Commit graph

1109 commits

Author SHA1 Message Date
Jeff Schroeder
58d80547ef [storage.md] Fix the ThirdPartyResource syntax
This makes manually creating the `o-auth2-client.oidc.coreos.com` actually work.
2017-02-24 15:35:29 -06:00
Eric Chiang
cd93930934 Merge pull request #817 from ericchiang/fix-hash-bug
storage/kubernetes: fix hash initialization bug
2017-02-24 12:58:22 -08:00
Eric Chiang
1da2ae279c storage/kubernetes: fix hash initialization bug 2017-02-24 12:55:04 -08:00
Eric Chiang
25b902b0c2 Merge pull request #815 from ericchiang/fix-k8s-storage
storage/kubernetes: fix kubernetes storage conformance test failures
2017-02-23 19:31:45 -08:00
Eric Chiang
4be029c6c1 storage/kubernetes: fix kubernetes storage conformance test failures 2017-02-23 19:23:19 -08:00
Eric Chiang
58eb25aa60 Merge pull request #813 from SEJeff/patch-1
[Makefile] Allow specifying VERSION as an env var
2017-02-23 10:44:25 -08:00
Jeff Schroeder
4630f69f17 [Makefile] Allow specifying VERSION as an env var
This makes specifying the VERSION when building native operating system packages require less hacks.

Refs: #811
2017-02-23 12:23:33 -06:00
Eric Chiang
af0d9cebd1 Merge pull request #810 from caarlos0/patch-1
simplified clone: using go get
2017-02-22 08:38:13 -08:00
Carlos Alexandro Becker
f57e19e6ab simplified clone: using go get 2017-02-22 09:33:01 -03:00
rithu leena john
c76832eaea Merge pull request #809 from rithujohn191/set-error-flag
storage: Surface "already exists" errors.
2017-02-21 16:09:48 -08:00
rithu john
3df1db1864 storage: Surface "already exists" errors. 2017-02-21 15:00:22 -08:00
rithu leena john
90c80e700a Merge pull request #807 from rithujohn191/fix-typo
web/static/main.css: fix typo.
2017-02-21 13:30:07 -08:00
rithu john
0ee40865a2 web/static/main.css: fix typo. 2017-02-20 08:48:36 -08:00
rithu leena john
7e9dc836eb Merge pull request #802 from rithujohn191/token-revocation
api: adding a gRPC call for revoking refresh tokens.
2017-02-15 08:43:58 -08:00
rithu john
1ec19d4fbf api: adding a gRPC call for revoking refresh tokens. 2017-02-15 07:48:20 -08:00
rithu leena john
b119ffddcb Merge pull request #801 from rithujohn191/token-revocation
api: adding a gRPC call for listing refresh tokens.
2017-02-13 18:36:56 -08:00
rithu john
d201e49248 api: adding a gRPC call for listing refresh tokens. 2017-02-13 16:12:16 -08:00
rithu leena john
53e383670a Merge pull request #793 from rithujohn191/token-revocation
storage: Add OfflineSession object to backend storage.
2017-02-09 19:46:00 -08:00
rithu john
d928ac0677 storage: Add OfflineSession object to backend storage. 2017-02-09 19:01:28 -08:00
rithu leena john
49f446c1a7 Merge pull request #800 from ericchiang/server-test-comments
server: clean up test comments and code flow
2017-02-07 10:37:32 -08:00
Eric Chiang
80038847de server: clean up test comments and code flow 2017-02-07 10:31:51 -08:00
Eric Chiang
dd415f5e2f Merge pull request #799 from ericchiang/thirdpartyresources
Documentation: warn admins not to edit dex ThirdPartyResources manually
2017-02-06 15:04:40 -08:00
rithu leena john
167d7be281 Merge pull request #790 from givia/github-teams-pagination
Fixes #706
2017-02-06 11:13:03 -08:00
Eric Chiang
adf3703962 Documentation: warn admins not to edit dex ThirdPartyResources manually 2017-02-06 10:35:27 -08:00
Eric Chiang
7f860e09b5 Merge pull request #796 from ericchiang/html-template
{web,server}: use html/template and reduce use of auth request ID
2017-02-02 17:33:06 -08:00
Eric Chiang
72a431dd4b {web,server}: use html/template and reduce use of auth request ID
Switch from using "text/template" to "html/template", which provides
basic XSS preventions. We haven't identified any particular place
where unsanitized user data is rendered to the frontend. This is
just a preventative step.

At the same time, make more templates take pure URL instead of
forming an URL themselves using an "authReqID" argument. This will
help us stop using the auth req ID in certain places, preventing
garbage collection from killing login flows that wait too long at
the login screen.

Also increase the login session window (time between initial
redirect and the user logging in) from 30 minutes to 24 hours,
and display a more helpful error message when the session expires.

