Commit graph

103 commits

Author SHA1 Message Date
justin-slowik
1ea2892b79 fix merge error in config.go
Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-07-08 16:31:44 -04:00
Justin Slowik
9bbdc721d5 Device flow token code exchange (#2)
* Added /device/token handler with associated business logic and storage tests.

Perform user code exchange, flag the device code as complete.

Moved device handler code into its own file for cleanliness.  Cleanup

* Removed PKCE code

* Rate limiting for /device/token endpoint based on ietf standards

* Configurable Device expiry

Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-07-08 16:25:05 -04:00
krishnadurai
6698f1f80a Corrects imports after merge
Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-07-08 16:24:25 -04:00
krishnadurai
776aa9dd53 Option to add staticPasswords from environment variables
Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-07-08 16:24:25 -04:00
Mark Sagi-Kazar
e84682d7b9
Add v2 api module 2020-07-01 14:20:57 +02:00
Tomasz Kleczek
c830d49884 allow no secret for static public clients
For statically-configured public clients it should be allowed for both
Secret and SecretEnv fields to be empty.
2020-05-05 17:09:09 +02:00
Yann Soubeyrand
99c3ec6820 Add ability to set ID and Secret from environment variables for static clients
Having ID and Secret in clear inside configuration files for static
clients is not ideal. This commit allows setting these from environment
variables.

Signed-off-by: Yann Soubeyrand <yann.soubeyrand@gmx.fr>
2020-03-03 08:27:13 +01:00
Nándor István Krácser
1160649c31
Merge pull request #1621 from concourse/pr/passowrd-grant-synced
Rework - add support for Resource Owner Password Credentials Grant
2020-02-20 08:27:50 +01:00
Zach Brown
13be146d2a Add support for password grant #926 2020-01-10 13:18:09 -05:00
krishnadurai
321790870f Fixes lint 2020-01-07 16:34:32 -08:00
krishnadurai
2d5619e4e8 Corrects imports after merge 2020-01-07 11:48:35 -08:00
Krishna Durai
9560899496
Merge branch 'master' into feature/static_password_env 2020-01-06 23:21:20 -08:00
Mark Sagi-Kazar
f141f2133b
Fix whitespace 2019-12-18 15:56:12 +01:00
Mark Sagi-Kazar
9bd5ae5197
Fix goimports 2019-12-18 15:53:34 +01:00
Mark Sagi-Kazar
142c96c210
Fix stylecheck 2019-12-18 15:50:36 +01:00
krishnadurai
1fd5dd7b0e Change env var prefix to DEX and add to ci.yaml 2019-12-13 17:03:56 -08:00
krishnadurai
af9c2880a6 Corrects validation logic for static password check 2019-12-13 16:52:10 -08:00
krishnadurai
91cbd466a5 Option to add staticPasswords from environment variables 2019-12-13 16:33:21 -08:00
Steven Danna
46f48b33a1
Use a more conservative set of CipherSuites
The default cipher suites used by Go include a number of ciphers that
have known weaknesses. In addition to leaving users open to these
weaknesses, the inclusion of these weaker ciphers causes problems with
various automated scanning tools.

This PR disables the CBC-mode, RC4, and 3DES ciphers included in the
Go standard library by passing an explicit cipher suite list.

The ciphers included here are more line with those recommended by
Mozilla for "Intermediate" compatibility. [0]

*Performance Implications*

The Go standard library does capability-based cipher ordering,
preferring AES ciphers if the underlying hardware has AES specific
instructions. [1] Since all of the relevant code is internal modules,
to do the same thing ourselves would require duplicating that
code. Here, I've placed AES based ciphers first.

*Compatibility Implications*

This does reduce the number of clients who will be able to communicate
with dex.

[0] https://ssl-config.mozilla.org/#server=nginx&server-version=1.17.0&config=intermediate&hsts=false&ocsp=false
[1] a8c2e5c6ad/src/crypto/tls/common.go (L1091)

Signed-off-by: Steven Danna <steve@chef.io>
2019-08-31 17:34:55 +01:00
Stephan Renatus
d9f6ab4a68
Merge pull request #1512 from venezia/add_reflection
Add reflection to gRPC API (configurable)
2019-08-07 13:56:33 +02:00
Michael Venezia
b65966d744
cmd/dex: adding reflection to grpc api, enabled through configuration 2019-08-07 07:37:39 -04:00
Stephan Renatus
e1afe771cb
Merge pull request #1505 from MarcDufresne/show-login-page
Add option to always display connector selection even if there's only one
2019-08-07 09:23:42 +02:00
Marc-André Dufresne
0dbb642f2c
Add option to always display connector selection even if there's only one 2019-08-06 13:18:46 -04:00
Marc-André Dufresne
d458e882aa
Allow arbitrary data to be passed to templates 2019-08-06 13:14:53 -04:00
Stephan Renatus
ea7fd6d470
cmd/dex: adapt to prometheus API change
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-07-31 08:09:58 +02:00
Stephan Renatus
128d5da89e
Merge pull request #1500 from dexidp/sr/fix-some-lint-issues
*: fix some lint issues
2019-07-30 11:41:27 +02:00
Stephan Renatus
d9487e553b
*: fix some lint issues
Mostly gathered these using golangci-lint's deadcode and ineffassign
linters.

Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-07-30 11:29:08 +02:00
Joel Speed
e2ddefff31
Merge pull request #1439 from sks/feature/fail_on_invalid_config
Return config validation errors in one go
2019-07-30 11:00:17 +02:00
Stephan Renatus
d7c7d42466
cmd/example-app: check all errors, pass claims as string to renderToken
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-07-24 12:26:51 +02:00
Stephan Renatus
c4e0587df1
cmd/example-app: expose connector_id
As a piece of "living documentation" for #1481.

Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-07-24 12:17:14 +02:00
Sabith K Soopy
6769a3b18e Errors should not start with caps
- https://github.com/dexidp/dex/pull/1264#discussion_r253264017

Signed-off-by: Sabith <sabithksme@gmail.com>
2019-07-23 08:17:06 -07:00
Sabith K Soopy
6ccb96ff74 Add some test to validate the configuration 2019-07-23 08:16:16 -07:00
Nandor Kracser
a572ad8fec storage/sql: rework of the original MySQL PR 2019-07-23 14:27:10 +02:00
Pavel Borzenkov
e53bdfabb9 storage/sql: initial MySQL storage implementation
It will be shared by both Postgres and MySQL configs.

Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
2019-07-23 14:26:21 +02:00
Yann Soubeyrand
c5f2871ab5 cmd/dex/serve.go: log static client name instead of ID
Signed-off-by: Yann Soubeyrand <yann.soubeyrand@gmx.fr>
2019-04-18 13:56:11 +02:00
Mark Sagi-Kazar
06521ffa49
Remove the logrus logger wrapper 2019-02-22 21:31:46 +01:00
Mark Sagi-Kazar
be581fa7ff
Add logger interface and stop relying on Logrus directly 2019-02-22 13:38:57 +01:00
Stephan Renatus
be171a2a53
Merge pull request #1395 from hainesc/master
Display access token in example app
2019-02-04 14:24:01 +01:00
Haines Chan
18b6b34b67 Display access token in example app 2019-02-01 15:39:35 +08:00
Steven Danna
59f8b02d47
Set minimum TLS protocol version to TLSv1.2, set PreferServerCipherSuites
Some environments are subject to strict rules about the permitted TLS
protocol verion and available ciphers. Setting TLSv1.2 as the minimum
version ensures we do not use weaker protocols. We've opted against
making this configurable given the age of TLSv1.2 and the increasing
push to deprecate TLSv1.1 and older.

The PreferServerCipherSuites setting is also commonly flagged by SSL
quality scanning tools. Since Go provides a relatively modern set of
default ciphers by default, defaulting this to true is unlikely to
make much practical difference.

Signed-off-by: Steven Danna <steve@chef.io>
2019-01-29 11:18:55 +00:00
Haines Chan
b78b8aeee0 Replace "GET", "POST" to http.MethodGet and http.MethodPost 2018-12-27 16:27:36 +08:00
Maximilian Gaß
74f84ce0be Change config test to non-default expiry settings 2018-12-13 14:47:51 +01:00
Maximilian Gaß
468c74d1d2 Make expiry of auth requests configurable 2018-12-13 11:50:34 +01:00
Stephan Renatus
73fdf4f75b
storage/sql/postgres: expose stdlib tunables, set them for tests
- adapted TestUnmarshalConfig to ensure the fields are read in
- added a test to see that at least MaxOpenConns works:
  - this is only exposed through (*db).Stats() in go 1.11, so this test
    has a build tag
  - the other two configurables can't be read back, so we've got to
    trust that the mechanism works given the one instance that's tested..

Signed-off-by: Stephan Renatus <srenatus@chef.io>
2018-11-30 09:55:01 +01:00
Stephan Renatus
b9f6594bf0 *: github.com/coreos/dex -> github.com/dexidp/dex
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2018-09-05 17:57:08 +02:00
Frederic Branczyk
5f03479d29
*: Add go runtime, process, HTTP and gRPC metrics 2017-12-21 21:24:09 +01:00
Daniel Dao
ca114f7812 storage: add etcd storage
This patch adds etcd storage implementation. This should be useful in
environments where
- we dont want to depends on a separate, hard to maintain SQL cluster
- we dont want to incur the overhead of talking to kubernetes apiservers
- kubernetes is not available yet, or if kubernetes depends on dex
to perform authentication and the operator would like to remove any
circular dependency if possible.
2017-10-31 14:43:13 +00:00
Devon Barrett
eb14a8245c
fixes typo: s/suppied/supplied/ 2017-10-08 11:29:27 +01:00
rithu john
fd4f57b5f3 storage/static.go: storage backend should not explicitly lower-case email ids. 2017-08-24 15:50:32 -07:00
Eric Stroczynski
4a88d0641a : update {S->s}irupsen/logrus 2017-07-25 13:46:44 -07:00