Commit graph

65 commits

Author SHA1 Message Date
Bernd Eckstein
b5519695a6
PKCE implementation (#1784)
* Basic implementation of PKCE

Signed-off-by: Tadeusz Magura-Witkowski <tadeuszmw@gmail.com>

* @mfmarche on 24 Feb: when code_verifier is set, don't check client_secret

In PKCE flow, no client_secret is used, so the check for a valid client_secret
would always fail.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* @deric on 16 Jun: return invalid_grant when wrong code_verifier

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Enforce PKCE flow on /token when PKCE flow was started on /auth
Also dissallow PKCE on /token, when PKCE flow was not started on /auth

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* fixed error messages when mixed PKCE/no PKCE flow.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* server_test.go: Added PKCE error cases on /token endpoint

* Added test for invalid_grant, when wrong code_verifier is sent
* Added test for mixed PKCE / no PKCE auth flows.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* cleanup: extracted method checkErrorResponse and type TestDefinition

* fixed connector being overwritten

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* /token endpoint: skip client_secret verification only for grand type authorization_code with PKCE extension

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Allow "Authorization" header in CORS handlers

* Adds "Authorization" to the default CORS headers{"Accept", "Accept-Language", "Content-Language", "Origin"}

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Add "code_challenge_methods_supported" to discovery endpoint

discovery endpoint /dex/.well-known/openid-configuration
now has the following entry:

"code_challenge_methods_supported": [
  "S256",
  "plain"
]

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Updated tests (mixed-up comments), added a PKCE test

* @asoorm added test that checks if downgrade to "plain" on /token endpoint

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* remove redefinition of providedCodeVerifier, fixed spelling (#6)

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>
Signed-off-by: Bernd Eckstein <HEllRZA@users.noreply.github.com>

* Rename struct CodeChallenge to PKCE

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* PKCE: Check clientSecret when available

In authorization_code flow with PKCE, allow empty client_secret on /auth and /token endpoints. But check the client_secret when it is given.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Enable PKCE with public: true

dex configuration public on staticClients now enables the following behavior in PKCE:
- Public: false, PKCE will always check client_secret. This means PKCE in it's natural form is disabled.
- Public: true, PKCE is enabled. It will only check client_secret if the client has sent one. But it allows the code flow if the client didn't sent one.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Redirect error on unsupported code_challenge_method

- Check for unsupported code_challenge_method after redirect uri is validated, and use newErr() to return the error.
- Add PKCE tests to oauth2_test.go

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Reverted go.mod and go.sum to the state of master

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Don't omit client secret check for PKCE

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Allow public clients (e.g. with PKCE) to have redirect URIs configured

Signed-off-by: Martin Heide <martin.heide@faro.com>

* Remove "Authorization" as Accepted Headers on CORS, small fixes

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Revert "Allow public clients (e.g. with PKCE) to have redirect URIs configured"

This reverts commit b6e297b78537dc44cd3e1374f0b4d34bf89404ac.

Signed-off-by: Martin Heide <martin.heide@faro.com>

* PKCE on client_secret client error message

* When connecting to the token endpoint with PKCE without client_secret, but the client is configured with a client_secret, generate a special error message.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Output info message when PKCE without client_secret used on confidential client

* removes the special error message

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* General missing/invalid client_secret message on token endpoint

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

Co-authored-by: Tadeusz Magura-Witkowski <tadeuszmw@gmail.com>
Co-authored-by: Martin Heide <martin.heide@faro.com>
Co-authored-by: M. Heide <66078329+heidemn-faro@users.noreply.github.com>
2020-10-26 11:33:40 +01:00
m.nabokikh
1d83e4749d Add gocritic
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-10-18 01:54:27 +04:00
m.nabokikh
4d63e9cd68 fix: Bump golangci-lint version and fix some linter's problems
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-10-18 01:02:29 +04:00
justin-slowik
1404477326 Updates based on dexidp pr
Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-07-08 16:25:06 -04:00
Justin Slowik
9c699b1028 Server integration test for Device Flow (#3)
Extracted test cases from OAuth2Code flow tests to reuse in device flow

deviceHandler unit tests to test specific device endpoints

Include client secret as an optional parameter for standards compliance

Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-07-08 16:25:05 -04:00
Justin Slowik
9bbdc721d5 Device flow token code exchange (#2)
* Added /device/token handler with associated business logic and storage tests.

