stages/user_login: session binding (#7881)

* start with user_login stage Signed-off-by: Jens Langhammer <jens@goauthentik.io> # Conflicts: # authentik/root/settings.py * fix and improve logout event Signed-off-by: Jens Langhammer <jens@goauthentik.io> * lint pass Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update authenticated session when IP changes and binding doesn't break Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update docs, always keep old and new IP in event Signed-off-by: Jens Langhammer <jens@goauthentik.io> * re-gen api schema Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-12-23 01:20:23 +01:00
parent 9a261c52d1
commit 02869d8173
16 changed files with 595 additions and 25 deletions
--- a/website/docs/flow/stages/user_login/index.md
+++ b/website/docs/flow/stages/user_login/index.md
@ -32,6 +32,51 @@ When this is set to a higher value than the default _seconds=0_, a prompt is sho

 ![](./stay_signed_in.png)

+## Network binding/GeoIP binding
+
+When configured, all sessions authenticated by this stage will be bound to the selected network/GeoIP criteria.
+
+Sessions which break this binding will be terminated on use. The created [`logout`](../../../events/index.md#logout) event will contain additional data related to what caused the binding to be broken:
+
+```json
+
+Context
+{
+    "asn": {
+        "asn": 6805,
+        "as_org": "Telefonica Germany",
+        "network": "5.4.0.0/14"
+    },
+    "geo": {
+        "lat": 51.2993,
+        "city": "",
+        "long": 9.491,
+        "country": "DE",
+        "continent": "EU"
+    },
+    "binding": {
+        "reason": "network.missing",
+        "new_value": {
+            "asn": 6805,
+            "as_org": "Telefonica Germany",
+            "network": "5.4.0.0/14"
+        },
+        "previous_value": {}
+    },
+    "ip": {
+        "previous": "1.2.3.4",
+        "new": "5.6.7.8",
+    },
+    "http_request": {
+        "args": {},
+        "path": "/if/admin/",
+        "method": "GET",
+        "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
+    },
+    "logout_reason": "Session binding broken"
+}
+```
+
 ## Terminate other sessions

 When enabled, previous sessions of the user logging in will be revoked. This has no affect on OAuth refresh tokens.