# lemonldap-ng issues
Feed: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues (updated 2024-02-01T17:14:32Z)

## No more logs Session granted for * (#3096)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3096 | Updated: 2024-02-01T17:14:32Z | Author: dcoutadeur

As stated by the documentation:
https://lemonldap-ng.org/documentation/2.0/logs.html#user-log-samples
we should have a log displaying the user logged in and his IP address:
```
[notice] Session granted for dwho by LDAP (81.20.13.21)
```
However, now, the log is managed by the GrantSession plugin, which is not enabled by default, as in the configuration we have:
```perl
'grantSessionRules' => {}
```
and an empty hash is considered disabled.
This issue is just to discuss the desired behaviour:
- set a default value:
```perl
'grantSessionRules' => {
    'always allowed##default_rule' => 1
}
```
- fix the documentation to indicate that there is no log by default, except if the admin sets a grantSessionRule

Milestone: 2.19.0 | Assignee: Maxime Besson

## No "Session granted" log if grantSession plugin not enabled (#1850)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1850 | Updated: 2024-02-01T15:22:51Z | Author: Clément OUDOT

I made a fresh installation of LL::NG, then configured it through lemonldap-ng-cli.
With this method, we never have `grantSessionRules` set in the configuration, so the plugin is never enabled. The issue is that in this case, we never have any log when a user connects.
With:
```perl
'grantSessionRules' => {},
```
We have this message:
```
[Wed Jul 10 16:02:01 2019] [LLNG:1633] [notice] Session granted for clement by LDAP (81.250.130.213)
```
But if the `grantSessionRules` parameter is not in the configuration, we have no log.
I think we must add this parameter to the default provided configuration.

Milestone: 2.0.6 | Assignee: Clément OUDOT

## Extend session lifetime when refreshing session/access token (#3088)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3088 | Updated: 2024-01-27T19:11:12Z | Author: Maxime Besson

Related to #2700
Currently, when the user obtains a new access token for an RP using a refresh token, the session is not extended (timeoutActivity/_lastSeen).
This action should be considered as session activity and thus extend the session duration.
Maybe this should also be the case when sessions are refreshed by the Refresh session API plugin?
OK for you @guimard / @clement_oudot?

Milestone: 2.19.0 | Assignee: Maxime Besson

## add a portalCustomJs option (#3094)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3094 | Updated: 2024-01-26T13:56:53Z | Author: Maxime Besson

We already have a very simple way to add CSS code to the portal without creating a new theme: portalCustomCss.
It can be useful to add some JS too, if you need to hook into some jQuery events or just do simple JS customization.

Milestone: 2.19.0 | Assignee: Maxime Besson

## LLNG mails flagged as spam by SpamAssassin (#2990)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2990 | Updated: 2024-01-25T16:37:30Z | Author: Bruno MATEU

### Affected version
Version: 2.16.2
Platform: Nginx
### Summary
The mails sent by my instance of LemonLDAP are flagged as spam by SpamAssassin.
### Details and possible fixes
Here are the detailed scores:
```plaintext
Spam detection results: 3
ALL_TRUSTED -1 Passed through trusted hosts only via SMTP
HTML_IMAGE_ONLY_12 1.629 HTML: images with 800-1200 bytes of words
HTML_MESSAGE 0.001 HTML included in message
KAM_DMARC_NONE 0.25 DKIM has Failed or SPF has failed on the message and the domain has no DMARC policy
KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
MIME_HTML_ONLY 0.1 Message only has text/html MIME parts
MISSING_MID 0.14 Missing Message-Id: header
TO_NO_BRKTS_HTML_IMG 1.999 To: lacks brackets and HTML and one image
```
Most of this is irrelevant, because it is my internal MTA that is flagging the email, so it is not yet DMARC-ed and DKIM-ed, but these scores are self-canceling with the ALL_TRUSTED rule.
The relevant rules are:
```plaintext
HTML_IMAGE_ONLY_12 1.629 HTML: images with 800-1200 bytes of words
MIME_HTML_ONLY 0.1 Message only has text/html MIME parts
TO_NO_BRKTS_HTML_IMG 1.999 To: lacks brackets and HTML and one image
```
- For the first one, I don't see an obvious fix; it would be dumb to add content to the email just for the sake of satisfying this rule.
- The second one is not really a huge problem but it can be an easy fix: it just needs to add a text/plain part to the email next to the HTML version.
- The last one is also an easy fix. It triggers (among other reasons) because the `To:` field of the email doesn't contain brackets `<>`. Currently, this contains `To: $mail`. I've fixed it temporarily by editing https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/blob/v2.0/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/SMTP.pm#L145 to contain `To => '<' . $mail . '>'` and it passes the rule correctly. A prettier solution would be to use the `$cn` of the user to forge a nice To field in the email, something like `$cn . '<' . $mail . '>'`.

Milestone: 2.18.0 | Assignee: Clément OUDOT

## Display an error message when issuer context is not restored (#3092)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3092 | Updated: 2024-01-25T15:49:33Z | Author: Maxime Besson

### Affected version
Version: 2.18.1
### Summary
* Configure LLNG as a SAML/OIDC or CAS issuer
* Initialize login from an SP
* Log in using 2FA, SAML or something else that takes longer than issuersTimeout to perform
* Login works, but you are redirected either to the portal (SAML/CAS) or to an error message (OIDC)
### Logs
```
[INFO] Bad (or expired) token 1706124567_32351
[ERROR] Unknown response type:
```
### Possible fixes
The user often gets confused about ending up on the portal; we should at least give them an error message that says they took too long, so that they can understand why the application isn't displayed.

Milestone: 2.19.0 | Assignee: Maxime Besson

## Most viewed applications category in Menu (#1690)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1690 | Updated: 2024-01-23T13:28:23Z | Author: Clément OUDOT

A new feature request: have a specific category to list the most accessed applications.
We need to update a counter from the Handler and from the Issuer CAS/SAML/OIDC; this counter will be stored in the persistent session.
The difficulty is also to map an application item in the menu to a vhost/CAS/SAML/OIDC entry.

Milestone: 3.0.0 | Assignee: Clément OUDOT

## XSS protection of CAS service parameter should be removed (#2540)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2540 | Updated: 2024-01-18T08:25:29Z | Author: Maxime Besson

In #1795 we implemented an XSS check on the service= parameter of the CAS issuer (1a8948894d61e1f37dda5c95f2ea0a619545f5f6).
However this change breaks some applications, such as Ametys CMS, which generates login URLs that look like this:
```
https://cms.example.com/plugins/core/authenticate/0?contexts=%2Fsites%2Fintranet%2C%2Fsites%2Ftest-projet-b%2C%2Fsites%2Ftest-ametys%2C%2Fsites%2Fcatalogue
```
Note: `%2C` is a legitimate separator in this context.
According to discussions in #1795, this check is meant to protect against tampering with the Location: header.
However, checkXSSAttack does NOT prevent header injection (it is supposed to prevent XSS in HTML documents, a completely different issue). You can try with the following example:
```
http://auth.example.com/cas/login?service=http://cas.example.com/test%0D%0AX-Test:%20inject%0D%0A
```
This attack is caught by
```perl
unless ( $service =~ m#^(https?://[^/]+)(/.*)?$# ) {
    $self->logger->error("Bad service $service");
    return PE_ERROR;
}
```
<details><summary>(click here to see what happens if I disable this code)</summary>
I'm surprised Plack does not protect you from this:
![image](/uploads/0e01c2040cb7a6992625fa20ebe3ecb8/image.png)
</details>
but this attack is NOT caught by
```perl
$service = '' if ( $self->p->checkXSSAttack( 'service', $service ) );
```
which makes this check counter-productive in my opinion.
### Conclusion
Checking for XSS attacks should only be done for values that are displayed in HTML pages. For values used in Location: headers, we should only check:
* If they are properly formatted URLs (!185)
* If they are in the list of allowed redirection targets (trustedDomains, declared vhost, etc.)

Milestone: 3.0.0 | Assignee: Maxime Besson
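An added example, not part of this issue or of LL::NG's code, of the two checks the conclusion calls for, applied to the decoded `service` value as the CAS issuer sees it: a structural URL check that rejects the CRLF payload above without any XSS filtering, then a host allow-list standing in for trustedDomains / declared vhosts. The allow-list, its ".suffix" wildcard semantics and the function names are assumptions made for the example.

```python
from typing import Tuple
from urllib.parse import urlsplit

# Constructed allow-list standing in for trustedDomains / declared vhosts.
# An entry starting with "." allows that domain and all its subdomains
# (assumed semantics for this example, not LL::NG's configuration syntax).
ALLOWED_TARGETS = ["cms.example.com", ".apps.example.com"]


def is_well_formed_http_url(url: str) -> bool:
    """Structural check only: http(s), a host, no credentials, no control chars.

    The control-character test runs on the raw string on purpose: recent
    Python versions of urlsplit() silently strip CR/LF, so testing after
    parsing would miss exactly the bytes that break out of a Location: header.
    """
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False  # "user@host" forms are never legitimate CAS services
    return True


def host_is_allowed(host: str, allowed=ALLOWED_TARGETS) -> bool:
    """Exact match, or suffix match for ".domain" entries (never substring)."""
    host = host.lower().rstrip(".")
    for entry in (e.lower() for e in allowed):
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def check_service(url: str, allowed=ALLOWED_TARGETS) -> Tuple[bool, str]:
    """Validate a redirect target; returns (accepted, reason).

    Neither step involves HTML escaping: the value ends up in a header, so
    the only questions are "is it a URL?" and "may we send the browser there?".
    """
    if not is_well_formed_http_url(url):
        return False, "malformed URL or control character"
    if not host_is_allowed(urlsplit(url).hostname, allowed):
        return False, "host not in allowed redirection targets"
    return True, "ok"
```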
## JWT shouldn't have a "kid" when using symmetric sign algorithm (#3084)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3084 | Updated: 2024-01-17T09:54:11Z | Author: Jérémie Pierson

### Affected version
Version: 2.18.1
Platform: Nginx
### Summary
When using HS256 (or 384 | 512) as ID Token signature algorithm in an OpenID Connect Relying Party, a "kid" property is added even though no asymmetric key will be used. This confuses Apache mod-auth-openidc (latest version in Debian), which fails to verify the signature and rejects the token.
Note: this manifests only because we do have RSA signing keys with a "kid" configured in OpenID Connect Service.
### Possible fixes
I tried to remove the following three lines in Portal/Lib/OpenIDConnect.pm:
```
--- Portal/Lib/OpenIDConnect.pm.ori 2024-01-15 14:56:20.675925536 +0100
+++ Portal/Lib/OpenIDConnect.pm 2024-01-15 14:52:27.247075049 +0100
@@ -2267,9 +2267,6 @@
encode_jwt(
payload => to_json($payload),
alg => $alg,
- extra_headers => {
- kid => $self->conf->{oidcServiceKeyIdSig},
- },
@keyArg,
);
};
```
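Review bot: dropping the `extra_headers => { kid => ... }` lines unconditionally removes the kid for every algorithm, including RS256, where `oidcServiceKeyIdSig` is what lets an RP pick the right key from the JWKS (see #3066 on this page, where a missing kid was already treated as a regression). Make the header depend on `$alg` instead, e.g. `( $alg =~ /^HS/ ? () : ( extra_headers => { kid => $self->conf->{oidcServiceKeyIdSig} } ) ),` so HS256/384/512 tokens carry no kid while asymmetric ones keep it.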
and it does seem to fix this problem (tested only with HS256 and RS256).
May be related to commit 7a407da7d8cb642fd5b5ec24fa35d5c38aab5e24; seems like a previous issue #3066 was fixed two times in parallel :-)

Milestone: 2.18.2 | Assignee: Maxime Besson

## oidcDropCspHeaders shouldn't drop CORS headers (#3081)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3081 | Updated: 2024-01-17T09:51:29Z | Author: Yadd

When using this option, if the relying party is inside a web app, Chromium refuses to download OIDC metadata because of the lack of CORS headers.
Fixed by !432

Milestone: 2.18.2 | Assignee: Yadd

## UserDB::OpenIDConnect doesn't handle arrays of values (#3079)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3079 | Updated: 2024-01-17T08:26:28Z | Author: Maxime Besson

### Affected version
Version: 2.18.1
### Summary
* Configure an OIDC OP to send multi-valued claims
* Configure that claim as an exported attribute in LLNG
* Exported attribute is stored as an arrayref
### Logs
```
[debug] Store ARRAY(0x6390dd0) in session key groups
```

Milestone: 2.19.0 | Assignee: Maxime Besson

## OIDC Special-scope hook system (#3083)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3083 | Updated: 2024-01-17T03:58:50Z | Author: Yadd

### Summary
The idea is to provide a plugin system to be able to add special scopes in the OIDC flow (scopes not related to the user's attributes).
### Design proposition
Special plugin keyword

Milestone: In discussion | Assignee: Yadd

## "kid" missing from emitted JWT (#3066)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3066 | Updated: 2024-01-15T14:27:31Z | Author: Maxime Besson

Following the migration to Crypt::JWT, ID tokens no longer contain a "kid".
Some applications require them, even if we expose only one key, so this has to be considered as a regression.

Milestone: 2.18.1 | Assignee: Maxime Besson

## Add option to drop CSP headers from OIDC response (#2960)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2960 | Updated: 2024-01-09T07:48:44Z | Author: Yadd

### Summary
Most mobile apps that use OIDC delegate authentication to the browser. Then the redirect list may contain "app.name://" URIs.
A bug in Safari doesn't allow such URIs in CSP headers. Then this feature allows one to drop CSP headers from OIDC responses (at least authorization responses).

Milestone: 2.17.0 | Assignee: Yadd

## [OIDC] Implement optional "Passing Request Parameters as JWTs" (#3073)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3073 | Updated: 2024-01-03T03:56:43Z | Author: Yadd

See [OIDC Core - JWTRequests](https://openid.net/specs/openid-connect-core-1_0.html#JWTRequests)
Already implemented on OP side, missing in RP.
Needed by #3030

Milestone: 2.19.0 | Assignee: Yadd

## Regression in configuration reload (#3068)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3068 | Updated: 2023-12-22T22:56:15Z | Author: Maxime Besson

I am able to reproduce a rather strange regression caused by ec8b3e30e9f38900addf96c7033d4c7d99f0d9f7:
* Only when one of my vhosts uses logout_app_sso
* A config change in the manager is not immediately applied on the portal (checkConf=1 in llng.ini)
* Config changes in the CLI are immediately applied
Low priority but annoying.

Milestone: 2.18.1 | Assignee: Maxime Besson

## Error when verifying signature when OP uses more than one key and kid missing in ID Token (#3067)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3067 | Updated: 2023-12-21T17:42:23Z | Author: Maxime Besson

cf #3065
This is not permitted in OIDC but we might want to support it for some applications / older LLNG releases.
MR !423

Milestone: 2.18.1 | Assignee: Yadd
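An added example (not LL::NG's or Crypt::JWT's code) covering both this issue and #3084 above: on the issuing side the `kid` is attached only for asymmetric algorithms, so an HS256 ID Token carries none; on the verifying side candidate keys are chosen by `kid`, and a token without `kid` against an OP that publishes several keys is accepted only in an explicit lenient mode. The JWKS, the secret and all function names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, List, Optional

ASYMMETRIC_PREFIXES = ("RS", "ES", "PS")

# Constructed sample key set: only the fields the selection logic looks at.
SAMPLE_JWKS: List[Dict] = [
    {"kty": "RSA", "kid": "2023-key", "use": "sig"},
    {"kty": "RSA", "kid": "2024-key", "use": "sig"},
]

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jose_header(alg: str, kid: Optional[str]) -> Dict:
    """Protected header; kid names a published key, so only asymmetric algs get one."""
    header = {"alg": alg, "typ": "JWT"}
    if kid and alg[:2] in ASYMMETRIC_PREFIXES:
        header["kid"] = kid
    return header

def sign_hs256(payload: Dict, secret: bytes, kid: Optional[str] = None) -> str:
    """Compact JWS with HS256. A configured kid is deliberately not emitted."""
    h = b64url(json.dumps(jose_header("HS256", kid), separators=(",", ":")).encode())
    p = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url(sig)}"

def verify_hs256(token: str, secret: bytes) -> bool:
    h, p, s = token.split(".")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(b64url(expected), s)

def decode_header(token: str) -> Dict:
    seg = token.split(".")[0]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def select_keys(jwks: List[Dict], header: Dict, allow_missing_kid: bool) -> List[Dict]:
    """Keys a verifier may try for this token.

    - kid present: exactly the matching key (an unknown kid yields [] -> reject).
    - kid absent, one suitable key: that key (nothing ambiguous to resolve).
    - kid absent, several keys: [] unless allow_missing_kid, the lenient mode
      for OPs that omit kid; then every suitable key is tried in turn.
    """
    alg = header["alg"]
    kty = "oct" if alg.startswith("HS") else "EC" if alg.startswith("ES") else "RSA"
    suitable = [k for k in jwks if k.get("kty") == kty and k.get("use", "sig") == "sig"]
    kid = header.get("kid")
    if kid is not None:
        return [k for k in suitable if k.get("kid") == kid]
    if len(suitable) == 1 or allow_missing_kid:
        return suitable
    return []
```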
## Error when verifying signature when OP uses more than one key and kid provided in ID Token (#3065)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3065 | Updated: 2023-12-21T15:23:39Z | Author: Clément OUDOT

After updating to 2.18, JWTs issued by Google are not valid anymore:
```
[Wed Dec 20 21:51:55 2023] [LLNG:2423922] [debug] Verification of JWT signature: eyJhbGciOiJSUzI1NiIsImtpZCI6IjliMDI4NWMzMWJmZDhiMDQwZTAzMTU3YjE5YzRlOTYwYmRjMTBjNmYiLCJ0eXAiOiJKV1QifQ....GOHTD7-J_zZXbqgB8bFDCX4wZ_fXChnCD4oneFrs-RBo7YK-PVd1tKdALblpBQRZ8HVV4WjrL9Q0jvfN6AKZGSDsBo2cLhZhKpN_bVS19uLmVq0EyN1YBJd_seFQpbQCeKLxPvlf3oIJQPHOKaw0Yfbpuv_Lmy1bx7QUq0VShm6gOAfUsWvYwhONfGA621UXbDl8eafn05EhrwIExGofHF37eQCBvO0_WS55F4zlxBg643f2Nbb9M5QZX4kBUiPoIY6I_qz7WRLyx9lGEK0UP9PkXWDGy87r7Sq9j4g01ybS3Q33pT26e3g68Mm_eEHk_M5qF3PlbyCmmd0lRKcP6A
[Wed Dec 20 21:51:55 2023] [LLNG:2423922] [debug] JWT signature algorithm: RS256
[Wed Dec 20 21:51:55 2023] [LLNG:2423922] [error] Unable to verify JWT: JWS: invalid signature at /usr/share/perl5/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm line 1524.
[Wed Dec 20 21:51:55 2023] [LLNG:2423922] [error] Jwt was: eyJhbGciOiJSUzI1NiIsImtpZCI6IjliMDI4NWMzMWJmZDhiMDQwZTAzMTU3YjE5YzRlOTYwYmRjMTBjNmYiLCJ0eXAiOiJKV1QifQ....GOHTD7-J_zZXbqgB8bFDCX4wZ_fXChnCD4oneFrs-RBo7YK-PVd1tKdALblpBQRZ8HVV4WjrL9Q0jvfN6AKZGSDsBo2cLhZhKpN_bVS19uLmVq0EyN1YBJd_seFQpbQCeKLxPvlf3oIJQPHOKaw0Yfbpuv_Lmy1bx7QUq0VShm6gOAfUsWvYwhONfGA621UXbDl8eafn05EhrwIExGofHF37eQCBvO0_WS55F4zlxBg643f2Nbb9M5QZX4kBUiPoIY6I_qz7WRLyx9lGEK0UP9PkXWDGy87r7Sq9j4g01ybS3Q33pT26e3g68Mm_eEHk_M5qF3PlbyCmmd0lRKcP6A
[Wed Dec 20 21:51:55 2023] [LLNG:2423922] [error] JWT signature verification failed
```
But the JWT is valid: https://oauth2.googleapis.com/tokeninfo?id_token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjliMDI4NWMzMWJmZDhiMDQwZTAzMTU3YjE5YzRlOTYwYmRjMTBjNmYiLCJ0eXAiOiJKV1QifQ....GOHTD7-J_zZXbqgB8bFDCX4wZ_fXChnCD4oneFrs-RBo7YK-PVd1tKdALblpBQRZ8HVV4WjrL9Q0jvfN6AKZGSDsBo2cLhZhKpN_bVS19uLmVq0EyN1YBJd_seFQpbQCeKLxPvlf3oIJQPHOKaw0Yfbpuv_Lmy1bx7QUq0VShm6gOAfUsWvYwhONfGA621UXbDl8eafn05EhrwIExGofHF37eQCBvO0_WS55F4zlxBg643f2Nbb9M5QZX4kBUiPoIY6I_qz7WRLyx9lGEK0UP9PkXWDGy87r7Sq9j4g01ybS3Q33pT26e3g68Mm_eEHk_M5qF3PlbyCmmd0lRKcP6A
So there should be a problem on the LL::NG side but I don't see what.

Milestone: 2.18.1 | Assignee: Yadd

## Possibility to remember second factor / 2FA on a device, to avoid entering it at each authentication (#2490)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2490 | Updated: 2023-12-20T11:13:08Z | Author: Clément OUDOT

The goal is to remember that the user already connected with a 2FA on a device, which becomes a "trusted device", and 2FA is not requested anymore.
This could be a permanent/long-lifetime cookie with a ciphered value that will be checked by the portal to validate the second factor step. The portal should check that the cookie is valid for the connected user.
Code from the StayConnected plugin could be reused here.
This may imply a new portal menu to allow a user to revoke a trusted device.

Milestone: 2.18.0 | Assignee: Maxime Besson

## Handle acr_values in Issuer::OpenIDConnect (#3017)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3017 | Updated: 2023-12-20T10:30:55Z | Author: Maxime Besson

### Summary
* We should allow RPs to request a particular authentication level with the acr_values parameter
### Design proposition
* Parse acr_values and set targetAuthnLevel accordingly
* Allow targetAuthnLevel to be customized in a hook

Milestone: 2.18.0 | Assignee: Maxime Besson