lemonldap-ng issues
Feed URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
Updated: 2024-03-28T10:35:05Z

Issue #3040: Allow auto-detection of portal URL and domain
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3040
Updated: 2024-03-28T10:35:05Z
Author: Maxime Besson

One of my LLNG instances needs to be reached by internal and external users but on a different URL.

The portal uses `$self->conf->{portal}` and `$self->conf->{domain}` to get its own URL and cookie domain. But it doesn't work in this particular use case, because in my use case the portal and domain depend on `$req`.

This is similar to #933, but I think the fix proposed there no longer works since the migration to PSGI.

In the handler: it's probably not too difficult to do because every access to the portal URL goes through `$class->tsv->portal`. We just need to pass `$req` to it.

In the portal: we need to replace all calls to `$self->conf->{portal}` and `$self->conf->{domain}` with methods such as `getPortalUrl($req)` and `getDomain($req)`. This will require a lot of refactoring, but I think it's a good idea because users will no longer have to define the `portal` and `domain` configuration variables in most cases.

This is also a requirement of #2285.

If I can find sponsorship for this feature I might implement it in 2.19.

Milestone: 2.19.0
Assignee: Maxime Besson

Issue #2902: Implement "OpenID Connect Native SSO for Mobile Apps 1.0"
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2902
Updated: 2024-03-28T07:43:42Z
Author: Yadd

There is a new specification in OpenID-Connect (draft):
https://openid.net/specs/openid-connect-native-sso-1_0.html

Milestone: 2.20.0
Assignee: Yadd

Issue #3127: Support SAML subject-id and pairwise-id natively
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3127
Updated: 2024-03-27T13:29:12Z
Author: Maxime Besson

subject-id and pairwise-id are replacements for SAML NameIDs, in use in Renater/Edugain federations:
https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/cs01/saml-subject-id-attr-v1.0-cs01.html

Currently, subject-id and pairwise-id can be enabled via a macro, but this is complex to configure, especially pairwise-id, which must be configured as a per-SP macro for all SPs.

Maybe we should natively implement subject-id and pairwise-id through simple options in SAML SP configs.

Milestone: 2.20.0
Assignee: Maxime Besson

Issue #3116: Restart authentication process when error is linked to token expiration
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3116
Updated: 2024-03-27T10:59:00Z
Author: Clément OUDOT

Currently, when the security token is expired (`Returned error: 82 (PE_TOKENEXPIRED)`), we end up on the error page and the user must return to the portal to restart the authentication process.
It could be better to display the error on the login form so the user can directly restart the authentication process.

Milestone: 2.20.0

Issue #2925: Support samlValidate in CAS 3.0 protocol
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2925
Updated: 2024-03-27T10:57:42Z
Author: Clément OUDOT

Some products rely on /samlValidate for ticket validation:
https://apereo.github.io/cas/6.6.x/protocol/CAS-Protocol-Specification.html#42-samlvalidate-cas-30

We should implement it.

Milestone: Backlog

Issue #2700: session extension hook
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2700
Updated: 2024-03-27T10:57:12Z
Author: dcoutadeur dcoutadeur

### Summary
This feature is asked by a customer, but can be interesting for others, especially if it is designed in a generic way.

The main feature is to intercept some events and trigger an SSO session extension.

### Design proposition

After some basic research, I didn't find any sort of norms or standards for this.

Here is the design proposition:

1. the hook will intercept some events. Possible events are:
   - when the user calls the /ping endpoint on the portal, with a valid cookie
   - when the user authenticates,
   - when the user reauthenticates,
   - when the user asks for a "refresh my rights from the portal",
   - when the user is asked for a session upgrade (he must enter a second factor for accessing a more secure application)
   - when an application sends a direct call to /ping, with the user session id passed in the Authentication header (we should think about security risks. Maybe replay attacks?)
   - when refreshing an access token with a refresh token
   - any other event I haven't thought about?

   The list of triggering events must be customizable.

2. it possibly triggers two actions:
   - if timeoutActivity is set, it performs the same actions as in `Handler/Main/Run.pm` (function `retrieveSession`): it verifies that the session is valid, checks that the session is not expired (timeoutActivity), and updates _lastSeen in the session. Note: thus it may be interesting to factorize this code if possible.
   - it triggers an AT refresh thanks to the refresh token. The list of OIDC providers on which it is triggered must be customizable. Obviously, the refresh must occur only if the user has authenticated against the given OIDC provider.

Do not hesitate to discuss this proposition and give your ideas.

Milestone: 2.19.0
Assignee: dcoutadeur dcoutadeur

Issue #3023: Allow mixed CAS protection mode
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3023
Updated: 2024-03-27T10:56:20Z
Author: Clément OUDOT

Currently we can either open the CAS issuer so any CAS client can use the LL::NG portal without being declared in configuration, or require that every CAS client is defined in configuration, and apply access rules and check authentication levels.
We could provide a mixed mode:

* Apply access rules for CAS applications defined in configuration
* Allow all other CAS applications if they are not in configuration

The goal is to enforce access control or a minimum authentication level on a few CAS applications, without being forced to register all existing CAS applications in the LL::NG configuration.

Milestone: 2.20.0

Issue #3049: Reset password with 2FA
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3049
Updated: 2024-03-27T10:56:07Z
Author: Clément OUDOT

Asked feature: if a user has lost his password and has a 2FA, he could use the 2FA to reset his password.
To be discussed as we clearly lose security here: an attacker having the 2FA will be able to force the password, so it's like having only 1FA.

Maybe the idea would be to add 2FA on top of the current reset feature (mail)?

