BED-4768 feat: add login handler for OIDC

cmd/api/src/api/auth.go

@@ -28,6 +28,7 @@ import (
  "io"
  "net/http"
  "strconv"
+ "strings"
  "time"
 
  "github.com/gofrs/uuid"
@@ -299,6 +300,35 @@ func (s authenticator) ValidateRequestSignature(tokenID uuid.UUID, request *http
  }
 }
 
+func SetSecureBrowserCookie(request *http.Request, response http.ResponseWriter, name, value string, expires time.Time) {
+ var (
+ hostURL = *ctx.FromRequest(request).Host
+ sameSiteValue = http.SameSiteDefaultMode
+ domainValue string
+ )
+
+ if hostURL.Scheme == "https" {
+ sameSiteValue = http.SameSiteStrictMode
+ }
+
+ // NOTE: Set-Cookie should generally have the Domain field blank to ensure the cookie is only included with requests against the host, excluding subdomains; however,
+ // most browsers will ignore Set-Cookie headers from localhost responses if the Domain field is not set explicitly.
+ if strings.Contains(hostURL.Hostname(), "localhost") {
+ domainValue = hostURL.Hostname()
+ }
+
+ // Set the token cookie
+ http.SetCookie(response, &http.Cookie{
+ Name: name,
+ Value: value,
+ Expires: expires,
+ Secure: hostURL.Scheme == "https",
+ SameSite: sameSiteValue,
+ Path: "/",
+ Domain: domainValue,
+ })
+}
+
 func (s authenticator) CreateSession(ctx context.Context, user model.User, authProvider any) (string, error) {
  if user.IsDisabled {
  return "", ErrUserDisabled

cmd/api/src/api/constant.go

@@ -22,6 +22,8 @@ const (
 
  // Cookie Keys
  AuthTokenCookieName = "token"
+ AuthStateCookieName = "state"
+ AuthPKCECookieName = "pkce"
 
  // UserInterfacePath is the static path to the UI landing page
  UserInterfacePath = "/ui"
@@ -59,4 +61,5 @@ const (
  URIPathVariableTokenID = "token_id"
  URIPathVariableUserID = "user_id"
  URIPathVariableSavedQueryID = "saved_query_id"
+ URIPathVariableSSOProviderSlug = "sso_provider_slug"
 )

cmd/api/src/api/registration/v2.go

@@ -64,6 +64,7 @@ func registerV2Auth(cfg config.Configuration, db database.Database, permissions
  // SSO
  routerInst.POST("/api/v2/sso-providers/oidc", managementResource.CreateOIDCProvider).CheckFeatureFlag(db, appcfg.FeatureOIDCSupport).RequirePermissions(permissions.AuthManageProviders),
  routerInst.GET("/api/v2/sso-providers", managementResource.ListAuthProviders).CheckFeatureFlag(db, appcfg.FeatureOIDCSupport),
+ routerInst.GET(fmt.Sprintf("/api/v2/sso/{%s}/login", api.URIPathVariableSSOProviderSlug), managementResource.SSOLoginHandler).CheckFeatureFlag(db, appcfg.FeatureOIDCSupport),
 
  // Permissions
  routerInst.GET("/api/v2/permissions", managementResource.ListPermissions).RequirePermissions(permissions.AuthManageSelf),

cmd/api/src/api/v2/auth/oidc.go

@@ -17,11 +17,19 @@
 package auth
 
 import (
+ "fmt"
  "net/http"
+ "time"
 
- "github.com/specterops/bloodhound/src/utils/validation"
-
+ "github.com/coreos/go-oidc/v3/oidc"
+ "github.com/specterops/bloodhound/headers"
+ "github.com/specterops/bloodhound/log"
  "github.com/specterops/bloodhound/src/api"
+ "github.com/specterops/bloodhound/src/config"
+ "github.com/specterops/bloodhound/src/ctx"
+ "github.com/specterops/bloodhound/src/model"
+ "github.com/specterops/bloodhound/src/utils/validation"
+ "golang.org/x/oauth2"
 )
 
