Alastair Houghton
9187aa669d
fix: allow Authorization header when doing CORS
...
The Authorization header needs to be allowed when doing CORS because
otherwise /userinfo can't work. It isn't one of the headers
explicitly allowed by default by Gorilla, so we have to call
handlers.AllowedHeaders() to specify it.
Issues: #1532
Signed-off-by: Alastair Houghton <alastair@alastairs-place.net>
2020-10-05 15:01:54 +01:00
Rui Yang
bd2234cd12
Add constructor for static key strategy
...
Co-authored-by: Josh Winters <jwinter@pivotal.io>
Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-10-01 15:32:23 -04:00
Márk Sági-Kazár
9781e56ba5
Merge pull request #1690 from flant/fix-relative-url
...
Fix templates which asset path points to external URL
2020-09-29 19:47:38 +02:00
Tomasz Kleczek
b1311baa3c
abort connector login if connector was already set #1707
...
Signed-off-by: Tomasz Kleczek <tomasz.kleczek@gmail.com>
2020-08-29 17:19:14 +02:00
Bernd Eckstein
f6cd778b60
Add c_hash to id_token, issued on /auth endpoint, when in hybrid flow
...
* fixed name collision (renamed hash->hashFunc)
Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>
2020-07-31 12:06:19 +02:00
justin-slowik
9a7926c19b
Cleaned up Device Flow test log levels
...
Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
Remove extraneous "=" from conformance.go
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Additional test for TestHandleDeviceCode
Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-07-21 16:01:08 -04:00
justin-slowik
334ecf0482
Fixes based on PR comments.
...
Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-07-14 10:13:37 -04:00
justin-slowik
1404477326
Updates based on dexidp pr
...
Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-07-08 16:25:06 -04:00
justin-slowik
f91f294385
gofmt
...
Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-07-08 16:25:06 -04:00
justin-slowik
9882ea453f
better support for /device/callback redirect uris with public clients.
...
Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-07-08 16:25:06 -04:00
Justin Slowik
9c699b1028
Server integration test for Device Flow ( #3 )
...
Extracted test cases from OAuth2Code flow tests to reuse in device flow
deviceHandler unit tests to test specific device endpoints
Include client secret as an optional parameter for standards compliance
Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-07-08 16:25:05 -04:00
Justin Slowik
9bbdc721d5
Device flow token code exchange ( #2 )
...
* Added /device/token handler with associated business logic and storage tests.
Perform user code exchange, flag the device code as complete.
Moved device handler code into its own file for cleanliness. Cleanup
* Removed PKCE code
* Rate limiting for /device/token endpoint based on ietf standards
* Configurable Device expiry
Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-07-08 16:25:05 -04:00
Justin Slowik
0d1a0e4129
Device token api endpoint ( #1 )
...
* Added /device/token handler with associated business logic and storage tests.
* Use crypto rand for user code
Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-07-08 16:25:05 -04:00
Justin Slowik
6d343e059b
Generates/Stores the device request and returns the device and user codes.
...
Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-07-08 16:25:05 -04:00
m.nabokikh
70505b258d
Fix templates with asset paths that point to external URL
...
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-07-06 12:02:39 +04:00
Mark Sagi-Kazar
e84682d7b9
Add v2 api module
2020-07-01 14:20:57 +02:00
Márk Sági-Kazár
2ca992e9b3
Merge pull request #1721 from candlerb/fix-token-comment
...
Fix comment for implicit flow
2020-05-31 21:54:31 +02:00
techknowlogick
0a9f56527e
Add Gitea connector ( #1715 )
...
* Add Gitea connector
* Add details to readme
* resolve lint issue
2020-05-26 13:54:40 +02:00
Brian Candler
d2c9305e0f
Fix comment for implicit flow
2020-05-21 12:00:53 +01:00
Tadeusz Magura-Witkowski
7b7e2a040d
Automatic consistency fixing in case of missing refresh token in db
2020-03-25 13:43:53 +01:00
Kyle Larose
ab5ea03025
handlers: do not fail login if refresh token gone
...
There is a chance that offline storage could fall out of sync with the
refresh token tables. One example is if dex crashes/is stopped in the
middle of handling a login request. If the old refresh token associated
with the offline session is deleted, and then the process stops, the
offline session will still refer to the old token.
