Merge pull request #2620 from mayurwaghmode/master

Signed-off-by: mayurwaghmode <waghmodemayur17@gmail.com>

.dockerignore

@@ -1 +1,4 @@
-bin
+.github/
+.gitpod.yml
+bin/
+tmp/

.editorconfig

@@ -0,0 +1,21 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+indent_size = 4
+indent_style = space
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.go]
+indent_style = tab
+
+[*.proto]
+indent_size = 2
+
+[{Makefile,*.mk}]
+indent_style = tab
+
+[{config.yaml.dist,config.dev.yaml}]
+indent_size = 2

.envrc

@@ -0,0 +1,6 @@
+if ! has nix_direnv_version || ! nix_direnv_version 1.5.0; then
+  source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/1.5.0/direnvrc" "sha256-carKk9aUFHMuHt+IWh74hFj58nY4K3uywpZbwXX0BTI="
+fi
+use flake
+
+dotenv_if_exists

.github/.editorconfig

@@ -0,0 +1,2 @@
+[{*.yml,*.yaml}]
+indent_size = 2

.github/CODE_OF_CONDUCT.md

@@ -0,0 +1,3 @@
+## Community Code of Conduct
+
+This project follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).

.github/ISSUE_TEMPLATE/bug_report.yaml

@@ -0,0 +1,102 @@
+name: 🐛 Bug report
+description: Report a bug to help us improve Dex
+body:
+- type: markdown
+  attributes:
+    value: |
+      Thank you for submitting a bug report!
+
+      Please fill out the template below to make it easier to debug your problem.
+
+      If you are not sure if it is a bug or not, you can contact us via the available [support channels](https://github.com/dexidp/dex/issues/new/choose).
+- type: checkboxes
+  attributes:
+    label: Preflight Checklist
+    description: Please ensure you've completed all of the following.
+    options:
+      - label: I agree to follow the [Code of Conduct](https://github.com/dexidp/dex/blob/master/.github/CODE_OF_CONDUCT.md) that this project adheres to.
+        required: true
+      - label: I have searched the [issue tracker](https://www.github.com/dexidp/dex/issues) for an issue that matches the one I want to file, without success.
+        required: true
+      - label: I am not looking for support or already pursued the available [support channels](https://github.com/dexidp/dex/issues/new/choose) without success.
+        required: true
+- type: input
+  attributes:
+    label: Version
+    description: What version of Dex are you running?
+    placeholder: 2.29.0
+  validations:
+    required: true
+- type: dropdown
+  attributes:
+    label: Storage Type
+    description: Which persistent storage type are you using?
+    options:
+      - etcd
+      - Kubernetes
+      - In-memory
+      - Postgres
+      - MySQL
+      - SQLite
+  validations:
+    required: true
+- type: dropdown
+  attributes:
+    label: Installation Type
+    description: How did you install Dex?
+    options:
+      - Binary
+      - Official container image
+      - Official Helm chart
+      - Custom container image
+      - Custom Helm chart
+      - Other (specify below)
+    multiple: true
+  validations:
+    required: true
+- type: textarea
+  attributes:
+    label: Expected Behavior
+    description: A clear and concise description of what you expected to happen.
+  validations:
+    required: true
+- type: textarea
+  attributes:
+    label: Actual Behavior
+    description: A clear description of what actually happens.
+  validations:
+    required: true
+- type: textarea
+  attributes:
+    label: Steps To Reproduce
+    description: Steps to reproduce the behavior if it is not self-explanatory.
+    placeholder: |
+      1. In this environment...
+      2. With this config...
+      3. Run '...'
+      4. See error...
+- type: textarea
+  attributes:
+    label: Additional Information
+    description: Links? References? Anything that will give us more context about the issue that you are encountering!
+- type: textarea
+  attributes:
+    label: Configuration
+    description: Contents of your configuration file (if relevant).
+    render: yaml
+    placeholder: |
+      issuer: http://127.0.0.1:5556/dex
+
+      storage:
+        # ...
+
+      connectors:
+        # ...
+
+      staticClients:
+        # ...
+- type: textarea
+  attributes:
+    label: Logs
+    description: Dex application logs (if relevant).
+    render: shell

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,17 @@
+blank_issues_enabled: false
+contact_links:
+  - name: ❓ Ask a question
+    url: https://github.com/dexidp/dex/discussions/new?category=q-a
+    about: Ask and discuss questions with other Dex community members
+
+  - name: 📚 Documentation
+    url: https://dexidp.io/docs/
+    about: Check the documentation for help
+
+  - name: 💬 Slack channel
+    url: https://cloud-native.slack.com/messages/dexidp
+    about: Please ask and answer questions here
+
+  - name: 💡 Dex Enhancement Proposal
+    url: https://github.com/dexidp/dex/tree/master/enhancements/README.md
+    about: Open a proposal for significant architectural change

.github/ISSUE_TEMPLATE/feature_request.yaml

@@ -0,0 +1,40 @@
+name: 🎉 Feature request
+description: Suggest an idea for Dex
+body:
+- type: markdown
+  attributes:
+    value: |
+      Thank you for submitting a feature request!
+
+      Please describe what you would like to change/add and why in detail by filling out the template below.
+
+      If you are not sure if your request fits into Dex, you can contact us via the available [support channels](https://github.com/dexidp/dex/issues/new/choose).
+- type: checkboxes
+  attributes:
+    label: Preflight Checklist
+    description: Please ensure you've completed all of the following.
+    options:
+      - label: I agree to follow the [Code of Conduct](https://github.com/dexidp/dex/blob/master/.github/CODE_OF_CONDUCT.md) that this project adheres to.
+        required: true
+      - label: I have searched the [issue tracker](https://www.github.com/dexidp/dex/issues) for an issue that matches the one I want to file, without success.
+        required: true
+- type: textarea
+  attributes:
+    label: Problem Description
+    description: A clear and concise description of the problem you are seeking to solve with this feature request.
+  validations:
+    required: true
+- type: textarea
+  attributes:
+    label: Proposed Solution
+    description: A clear and concise description of what would you like to happen.
+  validations:
+    required: true
+- type: textarea
+  attributes:
+    label: Alternatives Considered
+    description: A clear and concise description of any alternative solutions or features you've considered.
+- type: textarea
+  attributes:
+    label: Additional Information
+    description: Add any other context about the problem here.

