feat: Experimental FedCM compatibility

Cargo.toml

@@ -11,7 +11,7 @@ members = [
 exclude = ["rauthy-client"]
 
 [workspace.package]
-version = "0.23.1"
+version = "0.23.2-20240524"
 edition = "2021"
 authors = ["Sebastian Dobe <sebastiandobe@mailbox.org>"]
 license = "Apache-2.0"

dev_notes.md

@@ -2,15 +2,12 @@
 
 ## CURRENT WORK
 
-- bug when setting attribute - after set -> undefined instead of ''
-
 ## Stage 1 - essentials
 
 [x] finished
 
 ## Stage 2 - features - do before v1.0.0
 
-- migrate from `rusty_s3` to `s3_simple` to get rid of presigned URLs
 - prettify the UI
 - check out the possibility to include SCIM
 - update the book with all the new features
@@ -24,8 +21,6 @@
 
 ### `rauthy-client` TODO's
 
-- automatic `refresh_token` handler for `device_code` grant flow
-- add `fetch_userinfo()` for a `PrincipalOidc`
 - when implementing userinfo lookup, add an fn to validate the `at_hash` as well
 
 ## Stage 3 - Possible nice to haves

docs/config/config.html

@@ -760,20 +760,20 @@ <h1 id="reference-config"><a class="header" href="#reference-config">Reference C
 # for more information:
 # https://sebadob.github.io/rauthy/config/argon2.html
 # M_COST should never be below 32768 in production
-ARGON2_M_COST=32768
+ARGON2_M_COST=131072
 # T_COST should never be below 1 in production
-ARGON2_T_COST=3
+ARGON2_T_COST=4
 # P_COST should never be below 2 in production
-ARGON2_P_COST=2
+ARGON2_P_COST=8
 
 # Limits the maximum amount of parallel password hashes at
 # the exact same time to never exceed system memory while
 # still allowing a good amount of memory for the argon2id
 # algorithm (default: 2)
 #
 # CAUTION: You must make sure, that you have at least
-# (MAX_HASH_THREADS * ARGON2_M_COST / 1024) + ~30 MB of memory
-# available.
+# (MAX_HASH_THREADS * ARGON2_M_COST / 1024) + idle memory
+# of your deployment available
 MAX_HASH_THREADS=1
 
 # The time in ms when to log a warning, if a request waited

docs/getting_started/k8s.html

@@ -235,17 +235,17 @@ <h3 id="create-and-apply-secrets"><a class="header" href="#create-and-apply-secr
   # The CACHE_AUTH_TOKEN is only needed for a deployment with HA_MODE == true
   # Secret token, which is used to authenticate the cache members
   #CACHE_AUTH_TOKEN:
-  
+
   # The database driver will be chosen at runtime depending on the given DATABASE_URL format. Examples:
   # Sqlite: 'sqlite:data/rauthy.db' or 'sqlite::memory:'
   # Postgres: 'postgresql://User:PasswordWithoutSpecialCharacters@localhost:5432/DatabaseName'
-  DATABASE_URL: 
-    
+  DATABASE_URL:
+
   # Format: "key_id/enc_key another_key_id/another_enc_key" - the enc_key itself must be exactly 32 characters long and
   # and should not contain special characters.
   # The ID must match '[a-zA-Z0-9]{2,20}'
   ENC_KEYS:
-  
+
   # Needed for sending E-Mails for password resets and so on
   SMTP_PASSWORD:
 </code></pre>
@@ -384,10 +384,8 @@ <h3 id="create-and-apply-the-stateful-set"><a class="header" href="#create-and-a
             requests:
               # Tune the memory requests value carefully. Make sure, that the
               # pods request at least:
-              # `ARGON2_M_COST` / 1024 * `MAX_HASH_THREADS` Mi
-              # With SQLite: for small deployments, add additional ~20-30Mi for
-              # "the rest", for larger ones ~50-70 Mi should be enough.
-              memory: 64Mi
+              # `ARGON2_M_COST` / 1024 * `MAX_HASH_THREADS` Mi + idle memory
+              memory: 164Mi
               # The CPU needs to be adjusted during runtime. This heavily
               # depends on your use case.
               cpu: 100m

docs/print.html

@@ -573,17 +573,17 @@ <h3 id="create-and-apply-secrets"><a class="header" href="#create-and-apply-secr
   # The CACHE_AUTH_TOKEN is only needed for a deployment with HA_MODE == true
   # Secret token, which is used to authenticate the cache members
   #CACHE_AUTH_TOKEN:
-  
+
   # The database driver will be chosen at runtime depending on the given DATABASE_URL format. Examples:
   # Sqlite: 'sqlite:data/rauthy.db' or 'sqlite::memory:'
   # Postgres: 'postgresql://User:PasswordWithoutSpecialCharacters@localhost:5432/DatabaseName'
-  DATABASE_URL: 
-    
+  DATABASE_URL:
+
   # Format: "key_id/enc_key another_key_id/another_enc_key" - the enc_key itself must be exactly 32 characters long and
   # and should not contain special characters.
   # The ID must match '[a-zA-Z0-9]{2,20}'
   ENC_KEYS:
-  
+
   # Needed for sending E-Mails for password resets and so on
   SMTP_PASSWORD:
 </code></pre>
@@ -722,10 +722,8 @@ <h3 id="create-and-apply-the-stateful-set"><a class="header" href="#create-and-a
             requests:
               # Tune the memory requests value carefully. Make sure, that the
               # pods request at least:
-              # `ARGON2_M_COST` / 1024 * `MAX_HASH_THREADS` Mi
-              # With SQLite: for small deployments, add additional ~20-30Mi for
-              # "the rest", for larger ones ~50-70 Mi should be enough.
-              memory: 64Mi
+              # `ARGON2_M_COST` / 1024 * `MAX_HASH_THREADS` Mi + idle memory
+              memory: 164Mi
               # The CPU needs to be adjusted during runtime. This heavily
               # depends on your use case.
               cpu: 100m
@@ -2072,20 +2070,20 @@ <h2 id="finish"><a class="header" href="#finish">Finish</a></h2>
 # for more information:
 # https://sebadob.github.io/rauthy/config/argon2.html
 # M_COST should never be below 32768 in production
-ARGON2_M_COST=32768
+ARGON2_M_COST=131072
 # T_COST should never be below 1 in production
-ARGON2_T_COST=3
+ARGON2_T_COST=4
 # P_COST should never be below 2 in production
-ARGON2_P_COST=2
+ARGON2_P_COST=8
 
 # Limits the maximum amount of parallel password hashes at
 # the exact same time to never exceed system memory while
 # still allowing a good amount of memory for the argon2id
 # algorithm (default: 2)
 #
 # CAUTION: You must make sure, that you have at least
-# (MAX_HASH_THREADS * ARGON2_M_COST / 1024) + ~30 MB of memory
-# available.
+# (MAX_HASH_THREADS * ARGON2_M_COST / 1024) + idle memory
+# of your deployment available
 MAX_HASH_THREADS=1
 
 # The time in ms when to log a warning, if a request waited