docs/content/doc/setup/config.md

@@ -654,8 +654,7 @@ Default: `<empty>`
 
 Identity-Aware Proxy configuration will allow users to authenticate through an identity-aware proxy in front of Vikunja.<br/>
 The proxy needs to supply a signed JWT over HTTP headers with claims for `sub`, `iss`, and `email`.
-This JWT must be signed using ECDSA or RSA.
 It must also serve the public keys for that signed JWT in the JWKS format.
-Take a look at the [default config file](https://kolaente.dev/vikunja/api/src/branch/master/config.yml.sample) for more information about how to configure this authentication.
 
-Default: `<empty>`
+Default: `<empty>`
+

pkg/modules/auth/auth.go

@@ -106,11 +106,11 @@ func NewUserAuthTokenResponse(u *user.User, c echo.Context) error {
 func NewUserJWTAuthtoken(u *user.User) (token string, err error) {
 	// Set claims
 	claims := &AuthClaims{
-		Type:         AuthTypeUser,
-		UserID:       u.ID,
-		UserUsername: u.Username,
-		UserEmail: u.Email,
-		UserName: u.Name,
+		Type:                      AuthTypeUser,
+		UserID:                    u.ID,
+		UserUsername:              u.Username,
+		UserEmail:                 u.Email,
+		UserName:                  u.Name,
 		UserEmailRemindersEnabled: u.EmailRemindersEnabled,
 		StandardClaims: jwt.StandardClaims{
 			ExpiresAt: time.Now().Add(time.Hour * 72).Unix(),
@@ -249,7 +249,7 @@ func GetJWTConfig() middleware.JWTConfig {
 // GetOrCreateUserFromExternalAuth returns a user after finding or creating a matching user for the provided details
 func GetOrCreateUserFromExternalAuth(s *xorm.Session, issuer, subject, email, name, preferredUsername string) (u *user.User, err error) {
 	if issuer == "" || subject == "" || email == "" {
-		return nil,  echo.NewHTTPError(http.StatusBadRequest, models.Message{Message: "Missing required data."})
+		return nil, echo.NewHTTPError(http.StatusBadRequest, models.Message{Message: "Missing required data."})
 	}
 
 	// Check if the user exists for that issuer and subject

pkg/modules/auth/identityawareproxy/error.go

@@ -70,7 +70,7 @@ func (err ErrIAPPublicKeysetMissing) HTTPError() web.HTTPError {
 }
 
 // ErrIAPUserFrontendMismatch represents a "IAPUserDoesNotMatchFrontendUser" kind of error.
-type ErrIAPUserFrontendMismatch struct {}
+type ErrIAPUserFrontendMismatch struct{}
 
 // IsErrIAPPublicKeysetMissing checks if an error is a ErrIAPUserFrontendMismatch.
 func IsErrIAPUserFrontendMismatch(err error) bool {
@@ -114,7 +114,7 @@ func (err ErrIAPUnsupportedJWTSigningMethod) HTTPError() web.HTTPError {
 }
 
 // ErrIAPJWTMissingKID represents a "ErrIAPJWTMissingKID" kind of error.
-type ErrIAPJWTMissingKID struct {}
+type ErrIAPJWTMissingKID struct{}
 
 // IsErrIAPUnsupportedJWTSigningMethod checks if an error is a ErrIAPJWTMissingKID.
 func IsErrIAPJWTMissingKID(err error) bool {

pkg/modules/auth/identityawareproxy/identityawareproxy_test.go

@@ -16,4 +16,4 @@
 
 package identityawareproxy
 
-// TODO test GetWebAuth()
+// TODO test GetWebAuth()

pkg/routes/api/v1/info.go

@@ -67,7 +67,7 @@ type openIDAuthInfo struct {
 }
 
 type identityAwareProxyAuthInfo struct {
-	Enabled bool   `json:"enabled"`
+	Enabled bool `json:"enabled"`
 }
 
