Commit graph

116 commits

Author SHA1 Message Date
Adrián López Gómez
9b8ab3bdc6 ClientCredentials flow in UserAPI
Fixes #528
2016-09-01 08:34:36 +02:00
Eric Chiang
fa8f98acac server: fix registration redirect for servers listenin at non-base URLs 2016-08-19 16:25:32 -07:00
Eric Chiang
7525e5623c Merge pull request #560 from ericchiang/fix-user-api
server: fix the path registration for user APIs at non-root URLs
2016-08-18 17:03:20 -07:00
Eric Chiang
b466ae7a70 server: fix the path registration for user APIs at non-root URLs 2016-08-18 16:15:13 -07:00
Rubén Soleto Buenvarón
c91b37aa9e refresh token rotation
Update refresh token flow to revoke old refresh token and generates a new one.

Fixes #519
2016-08-16 08:05:01 +02:00
Eric Chiang
bef9f3c221 Merge pull request #542 from whitlockjc/uaa-connector
connector: add uaa connector
2016-08-11 12:56:46 -07:00
Jeremy Whitlock
27b80cbca8 connector: add uaa connector
This commit adds support for dex to authenticate users from a
CloudFoundry User Account and Authentication (UAA) Server.

Fixes: #538
2016-08-10 16:04:39 -06:00
Wyatt Anderson
26508c6bab server: when registering a user, set display name
When automatically registering a user from an IP that provides
a `DisplayName`, set it on the created user so that JWT we create
contain a meaningful `name` field.
2016-08-04 11:45:05 -04:00
Eric Chiang
0e94e76255 Merge pull request #531 from ericchiang/user-api-accept-bearer-tokens-with-multiple-audiences
user api: accept bearer tokens with multiple audiences
2016-08-02 12:34:05 -07:00
Eric Chiang
8669167b42 user api: accept bearer tokens with multiple audiences 2016-08-02 11:52:19 -07:00
Eric Chiang
435cadfc19 *: more updates to prepend the correct API path 2016-07-25 17:06:20 -07:00
Eric Chiang
854b767273 *: update handlers to include issuer url in path 2016-07-25 16:03:25 -07:00
Eric Chiang
8216a3d992 connector: fix path that connectors listen on
When Dex uses a non-root issuer URL, it current assumes that all
path prefixes will be trimmed by an upstream proxy (e.g. nginx).
This means that all paths rendered in HTML will be absolute to the
prefix, but the handlers still listen at the root.

Connectors are currently the only component that registers at a
non-root URL. Make this conform with the rest of Dex by having the
server determine the path the connector listens as rather than the
connector itself.
2016-07-25 14:32:24 -07:00
Lucas Serven
0cc0c73676 backend: add absolute path to template links
fixes: #502

Add a new template function called `absPath` that converts relative
paths to absolute paths based on the issuerURL. The template function
can be used in templates like:
````html
<a href="{{ .MyRelativePath | absPath }}">
````
2016-07-22 15:41:16 -07:00
Eric Chiang
33010e22c4 Merge pull request #487 from ericchiang/unify-email-config
*: depricate --email-from flag and move to email config files
2016-07-19 15:12:35 -07:00
Eric Chiang
b02a3a3163 *: add "groups" scope 2016-07-19 11:23:04 -07:00
Eric Chiang
87faa5a1f7 *: depricate --email-from flag and move to email config files 2016-06-27 23:36:07 -07:00
Bobby Rullo
b80dbc8975 server: support out-of-band auth flow
When "urn:ietf:wg:oauth:2.0:oob" is used as a redirect URI, redirect to
an internal dex page where the user is shown the code and instructed to
paste it into their app.
2016-06-20 17:03:13 -07:00
Bobby Rullo
cdcf08066d client, server: public client restrictions
* disallow ClientCreds for public clients
* clients can only redirect to localhost or OOB
2016-06-20 17:03:12 -07:00
Bobby Rullo
4f85f3a479 server: change ClientMetadata -> Client
Metadata is not enough these days - we're going to need access to the
Public field as well.
2016-06-20 17:03:12 -07:00
Eric Chiang
35cab93c0a *: add --enable-automatic-registration flag to worker
For remote connectors, allow users to skip registration.
2016-06-17 16:29:56 -07:00
Bobby Rullo
8942a49702 server: remove client_resource api
...and dependent code.
2016-06-15 11:42:50 -07:00
Bobby Rullo
75473b4cba refresh tokens: grant claims based on scopes
Before,  this logic was only in the OIDCServer.CodeToken() method; now it has been
pulled out so that other paths, like OIDCServer.RefreshToken() can use
it.

The net affect, is that now refresh tokens can be used to get
cross-client authenticated ID Tokens.
2016-06-14 14:14:36 -07:00
Bobby Rullo
32a1994a5e refresh tokens: store and validate scopes.
A refresh request must fail if it asks for scopes that were not
originally granted when the refresh token was obtained.

