Commit graph

92 commits

Author SHA1 Message Date
joannano
88d1e2b041 keystone: test cases, refactoring and cleanup 2019-01-11 15:14:56 +01:00
Krzysztof Balka
a965365a2b keystone: refresh token and groups 2019-01-11 15:14:11 +01:00
knangia
0774a89066 keystone: squashed changes from knangia/dex 2019-01-11 15:12:59 +01:00
Maximilian Gaß
468c74d1d2 Make expiry of auth requests configurable 2018-12-13 11:50:34 +01:00
Ed Tan
d26e23c16f Make suggested code changes 2018-10-05 10:43:49 -04:00
Ed Tan
8c75d85b60 Add Bitbucket connector 2018-09-30 15:08:07 -04:00
Stephan Renatus
b9f6594bf0 *: github.com/coreos/dex -> github.com/dexidp/dex
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2018-09-05 17:57:08 +02:00
Frederic Branczyk
5f03479d29
*: Add go runtime, process, HTTP and gRPC metrics 2017-12-21 21:24:09 +01:00
Pavel Borzenkov
6193bf5566 connector: implement Microsoft connector
connector/microsoft implements authorization strategy via Microsoft's
OAuth2 endpoint + Graph API. It allows to choose what kind of tenants
are allowed to authenticate in Dex via Microsoft:
  * common - both personal and business/school accounts
  * organizations - only business/school accounts
  * consumers - only personal accounts
  * <tenant uuid> - only account of specific tenant

Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
2017-11-23 17:01:34 +03:00
Stephan Renatus
b09a13458f password connectors: allow overriding the username attribute (password prompt)
This allows users of the LDAP connector to give users of Dex' login
prompt an idea of what they should enter for a username.

Before, irregardless of how the LDAP connector was set up, the prompt
was

    Username
    [_________________]

    Password
    [_________________]

Now, this is configurable, and can be used to say "MyCorp SSO Login" if
that's what it is.

If it's not configured, it will default to "Username".

For the passwordDB connector (local users), it is set to "Email
Address", since this is what it uses.

Signed-off-by: Stephan Renatus <srenatus@chef.io>
2017-11-09 09:30:03 +01:00
Pavel Borzenkov
ab06119431 connector: implement LinkedIn connector
connector/linkedin implements authorization strategy via LinkedIn's
OAuth2 endpoint + profile API.

It doesn't implement RefreshConnector as LinkedIn doesn't provide any
refresh token at all (https://developer.linkedin.com/docs/oauth2, Step 5
— Refresh your Access Tokens) and recommends ordinary AuthCode exchange
flow when token refresh is required.

Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
2017-10-27 12:54:28 +03:00
Michael Stapelberg
4931f30a80 authproxy.md: strip X-Remote-User
follow-up for https://github.com/coreos/dex/pull/1100
2017-10-26 20:13:37 +02:00
Michael Stapelberg
a41d93db4a Implement the “authproxy” connector (for Apache2 mod_auth etc.) 2017-10-25 21:53:51 +02:00
Eric Stroczynski
2b354c8fdb server: set sane bcrypt cost upper bound 2017-08-21 11:53:46 -07:00
Eric Stroczynski
4bcb0aaae9 server: log bcrypt cost if > 12, error on runtime > 10s
The bcrypt hashing algorithm runtime grows exponentially with cost,
and might cause a timeout if the cost is too high. Notifying the user
of high cost and of long running calculations will help with tuning
and debugging.
2017-07-25 17:09:43 -07:00
Eric Stroczynski
4a88d0641a : update {S->s}irupsen/logrus 2017-07-25 13:46:44 -07:00
rithu john
8c9c2518f5 server: account for dynamically changing connector object in storage. 2017-04-25 09:19:02 -07:00
Lucas Serven
f3d9bd5008
server/server.go: make successful garbage collection log at info level 2017-04-04 09:47:53 -07:00
Eric Chiang
777eeafabc *: update go-oidc and use standard library's context package 2017-03-08 10:33:19 -08:00
Simon HEGE
415a68f977 Allow CORS on keys and token endpoints 2017-01-14 21:15:51 +01:00
Eric Chiang
f926d74157 server: fixes for the implicit and hybrid flow
Accept the following response_type for the implicit flow:

