Docs and formatting
This commit is contained in:
parent
2fa6523cc1
commit
27891e4492
|
@ -654,8 +654,7 @@ Default: `<empty>`
|
||||||
|
|
||||||
Identity-Aware Proxy configuration will allow users to authenticate through an identity-aware proxy in front of Vikunja.<br/>
|
Identity-Aware Proxy configuration will allow users to authenticate through an identity-aware proxy in front of Vikunja.<br/>
|
||||||
The proxy needs to supply a signed JWT over HTTP headers with claims for `sub`, `iss`, and `email`.
|
The proxy needs to supply a signed JWT over HTTP headers with claims for `sub`, `iss`, and `email`.
|
||||||
This JWT must be signed using ECDSA or RSA.
|
|
||||||
It must also serve the public keys for that signed JWT in the JWKS format.
|
It must also serve the public keys for that signed JWT in the JWKS format.
|
||||||
Take a look at the [default config file](https://kolaente.dev/vikunja/api/src/branch/master/config.yml.sample) for more information about how to configure this authentication.
|
|
||||||
|
|
||||||
Default: `<empty>`
|
Default: `<empty>`
|
||||||
|
|
||||||
|
|
|
@ -106,11 +106,11 @@ func NewUserAuthTokenResponse(u *user.User, c echo.Context) error {
|
||||||
func NewUserJWTAuthtoken(u *user.User) (token string, err error) {
|
func NewUserJWTAuthtoken(u *user.User) (token string, err error) {
|
||||||
// Set claims
|
// Set claims
|
||||||
claims := &AuthClaims{
|
claims := &AuthClaims{
|
||||||
Type: AuthTypeUser,
|
Type: AuthTypeUser,
|
||||||
UserID: u.ID,
|
UserID: u.ID,
|
||||||
UserUsername: u.Username,
|
UserUsername: u.Username,
|
||||||
UserEmail: u.Email,
|
UserEmail: u.Email,
|
||||||
UserName: u.Name,
|
UserName: u.Name,
|
||||||
UserEmailRemindersEnabled: u.EmailRemindersEnabled,
|
UserEmailRemindersEnabled: u.EmailRemindersEnabled,
|
||||||
StandardClaims: jwt.StandardClaims{
|
StandardClaims: jwt.StandardClaims{
|
||||||
ExpiresAt: time.Now().Add(time.Hour * 72).Unix(),
|
ExpiresAt: time.Now().Add(time.Hour * 72).Unix(),
|
||||||
|
@ -249,7 +249,7 @@ func GetJWTConfig() middleware.JWTConfig {
|
||||||
// GetOrCreateUserFromExternalAuth returns a user after finding or creating a matching user for the provided details
|
// GetOrCreateUserFromExternalAuth returns a user after finding or creating a matching user for the provided details
|
||||||
func GetOrCreateUserFromExternalAuth(s *xorm.Session, issuer, subject, email, name, preferredUsername string) (u *user.User, err error) {
|
func GetOrCreateUserFromExternalAuth(s *xorm.Session, issuer, subject, email, name, preferredUsername string) (u *user.User, err error) {
|
||||||
if issuer == "" || subject == "" || email == "" {
|
if issuer == "" || subject == "" || email == "" {
|
||||||
return nil, echo.NewHTTPError(http.StatusBadRequest, models.Message{Message: "Missing required data."})
|
return nil, echo.NewHTTPError(http.StatusBadRequest, models.Message{Message: "Missing required data."})
|
||||||
}
|
}
|
||||||
|
|
||||||
// Check if the user exists for that issuer and subject
|
// Check if the user exists for that issuer and subject
|
||||||
|
|
|
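Review bot: `NewUserJWTAuthtoken` in the first hunk hard-codes `ExpiresAt: time.Now().Add(time.Hour * 72).Unix()`, while the API docs regenerated in this same commit describe `/auth/identityawareproxy/token` as generating a "short-lived JWT"; if that endpoint mints its token through this function (its handler is not visible here), either that description is wrong or the IAP path needs its own expiry, e.g. a `ttl time.Duration` argument instead of the literal `time.Hour * 72`. Separately, `GetOrCreateUserFromExternalAuth` in the second hunk accepts any non-empty `issuer`/`subject`/`email` triple and nothing visible shows the caller pinning `iss` to a configured value, so a doc comment stating the precondition would make the trust boundary explicit: `// Callers must have verified the token signature and issuer before passing these claims; they are trusted as-is here.` Both functions continue past the ends of their hunks.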
@ -70,7 +70,7 @@ func (err ErrIAPPublicKeysetMissing) HTTPError() web.HTTPError {
|
||||||
}
|
}
|
||||||
|
|
||||||
// ErrIAPUserFrontendMismatch represents a "IAPUserDoesNotMatchFrontendUser" kind of error.
|
// ErrIAPUserFrontendMismatch represents a "IAPUserDoesNotMatchFrontendUser" kind of error.
|
||||||
type ErrIAPUserFrontendMismatch struct {}
|
type ErrIAPUserFrontendMismatch struct{}
|
||||||
|
|
||||||
// IsErrIAPPublicKeysetMissing checks if an error is a ErrIAPUserFrontendMismatch.
|
// IsErrIAPPublicKeysetMissing checks if an error is a ErrIAPUserFrontendMismatch.
|
||||||
func IsErrIAPUserFrontendMismatch(err error) bool {
|
func IsErrIAPUserFrontendMismatch(err error) bool {
|
||||||
|
@ -114,7 +114,7 @@ func (err ErrIAPUnsupportedJWTSigningMethod) HTTPError() web.HTTPError {
|
||||||
}
|
}
|
||||||
|
|
||||||
// ErrIAPJWTMissingKID represents a "ErrIAPJWTMissingKID" kind of error.
|
// ErrIAPJWTMissingKID represents a "ErrIAPJWTMissingKID" kind of error.
|
||||||
type ErrIAPJWTMissingKID struct {}
|
type ErrIAPJWTMissingKID struct{}
|
||||||
|
|
||||||
// IsErrIAPUnsupportedJWTSigningMethod checks if an error is a ErrIAPJWTMissingKID.
|
// IsErrIAPUnsupportedJWTSigningMethod checks if an error is a ErrIAPJWTMissingKID.
|
||||||
func IsErrIAPJWTMissingKID(err error) bool {
|
func IsErrIAPJWTMissingKID(err error) bool {
|
||||||
|
|
|
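Review bot: The doc comments on the two predicate functions still name the wrong identifier, which a docs/formatting commit should fix since golint flags comments that do not start with the function name: `// IsErrIAPPublicKeysetMissing checks if an error is a ErrIAPUserFrontendMismatch.` sits above `func IsErrIAPUserFrontendMismatch`, and `// IsErrIAPUnsupportedJWTSigningMethod checks if an error is a ErrIAPJWTMissingKID.` sits above `func IsErrIAPJWTMissingKID`. Suggested replacements: `// IsErrIAPUserFrontendMismatch checks if an error is a ErrIAPUserFrontendMismatch.` and `// IsErrIAPJWTMissingKID checks if an error is a ErrIAPJWTMissingKID.` The bodies of both functions lie outside the hunks.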
@ -16,4 +16,4 @@
|
||||||
|
|
||||||
package identityawareproxy
|
package identityawareproxy
|
||||||
|
|
||||||
// TODO test GetWebAuth()
|
// TODO test GetWebAuth()
|
||||||
|
|
|
@ -67,7 +67,7 @@ type openIDAuthInfo struct {
|
||||||
}
|
}
|
||||||
|
|
||||||
type identityAwareProxyAuthInfo struct {
|
type identityAwareProxyAuthInfo struct {
|
||||||
Enabled bool `json:"enabled"`
|
Enabled bool `json:"enabled"`
|
||||||
}
|
}
|
||||||
|
|
||||||
type legalInfo struct {
|
type legalInfo struct {
|
||||||
|
|
|
@ -99,7 +99,7 @@ func RenewToken(c echo.Context) (err error) {
|
||||||
newToken, err := auth.RenewToken(s, c)
|
newToken, err := auth.RenewToken(s, c)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
_ = s.Rollback()
|
_ = s.Rollback()
|
||||||
return handler.HandleHTTPError(err, c)
|
return handler.HandleHTTPError(err, c)
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := s.Commit(); err != nil {
|
if err := s.Commit(); err != nil {
|
||||||
|
|
|
@ -32,16 +32,11 @@ var doc = `{
|
||||||
"host": "{{.Host}}",
|
"host": "{{.Host}}",
|
||||||
"basePath": "{{.BasePath}}",
|
"basePath": "{{.BasePath}}",
|
||||||
"paths": {
|
"paths": {
|
||||||
"/auth/identityawareproxy/login": {
|
"/auth/identityawareproxy/token": {
|
||||||
"post": {
|
"get": {
|
||||||
"security": [
|
"description": "Generates a short-lived JWT based on the identity from the identity-aware proxy in order to provide the front-end with user id and username info",
|
||||||
{
|
|
||||||
"JWTKeyAuth": []
|
|
||||||
}
|
|
||||||
],
|
|
||||||
"description": "After a redirect from the OpenID Connect provider to the frontend has been made with the authentication ` + "`" + `code` + "`" + `, this endpoint can be used to obtain a jwt token for that user and thus log them in.",
|
|
||||||
"consumes": [
|
"consumes": [
|
||||||
"application/json"
|
"N/A"
|
||||||
],
|
],
|
||||||
"produces": [
|
"produces": [
|
||||||
"application/json"
|
"application/json"
|
||||||
|
@ -49,7 +44,7 @@ var doc = `{
|
||||||
"tags": [
|
"tags": [
|
||||||
"auth"
|
"auth"
|
||||||
],
|
],
|
||||||
"summary": "Authenticate a user with OpenID Connect",
|
"summary": "Authenticate a user from the Identity-Aware Proxy",
|
||||||
"responses": {
|
"responses": {
|
||||||
"200": {
|
"200": {
|
||||||
"description": "OK",
|
"description": "OK",
|
||||||
|
@ -8631,9 +8626,6 @@ var doc = `{
|
||||||
"properties": {
|
"properties": {
|
||||||
"enabled": {
|
"enabled": {
|
||||||
"type": "boolean"
|
"type": "boolean"
|
||||||
},
|
|
||||||
"name": {
|
|
||||||
"type": "string"
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
|
|
@ -15,16 +15,11 @@
|
||||||
},
|
},
|
||||||
"basePath": "/api/v1",
|
"basePath": "/api/v1",
|
||||||
"paths": {
|
"paths": {
|
||||||
"/auth/identityawareproxy/login": {
|
"/auth/identityawareproxy/token": {
|
||||||
"post": {
|
"get": {
|
||||||
"security": [
|
"description": "Generates a short-lived JWT based on the identity from the identity-aware proxy in order to provide the front-end with user id and username info",
|
||||||
{
|
|
||||||
"JWTKeyAuth": []
|
|
||||||
}
|
|
||||||
],
|
|
||||||
"description": "After a redirect from the OpenID Connect provider to the frontend has been made with the authentication `code`, this endpoint can be used to obtain a jwt token for that user and thus log them in.",
|
|
||||||
"consumes": [
|
"consumes": [
|
||||||
"application/json"
|
"N/A"
|
||||||
],
|
],
|
||||||
"produces": [
|
"produces": [
|
||||||
"application/json"
|
"application/json"
|
||||||
|
@ -32,7 +27,7 @@
|
||||||
"tags": [
|
"tags": [
|
||||||
"auth"
|
"auth"
|
||||||
],
|
],
|
||||||
"summary": "Authenticate a user with OpenID Connect",
|
"summary": "Authenticate a user from the Identity-Aware Proxy",
|
||||||
"responses": {
|
"responses": {
|
||||||
"200": {
|
"200": {
|
||||||
"description": "OK",
|
"description": "OK",
|
||||||
|
@ -8614,9 +8609,6 @@
|
||||||
"properties": {
|
"properties": {
|
||||||
"enabled": {
|
"enabled": {
|
||||||
"type": "boolean"
|
"type": "boolean"
|
||||||
},
|
|
||||||
"name": {
|
|
||||||
"type": "string"
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
|
|
@ -1210,8 +1210,6 @@ definitions:
|
||||||
properties:
|
properties:
|
||||||
enabled:
|
enabled:
|
||||||
type: boolean
|
type: boolean
|
||||||
name:
|
|
||||||
type: string
|
|
||||||
type: object
|
type: object
|
||||||
v1.legalInfo:
|
v1.legalInfo:
|
||||||
properties:
|
properties:
|
||||||
|
@ -1338,11 +1336,11 @@ paths:
|
||||||
summary: User Avatar
|
summary: User Avatar
|
||||||
tags:
|
tags:
|
||||||
- user
|
- user
|
||||||
/auth/identityawareproxy/login:
|
/auth/identityawareproxy/token:
|
||||||
post:
|
get:
|
||||||
consumes:
|
consumes:
|
||||||
- application/json
|
- N/A
|
||||||
description: After a redirect from the OpenID Connect provider to the frontend has been made with the authentication `code`, this endpoint can be used to obtain a jwt token for that user and thus log them in.
|
description: Generates a short-lived JWT based on the identity from the identity-aware proxy in order to provide the front-end with user id and username info
|
||||||
produces:
|
produces:
|
||||||
- application/json
|
- application/json
|
||||||
responses:
|
responses:
|
||||||
|
@ -1354,9 +1352,7 @@ paths:
|
||||||
description: Internal error
|
description: Internal error
|
||||||
schema:
|
schema:
|
||||||
$ref: '#/definitions/models.Message'
|
$ref: '#/definitions/models.Message'
|
||||||
security:
|
summary: Authenticate a user from the Identity-Aware Proxy
|
||||||
- JWTKeyAuth: []
|
|
||||||
summary: Authenticate a user with OpenID Connect
|
|
||||||
tags:
|
tags:
|
||||||
- auth
|
- auth
|
||||||
/auth/openid/{provider}/callback:
|
/auth/openid/{provider}/callback:
|
||||||
|
|