mystiq
/
dex
Archived
4
0
Fork 1
Code Issues Pull Requests Packages Projects Releases Wiki Activity
This repository has been archived on 2022-08-17. You can view files and clone it, but cannot push or open issues or pull requests.
dex/storage/sql/migrate.go

295 lines
6.7 KiB
Go
Raw Normal View History

storage/sql: add a SQL storage implementation This change adds support for SQLite3, and Postgres.
2016-09-15 06:41:57 +05:30
package sql
import (
"database/sql"
"fmt"
)
func (c *conn) migrate() (int, error) {
_, err := c.Exec(`
create table if not exists migrations (
num integer not null,
storage: fix postgres timezone handling Dex's Postgres client currently uses the `timestamp` datatype for storing times. This lops of timezones with no conversion, causing times to lose locality information. We could convert all times to UTC before storing them, but this is a backward incompatible change for upgrades, since the new version of dex would still be reading times from the database with no locality. Because of this intrinsic issue that current Postgres users don't save any timezone data, we chose to treat any existing installation as corrupted and change the datatype used for times to `timestamptz`. This is a breaking change, but it seems hard to offer an alternative that's both correct and backward compatible. Additionally, an internal flag has been added to SQL flavors, `supportsTimezones`. This allows us to handle SQLite3, which doesn't support timezones, while still storing timezones in other flavors. Flavors that don't support timezones are explicitly converted to UTC.
2016-12-17 00:33:36 +05:30
at timestamptz not null
storage/sql: add a SQL storage implementation This change adds support for SQLite3, and Postgres.
2016-09-15 06:41:57 +05:30
);
`)
if err != nil {
return 0, fmt.Errorf("creating migration table: %v", err)
}
i := 0
done := false
storage/sql: allow specifying sql flavor specific migrations Signed-off-by: Nandor Kracser <bonifaido@gmail.com>
2020-02-21 16:43:38 +05:30
var flavorMigrations []migration
for _, m := range migrations {
if m.flavor == nil || m.flavor == c.flavor {
flavorMigrations = append(flavorMigrations, m)
}
}
storage/sql: add a SQL storage implementation This change adds support for SQLite3, and Postgres.
2016-09-15 06:41:57 +05:30
for {
err := c.ExecTx(func(tx *trans) error {
// Within a transaction, perform a single migration.
var (
num sql.NullInt64
n int
)
if err := tx.QueryRow(`select max(num) from migrations;`).Scan(&num); err != nil {
return fmt.Errorf("select max migration: %v", err)
}
if num.Valid {
n = int(num.Int64)
}
storage/sql: allow specifying sql flavor specific migrations Signed-off-by: Nandor Kracser <bonifaido@gmail.com>
2020-02-21 16:43:38 +05:30
if n >= len(flavorMigrations) {
storage/sql: add a SQL storage implementation This change adds support for SQLite3, and Postgres.
2016-09-15 06:41:57 +05:30
done = true
return nil
}
migrationNum := n + 1
storage/sql: allow specifying sql flavor specific migrations Signed-off-by: Nandor Kracser <bonifaido@gmail.com>
2020-02-21 16:43:38 +05:30
m := flavorMigrations[n]
storage/sql: initial MySQL storage implementation It will be shared by both Postgres and MySQL configs. Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
2017-04-21 21:21:55 +05:30
for i := range m.stmts {
if _, err := tx.Exec(m.stmts[i]); err != nil {
return fmt.Errorf("migration %d statement %d failed: %v", migrationNum, i+1, err)
}
storage/sql: add a SQL storage implementation This change adds support for SQLite3, and Postgres.
2016-09-15 06:41:57 +05:30
}
q := `insert into migrations (num, at) values ($1, now());`
if _, err := tx.Exec(q, migrationNum); err != nil {
return fmt.Errorf("update migration table: %v", err)
}
return nil
})
if err != nil {
return i, err
}
if done {
break
}
i++
}
return i, nil
}
type migration struct {
storage/sql: initial MySQL storage implementation It will be shared by both Postgres and MySQL configs. Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
2017-04-21 21:21:55 +05:30
stmts []string
storage/sql: allow specifying sql flavor specific migrations Signed-off-by: Nandor Kracser <bonifaido@gmail.com>
2020-02-21 16:43:38 +05:30
// If flavor is nil the migration will take place for all database backend flavors.