 // CreateOIDCProviderRequest represents the body of the CreateOIDCProvider endpoint
@@ -49,3 +57,42 @@ func (s ManagementResource) CreateOIDCProvider(response http.ResponseWriter, req
  }
  }
 }
+
+func getRedirectURL(request *http.Request, provider model.SSOProvider) string {
+ hostUrl := *ctx.FromRequest(request).Host
+ return fmt.Sprintf("%s/api/v2/sso/%s/callback", hostUrl.String(), provider.Slug)
+}
+
+func (s ManagementResource) OIDCLoginHandler(response http.ResponseWriter, request *http.Request, ssoProvider model.SSOProvider, oidcProvider model.OIDCProvider) {
+ if state, err := config.GenerateRandomBase64String(77); err != nil {
+ api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusInternalServerError, api.ErrorResponseDetailsInternalServerError, request), response)
+ } else if provider, err := oidc.NewProvider(request.Context(), oidcProvider.Issuer); err != nil {
+ api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusInternalServerError, err.Error(), request), response)
+ } else {
+ log.Debugf("provider generated endpoints %+v", provider.Endpoint())
+
+ conf := &oauth2.Config{
+ ClientID: oidcProvider.ClientID,
+ Endpoint: provider.Endpoint(),
+ RedirectURL: getRedirectURL(request, ssoProvider),
+ }
+
+ // use PKCE to protect against CSRF attacks
+ // https://www.ietf.org/archive/id/draft-ietf-oauth-security-topics-22.html#name-countermeasures-6
+ verifier := oauth2.GenerateVerifier()
+ log.Debugf("LOGIN HANDLER - pkce verifier %s\n", verifier)
+
+ // Store PKCE on web browser in secure cookie for retrieval in callback
+ api.SetSecureBrowserCookie(request, response, api.AuthPKCECookieName, verifier, time.Now().UTC().Add(time.Hour))
+
+ // Store State on web browser in secure cookie for retrieval in callback
+ api.SetSecureBrowserCookie(request, response, api.AuthStateCookieName, state, time.Now().UTC().Add(time.Hour))
+
+ // Redirect user to consent page to ask for permission for the scopes specified above.
+ redirectURL := conf.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.S256ChallengeOption(verifier))
+ log.Debugf("Visit the URL for the auth dialog: %v", redirectURL)
+
+ response.Header().Add(headers.Location.String(), redirectURL)
+ response.WriteHeader(http.StatusFound)
+ }
+}

cmd/api/src/api/v2/auth/sso.go

@@ -20,6 +20,8 @@ import (
  "net/http"
  "strings"
 
+ "github.com/gorilla/mux"
+ "github.com/specterops/bloodhound/log"
  "github.com/specterops/bloodhound/src/api"
  "github.com/specterops/bloodhound/src/model"
  "gorm.io/gorm/utils"
@@ -122,3 +124,26 @@ func (s ManagementResource) ListAuthProviders(response http.ResponseWriter, requ
  }
  }
 }
+
+func (s ManagementResource) SSOLoginHandler(response http.ResponseWriter, request *http.Request) {
+ ssoProviderSlug := mux.Vars(request)[api.URIPathVariableSSOProviderSlug]
+ log.Debugf("HERE I AM IN LOGIN - provider %s", ssoProviderSlug)
+
+ if ssoProvider, err := s.db.GetSSOProviderBySlug(request.Context(), ssoProviderSlug); err != nil {
+ api.HandleDatabaseError(request, response, err)
+ } else {
+ switch ssoProvider.Type {
+ case model.SessionAuthProviderSAML:
+ //todo handle saml login
+ return
+ case model.SessionAuthProviderOIDC:
+ if oidcProvider, err := s.db.GetOIDCProviderBySSOProviderID(request.Context(), ssoProvider.ID); err != nil {
+ api.HandleDatabaseError(request, response, err)
+ } else {
+ s.OIDCLoginHandler(response, request, ssoProvider, oidcProvider)
+ }
+ default:
+ return
+ }
+ }
+}

cmd/api/src/database/oidc_providers.go

@@ -30,6 +30,7 @@ const (
 // OIDCProviderData defines the interface required to interact with the oidc_providers table
 type OIDCProviderData interface {
  CreateOIDCProvider(ctx context.Context, name, issuer, clientID string) (model.OIDCProvider, error)
+ GetOIDCProviderBySSOProviderID(ctx context.Context, ssoProviderID int32) (model.OIDCProvider, error)
 }
 
