CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

adjustments for support of PKCE OIDC

Browse Source
This commit is contained in:
Jason Ertel
2024-10-01 08:54:14 -04:00
parent 073fb16e20
commit 4913df2297
3 changed files with 7 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
salt/kratos/defaults.yaml
View File

@@ -6,6 +6,7 @@ kratos:
id: SSO id: SSO
mapper_url: file:///kratos-conf/oidc.jsonnet mapper_url: file:///kratos-conf/oidc.jsonnet
subject_source: userinfo subject_source: userinfo
pkce: auto
scope: scope:
- email - email
- profile - profile

5
salt/kratos/soc_kratos.yaml
View File

@@ -70,6 +70,11 @@ kratos:
global: True global: True
forcedType: "[]string" forcedType: "[]string"
helpLink: oidc.html helpLink: oidc.html
pkce:
description: Set to 'force' if the OIDC provider does not support auto-detection of PKCE, but does support PKCE. Set to `never` to disable PKCE. The default setting automatically attempts to detect if PKCE is supported. The provider's `well-known/openid-configuration` JSON response must contain the `S256` algorithm within the `code_challenge_methods_supported` list in order for the auto-detection to correctly detect PKCE is supported.
global: True
forcedType: string
helpLink: oidc.html
requested_claims: requested_claims:
id_token: id_token:
email: email:

2
salt/nginx/etc/nginx.conf
View File

@@ -193,7 +193,7 @@ http {
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
} }
location ~ ^/auth/.*?(login|oidc/callback/) { location ~ ^/auth/.*?(login|oidc/callback) {
rewrite /auth/(.*) /$1 break; rewrite /auth/(.*) /$1 break;
limit_req zone=auth_throttle burst={{ NGINXMERGED.config.throttle_login_burst }} nodelay; limit_req zone=auth_throttle burst={{ NGINXMERGED.config.throttle_login_burst }} nodelay;
limit_req_status 429; limit_req_status 429;