Commit graph

100 commits

Author SHA1 Message Date
Eric Chiang
87faa5a1f7 *: depricate --email-from flag and move to email config files 2016-06-27 23:36:07 -07:00
Bobby Rullo
b80dbc8975 server: support out-of-band auth flow
When "urn:ietf:wg:oauth:2.0:oob" is used as a redirect URI, redirect to
an internal dex page where the user is shown the code and instructed to
paste it into their app.
2016-06-20 17:03:13 -07:00
Bobby Rullo
cdcf08066d client, server: public client restrictions
* disallow ClientCreds for public clients
* clients can only redirect to localhost or OOB
2016-06-20 17:03:12 -07:00
Bobby Rullo
4f85f3a479 server: change ClientMetadata -> Client
Metadata is not enough these days - we're going to need access to the
Public field as well.
2016-06-20 17:03:12 -07:00
Eric Chiang
35cab93c0a *: add --enable-automatic-registration flag to worker
For remote connectors, allow users to skip registration.
2016-06-17 16:29:56 -07:00
Bobby Rullo
8942a49702 server: remove client_resource api
...and dependent code.
2016-06-15 11:42:50 -07:00
Bobby Rullo
75473b4cba refresh tokens: grant claims based on scopes
Before,  this logic was only in the OIDCServer.CodeToken() method; now it has been
pulled out so that other paths, like OIDCServer.RefreshToken() can use
it.

The net affect, is that now refresh tokens can be used to get
cross-client authenticated ID Tokens.
2016-06-14 14:14:36 -07:00
Bobby Rullo
32a1994a5e refresh tokens: store and validate scopes.
A refresh request must fail if it asks for scopes that were not
originally granted when the refresh token was obtained.

This Commit:

* changes repo to store scopes with tokens
* changes repo interface signatures so that scopes can be stored and
  verified
* updates dependent code to pass along scopes
2016-06-14 14:14:36 -07:00
Bobby Rullo
ca18efb1fe client: load full clients w/ LoadableClient
The Client object on its own doesn't fully express everything about a
single client, and so when loading clients from a static configuration
it's not enough to just (de)serialize clients.

To that end, LoadableClient contains the full representation of a client
and associated entities.
2016-06-08 11:31:50 -07:00
Bobby Rullo
5939a15d10 remove DexServer 2016-06-07 17:27:06 -07:00
Bobby Rullo
e71c5086ba server: CodeToken now does Cross-Client auth 2016-06-07 17:22:41 -07:00
Bobby Rullo
9b4740862c server: /auth accepts, validates X-client scopes 2016-06-07 17:16:11 -07:00
Bobby Rullo
f9dbc8a3d2 db, client: add data model for trusted peers
Trusted Peers are clients that are authorized to mint tokens
for another client.
2016-06-07 17:16:09 -07:00
Bobby Rullo
1b4dca80d7 client: remove ClientManagerFromClients
Replaced by ClientRepoFromClients, which makes more sense IMO. Also, it
was doing the wrong thing: it was ignoring the client_id and client_secret
passed into it as far as I can tell.
2016-06-07 16:47:30 -07:00
Bobby Rullo
a33d61c8e2 server: remove boilerplate setup code part deux
Use the test fixture setup stuff in testutil instead.
2016-06-07 16:47:30 -07:00
Bobby Rullo
ad1d5ab253 server: remove boilerplate setup code
Use the test fixture setup stuff in testutil instead.
2016-06-07 16:47:29 -07:00
Eric Chiang
4440b3a085 Merge pull request #449 from ericchiang/add-connectors-to-api
Set and list connectors from admin API
2016-06-01 10:51:30 -07:00
Eric Chiang
35ea3d9ae1 *: add ability to set and list connectors from admin API
closes #360
2016-06-01 09:31:47 -07:00
bobbyrullo
04fa835405 Merge pull request #353 from fnordahl/issue/156
vendor: update go-oidc to latest
2016-05-27 10:56:54 -04:00
Bobby Rullo
bbaea52ea6 alternate approach to fixing tests 2016-05-27 00:22:27 +02:00
Evan Cordell
73d9742c8b client manager: accept full client when creating 2016-05-24 14:44:04 -05:00
Evan Cordell
a418e1c4e7 client: add client manager
adds a client manager to handle business logic, leaving the repo
for basic crud operations. Also adds client to the test script
2016-05-19 16:20:12 -07:00
Evan Cordell
3da98fcb8e client: add transaction support 2016-05-19 16:17:01 -07:00
Bobby Rullo
847849931f Revert "Fix response_type missing param"
This reverts commit 821b242c83.
2016-05-17 13:49:14 -07:00
Bobby Rullo
e5948ab3ce *: ClientIdentityXXX -> ClientXXX
Get rid of all outdated "ClientIdentity" terminology.
2016-04-20 14:31:27 -07:00
Bobby Rullo
95757e8779 *: Client Repo now deals with custom Client object
This is instead of oidc.ClientIdentity. This makes it easier to add new
fields custom to dex to the client.
2016-04-20 14:31:27 -07:00
Eric Chiang
c2c7f03f47 Merge pull request #409 from Tecsisa/408-test-handleToken
tests: add HandleTokenFunc test
2016-04-15 08:32:53 -07:00
Adrián López Gómez
d3d2db8e05 tests: add HandleTokenFunc test
Fixes #408
2016-04-15 09:17:02 +02:00
Eric Chiang
7858da565f server: add more validation to --no-db static file parsing
In #393 the format of the static user file in --no-db mode changed.
However, the old format loads without error, which has caused
issues for developers with existing user files.

