2021-04-30 Vivien Kraus <vivien@planete-kraus.eu>
* reverse-proxy.scm (make-reverse-proxy): Make the auth header
lowercase, so that all capitalizations of that header in the
incoming requests are dropped.
2021-04-26 Vivien Kraus <vivien@planete-kraus.eu>
* identity-provider.scm (make-identity-provider): while saving the
key to file, close the port so that it gets flushed.
2021-04-22 Vivien Kraus <vivien@planete-kraus.eu>
* oidc-configuration.scm (get-oidc-configuration): accept hosts as
URIs (discard everything but the host).
* token-endpoint.scm (make-token-endpoint): use (webid-oidc
oidc-id-token) to issue the ID token.
* oidc-id-token.scm (issue-id-token): fix function.
(id-token-payload?): now the std uses a "webid" claim for the
webid of the user, fix that.
* token-endpoint.scm (make-token-endpoint): also return the ID
token.
* oidc-id-token.scm (id-token-decode): this function still used a
cache and current-time arguments.
2021-03-30 Vivien Kraus <vivien@planete-kraus.eu>
* hello-world.scm (webid-oidc): remove the hello world.
* resource.scm: don’t provide a Linked Data Platform
implementation here.
* resource-server.scm (make-authenticator): The server’s public
URI is now exported, so you don’t rely on the Host header anymore.
* dpop-proof.scm (uris-compatible): Check decoded paths, so if
some characters are encoded they are equal to their decoded
counterparts.
2021-03-13 Vivien Kraus <vivien@planete-kraus.eu>
* resource.scm (default-root-acl): The root authorization
statements need not be inherited, they are by default.
2021-02-27 Vivien Kraus <vivien@planete-kraus.eu>
* hello-world.scm (main): Use an explicit caching and logging
http-get.
(main): Add a content-type to the “unauthorized” response.
* resource-server.scm (make-authenticator): http-get and
current-time are now authenticator parameters, not request
parameters.
* provider-confirmation.scm (get-provider-confirmations): Don't
try to cache.
* identity-provider.scm (make-identity-provider): The identity
provider only uses the cache through the http-get argument.
(main): Use a caching http-get.
* token-endpoint.scm (make-token-endpoint): make the current-time
argument an endpoint parameter, not a handler parameter.
* authorization-endpoint.scm (make-authorization-endpoint): No
need for an explicit cache, since we have http-get.
(make-authorization-endpoint): Pass current-time as an endpoint
parameter, not a handler parameter, because it should be
synchronized with that of the internal http-get with cache.
(make-authorization-endpoint): get-client-manifest is simpler.
* client-manifest.scm (get-client-manifest): Same simplification
as for get-jwks.
* oidc-configuration.scm (get-oidc-configuration): Same
simplifications as for get-jwks.
* jwk.scm (get-jwks): Simplification, the cache is managed through
the http-get argument.
* Makefile.am (dist_webidoidcmod_DATA): Use the new guile web-client with cache
2021-02-17 Vivien Kraus <vivien@planete-kraus.eu>
* authorization-page.scm (with-locale): Avoid deadlock when
setlocale throws.
2021-02-07 Vivien Kraus <vivien@planete-kraus.eu>
* authorization-endpoint.scm (make-authorization-endpoint): use
the new modules.
* Makefile.am (webidoidcgo_DATA): compile the new modules to
generate the authorization pages.
* Makefile.am (dist_webidoidcmod_DATA): distribute the new modules
to generate the authorization pages.
* authorization-page.scm: wrapper of the unsafe module in a
thread-safe fashion.
* authorization-page-unsafe.scm: new module.
* dpop-proof.scm (uris-compatible): Also check userinfo for
equality.
2020-12-05 Vivien Kraus <vivien@planete-kraus.eu>
* dpop-proof.scm (dpop-proof-decode): Accept a predicate to decode
a dpop proof, so that we can use it for the token endpoint.
2020-12-02 Vivien Kraus <vivien@planete-kraus.eu>
* jws.scm (jws-decode): In order to verify OIDC ID tokens, the key
lookup function now takes a full JWS and not only the header.
2020-11-29 Vivien Kraus <vivien@planete-kraus.eu>
* jws.scm (jws-decode): The JWS can be verified using a JWKS or multiple keys.