Milestone: 2.20.0

Issue #3019: Update fontawesome to v5 (LTS)
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3019
Updated: 2024-03-27T10:55:07Z
Author: Benjamin Demarteau

### Summary
Font Awesome 4, which was [added a few months ago](https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/322), is great, but the next LTS has been available for a long time and has a lot more icons to choose from.

### Design proposition

Migrating from v4 to v5 should be mostly painless (cf. https://fontawesome.com/v5/docs/web/setup/upgrade-from-v4). Not sure if there are attention points.

Milestone: 2.20.0

Issue #3051: Add messaging broker support to share instantaneously events like logout or configuration update
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3051
Updated: 2024-03-27T10:53:38Z
Author: Yadd

We can propose here a plugin system like the logger interface. Proposed plugin list:
* [Redis pub/sub](https://redis.io/docs/interact/pubsub/)
* [RabbitMQ](https://www.rabbitmq.com/)

Such a system can also provide a backend for a better "status" system.

Milestone: 2.20.0

Issue #3048: Error in Notification DBI backend
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3048
Updated: 2024-03-27T10:53:14Z
Author: Clément OUDOT

On a production environment, we encounter this error:
```
DBD::Pg::st execute failed: aucune connexion au serveur at /usr/share/perl5/Lemonldap/NG/Common/Notifications/DBI.pm line 283.
```

The DB is well started, so I suspect bad connection management in the Notification DBI module.

Not easy to reproduce.

Milestone: 2.19.0
Assignee: Clément OUDOT

Issue #3091: Send mail on password change doesn't work correctly
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3091
Updated: 2024-03-27T10:46:54Z
Author: Gabriele Licari

### Affected version
Version: 2.18.1

Good Morning,

The option "Send a mail when password is changed" is activated, but users receive confirmation of the password change only when they force the reset (forgotten password) but not when they change it independently once logged in. What can I check to fix this?

This seems to be a bug.

Milestone: 2.19.0
Assignee: Clément OUDOT

Issue #3026: Auth::OIDC: add option to get keys using jwks
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3026
Updated: 2024-03-27T10:40:24Z
Author: Yadd

For now, we fix the JWKS document in configuration. We should be able to consult the OIDC server dynamically (with a cache, of course).
### Design proposition:

If oidcOPMetaDataJWKS is empty, use the jwks endpoint.

Milestone: 2.19.0
Assignee: Yadd

Issue #3123: JWKS timeout is not implemented
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3123
Updated: 2024-03-27T10:40:19Z
Author: Maxime Besson

### Affected version
Version: 2.18.2

### Summary

* Configure Auth::OpenIDConnect with a test OP
* set oidcOPMetaDataOptionsJWKSTimeout = 30 (or any non-zero value)
* When restarting the portal, JWKS is downloaded :white_check_mark:
* After 30 seconds, JWKS is not refreshed :x:

Milestone: 2.19.0
Assignee: Maxime Besson

Issue #1772: Append a new plugin to display a custom message on portal
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1772
Updated: 2024-03-27T10:38:36Z
Author: Christophe Maudoux (chrmdx@gmail.com)

### Summary
A custom message could be displayed to authenticated or unauthenticated users.

Select background colour, set rules, set message to display, ...

Milestone: 2.20.0
Assignee: Maxime Besson

Issue #2696: Add TOTP-or-WebAuthn
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2696
Updated: 2024-03-27T10:37:03Z
Author: Yadd

### Summary
Since WebAuthn is going to replace U2F, we should provide a TOTP-or-WebAuthn to replace TOTP-or-U2F.

Milestone: In discussion
Assignee: Christophe Maudoux (chrmdx@gmail.com)

Issue #3078: Allow transmission of extra attributes in Auth/UserDB/Password::REST
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3078
Updated: 2024-03-27T10:26:26Z
Author: Maxime Besson

Currently, it's possible to transmit extra attributes in 2F::REST but not in Auth::REST etc.

Milestone: Backlog
Assignee: Maxime Besson

Issue #3111: Hide Code2F secrets even from debug logs
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3111
Updated: 2024-03-27T10:25:25Z
Author: Maxime Besson

Currently, secrets such as OTP codes (Code2F.pm) are displayed in cleartext in debug logs.
This is useful for debugging.

Some users want to be able to hide the values even from error logs.

We should find a way to do this, maybe a special value in hiddenAttributes?

Milestone: 2.19.0
Assignee: Clément OUDOT

Issue #3053: Special OIDC scope to get app grid
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3053
Updated: 2024-03-27T10:23:56Z
Author: Yadd

### Summary
Currently the app grid is available using `/myapplications`, only for connected users.

### Problem

When using OIDC and the `offline_access` scope, the relying party isn't able to get the `/myapplications` result.

### Proposition

Build a special OIDC scope _(or macro value?)_ to store the JSON result of the appgrid calculation; it will then be available as long as the offline session exists.

Problem: won't be refreshed.

Milestone: 2.20.0

Issue #3125: Add base class for "reset password by SMS"
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3125
Updated: 2024-03-27T10:22:31Z
Author: Yadd

SMS APIs are not standard, however we could easily have a base class to prepare that.
## Design proposition

* Move part of [MailPasswordReset](lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/MailPasswordReset.pm) into "Lib/PasswordReset.pm"
* Maybe create a "Lib/SMSBase.pm" that stores custom parameters somewhere and just needs a "sendSMS" method in subclasses
* Create a "Lib/SMS.pm" that requires a class that exposes a `sendSMS($phone, $text)`
* Create a "Plugins/SMSPasswordResetBase.pm" that inherits from "Lib/PasswordReset.pm" and uses "Lib/SMS.pm"

Milestone: 2.20.0
Assignee: Yadd