Commit graph

200 commits

Author SHA1 Message Date
m.nabokikh
8553309db3 Add obsolete tokens, resolve conflicts, bump ent
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-05-02 12:43:21 +04:00
m.nabokikh
24fa4def5b chore: update ent
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-04-30 17:48:16 +04:00
m.nabokikh
2e61860d5a Add ent autogenerated code
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-04-30 17:47:54 +04:00
m.nabokikh
11859166d0 feat: Add ent-based sqlite3 storage
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-04-30 17:47:54 +04:00
Mark Sagi-Kazar
e2b56d0a09
fix(storage/mysql): add missing port to the address
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2021-04-27 14:09:21 +02:00
Márk Sági-Kazár
551229a986
Merge pull request #1846 from flant/refresh-token-expiration-policy
feat: Add refresh token expiration and rotation settings
2021-04-24 11:03:40 +02:00
Mark Sagi-Kazar
356ccecc24
chore(deps): update etcd client to 3.5
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2021-03-22 22:12:35 +01:00
Mark Sagi-Kazar
024f69b2c7
feat: add health check to telemetry server
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2021-02-11 00:13:07 +01:00
m.nabokikh
0c75ed12e2 Add refresh token expiration tests and some refactoring
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-02-10 23:43:19 +04:00
m.nabokikh
06c8ab5aa7 Fixes of naming and code style
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-02-10 23:37:57 +04:00
m.nabokikh
91de99d57e feat: Add refresh token expiration and rotation settings
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-02-10 23:37:57 +04:00
m.nabokikh
b2e9f67edc Enable unparam, prealloc, sqlclosecheck linters
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-01-15 19:29:13 +04:00
Márk Sági-Kazár
afba7577bb
Merge pull request #1918 from flant/log-device-flow-gc
fix: log device flow entities GC result if no auth entities collected
2021-01-14 18:02:20 +01:00
m.nabokikh
30c3d78365 fix: log device flow entities GC result if no auth entities collected
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-01-11 12:33:10 +04:00
Benjamin Ullian
b45a501c99 add PKCE roundtrip to conformance test
Signed-off-by: Benjamin Ullian <bnu@tumblr.com>
2021-01-04 22:50:05 -05:00
Benjamin Ullian
62abddca7d fix etcd pkce authcode json deserialization
Signed-off-by: Benjamin Ullian <bnu@tumblr.com>
2021-01-04 22:15:44 -05:00
Josh Soref
86526cd030 spelling: uri
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
2020-12-19 22:53:29 -05:00
Josh Soref
fecd979bab spelling: update
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
2020-12-19 22:53:29 -05:00
Josh Soref
b155f66785 spelling: storage
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
2020-12-19 22:53:29 -05:00
Josh Soref
6790aea260 spelling: referenceable
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
2020-12-19 22:53:26 -05:00
Josh Soref
119e4d66c6 spelling: indices
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
2020-12-19 22:53:26 -05:00
Josh Soref
040abe5dc1 spelling: impersonate
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
2020-12-19 22:53:26 -05:00
Josh Soref
1bfe2f6db2 spelling: habit
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
2020-12-19 22:53:26 -05:00
Josh Soref
a8851ceb1b spelling: generated
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
2020-12-19 22:53:26 -05:00
Josh Soref
0288864da7 spelling: collision
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
2020-12-19 22:12:13 -05:00
A Gardner
19d7edd530 Don't try to build sqlite when cgo isn't enabled
Signed-off-by: A Gardner <3100188+actgardner@users.noreply.github.com>
2020-11-17 17:48:40 -05:00
Márk Sági-Kazár
40409eafe8
Merge pull request #1847 from flant/retry-kubernetes-update-requests
feat: Retry Kubernetes update requests
2020-11-05 10:41:58 +01:00
Mark Sagi-Kazar
349832b380
Run fixer
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-03 20:52:14 +01:00
m.nabokikh
be378dd9a7 feat: Retry Kubernetes update requests
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-10-28 12:46:58 +04:00
Bernd Eckstein
b5519695a6
PKCE implementation (#1784)
* Basic implementation of PKCE

Signed-off-by: Tadeusz Magura-Witkowski <tadeuszmw@gmail.com>

* @mfmarche on 24 Feb: when code_verifier is set, don't check client_secret

In PKCE flow, no client_secret is used, so the check for a valid client_secret
would always fail.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* @deric on 16 Jun: return invalid_grant when wrong code_verifier

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Enforce PKCE flow on /token when PKCE flow was started on /auth
Also dissallow PKCE on /token, when PKCE flow was not started on /auth

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* fixed error messages when mixed PKCE/no PKCE flow.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* server_test.go: Added PKCE error cases on /token endpoint

* Added test for invalid_grant, when wrong code_verifier is sent
* Added test for mixed PKCE / no PKCE auth flows.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* cleanup: extracted method checkErrorResponse and type TestDefinition

* fixed connector being overwritten

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* /token endpoint: skip client_secret verification only for grand type authorization_code with PKCE extension

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Allow "Authorization" header in CORS handlers

* Adds "Authorization" to the default CORS headers{"Accept", "Accept-Language", "Content-Language", "Origin"}

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Add "code_challenge_methods_supported" to discovery endpoint

discovery endpoint /dex/.well-known/openid-configuration
now has the following entry:

"code_challenge_methods_supported": [
  "S256",
  "plain"
]

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Updated tests (mixed-up comments), added a PKCE test

* @asoorm added test that checks if downgrade to "plain" on /token endpoint

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* remove redefinition of providedCodeVerifier, fixed spelling (#6)

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>
Signed-off-by: Bernd Eckstein <HEllRZA@users.noreply.github.com>

