Commit graph

1344 commits

Author SHA1 Message Date
Bernd Eckstein
b5519695a6
PKCE implementation (#1784)
* Basic implementation of PKCE

Signed-off-by: Tadeusz Magura-Witkowski <tadeuszmw@gmail.com>

* @mfmarche on 24 Feb: when code_verifier is set, don't check client_secret

In PKCE flow, no client_secret is used, so the check for a valid client_secret
would always fail.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* @deric on 16 Jun: return invalid_grant when wrong code_verifier

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Enforce PKCE flow on /token when PKCE flow was started on /auth
Also dissallow PKCE on /token, when PKCE flow was not started on /auth

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* fixed error messages when mixed PKCE/no PKCE flow.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* server_test.go: Added PKCE error cases on /token endpoint

* Added test for invalid_grant, when wrong code_verifier is sent
* Added test for mixed PKCE / no PKCE auth flows.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* cleanup: extracted method checkErrorResponse and type TestDefinition

* fixed connector being overwritten

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* /token endpoint: skip client_secret verification only for grand type authorization_code with PKCE extension

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Allow "Authorization" header in CORS handlers

* Adds "Authorization" to the default CORS headers{"Accept", "Accept-Language", "Content-Language", "Origin"}

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Add "code_challenge_methods_supported" to discovery endpoint

discovery endpoint /dex/.well-known/openid-configuration
now has the following entry:

"code_challenge_methods_supported": [
  "S256",
  "plain"
]

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Updated tests (mixed-up comments), added a PKCE test

* @asoorm added test that checks if downgrade to "plain" on /token endpoint

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* remove redefinition of providedCodeVerifier, fixed spelling (#6)

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>
Signed-off-by: Bernd Eckstein <HEllRZA@users.noreply.github.com>

* Rename struct CodeChallenge to PKCE

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* PKCE: Check clientSecret when available

In authorization_code flow with PKCE, allow empty client_secret on /auth and /token endpoints. But check the client_secret when it is given.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Enable PKCE with public: true

dex configuration public on staticClients now enables the following behavior in PKCE:
- Public: false, PKCE will always check client_secret. This means PKCE in it's natural form is disabled.
- Public: true, PKCE is enabled. It will only check client_secret if the client has sent one. But it allows the code flow if the client didn't sent one.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Redirect error on unsupported code_challenge_method

- Check for unsupported code_challenge_method after redirect uri is validated, and use newErr() to return the error.
- Add PKCE tests to oauth2_test.go

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Reverted go.mod and go.sum to the state of master

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Don't omit client secret check for PKCE

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Allow public clients (e.g. with PKCE) to have redirect URIs configured

Signed-off-by: Martin Heide <martin.heide@faro.com>

* Remove "Authorization" as Accepted Headers on CORS, small fixes

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Revert "Allow public clients (e.g. with PKCE) to have redirect URIs configured"

This reverts commit b6e297b78537dc44cd3e1374f0b4d34bf89404ac.

Signed-off-by: Martin Heide <martin.heide@faro.com>

* PKCE on client_secret client error message

* When connecting to the token endpoint with PKCE without client_secret, but the client is configured with a client_secret, generate a special error message.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Output info message when PKCE without client_secret used on confidential client

* removes the special error message

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* General missing/invalid client_secret message on token endpoint

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

Co-authored-by: Tadeusz Magura-Witkowski <tadeuszmw@gmail.com>
Co-authored-by: Martin Heide <martin.heide@faro.com>
Co-authored-by: M. Heide <66078329+heidemn-faro@users.noreply.github.com>
2020-10-26 11:33:40 +01:00
Márk Sági-Kazár
2a282860fa
Merge pull request #1836 from lcostea/master
feat: reduce image size without apk cache
2020-10-18 18:21:39 +02:00
Márk Sági-Kazár
c82d21b155
Merge pull request #1837 from flant/bump-golangci-lint-and-fix-some-linters
fix: Bump golangci-lint version and fix some linter's problems
2020-10-18 16:05:57 +02:00
m.nabokikh
1d83e4749d Add gocritic
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-10-18 01:54:27 +04:00
m.nabokikh
4d63e9cd68 fix: Bump golangci-lint version and fix some linter's problems
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-10-18 01:02:29 +04:00
Liviu Costea
83673fb320 feat: reduce image size without apk cache
Signed-off-by: Liviu Costea <email.lcostea@gmail.com>
2020-10-16 19:52:21 +03:00
Nándor István Krácser
28b2350cd2
Merge pull request #1835 from flant/kubernetes-client-keys-conflicts-fix
fix: Handle Kubernetes API conflicts properly for signing keys
2020-10-13 15:16:19 +02:00
Márk Sági-Kazár
9c026107e6
Merge pull request #1830 from WorldProgrammingLtd/fix-1813
fix: log errors from login during password grant
2020-10-13 09:21:44 +02:00
m.nabokikh
4801b2c975 fix: Handle kubernetes API conflicts properly for signing keys
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-10-12 09:15:00 +03:00
Tom Quarendon
4da93e75fc fix: log errors from login during password grant
Issues: #1813
Signed-off-by: Alastair Houghton <alastair@alastairs-place.net>
2020-10-07 13:36:42 +01:00
Nate W
3f41b26fb9
[WIP] Removing .md files as a part of the Dex IdP Documentation migration. (#1810)
* Removing .md files as a part of the Dex IdP Documentation migration.

