fix(oidc): delayed user details refresh

[james-d-elliott]

The user details refresh does not naturally occur via OpenID Connect 1.0 flows and instead relies on alternative activity. This helps ensure the details are more frequently updated via normal OAuth 2.0 flows.

Summary by CodeRabbit

• New Features
  • Enhanced user details retrieval in authentication processes.
  • Improved OpenID Connect (OIDC) authorization flow with extended claims handling.
  • Updated session validation and refresh mechanisms.
  • Introduced new constants and interfaces for better OIDC support.
• Refactor
  • Simplified authentication handler names for clarity.
  • Refactored OIDC userinfo claims processing for efficiency.
• Documentation
  • Updated security access control documentation to reflect changes in regex pattern matching behavior for resource rules.
• Bug Fixes
  • Refined sector_identifier_uri validation in OIDC configuration, including error messaging and handling of various URI components.
• Chores
  • Removed unused string utility functions and associated tests to streamline the codebase.

[authelia]

Artifacts

These changes are published for testing on Buildkite, DockerHub and GitHub Container Registry.

Docker Container

• docker pull authelia/authelia:fix-oidc-details-refresh
• docker pull ghcr.io/authelia/authelia:fix-oidc-details-refresh

[coderabbitai]

Walkthrough

The updates focus on enhancing OIDC functionality and session validation in an authentication framework. Changes include adding methods to user details structures, refining OIDC claim handling, improving session validation logic, and updating access control regex pattern matching behavior. These modifications aim to streamline authentication and authorization processes for a more robust system.

Changes

Files	Change Summary
.../authentication/types.go	Added methods for retrieving user details like username, groups, display name, and emails.
.../handlers/handler_authz_authn.go	Renamed methods for clarity in session validation.
.../handlers/handler_oidc_authorization.go	Included a pre-processing step for session validation in OIDC grant requests.
.../handlers/handler_oidc_userinfo.go .../handlers/oidc.go	Modified OIDC userinfo handling and added functions for audience handling and claim updates.
.../oidc/const.go .../oidc/types.go	Introduced a new constant for state hash and a UserDetailer interface in OIDC components.
.../session/user_session.go	Enhanced UserSession struct with methods for user detail retrieval.
.../configuration/validator/const.go .../configuration/validator/identity_providers.go	Updated error formatting and validation logic for SectorIdentifierURI, including checks for absolute URIs and valid schemes.
.../utils/strings.go .../utils/strings_test.go	Removed functions and tests related to URL host component validation, indicating a change in approach for URL validation.
docs/content/configuration/security/access-control.md	Documented a change in regex pattern matching for resource rules, now including query parameters in matches post version 4.27.0, and emphasized the importance of quoting resource rules in configuration.

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share

• X
• Mastodon
• Reddit
• LinkedIn

---

Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>.
  • Generate unit-tests for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit tests for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai generate interesting stats about this repository and render them as a table.
  • @coderabbitai show all the console.log statements in this repository.
  • @coderabbitai read src/utils.ts and generate unit tests.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (invoked as PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger a review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai help to get help.

Additionally, you can add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.

CodeRabbit Configration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• The JSON schema for the configuration file is available here.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/coderabbit-overrides.v2.json

CodeRabbit Discord Community

Join our Discord Community to get help, request features, and share feedback.

[netlify]

✅ Deploy Preview for authelia-staging ready!

Name	Link
🔨 Latest commit	44b5013
🔍 Latest deploy log	https://app.netlify.com/sites/authelia-staging/deploys/6605d54d5903e70008984595
😎 Deploy Preview	https://deploy-preview-7035--authelia-staging.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[coderabbitai]

Review Status

Actionable comments generated: 0

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between 695617b and 200314d.

