Commit graph

57 commits

Author SHA1 Message Date
m.nabokikh
06c8ab5aa7 Fixes of naming and code style
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-02-10 23:37:57 +04:00
m.nabokikh
91de99d57e feat: Add refresh token expiration and rotation settings
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-02-10 23:37:57 +04:00
Maksim Nabokikh
6664b5702d Apply suggestions from code review
Co-authored-by: Márk Sági-Kazár <sagikazarmark@users.noreply.github.com>
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-02-05 13:16:41 +04:00
Maksim Nabokikh
65a8bf2af3 feat: graceful shutdown fixes
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-01-26 16:45:10 +04:00
m.nabokikh
f82c217e12 feat: graceful shutdown
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-01-26 12:16:30 +04:00
Mark Sagi-Kazar
c55d84b5d2 feat: add flags for bind address config options
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2021-01-14 15:50:19 +01:00
Mark Sagi-Kazar
cdefd1f788 refactor: serve command
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2021-01-14 15:30:03 +01:00
Justin Slowik
9bbdc721d5 Device flow token code exchange (#2)
* Added /device/token handler with associated business logic and storage tests.

Perform user code exchange, flag the device code as complete.

Moved device handler code into its own file for cleanliness. Cleanup

* Removed PKCE code

* Rate limiting for /device/token endpoint based on ietf standards

* Configurable Device expiry

Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-07-08 16:25:05 -04:00
Mark Sagi-Kazar
e84682d7b9 Add v2 api module 2020-07-01 14:20:57 +02:00
Tomasz Kleczek
c830d49884 allow no secret for static public clients
For statically-configured public clients it should be allowed for both
Secret and SecretEnv fields to be empty.
2020-05-05 17:09:09 +02:00
Yann Soubeyrand
99c3ec6820 Add ability to set ID and Secret from environment variables for static clients
Having ID and Secret in clear inside configuration files for static
clients is not ideal. This commit allows setting these from environment
variables.

Signed-off-by: Yann Soubeyrand <yann.soubeyrand@gmx.fr>
2020-03-03 08:27:13 +01:00
Zach Brown
13be146d2a Add support for password grant #926 2020-01-10 13:18:09 -05:00
Mark Sagi-Kazar
f141f2133b Fix whitespace 2019-12-18 15:56:12 +01:00
Steven Danna
46f48b33a1 Use a more conservative set of CipherSuites
The default cipher suites used by Go include a number of ciphers that
have known weaknesses. In addition to leaving users open to these
weaknesses, the inclusion of these weaker ciphers causes problems with
various automated scanning tools.

This PR disables the CBC-mode, RC4, and 3DES ciphers included in the
Go standard library by passing an explicit cipher suite list.

The ciphers included here are more in line with those recommended by
Mozilla for "Intermediate" compatibility. [0]

*Performance Implications*

The Go standard library does capability-based cipher ordering,
preferring AES ciphers if the underlying hardware has AES specific
instructions. [1] Since all of the relevant code is internal modules,
to do the same thing ourselves would require duplicating that
code. Here, I've placed AES based ciphers first.

*Compatibility Implications*

This does reduce the number of clients who will be able to communicate
with dex.

[0] https://ssl-config.mozilla.org/#server=nginx&server-version=1.17.0&config=intermediate&hsts=false&ocsp=false
[1] a8c2e5c6ad/src/crypto/tls/common.go (L1091)

Signed-off-by: Steven Danna <steve@chef.io>
2019-08-31 17:34:55 +01:00
Stephan Renatus
d9f6ab4a68 Merge pull request #1512 from venezia/add_reflection
Add reflection to gRPC API (configurable)
2019-08-07 13:56:33 +02:00
Michael Venezia
b65966d744 cmd/dex: adding reflection to grpc api, enabled through configuration 2019-08-07 07:37:39 -04:00
Marc-André Dufresne
0dbb642f2c Add option to always display connector selection even if there's only one 2019-08-06 13:18:46 -04:00
Stephan Renatus
ea7fd6d470 cmd/dex: adapt to prometheus API change
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-07-31 08:09:58 +02:00
Stephan Renatus
128d5da89e Merge pull request #1500 from dexidp/sr/fix-some-lint-issues
*: fix some lint issues
2019-07-30 11:41:27 +02:00
Stephan Renatus
d9487e553b *: fix some lint issues
Mostly gathered these using golangci-lint's deadcode and ineffassign
linters.

Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-07-30 11:29:08 +02:00
Sabith K Soopy
6ccb96ff74 Add some test to validate the configuration 2019-07-23 08:16:16 -07:00
Yann Soubeyrand
c5f2871ab5 cmd/dex/serve.go: log static client name instead of ID
Signed-off-by: Yann Soubeyrand <yann.soubeyrand@gmx.fr>
2019-04-18 13:56:11 +02:00
Mark Sagi-Kazar
06521ffa49 Remove the logrus logger wrapper 2019-02-22 21:31:46 +01:00
Mark Sagi-Kazar
be581fa7ff Add logger interface and stop relying on Logrus directly 2019-02-22 13:38:57 +01:00
Steven Danna
59f8b02d47 Set minimum TLS protocol version to TLSv1.2, set PreferServerCipherSuites
Some environments are subject to strict rules about the permitted TLS
protocol version and available ciphers. Setting TLSv1.2 as the minimum
version ensures we do not use weaker protocols. We've opted against
making this configurable given the age of TLSv1.2 and the increasing
push to deprecate TLSv1.1 and older.

