m.nabokikh
578cb05f7b
fix: return invalid_grant error on claiming token of another client
...
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-12-05 23:45:52 +04:00
Márk Sági-Kazár
67ba7a1c70
Merge pull request #2265 from ariary/master
...
Add parametrization of grant type supported in discovery endpoint
2021-10-06 15:54:17 +02:00
ariary
7bc966217d
sort grant type supported
...
Signed-off-by: ariary <ariary9.2@hotmail.fr>
2021-10-06 08:29:14 -04:00
Eng Zer Jun
f0186ff265
refactor: move from io/ioutil to io and os package
...
The io/ioutil package has been deprecated as of Go 1.16, see
https://golang.org/doc/go1.16#ioutil . This commit replaces the existing
io/ioutil functions with their new definitions in io and os packages.
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2021-09-17 14:12:39 +08:00
ariary
c6f6dd69e9
lint comment
...
Signed-off-by: ariary <ariary9.2@hotmail.fr>
2021-09-15 03:58:27 -04:00
kali
1497e70225
Add parametrization of grant type supported in discovery endpoint
...
Signed-off-by: ariary <ariary9.2@hotmail.fr>
2021-09-03 05:50:59 -04:00
Maksim Nabokikh
3fac2ab6bc
Merge pull request #1862 from tkleczek/fix-rfc-errors
...
Improve auth flow error handling
2021-08-03 00:34:54 +04:00
Tomasz Kleczek
4ffaa60d21
Improve auth flow error handling
...
Signed-off-by: Tomasz Kleczek <tomasz.kleczek@gmail.com>
2021-07-21 09:33:39 +02:00
Henning
138364ceeb
handlePasswordGrant: insert connectorData into OfflineSession ( #2199 )
...
* handlePasswordGrant: insert connectorData into OfflineSession
This change will insert the ConnectorData from the initial Login
into the OfflineSession, as already done in handlePasswordLogin.
Signed-off-by: Henning Surmeier <h.surmeier@mittwald.de>
2021-07-21 00:05:35 +04:00
Mark Sagi-Kazar
ceb4324c18
test: quick fix flaky test
...
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2021-06-28 23:30:14 +02:00
Márk Sági-Kazár
f6904c38ef
Merge pull request #1865 from WorldProgrammingLtd/fix-1849
...
fix: defer creation of auth request.
2021-06-25 19:05:41 +02:00
m.nabokikh
21a01ee811
Add sprig v3 functions to web templates
...
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-06-02 11:11:45 +04:00
m.nabokikh
4b54433ec2
Bump golag-ci lint version to 1.40.1
...
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-05-27 19:27:06 +04:00
Mark Sagi-Kazar
0bef10ef80
chore(deps): update gosundheit
...
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2021-05-26 14:50:35 +02:00
Alastair Houghton
cd0c24ec4d
fix: add an extra endpoint to avoid refresh generating AuthRequests.
...
By adding an extra endpoint and a redirect, we can avoid a situation
where it's trivially easy to generate a large number of AuthRequests
by hitting F5/refresh in the browser.
Signed-off-by: Alastair Houghton <alastair@alastairs-place.net>
2021-05-21 11:42:52 +01:00
Alastair Houghton
030a6459d6
fix: reinstate TestHandleAuthCode.
...
Reinstating this test as it shouldn't have been removed.
Signed-off-by: Alastair Houghton <alastair@alastairs-place.net>
2021-05-21 11:24:30 +01:00
Alastair Houghton
88025b3d7c
fix: remove some additional dependencies.
...
Accidentally added some of these back during merge.
Signed-off-by: Alastair Houghton <alastair@alastairs-place.net>
2021-05-21 11:24:30 +01:00
Alastair Houghton
0284a4c3c9
fix: back link on password page needs to be explicit.
...
The back link on the password page was using Javascript to tell the
browser to navigate back, which won't work if the user has entered a
set of incorrect log-in details. Fix this by using an explicit URL
instead.
Fixes #1851
Signed-off-by: Alastair Houghton <alastair@alastairs-place.net>
2021-05-21 11:24:30 +01:00
Alastair Houghton
cdbb5dd94d
fix: defer creation of auth request.
...
Rather than creating the auth request when the user hits /auth, pass
the arguments through to /auth/{connector} and have the auth request
created there. This prevents a database error when using the "Select
another login method" link, and also avoids a few other error cases.
Fixes #1849 , #646 .
Signed-off-by: Alastair Houghton <alastair@alastairs-place.net>
2021-05-21 11:24:23 +01:00
Maksim Nabokikh
20875c972e
Discard package "version" ( #2107 )
...
* Discard package "version"
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
* Inject api version
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
* Pass version arg to the dex API
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-05-18 00:55:24 +02:00
Márk Sági-Kazár
18d1f70cee
Merge pull request #1861 from concourse/pr/bcrypt-for-client-secret-sync
...
Use constant time comparison for client secret verification
2021-05-17 17:27:42 +02:00
Rui Yang
fe8085b886
remove client secret encryption option
...
constant time compare for client secret verification will be kept
Signed-off-by: Rui Yang <ruiya@vmware.com>
2021-05-17 10:16:50 -04:00
Rui Yang
ecea593ddd
fix a bug in hash comparison function
...
the client secret coming in should be hashed and the one in storage
is the one in plaintext
Signed-off-by: Rui Yang <ruiya@vmware.com>
2021-05-14 13:32:27 -04:00
Márk Sági-Kazár
94a2b3ed87
Merge pull request #2010 from flant/switch-device-token-endpoint-to-token
...
fix: use /token endpoint to get tokens with device flow
2021-05-01 13:24:55 +02:00
Márk Sági-Kazár
551229a986
Merge pull request #1846 from flant/refresh-token-expiration-policy
...
feat: Add refresh token expiration and rotation settings
2021-04-24 11:03:40 +02:00
Mark Sagi-Kazar
95796b04a3
chore(deps): upgrade protobuf and grpc
...
