Commit graph

2153 commits

Author SHA1 Message Date
Martin Heide
162073b33e No longer allow desktop/mobile redirect URIs implicitly if RedirectURIs is set
Signed-off-by: Martin Heide <martin.heide@faro.com>
2020-11-02 14:05:47 +00:00
Martin Heide
c15e2887bc Add oob, device and localhost redirect URI tests
Signed-off-by: Martin Heide <martin.heide@faro.com>
2020-11-02 13:41:56 +00:00
Martin Heide
1ea481bb73 Fix gofmt in oauth2_test.go
Signed-off-by: Martin Heide <martin.heide@faro.com>
2020-11-02 12:52:52 +00:00
Martin Heide
b894d9c888 Allow public clients (e.g. using implicit flow or PKCE) to have redirect URIs configured
Signed-off-by: Martin Heide <martin.heide@faro.com>
2020-11-02 12:52:10 +00:00
m.nabokikh
7198f17d0e chore: Add description templates
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-11-02 10:52:08 +04:00
m.nabokikh
be378dd9a7 feat: Retry Kubernetes update requests
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-10-28 12:46:58 +04:00
Márk Sági-Kazár
6cdbb59406
Merge pull request #1845 from flant/minor-linter-fixes
fix: Minor style fixes after merging PKCE implementation
2020-10-26 21:37:30 +01:00
m.nabokikh
a5ad5eaf08 fix: Minor style fixes after merging PKCE implementation
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-10-26 23:20:33 +04:00
Bernd Eckstein
b5519695a6
PKCE implementation (#1784)
* Basic implementation of PKCE

Signed-off-by: Tadeusz Magura-Witkowski <tadeuszmw@gmail.com>

* @mfmarche on 24 Feb: when code_verifier is set, don't check client_secret

In PKCE flow, no client_secret is used, so the check for a valid client_secret
would always fail.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* @deric on 16 Jun: return invalid_grant when wrong code_verifier

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Enforce PKCE flow on /token when PKCE flow was started on /auth
Also dissallow PKCE on /token, when PKCE flow was not started on /auth

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* fixed error messages when mixed PKCE/no PKCE flow.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* server_test.go: Added PKCE error cases on /token endpoint

* Added test for invalid_grant, when wrong code_verifier is sent
* Added test for mixed PKCE / no PKCE auth flows.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* cleanup: extracted method checkErrorResponse and type TestDefinition

* fixed connector being overwritten

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* /token endpoint: skip client_secret verification only for grand type authorization_code with PKCE extension

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Allow "Authorization" header in CORS handlers

* Adds "Authorization" to the default CORS headers{"Accept", "Accept-Language", "Content-Language", "Origin"}

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Add "code_challenge_methods_supported" to discovery endpoint

discovery endpoint /dex/.well-known/openid-configuration
now has the following entry:

"code_challenge_methods_supported": [
  "S256",
  "plain"
]

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Updated tests (mixed-up comments), added a PKCE test

* @asoorm added test that checks if downgrade to "plain" on /token endpoint

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* remove redefinition of providedCodeVerifier, fixed spelling (#6)

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>
Signed-off-by: Bernd Eckstein <HEllRZA@users.noreply.github.com>

* Rename struct CodeChallenge to PKCE

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* PKCE: Check clientSecret when available

In authorization_code flow with PKCE, allow empty client_secret on /auth and /token endpoints. But check the client_secret when it is given.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Enable PKCE with public: true

dex configuration public on staticClients now enables the following behavior in PKCE:
- Public: false, PKCE will always check client_secret. This means PKCE in it's natural form is disabled.
- Public: true, PKCE is enabled. It will only check client_secret if the client has sent one. But it allows the code flow if the client didn't sent one.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Redirect error on unsupported code_challenge_method

- Check for unsupported code_challenge_method after redirect uri is validated, and use newErr() to return the error.
- Add PKCE tests to oauth2_test.go

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Reverted go.mod and go.sum to the state of master

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Don't omit client secret check for PKCE

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Allow public clients (e.g. with PKCE) to have redirect URIs configured

Signed-off-by: Martin Heide <martin.heide@faro.com>

* Remove "Authorization" as Accepted Headers on CORS, small fixes

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Revert "Allow public clients (e.g. with PKCE) to have redirect URIs configured"

This reverts commit b6e297b78537dc44cd3e1374f0b4d34bf89404ac.