    id_token
    token id_token

And the following for hybrid flow

    code id_token
    code token
    code token id_token

This corrects the previous behavior of the implicit flow, which
only accepted "token" (now correctly rejected).
2017-01-10 16:20:17 -08:00
Simon HEGE
b4c47910e4 Allow CORS on discovery endpoint 2017-01-08 19:22:39 +01:00
rithu john
75aa1c67ce server: add error HTML templates with error description. 2016-12-16 10:42:54 -08:00
rithu john
9949a1313c server: modify error messages to use logrus. 2016-12-13 11:52:44 -08:00
rithu john
2e22a948cf cmd/dex: add logging config and serve logger for different modules. 2016-12-12 15:56:50 -08:00
Eric Chiang
391dc51c13 *: add theme based frontend configuration
This PR reworks the web layout so static files can be provided and
a "themes" directory to allow a certain degree of control over logos,
styles, etc.

This PR does NOT add general support for frontend customization,
only enough to allow us to start exploring theming internally.
The dex binary also must now be run from the root directory since
templates are no longer "compiled into" the binary.

The docker image has been updated with frontend assets.
2016-11-30 17:20:21 -08:00
Eric Chiang
952e0f81f5 connector: add RefreshConnector interface 2016-11-22 12:53:46 -08:00
Eric Chiang
57a59d4631 *: don't error out if a username doesn't exist in the backing connector
Instead of throwing a 500 error if a user enters an invalid name,
display the same text box as if the user had entered the wrong
password.

NOTE: An invalid username now returns much quicker than an invalid
password. Consider adding an arbitrary sleep in the future if we
care about masking which was invalid.
2016-11-01 14:10:55 -07:00
Eric Chiang
a3235d022a *: verify "state" field before passing request to callback connectors
Let the server handle the state token instead of the connector. As a
result it can throw out bad requests earlier. It can also use that
token to determine which connector was used to generate the request
allowing all connectors to share the same callback URL.

Callbacks now all look like:

    https://dex.example.com/callback

Instead of:

    https://dex.example.com/callback/(connector id)

Even when multiple connectors are being used.
2016-10-27 10:23:09 -07:00
Eric Chiang
89ecfd2ede server: only print gc stats if something has been removed 2016-10-13 21:55:56 -07:00
Eric Chiang
4296604f11 {cmd,server}: move garbage collection logic to server 2016-10-12 21:50:20 -07:00
Eric Chiang
dcbe67d89c {cmd/dex,server}: expose skip approval screen option 2016-10-07 11:53:01 -07:00
Eric Chiang
cdf0b91690 server: add an option to enable emails and passwords from the database 2016-10-05 17:26:41 -07:00
Eric Chiang
98b207b59a Merge pull request #585 from ericchiang/dev-api
dev branch: add a simple gRPC API
2016-10-05 14:14:28 -07:00
Eric Chiang
e873a31b21 server: add health check endpoint 2016-10-04 17:20:17 -07:00
Eric Chiang
8b079168be server: add gRPC service implementation 2016-10-04 00:30:30 -07:00
Eric Chiang
608d8ba984 *: switch dex to the ported templates 2016-09-05 17:25:39 -07:00
Eric Chiang
571024182d *: set response types supported in discovery based on server config 2016-08-25 16:18:09 -07:00
Eric Chiang
c113df961a *: support the implicit flow 2016-08-24 11:21:39 -07:00
Eric Chiang
bfe560ee21 rename 2016-08-10 22:31:42 -07:00
Eric Chiang
4cbe9bbc82 server: cache signing keys 2016-08-10 20:51:58 -07:00
Eric Chiang
cab271f304 initial commit 2016-07-26 15:51:24 -07:00