!DnzGDOEluSXwfOUoKI:matrix.org

Contributing (Authelia)

1441 Members, 24 Servers
Topic: Discuss Contributing to the Authelia Open Source project



23 Mar 2024
[07:18:50] Brynn (@crowley723:matrix.org): it's a good pattern.
25 Mar 2024
[15:38:07] @tomz_plug:matrix.org left the room.
26 Mar 2024
[20:15:15] Brynn (@crowley723:matrix.org): Should I assume that asking for OAuth consent just once requires the config database for oidc? I see implicit, explicit, auto, and pre-configured. It would be nice to ask the first time then not ask again.
[21:43:47] James (@james:authelia.com): That's the pre-configured option. The user can pre-configure consent for the requested client id + scope + audience option.
[21:44:00] James (@james:authelia.com): via a "remember" option.
[21:45:53] Brynn (@crowley723:matrix.org): Apologies, I probably should have asked in support. Is there an existing way to ask the user once and remember forever?
[21:46:23] James (@james:authelia.com): No and there won't be one
[21:46:43] James (@james:authelia.com): You can configure the pre-configured duration however you want
[21:46:58] James (@james:authelia.com): But the user has to provide consent and consent to remember the consent
[21:47:21] James (@james:authelia.com): If they provide the consent to remember it then that specific consent scenario will be remembered for the duration configured
[21:47:23] Brynn (@crowley723:matrix.org): Oh, I just realized that's probably against standards. It's bad to never rotate secrets.
[21:48:23] James (@james:authelia.com): Yeah the spec allows for pre-configured consent but has wording from memory which indicates that the user must explicitly consent to remember it
[21:48:33] James (@james:authelia.com): (edited) Yeah the spec allows for pre-configured consent but has wording from memory which indicates that the user must explicitly consent to pre-configure it
[21:48:53] James (@james:authelia.com): (edited) No and there won't be one most likely
[21:49:02] James (@james:authelia.com): (edited) No and there probably won't be one
[21:49:34] James (@james:authelia.com): In addition if the client ID, scopes, or audience change the user must provide consent again
[21:49:57] Brynn (@crowley723:matrix.org): Only reason I'm asking is that Google OAuth (to my knowledge) never asks again for consent for a specific OAuth service.
[21:52:36] Brynn (@crowley723:matrix.org): I.e. once you give consent to use your Google account, you never get asked again. Unless I'm misremembering.
[21:54:16] James (@james:authelia.com): That's a pre-configured consent
[21:55:50] Brynn (@crowley723:matrix.org): Oh! Ok I got it now. I wasn't equating creating the config for Authelia with accepting consent the first time on Google.
[22:00:49] James (@james:authelia.com): Think of consent like this: the user is providing consent for the client to access information known about them via the resource server's API, in this case the /api/oidc/userinfo endpoint, using the provided tokens. The information the client is allowed to access is part of the consent process. The only difference between what Google does and us is we give the admin the choice to enable pre-configurations, and the user has to explicitly allow implicit consent for the consent in the future (via the remember option).
27 Mar 2024
[06:08:47] Brynn (@crowley723:matrix.org):
In reply to James (@james:authelia.com):
> Yeah so my basic "end goal" when implementing OpenID Connect 1.0 and SAML 2.0 providers is to allow multiple issuers, and potentially.. I can't recall what the terminology is for sub-issuers. Either way, issuers which can have their properties adjusted on a per issuer basis, and clients be registered by admins in the UI. Basically every setting for clients, most settings for an issuer. Though clients probably are going to be the lowest barrier to begin with. I had planned to implement all of this via CLI then work on the UI after that.
>
> All of these values are already mostly obtained by the provider pattern via an interface already (i.e. we can very easily dynamically load them).
>
> Provider Information: https://www.authelia.com/configuration/identity-providers/openid-connect/provider/
> Registered Client Information: https://www.authelia.com/configuration/identity-providers/openid-connect/clients/
You mention an interface to get oidc client info. Would you mind pointing that out to me?
28 Mar 2024
[01:55:46] Brynn (@crowley723:matrix.org): (attachment: image.png)
[01:56:32] Brynn (@crowley723:matrix.org): overall format shamelessly stolen from the existing user settings pages.
[01:56:59] Brynn (@crowley723:matrix.org): not sure how to format the content/which content should actually be shown
[02:22:39] James (@james:authelia.com): I'm rather flat out but will get back to you soon
[02:23:08] Brynn (@crowley723:matrix.org): hey no problem. Everyone is entitled to be busy.
[22:58:29] James (@james:authelia.com):
In reply to Brynn (@crowley723:matrix.org):
> You mention an interface to get oidc client info. Would you mind pointing that out to me?
[23:00:59] James (@james:authelia.com): We can adjust the NewStore signature to take a ClientManager and implement two, one in-memory like it is now, and one in SQL.
[23:13:17] James (@james:authelia.com): Here's an abstraction that makes this easier, we just need to ensure we add a StorageClientStore and accompanying NewStorageClientStore: https://github.com/authelia/authelia/pull/7041/files#diff-33477abe4b572dab542eab82c130a0e4625cd907c0c4a9ca92e5c62852706433R24



Room Version: 6