defguard / defguard
Enterprise, fast, secure VPN & SSO platform with hardware keys, 2FA/MFA
Home Page: https://defguard.net
License: Other
Describe the bug
Obtaining token with method:
oauth.defguard.authorize_access_token(request)
failed with an exception:
iaas-djangoserver-1 | INFO 2023-10-04 07:25:23,091 basehttp 315 140638401312448 "GET /oauth/defguard-login/ HTTP/1.1" 302 0
iaas-djangoserver-1 | INFO 2023-10-04 07:25:23,457 basehttp 315 140638401312448 "GET /oauth/redirect?error=access_denied&state=XttZHHERXW0HIv7vEG74ZvUQHMThis HTTP/1.1" 301 0
iaas-djangoserver-1 | ERROR 2023-10-04 07:25:23,722 log 315 140638401312448 Internal Server Error: /oauth/redirect/
iaas-djangoserver-1 | Traceback (most recent call last):
iaas-djangoserver-1 | File "/usr/local/lib/python3.8/site-packages/django/core/handlers/exception.py", line 47, in inner
iaas-djangoserver-1 | response = get_response(request)
iaas-djangoserver-1 | File "/usr/local/lib/python3.8/site-packages/django/core/handlers/base.py", line 181, in _get_response
iaas-djangoserver-1 | response = wrapped_callback(request, *callback_args, **callback_kwargs)
iaas-djangoserver-1 | File "/server/django/oauth/views.py", line 43, in defguard_authorize
iaas-djangoserver-1 | token = oauth.defguard.authorize_access_token(request)
iaas-djangoserver-1 | File "/usr/local/lib/python3.8/site-packages/authlib/integrations/django_client/apps.py", line 67, in authorize_access_token
iaas-djangoserver-1 | raise OAuthError(error=error, description=description)
iaas-djangoserver-1 | authlib.integrations.base_client.errors.OAuthError: access_denied:
iaas-djangoserver-1 | ERROR 2023-10-04 07:25:23,724 basehttp 315 140638401312448 "GET /oauth/redirect/?error=access_denied&state=XttZHHERXW0HIv7vEG74ZvUQHMThis HTTP/1.1" 500 145
when http is used instead of https and defguard receives GET instead of POST
To Reproduce
Add defguard integration to Django application based on https://defguard.gitbook.io/defguard/features/openid-connect/django-rest-react-app#django-setup
Specify http instead of https links in configuration:
import os
from authlib.integrations.django_client import OAuth

oauth = OAuth()
# The http variants used for the reproduction are supplied through the DEFGUARD_* env vars.
defguard = oauth.register(
    name="defguard",
    client_id=os.getenv("DEFGUARD_CLIENT_ID", "DEFGUARD_CLIENT_ID"),
    client_secret=os.getenv("DEFGUARD_CLIENT_SECRET", "DEFGUARD_CLIENT_SECRET"),
    access_token_url=os.getenv("DEFGUARD_ACCESS_TOKEN_URL", "https://defguard.teonite.net/api/v1/oauth/token"),
    access_token_params=None,
    authorize_url=os.getenv("DEFGUARD_AUTHORIZE_URL", "https://defguard.teonite.net/api/v1/oauth/authorize"),
    api_base_url=os.getenv("DEFGUARD_API_BASE_URL", "https://defguard.teonite.net/api/v1/oauth/userinfo"),
    client_kwargs={"scope": os.getenv("DEFGUARD_SCOPE", "openid email profile")},
    server_metadata_url=os.getenv("DEFGUARD_METADATA_URL",
                                  "https://defguard.teonite.net/.well-known/openid-configuration"),
)
Expected behavior
Login with defguard should work properly.
Additional context
The problem probably lies in our local network environment, where haproxy redirects requests from http to https and changes POST to GET.
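As an added illustration (not code from the defguard project or from this issue), here is a minimal, framework-free version of the callback handling that the report calls for: it compares the returned state with the one stored for the session before looking at anything else, turns an error=access_denied reply into a handled result instead of an unhandled exception (the 500 in the log above), and flags any configured endpoint that is plain http, since a front proxy answering the client's POST with a 301/302 to https is exactly where most HTTP clients (browsers and Python's requests alike) retry the request as a body-less GET. The function names, the OAUTH_CONFIG dictionary and its hostnames are assumptions made for the example.

```python
from urllib.parse import urlsplit, parse_qs
import hmac

# Constructed sample configuration; the hostnames are placeholders, not real endpoints.
OAUTH_CONFIG = {
    "authorize_url": "http://idp.example.internal/api/v1/oauth/authorize",
    "access_token_url": "http://idp.example.internal/api/v1/oauth/token",
}


def insecure_endpoints(config: dict) -> list:
    """Return the names of configured endpoints whose URL is not https.

    A plain-http token endpoint is the setup in which a proxy answers the
    client's POST with a 301/302 to https; the client then repeats it as a GET
    without the body, so the code exchange cannot succeed.
    """
    return [name for name, url in config.items()
            if urlsplit(url).scheme != "https"]


def handle_callback(query_string: str, expected_state: str) -> dict:
    """Interpret the query string of the OAuth redirect URI.

    Returns a dict with 'status' in {'denied', 'error', 'code'}; raises
    ValueError when the state does not match the one issued for this session.
    """
    params = {k: v[0] for k, v in parse_qs(query_string).items()}
    state = params.get("state", "")
    # Constant-time comparison: a state mismatch means the reply was not issued
    # for this session (CSRF or mixed-up sessions) and must not be honoured.
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch on OAuth callback")
    if "error" in params:
        # access_denied is a normal, user-facing outcome, not a server fault.
        return {
            "status": "denied" if params["error"] == "access_denied" else "error",
            "error": params["error"],
            "description": params.get("error_description", ""),
        }
    if "code" not in params:
        return {"status": "error", "error": "invalid_response",
                "description": "neither code nor error in callback"}
    return {"status": "code", "code": params["code"]}


if __name__ == "__main__":
    print(insecure_endpoints(OAUTH_CONFIG))
    # Constructed callback query, shaped like the one in the log above.
    print(handle_callback("error=access_denied&state=abc123", "abc123"))
```

The point of the split return values is that a denied consent should render a page for the user, while a state mismatch or an http endpoint should stop the flow before any token request is sent; Authlib raises OAuthError for the first case, which the view has to catch rather than let propagate.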
After configuring any of the MFA methods, send an email to a user:
- Subject: MFA method XYZ was activated in your account
A Multi-Factor Authorisation method: Email/TOTP/KEY has been activated in your account:
* Date: Tuesday, August 15, 2023 at 11:16:31 AM +00:00
* Session IP Address: 10.X.Y.Z
* Device Type: IPad8,9
Add an option to choose a set of authorized groups in location editor.
When a group is selected only devices of users who belong to a given group can connect to a location.
By default the input is empty and all users are allowed to use a location.
Email:
A new device has been added to your account:
- name: **Name**
- public key: XZYASDQ#@RASSD
- Szczecin: IPXYZYZ
- US: IPXUZY
- Another location: IP
* Date: Tuesday, August 15, 2023 at 11:16:31 AM +00:00
* Session IP Address: 10.X.Y.Z
* From device: IPad8,9
Follow-on question from this discussion:
Now when the time is finished the message disappears and there is an error that the time is up. But the process was successful, thus the user should see the enrollment message for as long as they like.
Right now just by clicking "Send support data" the support email is sent. Please add a "modal" with the following message:
Please confirm that you actually want to send support debug information. None of your private information will be sent (wireguard keys, email addresses, etc. will not be sent).
then [Cancel] [Send support data]
Is your feature request related to a problem? Please describe.
Username chars are very limited and restricted.
Describe the solution you'd like
Ability to use special chars in usernames where possible - for example @ or -
Some users may want their email to be their username. Using valid email regex might be an option https://regexr.com/3e48o
Implement 2FA using email codes.
Flow:
Two-factor authentication methods:
A modal popup: Enter the code that was sent by email:
Email template subject: Your Multi-Factor Authentication Activation - body:
You are activating Multi-Factor Authentication using email verification codes.
* Your code is: **X YY ZYZ** - use this code to complete MFA setup.
Details about the session:
* Date: Tuesday, August 15, 2023 at 11:16:31 AM +00:00
* IP Address: 10.42.0.0
* Device Type: IPad8,9
When user selects MFA using email send email - subject: Your Multi-Factor Authentication Code for Login - body:
* Your code is: **X YY ZYZ** - use this code to complete logging in with defguard.
Details about the session:
* Date: Tuesday, August 15, 2023 at 11:16:31 AM +00:00
* IP Address: 10.42.0.0
* Device Type: IPad8,9
Describe the bug
When using the click for more info on settings and then clicking the docs link you get redirected to your instance rather than the docs.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The link should open a new tab to https://defguard.gitbook.io - preferably to the relevant section.
Version information
Describe the bug
OIDC login for min.io service via Defguard doesn't work. Error message:
Error from IDP
An error occurred, please try again
Invalid kid value <nil>
To Reproduce
In defguard add OIDC client for min.io.
Redirect URL 1: https://my-minio-instance.com/oauth_callback
Scopes: openid,profile,email
In min.io instance setup Defguard OIDC provider.
Go to Administrator -> Identity -> OpenID -> Create Configuration
Fill in the form:
Save and restart min.io server.
Expected behavior
Expected to be able to log into min.io service via Defguard OIDC. Instead the error is displayed after the OIDC flow:
Version information
Additional context
Possible reasons:
/api/v1/oauth/discovery/keys
endpoint returns an empty key set:
{
  "keys": []
}
Should be the following list (and only this list):
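To make the reported failure mode concrete, here is an added example (not code from defguard, min.io or this issue) of the key-selection step a relying party performs before verifying an ID token: it reads the kid from the token's JOSE header and looks it up in the JWKS document, giving a distinct error for an empty key set (the discovery endpoint above), for a token whose header carries no kid at all (the "Invalid kid value <nil>" case), and for a kid that is simply not in the set. The JWKS documents, key ids and the sample_token helper are constructed for the example; the helper leaves the signature segment empty because only the header is inspected here, and it says nothing about signature verification, which still has to follow.

```python
import base64
import json

# Constructed sample JWKS documents; the key material is a placeholder, not a real key.
EMPTY_JWKS = {"keys": []}
POPULATED_JWKS = {"keys": [
    {"kty": "RSA", "kid": "key-2023-10", "use": "sig", "alg": "RS256",
     "n": "placeholder-modulus", "e": "AQAB"},
]}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_header(token: str) -> dict:
    """Return the decoded JOSE header of a compact-serialised JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three segments)")
    return json.loads(_b64url_decode(parts[0]))


def select_signing_key(jwks: dict, token: str) -> dict:
    """Pick the JWK that the token's kid header names.

    Each failure mode gets its own message so an operator can tell an empty
    key set from a token without a kid or a kid that has rotated out.
    """
    keys = jwks.get("keys") or []
    if not keys:
        raise LookupError("JWKS endpoint returned an empty key set")
    kid = jwt_header(token).get("kid")
    if kid is None:
        raise LookupError("token header carries no kid; cannot select a key")
    for key in keys:
        if key.get("kid") == kid:
            return key
    raise LookupError(f"no key with kid={kid!r} in JWKS")


def sample_token(header: dict, claims: dict) -> str:
    """Build a compact token with an empty signature segment, for this demo only;
    it exists to exercise the header parsing and is never a valid credential."""
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()), ""])


if __name__ == "__main__":
    tok = sample_token({"alg": "RS256", "kid": "key-2023-10", "typ": "JWT"}, {"sub": "alice"})
    print(select_signing_key(POPULATED_JWKS, tok)["kid"])
    try:
        select_signing_key(EMPTY_JWKS, tok)
    except LookupError as exc:
        print(exc)
```

A relying party that logs which of the three branches it hit turns a bare "Invalid kid value" into an actionable message: with the discovery endpoint above returning no keys, the first branch fires before the token header is even consulted.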
We already support having multiple gateways for each VPN location. A UI for displaying the connection status for each of them is incoming along with support for multiple locations.
We should now add a way to name gateways so they can be displayed in a more user friendly way.
--name option to gateway to allow the user to set a display name.
Gateway now identifies by IP (and additionally by name) - now it should primarily support name (and, if not specified, the hostname it is installed on).
Same as for the gateway - DEB and RPM plus SYSTEMD.
Acceptance criteria:
Is your feature request related to a problem? Please describe.
User phone number should be optional.
Describe the solution you'd like
Remove required field for phone number.
Enrollment + DG use the UI repo as a git submodule
Is your feature request related to a problem? Please describe.
A way to quickly see version of app and other useful info when reporting bugs etc.
Describe the solution you'd like
A section in settings to show useful info like version, os, env variables (secrets not included or ** out).
Describe alternatives you've considered
The side bar displaying the current version is good but more info would be great.
@dzania last thing that needs to be done is to obfuscate the JSON - there are passwords there...
export DEFGUARD_DOMAIN=xyz.com
export DEFGUARD_VPN_NAME=....
export DEFGUARD_VPN_IP...
export DEFGUARD_ENROLMENT... # if set, enrollment is there; if not, it is not
export DEFGUARD_HTTPS=true # CADDY - if not set, there is none
curl -fsSL https://get.defguard.net | bash
Email with info that login to defguard was done from new device:
Your account was just logged into from a new device:
* Date: Tuesday, August 15, 2023 at 11:16:31 AM +00:00
* IP Address: 10.X.Y.Z
* Device Type: IPad8,9
The helm chart needs to be updated to include the enrollment service deployment (probably as an option) and to make sure that all the env variables we've added over the last few months are included in ConfigMaps.
The goal is to change current mock https://github.com/DefGuard/mock-vpn to support:
Implement new design of multiple gateway connection information - https://www.figma.com/file/uoFcgpOuVWa6g7tvKwB52o/defguard?type=design&mode=design
Email with info that there was a successful account login to defguard:
Subject: New login to your account
Just a quick information about new successful login to your account:
* Date: Tuesday, August 15, 2023 at 11:16:31 AM +00:00
* IP Address: 10.X.Y.Z
* Device Type: IPad8,9
Support data should not send any user information (names, emails, etc.)
Content manager capable of basic text functionalities provided by markdown.
Available options should reflect those in markdown and the toggle ability to change from preview into raw markdown text.
Library: https://tiptap.dev/
Example: https://tiptap.dev/editor
Plugin for markdown support: https://github.com/aguingand/tiptap-markdown
Prepare listing of available template TAGS and meaning
Email with info that login using defguard was done to a new system using OIDC (the first one - after consent):
Subject: New login to XXXX application with defguard
Your account was just logged into a system: Outline using OpenID Connect authorization:
* Date: Tuesday, August 15, 2023 at 11:16:31 AM +00:00
* IP Address: 10.X.Y.Z
* Device Type: IPad8,9
* You can deauthorize all applications that have access to your account from the web vault under (My Profile > Apps) [Link to DG My profile]