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,35 @@
+<!--
+Thank you for sending a pull request! Here are some tips for contributors:
+
+1. Fill the description template below.
+2. Sign a DCO (if you haven't already signed it).
+3. Include appropriate tests (if necessary). Make sure that all CI checks passed.
+4. If the Pull Request is a work in progress, make use of GitHub's "Draft PR" feature and mark it as such.
+-->
+
+#### Overview
+
+<!-- Describe your changes briefly here. -->
+
+#### What this PR does / why we need it
+
+<!--
+- Please state in detail why we need this PR and what it solves.
+- If your PR closes some of the existing issues, please add links to them here.
+  Mentioned issues will be automatically closed.
+  Usage: "Closes #<issue number>", or "Closes (paste link of issue)"
+-->
+
+#### Special notes for your reviewer
+
+#### Does this PR introduce a user-facing change?
+
+<!--
+If no, just write "NONE" in the release-note block below.
+If yes, a release note is required:
+Enter your extended release note in the block below. If the PR requires additional action from users switching to the new release, include the string "action required".
+-->
+
+```release-note
+
+```

.github/SECURITY.md

@@ -0,0 +1,24 @@
+# Security Policy
+
+## Reporting a vulnerability
+
+To report a vulnerability, send an email to [cncf-dex-maintainers@lists.cncf.io](mailto:cncf-dex-maintainers@lists.cncf.io)
+detailing the issue and steps to reproduce. The reporter(s) can expect a
+response within 48 hours acknowledging the issue was received. If a response is
+not received within 48 hours, please reach out to any maintainer directly
+to confirm receipt of the issue.
+
+## Review Process
+
+Once a maintainer has confirmed the relevance of the report, a draft security
+advisory will be created on Github. The draft advisory will be used to discuss
+the issue with maintainers, the reporter(s).
+If the reporter(s) wishes to participate in this discussion, then provide
+reporter Github username(s) to be invited to the discussion. If the reporter(s)
+does not wish to participate directly in the discussion, then the reporter(s)
+can request to be updated regularly via email.
+
+If the vulnerability is accepted, a timeline for developing a patch, public
+disclosure, and patch release will be determined. The reporter(s) are expected
+to participate in the discussion of the timeline and abide by agreed upon dates
+for public disclosure.

.github/dependabot.yaml

@@ -0,0 +1,30 @@
+version: 2
+
+updates:
+  - package-ecosystem: "gomod"
+    directory: "/"
+    labels:
+      - "area/dependencies"
+    schedule:
+      interval: "daily"
+
+  - package-ecosystem: "gomod"
+    directory: "/api/v2"
+    labels:
+      - "area/dependencies"
+    schedule:
+      interval: "daily"
+
+  - package-ecosystem: "docker"
+    directory: "/"
+    labels:
+      - "area/dependencies"
+    schedule:
+      interval: "daily"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    labels:
+      - "area/dependencies"
+    schedule:
+      interval: "daily"

.github/release.yml

@@ -0,0 +1,30 @@
+changelog:
+  exclude:
+    labels:
+      - release-note/ignore
+  categories:
+    - title: Exciting New Features 🎉
+      labels:
+        - kind/feature
+        - release-note/new-feature
+    - title: Enhancements 🚀
+      labels:
+        - kind/enhancement
+        - release-note/enhancement
+    - title: Bug Fixes 🐛
+      labels:
+        - kind/bug
+        - release-note/bug-fix
+    - title: Breaking Changes 🛠
+      labels:
+        - release-note/breaking-change
+    - title: Deprecations ❌
+      labels:
+        - release-note/deprecation
+    - title: Dependency Updates ⬆️
+      labels:
+        - area/dependencies
+        - release-note/dependency-update
+    - title: Other Changes
+      labels:
+        - "*"

.github/workflows/artifacts.yaml

@@ -0,0 +1,97 @@
+name: Artifacts
+
+on:
+  push:
+    branches:
+      - master
+    tags:
+      - v[0-9]+.[0-9]+.[0-9]+
+  pull_request:
+
+jobs:
+  container-images:
+    name: Container images
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        variant:
+          - alpine
+          - distroless
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Gather metadata
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: |
+            ghcr.io/dexidp/dex
+            dexidp/dex
+          flavor: |
+            latest = false
+          tags: |
+            type=ref,event=branch,enable=${{ matrix.variant == 'alpine' }}
+            type=ref,event=pr,enable=${{ matrix.variant == 'alpine' }}
+            type=semver,pattern={{raw}},enable=${{ matrix.variant == 'alpine' }}
+            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) && matrix.variant == 'alpine' }}
+            type=ref,event=branch,suffix=-${{ matrix.variant }}
+            type=ref,event=pr,suffix=-${{ matrix.variant }}
+            type=semver,pattern={{raw}},suffix=-${{ matrix.variant }}
+            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }},suffix=-${{ matrix.variant }}
+          labels: |
+            org.opencontainers.image.documentation=https://dexidp.io/docs/
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+        with:
+          platforms: all
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ github.token }}
+        if: github.event_name == 'push'
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+        if: github.event_name == 'push'
+
+      - name: Build and push
+        uses: docker/build-push-action@v3
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm/v7,linux/arm64,linux/ppc64le
+          # cache-from: type=gha
+          # cache-to: type=gha,mode=max
+          push: ${{ github.event_name == 'push' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          build-args: |
+            BASE_IMAGE=${{ matrix.variant }}
+            VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
+            COMMIT_HASH=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
+            BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.6.1
+        with:
+          image-ref: "ghcr.io/dexidp/dex:${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}"
+          format: "sarif"
+          output: "trivy-results.sarif"
+        if: github.event_name == 'push'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: "trivy-results.sarif"
+        if: github.event_name == 'push'

.github/workflows/checks.yaml

@@ -0,0 +1,18 @@
+name: PR Checks
+
+on:
+  pull_request:
+    types: [opened, labeled, unlabeled, synchronize]
+
+jobs:
+  release-label:
+    name: Release note label
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check minimum labels
+        uses: mheap/github-action-required-labels@v2
+        with:
+          mode: minimum
+          count: 1
+          labels: "release-note/ignore, kind/feature, release-note/new-feature, kind/enhancement, release-note/enhancement, kind/bug, release-note/bug-fix, release-note/breaking-change, release-note/deprecation, area/dependencies, release-note/dependency-update"