Unfortunately, if this case occurs, there is no way to recover from it,
since further logins will be halted due to dex being unable to clean up
the old tokens still referenced in the offline session: the database is
essentially corrupted.
There doesn't seem to be a good reason to fail the auth request if the
old refresh token is gone. This changes the logic in `handleAuthCode` to
not fail the entire transaction if the old refresh token could not be
deleted because it was not present. This has the effect of installing
the new refresh token, and updating the offline storage, thereby fixing
the issue, however it occurred.
2020-03-18 12:56:37 -04:00
Nándor István Krácser
b7cf701032
Merge pull request #1515 from flant/atlassian-crowd-connector
...
new connector for Atlassian Crowd
2020-02-24 10:09:27 +01:00
Nándor István Krácser
1160649c31
Merge pull request #1621 from concourse/pr/passowrd-grant-synced
...
Rework - add support for Resource Owner Password Credentials Grant
2020-02-20 08:27:50 +01:00
Ivan Mikheykin
7ef1179e75
feat: connector for Atlassian Crowd
2020-02-05 12:40:49 +04:00
Joshua Winters
76825fef8f
Make logger and prometheus optional in server config
...
Signed-off-by: Josh Winters <jwinters@pivotal.io>
Co-authored-by: Mark Huang <mhuang@pivotal.io>
2020-01-13 15:28:41 -05:00
Rui Yang
0f9a74f1d0
Remove unnecessary client verification
2020-01-10 14:52:57 -05:00
Zach Brown
13be146d2a
Add support for password grant #926
2020-01-10 13:18:09 -05:00
Nándor István Krácser
6318c105ec
Merge pull request #1599 from sabre1041/openshift-connector
...
OpenShift connector
2020-01-01 12:55:11 +01:00
Márk Sági-Kazár
789272a0c1
Merge pull request #1576 from flant/icons-proposal
...
Pick icons on login screen by connector type instead of ID
2019-12-23 13:05:19 +01:00
m.nabokikh
058e72ef50
Pick icons on login screen by connector type instead of ID
...
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2019-12-23 12:38:22 +04:00
Andrew Block
92e63771ac
Added OpenShift connector
2019-12-22 02:27:09 -05:00
Mark Sagi-Kazar
050d5af937
Fix ineffassign
2019-12-18 16:07:06 +01:00
Mark Sagi-Kazar
65c77e9db2
Fix bodyclose
2019-12-18 16:04:03 +01:00
Mark Sagi-Kazar
f141f2133b
Fix whitespace
2019-12-18 15:56:12 +01:00
Mark Sagi-Kazar
9bd5ae5197
Fix goimports
2019-12-18 15:53:34 +01:00
Mark Sagi-Kazar
367b187cf4
Fix misspell
2019-12-18 15:51:44 +01:00
Mark Sagi-Kazar
8c3dc0ca66
Remove unused code (fixed: unused, structcheck, deadcode linters)
2019-12-18 15:46:49 +01:00
Joel Speed
97ffa21262
Create separate Google connector
2019-11-19 17:12:36 +00:00
Joel Speed
c4e96dda32
Fix migration of old connector data
2019-11-19 15:43:23 +00:00
Joel Speed
d9095073c8
Unindent session updates on finalizeLogin
2019-11-19 15:43:22 +00:00
Joel Speed
19ad7daa7f
Use old ConnectorData before session.ConnectorData
2019-11-19 15:43:19 +00:00
Joel Speed
176ba709a4
Revert "Remove connectordata from other structs"
...
This reverts commit 27f33516db343bd79b56a47ecef0fe514a35082d.
2019-11-19 15:43:14 +00:00
Joel Speed
4076eed17b
Build opts based on scope
2019-11-19 15:43:11 +00:00
Joel Speed
5c88713177
Remove connectordata from other structs
2019-11-19 15:43:03 +00:00
Joel Speed
0352258093
Update handleRefreshToken logic
2019-11-19 15:43:01 +00:00
Joel Speed
575c792156
Store most recent refresh token in offline sessions
2019-11-19 15:40:56 +00:00
serhiimakogon
b793afd375
preferred_username claim added on refresh token
2019-11-19 16:27:34 +02:00
Nándor István Krácser
0b55f121b4
Fix missing email in log message
...