This Commit:

* changes repo to store scopes with tokens
* changes repo interface signatures so that scopes can be stored and
  verified
* updates dependent code to pass along scopes
2016-06-14 14:14:36 -07:00
Bobby Rullo
ca18efb1fe client: load full clients w/ LoadableClient
The Client object on its own doesn't fully express everything about a
single client, and so when loading clients from a static configuration
it's not enough to just (de)serialize clients.

To that end, LoadableClient contains the full representation of a client
and associated entities.
2016-06-08 11:31:50 -07:00
Bobby Rullo
5939a15d10 remove DexServer 2016-06-07 17:27:06 -07:00
Bobby Rullo
e71c5086ba server: CodeToken now does Cross-Client auth 2016-06-07 17:22:41 -07:00
Bobby Rullo
9b4740862c server: /auth accepts, validates X-client scopes 2016-06-07 17:16:11 -07:00
Bobby Rullo
f9dbc8a3d2 db, client: add data model for trusted peers
Trusted Peers are clients that are authorized to mint tokens
for another client.
2016-06-07 17:16:09 -07:00
Bobby Rullo
1b4dca80d7 client: remove ClientManagerFromClients
Replaced by ClientRepoFromClients, which makes more sense IMO. Also, it
was doing the wrong thing: it was ignoring the client_id and client_secret
passed into it as far as I can tell.
2016-06-07 16:47:30 -07:00
Bobby Rullo
a33d61c8e2 server: remove boilerplate setup code part deux
Use the test fixture setup stuff in testutil instead.
2016-06-07 16:47:30 -07:00
Bobby Rullo
ad1d5ab253 server: remove boilerplate setup code
Use the test fixture setup stuff in testutil instead.
2016-06-07 16:47:29 -07:00
Eric Chiang
4440b3a085 Merge pull request #449 from ericchiang/add-connectors-to-api
Set and list connectors from admin API
2016-06-01 10:51:30 -07:00
Eric Chiang
35ea3d9ae1 *: add ability to set and list connectors from admin API
closes #360
2016-06-01 09:31:47 -07:00
bobbyrullo
04fa835405 Merge pull request #353 from fnordahl/issue/156
vendor: update go-oidc to latest
2016-05-27 10:56:54 -04:00
Bobby Rullo
bbaea52ea6 alternate approach to fixing tests 2016-05-27 00:22:27 +02:00
Evan Cordell
73d9742c8b client manager: accept full client when creating 2016-05-24 14:44:04 -05:00
Evan Cordell
a418e1c4e7 client: add client manager
adds a client manager to handle business logic, leaving the repo
for basic crud operations. Also adds client to the test script
2016-05-19 16:20:12 -07:00
Evan Cordell
3da98fcb8e client: add transaction support 2016-05-19 16:17:01 -07:00
Bobby Rullo
847849931f Revert "Fix response_type missing param"
This reverts commit 821b242c83.
2016-05-17 13:49:14 -07:00
Bobby Rullo
e5948ab3ce *: ClientIdentityXXX -> ClientXXX
Get rid of all outdated "ClientIdentity" terminology.
2016-04-20 14:31:27 -07:00
Bobby Rullo
95757e8779 *: Client Repo now deals with custom Client object
This is instead of oidc.ClientIdentity. This makes it easier to add new
fields custom to dex to the client.
2016-04-20 14:31:27 -07:00
Eric Chiang
c2c7f03f47 Merge pull request #409 from Tecsisa/408-test-handleToken
tests: add HandleTokenFunc test
2016-04-15 08:32:53 -07:00
Adrián López Gómez
d3d2db8e05 tests: add HandleTokenFunc test
Fixes #408
2016-04-15 09:17:02 +02:00
Eric Chiang
7858da565f server: add more validation to --no-db static file parsing
In #393 the format of the static user file in --no-db mode changed.
However, the old format loads without error, which has caused
issues for developers with existing user files.

Add an explicit check to ensure the file is not using the old
format. If they are, print a better error message.
2016-04-11 16:21:31 -07:00
Stephan Renatus
ed89be44ef bugfix: make getCreds work for non-admins (#396) 2016-04-08 10:14:01 -07:00
Eric Chiang
cd7d3fff85 Merge pull request #386 from ericchiang/revoke_refresh_2
add ability to revoke refresh tokens in user API
2016-04-06 13:45:23 -07:00
Eric Chiang
e6177cf307 Merge pull request #393 from ericchiang/nodb_users
remove passwordInfos from local connector
2016-04-06 11:30:08 -07:00
Eric Chiang
553e7d0167 server: add refresh token revocation API to server 2016-04-06 11:29:51 -07:00
Eric Chiang
ac73d3cdf2 *: load password infos from users file in no-db mode not connectors
In --no-db mode, load passwords from the users file instead of the
connectors file. This allows us to remove the password infos field
from the local connector and stop loading them during connector
registration, a case that was causing panics when using a real
database (see #286).

Fixes #286
Closes #340
2016-04-06 11:15:05 -07:00