.github/workflows/ci.yaml

@@ -0,0 +1,129 @@
+name: CI
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    env:
+      GOFLAGS: -mod=readonly
+
+    services:
+      postgres:
+        image: postgres:10.8
+        ports:
+          - 5432
+        options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
+
+      postgres-ent:
+        image: postgres:10.8
+        ports:
+          - 5432
+        options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
+
+      mysql:
+        image: mysql:5.7
+        env:
+          MYSQL_ROOT_PASSWORD: root
+          MYSQL_DATABASE: dex
+        ports:
+          - 3306
+        options: --health-cmd "mysql -proot -e \"show databases;\"" --health-interval 10s --health-timeout 5s --health-retries 5
+
+      mysql-ent:
+        image: mysql:5.7
+        env:
+          MYSQL_ROOT_PASSWORD: root
+          MYSQL_DATABASE: dex
+        ports:
+          - 3306
+        options: --health-cmd "mysql -proot -e \"show databases;\"" --health-interval 10s --health-timeout 5s --health-retries 5
+
+      etcd:
+        image: gcr.io/etcd-development/etcd:v3.5.0
+        ports:
+          - 2379
+        env:
+          ETCD_LISTEN_CLIENT_URLS: http://0.0.0.0:2379
+          ETCD_ADVERTISE_CLIENT_URLS: http://0.0.0.0:2379
+        options: --health-cmd "ETCDCTL_API=3 etcdctl --endpoints http://localhost:2379 endpoint health" --health-interval 10s --health-timeout 5s --health-retries 5
+
+      keystone:
+        image: openio/openstack-keystone:rocky
+        ports:
+          - 5000
+          - 35357
+        options: --health-cmd "curl --fail http://localhost:5000/v3" --health-interval 10s --health-timeout 5s --health-retries 5
+
+    steps:
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.18
+
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Start services
+        run: docker-compose -f docker-compose.test.yaml up -d
+
+      - name: Create kind cluster
+        uses: helm/kind-action@v1.3.0
+        with:
+          version: v0.11.1
+          node_image: kindest/node:v1.19.11@sha256:07db187ae84b4b7de440a73886f008cf903fcf5764ba8106a9fd5243d6f32729
+
+      - name: Download tool dependencies
+        run: make deps
+
+      - name: Test
+        run: make testall
+        env:
+          DEX_MYSQL_DATABASE: dex
+          DEX_MYSQL_USER: root
+          DEX_MYSQL_PASSWORD: root
+          DEX_MYSQL_HOST: 127.0.0.1
+          DEX_MYSQL_PORT: ${{ job.services.mysql.ports[3306] }}
+
+          DEX_MYSQL_ENT_DATABASE: dex
+          DEX_MYSQL_ENT_USER: root
+          DEX_MYSQL_ENT_PASSWORD: root
+          DEX_MYSQL_ENT_HOST: 127.0.0.1
+          DEX_MYSQL_ENT_PORT: ${{ job.services.mysql-ent.ports[3306] }}
+
+          DEX_POSTGRES_DATABASE: postgres
+          DEX_POSTGRES_USER: postgres
+          DEX_POSTGRES_PASSWORD: postgres
+          DEX_POSTGRES_HOST: localhost
+          DEX_POSTGRES_PORT: ${{ job.services.postgres.ports[5432] }}
+
+          DEX_POSTGRES_ENT_DATABASE: postgres
+          DEX_POSTGRES_ENT_USER: postgres
+          DEX_POSTGRES_ENT_PASSWORD: postgres
+          DEX_POSTGRES_ENT_HOST: localhost
+          DEX_POSTGRES_ENT_PORT: ${{ job.services.postgres-ent.ports[5432] }}
+
+          DEX_ETCD_ENDPOINTS: http://localhost:${{ job.services.etcd.ports[2379] }}
+
+          DEX_LDAP_HOST: localhost
+          DEX_LDAP_PORT: 389
+          DEX_LDAP_TLS_PORT: 636
+
+          DEX_KEYSTONE_URL: http://localhost:${{ job.services.keystone.ports[5000] }}
+          DEX_KEYSTONE_ADMIN_URL: http://localhost:${{ job.services.keystone.ports[35357] }}
+          DEX_KEYSTONE_ADMIN_USER: demo
+          DEX_KEYSTONE_ADMIN_PASS: DEMO_PASS
+
+          DEX_KUBERNETES_CONFIG_PATH: ~/.kube/config
+
+      - name: Lint
+        run: make lint
+
+      # Ensure proto generation doesn't depend on external packages.
+      - name: Verify proto
+        run: make verify-proto

.github/workflows/codeql-analysis.yaml

@@ -0,0 +1,67 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ master, v1 ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ master ]
+  schedule:
+    - cron: '28 10 * * 6'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'go' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
+        # Learn more:
+        # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v2
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2

.github/workflows/docker.yaml

@@ -0,0 +1,111 @@
+name: Docker
+
+on:
+  # push:
+  #   branches:
+  #     - master
+  #   tags:
+  #     - v[0-9]+.[0-9]+.[0-9]+
+  pull_request:
+
+jobs:
+  docker:
+    name: Docker
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Calculate Docker image tags
+        id: tags
+        env:
+          DOCKER_IMAGES: "ghcr.io/dexidp/dex dexidp/dex"
+        run: |
+          case $GITHUB_REF in
+            refs/tags/*)  VERSION=${GITHUB_REF#refs/tags/};;
+            refs/heads/*) VERSION=$(echo ${GITHUB_REF#refs/heads/} | sed -r 's#/+#-#g');;
+            refs/pull/*)  VERSION=pr-${{ github.event.number }};;
+            *)            VERSION=sha-${GITHUB_SHA::8};;
+          esac
+
+          TAGS=()
+          for image in $DOCKER_IMAGES; do
+            TAGS+=("${image}:${VERSION}")
+
+            if [[ "${{ github.event.repository.default_branch }}" == "$VERSION" ]]; then
+              TAGS+=("${image}:latest")
+            fi
+          done
+
+          echo ::set-output name=version::${VERSION}
+          echo ::set-output name=tags::$(IFS=,; echo "${TAGS[*]}")
+          echo ::set-output name=commit_hash::${GITHUB_SHA::8}
+          echo ::set-output name=build_date::$(git show -s --format=%cI)
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+        with:
+          platforms: all
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          install: true
+          version: latest
+          # TODO: Remove driver-opts once fix is released docker/buildx#386
+          driver-opts: image=moby/buildkit:master
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ github.token }}
+        if: github.event_name == 'push'
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+        if: github.event_name == 'push'
+
+      - name: Build and push
+        uses: docker/build-push-action@v3
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm/v7,linux/arm64,linux/ppc64le
+          # cache-from: type=gha
+          # cache-to: type=gha,mode=max
+          push: ${{ github.event_name == 'push' }}
+          tags: ${{ steps.tags.outputs.tags }}
+          build-args: |
+            VERSION=${{ steps.tags.outputs.version }}
+            COMMIT_HASH=${{ steps.tags.outputs.commit_hash }}
+            BUILD_DATE=${{ steps.tags.outputs.build_date }}
+          labels: |
+            org.opencontainers.image.title=${{ github.event.repository.name }}
+            org.opencontainers.image.description=${{ github.event.repository.description }}
+            org.opencontainers.image.url=${{ github.event.repository.html_url }}
+            org.opencontainers.image.source=${{ github.event.repository.clone_url }}
+            org.opencontainers.image.version=${{ steps.tags.outputs.version }}
+            org.opencontainers.image.created=${{ steps.tags.outputs.build_date }}
+            org.opencontainers.image.revision=${{ github.sha }}
+            org.opencontainers.image.licenses=${{ github.event.repository.license.spdx_id }}
+            org.opencontainers.image.documentation=https://dexidp.io/docs/
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.6.1
+        with:
+          image-ref: "ghcr.io/dexidp/dex:${{ steps.tags.outputs.version }}"
+          format: "template"
+          template: "@/contrib/sarif.tpl"
+          output: "trivy-results.sarif"
+        if: github.event_name == 'push'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: "trivy-results.sarif"
+        if: github.event_name == 'push'

.gitignore

@@ -1,4 +1,7 @@
-bin
-dist
-_output
-.idea
+/.direnv/
+/.idea/
+/bin/
+/config.yaml
+/docker-compose.override.yaml
+/var/
+/vendor/

.gitpod.yml

@@ -0,0 +1,3 @@
+tasks:
+  - init: go get && go build ./... && go test ./... && make
+    command: go run

.golangci.yml

@@ -0,0 +1,90 @@
+run:
+    timeout: 4m
+
+linters-settings:
+    depguard:
+        list-type: blacklist
+        include-go-root: true
+        packages:
+            - io/ioutil
+        packages-with-error-message:
+            - io/ioutil: "The 'io/ioutil' package is deprecated. Use corresponding 'os' or 'io' functions instead."
+    gci:
+        local-prefixes: github.com/dexidp/dex
+    goimports:
+        local-prefixes: github.com/dexidp/dex
+
+
+linters:
+    disable-all: true
+    enable:
+        - bodyclose
+        - deadcode
+        - depguard
+        - dogsled
+        - exhaustive
+        - exportloopref
+        - gci
+        - gochecknoinits
+        - gocritic
+        - gofmt
+        - gofumpt
+        - goimports
+        - goprintffuncname
+        - gosimple
+        - govet
+        - ineffassign
+        - misspell
+        - nakedret
+        - nolintlint
+        - prealloc
+        - revive
+        - rowserrcheck
+        - sqlclosecheck
+        - staticcheck
+        - structcheck
+        - stylecheck
+        - tparallel
+        - unconvert
+        - unparam
+        - unused
+        - varcheck
+        - whitespace
+
+        # Disable temporarily until everything works with Go 1.18
+        # - typecheck
+
+        # TODO: fix linter errors before enabling
+        # - exhaustivestruct
+        # - gochecknoglobals
+        # - errorlint
+        # - gocognit
+        # - godot
+        # - nlreturn
+        # - noctx
+        # - wrapcheck
+
+        # TODO: fix linter errors before enabling (from original config)
+        # - dupl
+        # - errcheck
+        # - goconst
+        # - gocyclo
+        # - gosec
+        # - lll
+        # - scopelint
+
+        # unused
+        # - goheader
+        # - gomodguard
+
+        # don't enable:
+        # - asciicheck
+        # - funlen
+        # - godox
+        # - goerr113
+        # - gomnd
+        # - interfacer
+        # - maligned
+        # - nestif
+        # - testpackage
+        # - wsl

.travis.yml

@@ -1,55 +0,0 @@
-language: go
-
-sudo: required
-
-dist: xenial
-
-matrix:
-  include:
-    - go: '1.12.x'
-
-env:
-  global:
-    - DEX_MYSQL_DATABASE=dex
-    - DEX_MYSQL_USER=root
-    - DEX_MYSQL_HOST="localhost"
-    - DEX_MYSQL_PASSWORD=""
-    - DEX_POSTGRES_DATABASE=postgres
-    - DEX_POSTGRES_USER=postgres
-    - DEX_POSTGRES_HOST="localhost"
-    - DEX_ETCD_ENDPOINTS=http://localhost:2379
-    - DEX_LDAP_TESTS=1
-    - DEBIAN_FRONTEND=noninteractive
-    - DEX_KEYSTONE_URL=http://localhost:5000
-    - DEX_KEYSTONE_ADMIN_URL=http://localhost:35357
-    - DEX_KEYSTONE_ADMIN_USER=demo
-    - DEX_KEYSTONE_ADMIN_PASS=DEMO_PASS
-
-go_import_path: github.com/dexidp/dex
-
-services:
-  - mysql
-  - postgresql
-  - docker
-
-before_install:
-  - mysql -e 'CREATE DATABASE dex;'
-
-install:
-  - sudo -E apt-get install -y --force-yes slapd time ldap-utils
-  - sudo /etc/init.d/slapd stop
-  - docker run -d --net=host gcr.io/etcd-development/etcd:v3.2.9
-  - docker run -d -p 0.0.0.0:5000:5000 -p 0.0.0.0:35357:35357 openio/openstack-keystone:pike
-  - |
-    until curl --fail http://localhost:5000/v3; do
-      echo 'Waiting for keystone...'
-      sleep 1;
-    done;
-
-script:
-  - make testall
-  - ./scripts/test-k8s.sh
-  - make verify-proto # Ensure proto generation doesn't depend on external packages.
-
-notifications:
-  email: false

ADOPTERS.md

@@ -2,9 +2,14 @@
 
 This is a list of production adopters of Dex (in alphabetical order):
 
+- [Aspect](https://www.aspect.com/) uses Dex for authenticating users across their Kubernetes infrastructure (using Kubernetes OIDC support).
 - [Banzai Cloud](https://banzaicloud.com) is using Dex for authenticating to its Pipeline control plane and also to authenticate users against provisioned Kubernetes clusters (via Kubernetes OIDC support).
 - [Chef](https://chef.io) uses Dex for authenticating users in [Chef Automate](https://automate.chef.io/). The code is Open Source, available at [`github.com/chef/automate`](https://github.com/chef/automate).
+- [Elastisys](https://elastisys.com) uses Dex for authentication in their [Compliant Kubernetes](https://compliantkubernetes.io) distribution, including SSO to the custom dashboard, Grafana, Kibana, and Harbor.
+- [Flant](https://flant.com) uses Dex for providing access to core components of [Managed Kubernetes as a Service](https://flant.com/services/managed-kubernetes-as-a-service), integration with various authentication providers, plugging custom applications.
 - [JuliaBox](https://juliabox.com/) is leveraging federated OIDC provided by Dex for authenticating users to their compute infrastructure based on Kubernetes.
+- [Kasten](https://www.kasten.io) is using Dex for authenticating access to the dashboard of [K10](https://www.kasten.io/product/), a Kubernetes-native platform for backup, disaster recovery and mobility of Kubernetes applications. K10 is widely used by a variety of customers including large enterprises, financial services, design firms, and IT companies.
 - [Kyma](https://kyma-project.io) is using Dex to authenticate access to Kubernetes API server (even for managed Kubernetes like Google Kubernetes Engine or Azure Kubernetes Service) and for protecting web UI of [Kyma Console](https://github.com/kyma-project/console) and other UIs integrated in Kyma ([Grafana](https://github.com/grafana/grafana), [Loki](https://github.com/grafana/loki), and [Jaeger](https://github.com/jaegertracing/jaeger)). Kyma is an open-source project ([`github.com/kyma-project`](https://github.com/kyma-project/kyma)) designed natively on Kubernetes, that allows you to extend and customize your applications in a quick and modern way, using serverless computing or microservice architecture. 
 - [Pusher](https://pusher.com) uses Dex for authenticating users across their Kubernetes infrastructure (using Kubernetes OIDC support) in conjunction with the [OAuth2 Proxy](https://github.com/pusher/oauth2_proxy) for protecting web UIs.
 - [Pydio](https://pydio.com/) Pydio Cells is an open source sync & share platform written in Go. Cells is using Dex as an OIDC service for authentication and authorizations. Check out [Pydio Cells repository](https://github.com/pydio/cells) for more information and/or to contribute.
+- [sigstore](https://sigstore.dev) uses Dex for authentication in their public Fulcio instance, which is a certificate authority for code signing certificates bound to OIDC-based identities.

