mystiq/dex
Archived
4
0
Fork 1
Code Issues Pull requests Packages Projects Releases Wiki Activity
1089 commits 27 branches 73 tags 23 MiB
Commit graph

166 commits

Author SHA1 Message Date
Nándor István Krácser c41035732f
Merge pull request #1434 from jacksontj/groups 
Add option to enable groups for oidc connectors
 2019-11-27 14:00:36 +01:00
Joel Speed 658a2cc477
Make directory service during init 2019-11-19 17:12:44 +00:00
Joel Speed 554870cea0
Add todo for configurable groups key 2019-11-19 17:12:43 +00:00
Joel Speed 6a9bc889b5
Update comments 2019-11-19 17:12:40 +00:00
Joel Speed c03c98b951
Check config before getting groups 2019-11-19 17:12:39 +00:00
Joel Speed 3f55e2da72
Get groups from directory api 2019-11-19 17:12:38 +00:00
Joel Speed 36370f8f2a
No need to configure issuer 2019-11-19 17:12:37 +00:00
Joel Speed 97ffa21262
Create separate Google connector 2019-11-19 17:12:36 +00:00
Joel Speed 3156553843
OIDC: Rename refreshToken to RefreshToken 2019-11-19 15:43:25 +00:00
Joel Speed 77fcf9ad77
Use a struct for connector data within OIDC connector 2019-11-19 15:43:22 +00:00
Joel Speed f6077083c9
Identify error as failure to retrieve refresh token 2019-11-19 15:43:21 +00:00
Joel Speed 8b344fe4d3
Fix Refresh comment 2019-11-19 15:43:20 +00:00
Joel Speed 433bb2afec
Remove duplicate code 2019-11-19 15:43:12 +00:00
Joel Speed 4076eed17b
Build opts based on scope 2019-11-19 15:43:11 +00:00
Joel Speed 0857a0fe09
Implement refresh in OIDC connector 
This has added the access=offline parameter and prompt=consent parameter
to the initial request, this works with google, assuming other providers
will ignore the prompt parameter
 2019-11-19 15:43:04 +00:00
Nándor István Krácser 6d41541964
Merge pull request #1544 from kenperkins/saml-groups 
Adding support for allowed groups in SAML Connector
 2019-10-30 13:28:34 +01:00
Nándor István Krácser f2590ee07d
Merge pull request #1545 from jacksontj/getUserInfo 
Run getUserInfo prior to claim enforcement
 2019-10-30 13:26:18 +01:00
Nandor Kracser c1b421fa04 add preffered_username to idToken 
Signed-off-by: Nandor Kracser <bonifaido@gmail.com>
 2019-10-30 13:06:37 +01:00
Thomas Jackson 21ab30d207 Add option to enable groups for oidc connectors 
There's been some discussion in #1065 regarding what to do about
refreshing groups. As it stands today dex doesn't update any of the
claims on refresh (groups would just be another one). The main concern
with enabling it is that group claims may change more frequently. While
we continue to wait on the upstream refresh flows, this adds an option
to enable the group claim. This is disabled by default (so no behavioral
change) but enables those that are willing to have the delay in group
claim change to use oidc IDPs.

Workaround to #1065
 2019-09-13 15:50:33 -07:00
Thomas Jackson 512cb3169e Run getUserInfo prior to claim enforcement 
If you have an oidc connector configured *and* that IDP provides thin
tokens (e.g. okta) then the majority of the requested claims come in the
getUserInfo call (such as email_verified). So if getUserInfo is
configured it should be run before claims are validated.
 2019-09-13 11:10:44 -07:00
Ken Perkins 285c1f162e connector/saml: Adding group filtering 
- 4 new tests
- Doc changes to use the group filtering
 2019-09-10 10:53:19 -07:00
wassan128 42e8619830 Fix typo 2019-09-06 09:55:09 +09:00
Nandor Kracser ef08ad8317 gitlab: add groups scope by default when filtering is requested 2019-08-14 13:33:46 +02:00
Stephan Renatus d9487e553b
*: fix some lint issues 
Mostly gathered these using golangci-lint's deadcode and ineffassign
linters.

Signed-off-by: Stephan Renatus <srenatus@chef.io>
 2019-07-30 11:29:08 +02:00
Nandor Kracser ff34e570b4 connector/gitlab: implement useLoginAsID as in GitHub connector 2019-07-28 19:49:49 +02:00
Maxime Desrosiers 458585008b
microsoft: option for group UUIDs instead of name and group whitelist 2019-07-25 09:14:33 -04:00
Stephan Renatus 51f50fcad8
connectors: refactor filter code into a helper package 
I hope I didn't miss any :D

Signed-off-by: Stephan Renatus <srenatus@chef.io>
 2019-07-03 13:09:40 +02:00
Stephan Renatus d6fad19d95
Merge pull request #1459 from flarno11/master 
make userName configurable
 2019-06-04 09:47:19 +02:00
tan 8613c78863 update LinkedIn connector to use v2 APIs 
This updates LinkedIn connector to use the more recent v2 APIs. Necessary because v1 APIs are not able to retrieve email ids any more with the default permissions.