// If specified, only for that corresponding flavor, in that case stmts can be written
// in the specific SQL dialect.
flavor *flavor
storage/sql: add a SQL storage implementation This change adds support for SQLite3, and Postgres.
2016-09-15 06:41:57 +05:30
}
// All SQL flavors share migration strategies.
var migrations = []migration{
{
Run fixer Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-04 01:20:09 +05:30
stmts: []string{
`
storage/sql: add a SQL storage implementation This change adds support for SQLite3, and Postgres.
2016-09-15 06:41:57 +05:30
create table client (
id text not null primary key,
secret text not null,
redirect_uris bytea not null, -- JSON array of strings
trusted_peers bytea not null, -- JSON array of strings
public boolean not null,
name text not null,
logo_url text not null
storage/sql: initial MySQL storage implementation It will be shared by both Postgres and MySQL configs. Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
2017-04-21 21:21:55 +05:30
);`,
`
storage/sql: add a SQL storage implementation This change adds support for SQLite3, and Postgres.
2016-09-15 06:41:57 +05:30
create table auth_request (
id text not null primary key,
client_id text not null,
response_types bytea not null, -- JSON array of strings
scopes bytea not null, -- JSON array of strings
redirect_uri text not null,
nonce text not null,
state text not null,
force_approval_prompt boolean not null,
Fix SQL storage
2018-01-30 16:49:08 +05:30
storage/sql: add a SQL storage implementation This change adds support for SQLite3, and Postgres.
2016-09-15 06:41:57 +05:30
logged_in boolean not null,
Fix SQL storage
2018-01-30 16:49:08 +05:30
storage/sql: add a SQL storage implementation This change adds support for SQLite3, and Postgres.
2016-09-15 06:41:57 +05:30
claims_user_id text not null,
claims_username text not null,
claims_email text not null,
claims_email_verified boolean not null,
claims_groups bytea not null, -- JSON array of strings
Fix SQL storage
2018-01-30 16:49:08 +05:30
storage/sql: add a SQL storage implementation This change adds support for SQLite3, and Postgres.
2016-09-15 06:41:57 +05:30
connector_id text not null,
Fix migration in SQL connector I didn't realise quite what the migration mechanism was. Have understood it now.
2018-02-15 15:32:03 +05:30
connector_data bytea,
Fix SQL storage
2018-01-30 16:49:08 +05:30
storage: fix postgres timezone handling Dex's Postgres client currently uses the `timestamp` datatype for storing times. This lops of timezones with no conversion, causing times to lose locality information. We could convert all times to UTC before storing them, but this is a backward incompatible change for upgrades, since the new version of dex would still be reading times from the database with no locality. Because of this intrinsic issue that current Postgres users don't save any timezone data, we chose to treat any existing installation as corrupted and change the datatype used for times to `timestamptz`. This is a breaking change, but it seems hard to offer an alternative that's both correct and backward compatible. Additionally, an internal flag has been added to SQL flavors, `supportsTimezones`. This allows us to handle SQLite3, which doesn't support timezones, while still storing timezones in other flavors. Flavors that don't support timezones are explicitly converted to UTC.
2016-12-17 00:33:36 +05:30
expiry timestamptz not null
storage/sql: initial MySQL storage implementation It will be shared by both Postgres and MySQL configs. Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
2017-04-21 21:21:55 +05:30
);`,
`
storage/sql: add a SQL storage implementation This change adds support for SQLite3, and Postgres.
2016-09-15 06:41:57 +05:30
create table auth_code (
id text not null primary key,
client_id text not null,
scopes bytea not null, -- JSON array of strings
nonce text not null,
redirect_uri text not null,
Fix SQL storage
2018-01-30 16:49:08 +05:30
storage/sql: add a SQL storage implementation This change adds support for SQLite3, and Postgres.
2016-09-15 06:41:57 +05:30
claims_user_id text not null,
claims_username text not null,
claims_email text not null,
claims_email_verified boolean not null,
claims_groups bytea not null, -- JSON array of strings
Fix SQL storage
2018-01-30 16:49:08 +05:30
storage/sql: add a SQL storage implementation This change adds support for SQLite3, and Postgres.
2016-09-15 06:41:57 +05:30
connector_id text not null,
Fix migration in SQL connector I didn't realise quite what the migration mechanism was. Have understood it now.
