ueberauth / guardian

Elixir Authentication
MIT License

add auth_time and max_age features #622

Closed mwri closed 4 years ago

mwri commented 4 years ago

Introduces the auth_time config and equivalent option, which makes auth_time an essential claim, and the max_age config and equivalent option, which introduces enforcement of a maximum time since end user authentication. The max_age config is the same format as ttl and sliding_cookie. The auth_time is maintained across token exchange, though of course creating a new token outside such a context will by default reset it to the current (iat) time.

Configuring max_age: {24, :hours}, which implies auth_time: true, will mean Guardian.Plug.SlidingCookie will only be able to chain tokens for 24 hours before verification fails and end user authentication is mandated.
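The semantics described above, as an added stand-alone illustration that is not Guardian's code from this PR: the module name, function names, claim layout and option names below are assumptions chosen for the example, and the timestamps are constructed. It shows the three behaviours the description relies on: auth_time is set at login, carried over unchanged on exchange (while iat moves forward), and verification fails once now minus auth_time exceeds max_age, with max_age implying that the auth_time claim is essential.

```elixir
# Added example: sketch of auth_time / max_age handling per OpenID Connect
# Core 1.0 (auth_time = Unix time of end user authentication). Not Guardian's
# implementation; names and claim layout are assumptions for illustration.
defmodule AuthTimeExample do
  # max_age is given in the same {n, unit} shape as a ttl.
  def to_seconds({n, :seconds}), do: n
  def to_seconds({n, :minutes}), do: n * 60
  def to_seconds({n, :hours}), do: n * 3_600
  def to_seconds({n, :days}), do: n * 86_400
  def to_seconds({n, :weeks}), do: n * 604_800

  # Fresh login: auth_time is the issue time.
  def login_claims(sub, now) do
    %{"sub" => sub, "iat" => now, "auth_time" => now}
  end

  # Exchange / refresh: iat moves forward, auth_time is carried over, so a
  # chain of exchanged tokens cannot outlive max_age. If the old token has no
  # auth_time, fall back to its iat (assumption, mirrors "reset to iat").
  def exchange_claims(old_claims, now) do
    auth_time = Map.get(old_claims, "auth_time", Map.get(old_claims, "iat"))

    old_claims
    |> Map.put("iat", now)
    |> Map.put("auth_time", auth_time)
  end

  # Verify: auth_time: true makes the claim essential (missing => error);
  # max_age: {n, unit} implies auth_time: true and bounds now - auth_time.
  def verify(claims, now, opts) do
    max_age = Keyword.get(opts, :max_age)
    require_auth_time = Keyword.get(opts, :auth_time, false) or not is_nil(max_age)

    case {require_auth_time, Map.get(claims, "auth_time")} do
      {false, _} ->
        {:ok, claims}

      {true, nil} ->
        {:error, :auth_time_missing}

      {true, at} when not is_integer(at) ->
        {:error, :auth_time_invalid}

      {true, at} ->
        cond do
          is_nil(max_age) -> {:ok, claims}
          now - at > to_seconds(max_age) -> {:error, :max_age_exceeded}
          true -> {:ok, claims}
        end
    end
  end
end

# Walk-through with constructed timestamps (not taken from the page).
t0 = 1_600_000_000
opts = [max_age: {24, :hours}]

login = AuthTimeExample.login_claims("user-1", t0)
{:ok, _} = AuthTimeExample.verify(login, t0 + 3_600, opts)

# Exchange at 23h: iat advances, auth_time stays t0, still inside max_age.
refreshed = AuthTimeExample.exchange_claims(login, t0 + 23 * 3_600)
^t0 = refreshed["auth_time"]
{:ok, _} = AuthTimeExample.verify(refreshed, t0 + 23 * 3_600, opts)

# Exchange again at 25h: the chain has outlived max_age, verification fails.
refreshed2 = AuthTimeExample.exchange_claims(refreshed, t0 + 25 * 3_600)
{:error, :max_age_exceeded} = AuthTimeExample.verify(refreshed2, t0 + 25 * 3_600, opts)

# auth_time: true alone makes the claim essential, without a time bound.
{:error, :auth_time_missing} =
  AuthTimeExample.verify(%{"sub" => "user-2", "iat" => t0}, t0, auth_time: true)

IO.puts("auth_time / max_age checks behave as described")
```

Run with `elixir auth_time_example.exs`; each top-level match raises MatchError if a check does not hold. The point worth keeping in mind when wiring this into a real sliding-cookie flow is the one in the exchange step: a refresh must never rewrite auth_time, otherwise max_age degrades into an ordinary ttl and stops bounding the time since the user actually authenticated.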

codecov-io commented 4 years ago

Codecov Report

Merging #622 into master will increase coverage by 0.28%. The diff coverage is 94.44%.


@@            Coverage Diff             @@
##           master     #622      +/-   ##
==========================================
+ Coverage   86.52%   86.81%   +0.28%     
==========================================
  Files          22       22              
  Lines         438      455      +17     
==========================================
+ Hits          379      395      +16     
- Misses         59       60       +1
Impacted Files                              Coverage   Δ
lib/guardian/plug/ensure_authenticated.ex   88.88%     <ø> (ø)
lib/guardian/plug/verify_header.ex          70.83%     <ø> (ø)
lib/guardian/plug/verify_cookie.ex          90%        <ø> (ø)
lib/guardian/token/jwt/verify.ex            92.3%      <100%> (+4.8%)
lib/guardian/plug/sliding_cookie.ex         93.75%     <100%> (+1.44%)
lib/guardian/token/jwt.ex                   86.04%     <88.88%> (+0.33%)

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data. Last update 957f006...7e0bc9d.

Hanspagh commented 4 years ago

I like the idea of this, and just wanted to ask if this specification is taken directly from the OpenID spec defined here https://openid.net/specs/openid-connect-core-1_0.html. If this is the case maybe it could make sense to somehow note that.

mwri commented 4 years ago

Yes exactly, it's implemented per that spec. There is some orthogonal context, like max_age is configuration in this implementation, rather than a request in the spec, but I think a Guardian backed token service will naturally conform to the spec in an unsurprising way if max_age or auth_time is configured, or if the options are used according to some request parameters or other.

So, I think you're right, it's reasonable to reference the spec, but I'm not sure where particularly. I could add it to the README near the config documentation...

mwri commented 4 years ago

Added link to OpenID Connect Core spec and rebased.

mwri commented 4 years ago

You're very welcome.