2021-06-19  Vivien Kraus

	* http-link.scm (declare-link-header!): make sure it is only
	installed once.

2021-06-18  Vivien Kraus

	* rdf-index.scm (build-index): Normalize the URIs when building the
	index, so that we can’t disguise triples.
	(rdf-match): Normalize the URIs of the query too.

2021-05-07  Vivien Kraus

	* token-endpoint.scm (make-token-endpoint): The token endpoint needs
	to know its public URI, because if it is behind a reverse proxy we
	can’t rely on (request-uri request); and it will fail DPoP
	validation.

2021-04-30  Vivien Kraus

	* reverse-proxy.scm (make-reverse-proxy): Make the auth header
	lowercase, so that all capitalizations of that header in the
	incoming requests are dropped.

2021-04-26  Vivien Kraus

	* identity-provider.scm (make-identity-provider): while saving the
	key to file, close the port so that it gets flushed.

2021-04-22  Vivien Kraus

	* oidc-configuration.scm (get-oidc-configuration): accept hosts as
	URIs (discard everything but the host).
	* token-endpoint.scm (make-token-endpoint): use (webid-oidc
	oidc-id-token) to issue the ID token.
	* oidc-id-token.scm (issue-id-token): fix function.
	(id-token-payload?): now the std uses a "webid" claim for the webid
	of the user, fix that.
	* token-endpoint.scm (make-token-endpoint): also return the ID token.
	* oidc-id-token.scm (id-token-decode): this function still used a
	cache and current-time arguments.

2021-03-30  Vivien Kraus

	* hello-world.scm (webid-oidc): remove the hello world.
	* resource.scm: don’t provide a Linked Data Platform implementation
	here.
	* resource-server.scm (make-authenticator): The server’s public URI
	is now exported, so you don’t rely on the Host header anymore.
	* dpop-proof.scm (uris-compatible): Check decoded paths, so if some
	characters are encoded they are equal to their decoded counterparts.

2021-03-13  Vivien Kraus

	* resource.scm (default-root-acl): The root authorization statements
	need not be inherited, they are by default.

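The 2021-06-18 entry (normalize URIs before indexing and querying, so a triple cannot be disguised under a differently spelled URI) and the 2021-03-30 entry (uris-compatible compares decoded paths) both come down to one question: when do two URI strings name the same resource? The following is an added example, not the project's own code (webid-oidc is written in Guile Scheme, this is Python). It implements RFC 3986 syntax-based normalization (lowercase scheme and host, drop the default port, decode percent-escapes of unreserved characters, uppercase the remaining escapes, resolve dot-segments), keys a small RDF index by the normalized subject, and compares URIs by their fully decoded paths while ignoring query and fragment, which is what a DPoP proof's target-URI (`htu`) check needs. The function names, the sample triples and the host names are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit, unquote

# Added example, not the webid-oidc project's code.  Names below are hypothetical.
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
DEFAULT_PORTS = {"http": 80, "https": 443}
HEXDIGITS = set("0123456789abcdefABCDEF")


def _normalize_pct(component: str) -> str:
    """Decode percent-escapes of unreserved characters (%7E -> ~); uppercase the rest (%2f -> %2F)."""
    out, i = [], 0
    while i < len(component):
        if component[i] == "%" and i + 2 < len(component) and set(component[i + 1:i + 3]) <= HEXDIGITS:
            hexpair = component[i + 1:i + 3]
            octet = chr(int(hexpair, 16))
            out.append(octet if octet in UNRESERVED else "%" + hexpair.upper())
            i += 3
        else:
            out.append(component[i])
            i += 1
    return "".join(out)


def _remove_dot_segments(path: str) -> str:
    """Resolve "." and ".." in an absolute path (RFC 3986 section 5.2.4): /a/./b/../c -> /a/c."""
    segments = path.split("/")
    out = []
    for seg in segments[1:]:  # segments[0] is the empty string before the leading "/"
        if seg == ".":
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    if segments[-1] in (".", ".."):  # a trailing dot-segment leaves a trailing slash
        out.append("")
    return "/" + "/".join(out)


def normalize_uri(uri: str) -> str:
    """Return the normalized form of an http(s) URI; equal resources get equal strings."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if ":" in host:  # urlsplit strips the brackets of an IPv6 literal; put them back
        host = "[" + host + "]"
    userinfo = ""
    if parts.username is not None:  # userinfo is significant and kept verbatim
        userinfo = parts.username + (":" + parts.password if parts.password is not None else "") + "@"
    port = parts.port
    hostport = host if port is None or DEFAULT_PORTS.get(scheme) == port else f"{host}:{port}"
    path = _normalize_pct(parts.path)
    if path.startswith("/"):
        path = _remove_dot_segments(path)
    elif host and not path:
        path = "/"  # http://example.org and http://example.org/ are the same resource
    return urlunsplit((scheme, userinfo + hostport, path,
                       _normalize_pct(parts.query), _normalize_pct(parts.fragment)))


def uris_compatible(a: str, b: str) -> bool:
    """Do two URIs name the same resource?  Scheme, userinfo, host and port must match after
    normalization, and the paths must match once fully percent-decoded (so %2F equals /, as the
    2021-03-30 entry describes); query and fragment are ignored, as a DPoP htu comparison needs."""
    na, nb = urlsplit(normalize_uri(a)), urlsplit(normalize_uri(b))
    return (na.scheme, na.netloc, unquote(na.path)) == (nb.scheme, nb.netloc, unquote(nb.path))


# Constructed sample data: two spellings of the same subject URI.
TRIPLES = [
    ("HTTP://Example.org/%7Ealice/", "http://xmlns.com/foaf/0.1/name", "Alice"),
    ("http://example.org/~alice/./", "http://xmlns.com/foaf/0.1/knows", "http://example.org/~bob"),
]


def build_index(triples):
    """Index triples by normalized subject, so a disguised spelling cannot get its own entry."""
    index = {}
    for s, p, o in triples:
        index.setdefault(normalize_uri(s), set()).add((p, o))
    return index


def rdf_match(index, subject):
    """Look a subject up by its normalized URI, so the query cannot be disguised either."""
    return index.get(normalize_uri(subject), set())


if __name__ == "__main__":
    print(normalize_uri("HTTPS://Example.org:443/a/../b%2fc?x=%41"))  # https://example.org/b%2Fc?x=A
    print(rdf_match(build_index(TRIPLES), "http://example.org/~alice/"))  # both triples
    print(uris_compatible("https://rs.example/resource?x=1", "https://RS.example:443/resource"))  # True
    print(uris_compatible("https://alice@rs.example/r", "https://rs.example/r"))  # False
```

Without normalization the two sample triples would land under different keys, and a query for the canonical spelling would see only one of them; with it, both the indexed subject and the queried subject collapse to the same string. Note that uris_compatible deliberately equates `%2F` with `/` in paths, following the entry; RFC 3986 normalization alone would keep them distinct.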
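The 2021-04-30 entry (make the auth header lowercase so that every capitalization of it in incoming requests is dropped) addresses a classic reverse-proxy mistake: a proxy that authenticates the client and passes the result to the backend in a trusted header must strip every client-supplied copy of that header, and HTTP header names are case-insensitive, so an exact-string comparison is not enough. The following is an added example, not the project's code; the header name `x-webid` and the sample request are constructed placeholders, and the "naive" function is the before-form shown only to make the failure visible.

```python
# Added example, not the webid-oidc project's code.  Header name is a placeholder.
AUTH_HEADER = "x-webid"  # hypothetical trusted header the proxy sets for the backend


def forward_headers_naive(incoming, webid):
    """Before-form: drops only one exact spelling, so a client's 'X-WebID' survives
    and reaches the backend next to the proxy's own header."""
    headers = [(name, value) for name, value in incoming if name != "X-Webid"]
    headers.append(("X-Webid", webid))
    return headers


def forward_headers(incoming, webid):
    """Fixed form: lowercase every name, drop all copies of the auth header,
    then add exactly one, so the backend sees only the proxy's value."""
    headers = [(name.lower(), value) for name, value in incoming if name.lower() != AUTH_HEADER]
    headers.append((AUTH_HEADER, webid))
    return headers


def values_for(headers, name):
    """What a backend reading header names case-insensitively would see, in order."""
    return [value for key, value in headers if key.lower() == name.lower()]


# Constructed sample: a client tries to smuggle its own identity in a mixed-case header.
INCOMING = [("Host", "rs.example"), ("X-WebID", "https://attacker.example/profile#me")]
ALICE = "https://alice.example/profile#me"

if __name__ == "__main__":
    print(values_for(forward_headers_naive(INCOMING, ALICE), AUTH_HEADER))  # attacker's value first
    print(values_for(forward_headers(INCOMING, ALICE), AUTH_HEADER))        # only Alice
```

A backend that takes the first matching header would, with the naive proxy, act on the client-chosen value; with the fixed proxy there is exactly one header to read.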
2021-02-27  Vivien Kraus

	* hello-world.scm (main): Use an explicit caching and logging
	http-get.
	(main): Add a content-type to the “unauthorized” response.
	* resource-server.scm (make-authenticator): http-get and
	current-time are now authenticator parameters, not request
	parameters.
	* provider-confirmation.scm (get-provider-confirmations): Don't try
	to cache.
	* identity-provider.scm (make-identity-provider): The identity
	provider only uses the cache through the http-get argument.
	(main): Use a caching http-get.
	* token-endpoint.scm (make-token-endpoint): make the current-time
	argument an endpoint parameter, not a handler parameter.
	* authorization-endpoint.scm (make-authorization-endpoint): No need
	for an explicit cache, since we have http-get.
	(make-authorization-endpoint): Pass current-time as an endpoint
	parameter, not a handler parameter, because it should be
	synchronized with that of the internal http-get with cache.
	(make-authorization-endpoint): get-client-manifest is simpler.
	* client-manifest.scm (get-client-manifest): Same simplification as
	for get-jwks.
	* oidc-configuration.scm (get-oidc-configuration): Same
	simplifications as for get-jwks.
	* jwk.scm (get-jwks): Simplification, the cache is managed through
	the http-get argument.
	* Makefile.am (dist_webidoidcmod_DATA): Use the new guile web-client
	with cache.

2021-02-17  Vivien Kraus

	* authorization-page.scm (with-locale): Avoid deadlock when
	setlocale throws.

2021-02-07  Vivien Kraus

	* authorization-endpoint.scm (make-authorization-endpoint): use the
	new modules.
	* Makefile.am (webidoidcgo_DATA): compile the new modules to
	generate the authorization pages.
	* Makefile.am (dist_webidoidcmod_DATA): distribute the new modules
	to generate the authorization pages.
	* authorization-page.scm: wrapper of the unsafe module in a
	thread-safe fashion.
	* authorization-page-unsafe.scm: new module.
	* dpop-proof.scm (uris-compatible): Also check userinfo for
	equality.

2020-12-05  Vivien Kraus

	* identity-provider.scm (make-identity-provider): Also serve a dummy
	resource for the subject.
	* dpop-proof.scm (dpop-proof-decode): Accept a predicate to decode a
	dpop proof, so that we can use it for the token endpoint.

2020-12-02  Vivien Kraus

	* jws.scm (jws-decode): In order to verify OIDC ID tokens, the key
	lookup function now takes a full JWS and not only the header.

2020-11-29  Vivien Kraus

	* jws.scm (jws-decode): The JWS can be verified using a JWKS or
	multiple keys.