 type legalInfo struct {

pkg/routes/api/v1/login.go

@@ -99,7 +99,7 @@ func RenewToken(c echo.Context) (err error) {
 	newToken, err := auth.RenewToken(s, c)
 	if err != nil {
 		_ = s.Rollback()
-		return handler.HandleHTTPError(err, c) 
+		return handler.HandleHTTPError(err, c)
 	}
 
 	if err := s.Commit(); err != nil {

pkg/swagger/docs.go

@@ -32,16 +32,11 @@ var doc = `{
     "host": "{{.Host}}",
     "basePath": "{{.BasePath}}",
     "paths": {
-        "/auth/identityawareproxy/login": {
-            "post": {
-                "security": [
-                    {
-                        "JWTKeyAuth": []
-                    }
-                ],
-                "description": "After a redirect from the OpenID Connect provider to the frontend has been made with the authentication ` + "`" + `code` + "`" + `, this endpoint can be used to obtain a jwt token for that user and thus log them in.",
+        "/auth/identityawareproxy/token": {
+            "get": {
+                "description": "Generates a short-lived JWT based on the identity from the identity-aware proxy in order to provide the front-end with user id and username info",
                 "consumes": [
-                    "application/json"
+                    "N/A"
                 ],
                 "produces": [
                     "application/json"
@@ -49,7 +44,7 @@ var doc = `{
                 "tags": [
                     "auth"
                 ],
-                "summary": "Authenticate a user with OpenID Connect",
+                "summary": "Authenticate a user from the Identity-Aware Proxy",
                 "responses": {
                     "200": {
                         "description": "OK",
@@ -8631,9 +8626,6 @@ var doc = `{
             "properties": {
                 "enabled": {
                     "type": "boolean"
-                },
-                "name": {
-                    "type": "string"
                 }
             }
         },

pkg/swagger/swagger.json

@@ -15,16 +15,11 @@
     },
     "basePath": "/api/v1",
     "paths": {
-        "/auth/identityawareproxy/login": {
-            "post": {
-                "security": [
-                    {
-                        "JWTKeyAuth": []
-                    }
-                ],
-                "description": "After a redirect from the OpenID Connect provider to the frontend has been made with the authentication `code`, this endpoint can be used to obtain a jwt token for that user and thus log them in.",
+        "/auth/identityawareproxy/token": {
+            "get": {
+                "description": "Generates a short-lived JWT based on the identity from the identity-aware proxy in order to provide the front-end with user id and username info",
                 "consumes": [
-                    "application/json"
+                    "N/A"
                 ],
                 "produces": [
                     "application/json"
@@ -32,7 +27,7 @@
                 "tags": [
                     "auth"
                 ],
-                "summary": "Authenticate a user with OpenID Connect",
+                "summary": "Authenticate a user from the Identity-Aware Proxy",
                 "responses": {
                     "200": {
                         "description": "OK",
@@ -8614,9 +8609,6 @@
             "properties": {
                 "enabled": {
                     "type": "boolean"
-                },
-                "name": {
-                    "type": "string"
                 }
             }
         },

pkg/swagger/swagger.yaml

@@ -1210,8 +1210,6 @@ definitions:
     properties:
       enabled:
         type: boolean
-      name:
-        type: string
     type: object
   v1.legalInfo:
     properties:
@@ -1338,11 +1336,11 @@ paths:
       summary: User Avatar
       tags:
       - user
-  /auth/identityawareproxy/login:
-    post:
+  /auth/identityawareproxy/token:
+    get:
       consumes:
-      - application/json
-      description: After a redirect from the OpenID Connect provider to the frontend has been made with the authentication `code`, this endpoint can be used to obtain a jwt token for that user and thus log them in.
+      - N/A
+      description: Generates a short-lived JWT based on the identity from the identity-aware proxy in order to provide the front-end with user id and username info
       produces:
       - application/json
       responses:
@@ -1354,9 +1352,7 @@ paths:
           description: Internal error
           schema:
             $ref: '#/definitions/models.Message'
-      security:
-      - JWTKeyAuth: []
-      summary: Authenticate a user with OpenID Connect
+      summary: Authenticate a user from the Identity-Aware Proxy
       tags:
       - auth
   /auth/openid/{provider}/callback: