Bob Callaway
8fd69c16f5
correctly handle path escaping for connector IDs
...
Signed-off-by: Bob Callaway <bob.callaway@gmail.com>
2021-10-01 16:04:34 -04:00
Alastair Houghton
cd0c24ec4d
fix: add an extra endpoint to avoid refresh generating AuthRequests.
...
By adding an extra endpoint and a redirect, we can avoid a situation
where it's trivially easy to generate a large number of AuthRequests
by hitting F5/refresh in the browser.
Signed-off-by: Alastair Houghton <alastair@alastairs-place.net>
2021-05-21 11:42:52 +01:00
Márk Sági-Kazár
18d1f70cee
Merge pull request #1861 from concourse/pr/bcrypt-for-client-secret-sync
...
Use constant time comparison for client secret verification
2021-05-17 17:27:42 +02:00
Rui Yang
fe8085b886
remove client secret encryption option
...
constant time compare for client secret verification will be kept
Signed-off-by: Rui Yang <ruiya@vmware.com>
2021-05-17 10:16:50 -04:00
Márk Sági-Kazár
94a2b3ed87
Merge pull request #2010 from flant/switch-device-token-endpoint-to-token
...
fix: use /token endpoint to get tokens with device flow
2021-05-01 13:24:55 +02:00
Márk Sági-Kazár
551229a986
Merge pull request #1846 from flant/refresh-token-expiration-policy
...
feat: Add refresh token expiration and rotation settings
2021-04-24 11:03:40 +02:00
Mark Sagi-Kazar
d1e8b085e2
feat: use embedded assets by default
...
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2021-03-22 15:44:03 +01:00
Rui Yang
2f28fc7451
default to ./web when Dir and WebFS are not set
...
update WebFS doc
Signed-off-by: Rui Yang <ruiya@vmware.com>
Co-authored-by: Aidan Oldershaw <aoldershaw@pivotal.io>
2021-03-20 20:05:59 +00:00
Rui Yang
4e569024fd
use go 1.16 new package io/fs
...
Unify the interface for reading web statics. Now it could read an
OS directory or get the content on live
One could use
//go:embed static
var webFiles embed.FS
anywhere and config dex server to take the file system by setting
WebConfig{WebFS: webFiles}
Signed-off-by: Rui Yang <ruiya@vmware.com>
Co-authored-by: Aidan Oldershaw <aoldershaw@pivotal.io>
2021-03-20 20:05:59 +00:00
Rui Yang
7b50cbf0ac
use pkger for embedding static contents
...
Co-authored-by: Vikram Yadav <vyadav@pivotal.io>
Signed-off-by: Rui Yang <ruiya@vmware.com>
2021-03-20 20:05:59 +00:00
Rui Yang
1eab25f89f
use web host url for asset hosting
...
Signed-off-by: Rui Yang <ruiya@vmware.com>
Co-authored-by: Aidan Oldershaw <aoldershaw@pivotal.io>
2021-03-20 20:05:59 +00:00
Rui Yang
10e9054811
Use http.FileSystem for web assets
...
Signed-off-by: Rui Yang <ryang@pivotal.io>
Co-authored-by: Aidan Oldershaw <aoldershaw@pivotal.io>
2021-03-20 20:05:59 +00:00
Rui Yang
d658c24e8f
add dex config flag for enabling client secret encryption
...
* if enabled, it will make sure client secret is bcrypted correctly
* if not, it falls back to old behaviour that allowing empty client
secret and comparing plain text, though now it will do
ConstantTimeCompare to avoid a timing attack.
So in either way it should provide more secure of client secret
verification.
Co-authored-by: Alex Surraci <suraci.alex@gmail.com>
Signed-off-by: Rui Yang <ruiya@vmware.com>
2021-03-20 20:05:56 +00:00
m.nabokikh
3bd0e91a68
Make /device/token deprecation warning more concise
...
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-02-25 11:53:25 +04:00
m.nabokikh
9ed5cc00cf
Add deprecation warning for /device/token endpoint
...
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-02-24 17:14:28 +04:00
m.nabokikh
1211a86d58
fix: use /token endpoint to get tokens with device flow
...
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-02-24 16:03:25 +04:00
Mark Sagi-Kazar
316da70545
refactor: use new health checker
...
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2021-02-11 01:29:25 +01:00
m.nabokikh
91de99d57e
feat: Add refresh token expiration and rotation settings
...
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-02-10 23:37:57 +04:00
m.nabokikh
b2e9f67edc
Enable unparam, prealloc, sqlclosecheck linters
...
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-01-15 19:29:13 +04:00
Márk Sági-Kazár
afba7577bb
Merge pull request #1918 from flant/log-device-flow-gc
...
fix: log device flow entities GC result if no auth entities collected
2021-01-14 18:02:20 +01:00
Maksim Nabokikh
35da73de38
chore: add frontend section to dev config ( #1913 )
...
* chore: add frontend section to dev config
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-01-12 19:20:38 +01:00
m.nabokikh
30c3d78365
fix: log device flow entities GC result if no auth entities collected
...
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-01-11 12:33:10 +04:00
m.nabokikh
1d83e4749d
Add gocritic
...