 // CreateOIDCProvider creates a new entry for an OIDC provider as well as the associated SSO provider
@@ -61,3 +62,9 @@ func (s *BloodhoundDB) CreateOIDCProvider(ctx context.Context, name, issuer, cli
 
  return oidcProvider, err
 }
+
+func (s *BloodhoundDB) GetOIDCProviderBySSOProviderID(ctx context.Context, ssoProviderID int32) (model.OIDCProvider, error) {
+ var oidcProvider model.OIDCProvider
+ result := s.db.WithContext(ctx).Table(oidcProvidersTableName).Where("sso_provider_id = ?", ssoProviderID).First(&oidcProvider)
+ return oidcProvider, CheckError(result)
+}

cmd/api/src/database/sso_providers.go

@@ -18,6 +18,7 @@ package database
 
 import (
  "context"
+ "fmt"
  "strings"
 
  "github.com/specterops/bloodhound/src/model"
@@ -31,6 +32,7 @@ const (
 type SSOProviderData interface {
  CreateSSOProvider(ctx context.Context, name string, authProvider model.SessionAuthProvider) (model.SSOProvider, error)
  GetAllSSOProviders(ctx context.Context, order string, sqlFilter model.SQLFilter) ([]model.SSOProvider, error)
+ GetSSOProviderBySlug(ctx context.Context, slug string) (model.SSOProvider, error)
 }
 
 // CreateSSOProvider creates an entry in the sso_providers table
@@ -69,3 +71,12 @@ func (s *BloodhoundDB) GetAllSSOProviders(ctx context.Context, order string, sql
  result := query.Find(&providers)
  return providers, CheckError(result)
 }
+
+func (s *BloodhoundDB) GetSSOProviderBySlug(ctx context.Context, slug string) (model.SSOProvider, error) {
+ var provider model.SSOProvider
+ if tx := s.db.WithContext(ctx).Raw(fmt.Sprintf("SELECT id, type, name, slug, created_at, updated_at FROM %s WHERE slug = ?;", ssoProviderTableName), slug).Scan(&provider); tx.RowsAffected == 0 {
+ return provider, ErrNotFound
+ }
+
+ return provider, nil
+}

cmd/api/src/go.mod

@@ -22,6 +22,7 @@ require (
  github.com/beevik/etree v1.2.0
  github.com/bloodhoundad/azurehound/v2 v2.0.1
  github.com/channelmeter/iso8601duration v0.0.0-20150204201828-8da3af7a2a61
+ github.com/coreos/go-oidc/v3 v3.11.0
  github.com/crewjam/saml v0.4.14
  github.com/didip/tollbooth/v6 v6.1.2
  github.com/go-chi/chi/v5 v5.0.8
@@ -45,7 +46,8 @@ require (
  github.com/unrolled/secure v1.13.0
  github.com/zenazn/goji v1.0.1
  go.uber.org/mock v0.2.0
- golang.org/x/crypto v0.24.0
+ golang.org/x/crypto v0.25.0
+ golang.org/x/oauth2 v0.23.0
  gorm.io/driver/postgres v1.3.8
  gorm.io/gorm v1.23.8
 )
@@ -58,6 +60,7 @@ require (
  github.com/crewjam/httperr v0.2.0 // indirect
  github.com/davecgh/go-spew v1.1.1 // indirect
  github.com/felixge/httpsnoop v1.0.3 // indirect
+ github.com/go-jose/go-jose/v4 v4.0.2 // indirect
  github.com/go-pkgz/expirable-cache v1.0.0 // indirect
  github.com/golang/protobuf v1.5.3 // indirect
  github.com/google/go-cmp v0.6.0 // indirect
@@ -80,7 +83,7 @@ require (
  github.com/prometheus/common v0.44.0 // indirect
  github.com/prometheus/procfs v0.11.0 // indirect
  github.com/rivo/uniseg v0.4.4 // indirect
- golang.org/x/sys v0.21.0 // indirect
+ golang.org/x/sys v0.22.0 // indirect
  golang.org/x/text v0.17.0 // indirect
  golang.org/x/time v0.3.0 // indirect
  google.golang.org/protobuf v1.34.1 // indirect