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2021-03-24 19:17:26 +01:00
Mark Sagi-Kazar
d25051c867
chore(deps): upgrade protobuf in server/internal package
...
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2021-03-22 19:27:47 +01:00
Mark Sagi-Kazar
d1e8b085e2
feat: use embedded assets by default
...
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2021-03-22 15:44:03 +01:00
Rui Yang
2f28fc7451
default to ./web when Dir and WebFS are not set
...
update WebFS doc
Signed-off-by: Rui Yang <ruiya@vmware.com>
Co-authored-by: Aidan Oldershaw <aoldershaw@pivotal.io>
2021-03-20 20:05:59 +00:00
Rui Yang
4e569024fd
use go 1.16 new package io/fs
...
Unify the interface for reading web statics. Now it could read an
OS directory or get the content on live
One could use
//go:embed static
var webFiles embed.FS
anywhere and config dex server to take the file system by setting
WebConfig{WebFS: webFiles}
Signed-off-by: Rui Yang <ruiya@vmware.com>
Co-authored-by: Aidan Oldershaw <aoldershaw@pivotal.io>
2021-03-20 20:05:59 +00:00
Rui Yang
7b50cbf0ac
use pkger for embedding static contents
...
Co-authored-by: Vikram Yadav <vyadav@pivotal.io>
Signed-off-by: Rui Yang <ruiya@vmware.com>
2021-03-20 20:05:59 +00:00
Rui Yang
1eab25f89f
use web host url for asset hosting
...
Signed-off-by: Rui Yang <ruiya@vmware.com>
Co-authored-by: Aidan Oldershaw <aoldershaw@pivotal.io>
2021-03-20 20:05:59 +00:00
Rui Yang
10e9054811
Use http.FileSystem for web assets
...
Signed-off-by: Rui Yang <ryang@pivotal.io>
Co-authored-by: Aidan Oldershaw <aoldershaw@pivotal.io>
2021-03-20 20:05:59 +00:00
Rui Yang
d658c24e8f
add dex config flag for enabling client secret encryption
...
* if enabled, it will make sure client secret is bcrypted correctly
* if not, it falls back to old behaviour that allowing empty client
secret and comparing plain text, though now it will do
ConstantTimeCompare to avoid a timing attack.
So in either way it should provide more secure of client secret
verification.
Co-authored-by: Alex Surraci <suraci.alex@gmail.com>
Signed-off-by: Rui Yang <ruiya@vmware.com>
2021-03-20 20:05:56 +00:00
Josh Winters
ec6f3a2f19
use bcrypt when comparing client secrets
...
- this assumes that the client is already bcrytped
when passed to dex. Similar to user passwords.
Signed-off-by: Josh Winters <jwinters@pivotal.io>
Co-authored-by: Vikram Yadav <vyadav@pivotal.io>
2021-03-20 20:05:56 +00:00
Maksim Nabokikh
568fc06520
Update server/refreshhandlers.go
...
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-03-09 09:41:41 +04:00
m.nabokikh
3bd0e91a68
Make /device/token deprecation warning more concise
...
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-02-25 11:53:25 +04:00
m.nabokikh
9ed5cc00cf
Add deprecation warning for /device/token endpoint
...
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-02-24 17:14:28 +04:00
m.nabokikh
1211a86d58
fix: use /token endpoint to get tokens with device flow
...
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-02-24 16:03:25 +04:00
Steffen Pøhner Henriksen
0f68fadb9a
Allow public clients created with API to have no client_secret ( #1871 )
...
Signed-off-by: Steffen Pøhner Henriksen <str3sses@gmail.com>
2021-02-19 10:18:54 +01:00
Mark Sagi-Kazar
7da0a89936
refactor: remove unused health checker
...
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2021-02-11 01:29:27 +01:00
Mark Sagi-Kazar
316da70545
refactor: use new health checker
...
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2021-02-11 01:29:25 +01:00
m.nabokikh
9340fee011
Fixes after rebasing to the actual main branch
...
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-02-10 23:46:17 +04:00
m.nabokikh
89295a5b4a
More refresh token handler refactoring, more tests
...
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-02-10 23:43:19 +04:00
m.nabokikh
4e73f39f57
Do not refresh id token claims if refresh token is allowed to reuse
...
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-02-10 23:43:19 +04:00
m.nabokikh
0c75ed12e2
Add refresh token expiration tests and some refactoring
...
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-02-10 23:43:19 +04:00
m.nabokikh
06c8ab5aa7
Fixes of naming and code style
...
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-02-10 23:37:57 +04:00
m.nabokikh
91de99d57e
feat: Add refresh token expiration and rotation settings
...
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-02-10 23:37:57 +04:00
Márk Sági-Kazár
5a667bbee0
Merge pull request #1773 from faro-oss/faro-upstream/add-c_hash-to-id_token
...
Add c_hash to id_token, issued on /auth endpoint, when in hybrid flow
2021-02-10 16:12:54 +01:00
Márk Sági-Kazár
9b1ecac0d9
Merge pull request #1952 from flant/auth-code-iinvalid-grant
...
fix: return invalid_grant error for invalid or expired auth codes
2021-02-10 15:50:18 +01:00