Files selected for processing (4)

• internal/handlers/handler_authz_authn.go (5 hunks)
• internal/handlers/handler_oidc_authorization.go (1 hunks)
• internal/handlers/handler_oidc_userinfo.go (3 hunks)
• internal/handlers/oidc.go (2 hunks)

Files skipped from review as they are similar to previous changes (4)

• internal/handlers/handler_authz_authn.go
• internal/handlers/handler_oidc_authorization.go
• internal/handlers/handler_oidc_userinfo.go
• internal/handlers/oidc.go

[codecov]

Codecov Report

Attention: Patch coverage is 65.78947% with 52 lines in your changes are missing coverage. Please review.

Project coverage is 73.36%. Comparing base (9f6569f) to head (2c106f9).

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #7035      +/-   ##
==========================================
- Coverage   73.36%   73.36%   -0.01%     
==========================================
  Files         345      345              
  Lines       29798    29907     +109     
  Branches      839      839              
==========================================
+ Hits        21862    21940      +78     
- Misses       7065     7095      +30     
- Partials      871      872       +1     

Flag	Coverage Δ
backend	74.22% <65.78%> (-0.02%)	⬇️
frontend	65.84% <ø> (+0.03%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files	Coverage Δ
internal/authentication/types.go	100.00% <100.00%> (ø)
internal/handlers/handler_authz_authn.go	67.75% <100.00%> (ø)
internal/oidc/types.go	0.00% <ø> (ø)
internal/handlers/handler_oidc_authorization.go	26.21% <36.36%> (-0.71%)	⬇️
internal/handlers/handler_oidc_userinfo.go	0.00% <0.00%> (ø)
internal/session/user_session.go	87.30% <0.00%> (-12.70%)	⬇️
internal/handlers/oidc.go	75.00% <72.97%> (-13.00%)	⬇️

... and 3 files with indirect coverage changes

[coderabbitai]

Review Status

Actionable comments generated: 2

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between 7ac4454 and 44b5013.

Files selected for processing (9)

• docs/content/configuration/security/access-control.md (1 hunks)
• internal/authentication/types.go (1 hunks)
• internal/handlers/handler_authz_authn.go (5 hunks)
• internal/handlers/handler_oidc_authorization.go (1 hunks)
• internal/handlers/handler_oidc_userinfo.go (3 hunks)
• internal/handlers/oidc.go (1 hunks)
• internal/oidc/const.go (1 hunks)
• internal/oidc/types.go (1 hunks)
• internal/session/user_session.go (1 hunks)

Files skipped from review as they are similar to previous changes (3)

• internal/handlers/handler_authz_authn.go
• internal/handlers/handler_oidc_authorization.go
• internal/handlers/handler_oidc_userinfo.go

Additional comments (23)

internal/session/user_session.go (1)

• 94-108: The newly added methods GetUsername, GetGroups, GetDisplayName, and GetEmails in the UserSession struct are straightforward and follow good practices by providing a clean API for accessing user session details. These methods enhance the readability and maintainability of the code by encapsulating the access to specific fields of the UserSession struct.

internal/authentication/types.go (1)

• 80-94: The newly added methods GetUsername, GetGroups, GetDisplayName, and GetEmails in the UserDetails struct are well-implemented and follow good practices by providing a clean API for accessing user details. These methods enhance the readability and maintainability of the code by encapsulating the access to specific fields of the UserDetails struct.

internal/handlers/oidc.go (1)

• 161-161: Please ensure that the cuddling of the if statement with the assignment is corrected to adhere to Go coding standards. This was previously flagged by static analysis and should be addressed for consistency and readability.

internal/oidc/const.go (1)

• 25-25: The addition of the ClaimStateHash constant is a good practice for managing OIDC claims. It enhances the clarity and maintainability of the code by providing a named constant for the state hash claim, which is likely to be used in multiple places within the OIDC flow.

docs/content/configuration/security/access-control.md (18)

• 420-425: > 📝 NOTE

This review was outside the diff hunks and was mapped to the diff hunk with the greatest overlap. Original lines [1-591]

The document thoroughly explains the configuration options for access control in Authelia, including the significant change in regex pattern matching behavior for resource rules in version 4.27.0. However, it's essential to ensure that this change is highlighted appropriately within the document to alert users of the behavior change and guide them on how to adjust their configurations if necessary. Consider adding a specific section or note that directly addresses this change, providing examples of how resource rules should be written post 4.27.0 to include query parameters in the match. This will help users understand the impact of the change and how to adapt their configurations accordingly.