2018-02-15 15:32:03 +05:30
connector_data bytea,
Fix SQL storage
2018-01-30 16:49:08 +05:30
storage: fix postgres timezone handling Dex's Postgres client currently uses the `timestamp` datatype for storing times. This lops of timezones with no conversion, causing times to lose locality information. We could convert all times to UTC before storing them, but this is a backward incompatible change for upgrades, since the new version of dex would still be reading times from the database with no locality. Because of this intrinsic issue that current Postgres users don't save any timezone data, we chose to treat any existing installation as corrupted and change the datatype used for times to `timestamptz`. This is a breaking change, but it seems hard to offer an alternative that's both correct and backward compatible. Additionally, an internal flag has been added to SQL flavors, `supportsTimezones`. This allows us to handle SQLite3, which doesn't support timezones, while still storing timezones in other flavors. Flavors that don't support timezones are explicitly converted to UTC.
2016-12-17 00:33:36 +05:30
expiry timestamptz not null
storage/sql: initial MySQL storage implementation It will be shared by both Postgres and MySQL configs. Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
2017-04-21 21:21:55 +05:30
);`,
`
storage/sql: add a SQL storage implementation This change adds support for SQLite3, and Postgres.
2016-09-15 06:41:57 +05:30
create table refresh_token (
id text not null primary key,
client_id text not null,
scopes bytea not null, -- JSON array of strings
nonce text not null,
Fix SQL storage
2018-01-30 16:49:08 +05:30
storage/sql: add a SQL storage implementation This change adds support for SQLite3, and Postgres.
2016-09-15 06:41:57 +05:30
claims_user_id text not null,
claims_username text not null,
claims_email text not null,
claims_email_verified boolean not null,
claims_groups bytea not null, -- JSON array of strings
Fix SQL storage
2018-01-30 16:49:08 +05:30
Fix migration in SQL connector I didn't realise quite what the migration mechanism was. Have understood it now.
2018-02-15 15:32:03 +05:30
connector_id text not null,
connector_data bytea
storage/sql: initial MySQL storage implementation It will be shared by both Postgres and MySQL configs. Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
2017-04-21 21:21:55 +05:30
);`,
`
storage/sql: add password resource
2016-10-06 04:34:11 +05:30
create table password (
email text not null primary key,
hash bytea not null,
username text not null,
user_id text not null
storage/sql: initial MySQL storage implementation It will be shared by both Postgres and MySQL configs. Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
2017-04-21 21:21:55 +05:30
);`,
`
storage/sql: add a SQL storage implementation This change adds support for SQLite3, and Postgres.
2016-09-15 06:41:57 +05:30
-- keys is a weird table because we only ever expect there to be a single row
create table keys (
id text not null primary key,
verification_keys bytea not null, -- JSON array
signing_key bytea not null, -- JSON object
signing_key_pub bytea not null, -- JSON object
storage: fix postgres timezone handling Dex's Postgres client currently uses the `timestamp` datatype for storing times. This lops of timezones with no conversion, causing times to lose locality information. We could convert all times to UTC before storing them, but this is a backward incompatible change for upgrades, since the new version of dex would still be reading times from the database with no locality. Because of this intrinsic issue that current Postgres users don't save any timezone data, we chose to treat any existing installation as corrupted and change the datatype used for times to `timestamptz`. This is a breaking change, but it seems hard to offer an alternative that's both correct and backward compatible. Additionally, an internal flag has been added to SQL flavors, `supportsTimezones`. This allows us to handle SQLite3, which doesn't support timezones, while still storing timezones in other flavors. Flavors that don't support timezones are explicitly converted to UTC.
2016-12-17 00:33:36 +05:30
next_rotation timestamptz not null
storage/sql: initial MySQL storage implementation It will be shared by both Postgres and MySQL configs. Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
2017-04-21 21:21:55 +05:30
);`,
},
storage/sql: add a SQL storage implementation This change adds support for SQLite3, and Postgres.