https://github.com/dexidp/dex/issues/1761
https://github.com/dexidp/website/issues/2
Signed-off-by: Nate Waddington <nwaddington@cncf.io>

* Updating README.md links after .md files removal.

Signed-off-by: Nate Waddington <nwaddington@cncf.io>

* Updating URL as per PR feedback. dexidp.org -> dexidp.io

Signed-off-by: Nate Waddington <nwaddington@cncf.io>

* removing errant ")"

Signed-off-by: Nate Waddington <nwaddington@cncf.io>
2020-10-06 18:02:40 +02:00
Márk Sági-Kazár
d1f599dd32
Merge pull request #1819 from al45tair/cors-auth
fix: allow Authorization header when doing CORS
2020-10-06 14:35:21 +02:00
Márk Sági-Kazár
a28f5bb218
Merge pull request #1821 from al45tair/fix-1820
fix: copy the "web" directory.
2020-10-05 17:24:51 +02:00
Alastair Houghton
3288450b3e fix: copy the "web" directory.
The Dockerfile was changed to do

    COPY web .

which is unfortunate because that means copy the *contents* of the directory
"web", rather than copying the directory itself which is what the author
intended.

Issues: #1820
Signed-off-by: Alastair Houghton <alastair@alastairs-place.net>
2020-10-05 15:52:30 +01:00
Alastair Houghton
9187aa669d fix: allow Authorization header when doing CORS
The Authorization header needs to be allowed when doing CORS because
otherwise /userinfo can't work.  It isn't one of the headers
explicitly allowed by default by Gorilla, so we have to call
handlers.AllowedHeaders() to specify it.