• 420-425: > 📝 NOTE

This review was outside the diff hunks and was mapped to the diff hunk with the greatest overlap. Original lines [1-591]

Overall, the document is well-structured and provides comprehensive information on configuring access control in Authelia. The explanations are clear, and the examples are helpful in understanding how to apply the configurations. It's important to ensure that all configuration options and policies are up-to-date and accurately reflect the current capabilities of Authelia. Additionally, consider reviewing the document for consistency in formatting and terminology to enhance readability and user comprehension.

• 420-425: > 📝 NOTE

This review was outside the diff hunks, and no overlapping diff hunk was found. Original lines [409-411]

The resources section explains how to match the path and query of the request using regular expressions. Given the change in regex pattern matching behavior for resource rules in version 4.27.0, it's crucial to ensure that this section includes clear guidance on how to include query parameters in the match. Consider adding examples that demonstrate the new behavior and explicitly state the version from which this behavior applies. This will help users understand how to write resource rules that take advantage of the updated matching behavior.

• 420-425: > 📝 NOTE

This review was outside the diff hunks, and no overlapping diff hunk was found. Original lines [71-71]

Consider starting the sentence with an uppercase letter for consistency and readability.

• 420-425: > 📝 NOTE

This review was outside the diff hunks, and no overlapping diff hunk was found. Original lines [82-82]

Consider starting the sentence with an uppercase letter for consistency and readability.

• 420-425: > 📝 NOTE

This review was outside the diff hunks, and no overlapping diff hunk was found. Original lines [97-97]

Consider starting the sentence with an uppercase letter for consistency and readability.

• 420-425: > 📝 NOTE

This review was outside the diff hunks, and no overlapping diff hunk was found. Original lines [124-124]

Consider starting the sentence with an uppercase letter for consistency and readability.

• 420-425: > 📝 NOTE

This review was outside the diff hunks, and no overlapping diff hunk was found. Original lines [195-195]

Consider starting the sentence with an uppercase letter for consistency and readability.

• 420-425: > 📝 NOTE

This review was outside the diff hunks, and no overlapping diff hunk was found. Original lines [241-241]

Consider starting the sentence with an uppercase letter for consistency and readability.

• 420-425: > 📝 NOTE

This review was outside the diff hunks, and no overlapping diff hunk was found. Original lines [250-250]

Consider starting the sentence with an uppercase letter for consistency and readability.

• 420-425: > 📝 NOTE

This review was outside the diff hunks, and no overlapping diff hunk was found. Original lines [316-316]

Consider starting the sentence with an uppercase letter for consistency and readability.

• 420-425: > 📝 NOTE

This review was outside the diff hunks, and no overlapping diff hunk was found. Original lines [354-354]

Consider starting the sentence with an uppercase letter for consistency and readability.

• 420-425: > 📝 NOTE

This review was outside the diff hunks, and no overlapping diff hunk was found. Original lines [409-409]

Consider starting the sentence with an uppercase letter for consistency and readability.

• 420-425: > 📝 NOTE

This review was outside the diff hunks, and no overlapping diff hunk was found. Original lines [443-443]

Consider starting the sentence with an uppercase letter for consistency and readability.

• 420-425: > 📝 NOTE

This review was outside the diff hunks, and no overlapping diff hunk was found. Original lines [505-505]

Consider starting the sentence with an uppercase letter for consistency and readability.

• 420-425: > 📝 NOTE

This review was outside the diff hunks, and no overlapping diff hunk was found. Original lines [513-513]

Consider starting the sentence with an uppercase letter for consistency and readability.