The API URLs are now different. Fetching the email address is now a separate call, made after fetching the profile details. The `r_basicprofile` permission is not needed any more, and `r_liteprofile` (which seems to be the one assigned by default) is sufficient.

The relevant API specifications are at:
- https://docs.microsoft.com/en-us/linkedin/shared/integrations/people/profile-api
- https://docs.microsoft.com/en-us/linkedin/shared/integrations/people/primary-contact-api
- https://docs.microsoft.com/en-us/linkedin/consumer/integrations/self-serve/migration-faq#how-do-i-retrieve-the-members-email-address
 2019-06-03 22:59:37 +05:30
flarno11 8c1716d356 make userName configurable 2019-06-03 14:09:07 +02:00
Stephan Renatus 4e8cbf0f61
connectors/oidc: truely ignore "email_verified" claim if configured that way 
Fixes #1455, I hope.

Signed-off-by: Stephan Renatus <srenatus@chef.io>
 2019-05-28 16:15:06 +02:00
cappyzawa 9650836851 make userID configurable 2019-05-24 19:52:33 +09:00
Thomas Jackson 52d09a2dfa Add option in oidc to hit the optional userinfo endpoint 
Some oauth providers return "thin tokens" which won't include all of the
claims requested. This simply adds an option which will make the oidc
connector use the userinfo endpoint to fetch all the claims.
 2019-05-23 09:20:48 -07:00
Eric Chiang 35f51957c0
Merge pull request #1430 from mkontani/fix/typo 
fix typo
 2019-05-12 10:39:18 -07:00
Nandor Kracser 7b416b5a8e gitlab: add tests 2019-05-02 08:06:56 +02:00
Nandor Kracser a08a5811d4 gitlab: support for group whitelist 2019-04-25 12:50:29 +02:00
mkontani 6ae76662de
fix ssoURL 2019-04-20 21:12:01 +09:00
Gerald Barker fc723af0fe Add option to OIDC connecter to override email_verified to true 2019-03-05 21:24:02 +00:00
Mark Sagi-Kazar 06521ffa49
Remove the logrus logger wrapper 2019-02-22 21:31:46 +01:00
Mark Sagi-Kazar be581fa7ff
Add logger interface and stop relying on Logrus directly 2019-02-22 13:38:57 +01:00
Stephan Renatus 7bd4071b4c
Merge pull request #1396 from jtnord/useLoginId-dexidp 
Use github login as the id
 2019-02-05 13:54:49 +01:00
James Nord fe247b106b remove blank line that tripped up make verify-proto 2019-02-04 14:06:06 +00:00
James Nord 9840fccdbb rename useLoginAsId -> useLoginAsID 2019-02-04 14:05:57 +00:00
Stephan Renatus df18cb0c22
ldap_test: add filter tests 
The filters for user and group searches hadn't been included in our LDAP
tests. Now they are.

The concrete test cases are somewhat contrived, but that shouldn't
matter too much. Also note that the example queries I've used are not
supported in AD: https://stackoverflow.com/a/10043452

Signed-off-by: Stephan Renatus <srenatus@chef.io>
 2019-02-03 11:06:11 +01:00
James Nord 5822a5ce9e fix formatting of connector/github/github_test.go 2019-02-01 11:47:45 +00:00
James Nord 03ffd0798c Allow an option to use the github user handle rather than an id. 
For downstream apps using a github handle is much simpler than working
with numbers.

WHilst the number is stable and the handle is not - GitHUb does give you
a big scary wanring if you try and change it that bad things may happen
to you, and generally few users ever change it.

This can be enabled with a configuration option `useLoginAsId`
 2019-02-01 11:37:40 +00:00
Krzysztof Balka e8ba848907 keystone: fetching groups only if requested, refactoring. 2019-01-11 15:14:59 +01:00
joannano 88d1e2b041 keystone: test cases, refactoring and cleanup 2019-01-11 15:14:56 +01:00
Krzysztof Balka a965365a2b keystone: refresh token and groups 2019-01-11 15:14:11 +01:00
knangia 0774a89066 keystone: squashed changes from knangia/dex 2019-01-11 15:12:59 +01:00