2021-05-07  Vivien Kraus  <vivien@planete-kraus.eu>

	* token-endpoint.scm (make-token-endpoint): The token endpoint
	needs to know its public URI, because if it is behind a reverse
	proxy we can’t rely on (request-uri request); and it will fail
	DPoP validation.

2021-04-30  Vivien Kraus  <vivien@planete-kraus.eu>

	* reverse-proxy.scm (make-reverse-proxy): Make the auth header
	lowercase, so that all capitalizations of that header in the
	incoming requests are dropped.

2021-04-26  Vivien Kraus  <vivien@planete-kraus.eu>

	* identity-provider.scm (make-identity-provider): while saving the
	key to file, close the port so that it gets flushed.

2021-04-22  Vivien Kraus  <vivien@planete-kraus.eu>

	* oidc-configuration.scm (get-oidc-configuration): accept hosts as
	URIs (discard everything but the host).
	* token-endpoint.scm (make-token-endpoint): use (webid-oidc
	oidc-id-token) to issue the ID token.
	* oidc-id-token.scm (issue-id-token): fix function.
	(id-token-payload?): now the std uses a "webid" claim for the
	webid of the user, fix that.
	* token-endpoint.scm (make-token-endpoint): also return the ID
	token.
	* oidc-id-token.scm (id-token-decode): this function still used a
	cache and current-time arguments.

2021-03-30  Vivien Kraus  <vivien@planete-kraus.eu>

	* hello-world.scm (webid-oidc): remove the hello world.
	* resource.scm: don’t provide a Linked Data Platform
	implementation here.
	* resource-server.scm (make-authenticator): The server’s public
	URI is now exported, so you don’t rely on the Host header anymore.
	* dpop-proof.scm (uris-compatible): Check decoded paths, so if
	some characters are encoded they are equal to their decoded
	counterparts.

2021-03-13  Vivien Kraus  <vivien@planete-kraus.eu>

	* resource.scm (default-root-acl): The root authorization
	statements need not be inherited, they are by default.

2021-02-27  Vivien Kraus  <vivien@planete-kraus.eu>

	* hello-world.scm (main): Use an explicit caching and logging
	http-get.
	(main): Add a content-type to the “unauthorized” response.
	* resource-server.scm (make-authenticator): http-get and
	current-time are now authenticator parameters, not request
	parameters.
	* provider-confirmation.scm (get-provider-confirmations): Don't
	try to cache.
	* identity-provider.scm (make-identity-provider): The identity
	provider only uses the cache through the http-get argument.
	(main): Use a caching http-get.
	* token-endpoint.scm (make-token-endpoint): make the current-time
	argument an endpoint parameter, not a handler parameter.
	* authorization-endpoint.scm (make-authorization-endpoint): No
	need for an explicit cache, since we have http-get.
	(make-authorization-endpoint): Pass current-time as an endpoint
	parameter, not a handler parameter, because it should be
	synchronized with that of the internal http-get with cache.
	(make-authorization-endpoint): get-client-manifest is simpler.
	* client-manifest.scm (get-client-manifest): Same simplification
	as for get-jwks.
	* oidc-configuration.scm (get-oidc-configuration): Same
	simplifications as for get-jwks.
	* jwk.scm (get-jwks): Simplification, the cache is managed through
	the http-get argument.
	* Makefile.am (dist_webidoidcmod_DATA): Use the new guile web-client with cache

2021-02-17  Vivien Kraus  <vivien@planete-kraus.eu>

	* authorization-page.scm (with-locale): Avoid deadlock when
	setlocale throws.

2021-02-07  Vivien Kraus  <vivien@planete-kraus.eu>

	* authorization-endpoint.scm (make-authorization-endpoint): use
	the new modules.
	* Makefile.am (webidoidcgo_DATA): compile the new modules to
	generate the authorization pages.
	* Makefile.am (dist_webidoidcmod_DATA): distribute the new modules
	to generate the authorization pages.
	* authorization-page.scm: wrapper of the unsafe module in a
	thread-safe fashion.
	* authorization-page-unsafe.scm: new module.
	* dpop-proof.scm (uris-compatible): Also check userinfo for
	equality.
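
The 2021-05-07 and 2021-03-30 entries (use the configured public URI instead of the Host header / request-uri behind a reverse proxy) and the two uris-compatible entries (compare percent-decoded paths, check userinfo) all concern the same check: whether the URI a resource server or token endpoint actually serves matches the "htu" claim of a DPoP proof. The Guile snippet below is an added illustration of that check, not code from webid-oidc; it uses only Guile's standard (web uri) module, the names public-request-uri and uri-compatible? are this example's own, and the sample URIs are constructed.

```scheme
;; Added example, not code from the webid-oidc project.  It rebuilds the
;; request URI from a configured public base (so a Host header rewritten
;; by a reverse proxy is never trusted) and compares it with the "htu"
;; claim of a DPoP proof after percent-decoding the path and checking
;; userinfo.  public-request-uri and uri-compatible? are this example's
;; own names.
(use-modules (web uri))

(define (default-port scheme)
  ;; Port implied by the scheme when the URI does not spell one out.
  (case scheme
    ((http) 80)
    ((https) 443)
    (else #f)))

(define (effective-port uri)
  (or (uri-port uri) (default-port (uri-scheme uri))))

(define (decoded-path uri)
  ;; Percent-decode so that /p%41th and /path compare equal.  "+" is a
  ;; literal character in a path, so plus-to-space decoding is off.
  (uri-decode (uri-path uri) #:decode-plus-to-space? #f))

(define (host=? a b)
  ;; Host names are case-insensitive; either side may be #f.
  (if (and (string? a) (string? b))
      (string-ci=? a b)
      (equal? a b)))

(define (->uri x)
  (if (string? x) (string->uri x) x))

(define (uri-compatible? received claimed)
  "Return #t when RECEIVED (the URI the server believes it is serving)
and CLAIMED (the htu claim of the DPoP proof) name the same resource:
same scheme, same userinfo, same host ignoring case, same effective
port, and the same path once percent-encoding is removed.  Query and
fragment are ignored because htu carries neither."
  (let ((r (->uri received))
        (c (->uri claimed)))
    (and r c
         (eq? (uri-scheme r) (uri-scheme c))
         (equal? (uri-userinfo r) (uri-userinfo c))
         (host=? (uri-host r) (uri-host c))
         (equal? (effective-port r) (effective-port c))
         (string=? (decoded-path r) (decoded-path c)))))

(define (public-request-uri public-base request-path)
  "Build the URI a client must have signed for REQUEST-PATH from the
server's configured PUBLIC-BASE, not from the incoming Host header,
which behind a reverse proxy names the proxy rather than the server."
  (let ((base (->uri public-base)))
    (build-uri (uri-scheme base)
               #:userinfo (uri-userinfo base)
               #:host (uri-host base)
               #:port (uri-port base)
               #:path request-path)))

;; Constructed sample values: a server published at https://example.org,
;; sitting behind a proxy that forwards requests as http://backend:8080.
(define public-base "https://example.org")
(define claimed-htu "https://Example.org:443/p%41th")

(for-each
 (lambda (pair)
   (format #t "~a vs ~a => ~a~%"
           (uri->string (car pair)) (cdr pair)
           (uri-compatible? (car pair) (cdr pair))))
 (list
  ;; URI rebuilt from the public base: accepted.
  (cons (public-request-uri public-base "/path") claimed-htu)
  ;; URI taken from the proxied Host header: rejected.
  (cons (string->uri "http://backend:8080/path") claimed-htu)
  ;; Same host and path but the userinfo differs: rejected.
  (cons (string->uri "https://alice@example.org/path") claimed-htu)))
```

One design caveat: decoding every percent-escape also turns %2F into "/", so two paths with a different number of segments can compare equal. A stricter variant decodes only unreserved characters (letters, digits, "-", ".", "_", "~") before comparing and leaves reserved ones encoded.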

2020-12-05  Vivien Kraus  <vivien@planete-kraus.eu>

	* dpop-proof.scm (dpop-proof-decode): Accept a predicate to decode
	a dpop proof, so that we can use it for the token endpoint.

2020-12-02  Vivien Kraus  <vivien@planete-kraus.eu>

	* jws.scm (jws-decode): In order to verify OIDC ID tokens, the key
	lookup function now takes a full JWS and not only the header.

2020-11-29  Vivien Kraus  <vivien@planete-kraus.eu>

	* jws.scm (jws-decode): The JWS can be verified using a JWKS or multiple keys.