• 420-425: > 📝 NOTE

This review was outside the diff hunks, and no overlapping diff hunk was found. Original lines [521-521]

Consider starting the sentence with an uppercase letter for consistency and readability.

• 420-425: > 📝 NOTE

This review was outside the diff hunks, and no overlapping diff hunk was found. Original lines [528-528]

Consider starting the sentence with an uppercase letter for consistency and readability.

internal/oidc/types.go (1)

• 202-207: The addition of the UserDetailer interface aligns well with the PR's objectives to enhance the refresh mechanism of user details in OIDC flows. It's crucial to ensure that this interface is implemented effectively and utilized in the OIDC flow enhancements to achieve the intended improvements in user detail refreshment.

[coderabbitai]

Actionable comments posted: 15

Review Status

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between 9f6569f and e420b53.

Files selected for processing (9)

• docs/content/configuration/security/access-control.md (1 hunks)
• internal/authentication/types.go (1 hunks)
• internal/handlers/handler_authz_authn.go (5 hunks)
• internal/handlers/handler_oidc_authorization.go (1 hunks)
• internal/handlers/handler_oidc_userinfo.go (3 hunks)
• internal/handlers/oidc.go (1 hunks)
• internal/oidc/const.go (1 hunks)
• internal/oidc/types.go (1 hunks)
• internal/session/user_session.go (1 hunks)

Files skipped from review as they are similar to previous changes (8)

• internal/authentication/types.go
• internal/handlers/handler_authz_authn.go
• internal/handlers/handler_oidc_authorization.go
• internal/handlers/handler_oidc_userinfo.go
• internal/handlers/oidc.go
• internal/oidc/const.go
• internal/oidc/types.go
• internal/session/user_session.go

Additional comments not posted (1)

docs/content/configuration/security/access-control.md (1)

420-425: > 📝 NOTE

This review was outside the diff hunks, and no overlapping diff hunk was found. Original lines [77-77]

The term "Authelia" is spelled correctly; however, the static analysis tool flagged it as a possible spelling mistake. This is a false positive.

[coderabbitai]

Actionable comments posted: 15

Review Status

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between 9f6569f and 6ef53af.

Files selected for processing (9)

• docs/content/configuration/security/access-control.md (1 hunks)
• internal/authentication/types.go (1 hunks)
• internal/handlers/handler_authz_authn.go (5 hunks)
• internal/handlers/handler_oidc_authorization.go (1 hunks)
• internal/handlers/handler_oidc_userinfo.go (3 hunks)
• internal/handlers/oidc.go (1 hunks)
• internal/oidc/const.go (1 hunks)
• internal/oidc/types.go (1 hunks)
• internal/session/user_session.go (1 hunks)

Files skipped from review as they are similar to previous changes (8)

• internal/authentication/types.go
• internal/handlers/handler_authz_authn.go
• internal/handlers/handler_oidc_authorization.go
• internal/handlers/handler_oidc_userinfo.go
• internal/handlers/oidc.go
• internal/oidc/const.go
• internal/oidc/types.go
• internal/session/user_session.go

[coderabbitai]

Actionable comments posted: 15

Review Status

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between 9f6569f and c6e7c1e.

Files selected for processing (10)

• docs/content/configuration/security/access-control.md (1 hunks)
• internal/authentication/types.go (1 hunks)
• internal/handlers/handler_authz_authn.go (5 hunks)
• internal/handlers/handler_oidc_authorization.go (1 hunks)
• internal/handlers/handler_oidc_userinfo.go (3 hunks)
• internal/handlers/oidc.go (1 hunks)
• internal/handlers/oidc_test.go (2 hunks)
• internal/oidc/const.go (1 hunks)
• internal/oidc/types.go (1 hunks)
• internal/session/user_session.go (1 hunks)

Files skipped from review as they are similar to previous changes (7)

• internal/authentication/types.go
• internal/handlers/handler_authz_authn.go
• internal/handlers/handler_oidc_authorization.go
• internal/handlers/handler_oidc_userinfo.go
• internal/oidc/const.go
• internal/oidc/types.go
• internal/session/user_session.go

Additional comments not posted (11)

internal/handlers/oidc.go (8)

5-5: Adding imports for github.com/authelia/authelia/v4/internal/authentication, github.com/authelia/authelia/v4/internal/middlewares, and github.com/authelia/authelia/v4/internal/utils aligns with the enhancements made in OIDC and OAuth 2.0 flows. Ensure these packages are used effectively in the updated logic.

