5fe1647fc7
Fix issues to make the linter happy
...
Signed-off-by: Anthony Brandelli <abrandel@cisco.com>
2022-05-19 22:35:05 -06:00
7c335e9337
Add support for IDPs that do not send ID tokens in the reply when using a refresh grant. Add tests for the aforementioned functionality.
...
Signed-off-by: Anthony Brandelli <abrandel@cisco.com>
2022-05-19 22:13:10 -06:00
f07a58a7f1
Remove google specific hd / hosted domain claim config
...
Signed-off-by: Anthony Brandelli <abrandel@cisco.com>
2022-05-06 13:54:19 -06:00
5d9d68106a
feat: Add acr_values support for OIDC
...
Signed-off-by: Engin Diri <engin.diri@mail.schwarz>
2022-03-05 09:25:27 +01:00
419db81c67
Remove overrideWithMissingCustomEmailClaim
...
Signed-off-by: Happy2C0de <46957159+Happy2C0de@users.noreply.github.com>
2022-01-19 13:38:09 +01:00
55605751f5
Add overrideWithMissingCustomEmailClaim test
...
Signed-off-by: Happy2C0de <46957159+Happy2C0de@users.noreply.github.com>
2022-01-19 13:38:09 +01:00
b28098dde8
Revert querying preferrredUsernameKey
...
Signed-off-by: Happy2C0de <46957159+Happy2C0de@users.noreply.github.com>
2022-01-19 13:38:09 +01:00
1608b473eb
Remove false failed errors.
...
Signed-off-by: Happy2C0de <46957159+Happy2C0de@users.noreply.github.com>
2022-01-19 13:38:09 +01:00
2b6bb1997c
Revert ClaimMapping struct
...
Signed-off-by: Happy2C0de <46957159+Happy2C0de@users.noreply.github.com>
2022-01-19 13:38:09 +01:00
14a0aecc81
Move claimMapping.enforce to overrideClaimMapping
...
Signed-off-by: Happy2C0de <46957159+Happy2C0de@users.noreply.github.com>
2022-01-19 13:38:09 +01:00
45143c98b3
Add claimMapping enforcement
...
Signed-off-by: Happy2C0de <46957159+Happy2C0de@users.noreply.github.com>
2022-01-19 13:38:09 +01:00
b8ac640c4f
Update oidc library
...
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2021-01-13 19:56:09 +01:00
84e9cb6947
spelling: verified
...
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
2020-12-19 22:53:29 -05:00
058202d007
revert changes for user id and user name
...
Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-09-08 13:12:59 -04:00
0494993326
update oidc documentation and email claim err msg
...
Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-09-08 10:03:57 -04:00
41207ba265
Combine #1691 and #1776 to unify OIDC provider claim mapping
...
add tests for groups key mapping
Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-08-11 16:26:55 -04:00
a783667c57
Add groupsClaimMapping to the OIDC connector
...
The groupsClaimMapping setting allows one to specify which claim to pull
group information from the OIDC provider. Previously it assumed group
information was always in the "groups" claim, but that isn't the case
for many OIDC providers (such as AWS Cognito using the "cognito:groups"
claim instead)
Signed-off-by: Scott Lemmon <slemmon@aurora.tech>
Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-08-11 16:26:55 -04:00
61312e726e
Add parameter configuration to override email claim key
...
Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-08-11 16:26:55 -04:00
52c39fb130
check if upstream contains preferrend username claim first
...
Signed-off-by: Rui Yang <ryang@pivotal.io>
Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-08-11 16:26:55 -04:00
4812079647
add tests when preferred username key is not set
...
Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-08-11 16:26:55 -04:00
d9afb7e59c
default to preferred_username claim
...
Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-08-11 16:26:55 -04:00
9a4e0fcd00
Make OIDC username key configurable
...
Signed-off-by: Josh Winters <jwinters@pivotal.io>
Co-authored-by: Mark Huang <mhuang@pivotal.io>
Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-08-11 16:26:55 -04:00
d33a76fa19
Make prompt configurable for oidc offline_access
2020-02-19 16:10:28 +02:00
383c2fe8b6
Adding oidc email scope check
...
This helps to avoid "no email claim" error if email scope was not specified.
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2019-12-28 15:28:01 +04:00
a901e2f204
Merge pull request #1604 from dexidp/fix-linters
...
