Eric Chiang
59cefd987b
connector/saml: fix validation bug with multiple Assertion elements
When a SAML response provided multiple Assertion elements, only the
first one is checked for a valid signature. If the Assertion is
verified, the original Assertion is removed and the canonicalized
version is prepended to the Response. However, if there were
multiple assertions, the second assertion could end up first in the
list of Assertions, even if it was unsigned.
For example this:
<Response>
  <!--
    Response unsigned. According to SAML spec must check
    assertion signature.
  -->
  <Assertion>
    <Signature>
      <!-- Correctly signed assertion -->
    </Signature>
  </Assertion>
  <Assertion>
    <!-- Unsigned assertion inserted by attacker -->
  </Assertion>
</Response>
could be verified then re-ordered to the following:
<Response>
  <!--
    Response unsigned. According to SAML spec must check
    assertion signature.
  -->
  <Assertion>
    <!-- Unsigned assertion inserted by attacker -->
  </Assertion>
  <Assertion>
    <!-- Canonicalized, correctly signed assertion -->
  </Assertion>
</Response>
Fix this by removing all unverified child elements of the Response,
not just the original assertion.
2017-04-04 11:18:40 -07:00
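Added illustration of the rebuild step this commit describes, in Go with only the standard library (this is not code from the dex commit): `Node`, `sampleResponse` and the Signature-presence check are constructed stand-ins, and real code must run XML-DSig validation (dex uses goxmldsig) instead of the presence check.

```go
package main

import "encoding/xml"

// Node is a minimal XML tree standing in for dex's etree document; a Signature child stands in for XML-DSig.
type Node struct {
	XMLName   xml.Name
	ID        string `xml:"ID,attr"`
	Signature *Node  `xml:"Signature"`
	Nodes     []Node `xml:",any"`
}

// Constructed sample: a signed Assertion, then an unsigned one inserted by an attacker.
const sampleResponse = `<Response><Issuer>idp.example.test</Issuer><Assertion ID="signed">` +
	`<Signature/></Assertion><Assertion ID="forged"><Subject>admin</Subject></Assertion></Response>`

// verifyFirstAssertion mimics the pre-fix flow: only the first Assertion is checked.
func verifyFirstAssertion(resp Node) (Node, bool) {
	for _, c := range resp.Nodes {
		if c.XMLName.Local == "Assertion" {
			return c, c.Signature != nil
		}
	}
	return Node{}, false
}

// rebuildBuggy is the pre-fix behaviour: the verified Assertion is replaced by its canonical copy,
// but every other child of the Response (the forged Assertion too) is left in place.
func rebuildBuggy(resp, verified Node) Node {
	kept := resp.Nodes[:0:0]
	for _, c := range resp.Nodes {
		if c.XMLName.Local != "Assertion" || c.ID != verified.ID {
			kept = append(kept, c)
		}
	}
	resp.Nodes = append(kept, verified)
	return resp
}

// rebuildFixed is the commit's fix: remove all unverified children of the Response.
func rebuildFixed(resp, verified Node) Node { resp.Nodes = []Node{verified}; return resp }

// firstAssertionID is what a consumer selecting "the" Assertion element acts on.
func firstAssertionID(resp Node) string {
	for _, c := range resp.Nodes {
		if c.XMLName.Local == "Assertion" {
			return c.ID
		}
	}
	return ""
}
```

With the sample input, the buggy rebuild leaves the forged Assertion first in the Response while the fixed rebuild keeps only the verified one.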
Eric Chiang
6e50c18458
Merge pull request #875 from ericchiang/fix-example-app-custom-ca
cmd/example-app: fix custom CA behavior
2017-03-24 13:21:20 -07:00
Eric Chiang
9b0e9ab2ca
cmd/example-app: fix custom CA behavior
2017-03-24 11:53:28 -07:00
Eric Chiang
2a6ae0a6ea
Merge pull request #870 from Calpicow/fix_assertion_fallback
Fix assertion fallback
2017-03-24 11:34:30 -07:00
Phu Kieu
6f9ef961bb
Use etreeutils.NSSelectOne to select Assertion element
2017-03-24 11:20:53 -07:00
Phu Kieu
4b457d8c82
vendor: revendor
2017-03-24 11:03:30 -07:00
Phu Kieu
b5f70dac36
glide.yaml: update goxmldsig
2017-03-24 11:02:55 -07:00
rithu leena john
5d49e18478
Merge pull request #873 from rithujohn191/client-example
examples/grpc-client: clean up the example and add tlsClientCA to ConfigMap.
2017-03-23 17:24:11 -07:00
rithu john
562eae3fc7
examples/grpc-client: clean up the example and add tlsClientCA to ConfigMap.
2017-03-23 16:57:23 -07:00
rithu leena john
6146e23396
Merge pull request #872 from rithujohn191/offline-access-error
connector: Connectors without a RefreshConnector should not error out
2017-03-23 16:11:45 -07:00
rithu john
59502850f0
connector: Connectors without a RefreshConnector should not return a refresh token instead of erroring
2017-03-23 14:56:34 -07:00
Eric Chiang
b112aa2ecd
Merge pull request #869 from ericchiang/saml-response-to
*: validate InResponseTo SAML response field and make issuer optional
2017-03-22 13:04:41 -07:00
Eric Chiang
50b223a9db
*: validate InResponseTo SAML response field and make issuer optional
2017-03-22 13:02:44 -07:00
Eric Chiang
8b2956ddbc
Merge pull request #867 from ericchiang/xml-validation
glide.yaml: update goxmldsig
2017-03-21 10:27:04 -07:00
Eric Chiang
910d59865b
vendor: revendor
2017-03-21 09:27:22 -07:00
Eric Chiang
5888220965
glide.yaml: update goxmldsig
2017-03-21 09:25:56 -07:00
Eric Chiang
95d237003a
Merge pull request #855 from ericchiang/static-storage-fallthrough
storage: make static storages query real storages for some actions
2017-03-20 10:42:34 -07:00
Eric Chiang
af54f59202
Merge pull request #864 from ericchiang/spelling
*: fix spelling using github.com/client9/misspell
2017-03-20 10:20:16 -07:00
Eric Chiang
25fdaa67a7
Merge pull request #860 from ericchiang/oidc-broken-auth-header
connector/oidc: expose oauth2.RegisterBrokenAuthHeaderProvider
2017-03-20 09:56:09 -07:00
Eric Chiang
4c39bc20ae
storage: make static storages query real storages for some actions
If dex is configured with static passwords or clients, let the API
still add or modify objects in the backing storage, so long as
their IDs don't conflict with the static ones. List options now
aggregate resources from the static list and backing storage.
2017-03-20 09:39:38 -07:00
Eric Chiang
33f0199077
*: fix spelling using github.com/client9/misspell
2017-03-20 09:16:56 -07:00
Eric Chiang
f503ff7950
*: add documentation for the OpenID Connect provider
2017-03-20 08:47:02 -07:00
Eric Chiang
ac032e99f0
connector/oidc: expose oauth2.RegisterBrokenAuthHeaderProvider
2017-03-20 08:47:02 -07:00
rithu leena john
4bf74d8ac3
Merge pull request #862 from rithujohn191/update-api
api: Update timestamp type for RefreshTokenRef to int64.
2017-03-17 15:58:09 -07:00
rithu john
921090f05f
api: Update timestamp type for RefreshTokenRef to int64.
2017-03-17 15:46:39 -07:00
rithu leena john
84af5273c8
Merge pull request #854 from rithujohn191/conformance-tests
storage/conformance: update conformance tests with multiple entries per resource
2017-03-17 10:51:24 -07:00
rithu john
9e88924577
storage/conformance: update conformance tests with multiple entries per resource
2017-03-16 16:35:51 -07:00
rithu leena john
7a798844cc
Merge pull request #852 from ericchiang/fix-log-level
storage/kubernetes: log INFO level if TPR already exists, not ERROR
2017-03-15 10:50:00 -07:00
Eric Chiang
6cb38604d9
storage/kubernetes: log INFO level if TPR already exists, not ERROR
2017-03-15 10:30:10 -07:00
Eric Chiang
d31bb1c8d5
Merge pull request #848 from ericchiang/fix-sql-where-statement
storage/sql: add missing WHERE statement to refresh token update
2017-03-13 16:54:58 -07:00
Eric Chiang
0481fccd76
storage/sql: add missing WHERE statement to refresh token update
2017-03-13 15:53:28 -07:00
Eric Chiang
d6f4fa5d98
Merge pull request #844 from dmmcquay/master
update kubernetes example-app explanation
2017-03-10 09:59:10 -08:00
Derek McQuay
9b052f37c9
clarified redirect-uri and make cmd location
2017-03-09 22:36:37 -08:00
Derek McQuay
a6ab82d6c0
update kubernetes example-app explanation
Clarify some potentially confusing issues with how to run and build the
example-app binary.
2017-03-09 17:17:07 -08:00
Eric Chiang
90e9225e05
Merge pull request #842 from ericchiang/go-1-8
*: only use docker when releasing, update to Go 1.8, remove aci scripts
2017-03-09 11:04:18 -08:00
Eric Chiang
ee27a4f9f4
*: only use docker when releasing, update to Go 1.8, remove aci scripts
This change modifies our release process to only require Docker
when building a release and updates our released binary to use Go
1.8. It also removes our .aci scripts, which we've not been
regularly building.
A nice consequence is that OSX users can now build a release image.
2017-03-09 10:46:09 -08:00
Eric Chiang
95d54956e9
Merge pull request #840 from ericchiang/oidc-bump
*: update go-oidc and use standard library's context package
2017-03-08 11:46:40 -08:00
Eric Chiang
e5f60fe9dd
vendor: revendor
2017-03-08 10:33:36 -08:00
Eric Chiang
777eeafabc
*: update go-oidc and use standard library's context package
2017-03-08 10:33:19 -08:00
rithu leena john
6dd415997a
Merge pull request #835 from rithujohn191/fix-client-example
examples/grpc-client: minor corrections in the dex client example.
2017-03-07 13:35:44 -08:00
rithu john
08db0eb5ce
examples/grpc-client: minor corrections in the dex client example.
2017-03-03 15:58:30 -08:00
Eric Chiang
afe2e47e3d
Merge pull request #834 from pgburt/paulb-prod-users-integrations
Added production-users and integrations pages
2017-03-03 11:57:14 -08:00
Paul Burt
a660e7cd7a
Added production-users and integrations pages
2017-03-03 13:49:22 -05:00
Eric Chiang
3e5480a859
Merge pull request #829 from ericchiang/fix-keys-expiry
server: fix expiry detection for verification keys
2017-03-01 12:46:23 -08:00
Eric Chiang
920f6fb5cd
Merge pull request #825 from ericchiang/http2
storage/kubernetes: enable HTTP/2 support
2017-03-01 12:46:07 -08:00
Eric Chiang
2c4752d5d4
server: fix expiry detection for verification keys
2017-03-01 12:43:45 -08:00
rithu leena john
3797a71ec9
Merge pull request #812 from rithujohn191/example-client
examples: adding a gRPC client example.
2017-02-28 13:34:23 -08:00
Eric Chiang
38c77e0f33
storage/kubernetes: enable HTTP/2 support
2017-02-28 12:42:06 -08:00
rithu john
fa2f76bcdb
examples: adding a gRPC client example.
2017-02-28 12:06:44 -08:00
rithu leena john
bb896a8222
Merge pull request #823 from ericchiang/tpr-already-exists
storage/kubernetes: fix conflict error detection in TPR creation
2017-02-27 11:21:43 -08:00