---

18-30: The oidcGrantRequests function now returns extraClaims, which is a significant change. Ensure that all calls to this function throughout the codebase have been updated to handle the returned extraClaims appropriately. This change is crucial for the enhanced user details refresh mechanism.

Verification successful

---

The calls to oidcGrantRequests across the codebase have been updated to handle the returned extraClaims appropriately, as evidenced by the assignment of the return value to extraClaims in both test and handler files. This indicates that the necessary adjustments have been made to accommodate the change in the function's return type.

Scripts Executed

The following scripts were executed for the analysis:

---

Script:

#!/bin/bash
# Search for calls to oidcGrantRequests and ensure they handle extraClaims.
ast-grep --lang go --pattern $'oidcGrantRequests($_, $_, $_)'

Length of output: 924

---

33-53: The oidcApplyScopeClaims function introduces logic to update claims based on the granted scopes. This is a key part of the user details refresh mechanism. Ensure that the claims are correctly applied and that the function is tested thoroughly, especially for edge cases like empty scopes or unexpected scope values.

---

55-83: The oidcGetAudience function adds logic to handle audience claims, which is crucial for OIDC flows. Ensure that the audience is correctly determined and that this function is covered by unit tests to verify its behavior with different claim types.

---

86-110: The oidcApplyUserInfoClaims function updates claims with user information, which is central to the user details refresh mechanism. It's important to ensure that this function does not overwrite essential OIDC claims and that it's tested for various scenarios, including missing or additional claims.

---

112-129: The oidcApplyUserInfoDetailsClaims function is a new addition that applies user details to claims based on scopes. This function relies on a resolver to fetch user details, which introduces a dependency on external systems. Ensure error handling is robust and that there are fallbacks or logs for when user details cannot be resolved.

Consider adding logging or error metrics for cases where user details cannot be resolved, to aid in debugging and monitoring.

---

131-154: The oidcApplyUserInfoDetailsClaimsGetSubject function extracts the subject from claims and ensures it's a valid UUID. This is a critical validation step in the OIDC flow. Ensure that this function is thoroughly tested, particularly for cases with invalid or missing subject claims.

---

157-174: The oidcCtxDetailResolver function provides a resolver for fetching user details based on a subject UUID. This function interacts with external providers, so it's important to ensure that error handling is comprehensive and that there are tests covering various failure scenarios.

internal/handlers/oidc_test.go (3)

4-4: Adding imports for fmt, authelia.com/provider/oauth2, and github.com/google/uuid aligns with the new test functions added for OIDC claims mapping. Ensure these packages are used effectively in the test logic.

---

113-255: The TestOIDCApplyUserInfoClaims function and its associated test cases are crucial for ensuring the correct application of OIDC user info claims. It's important to verify that all scenarios are covered, including edge cases like missing subjects or errors during user detail resolution. Consider adding more test cases if any scenarios are not yet covered.

---

257-261: The oidcTestDetailerFromSubject function provides a mock detail resolver for testing, which is a good practice for isolating tests from external dependencies. Ensure that this function is used consistently across tests that require user detail resolution.

[coderabbitai]

Actionable comments posted: 0

Review Status

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between c6e7c1e and 2c106f9.

Files selected for processing (2)

• internal/handlers/handler_oidc_authorization.go (4 hunks)
• internal/handlers/oidc.go (1 hunks)

Files skipped from review as they are similar to previous changes (2)

• internal/handlers/handler_oidc_authorization.go
• internal/handlers/oidc.go

Additional Context Used