Add an explicit check to ensure the file is not using the old
format. If they are, print a better error message.
2016-04-11 16:21:31 -07:00
Stephan Renatus
ed89be44ef bugfix: make getCreds work for non-admins (#396) 2016-04-08 10:14:01 -07:00
Eric Chiang
cd7d3fff85 Merge pull request #386 from ericchiang/revoke_refresh_2
add ability to revoke refresh tokens in user API
2016-04-06 13:45:23 -07:00
Eric Chiang
e6177cf307 Merge pull request #393 from ericchiang/nodb_users
remove passwordInfos from local connector
2016-04-06 11:30:08 -07:00
Eric Chiang
553e7d0167 server: add refresh token revocation API to server 2016-04-06 11:29:51 -07:00
Eric Chiang
ac73d3cdf2 *: load password infos from users file in no-db mode not connectors
In --no-db mode, load passwords from the users file instead of the
connectors file. This allows us to remove the password infos field
from the local connector and stop loading them during connector
registration, a case that was causing panics when using a real
database (see #286).

Fixes #286
Closes #340
2016-04-06 11:15:05 -07:00
Eric Chiang
b10645f58d *: add client registration endpoint to admin API 2016-04-05 11:37:26 -07:00
Eric Chiang
6120f7ac05 *: add isAdmin option to client repo when creating a client 2016-04-05 11:29:58 -07:00
Rubén Soleto Buenvarón
821b242c83 Fix response_type missing param
This commit fix problem with response_type param, which is required according to OIDC spec, when it is missing.
 At now, when connector_id url query param is not set, connector view use response_type that client request instead of default "code".

Fixes #370
2016-03-17 08:00:49 +01:00
Eric Chiang
1dd831700d Merge pull request #348 from ericchiang/db_health
server: add db heatlh checker to server checkers
2016-03-14 13:17:19 -07:00
Eric Chiang
c3aa6a1ee3 server: correctly decode oauth2 basic auth credentials
Fixes #336
2016-03-02 21:31:54 -08:00
Eric Chiang
c92aae647c Merge pull request #331 from Tecsisa/184-resend-email-invitation
add support for resend an invite email
2016-03-02 16:53:17 -08:00
Eric Chiang
60b843e78b Merge pull request #339 from ericchiang/case_insensitive_emails
db: email comparison should be case insensitive
2016-03-02 16:51:47 -08:00
Eric Chiang
01a24542e9 *: fix tests that care about email case sensitivity 2016-03-01 14:09:10 -08:00
Eric Chiang
3f4a42eefd *: remove unused code
This change has no functional changes, it only removes dead code.
2016-02-29 11:29:36 -08:00
Eric Chiang
067ccee145 server: add db heatlh checker to server checkers 2016-02-29 11:27:17 -08:00
Rubén Soleto Buenvarón
8156870862 add support for resend an invite email
This change solves the User's API problem when you want to create an user that its email hasn't been verified yet but it exist.
At now, you can resend invitation email using endpoint /users/{id}/resend-invitation

Fixes #184
2016-02-26 09:55:28 +01:00
Eric Chiang
07af73f367 *: don't allow sqlite3 if --no-db flag not specified 2016-02-12 13:19:05 -08:00
Eric Chiang
3b125d6073 *: fix --no-db client decoding 2016-02-12 13:19:05 -08:00
Eric Chiang
dcf5835189 *: remove in memory connector config repo 2016-02-12 13:19:05 -08:00
Eric Chiang
b572b8dd6c *: remove in memory client repo
The DB implementation expects secrets to be base64 encoded blobs.
Because of this a bunch of tests broke moving to sqlite.

A lot of this commit is fixing those tests.
2016-02-12 13:19:05 -08:00
Eric Chiang
72d1ecab64 *: remove in memory password info repo 2016-02-12 13:19:05 -08:00