Fix linters
2019-12-20 07:10:22 +01:00
8e0ae82034
connector/oidc: replace deprecated oauth2.RegisterBrokenAuthHeaderProvider with oauth2.Endpoint.AuthStyle
2019-12-18 08:27:40 -08:00
9bd5ae5197
Fix goimports
2019-12-18 15:53:34 +01:00
c41035732f
Merge pull request #1434 from jacksontj/groups
...
Add option to enable groups for oidc connectors
2019-11-27 14:00:36 +01:00
3156553843
OIDC: Rename refreshToken to RefreshToken
2019-11-19 15:43:25 +00:00
77fcf9ad77
Use a struct for connector data within OIDC connector
2019-11-19 15:43:22 +00:00
f6077083c9
Identify error as failure to retrieve refresh token
2019-11-19 15:43:21 +00:00
8b344fe4d3
Fix Refresh comment
2019-11-19 15:43:20 +00:00
433bb2afec
Remove duplicate code
2019-11-19 15:43:12 +00:00
4076eed17b
Build opts based on scope
2019-11-19 15:43:11 +00:00
0857a0fe09
Implement refresh in OIDC connector
...
This has added the access=offline parameter and prompt=consent parameter
to the initial request, this works with google, assuming other providers
will ignore the prompt parameter
2019-11-19 15:43:04 +00:00
21ab30d207
Add option to enable groups for oidc connectors
...
There's been some discussion in #1065 regarding what to do about
refreshing groups. As it stands today dex doesn't update any of the
claims on refresh (groups would just be another one). The main concern
with enabling it is that group claims may change more frequently. While
we continue to wait on the upstream refresh flows, this adds an option
to enable the group claim. This is disabled by default (so no behavioral
change) but enables those that are willing to have the delay in group
claim change to use oidc IDPs.
Workaround to #1065
2019-09-13 15:50:33 -07:00
512cb3169e
Run getUserInfo prior to claim enforcement
...
If you have an oidc connector configured *and* that IDP provides thin
tokens (e.g. okta) then the majority of the requested claims come in the
getUserInfo call (such as email_verified). So if getUserInfo is
configured it should be run before claims are validated.
2019-09-13 11:10:44 -07:00
d9487e553b
*: fix some lint issues
...
Mostly gathered these using golangci-lint's deadcode and ineffassign
linters.
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-07-30 11:29:08 +02:00
8c1716d356
make userName configurable
2019-06-03 14:09:07 +02:00
4e8cbf0f61
connectors/oidc: truely ignore "email_verified" claim if configured that way
...
Fixes #1455 , I hope.
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-05-28 16:15:06 +02:00
9650836851
make userID configurable
2019-05-24 19:52:33 +09:00
52d09a2dfa
Add option in oidc to hit the optional userinfo endpoint
...
Some oauth providers return "thin tokens" which won't include all of the
claims requested. This simply adds an option which will make the oidc
connector use the userinfo endpoint to fetch all the claims.
2019-05-23 09:20:48 -07:00
fc723af0fe
Add option to OIDC connecter to override email_verified to true
2019-03-05 21:24:02 +00:00
be581fa7ff
Add logger interface and stop relying on Logrus directly
2019-02-22 13:38:57 +01:00
b9f6594bf0
*: github.com/coreos/dex -> github.com/dexidp/dex
...
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2018-09-05 17:57:08 +02:00
6475ce1f62
connector/oidc: remove test that talks to the internet
2017-10-27 13:40:50 -07:00
a41d93db4a
Implement the “authproxy” connector (for Apache2 mod_auth etc.)
2017-10-25 21:53:51 +02:00
05e8d50eca
Merge pull request #1000 from rithujohn191/fix-hosted-domain
...
connector/oidc: fix hosted domain support.
2017-07-31 13:29:26 -07:00
4a88d0641a
: update {S->s}irupsen/logrus
2017-07-25 13:46:44 -07:00
5e0bf8b65f
connector/oidc: fix hosted domain support.
2017-07-25 13:46:12 -07:00
Anthony Brandelli
Engin Diri
Happy2C0de
Mark Sagi-Kazar
Josh Soref
Rui Yang
Scott Lemmon
Cyrille Nofficial
Rui Yang
Josh Winters
Chris Loukas
m.nabokikh
Nándor István Krácser
Lars Lehtonen
Nándor István Krácser
Joel Speed
Thomas Jackson
Stephan Renatus
flarno11
cappyzawa
Gerald Barker
Eric Chiang
Michael Stapelberg
rithu leena john
Eric Stroczynski