Firstyear
Actually, we can't populate this list - that's a privacy leak because we'd have to pre-load every oauth2 redirect target into the form-action directive. That would expose every oauth2 linked...
Kind of. After a login succeeds we redirect to the oauth2 resume handler, then the oauth2 resume handler will redirect to the oauth2 client redirect url. So my assumption here...
One of the suggested hacks is https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Elements/meta/http-equiv btw.
If we want to constrain it, we drop form-action from csp just in the login pages, because the whole reasoning is "prevent open redirector attacks", and we aren't in a...
Seems like a reasonable change to me :)
@0xC0ncord I think this should be do-able: https://github.com/kanidm/kanidm/blob/master/unix_integration/resolver/src/bin/kanidm_unixd_tasks.rs#L228 The only challenge here will be https://github.com/kanidm/kanidm/blob/master/unix_integration/resolver/src/bin/kanidm_unixd_tasks.rs#L137 because we have a separate "home mount path" compared to the "home prefix". eg homes...
> I think your solution works but I am not sure I understand why the bind mounts are needed. This way we don't have to worry about "how many levels...
Did you want to work on this? Or did you want me to do it in the future?
We tried 1. - fido refused to work with us as we are not a paying member. Simple as that, we don't matter in their eyes. Option 2. has its...
Attestation is only useful in tightly controlled enterprise security environments, for most applications with general users it's not worth it. Most authenticators that consumers use are not - and can...