* Rename struct CodeChallenge to PKCE

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* PKCE: Check clientSecret when available

In authorization_code flow with PKCE, allow empty client_secret on /auth and /token endpoints. But check the client_secret when it is given.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Enable PKCE with public: true

dex configuration public on staticClients now enables the following behavior in PKCE:
- Public: false, PKCE will always check client_secret. This means PKCE in it's natural form is disabled.
- Public: true, PKCE is enabled. It will only check client_secret if the client has sent one. But it allows the code flow if the client didn't sent one.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Redirect error on unsupported code_challenge_method

- Check for unsupported code_challenge_method after redirect uri is validated, and use newErr() to return the error.
- Add PKCE tests to oauth2_test.go

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Reverted go.mod and go.sum to the state of master

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Don't omit client secret check for PKCE

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Allow public clients (e.g. with PKCE) to have redirect URIs configured

Signed-off-by: Martin Heide <martin.heide@faro.com>

* Remove "Authorization" as Accepted Headers on CORS, small fixes

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Revert "Allow public clients (e.g. with PKCE) to have redirect URIs configured"

This reverts commit b6e297b78537dc44cd3e1374f0b4d34bf89404ac.

Signed-off-by: Martin Heide <martin.heide@faro.com>

* PKCE on client_secret client error message

* When connecting to the token endpoint with PKCE without client_secret, but the client is configured with a client_secret, generate a special error message.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Output info message when PKCE without client_secret used on confidential client

* removes the special error message

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* General missing/invalid client_secret message on token endpoint

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

Co-authored-by: Tadeusz Magura-Witkowski <tadeuszmw@gmail.com>
Co-authored-by: Martin Heide <martin.heide@faro.com>
Co-authored-by: M. Heide <66078329+heidemn-faro@users.noreply.github.com>
2020-10-26 11:33:40 +01:00
m.nabokikh
1d83e4749d Add gocritic
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-10-18 01:54:27 +04:00
m.nabokikh
4d63e9cd68 fix: Bump golangci-lint version and fix some linter's problems
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-10-18 01:02:29 +04:00
m.nabokikh
4801b2c975 fix: Handle kubernetes API conflicts properly for signing keys
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-10-12 09:15:00 +03:00
justin-slowik
9a7926c19b Cleaned up Device Flow test log levels
Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>

Remove extraneous "=" from conformance.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

Additional test for TestHandleDeviceCode

Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-07-21 16:01:08 -04:00
justin-slowik
1404477326 Updates based on dexidp pr
Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-07-08 16:25:06 -04:00
Justin Slowik
9c699b1028 Server integration test for Device Flow (#3)
Extracted test cases from OAuth2Code flow tests to reuse in device flow

deviceHandler unit tests to test specific device endpoints

Include client secret as an optional parameter for standards compliance

Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-07-08 16:25:05 -04:00
Justin Slowik
9bbdc721d5 Device flow token code exchange (#2)
* Added /device/token handler with associated business logic and storage tests.

Perform user code exchange, flag the device code as complete.

Moved device handler code into its own file for cleanliness.  Cleanup

* Removed PKCE code

* Rate limiting for /device/token endpoint based on ietf standards

* Configurable Device expiry

Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-07-08 16:25:05 -04:00
Justin Slowik
0d1a0e4129 Device token api endpoint (#1)
* Added /device/token handler with associated business logic and storage tests.

* Use crypto rand for user code

Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-07-08 16:25:05 -04:00
Justin Slowik
6d343e059b Generates/Stores the device request and returns the device and user codes.
Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-07-08 16:25:05 -04:00
Nándor István Krácser
371df97cbf
Merge pull request #1743 from dexidp/docker-compose
add docker-compose.yaml for local testing
2020-06-30 14:12:49 +02:00
Nandor Kracser
5b7a664e9d
add docker-compose for local testing 2020-06-30 13:46:05 +02:00
Mark Sagi-Kazar
af9dfd4a29
Remove copypasta dependency 2020-06-30 13:12:36 +02:00
Kyle Travis
cfae2eb720
storage/kubernetes: remove shadowed ResourceVersion from Connector (#1673) 2020-04-07 11:02:44 +02:00
Nándor István Krácser
ec57e31103
Merge pull request #1645 from JerrySunWRS/master
Wrap Kubernetes host address in square brackets
2020-03-27 08:35:30 +01:00
Yann Soubeyrand
99c3ec6820 Add ability to set ID and Secret from environment variables for static clients
Having ID and Secret in clear inside configuration files for static
clients is not ideal. This commit allows setting these from environment
variables.

Signed-off-by: Yann Soubeyrand <yann.soubeyrand@gmx.fr>
2020-03-03 08:27:13 +01:00
Nandor Kracser
c7e9960c7e
storage/mysql: increase auth_request.state length to 4096
Signed-off-by: Nandor Kracser <bonifaido@gmail.com>
2020-02-21 12:53:18 +01:00
Nandor Kracser
80749ffd3f
storage/sql: allow specifying sql flavor specific migrations
Signed-off-by: Nandor Kracser <bonifaido@gmail.com>
2020-02-21 12:53:18 +01:00
Jerry Sun
3a3a2bcc86 Wrap Kubernetes host address in square brackets
When constructing the host address string, the address is
not wrapped in square brackets. This does not work in IPv6
Kubernetes deployments. This commit adds square brackets
around the address. IPv4 was also tested to ensure it works
with wrapped address.

Signed-off-by: Jerry Sun <jerry.sun@windriver.com>
2020-02-06 14:52:54 -05:00
Mark Sagi-Kazar
55b49063f8
Update etcd 2020-01-30 17:50:22 +01:00
Krishna Durai
9560899496
Merge branch 'master' into feature/static_password_env 2020-01-06 23:21:20 -08:00