2016-09-15 06:41:57 +05:30
},
storage: add extra fields to refresh token and update method
2016-12-23 05:26:09 +05:30
{
Run fixer Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-04 01:20:09 +05:30
stmts: []string{
`
storage: add extra fields to refresh token and update method
2016-12-23 05:26:09 +05:30
alter table refresh_token
storage/sql: initial MySQL storage implementation It will be shared by both Postgres and MySQL configs. Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
2017-04-21 21:21:55 +05:30
add column token text not null default '';`,
`
storage: add extra fields to refresh token and update method
2016-12-23 05:26:09 +05:30
alter table refresh_token
storage/sql: initial MySQL storage implementation It will be shared by both Postgres and MySQL configs. Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
2017-04-21 21:21:55 +05:30
add column created_at timestamptz not null default '0001-01-01 00:00:00 UTC';`,
`
storage: add extra fields to refresh token and update method
2016-12-23 05:26:09 +05:30
alter table refresh_token
storage/sql: initial MySQL storage implementation It will be shared by both Postgres and MySQL configs. Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
2017-04-21 21:21:55 +05:30
add column last_used timestamptz not null default '0001-01-01 00:00:00 UTC';`,
},
storage: add extra fields to refresh token and update method
2016-12-23 05:26:09 +05:30
},
storage: Add OfflineSession object to backend storage.
2017-02-01 05:41:59 +05:30
{
Run fixer Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-04 01:20:09 +05:30
stmts: []string{
`
storage: Add OfflineSession object to backend storage.
2017-02-01 05:41:59 +05:30
create table offline_session (
user_id text not null,
conn_id text not null,
refresh bytea not null,
PRIMARY KEY (user_id, conn_id)
storage/sql: initial MySQL storage implementation It will be shared by both Postgres and MySQL configs. Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
2017-04-21 21:21:55 +05:30
);`,
},
storage: Add OfflineSession object to backend storage.
2017-02-01 05:41:59 +05:30
},
storage: add connector object to backend storage.
2017-03-23 22:29:33 +05:30
{
Run fixer Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-04 01:20:09 +05:30
stmts: []string{
`
storage: add connector object to backend storage.
2017-03-23 22:29:33 +05:30
create table connector (
id text not null primary key,
type text not null,
name text not null,
resource_version text not null,
config bytea
storage/sql: initial MySQL storage implementation It will be shared by both Postgres and MySQL configs. Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
2017-04-21 21:21:55 +05:30
);`,
},
storage: add connector object to backend storage.
2017-03-23 22:29:33 +05:30
},
add preffered_username to idToken Signed-off-by: Nandor Kracser <bonifaido@gmail.com>
2019-10-10 20:13:41 +05:30
{
Run fixer Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-04 01:20:09 +05:30
stmts: []string{
`
add preffered_username to idToken Signed-off-by: Nandor Kracser <bonifaido@gmail.com>
2019-10-10 20:13:41 +05:30
alter table auth_code
add column claims_preferred_username text not null default '';`,
`
alter table auth_request
add column claims_preferred_username text not null default '';`,
`
alter table refresh_token
add column claims_preferred_username text not null default '';`,
},
},
Fix migration in SQL connector I didn't realise quite what the migration mechanism was. Have understood it now.
2018-02-15 15:32:03 +05:30
{
Run fixer Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-04 01:20:09 +05:30
stmts: []string{
`
Fix migration in SQL connector I didn't realise quite what the migration mechanism was. Have understood it now.
2018-02-15 15:32:03 +05:30
alter table offline_session
Remove defaulting from connector_data column
2019-09-26 20:00:44 +05:30
add column connector_data bytea;
Fix migration in SQL connector I didn't realise quite what the migration mechanism was. Have understood it now.
