Add check for inexistent macSerial attribute on the token.

This version introduces the macSerial attribute to the sso tokens. This isn't used as of now, but the goal is to introduce a check on later version to make sure the device signing is the device the generated the token.

Some changes were made on the PSSO Registration Authenticator, which is now deprecated. Use the standard Platform SSO authenticator when using a flow for the Setup Assistant, and switch on the "Ignore reauthentication requests".

This version fixes a few things:

• sub attribute of refresh token was wrongly configured
• a new authenticator was created in order to allow quick authentication during the Setup Assistant

This version introduces:

• Conditional authentication, so that other authenticators can be used based on the type of PSSO authentication. For example, the authentication flow can evaluate if the authentication used was password, and then requests the user to use 2FA. This is still a bit experimental because we need to introduce some checks on the companion app to detect if the webview should be used or not. It works as of now, but introduces a slight delay between the authentication and showing the webview
• The authentication and token retrieval now checks if the user is disabled or not. If the user is disable, authentication, login requests and key request/exchange will fail.

What's Changed

New features:

• Password Authentication Method is now supported

Improvements:

• Better handling of reauthentication requests
• More secure authentications by adding a nonce to each authentication request to avoid replays

What's Changed

• Added support for Registration Tokens (see https://github.com/unioslo/keycloak-psso-extension/wiki/Using-a-Registration-Token)
• Refactoring of Attestation code (thanks Noam)
• Other small changes

Note: : To use Registration Tokens, your Keycloak must have the Declarative UI feature enabled.

This releases fix a problem that came up after a Keycloak method has been changed.

What's Changed

• Added API for device query and deletion by @oculos in #19

Full Changelog: 0.34b...0.36b

This version adds the possibility of skipping Microsoft 2FA by setting two user session notes:

 authSession.setUserSessionNote("ms-authentication-method", "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password");
                                            authSession.setUserSessionNote("ms-authentication-method-references", "http://schemas.microsoft.com/claims/multipleauthn");

Just add the ms-authentication-method and ms-authentication-method-references to a mapper for UserSession Notes, with the desired claim names, for example:

http://schemas.microsoft.com/claims/authnmethodsreferences to read the attribute ms-authentication-method-references
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod to read the attribute ms-authentication-method.

This release includes better checks for the user-device combination during authentication.

What's Changed

• Feature/reauthentication by @oculos in #3

Full Changelog: 0.12b...latest

Fixed bug with double slash on the base url

What's Changed

• Feature/reauthentication by @oculos in #3

Full Changelog: 0.12b...latest

This release includes better checks for the user-device combination during authentication.

What's Changed

• Feature/reauthentication by @oculos in #3

Full Changelog: 0.12b...latest

This release adds better handling of Offline session times.

Breaking changes!

This release won't work if you have installed this extension before.

Please drop the psso_device and DATABASECHANGELOG_PSSO_DEVIC from your database before installing this version.

This was necessary in order to bring postgresql compatibility. We hope now that the database schema will be stable.

Fixed datatype problems with Postgresql installs.

What's Changed

• Feature/reauthentication by @oculos in #3

Full Changelog: 0.12b...latest

What's Changed

This now adds signature verification for the tokens used during the registration process.

• Fix/offline tokens by @oculos in #6
• Added token signature verification for the registration flows by @oculos in #7

Full Changelog: 0.16b...0.18b

This release fixes the handling of offline tokens so that a local authentication is forced instead of falling back to username/password.

What's Changed

• Feature/reauthentication by @oculos in #3

Full Changelog: 0.12b...latest

Added support to expired tokens and login with local authentication.

Added check for existing credentials for better handling of users who need registration repair.

Fixed the nonce endpoint

This release brings reauthentication. When Keycloak demands a fresh authentication, the user can then send a new token. This change was also implemented on the SSO extension.

Full Changelog: 0.11b...0.12b

This version implements LoA checks, organization handling just like the CookieAuthenticator, and an option to ignore force authentication requests.

This release:

• Adds license files to all classes
• Removes logging of sensitive data

This is the first release of the Keycloak Platform SSO extension.

Known limitations

• Secure Enclave-only: this extension only implements the Secure Enclave authentication method.
• Fixed client: to use this extension, you need to create a client called psso. In the future we will make this configure. The client needs to be public and it needs to include the urn:apple:platformsso scope.
• Revoke Refresh Token needs to be off: the refresh token is used for login, as it is used as an opaque token to authenticate and identify the user. In the future we might change this. This is the default option in Keycloak.
• Missing ACR/LoA and other checks: If you use ACS/LoA, there are no checks on this authenticator. It will be implemented.
• Might be incompatible with the Organizations feature: We based our Authenticator on the Cookies Authenticator, which does a series of checks, including organization checks. These are not implemented here yet.