Dockerfile

@@ -1,26 +1,72 @@
-FROM golang:1.12.9-alpine
+ARG BASE_IMAGE=alpine
 
-RUN apk add --no-cache --update alpine-sdk
+FROM golang:1.18.4-alpine3.15 AS builder
 
-COPY . /go/src/github.com/dexidp/dex
-RUN cd /go/src/github.com/dexidp/dex && make release-binary
+WORKDIR /usr/local/src/dex
+
+RUN apk add --no-cache --update alpine-sdk ca-certificates openssl
+
+ARG TARGETOS
+ARG TARGETARCH
+ARG TARGETVARIANT=""
+
+ENV GOOS=${TARGETOS} GOARCH=${TARGETARCH} GOARM=${TARGETVARIANT}
+
+ARG GOPROXY
+
+COPY go.mod go.sum ./
+COPY api/v2/go.mod api/v2/go.sum ./api/v2/
+RUN go mod download
+
+COPY . .
+
+RUN make release-binary
+
+FROM alpine:3.16.2 AS stager
+
+RUN mkdir -p /var/dex
+RUN mkdir -p /etc/dex
+COPY config.docker.yaml /etc/dex/
+
+FROM alpine:3.16.2 AS gomplate
+
+ARG TARGETOS
+ARG TARGETARCH
+ARG TARGETVARIANT
+
+ENV GOMPLATE_VERSION=v3.11.2
+
+RUN wget -O /usr/local/bin/gomplate \
+    "https://github.com/hairyhenderson/gomplate/releases/download/${GOMPLATE_VERSION}/gomplate_${TARGETOS:-linux}-${TARGETARCH:-amd64}${TARGETVARIANT}" \
+    && chmod +x /usr/local/bin/gomplate
+
+# For Dependabot to detect base image versions
+FROM alpine:3.16.2 AS alpine
+FROM gcr.io/distroless/static:latest AS distroless
+
+FROM $BASE_IMAGE
 
-FROM alpine:3.9
 # Dex connectors, such as GitHub and Google logins require root certificates.
 # Proper installations should manage those certificates, but it's a bad user
 # experience when this doesn't work out of the box.
 #
-# OpenSSL is required so wget can query HTTPS endpoints for health checking.
-RUN apk add --update ca-certificates openssl
+# See https://go.dev/src/crypto/x509/root_linux.go for Go root CA bundle locations.
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+
+COPY --from=stager --chown=1001:1001 /var/dex /var/dex
+COPY --from=stager --chown=1001:1001 /etc/dex /etc/dex
+
+# Copy module files for CVE scanning / dependency analysis.
+COPY --from=builder /usr/local/src/dex/go.mod /usr/local/src/dex/go.sum /usr/local/src/dex/
+COPY --from=builder /usr/local/src/dex/api/v2/go.mod /usr/local/src/dex/api/v2/go.sum /usr/local/src/dex/api/v2/
+
+COPY --from=builder /go/bin/dex /usr/local/bin/dex
+COPY --from=builder /go/bin/docker-entrypoint /usr/local/bin/docker-entrypoint
+COPY --from=builder /usr/local/src/dex/web /srv/dex/web
+
+COPY --from=gomplate /usr/local/bin/gomplate /usr/local/bin/gomplate
 
 USER 1001:1001
-COPY --from=0 /go/bin/dex /usr/local/bin/dex
 
-# Import frontend assets and set the correct CWD directory so the assets
-# are in the default path.
-COPY web /web
-WORKDIR /
-
-ENTRYPOINT ["dex"]
-
-CMD ["version"]
+ENTRYPOINT ["/usr/local/bin/docker-entrypoint"]
+CMD ["dex", "serve", "/etc/dex/config.docker.yaml"]

Documentation/api.md

@@ -1,119 +0,0 @@
-# The dex API
-
-Dex provides a [gRPC][grpc] service for programmatic modification of dex's state. The API is intended to expose hooks for management applications and is not expected to be used by most installations.
-
-This document is an overview of how to interact with the API.
-
-## Configuration
-
-Admins that wish to expose the gRPC service must add the following entry to the dex config file. This option is off by default.
-
-```
-grpc:
-  # Cannot be the same address as an HTTP(S) service.
-  addr: 127.0.0.1:5557
-  # Server certs. If TLS credentials aren't provided dex will run in plaintext (HTTP) mode.
-  tlsCert: /etc/dex/grpc.crt
-  tlsKey: /etc/dex/grpc.key
-  # Client auth CA.
-  tlsClientCA: /etc/dex/client.crt
-  # enable reflection
-  reflection: true
-```
-
-## Generating clients
-
-gRPC is a suite of tools for generating client and server bindings from a common declarative language. The canonical schema for dex's API can be found in the source tree at [`api/api.proto`][api-proto]. Go bindings are generated and maintained in the same directory for internal use.
-
-To generate a client for your own project install [`protoc`][protoc], install a protobuf generator for your project's language, and download the `api.proto` file. An example for a Go project:
-
-```
-# Install protoc-gen-go.
-$ go get -u github.com/golang/protobuf/{proto,protoc-gen-go}
-
-# Download api.proto for a given version.
-$ DEX_VERSION=v2.0.0-alpha.5
-$ wget https://raw.githubusercontent.com/dexidp/dex/${DEX_VERSION}/api/api.proto
-
-# Generate the Go client bindings.
-$ protoc --go_out=import_path=dexapi:. api.proto
-```
-
-Client programs can then be written using the generated code. A Go client which uses dex's internally generated code might look like the following:
-
-__NOTE:__ Because dex has the `google.golang.org/grpc` package in its `vendor` directory, gRPC code in `github.com/dexidp/dex/api` refers to the vendored copy, not copies in a developers GOPATH. Clients must either regenerate the gRPC Go code or vendor dex and remove its `vendor` directory to run this program.
-
-```
-package main
-
-import (
-    "context"
-    "fmt"
-    "log"
-
-    "github.com/dexidp/dex/api"
-    "google.golang.org/grpc"
-    "google.golang.org/grpc/credentials"
-)
-
-func newDexClient(hostAndPort, caPath string) (api.DexClient, error) {
-    creds, err := credentials.NewClientTLSFromFile(caPath, "")
-    if err != nil {
-        return nil, fmt.Errorf("load dex cert: %v", err)
-    }
-
-    conn, err := grpc.Dial(hostAndPort, grpc.WithTransportCredentials(creds))
-    if err != nil {
-        return nil, fmt.Errorf("dial: %v", err)
-    }
-    return api.NewDexClient(conn), nil
-}
-
-func main() {
-    client, err := newDexClient("127.0.0.1:5557", "/etc/dex/grpc.crt")
-    if err != nil {
-        log.Fatalf("failed creating dex client: %v ", err)
-    }
-
-    req := &api.CreateClientReq{
-        Client: &api.Client{
-            Id:           "example-app",
-            Name:         "Example App",
-            Secret:       "ZXhhbXBsZS1hcHAtc2VjcmV0",
-            RedirectUris: []string{"http://127.0.0.1:5555/callback"},
-        },
-    }
-
-    if _, err := client.CreateClient(context.TODO(), req); err != nil {
-        log.Fatalf("failed creating oauth2 client: %v", err)
-    }
-}
-```
-
-A clear working example of the Dex gRPC client can be found [here](../examples/grpc-client/README.md).
-
-## Authentication and access control
-
-The dex API does not provide any authentication or authorization beyond TLS client auth.
-
-Projects that wish to add access controls on top of the existing API should build apps which perform such checks. For example to provide a "Change password" screen, a client app could use dex's OpenID Connect flow to authenticate an end user, then call dex's API to update that user's password.
-
-## dexctl?
-
-Dex does not ship with a command line tool for interacting with the API. Command line tools are useful but hard to version, easy to design poorly, and expose another interface which can never be changed in the name of compatibility.
-
-While the dex team would be open to re-implementing `dexctl` for v2 a majority of the work is writing a design document, not the actual programming effort.
-
-## Why not REST or gRPC Gateway?
-
-Between v1 and v2, dex switched from REST to gRPC. This largely stemmed from problems generating documentation, client bindings, and server frameworks that adequately expressed REST semantics. While [Google APIs][google-apis], [Open API/Swagger][open-api], and [gRPC Gateway][grpc-gateway] were evaluated, they often became clunky when trying to use specific HTTP error codes or complex request bodies. As a result, v2's API is entirely gRPC.
-
-Many arguments _against_ gRPC cite short term convenience rather than production use cases. Though this is a recognized shortcoming, dex already implements many features for developer convenience. For instance, users who wish to manually edit clients during testing can use the `staticClients` config field instead of the API.
-
-[grpc]: http://www.grpc.io/
-[api-proto]: ../api/api.proto
-[protoc]: https://github.com/google/protobuf/releases
-[protoc-gen-go]: https://github.com/golang/protobuf
-[google-apis]: https://github.com/google/apis-client-generator
-[open-api]: https://openapis.org/
-[grpc-gateway]: https://github.com/grpc-ecosystem/grpc-gateway