Signed-off-by: Martin Heide <martin.heide@faro.com>

* PKCE on client_secret client error message

* When connecting to the token endpoint with PKCE without client_secret, but the client is configured with a client_secret, generate a special error message.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Output info message when PKCE without client_secret used on confidential client

* removes the special error message

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* General missing/invalid client_secret message on token endpoint

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

Co-authored-by: Tadeusz Magura-Witkowski <tadeuszmw@gmail.com>
Co-authored-by: Martin Heide <martin.heide@faro.com>
Co-authored-by: M. Heide <66078329+heidemn-faro@users.noreply.github.com>
2020-10-26 11:33:40 +01:00
Márk Sági-Kazár
2a282860fa
Merge pull request #1836 from lcostea/master
feat: reduce image size without apk cache
2020-10-18 18:21:39 +02:00
Márk Sági-Kazár
c82d21b155
Merge pull request #1837 from flant/bump-golangci-lint-and-fix-some-linters
fix: Bump golangci-lint version and fix some linter's problems
2020-10-18 16:05:57 +02:00
m.nabokikh
1d83e4749d Add gocritic
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-10-18 01:54:27 +04:00
m.nabokikh
4d63e9cd68 fix: Bump golangci-lint version and fix some linter's problems
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-10-18 01:02:29 +04:00
Liviu Costea
83673fb320 feat: reduce image size without apk cache
Signed-off-by: Liviu Costea <email.lcostea@gmail.com>
2020-10-16 19:52:21 +03:00
Nándor István Krácser
28b2350cd2
Merge pull request #1835 from flant/kubernetes-client-keys-conflicts-fix
fix: Handle Kubernetes API conflicts properly for signing keys
2020-10-13 15:16:19 +02:00
Márk Sági-Kazár
9c026107e6
Merge pull request #1830 from WorldProgrammingLtd/fix-1813
fix: log errors from login during password grant
2020-10-13 09:21:44 +02:00
m.nabokikh
4801b2c975 fix: Handle kubernetes API conflicts properly for signing keys
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-10-12 09:15:00 +03:00
Tom Quarendon
4da93e75fc fix: log errors from login during password grant
Issues: #1813
Signed-off-by: Alastair Houghton <alastair@alastairs-place.net>
2020-10-07 13:36:42 +01:00
Nate W
3f41b26fb9
[WIP] Removing .md files as a part of the Dex IdP Documentation migration. (#1810)
* Removing .md files as a part of the Dex IdP Documentation migration.

https://github.com/dexidp/dex/issues/1761
https://github.com/dexidp/website/issues/2
Signed-off-by: Nate Waddington <nwaddington@cncf.io>

* Updating README.md links after .md files removal.

Signed-off-by: Nate Waddington <nwaddington@cncf.io>

* Updating URL as per PR feedback. dexidp.org -> dexidp.io

Signed-off-by: Nate Waddington <nwaddington@cncf.io>

* removing errant ")"

Signed-off-by: Nate Waddington <nwaddington@cncf.io>
2020-10-06 18:02:40 +02:00
Márk Sági-Kazár
d1f599dd32
Merge pull request #1819 from al45tair/cors-auth
fix: allow Authorization header when doing CORS
2020-10-06 14:35:21 +02:00
Márk Sági-Kazár
a28f5bb218
Merge pull request #1821 from al45tair/fix-1820
fix: copy the "web" directory.
2020-10-05 17:24:51 +02:00
Alastair Houghton
3288450b3e fix: copy the "web" directory.
The Dockerfile was changed to do

    COPY web .

which is unfortunate because that means copy the *contents* of the directory
"web", rather than copying the directory itself which is what the author
intended.

Issues: #1820
Signed-off-by: Alastair Houghton <alastair@alastairs-place.net>
2020-10-05 15:52:30 +01:00
Alastair Houghton
9187aa669d fix: allow Authorization header when doing CORS
The Authorization header needs to be allowed when doing CORS because
otherwise /userinfo can't work.  It isn't one of the headers
explicitly allowed by default by Gorilla, so we have to call
handlers.AllowedHeaders() to specify it.

