Commit graph

37 commits

Author SHA1 Message Date
Eric Chiang
435cadfc19 *: more updates to prepend the correct API path 2016-07-25 17:06:20 -07:00
Eric Chiang
854b767273 *: update handlers to include issuer url in path 2016-07-25 16:03:25 -07:00
Eric Chiang
8216a3d992 connector: fix path that connectors listen on
When Dex uses a non-root issuer URL, it current assumes that all
path prefixes will be trimmed by an upstream proxy (e.g. nginx).
This means that all paths rendered in HTML will be absolute to the
prefix, but the handlers still listen at the root.

Connectors are currently the only component that registers at a
non-root URL. Make this conform with the rest of Dex by having the
server determine the path the connector listens as rather than the
connector itself.
2016-07-25 14:32:24 -07:00
Eric Chiang
b02a3a3163 *: add "groups" scope 2016-07-19 11:23:04 -07:00
Bobby Rullo
b80dbc8975 server: support out-of-band auth flow
When "urn:ietf:wg:oauth:2.0:oob" is used as a redirect URI, redirect to
an internal dex page where the user is shown the code and instructed to
paste it into their app.
2016-06-20 17:03:13 -07:00
Bobby Rullo
cdcf08066d client, server: public client restrictions
* disallow ClientCreds for public clients
* clients can only redirect to localhost or OOB
2016-06-20 17:03:12 -07:00
Bobby Rullo
4f85f3a479 server: change ClientMetadata -> Client
Metadata is not enough these days - we're going to need access to the
Public field as well.
2016-06-20 17:03:12 -07:00
Eric Chiang
35cab93c0a *: add --enable-automatic-registration flag to worker
For remote connectors, allow users to skip registration.
2016-06-17 16:29:56 -07:00
Bobby Rullo
8942a49702 server: remove client_resource api
...and dependent code.
2016-06-15 11:42:50 -07:00
Bobby Rullo
75473b4cba refresh tokens: grant claims based on scopes
Before,  this logic was only in the OIDCServer.CodeToken() method; now it has been
pulled out so that other paths, like OIDCServer.RefreshToken() can use
it.

The net affect, is that now refresh tokens can be used to get
cross-client authenticated ID Tokens.
2016-06-14 14:14:36 -07:00
Bobby Rullo
32a1994a5e refresh tokens: store and validate scopes.
A refresh request must fail if it asks for scopes that were not
originally granted when the refresh token was obtained.

This Commit:

* changes repo to store scopes with tokens
* changes repo interface signatures so that scopes can be stored and
  verified
* updates dependent code to pass along scopes
2016-06-14 14:14:36 -07:00
Bobby Rullo
5939a15d10 remove DexServer 2016-06-07 17:27:06 -07:00
Bobby Rullo
e71c5086ba server: CodeToken now does Cross-Client auth 2016-06-07 17:22:41 -07:00
Bobby Rullo
9b4740862c server: /auth accepts, validates X-client scopes 2016-06-07 17:16:11 -07:00
Evan Cordell
a418e1c4e7 client: add client manager
adds a client manager to handle business logic, leaving the repo
for basic crud operations. Also adds client to the test script
2016-05-19 16:20:12 -07:00
Evan Cordell
3da98fcb8e client: add transaction support 2016-05-19 16:17:01 -07:00
Bobby Rullo
e5948ab3ce *: ClientIdentityXXX -> ClientXXX
Get rid of all outdated "ClientIdentity" terminology.
2016-04-20 14:31:27 -07:00
Eric Chiang
cd7d3fff85 Merge pull request #386 from ericchiang/revoke_refresh_2
add ability to revoke refresh tokens in user API
2016-04-06 13:45:23 -07:00
Eric Chiang
553e7d0167 server: add refresh token revocation API to server 2016-04-06 11:29:51 -07:00
Eric Chiang
ac73d3cdf2 *: load password infos from users file in no-db mode not connectors
In --no-db mode, load passwords from the users file instead of the
connectors file. This allows us to remove the password infos field
from the local connector and stop loading them during connector
registration, a case that was causing panics when using a real
database (see #286).

Fixes #286
Closes #340
2016-04-06 11:15:05 -07:00
Eric Chiang
7bac93aa20 *: remove in memory session repos
Move manager to it's own package so it can import db. Move all
references to the in memory session repos to use sqlite3.
2016-02-12 13:19:05 -08:00
Eric Chiang
04cd1851aa server: add dynamic client registration 2016-02-01 16:06:46 -08:00
Eric Chiang
5e44b6bc27 *: update all to accommodate changes to go-oidc
Update dex to comply with the changes to fieldnames and types of
the client and provider metadata structs in coreos/go-oidc.
2016-01-12 17:16:28 -08:00
bobbyrullo
71f5021678 Merge pull request #246 from bobbyrullo/maybe
server: better UX when remote ID already exists
2015-12-23 18:17:54 -08:00
Bobby Rullo
dc828825e6 server: better UX when remote ID already exists
Instead of cryptic message with nowhere to, give them the choice to
login with that account or register.
2015-12-23 17:11:03 -08:00
Eric Chiang
ad6e331860 server: fix flow when user logs in through wrong connector
This cleans up the code that deals with a user attempting to login
through a different connector than they registered with. The only
functional change is that `newLoginURLFromSession` is now called
with register = false when a user has an existing account.
2015-12-22 13:20:40 -08:00
Eric Chiang
d518447282 user: move user manager to it's own package
This commit moves the user.Manage to its own package (user/manager)
so it can import the connector package in a later commit.

For clarity, it renames "Manager" to "UserManager" using gorname.

This commit has no functional changes.
2015-12-07 15:34:14 -08:00
Joe Bowers
0c854a21d6 server: endpoint and system for sending invitations to dex
An invitation allows users to both verify their email address and set
a new password.
2015-11-18 14:24:19 -08:00
Bobby Rullo
bf9517fdaa server,cmd: Add flag for disabling registation
For situations where admins add users.
2015-09-30 16:35:58 -07:00
Joe Bowers
e5db302312 server: expose user disable API endpoint 2015-09-29 16:46:30 -07:00
Joe Bowers
b19adefde5 Merge pull request #138 from joeatwork/disable-users
server: disable users
2015-09-28 12:36:09 -07:00
Joe Bowers
60a36e2c2e server,db: flag for disabling user login 2015-09-25 14:25:06 -07:00
Joe Bowers
4c9bab0890 server: user management endpoints strictly conform to schema
This change disables the URL fixing behavior or the router associated
with the user management schema. After this commit, URLS routing
to /api/$VERSION/users must target exactly the specified paths. In
addition, `/api/$VERSION/users/` will serve a 404

This change allows users to hit the user create endpoint, which
would previously serve a redirect rather than actually making the
associated change.
2015-09-24 16:41:29 -07:00
Giulio Iotti
472e4a02a4 *: Remove unnecessary else statements
Whenever it makes the code easier to follow, use early return to
avoid else statements.
2015-09-04 22:45:32 +03:00
Yifan Gu
93a0830ae0 server: check scope in requests.
Require 'openid' in scope for all requests.
Require 'offline_access' for returning refresh token.
2015-08-31 13:51:59 -07:00
Yifan Gu
066fd859ec session: add 'scope' field in session. 2015-08-31 13:51:59 -07:00
Bobby Rullo
66fe201c24 *: move original project to dex 2015-08-18 11:26:57 -07:00