Documentation/authproxy.md

@@ -1 +0,0 @@
-This document has moved to [connectors/authproxy.md](connectors/authproxy.md).

Documentation/connectors/authproxy.md

@@ -1,138 +0,0 @@
-# Authenticating proxy
-
-NOTE: This connector is experimental and may change in the future.
-
-## Overview
-
-The `authproxy` connector returns identities based on authentication which your
-front-end web server performs. Dex consumes the `X-Remote-User` header set by
-the proxy, which is then used as the user's email address.
-
-__The proxy MUST remove any `X-Remote-*` headers set by the client, for any URL
-path, before the request is forwarded to dex.__
-
-The connector does not support refresh tokens or groups.
-
-## Configuration
-
-The `authproxy` connector is used by proxies to implement login strategies not
-supported by dex. For example, a proxy could handle a different OAuth2 strategy
-such as Slack. The connector takes no configuration other than a `name` and `id`:
-
-```yaml
-connectors:
-# Slack login implemented by an authenticating proxy, not by dex.
-- type: authproxy
-  id: slack
-  name: Slack 
-```
-
-The proxy only needs to authenticate the user when they attempt to visit the
-callback URL path:
-
-```
-( dex issuer URL )/callback/( connector id )?( url query )
-```
-
-For example, if dex is running at `https://auth.example.com/dex` and the connector
-ID is `slack`, the callback URL would look like:
-
-```
-https://auth.example.com/dex/callback/slack?state=xdg3z6quhrhwaueo5iysvliqf
-``` 
-
-The proxy should login the user then return them to the exact URL (inlucing the
-query), setting `X-Remote-User` to the user's email before proxying the request
-to dex.
-
-## Configuration example - Apache 2
-
-The following is an example config file that can be used by the external
-connector to authenticate a user.
-
-```yaml
-connectors:
-- type: authproxy
-  id: myBasicAuth
-  name: HTTP Basic Auth
-```
-
-The authproxy connector assumes that you configured your front-end web server
-such that it performs authentication for the `/dex/callback/myBasicAuth`
-location and provides the result in the X-Remote-User HTTP header. The following
-configuration will work for Apache 2.4.10+:
-
-```
-<Location /dex/>
-    ProxyPass "http://localhost:5556/dex/"
-    ProxyPassReverse "http://localhost:5556/dex/"
-
-    # Strip the X-Remote-User header from all requests except for the ones
-    # where we override it.
-    RequestHeader unset X-Remote-User
-</Location>
-
-<Location /dex/callback/myBasicAuth>
-    AuthType Basic
-    AuthName "db.debian.org webPassword"
-    AuthBasicProvider file
-    AuthUserFile "/etc/apache2/debian-web-pw.htpasswd"
-    Require valid-user
-
-    # Defense in depth: clear the Authorization header so that
-    # Debian Web Passwords never even reach dex.
-    RequestHeader unset Authorization
-
-    # Requires Apache 2.4.10+
-    RequestHeader set X-Remote-User expr=%{REMOTE_USER}@debian.org
-
-    ProxyPass "http://localhost:5556/dex/callback/myBasicAuth"
-    ProxyPassReverse "http://localhost:5556/dex/callback/myBasicAuth"
-</Location>
-```
-
-## Full Apache2 setup
-
-After installing your Linux distribution’s Apache2 package, place the following
-virtual host configuration in e.g. `/etc/apache2/sites-available/sso.conf`:
-
-```
-<VirtualHost sso.example.net>
-    ServerName sso.example.net
-
-    ServerAdmin webmaster@localhost
-    DocumentRoot /var/www/html
-
-    ErrorLog ${APACHE_LOG_DIR}/error.log
-    CustomLog ${APACHE_LOG_DIR}/access.log combined
-
-    <Location /dex/>
-        ProxyPass "http://localhost:5556/dex/"
-        ProxyPassReverse "http://localhost:5556/dex/"
-
-        # Strip the X-Remote-User header from all requests except for the ones
-        # where we override it.
-        RequestHeader unset X-Remote-User
-    </Location>
-
-    <Location /dex/callback/myBasicAuth>
-        AuthType Basic
-        AuthName "db.debian.org webPassword"
-        AuthBasicProvider file
-        AuthUserFile "/etc/apache2/debian-web-pw.htpasswd"
-        Require valid-user
-
-        # Defense in depth: clear the Authorization header so that
-        # Debian Web Passwords never even reach dex.
-        RequestHeader unset Authorization
-
-        # Requires Apache 2.4.10+
-        RequestHeader set X-Remote-User expr=%{REMOTE_USER}@debian.org
-
-        ProxyPass "http://localhost:5556/dex/callback/myBasicAuth"
-        ProxyPassReverse "http://localhost:5556/dex/callback/myBasicAuth"
-    </Location>
-</VirtualHost>
-```
-
-Then, enable it using `a2ensite sso.conf`, followed by a restart of Apache2.