cmd/api/src/go.sum

@@ -18,6 +18,8 @@ github.com/channelmeter/iso8601duration v0.0.0-20150204201828-8da3af7a2a61 h1:o6
 github.com/channelmeter/iso8601duration v0.0.0-20150204201828-8da3af7a2a61/go.mod h1:Rp8e0DCtEKwXFOC6JPJQVTz8tuGoGvw6Xfexggh/ed0=
 github.com/cockroachdb/apd v1.1.0 h1:3LFP3629v+1aKXU5Q37mxmRxX/pIu1nijXydLShEq5I=
 github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ=
+github.com/coreos/go-oidc/v3 v3.11.0 h1:Ia3MxdwpSw702YW0xgfmP1GVCMA9aEFWu12XUZ3/OtI=
+github.com/coreos/go-oidc/v3 v3.11.0/go.mod h1:gE3LgjOgFoHi9a4ce4/tJczr0Ai2/BoDhf0r5lltWI0=
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
@@ -36,6 +38,8 @@ github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBd
 github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/go-chi/chi/v5 v5.0.8 h1:lD+NLqFcAi1ovnVZpsnObHGW4xb4J8lNmoYVfECH1Y0=
 github.com/go-chi/chi/v5 v5.0.8/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
+github.com/go-jose/go-jose/v4 v4.0.2 h1:R3l3kkBds16bO7ZFAEEcofK0MkrAJt3jlJznWZG0nvk=
+github.com/go-jose/go-jose/v4 v4.0.2/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY=
 github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
 github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
 github.com/go-pkgz/expirable-cache v0.0.3/go.mod h1:+IauqN00R2FqNRLCLA+X5YljQJrwB179PfiAoMPlTlQ=
@@ -211,6 +215,7 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.4/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/teambition/rrule-go v1.8.2 h1:lIjpjvWTj9fFUZCmuoVDrKVOtdiyzbzc93qTmRVe/J8=
 github.com/unrolled/secure v1.13.0 h1:sdr3Phw2+f8Px8HE5sd1EHdj1aV3yUwed/uZXChLFsk=
 github.com/unrolled/secure v1.13.0/go.mod h1:BmF5hyM6tXczk3MpQkFf1hpKSRqCyhqcbiQtiAF7+40=
@@ -241,8 +246,8 @@ golang.org/x/crypto v0.0.0-20201203163018-be400aefbc4c/go.mod h1:jdWPYTVW3xRLrWP
 golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI=
-golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
+golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
+golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
 golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
@@ -253,6 +258,8 @@ golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
+golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs=
+golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -272,8 +279,8 @@ golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
-golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
+golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -283,6 +290,7 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc=
+golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
 golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
 golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=

docker-compose.dev.yml

@@ -204,6 +204,7 @@ services:
  restart: unless-stopped
  command: server
  environment:
+ AUTHENTIK_LISTEN__HTTP: 0.0.0.0:80
  AUTHENTIK_REDIS__HOST: authentik-valkey
  AUTHENTIK_POSTGRESQL__HOST: authentik-db
  AUTHENTIK_POSTGRESQL__USER: ${ATK_BH_PG_USER:-authentik}
@@ -214,9 +215,9 @@ services:
  - traefik.enable=true
  - traefik.http.routers.authentik.rule=Host(`${BH_AUTHENTIK_HOSTNAME:-authentik.localhost}`)
  - traefik.http.routers.authentik.service=authentik
- - traefik.http.services.authentik.loadbalancer.server.port=9000
+ - traefik.http.services.authentik.loadbalancer.server.port=80
  ports:
- - "${COMPOSE_PORT_HTTP:-9000}:9000"
+ - "${COMPOSE_PORT_HTTP:-9000}:80"
  - "${COMPOSE_PORT_HTTPS:-9443}:9443"
  depends_on:
  - authentik-db

packages/go/crypto/go.mod

@@ -21,7 +21,7 @@ go 1.23
 require (
  github.com/shirou/gopsutil/v3 v3.23.5
  go.uber.org/mock v0.2.0
- golang.org/x/crypto v0.24.0
+ golang.org/x/crypto v0.25.0
 )
 
 require (
@@ -33,5 +33,5 @@ require (
  github.com/tklauser/go-sysconf v0.3.11 // indirect
  github.com/tklauser/numcpus v0.6.1 // indirect
  github.com/yusufpapurcu/wmi v1.2.3 // indirect
- golang.org/x/sys v0.21.0 // indirect
+ golang.org/x/sys v0.22.0 // indirect
 )