How to test:

1. Spin up dex and example with examples/config-dev.yaml.
2. Login through both the password prompt and the direct redirect.
3. Edit examples/config-dev.yaml removing the "connectors" section.
4. Ensure you can still login with a password.

(email/password is "admin@example.com" and "password")
2017-02-02 11:11:00 -08:00
rithu leena john
12f969364e Merge pull request #794 from rithujohn191/saml-doc
Documentation: Minor changes to SAML connector doc.
2017-02-02 09:49:00 -08:00
rithu john
fecd596ae2 Documentation: Minor changes to SAML connector doc. 2017-02-01 11:28:46 -08:00
rithu leena john
42d0728048 Merge pull request #785 from holgerkoser/master
Improve SAML Signature and Response Validation
2017-02-01 11:14:13 -08:00
rithu leena john
27224cdc98 Merge pull request #788 from givia/gitlab-connector
connector: add GitLab connecor
2017-02-01 09:39:37 -08:00
Ali Javadi
e623ad4d35 connector: add GitLab connector 2017-01-28 01:36:02 +03:30
Eric Chiang
0dcf1bcf79 Merge pull request #792 from ericchiang/auth-endpoint-post
server: support POSTing to authorization endpoint
2017-01-27 13:36:02 -08:00
Eric Chiang
8541184afb server: support POSTing to authorization endpoint
Fixes #791
2017-01-27 11:42:46 -08:00
rithu leena john
36883d0bbf Merge pull request #789 from rithujohn191/token-revocation-proposal
Documentation/proposals: Add a proposal for refresh token revocation.
2017-01-27 09:39:13 -08:00
rithu john
d114b8ffc7 Documentation/proposals: Add a proposal for refresh token revocation. 2017-01-27 09:37:01 -08:00
Ali Javadi
98bfa4fbb1 Fixes #706 2017-01-27 05:12:58 +03:30
Holger Koser
27a1e9f1bd vendor: revendor 2017-01-26 19:06:54 +01:00
Holger Koser
e46f2ebe40 Improve SAML Signature and Response Validation
* Improve Order of Namespace Declarations and Attributes in Canonical XML. This is related to an issue in goxmldsig for which I created an [pull request](https://github.com/russellhaering/goxmldsig/pull/17).
* Do not compress the AuthnRequest if `HTTP-POST` binding is used.
* SAML Response is valid if the Message and/or the Assertion is signed.
* Add `AssertionConsumerServiceURL` to `AuthnRequest`
* Validate Status on the Response
* Validate Conditions on the Assertion
* Validation SubjectConfirmation on the Subject
2017-01-26 19:05:40 +01:00
rithu leena john
48fcf66a35 Merge pull request #783 from rithujohn191/config-validation
cmd/dex: make connector name field mandatory in dex configuration.
2017-01-23 17:03:50 -08:00
rithu john
31e8009441 cmd/dex: make connector name field mandatory in dex configuration. 2017-01-23 15:14:41 -08:00
Eric Chiang
613d160ad9 Merge pull request #782 from marians/patch-1
Docs: Added a name to the LDAP connector
2017-01-23 09:07:24 -08:00
Eric Chiang
d3f4ae2ab7 Merge pull request #781 from ajohnstone/patch-1
Update kubernetes.md - correct typo
2017-01-23 08:52:37 -08:00
Marian Steinbach
38a2e41e0a Added a name to the connector
Without a name, the example app's login form will only show `Log in with` as a button label.
2017-01-23 10:46:29 +01:00
Andrew Johnstone
b10c0a1c87 Update kubernetes.md 2017-01-23 06:28:21 +00:00
rithu leena john
a3ef8d26bc Merge pull request #777 from rithujohn191/update-release-doc
Documentation: add docs on patch release process.
2017-01-17 14:50:37 -08:00
rithu john
265cfacd17 Documentation: add docs on patch release process. 2017-01-17 11:49:09 -08:00
rithu leena john
fe93f60af4 Merge pull request #775 from xeonx/master
Allow CORS on keys and token endpoints
2017-01-17 10:48:06 -08:00
Simon HEGE
415a68f977 Allow CORS on keys and token endpoints 2017-01-14 21:15:51 +01:00
Eric Chiang
ca7d2b8f9e Merge pull request #772 from ericchiang/at_hash-support
server: add at_hash claim support
2017-01-13 10:15:21 -08:00
Eric Chiang
1eda382789 server: add at_hash claim support
The "at_hash" claim, which provides hash verification for the
"access_token," is a required claim for implicit and hybrid flow
requests. Previously we did not include it (against spec). This
PR implements the "at_hash" logic and adds the claim to all
responses.

As a cleanup, it also moves some JOSE signing logic out of the
storage package and into the server package.

For details see:

https://openid.net/specs/openid-connect-core-1_0.html#ImplicitIDToken
2017-01-13 10:05:24 -08:00