Documentation/connectors/bitbucketcloud.md

@@ -1,34 +0,0 @@
-# Authentication through Bitbucket Cloud
-
-## Overview
-
-One of the login options for dex uses the Bitbucket OAuth2 flow to identify the end user through their Bitbucket account.
-
-When a client redeems a refresh token through dex, dex will re-query Bitbucket to update user information in the ID Token. To do this, __dex stores a readonly Bitbucket access token in its backing datastore.__ Users that reject dex's access through Bitbucket will also revoke all dex clients which authenticated them through Bitbucket.
-
-## Configuration
-
-Register a new OAuth consumer with [Bitbucket](https://confluence.atlassian.com/bitbucket/oauth-on-bitbucket-cloud-238027431.html) ensuring the callback URL is `(dex issuer)/callback`. For example if dex is listening at the non-root path `https://auth.example.com/dex` the callback would be `https://auth.example.com/dex/callback`.
-
-The application requires the user to grant the `Read Account` and `Read Team membership` permissions. The latter is required only if group membership is a desired claim.
-
-The following is an example of a configuration for `examples/config-dev.yaml`:
-
-```yaml
-connectors:
-- type: bitbucket-cloud
-  # Required field for connector id.
-  id: bitbucket-cloud
-  # Required field for connector name.
-  name: Bitbucket Cloud
-  config:
-    # Credentials can be string literals or pulled from the environment.
-    clientID: $BITBUCKET_CLIENT_ID
-    clientSecret: $BITBUCKET_CLIENT_SECRET
-    redirectURI: http://127.0.0.1:5556/dex/callback
-    # Optional teams whitelist, communicated through the "groups" scope.
-    # If `teams` is omitted, all of the user's Bitbucket teams are returned when the groups scope is present.
-    # If `teams` is provided, this acts as a whitelist - only the user's Bitbucket teams that are in the configured `teams` below will go into the groups claim.  Conversely, if the user is not in any of the configured `teams`, the user will not be authenticated.
-    teams:
-    - my-team
-```

Documentation/connectors/github.md

@@ -1,128 +0,0 @@
-# Authentication through GitHub
-
-## Overview
-
-One of the login options for dex uses the GitHub OAuth2 flow to identify the end user through their GitHub account.
-
-When a client redeems a refresh token through dex, dex will re-query GitHub to update user information in the ID Token. To do this, __dex stores a readonly GitHub access token in its backing datastore.__ Users that reject dex's access through GitHub will also revoke all dex clients which authenticated them through GitHub.
-
-## Caveats
-
-* A user must explicitly [request][github-request-org-access] an [organization][github-orgs] give dex [resource access][github-approve-org-access]. Dex will not have the correct permissions to determine if the user is in that organization otherwise, and the user will not be able to log in. This request mechanism is a feature of the GitHub API.
-
-## Configuration
-
-Register a new application with [GitHub][github-oauth2] ensuring the callback URL is `(dex issuer)/callback`. For example if dex is listening at the non-root path `https://auth.example.com/dex` the callback would be `https://auth.example.com/dex/callback`.
-
-The following is an example of a configuration for `examples/config-dev.yaml`:
-
-```yaml
-connectors:
-- type: github
-  # Required field for connector id.
-  id: github
-  # Required field for connector name.
-  name: GitHub
-  config:
-    # Credentials can be string literals or pulled from the environment.
-    clientID: $GITHUB_CLIENT_ID
-    clientSecret: $GITHUB_CLIENT_SECRET
-    redirectURI: http://127.0.0.1:5556/dex/callback
-
-    # Optional organizations and teams, communicated through the "groups" scope.
-    #
-    # NOTE: This is an EXPERIMENTAL config option and will likely change.
-    #
-    # Legacy 'org' field. 'org' and 'orgs' cannot be used simultaneously. A user
-    # MUST be a member of the following org to authenticate with dex.
-    # org: my-organization
-    #
-    # Dex queries the following organizations for group information if the
-    # "groups" scope is provided. Group claims are formatted as "(org):(team)".
-    # For example if a user is part of the "engineering" team of the "coreos"
-    # org, the group claim would include "coreos:engineering".
-    #
-    # If orgs are specified in the config then user MUST be a member of at least one of the specified orgs to
-    # authenticate with dex.
-    #
-    # If neither 'org' nor 'orgs' are specified in the config and 'loadAllGroups' setting set to true then user
-    # authenticate with ALL user's Github groups. Typical use case for this setup:
-    # provide read-only access to everyone and give full permissions if user has 'my-organization:admins-team' group claim.  
-    orgs:
-    - name: my-organization
-      # Include all teams as claims.
-    - name: my-organization-with-teams
-      # A white list of teams. Only include group claims for these teams.
-      teams:
-      - red-team
-      - blue-team
-    # Flag which indicates that all user groups and teams should be loaded.
-    loadAllGroups: false
-
-    # Optional choice between 'name' (default), 'slug', or 'both'.
-    #
-    # As an example, group claims for member of 'Site Reliability Engineers' in
-    # Acme organization would yield:
-    #   - ['acme:Site Reliability Engineers'] for 'name'
-    #   - ['acme:site-reliability-engineers'] for 'slug'
-    #   - ['acme:Site Reliability Engineers', 'acme:site-reliability-engineers'] for 'both'
-    teamNameField: slug
-    # flag which will switch from using the internal GitHub id to the users handle (@mention) as the user id.
-    # It is possible for a user to change their own user name but it is very rare for them to do so
-    useLoginAsID: false
-```
-
-## GitHub Enterprise
-
-Users can use their GitHub Enterprise account to login to dex. The following configuration can be used to enable a GitHub Enterprise connector on dex:
-
-```yaml
-connectors:
-- type: github
-  # Required field for connector id.
-  id: github
-  # Required field for connector name.
-  name: GitHub
-  config:
-    # Required fields. Dex must be pre-registered with GitHub Enterprise
-    # to get the following values.
-    # Credentials can be string literals or pulled from the environment.
-    clientID: $GITHUB_CLIENT_ID
-    clientSecret: $GITHUB_CLIENT_SECRET
-    redirectURI: http://127.0.0.1:5556/dex/callback
-    # Optional organizations and teams, communicated through the "groups" scope.
-    #
-    # NOTE: This is an EXPERIMENTAL config option and will likely change.
-    #
-    # Legacy 'org' field. 'org' and 'orgs' cannot be used simultaneously. A user
-    # MUST be a member of the following org to authenticate with dex.
-    # org: my-organization
-    #
-    # Dex queries the following organizations for group information if the
-    # "groups" scope is provided. Group claims are formatted as "(org):(team)".
-    # For example if a user is part of the "engineering" team of the "coreos"
-    # org, the group claim would include "coreos:engineering".
-    #
-    # A user MUST be a member of at least one of the following orgs to
-    # authenticate with dex.
-    orgs:
-    - name: my-organization
-      # Include all teams as claims.
-    - name: my-organization-with-teams
-      # A white list of teams. Only include group claims for these teams.
-      teams:
-      - red-team
-      - blue-team
-    # Required ONLY for GitHub Enterprise.
-    # This is the Hostname of the GitHub Enterprise account listed on the
-    # management console. Ensure this domain is routable on your network.
-    hostName: git.example.com
-    # ONLY for GitHub Enterprise. Optional field.
-    # Used to support self-signed or untrusted CA root certificates.
-    rootCA: /etc/dex/ca.crt
-```
-
-[github-oauth2]: https://github.com/settings/applications/new
-[github-orgs]: https://developer.github.com/v3/orgs/
-[github-request-org-access]: https://help.github.com/articles/requesting-organization-approval-for-oauth-apps/
-[github-approve-org-access]: https://help.github.com/articles/approving-oauth-apps-for-your-organization/