Perform user code exchange, flag the device code as complete.

Moved device handler code into its own file for cleanliness.  Cleanup

* Removed PKCE code

* Rate limiting for /device/token endpoint based on ietf standards

* Configurable Device expiry

Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-07-08 16:25:05 -04:00
Justin Slowik
0d1a0e4129 Device token api endpoint (#1)
* Added /device/token handler with associated business logic and storage tests.

* Use crypto rand for user code

Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-07-08 16:25:05 -04:00
Justin Slowik
6d343e059b Generates/Stores the device request and returns the device and user codes.
Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-07-08 16:25:05 -04:00
Nandor Kracser
5b7a664e9d
add docker-compose for local testing 2020-06-30 13:46:05 +02:00
Nandor Kracser
c7e9960c7e
storage/mysql: increase auth_request.state length to 4096
Signed-off-by: Nandor Kracser <bonifaido@gmail.com>
2020-02-21 12:53:18 +01:00
Nandor Kracser
80749ffd3f
storage/sql: allow specifying sql flavor specific migrations
Signed-off-by: Nandor Kracser <bonifaido@gmail.com>
2020-02-21 12:53:18 +01:00
Aiden Andrews-McDermott
98f78db915 Updated config.go to remove the defaulting idle connection limit of 5 which is an issue for upstream https://github.com/go-sql-driver/mysql/issues/674 2019-12-27 18:08:17 +00:00
Mark Sagi-Kazar
f141f2133b
Fix whitespace 2019-12-18 15:56:12 +01:00
Mark Sagi-Kazar
367b187cf4
Fix missspell 2019-12-18 15:51:44 +01:00
Mark Sagi-Kazar
0773c6e9f3
Add github actions CI flow 2019-12-07 11:14:30 +01:00
Joel Speed
c782ac809c
Remove defaulting from connector_data column 2019-11-19 15:43:24 +00:00
Joel Speed
9ce4393156
Revert "Update SQL storage backend" 2019-11-19 15:43:15 +00:00
Joel Speed
fea048b3e8
Fix SQL updater func 2019-11-19 15:43:13 +00:00
Joel Speed
d38909831c
Fix migration in SQL connector
I didn't realise quite what the migration mechanism was. Have understood
it now.
2019-11-19 15:43:13 +00:00
Joel Speed
80995dff9b
Fix SQL storage 2019-11-19 15:43:10 +00:00
Joel Speed
7fc3f230df
Update SQL storage backend 2019-11-19 15:43:05 +00:00
Nándor István Krácser
d5d3abca6a
Merge pull request #1566 from dexidp/preferred_username
add preffered_username to idToken
2019-10-30 13:25:23 +01:00
Nandor Kracser
c1b421fa04 add preffered_username to idToken
Signed-off-by: Nandor Kracser <bonifaido@gmail.com>
2019-10-30 13:06:37 +01:00
Nandor Kracser
d2c33db8a8 storage/mysql: support pre-5.7.20 instances with tx_isolation only 2019-09-23 09:36:01 +02:00
Stephan Renatus
d9487e553b
*: fix some lint issues
Mostly gathered these using golangci-lint's deadcode and ineffassign
linters.

Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-07-30 11:29:08 +02:00
Nandor Kracser
a572ad8fec storage/sql: rework of the original MySQL PR 2019-07-23 14:27:10 +02:00
Pavel Borzenkov
e53bdfabb9 storage/sql: initial MySQL storage implementation
It will be shared by both Postgres and MySQL configs.

Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
2019-07-23 14:26:21 +02:00
Mark Sagi-Kazar
d877fca092
Fix coding style 2019-02-22 21:43:55 +01:00
Mark Sagi-Kazar
06521ffa49
Remove the logrus logger wrapper 2019-02-22 21:31:46 +01:00
Mark Sagi-Kazar
be581fa7ff
Add logger interface and stop relying on Logrus directly 2019-02-22 13:38:57 +01:00
Stephan Renatus
73fdf4f75b
storage/sql/postgres: expose stdlib tunables, set them for tests
- adapted TestUnmarshalConfig to ensure the fields are read in
- added a test to see that at least MaxOpenConns works:
  - this is only exposed through (*db).Stats() in go 1.11, so this test
    has a build tag
  - the other two configurables can't be read back, so we've got to
    trust that the mechanism works given the one instance that's tested..

Signed-off-by: Stephan Renatus <srenatus@chef.io>
2018-11-30 09:55:01 +01:00
Stephan Renatus
8f3cca7ba4
Revert "retry on serialization errors" 2018-11-29 08:24:13 +01:00
Stephan Renatus
5f054fcf2e
Merge pull request #1342 from concourse/pr/retry-on-pg-serialization-error
retry on serialization errors
2018-11-21 10:29:46 +01:00
Alex Suraci
85dd0684ba extract and document serialization failure check 2018-11-20 10:50:55 -05:00
Alex Suraci
587081a643 postgres: refactor error handling to fix retrying
prior to this change, many of the functions in the ExecTx callback would
wrap the error before returning it. this made it impossible to check
for the error code.

instead, the error wrapping has been moved to be external to the
`ExecTx` callback, so that the error code can be checked and
serialization failures can be retried.
2018-11-20 10:50:55 -05:00
Alex Suraci
aa068b667a postgres: improve readability of error check 2018-11-20 10:50:55 -05:00
Alex Suraci
9b9013a560 postgres: use stdlib to set serializable tx level
also use a context for the rollback, which is a bit cleaner since it
only results in one 'defer', rather than N from the loop
2018-11-20 10:50:55 -05:00
Alex Suraci
7e96021428 retry on serialization errors 2018-11-20 10:50:55 -05:00
Stephan Renatus
1d0568efe9
storage/sql: remove standup.sh
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2018-11-20 16:41:12 +01:00
Alex Suraci
0b856d1a75 pg: support host:port for backwards-compatibility 2018-11-20 10:22:39 -05:00
Stephan Renatus
b1fd2fa8b1
Merge pull request #1346 from concourse/pr/postgres-unix-sockets
Use pq connection parameters instead of URLs for postgres connections

This enables the use of socket paths like /var/run/postgresql for the 'host' instead of requiring TCP. Also, we know allow using a non-default port.
2018-11-20 15:52:40 +01:00
Divya Dadlani
f82b904d05 postgres: use connection string instead of url
otherwise it's impossible to use a Unix socket, as the path gets escaped
awkwardly.

Signed-off-by: Ciro S. Costa <cscosta@pivotal.io>
Signed-off-by: Alex Suraci <suraci.alex@gmail.com>
2018-11-20 09:32:44 -05:00
Alex Suraci
7c63be4104 remove incomplete mysql and cockroachdb support 2018-11-16 18:07:20 +00:00
Stephan Renatus
b9f6594bf0 *: github.com/coreos/dex -> github.com/dexidp/dex
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2018-09-05 17:57:08 +02:00
Eric Stroczynski
4a88d0641a : update {S->s}irupsen/logrus 2017-07-25 13:46:44 -07:00
rithu john
bc55b86d0d storage: add connector object to backend storage. 2017-03-28 14:12:38 -07:00
Eric Chiang
0481fccd76 storage/sql: add missing WHERE statement to refresh token update 2017-03-13 15:53:28 -07:00
rithu john
3df1db1864 storage: Surface "already exists" errors. 2017-02-21 15:00:22 -08:00
rithu john
d928ac0677 storage: Add OfflineSession object to backend storage. 2017-02-09 19:01:28 -08:00
Eric Chiang
312ca7491e storage: add extra fields to refresh token and update method 2017-01-11 12:07:48 -08:00