Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adds max_age role parameter and auth_time claim validation #159

Merged
merged 3 commits into from
Feb 12, 2021
Merged

Adds max_age role parameter and auth_time claim validation #159

merged 3 commits into from
Feb 12, 2021

Conversation

austingebauer
Copy link
Contributor

Overview

This PR adds a new max_age parameter to roles. The max_age specifies the allowable elapsed time in seconds since the last time the user actively authenticated with the configured identity provider.

When max_age is used, the ID Token returned must include an auth_time claim value (see openid-connect-core-1_0.html#AuthRequest). Validation of the auth_time claim value is provided by the cap/oidc library (see oidc/provider.go#L414).

The max_age for a role will be included in the generated auth URL as a query parameter, similar to the following example:

https://example.auth0.com/authorize?client_id=abc&max_age=60&nonce=n_NEJOgEMl4MBXf0LX6ES4&redirect_uri=https%3A%2F%2Fexample.com&response_type=code&scope=openid&state=st_o1myOrU9vQi6uiiR6SpU

Testing

I've added a test for setting the max_age role parameter and generating an auth URL with the max_age query parameter.

I've also manually tested Azure Active Directory authentication using max_age to observe that active authentication was forced depending on the max_age and time of last active authentication.

pcman312
pcman312 reviewed Feb 11, 2021
View reviewed changes
path_role.go Show resolved Hide resolved
path_role.go Show resolved Hide resolved
path_oidc_test.go Outdated Show resolved Hide resolved
catsby
catsby approved these changes Feb 12, 2021
View reviewed changes
Copy link
Contributor

@catsby catsby left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

@austingebauer austingebauer merged commit 0d0819f into master Feb 12, 2021
@austingebauer austingebauer deleted the role-max-age branch February 12, 2021 18:24
This was referenced Feb 12, 2021
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@catsby catsby catsby approved these changes

@pcman312 pcman312 pcman312 approved these changes

@Valarissa Valarissa Awaiting requested review from Valarissa

@calvn calvn Awaiting requested review from calvn

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@austingebauer @catsby @pcman312