2018-02-15 15:32:03 +05:30
`,
},
},
storage/mysql: increase auth_request.state length to 4096 Signed-off-by: Nandor Kracser <bonifaido@gmail.com>
2020-02-21 16:44:42 +05:30
{
Run fixer Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-04 01:20:09 +05:30
stmts: []string{
`
storage/mysql: increase auth_request.state length to 4096 Signed-off-by: Nandor Kracser <bonifaido@gmail.com>
2020-02-21 16:44:42 +05:30
alter table auth_request
modify column state varchar(4096);
`,
},
flavor: &flavorMySQL,
},
Generates/Stores the device request and returns the device and user codes. Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-01-16 21:25:07 +05:30
{
Run fixer Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-04 01:20:09 +05:30
stmts: []string{
`
Generates/Stores the device request and returns the device and user codes. Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-01-16 21:25:07 +05:30
create table device_request (
user_code text not null primary key,
device_code text not null,
client_id text not null,
Server integration test for Device Flow (#3) Extracted test cases from OAuth2Code flow tests to reuse in device flow deviceHandler unit tests to test specific device endpoints Include client secret as an optional parameter for standards compliance Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-02-04 20:37:18 +05:30
client_secret text ,
Generates/Stores the device request and returns the device and user codes. Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-01-16 21:25:07 +05:30
scopes bytea not null, -- JSON array of strings
expiry timestamptz not null
);`,
`
create table device_token (
device_code text not null primary key,
status text not null,
Updates based on dexidp pr Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-06-03 00:09:30 +05:30
token bytea,
Device flow token code exchange (#2) * Added /device/token handler with associated business logic and storage tests. Perform user code exchange, flag the device code as complete. Moved device handler code into its own file for cleanliness. Cleanup * Removed PKCE code * Rate limiting for /device/token endpoint based on ietf standards * Configurable Device expiry Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-01-29 00:44:30 +05:30
expiry timestamptz not null,
last_request timestamptz not null,
poll_interval integer not null
Generates/Stores the device request and returns the device and user codes. Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-01-16 21:25:07 +05:30
);`,
},
},
PKCE implementation (#1784) * Basic implementation of PKCE Signed-off-by: Tadeusz Magura-Witkowski <tadeuszmw@gmail.com> * @mfmarche on 24 Feb: when code_verifier is set, don't check client_secret In PKCE flow, no client_secret is used, so the check for a valid client_secret would always fail. Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com> * @deric on 16 Jun: return invalid_grant when wrong code_verifier Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com> * Enforce PKCE flow on /token when PKCE flow was started on /auth Also dissallow PKCE on /token, when PKCE flow was not started on /auth Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com> * fixed error messages when mixed PKCE/no PKCE flow. Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com> * server_test.go: Added PKCE error cases on /token endpoint * Added test for invalid_grant, when wrong code_verifier is sent * Added test for mixed PKCE / no PKCE auth flows. Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com> * cleanup: extracted method checkErrorResponse and type TestDefinition * fixed connector being overwritten Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com> * /token endpoint: skip client_secret verification only for grand type authorization_code with PKCE extension Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com> * Allow "Authorization" header in CORS handlers * Adds "Authorization" to the default CORS headers{"Accept", "Accept-Language", "Content-Language", "Origin"} Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com> * Add "code_challenge_methods_supported" to discovery endpoint discovery endpoint /dex/.well-known/openid-configuration now has the following entry: "code_challenge_methods_supported": [ "S256", "plain" ] Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com> * Updated tests (mixed-up comments), added a PKCE test * @asoorm added test that checks if downgrade to "plain" on /token endpoint Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com> * remove redefinition of providedCodeVerifier, fixed spelling (#6) Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com> Signed-off-by: Bernd Eckstein <HEllRZA@users.noreply.github.com> * Rename struct CodeChallenge to PKCE Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com> * PKCE: Check clientSecret when available In authorization_code flow with PKCE, allow empty client_secret on /auth and /token endpoints. But check the client_secret when it is given. Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com> * Enable PKCE with public: true dex configuration public on staticClients now enables the following behavior in PKCE: - Public: false, PKCE will always check client_secret. This means PKCE in it's natural form is disabled. - Public: true, PKCE is enabled. It will only check client_secret if the client has sent one. But it allows the code flow if the client didn't sent one. Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com> * Redirect error on unsupported code_challenge_method - Check for unsupported code_challenge_method after redirect uri is validated, and use newErr() to return the error. - Add PKCE tests to oauth2_test.go Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com> * Reverted go.mod and go.sum to the state of master Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com> * Don't omit client secret check for PKCE Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com> * Allow public clients (e.g. with PKCE) to have redirect URIs configured Signed-off-by: Martin Heide <martin.heide@faro.com> * Remove "Authorization" as Accepted Headers on CORS, small fixes Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com> * Revert "Allow public clients (e.g. with PKCE) to have redirect URIs configured" This reverts commit b6e297b78537dc44cd3e1374f0b4d34bf89404ac. Signed-off-by: Martin Heide <martin.heide@faro.com> * PKCE on client_secret client error message * When connecting to the token endpoint with PKCE without client_secret, but the client is configured with a client_secret, generate a special error message. Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com> * Output info message when PKCE without client_secret used on confidential client * removes the special error message Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com> * General missing/invalid client_secret message on token endpoint Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com> Co-authored-by: Tadeusz Magura-Witkowski <tadeuszmw@gmail.com> Co-authored-by: Martin Heide <martin.heide@faro.com> Co-authored-by: M. Heide <66078329+heidemn-faro@users.noreply.github.com>
