diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7f1567e84..a07860476 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,7 +12,7 @@ Unreleased changes are available as `avenga/couper:edge` container.
 * Missing [scope or roles claims](./docs/REFERENCE.md#jwt-block), or scope or roles claim with unsupported values are now ignored instead of causing an error ([#380](https://github.com/avenga/couper/issues/380))
 * Improved the validation for unique keys in all map-attributes in the config ([#403](https://github.com/avenga/couper/pull/403))
 * Unbeta [OIDC block](./docs/REFERENCE.md#oidc-block) ([#400](https://github.com/avenga/couper/pull/400))
- * Unbeta [`oauth2_authorization_url()`](./docs/REFERENCE.md#functions) function. The prefix is changed from `beta_oauth_...` to `oauth2_...` ([#400](https://github.com/avenga/couper/pull/400))
+ * Unbeta the `oauth2_authorization_url()` and `oauth2_verifier()` [function](./docs/REFERENCE.md#functions). The prefix is changed from `beta_oauth_...` to `oauth2_...` ([#400](https://github.com/avenga/couper/pull/400))
 * **Fixed**
 * build-date configuration for binary and docker builds ([#396](https://github.com/avenga/couper/pull/396))
diff --git a/docs/REFERENCE.md b/docs/REFERENCE.md
index 19dd1715f..fedd19cdc 100644
--- a/docs/REFERENCE.md
+++ b/docs/REFERENCE.md
@@ -432,7 +432,7 @@ Like all [Access Control](#access-control) types, the `beta_oauth2` block is def
 | `client_secret` |string|-|The client password.|⚠ required.|-|
 | `scope` |string|-| A space separated list of requested scopes for the access token.| - | `scope = "read write"` |
 | `verifier_method` | string | - | The method to verify the integrity of the authorization code flow | ⚠ required, available values: `ccm_s256` (`code_challenge` parameter with `code_challenge_method` `S256`), `state` (`state` parameter) | `verifier_method = "ccm_s256"` |
-| `verifier_value` | string or expression | - | The value of the (unhashed) verifier. | ⚠ required; e.g. using cookie value created with [`beta_oauth_verifier()` function](#functions) | `verifier_value = request.cookies.verifier` |
+| `verifier_value` | string or expression | - | The value of the (unhashed) verifier. | ⚠ required; e.g. using cookie value created with [`oauth2_verifier()` function](#functions) | `verifier_value = request.cookies.verifier` |
 | `custom_log_fields` | map | - | Defines log fields for [Custom Logging](LOGS.md#custom-logging). | ⚠ Inherited by nested blocks. | - |
 If the authorization server supports the `code_challenge_method` `S256` (a.k.a. PKCE, see RFC 7636), we recommend `verifier_method = "ccm_s256"`.
@@ -460,7 +460,7 @@ Like all [Access Control](#access-control) types, the `oidc` block is defined in
 | `client_secret` |string|-|The client password.|⚠ required.|-|
 | `scope` |string|-| A space separated list of requested scopes for the access token.|`openid` is automatically added.| `scope = "profile read"` |
 | `verifier_method` | string | - | The method to verify the integrity of the authorization code flow | available values: `ccm_s256` (`code_challenge` parameter with `code_challenge_method` `S256`), `nonce` (`nonce` parameter) | `verifier_method = "nonce"` |
-| `verifier_value` | string or expression | - | The value of the (unhashed) verifier. | ⚠ required; e.g. using cookie value created with [`beta_oauth_verifier()` function](#functions) | `verifier_value = request.cookies.verifier` |
+| `verifier_value` | string or expression | - | The value of the (unhashed) verifier. | ⚠ required; e.g. using cookie value created with [`oauth2_verifier()` function](#functions) | `verifier_value = request.cookies.verifier` |
 | `custom_log_fields` | map | - | Defines log fields for [Custom Logging](LOGS.md#custom-logging). | ⚠ Inherited by nested blocks. | - |
 If the OpenID server supports the `code_challenge_method` `S256` the default value for `verifier_method`is `ccm_s256`, `nonce` otherwise.
@@ -684,8 +684,8 @@ To access the HTTP status code of the `default` response use `backend_responses.
 | `json_encode` | string | Returns a JSON serialization of the given value. | `val` (various) | `json_encode(request.context.myJWT)` |
 | `jwt_sign` | string | jwt_sign creates and signs a JSON Web Token (JWT) from information from a referenced [JWT Signing Profile Block](#jwt-signing-profile-block) (or [JWT Block](#jwt-block) with `signing_ttl`) and additional claims provided as a function parameter. | `label` (string), `claims` (object) | `jwt_sign("myJWT")` |
 | `merge` | object or tuple | Deep-merges two or more of either objects or tuples. `null` arguments are ignored. A `null` attribute value in an object removes the previous attribute value. An attribute value with a different type than the current value is set as the new value. `merge()` with no parameters returns `null`. | `arg...` (object or tuple) | `merge(request.headers, { x-additional = "myval" })` |
-| `oauth2_authorization_url` | string | Creates an OAuth2 authorization URL from a referenced [OAuth2 AC Block](#oauth2-ac-block-beta) or [OIDC Block](#oidc-block). | `label` (string) | `oauth2_authorization_url("myOAuth2")` |
-| `beta_oauth_verifier` | string | Creates a cryptographically random key as specified in RFC 7636, applicable for all verifier methods; e.g. to be set as a cookie and read into `verifier_value`. Multiple calls of this function in the same client request context return the same value. | | `beta_oauth_verifier()` |
+| `oauth2_authorization_url` | string | Creates an OAuth2 authorization URL from a referenced [OAuth2 AC Block](#oauth2-ac-block-beta) or [OIDC Block](#oidc-block). | `label` (string) | `oauth2_authorization_url("myOAuth2")` |
+| `oauth2_verifier` | string | Creates a cryptographically random key as specified in RFC 7636, applicable for all verifier methods; e.g. to be set as a cookie and read into `verifier_value`. Multiple calls of this function in the same client request context return the same value. | | `oauth2_verifier()` |
 | `relative_url` | string | Returns a relative URL by retaining `path`, `query` and `fragment` components. The input URL `s` must begin with `/`, `//`, `http://` or `https://`, otherwise an error is thrown. | s (string) | `relative_url("https://httpbin.org/anything?query#fragment") // returns "/anything?query#fragment"` |
 | `saml_sso_url` | string | Creates a SAML SingleSignOn URL (including the `SAMLRequest` parameter) from a referenced [SAML Block](#saml-block). | `label` (string) | `saml_sso_url("mySAML")` |
 | `split` | tuple | Divides a given string by a given separator, returning a list of strings containing the characters between the separator sequences. | `sep` (string), `str` (string) | `split(" ", "foo bar qux")` |
diff --git a/eval/lib/oauth2.go b/eval/lib/oauth2.go
index f31879950..e31b1109e 100644
--- a/eval/lib/oauth2.go
+++ b/eval/lib/oauth2.go
@@ -17,7 +17,7 @@ const (
 RedirectURI = "redirect_uri"
 CodeVerifier = "code_verifier"
 FnOAuthAuthorizationUrl = "oauth2_authorization_url"
- FnOAuthVerifier = "beta_oauth_verifier"
+ FnOAuthVerifier = "oauth2_verifier"
 InternalFnOAuthHashedVerifier = "internal_oauth_hashed_verifier"
 )
diff --git a/server/http_integration_test.go b/server/http_integration_test.go
index 892844fc5..52ae5854b 100644
--- a/server/http_integration_test.go
+++ b/server/http_integration_test.go
@@ -3973,7 +3973,7 @@ func TestOAuthPKCEFunctions(t *testing.T) {
 v2 := res.Header.Get("x-v-2")
 hv := res.Header.Get("x-hv")
 if v2 != v1 {
- t.Errorf("multiple calls to beta_oauth_verifier() must return the same value:\n\t%s\n\t%s", v1, v2)
+ t.Errorf("multiple calls to oauth2_verifier() must return the same value:\n\t%s\n\t%s", v1, v2)
 }
 s256 := oauth2.Base64urlSha256(v1)
 if hv != s256 {
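Review bot: Changing the value of `FnOAuthVerifier` retires the `beta_oauth_verifier` name from the function table, so a configuration that still calls `beta_oauth_verifier()` will presumably be rejected at configuration evaluation with a generic unknown-function error rather than a pointed one; the hunk registers no alias for the old name, and whether one exists elsewhere in the package is not visible here. If a clean break is intended, the CHANGELOG entry in this commit should say that the old name is no longer accepted, since it currently only mentions the prefix change. If a transition period is intended, a second constant for the old name, registered as a deprecated alias that logs a warning when used, would keep existing verifier cookies working while operators migrate. The `const` block this hunk belongs to begins before the hunk.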
@@ -4021,7 +4021,7 @@ func TestOAuthPKCEFunctions(t *testing.T) {
 cv1_n := res.Header.Get("x-v-1")
 if cv1_n == v1 {
- t.Errorf("calls to beta_oauth_verifier() on different requests must not return the same value:\n\t%s\n\t%s", v1, cv1_n)
+ t.Errorf("calls to oauth2_verifier() on different requests must not return the same value:\n\t%s\n\t%s", v1, cv1_n)
 }
 }
diff --git a/server/testdata/integration/functions/02_couper.hcl b/server/testdata/integration/functions/02_couper.hcl
index b3ea8bdc8..00b1fab2e 100644
--- a/server/testdata/integration/functions/02_couper.hcl
+++ b/server/testdata/integration/functions/02_couper.hcl
@@ -2,8 +2,8 @@ server "oauth-functions" {
 endpoint "/pkce" {
 response {
 headers = {
- x-v-1 = beta_oauth_verifier()
- x-v-2 = beta_oauth_verifier()
+ x-v-1 = oauth2_verifier()
+ x-v-2 = oauth2_verifier()
 x-hv = internal_oauth_hashed_verifier()
 x-au-pkce = oauth2_authorization_url("ac-pkce")
 x-au-pkce-rel = oauth2_authorization_url("ac-pkce-relative")