline sessions, where the start date will always be in the future (as offline session lifetime is often greater than session timeout).
* First option: do not display start date, or just for SSO sessions, based on _startTime
* Second option: change the purge mechanism so we can handle different timeout values for different session kinds

Milestone/label: Backlog. Assignee: Christophe Maudoux.

## #2416 Use the same terminology in base and in manager
Author: Paul Curie. Updated: 2020-12-15T17:03:18Z. https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2416

Today I found out that "None" in the manager is "Null" in the db for "passwordDB" (this is an example).
We document a "Null" auth: https://lemonldap-ng.org/documentation/latest/authnull.html
I think it would be a good idea to use "Null" inside the manager instead of "None"
I will try to provide a PR later, let me know what you think.

Milestone/label: In discussion. Assignee: Paul Curie.

## #2402 Append an option to hide identity providers (SAML, CAS, OIDC)
Author: Christophe Maudoux. Updated: 2022-09-06T16:54:01Z. https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2402

### Summary
Sometimes it can be useful to be able to hide an IdP.
### Design proposition
Append a hideIdP option

Milestone/label: 3.0.0. Assignee: Christophe Maudoux.

## #2362 unprotect rule does not recognize existing sessions when using CDA
Author: Ghost User. Updated: 2020-10-30T17:33:31Z. https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2362

I am trying to set up a subdomain where an authenticated user would be authenticated to the app with an HTTP header.
For that I used the `unprotect` rule like so:
```json
"locationRules": {
"example.com": {
"default": "unprotect"
}
},
"vhostOptions": {
"example.com": {
"vhostType": "CDA"
}
}
```
But authenticated users are not detected.
I was expecting that LemonLDAP would make a redirection to the portal to check if a session exists and then come back and set a cookie to identify the user.
Am I wrong somewhere?

Milestone/label: FAQ.
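A small model of how a handler evaluates rules like the ones in this issue, added here as an example and not taken from the project's code. It assumes the documented meaning of the special rules (`skip`: public, no headers; `unprotect`: public, headers only when a session is already visible to the handler; `accept`: any authenticated user; `deny`), tries rules in the order given with `default` as the fallback, and supports only `$attr eq "value"` expressions; the second vhost, `app.example.org`, and the `/admin` rule are constructed for contrast. Under that model, on a CDA vhost the SSO cookie is not visible on a first visit, and `unprotect` never redirects, so the portal round trip that would set a cookie on the application domain never starts, which is the behaviour the report describes.

```python
"""Evaluate locationRules for one request and show what `unprotect` does on a CDA vhost.

Added example for this note, not the project's handler. The meaning of the special
rules and the rule ordering are assumptions stated in the lead-in.
"""
import re

# Constructed configuration: the vhost from the issue plus a protected one for contrast.
CONFIG = {
    "locationRules": {
        "example.com": {"default": "unprotect"},
        "app.example.org": {"^/admin(/|$)": '$uid eq "admin"', "default": "accept"},
    },
    "vhostOptions": {"example.com": {"vhostType": "CDA"}},
}

# Only this subset of Perl rule expressions is modelled: $attr eq "value"
_SIMPLE_EXPR = re.compile(r'^\$(\w+)\s+eq\s+"([^"]*)"$')


def match_rule(location_rules, vhost, path):
    """Return the first rule whose regexp matches the path, else the vhost default."""
    rules = location_rules.get(vhost)
    if rules is None:
        raise KeyError(f"unknown virtual host {vhost}")
    for pattern, rule in rules.items():
        if pattern != "default" and re.search(pattern, path):
            return rule
    return rules.get("default", "deny")


def rule_allows(rule, session):
    """Evaluate a non-special rule against session attributes."""
    m = _SIMPLE_EXPR.match(rule)
    if not m:
        raise ValueError(f"rule syntax not modelled here: {rule!r}")
    attr, value = m.groups()
    return session.get(attr) == value


def decide(config, vhost, path, session):
    """Handler action: 'pass', 'pass+headers', 'redirect', 'redirect (CDA)' or 'forbidden'.

    `session` is the session the handler can see for this vhost, or None. On a CDA
    vhost the SSO cookie lives on the portal's domain, so a first visit shows no
    session even when the user is logged in at the portal.
    """
    rule = match_rule(config["locationRules"], vhost, path)
    vhost_type = config.get("vhostOptions", {}).get(vhost, {}).get("vhostType", "Main")
    if rule == "skip":
        return "pass"
    if rule == "unprotect":
        # Public URL: no redirect, so nothing ever fetches the session across domains.
        return "pass+headers" if session else "pass"
    if session is None:
        return "redirect (CDA)" if vhost_type == "CDA" else "redirect"
    if rule == "deny":
        return "forbidden"
    if rule == "accept" or rule_allows(rule, session):
        return "pass+headers"
    return "forbidden"


def walkthrough():
    """The situation from the issue and the contrasting vhost, as case -> action."""
    logged_in = {"uid": "alice"}
    return {
        "unprotect, CDA, first visit": decide(CONFIG, "example.com", "/", None),
        "unprotect, CDA, session visible": decide(CONFIG, "example.com", "/", logged_in),
        "accept, no session": decide(CONFIG, "app.example.org", "/", None),
        "accept, session": decide(CONFIG, "app.example.org", "/", logged_in),
        "admin rule, alice": decide(CONFIG, "app.example.org", "/admin/users", logged_in),
        "admin rule, admin": decide(CONFIG, "app.example.org", "/admin/users", {"uid": "admin"}),
    }


if __name__ == "__main__":
    for case, action in walkthrough().items():
        print(f"{case:35} -> {action}")
```

The first two rows are the contrast that matters here: the same `unprotect` vhost yields an anonymous pass on a first visit and headers only once a session is already visible to the handler, and nothing in between can make the cross-domain cookie appear.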