Co-Authored-By: Felix Fontein <ff@dybuster.com>
2019-10-30 13:13:33 +01:00
Nandor Kracser
c1b421fa04
add preferred_username to idToken
...
Signed-off-by: Nandor Kracser <bonifaido@gmail.com>
2019-10-30 13:06:37 +01:00
Yannis Zarkadas
27944d4f8f
templates: add new relativeURL function
...
Signed-off-by: Yannis Zarkadas <yanniszark@arrikto.com>
2019-10-02 17:08:06 +03:00
Yannis Zarkadas
839130f01c
handlers: change all handlers to pass down http request
...
Signed-off-by: Yannis Zarkadas <yanniszark@arrikto.com>
2019-10-02 17:08:06 +03:00
Stephan Renatus
c854e760db
Merge pull request #1539 from erwinvaneyk/replace-context-import
...
Replace x/net/context with stdlib context
2019-08-31 17:52:18 +02:00
erwinvaneyk
3e2217b3f4
Replace x/net/context with context of stdlib
2019-08-30 11:52:46 +02:00
Nandor Kracser
bd61535cb6
connector/ldap: display login error
2019-08-22 15:55:05 +02:00
Stephan Renatus
e1afe771cb
Merge pull request #1505 from MarcDufresne/show-login-page
...
Add option to always display connector selection even if there's only one
2019-08-07 09:23:42 +02:00
Stephan Renatus
89e43c198b
Merge pull request #1504 from MarcDufresne/template-custom-data
...
Allow arbitrary data to be passed to templates
2019-08-07 09:19:14 +02:00
Marc-André Dufresne
0dbb642f2c
Add option to always display connector selection even if there's only one
2019-08-06 13:18:46 -04:00
Marc-André Dufresne
d458e882aa
Allow arbitrary data to be passed to templates
2019-08-06 13:14:53 -04:00
Mike O
43d1a044bd
Add tests for some callback handler error conditions
2019-08-05 16:02:28 -07:00
Mike O
d03a43335e
Return HTTP 400 for invalid state parameter
2019-08-01 16:22:53 -07:00
Stephan Renatus
291cd9e01c
regenerate protobuf code
...
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-07-31 08:16:18 +02:00
Stephan Renatus
231e571c3c
server/api: fix logging in VerifyPassword
...
Before:
msg="api: password check failed : %vcrypto/bcrypt: hashedPassword is not the hash of the given password"
After:
msg="api: password check failed : crypto/bcrypt: hashedPassword is not the hash of the given password"
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-07-30 14:53:33 +02:00
Stephan Renatus
d9487e553b
*: fix some lint issues
...
Mostly gathered these using golangci-lint's deadcode and ineffassign
linters.
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-07-30 11:29:08 +02:00
Stephan Renatus
8561a66365
server/{handler,oauth2}: cleanup error returns
...
Now, we'll return a standard error, and have the caller act upon this
being an instance of authErr.
Also changes the storage.AuthRequest return to a pointer, and returns
nil in error cases.
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-07-25 13:40:06 +02:00
Stephan Renatus
421c26fdf5
Merge pull request #1481 from LanceH/master
...
Added "connector_id" to skip straight to a connector (similar to when len(connector) is 1).
2019-07-23 11:31:25 +02:00
LanceH
07a77e0dac
Use connector_id param to skip directly to a specific connector
2019-07-22 10:47:11 -05:00
Tyler Cloke
dd84e73c0e
Add VerifyPassword to API
...
It takes in an email and plain text password to verify. If it fails to find a password stored for email, it returns not_found. If it finds the password hash stored but that hash doesn't match the password passed via the API, it returns verified = false, else it returns verified = true.
Co-authored-by: Alban Seurat <alban.seurat@me.com>
2019-07-22 10:23:07 +02:00
Andy Lindeman
5b66bf05c8
Fixed shadowed variable declaration
2019-06-27 19:12:18 -04:00
Andy Lindeman
59b6595c37
userinfo_endpoint is required
2019-06-25 12:17:03 -04:00
Andy Lindeman
8959dc4275
ctx is not used
2019-06-24 09:43:12 -04:00
Andy Lindeman
21174c06a1
Remove comment
...