Issues: #1532
Signed-off-by: Alastair Houghton <alastair@alastairs-place.net>
2020-10-05 15:01:54 +01:00
Márk Sági-Kazár
828a1c6ec2
Merge pull request #1688 from flant/bitbucket-groups
feat: Add team groups support to bitbucket connector
2020-10-04 20:08:49 +02:00
m.nabokikh
ec66cedfcc feat: Add team groups support to bitbucket connector
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-10-04 20:50:59 +03:00
Márk Sági-Kazár
3e5ff2f853
Merge pull request #1815 from dexidp/fix-docker-login
ci: do not login to docker registry in PRs
2020-10-04 15:18:44 +02:00
Mark Sagi-Kazar
4a1fd77166
ci: do not login to docker registry in PRs
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-10-04 15:01:45 +02:00
Márk Sági-Kazár
3b385ecf4a
Merge pull request #1812 from flant/bitbucket-replace-teams-endpoint
fix: Replace deprecated teams endpoint in bitbucket connector
2020-10-04 14:27:14 +02:00
m.nabokikh
4b94469547 fix: Replace teams endpoint for bitbucket connector
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-10-03 20:30:23 +03:00
Márk Sági-Kazár
d4c3a3505d
Merge pull request #1802 from concourse/pr/static-public-key-sync
Add constructor for static key strategy
2020-10-01 22:19:15 +02:00
Rui Yang
bd2234cd12 Add constructor for static key strategy
Co-authored-by: Josh Winters <jwinter@pivotal.io>
Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-10-01 15:32:23 -04:00
Márk Sági-Kazár
9781e56ba5
Merge pull request #1690 from flant/fix-relative-url
Fix templates which asset path points to external URL
2020-09-29 19:47:38 +02:00
Márk Sági-Kazár
641615ff58
Merge pull request #1806 from dexidp/go115
chore: update Go to 1.15
2020-09-28 00:45:39 +02:00
Mark Sagi-Kazar
f3fc0c5395
chore: update Go to 1.15
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-09-28 00:22:47 +02:00
Márk Sági-Kazár
5807011b6a
Merge pull request #1805 from dexidp/fix-dockerhub-typo
fix: typo in environment variables introduced in #1781
2020-09-28 00:22:17 +02:00
Mark Sagi-Kazar
8a1a1b8b5d
fix: typo in environment variables introduced in #1781
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-09-27 23:56:02 +02:00
MIℂHΛΞL FѲRИΛRѲ
549b67bccd
Adding architecture support for arm/arm64/amd64 docker images (#1781)
add multi-arch image support for armv7/arm64/amd64 architectures
2020-09-27 23:47:39 +02:00
Johan Tordsson
c64ff34d11
Add Elastisys to Adopters (#1803)
Added description Elastisys use of Dex in Compliant Kubernetes.
2020-09-18 16:40:59 +02:00
Márk Sági-Kazár
458059cc89
Merge pull request #1708 from tkleczek/fix-overwriting-connector-in-authreq
abort connector login if connector was already set #1707
2020-09-16 17:49:04 +02:00
Márk Sági-Kazár
a64e7c2986
Merge pull request #1769 from batara666/master
ldap.go: drop else on returned if block
2020-09-16 17:47:52 +02:00
Márk Sági-Kazár
e837475ca6
Merge pull request #1795 from lzeng27/master
update documentation
2020-09-09 17:47:18 +02:00
Linda Zeng
6745af7747 updated docs
Signed-off-by: Linda Zeng <linda.zeng@blackrock.com>
2020-09-09 11:01:14 -04:00
Márk Sági-Kazár
d4a67e43fa
Merge pull request #1794 from dexidp/fix-example-app
Fix building the example app
2020-09-09 14:00:27 +02:00
Mark Sagi-Kazar
63098fe9fe
Fix building the example app
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-09-09 13:50:19 +02:00
Márk Sági-Kazár
ca0a9e821e
Merge pull request #1634 from concourse/pr/oidc-username-key-sync
Support username, email and groups claim in OIDC connector
2020-09-08 19:19:44 +02:00
Rui Yang
058202d007 revert changes for user id and user name
Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-09-08 13:12:59 -04:00
Rui Yang
0494993326 update oidc documentation and email claim err msg
Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-09-08 10:03:57 -04:00
Márk Sági-Kazár
07dddc7b0e
Merge pull request #1791 from onkarbhat/adopters_kasten
Add Kasten as an adopter of Dex.
2020-09-08 09:18:05 +02:00
Onkar Bhat
c489a074c1 Add Kasten as an adopter of Dex. 2020-09-07 16:39:21 -07:00
Tomasz Kleczek
b1311baa3c abort connector login if connector was already set #1707
Signed-off-by: Tomasz Kleczek <tomasz.kleczek@gmail.com>
2020-08-29 17:19:14 +02:00