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-10-18 01:54:27 +04:00
Alastair Houghton
9187aa669d
fix: allow Authorization header when doing CORS
...
The Authorization header needs to be allowed when doing CORS because
otherwise /userinfo can't work. It isn't one of the headers
explicitly allowed by default by Gorilla, so we have to call
handlers.AllowedHeaders() to specify it.
Issues: #1532
Signed-off-by: Alastair Houghton <alastair@alastairs-place.net>
2020-10-05 15:01:54 +01:00
Rui Yang
bd2234cd12
Add constructor for static key strategy
...
Co-authored-by: Josh Winters <jwinter@pivotal.io>
Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-10-01 15:32:23 -04:00
justin-slowik
9882ea453f
better support for /device/callback redirect uris with public clients.
...
Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-07-08 16:25:06 -04:00
Justin Slowik
9c699b1028
Server integration test for Device Flow ( #3 )
...
Extracted test cases from OAuth2Code flow tests to reuse in device flow
deviceHandler unit tests to test specific device endpoints
Include client secret as an optional parameter for standards compliance
Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-07-08 16:25:05 -04:00
Justin Slowik
9bbdc721d5
Device flow token code exchange ( #2 )
...
* Added /device/token handler with associated business logic and storage tests.
Perform user code exchange, flag the device code as complete.
Moved device handler code into its own file for cleanliness. Cleanup
* Removed PKCE code
* Rate limiting for /device/token endpoint based on ietf standards
* Configurable Device expiry
Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-07-08 16:25:05 -04:00
Justin Slowik
0d1a0e4129
Device token api endpoint ( #1 )
...
* Added /device/token handler with associated business logic and storage tests.
* Use crypto rand for user code
Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-07-08 16:25:05 -04:00
Justin Slowik
6d343e059b
Generates/Stores the device request and returns the device and user codes.
...
Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-07-08 16:25:05 -04:00
techknowlogick
0a9f56527e
Add Gitea connector ( #1715 )
...
* Add Gitea connector
* Add details to readme
* resolve lint issue
2020-05-26 13:54:40 +02:00
Nándor István Krácser
b7cf701032
Merge pull request #1515 from flant/atlassian-crowd-connector
...
new connector for Atlassian Crowd
2020-02-24 10:09:27 +01:00
Nándor István Krácser
1160649c31
Merge pull request #1621 from concourse/pr/passowrd-grant-synced
...
Rework - add support for Resource Owner Password Credentials Grant
2020-02-20 08:27:50 +01:00
Ivan Mikheykin
7ef1179e75
feat: connector for Atlassian Crowd
2020-02-05 12:40:49 +04:00
Joshua Winters
76825fef8f
Make logger and prometheus optional in server config
...
Signed-off-by: Josh Winters <jwinters@pivotal.io>
Co-authored-by: Mark Huang <mhuang@pivotal.io>
2020-01-13 15:28:41 -05:00
Zach Brown
13be146d2a
Add support for password grant #926
2020-01-10 13:18:09 -05:00
Andrew Block
92e63771ac
Added OpenShift connector
2019-12-22 02:27:09 -05:00
Mark Sagi-Kazar
9bd5ae5197
Fix goimports
2019-12-18 15:53:34 +01:00
Joel Speed
97ffa21262
Create separate Google connector
2019-11-19 17:12:36 +00:00
Stephan Renatus
e1afe771cb
Merge pull request #1505 from MarcDufresne/show-login-page
...
Add option to always display connector selection even if there's only one
2019-08-07 09:23:42 +02:00
Marc-André Dufresne
0dbb642f2c
Add option to always display connector selection even if there's only one
2019-08-06 13:18:46 -04:00
Marc-André Dufresne
d458e882aa
Allow arbitrary data to be passed to templates
2019-08-06 13:14:53 -04:00
Stephan Renatus
d9487e553b
*: fix some lint issues
...
Mostly gathered these using golangci-lint's deadcode and ineffassign
linters.
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-07-30 11:29:08 +02:00
Maarten den Braber
a8d059a237
Add userinfo endpoint
...
Co-authored-by: Yuxing Li <360983+jackielii@users.noreply.github.com>
Co-authored-by: Francisco Santiago <1737357+fjbsantiago@users.noreply.github.com>
2019-06-05 22:11:21 +02:00
Benoit Sigoure
d6ad67a6de
server: add metrics for CORS handlers.
2019-04-19 14:32:52 -07:00
Mark Sagi-Kazar
d1c8f8d095
Remove structured logging from the logger interface
2019-02-22 21:26:30 +01:00
Mark Sagi-Kazar
be581fa7ff
Add logger interface and stop relying on Logrus directly
2019-02-22 13:38:57 +01:00
Eric Chiang
8935a1479c
server: update health check endpoint to query storage periodically
...
Instead of querying the storage every time a health check is performed
query it periodically and save the result.
2019-02-04 19:02:41 +00:00
joannano
88d1e2b041
keystone: test cases, refactoring and cleanup
2019-01-11 15:14:56 +01:00
Krzysztof Balka
a965365a2b
keystone: refresh token and groups
2019-01-11 15:14:11 +01:00