Issues: #1532
Signed-off-by: Alastair Houghton <alastair@alastairs-place.net>
2020-10-05 15:01:54 +01:00
Márk Sági-Kazár
828a1c6ec2
Merge pull request #1688 from flant/bitbucket-groups
feat: Add team groups support to bitbucket connector
2020-10-04 20:08:49 +02:00
m.nabokikh
ec66cedfcc feat: Add team groups support to bitbucket connector
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-10-04 20:50:59 +03:00
Márk Sági-Kazár
3e5ff2f853
Merge pull request #1815 from dexidp/fix-docker-login
ci: do not login to docker registry in PRs
2020-10-04 15:18:44 +02:00
Mark Sagi-Kazar
4a1fd77166
ci: do not login to docker registry in PRs
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-10-04 15:01:45 +02:00
Márk Sági-Kazár
3b385ecf4a
Merge pull request #1812 from flant/bitbucket-replace-teams-endpoint
fix: Replace deprecated teams endpoint in bitbucket connector
2020-10-04 14:27:14 +02:00
m.nabokikh
4b94469547 fix: Replace teams endpoint for bitbucket connector
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-10-03 20:30:23 +03:00
Márk Sági-Kazár
d4c3a3505d
Merge pull request #1802 from concourse/pr/static-public-key-sync
Add constructor for static key strategy
2020-10-01 22:19:15 +02:00
Rui Yang
bd2234cd12 Add constructor for static key strategy
Co-authored-by: Josh Winters <jwinter@pivotal.io>
Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-10-01 15:32:23 -04:00
Márk Sági-Kazár
9781e56ba5
Merge pull request #1690 from flant/fix-relative-url
Fix templates which asset path points to external URL
2020-09-29 19:47:38 +02:00
Márk Sági-Kazár
641615ff58
Merge pull request #1806 from dexidp/go115
chore: update Go to 1.15
2020-09-28 00:45:39 +02:00
Mark Sagi-Kazar
f3fc0c5395
chore: update Go to 1.15
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-09-28 00:22:47 +02:00
Márk Sági-Kazár
5807011b6a
Merge pull request #1805 from dexidp/fix-dockerhub-typo
fix: typo in environment variables introduced in #1781
2020-09-28 00:22:17 +02:00
Mark Sagi-Kazar
8a1a1b8b5d
fix: typo in environment variables introduced in #1781
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-09-27 23:56:02 +02:00
MIℂHΛΞL FѲRИΛRѲ
549b67bccd
Adding architecture support for arm/arm64/amd64 docker images (#1781)
add multi-arch image support for armv7/arm64/amd64 architectures
2020-09-27 23:47:39 +02:00
Johan Tordsson
c64ff34d11
Add Elastisys to Adopters (#1803)
Added description Elastisys use of Dex in Compliant Kubernetes.
2020-09-18 16:40:59 +02:00
Márk Sági-Kazár
458059cc89
Merge pull request #1708 from tkleczek/fix-overwriting-connector-in-authreq
abort connector login if connector was already set #1707
2020-09-16 17:49:04 +02:00
Márk Sági-Kazár
a64e7c2986
Merge pull request #1769 from batara666/master
ldap.go: drop else on returned if block
2020-09-16 17:47:52 +02:00
Márk Sági-Kazár
e837475ca6
Merge pull request #1795 from lzeng27/master
update documentation
2020-09-09 17:47:18 +02:00
Linda Zeng
6745af7747 updated docs
Signed-off-by: Linda Zeng <linda.zeng@blackrock.com>
2020-09-09 11:01:14 -04:00
Márk Sági-Kazár
d4a67e43fa
Merge pull request #1794 from dexidp/fix-example-app
Fix building the example app
2020-09-09 14:00:27 +02:00
Mark Sagi-Kazar
63098fe9fe
Fix building the example app
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-09-09 13:50:19 +02:00
Márk Sági-Kazár
ca0a9e821e
Merge pull request #1634 from concourse/pr/oidc-username-key-sync
Support username, email and groups claim in OIDC connector
2020-09-08 19:19:44 +02:00
Rui Yang
058202d007 revert changes for user id and user name
Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-09-08 13:12:59 -04:00
Rui Yang
0494993326 update oidc documentation and email claim err msg
Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-09-08 10:03:57 -04:00
Márk Sági-Kazár
07dddc7b0e
Merge pull request #1791 from onkarbhat/adopters_kasten
Add Kasten as an adopter of Dex.
2020-09-08 09:18:05 +02:00
Onkar Bhat
c489a074c1 Add Kasten as an adopter of Dex. 2020-09-07 16:39:21 -07:00
Tomasz Kleczek
b1311baa3c abort connector login if connector was already set #1707
Signed-off-by: Tomasz Kleczek <tomasz.kleczek@gmail.com>
2020-08-29 17:19:14 +02:00
Joel Speed
336c73c0a2
Merge pull request #1706 from justin-slowik/device_flow
Implementing the OAuth2 Device Authorization Grant
2020-08-28 11:35:46 +01:00
Joel Speed
a24f73c19f
Merge pull request #1780 from tom-haines/master
Minor documentation tweaks re storage.md
2020-08-14 11:04:53 +01:00
Thomas Haines
d39b77bda3 Minor documentation tweaks re storage.md
Signed-off-by: Thomas Haines <thomas.haines@gmail.com>
2020-08-14 16:51:00 +08:00
Rui Yang
41207ba265 Combine #1691 and #1776 to unify OIDC provider claim mapping
add tests for groups key mapping

Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-08-11 16:26:55 -04:00
Scott Lemmon
a783667c57 Add groupsClaimMapping to the OIDC connector
The groupsClaimMapping setting allows one to specify which claim to pull
group information from the OIDC provider.  Previously it assumed group
information was always in the "groups" claim, but that isn't the case
for many OIDC providers (such as AWS Cognito using the "cognito:groups"
claim instead)

Signed-off-by: Scott Lemmon <slemmon@aurora.tech>
Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-08-11 16:26:55 -04:00
Cyrille Nofficial
61312e726e Add parameter configuration to override email claim key
Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-08-11 16:26:55 -04:00
Rui Yang
52c39fb130 check if upstream contains preferrend username claim first
Signed-off-by: Rui Yang <ryang@pivotal.io>
Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-08-11 16:26:55 -04:00
Rui Yang
4812079647 add tests when preferred username key is not set
Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-08-11 16:26:55 -04:00