We have a story around user info now
2019-06-24 09:42:46 -04:00
Andy Lindeman
840065faaf
Assert something about the returned userinfo
2019-06-24 09:39:54 -04:00
Andy Lindeman
46f5726d11
Use oidc.Verifier to verify tokens
2019-06-22 13:18:35 -04:00
Andy Lindeman
157c359f3e
Bump go-oidc to latest v2
2019-06-20 12:27:47 -04:00
mdbraber
3dd1bac821
Fix comments
2019-06-05 22:14:31 +02:00
Maarten den Braber
74f4e749b9
Formatting
2019-06-05 22:14:31 +02:00
Maarten den Braber
d7750b1e26
Fix changes
2019-06-05 22:14:31 +02:00
Maarten den Braber
a8d059a237
Add userinfo endpoint
...
Co-authored-by: Yuxing Li <360983+jackielii@users.noreply.github.com>
Co-authored-by: Francisco Santiago <1737357+fjbsantiago@users.noreply.github.com>
2019-06-05 22:11:21 +02:00
Eric Chiang
cd3c6983da
Merge pull request #1429 from tsuna/master
...
server: add metrics for CORS handlers.
2019-05-12 10:40:23 -07:00
Tomas Barton
55cebd58a8
print appropriate error
2019-05-03 14:19:54 +02:00
Benoit Sigoure
d6ad67a6de
server: add metrics for CORS handlers.
2019-04-19 14:32:52 -07:00
Mark Sagi-Kazar
06521ffa49
Remove the logrus logger wrapper
2019-02-22 21:31:46 +01:00
Mark Sagi-Kazar
d1c8f8d095
Remove structured logging from the logger interface
2019-02-22 21:26:30 +01:00
Mark Sagi-Kazar
be581fa7ff
Add logger interface and stop relying on Logrus directly
2019-02-22 13:38:57 +01:00
Eric Chiang
8935a1479c
server: update health check endpoint to query storage periodically
...
Instead of querying the storage every time a health check is performed
query it periodically and save the result.
2019-02-04 19:02:41 +00:00
joannano
88d1e2b041
keystone: test cases, refactoring and cleanup
2019-01-11 15:14:56 +01:00
Krzysztof Balka
a965365a2b
keystone: refresh token and groups
2019-01-11 15:14:11 +01:00
knangia
0774a89066
keystone: squashed changes from knangia/dex
2019-01-11 15:12:59 +01:00
Haines Chan
b78b8aeee0
Replace "GET", "POST" to http.MethodGet and http.MethodPost
2018-12-27 16:27:36 +08:00
Maximilian Gaß
468c74d1d2
Make expiry of auth requests configurable
2018-12-13 11:50:34 +01:00
Stephan Renatus
f3acec0b1b
Merge pull request #1275 from ccojocar/client-update-api
...
Extend the API with a function which updates the client configuration
2018-11-27 11:47:16 +01:00
Cosmin Cojocar
01c6b9dd91
Remove the 'public' field from UpdateClientReq proto message
2018-11-26 19:07:59 +01:00
Alexander Matyushentsev
ff8b44558e
Issue #1263 - Render error message provided by connector if user authentication failed
2018-11-13 15:44:28 -08:00
Cosmin Cojocar
281ec27118
Update also to a list of empty redirect URIs and Peers
2018-11-13 09:59:45 +01:00
Cosmin Cojocar
9d1ec6c36b
Revert "Avoid overwriting existing redirect URI and trusted peers when updating the client"
...
This reverts commit 49fa5ee6e8.
2018-11-13 09:58:17 +01:00
Cosmin Cojocar
49fa5ee6e8
Avoid overwriting existing redirect URI and trusted peers when updating the client
...
Also skip configuring the Public field.
2018-11-12 21:48:14 +01:00
Cosmin Cojocar
c9b18b2785
Add tests for UpdateClient API
2018-11-12 18:43:48 +01:00
Cosmin Cojocar
9926a0dced
Extend the API with a function which updates the client configuration
2018-11-12 17:33:06 +01:00
Stephan Renatus
e1acb6d577
Merge pull request #1307 from edtan/upstream-add-bitbucket-connector
...
Add Bitbucket connector
2018-10-12 09:02:21 +02:00
Danny Sauer
74bfbcefbc
minor spelling correction
2018-10-09 15:57:37 -05:00