The PreferServerCipherSuites setting is also commonly flagged by SSL
quality scanning tools. Since Go provides a relatively modern set of
default ciphers by default, defaulting this to true is unlikely to
make much practical difference.

Signed-off-by: Steven Danna <steve@chef.io>
2019-01-29 11:18:55 +00:00
Maximilian Gaß
468c74d1d2 Make expiry of auth requests configurable 2018-12-13 11:50:34 +01:00
Stephan Renatus
b9f6594bf0 *: github.com/coreos/dex -> github.com/dexidp/dex
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2018-09-05 17:57:08 +02:00
Frederic Branczyk
5f03479d29 *: Add go runtime, process, HTTP and gRPC metrics 2017-12-21 21:24:09 +01:00
Devon Barrett
eb14a8245c fixes typo: s/suppied/supplied/ 2017-10-08 11:29:27 +01:00
rithu john
fd4f57b5f3 storage/static.go: storage backend should not explicitly lower-case email ids. 2017-08-24 15:50:32 -07:00
Eric Stroczynski
4a88d0641a : update {S->s}irupsen/logrus 2017-07-25 13:46:44 -07:00
rithu john
dc4b97b851 cmd/dex/serve: add local connector directly to static connectors in storage 2017-05-01 15:53:37 -07:00
rithu john
8c9c2518f5 server: account for dynamically changing connector object in storage. 2017-04-25 09:19:02 -07:00
Eric Chiang
777eeafabc *: update go-oidc and use standard library's context package 2017-03-08 10:33:19 -08:00
rithu john
31e8009441 cmd/dex: make connector name field mandatory in dex configuration. 2017-01-23 15:14:41 -08:00
Simon HEGE
415a68f977 Allow CORS on keys and token endpoints 2017-01-14 21:15:51 +01:00
Simon HEGE
b4c47910e4 Allow CORS on discovery endpoint 2017-01-08 19:22:39 +01:00
rithu john
135b71727d server: use UTC timestamps in dex. 2016-12-16 16:13:51 -08:00
Eric Chiang
50086e6863 cmd/dex: provide better feedback when parsing config 2016-12-15 13:47:25 -08:00
rithu john
8b7f810bb8 cmd/dex: modify error messages to info messages. 2016-12-13 14:26:08 -08:00
rithu john
9949a1313c server: modify error messages to use logrus. 2016-12-13 11:52:44 -08:00
rithu john
2e22a948cf cmd/dex: add logging config and serve logger for different modules. 2016-12-12 15:56:50 -08:00
Eric Chiang
391dc51c13 *: add theme based frontend configuration
This PR reworks the web layout so static files can be provided and
a "themes" directory to allow a certain degree of control over logos,
styles, etc.

This PR does NOT add general support for frontend customization,
only enough to allow us to start exploring theming internally.
The dex binary also must now be run from the root directory since
templates are no longer "compiled into" the binary.

The docker image has been updated with frontend assets.
2016-11-30 17:20:21 -08:00
Chris Jones
a2b78c28fc cmd/dex: validate that connectors have an ID. 2016-11-15 11:39:45 -07:00
Eric Chiang
015e7cf606 cmd/dex: only expand from env for storages and connectors
Bcrypt'd hashes have "$" characters in them. This means that #667
(accepting actually bcrypted values) combined with #627 (expanding
config with environment variables) broke the example config.

For now, allow storages and connectors to expand their configs from
the environment, but don't do this anywhere else.
2016-11-03 21:38:32 -07:00
rithu leena john
600e761266 cmd/dex: expose IDTokensValidFor and RotateKeysAfter server options in config. 2016-11-03 17:25:36 -07:00
Eric Chiang
ebe51e736d cmd/dex: accept raw bcrypt'd hash as well as base64'd version of hash 2016-11-03 15:23:56 -07:00
Eric Chiang
aa7f304bc1 *: switch to github.com/ghodss/yaml for more consistent YAML parsing
ghodss/yaml converts from YAML to JSON before attempting to unmarshal.
This allows us to:

* Get the correct behavior when decoding base64'd []byte slices.
* Use *json.RawMessage.
* Not have to support extravagant YAML features.
* Let our structs use `json:` tags
2016-11-03 14:39:32 -07:00
rithu leena john
42dfd3ecec cmd/dex: add option for gRPC client auth CA. 2016-11-02 14:51:22 -07:00
Eric Chiang
a11db557b4 *: expand environment variables in config
Allow users to define config values which are read from environment
variables. Helpful for sensitive variables such as OAuth2 client IDs
or LDAP credentials.
2016-10-22 13:49:40 -07:00