2020-10-26 16:03:40 +05:30
{
Run fixer Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-04 01:20:09 +05:30
stmts: []string{
`
PKCE implementation (#1784) * Basic implementation of PKCE Signed-off-by: Tadeusz Magura-Witkowski <tadeuszmw@gmail.com> * @mfmarche on 24 Feb: when code_verifier is set, don't check client_secret In PKCE flow, no client_secret is used, so the check for a valid client_secret would always fail. Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com> * @deric on 16 Jun: return invalid_grant when wrong code_verifier Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com> * Enforce PKCE flow on /token when PKCE flow was started on /auth Also dissallow PKCE on /token, when PKCE flow was not started on /auth Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com> * fixed error messages when mixed PKCE/no PKCE flow. Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com> * server_test.go: Added PKCE error cases on /token endpoint * Added test for invalid_grant, when wrong code_verifier is sent * Added test for mixed PKCE / no PKCE auth flows. Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com> * cleanup: extracted method checkErrorResponse and type TestDefinition * fixed connector being overwritten Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com> * /token endpoint: skip client_secret verification only for grand type authorization_code with PKCE extension Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com> * Allow "Authorization" header in CORS handlers * Adds "Authorization" to the default CORS headers{"Accept", "Accept-Language", "Content-Language", "Origin"} Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com> * Add "code_challenge_methods_supported" to discovery endpoint discovery endpoint /dex/.well-known/openid-configuration now has the following entry: "code_challenge_methods_supported": [ "S256", "plain" ] Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com> * Updated tests (mixed-up comments), added a PKCE test * @asoorm added test that checks if downgrade to "plain" on /token endpoint Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com> * remove redefinition of providedCodeVerifier, fixed spelling (#6) Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com> Signed-off-by: Bernd Eckstein <HEllRZA@users.noreply.github.com> * Rename struct CodeChallenge to PKCE Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com> * PKCE: Check clientSecret when available In authorization_code flow with PKCE, allow empty client_secret on /auth and /token endpoints. But check the client_secret when it is given. Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com> * Enable PKCE with public: true dex configuration public on staticClients now enables the following behavior in PKCE: - Public: false, PKCE will always check client_secret. This means PKCE in it's natural form is disabled. - Public: true, PKCE is enabled. It will only check client_secret if the client has sent one. But it allows the code flow if the client didn't sent one. Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com> * Redirect error on unsupported code_challenge_method - Check for unsupported code_challenge_method after redirect uri is validated, and use newErr() to return the error. - Add PKCE tests to oauth2_test.go Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com> * Reverted go.mod and go.sum to the state of master Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com> * Don't omit client secret check for PKCE Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com> * Allow public clients (e.g. with PKCE) to have redirect URIs configured Signed-off-by: Martin Heide <martin.heide@faro.com> * Remove "Authorization" as Accepted Headers on CORS, small fixes Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com> * Revert "Allow public clients (e.g. with PKCE) to have redirect URIs configured" This reverts commit b6e297b78537dc44cd3e1374f0b4d34bf89404ac. Signed-off-by: Martin Heide <martin.heide@faro.com> * PKCE on client_secret client error message * When connecting to the token endpoint with PKCE without client_secret, but the client is configured with a client_secret, generate a special error message. Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com> * Output info message when PKCE without client_secret used on confidential client * removes the special error message Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com> * General missing/invalid client_secret message on token endpoint Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com> Co-authored-by: Tadeusz Magura-Witkowski <tadeuszmw@gmail.com> Co-authored-by: Martin Heide <martin.heide@faro.com> Co-authored-by: M. Heide <66078329+heidemn-faro@users.noreply.github.com>
2020-10-26 16:03:40 +05:30
alter table auth_request
add column code_challenge text not null default '';`,
`
alter table auth_request
add column code_challenge_method text not null default '';`,
`
alter table auth_code
add column code_challenge text not null default '';`,
`
alter table auth_code
add column code_challenge_method text not null default '';`,
},
},
Fixes of naming and code style Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-11-15 23:56:34 +05:30
{
stmts: []string{
`
alter table refresh_token
add column obsolete_token text default '';`,
},
},
add PKCE support to device code flow (#2575) Signed-off-by: Bob Callaway <bobcallaway@users.noreply.github.com>
2022-07-27 21:32:18 +05:30
{
stmts: []string{
`
alter table device_token
add column code_challenge text not null default '';`,
`
alter table device_token
add column code_challenge_method text not null default '';`,
},
},
storage/sql: add a SQL storage implementation This change adds support for SQLite3, and Postgres.
2016-09-15 06:41:57 +05:30
}