Commit graph

61 commits

Author SHA1 Message Date
Rubén Soleto Buenvarón
c91b37aa9e refresh token rotation
Update refresh token flow to revoke old refresh token and generate a new one.

Fixes #519
2016-08-16 08:05:01 +02:00
Eric Chiang
b02a3a3163 *: add "groups" scope 2016-07-19 11:23:04 -07:00
Eric Chiang
f899cbaea8 return 409 for duplicate client ids 2016-06-28 16:09:20 -07:00
Bobby Rullo
095489d7c5 db: fix client migration test 2016-06-20 17:03:13 -07:00
Bobby Rullo
09e889e7bc client: add public client to data model 2016-06-20 11:27:47 -07:00
Bobby Rullo
75473b4cba refresh tokens: grant claims based on scopes
Before, this logic was only in the OIDCServer.CodeToken() method; now it has been
pulled out so that other paths, like OIDCServer.RefreshToken(), can use
it.

The net effect is that now refresh tokens can be used to get
cross-client authenticated ID Tokens.
2016-06-14 14:14:36 -07:00
Bobby Rullo
32a1994a5e refresh tokens: store and validate scopes.
A refresh request must fail if it asks for scopes that were not
originally granted when the refresh token was obtained.

This Commit:

* changes repo to store scopes with tokens
* changes repo interface signatures so that scopes can be stored and
  verified
* updates dependent code to pass along scopes
2016-06-14 14:14:36 -07:00
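The two refresh-token behaviours described in the commits above, rotation ("revoke old refresh token and generate a new one", c91b37aa9e) and scope validation ("a refresh request must fail if it asks for scopes that were not originally granted", 32a1994a5e), shown together as an added Go example written for this page. It is not dex's own refresh repo or OIDCServer.RefreshToken(): the in-memory RefreshRepo, the record layout, the token format and the reuse-detection step (revoking every live token of a user/client pair when an already-rotated token is replayed) are assumptions and hardening added here, not something the commits describe.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
)

// refreshRecord is what the repo persists per refresh token: the client and user
// it was issued to and the scopes granted at authorization time. Illustrative
// stand-in for a database row, not dex's schema.
type refreshRecord struct {
	ClientID string
	UserID   string
	Scopes   []string
	Revoked  bool
}

var (
	ErrTokenNotFound = errors.New("refresh token not found, revoked, or bound to another client")
	ErrScopeExceeded = errors.New("requested scope was not granted when the refresh token was issued")
)

// RefreshRepo is an in-memory refresh token store (assumption of this example).
type RefreshRepo struct {
	mu     sync.Mutex
	tokens map[string]*refreshRecord
}

func NewRefreshRepo() *RefreshRepo {
	return &RefreshRepo{tokens: make(map[string]*refreshRecord)}
}

// newTokenString returns 256 bits of CSPRNG output, URL-safe base64 encoded.
func newTokenString() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// Create issues a refresh token bound to clientID, userID and the granted scopes.
func (r *RefreshRepo) Create(clientID, userID string, scopes []string) (string, error) {
	tok, err := newTokenString()
	if err != nil {
		return "", err
	}
	r.mu.Lock()
	defer r.mu.Unlock()
	r.tokens[tok] = &refreshRecord{ClientID: clientID, UserID: userID, Scopes: append([]string(nil), scopes...)}
	return tok, nil
}

// Refresh validates the presented token for clientID, rejects any requested scope
// outside the original grant (an empty request means the original scopes), then
// rotates: the presented token is revoked and a successor carrying the same grant
// is returned together with the scopes to mint the new tokens with.
func (r *RefreshRepo) Refresh(presented, clientID string, requested []string) (string, []string, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	rec, ok := r.tokens[presented]
	if !ok || rec.ClientID != clientID {
		return "", nil, ErrTokenNotFound
	}
	if rec.Revoked {
		// Replay of an already-rotated token: the client lost the response or an
		// attacker holds a stolen copy. Revoke the whole family (added hardening).
		for _, t := range r.tokens {
			if t.UserID == rec.UserID && t.ClientID == rec.ClientID {
				t.Revoked = true
			}
		}
		return "", nil, ErrTokenNotFound
	}
	if len(requested) == 0 {
		requested = rec.Scopes
	}
	if !isSubset(requested, rec.Scopes) {
		return "", nil, ErrScopeExceeded
	}
	next, err := newTokenString()
	if err != nil {
		return "", nil, err
	}
	rec.Revoked = true
	r.tokens[next] = &refreshRecord{ClientID: rec.ClientID, UserID: rec.UserID, Scopes: append([]string(nil), rec.Scopes...)}
	return next, append([]string(nil), requested...), nil
}

func isSubset(want, granted []string) bool {
	allowed := make(map[string]bool, len(granted))
	for _, s := range granted {
		allowed[s] = true
	}
	for _, s := range want {
		if !allowed[s] {
			return false
		}
	}
	return true
}

func main() {
	repo := NewRefreshRepo()
	tok, _ := repo.Create("example-app", "alice", []string{"openid", "email"}) // constructed sample grant
	_, _, err := repo.Refresh(tok, "example-app", []string{"openid", "groups"})
	fmt.Println("scope escalation:", err)
	next, scopes, _ := repo.Refresh(tok, "example-app", nil)
	fmt.Println("rotated:", next != tok, scopes)
	_, _, err = repo.Refresh(tok, "example-app", nil)
	fmt.Println("replay of old token:", err)
	_, _, err = repo.Refresh(next, "example-app", nil)
	fmt.Println("successor after replay:", err)
}
```

Two points worth noting. A narrowed request (for example just `openid` from a grant of `openid email`) is honoured for the tokens minted now, but the successor refresh token keeps the original grant, matching RFC 6749 §6 semantics; and a client-ID mismatch is reported as "not found" rather than as a distinct error so the endpoint does not act as an oracle for which tokens exist.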
Bobby Rullo
88142764e9 db: Don't check that trusted peers clients exist
Checking that trusted peers exist means that you have to create clients
in a certain order, or else create all the clients, then update trusted
peers. Either way, not a great experience during setup.

The downside, of course, is that you lose validation of peer
IDs.
2016-06-08 11:54:15 -07:00
Bobby Rullo
ca18efb1fe client: load full clients w/ LoadableClient
The Client object on its own doesn't fully express everything about a
single client, and so when loading clients from a static configuration
it's not enough to just (de)serialize clients.

To that end, LoadableClient contains the full representation of a client
and associated entities.
2016-06-08 11:31:50 -07:00
Bobby Rullo
f9dbc8a3d2 db, client: add data model for trusted peers
Trusted Peers are clients that are authorized to mint tokens
for another client.
2016-06-07 17:16:09 -07:00
Bobby Rullo
1b4dca80d7 client: remove ClientManagerFromClients
Replaced by ClientRepoFromClients, which makes more sense IMO. Also, it
was doing the wrong thing: it was ignoring the client_id and client_secret
passed into it as far as I can tell.
2016-06-07 16:47:30 -07:00
Evan Cordell
a418e1c4e7 client: add client manager
adds a client manager to handle business logic, leaving the repo
for basic crud operations. Also adds client to the test script
2016-05-19 16:20:12 -07:00
Evan Cordell
3da98fcb8e client: add transaction support 2016-05-19 16:17:01 -07:00
Bobby Rullo
399b15abeb integration, *: Improve tests for admin api
* TestCreateClient was missing test coverage on error cases
* Fixed bug where 500s were being reported for bad requests
* changed function signature of NewAdminAPI back to old way of passing
  in lots of repos: passing in a DbMap made it difficult to test
* added swappable ID and Secret generators when creating Clients
2016-04-20 14:31:27 -07:00
Bobby Rullo
e7141336bc db: Client() should not return the secret
It's never used by downstream code, and besides, it's not really the
secret but a Hash of the secret.
2016-04-20 14:31:27 -07:00
Bobby Rullo
e5948ab3ce *: ClientIdentityXXX -> ClientXXX
Get rid of all outdated "ClientIdentity" terminology.
2016-04-20 14:31:27 -07:00
Bobby Rullo
95757e8779 *: Client Repo now deals with custom Client object
This is instead of oidc.ClientIdentity. This makes it easier to add new
fields custom to dex to the client.
2016-04-20 14:31:27 -07:00
Eric Chiang
5c5df23a57 db: print better error messages for invalid input
When client secrets are not base64 encoded, print an error message
that's not a generic base64 decode error:

   client secrets must be base64 decodable. See issue #337.
   Please consider replaceing "secret" with "c2VjcmV0"

When a user file is missing a mandatory field print an error message.

	Unable to build Server: user elroy-foo is missing email field

For #400
2016-04-11 16:31:50 -07:00
Eric Chiang
7416929455 *: add revocation methods to refresh repo 2016-04-06 11:25:50 -07:00
Eric Chiang
6120f7ac05 *: add isAdmin option to client repo when creating a client 2016-04-05 11:29:58 -07:00
Eric Chiang
60b843e78b Merge pull request #339 from ericchiang/case_insensitive_emails
db: email comparison should be case insensitive
2016-03-02 16:51:47 -08:00
Eric Chiang
09069a51a7 Merge pull request #356 from ericchiang/fix_cross_compilation
Fix cross compilation
2016-03-02 14:47:39 -08:00
Eric Chiang
875d5d09bf db: regenerate migrations 2016-03-02 14:47:17 -08:00
Eric Chiang
4feaae98b0 db: add better comment about migration 2016-03-02 14:47:00 -08:00
Eric Chiang
93b89ad0e9 db: protect the sqlite3 import with a cgo tag 2016-03-02 12:02:55 -08:00
Eric Chiang
2a0cc47419 db: generate in-memory migration assets 2016-03-01 10:59:25 -08:00
Eric Chiang
f738188c13 db: switch migration source to use in-memory migration
When reading migrations from files, sql-migrate attempts to split
SQL statements. The parsing logic does not handle $BODY$ statements
and broke when the migration included one.

Replace go-bindata with a small migration generation script and use
in memory migrations instead.
2016-03-01 10:55:05 -08:00
Eric Chiang
208afd3b01 *: add functional tests for case insensitive emails 2016-03-01 10:54:12 -08:00
Eric Chiang
9bc68edae7 *: add migration to convert all emails to lowercase
Fixes #338
2016-03-01 10:51:50 -08:00
Eric Chiang
22180c697f db: only allow one open connection for in memory databases
sqlite3 in memory databases do not support concurrent writes. Limit
number of open connections to prevent race conditions.
2016-02-22 16:30:48 -08:00
Eric Chiang
ed5dee9960 db: clean up quote and executor function calls, improve translate docs 2016-02-16 18:19:23 -08:00
Eric Chiang
1658e86b2a *: fix govet warnings 2016-02-12 13:19:05 -08:00
Eric Chiang
72d1ecab64 *: remove in memory password info repo 2016-02-12 13:19:05 -08:00
Eric Chiang
95560404a3 *: remove in memory refresh repo 2016-02-12 13:19:05 -08:00
Eric Chiang
7bac93aa20 *: remove in memory session repos
Move manager to its own package so it can import db. Move all
references to the in memory session repos to use sqlite3.
2016-02-12 13:19:05 -08:00
Eric Chiang
bfd63b7514 db: add sqlite3 support 2016-02-12 13:19:05 -08:00
Eric Chiang
af790e46bb Merge pull request #267 from ericchiang/metadata
add dynamic client registration
2016-02-01 16:25:57 -08:00
Eric Chiang
d255007ed9 db: log ignored base64 decode error
Closes #270
2016-01-15 15:31:46 -08:00
Eric Chiang
9796a1e648 *: add migration to update JSON fields and require postgres 9.4+
The "redirectURLs" field in the client metadata has been updated
to the correct "redirect_uris". To allow backwards compatibility
use Postgres' JSON features to update the actual JSON in the text
field.

json_build_object was introduced in Postgres 9.4. So update the
documentations to require at least this version.
2016-01-12 17:19:07 -08:00
Bobby Rullo
c1f8effe1a db, functional: make value column in key not pkey
go-oidc increased the size of the generated keys, which were too large
to be used as primary keys in postgres.
2015-12-28 16:02:16 -08:00
Eric Chiang
a7138b3cfd db: rebuild migration assets using go generate 2015-12-21 09:45:53 -08:00
Eric Chiang
6cb3146b09 build,db: don't call go-bindata on every build
Add go generate rule to generate migration assets.
2015-12-21 09:43:45 -08:00
Eric Chiang
49389c9b90 cmd, db: verify at least one secret is passed to --key-secrets
Passing an empty list to the overlord or worker's --key-secrets
flag currently causes an out of range panic. Always check to ensure
there's at least one element passed.

Fixes #130
Fixes #217
2015-12-16 20:28:21 -08:00
Eric Chiang
9f3bf0d160 db: strconv.ParseInt specify base 10
closes #99
2015-12-09 14:47:21 -08:00
Eric Chiang
5295344f9e db: fixed missing return statement GetConnectorByID
Added missing err return introduced by #199
2015-12-07 20:58:36 -08:00
Eric Chiang
f43655a8c3 user/manager: connector must exist when creating remote identity
Add ConnectorConfigRepo to UserManager. When trying to create a
RemoteIdentity, validate that the connector ID exists.

Fixes #198
2015-12-07 17:34:08 -08:00
George Tankersley
07a4d4441e pkg/crypto: replace old crypto with new crypto 2015-10-29 13:45:25 -07:00
Joe Bowers
c70b29f83d db: log schema errors, distinguish them from nil results where needed 2015-09-29 20:07:36 -07:00
Joe Bowers
2ed2859896 repo: functional repo tests
includes changes to ensure uniform errors for DB and in-memory repos
2015-09-29 16:46:48 -07:00
Joe Bowers
e5db302312 server: expose user disable API endpoint 2015-09-29 16:46:30 -07:00