Documentation/connectors/gitlab.md

@@ -1,39 +0,0 @@
-# Authentication through Gitlab
-
-## Overview
-
-GitLab is a web-based Git repository manager with wiki and issue tracking features, using an open source license, developed by GitLab Inc. One of the login options for dex uses the GitLab OAuth2 flow to identify the end user through their GitLab account. You can use this option with [gitlab.com](gitlab.com), GitLab community or enterprise edition.
-
-When a client redeems a refresh token through dex, dex will re-query GitLab to update user information in the ID Token. To do this, __dex stores a readonly GitLab access token in its backing datastore.__ Users that reject dex's access through GitLab will also revoke all dex clients which authenticated them through GitLab.
-
-## Configuration
-
-Register a new application via `User Settings -> Applications` ensuring the callback URL is `(dex issuer)/callback`. For example if dex is listening at the non-root path `https://auth.example.com/dex` the callback would be `https://auth.example.com/dex/callback`.
-
-The application requires the user to grant the `read_user` and `openid` scopes. The latter is required only if group membership is a desired claim.
-
-The following is an example of a configuration for `examples/config-dev.yaml`:
-
-```yaml
-connectors:
-  - type: gitlab
-    # Required field for connector id.
-    id: gitlab
-    # Required field for connector name.
-    name: GitLab
-    config:
-      # optional, default = https://gitlab.com
-      baseURL: https://gitlab.com
-      # Credentials can be string literals or pulled from the environment.
-      clientID: $GITLAB_APPLICATION_ID
-      clientSecret: $GITLAB_CLIENT_SECRET
-      redirectURI: http://127.0.0.1:5556/dex/callback
-      # Optional groups whitelist, communicated through the "groups" scope.
-      # If `groups` is omitted, all of the user's GitLab groups are returned when the groups scope is present.
-      # If `groups` is provided, this acts as a whitelist - only the user's GitLab groups that are in the configured `groups` below will go into the groups claim.  Conversely, if the user is not in any of the configured `groups`, the user will not be authenticated.
-      groups:
-      - my-group
-      # flag which will switch from using the internal GitLab id to the users handle (@mention) as the user id.
-      # It is possible for a user to change their own user name but it is very rare for them to do so
-      useLoginAsID: false
-```

Documentation/connectors/kubelogin-activedirectory.md

@@ -1,129 +0,0 @@
-# Integration kubelogin and Active Directory
-
-## Overview
-
-kubelogin is helper tool for kubernetes and oidc integration.
-It makes easy to login Open ID Provider.
-This document describes how dex work with kubelogin and Active Directory.
-
-examples/config-ad-kubelogin.yaml is sample configuration to integrate Active Directory and kubelogin.
-
-## Precondition
-
-1. Active Directory
-You should have Active Directory or LDAP has Active Directory compatible schema such as samba ad.
-You may have user objects and group objects in AD. Please ensure TLS is enabled.
-
-2. Install kubelogin
-Download kubelogin from https://github.com/int128/kubelogin/releases.
-Install it to your terminal.
-
-## Getting started
-
-### Generate certificate and private key
-
-Create OpenSSL conf req.conf as follow:
-
-```
-[req]
-req_extensions = v3_req
-distinguished_name = req_distinguished_name
-
-[req_distinguished_name]
-
-[ v3_req ]
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-subjectAltName = @alt_names
-
-[alt_names]
-DNS.1 = dex.example.com
-```
-
-Please replace dex.example.com to your favorite hostname.
-Generate certificate and private key by following command.
-
-```console
-$ openssl req -new -x509 -sha256 -days 3650 -newkey rsa:4096 -extensions v3_req -out openid-ca.pem -keyout openid-key.pem -config req.cnf -subj "/CN=kube-ca" -nodes
-$ ls openid*
-openid-ca.pem openid-key.pem
-```
-
-### Modify dex config
-
-Modify following host, bindDN and bindPW in examples/config-ad-kubelogin.yaml.
-
-```yaml
-connectors:
-- type: ldap
-  name: OpenLDAP
-  id: ldap
-  config:
-    host: ldap.example.com:636
-
-    # No TLS for this setup.
-    insecureNoSSL: false
-    insecureSkipVerify: true
-
-    # This would normally be a read-only user.
-    bindDN: cn=Administrator,cn=users,dc=example,dc=com
-    bindPW: admin0!
-```
-
-### Run dex
-
-```
-$ bin/dex serve examples/config-ad-kubelogin.yaml
-```
-
-### Configure kubernetes with oidc
-
-Copy openid-ca.pem to /etc/ssl/certs/openid-ca.pem on master node.
-
-Use the following flags to point your API server(s) at dex. `dex.example.com` should be replaced by whatever DNS name or IP address dex is running under.
-
-```
---oidc-issuer-url=https://dex.example.com:32000/dex
---oidc-client-id=kubernetes
---oidc-ca-file=/etc/ssl/certs/openid-ca.pem
---oidc-username-claim=email
---oidc-groups-claim=groups
-```
-
-Then restart API server(s).
-
-
-See https://kubernetes.io/docs/reference/access-authn-authz/authentication/ for more detail.
-
-### kubelogin
-
-Create context for dex authentication:
-
-```console
-$ kubectl config set-context oidc-ctx --cluster=cluster.local --user=test
-$ kubectl config set-credentials test \
-  --auth-provider=oidc \
-  --auth-provider-arg=idp-issuer-url=https://dex.example.com:32000/dex \
-  --auth-provider-arg=client-id=kubernetes \
-  --auth-provider-arg=client-secret=ZXhhbXBsZS1hcHAtc2VjcmV0 \
-  --auth-provider-arg=idp-certificate-authority-data=$(base64 -w 0 openid-ca.pem) \
-  --auth-provider-arg=extra-scopes="offline_access openid profile email groups"
-$ kubectl config use-context oidc-ctx
-```
-
-Please confirm idp-issuer-url, client-id, client-secret and idp-certificate-authority-data value is same as config-ad-kubelogin.yaml's value.
-
-Then run kubelogin:
-
-```console
-$ kubelogin
-```
-
-Access http://localhost:8000 by web browser and login with your AD account (eg. test@example.com) and password.
-After login and grant, you have following token in ~/.kube/config:
-
-```
-        id-token: eyJhbGciOiJSUzICuU4dCcilDDWlw2lfr8mg...
-        refresh-token: ChlxY2EzeGhKEB4492EzecdKJOElECK...
-```
-

Documentation/connectors/ldap.md

@@ -1,322 +0,0 @@
-# Authentication through LDAP
-
-## Overview
-
-The LDAP connector allows email/password based authentication, backed by a LDAP directory.
-
-The connector executes two primary queries:
-
-1. Finding the user based on the end user's credentials.
-2. Searching for groups using the user entry.
-
-## Getting started
-
-The dex repo contains a basic LDAP setup using [OpenLDAP][openldap].
-
-First start the LDAP server using the example script. This will run the OpenLDAP daemon and seed it with an initial set of users.
-
-```
-./scripts/slapd.sh
-```
-
-This script sets the LDAP daemon to debug mode, and is expected to print several error messages which are normal. Once the server is up, run dex.
-
-```
-./bin/dex serve examples/config-ldap.yaml
-```
-
-Then run the OAuth client in another terminal.
-
-```
-./bin/example-app
-```
-
-Go to [http://localhost:5555](http://localhost:5555), login and enter the username and password of the LDAP user: `janedoe@example.com`/`foo`. Add the "groups" scope as part of the initial redirect to add group information from the LDAP server.
-
-## Security considerations
-
-Dex attempts to bind with the backing LDAP server using the end user's _plain text password_. Though some LDAP implementations allow passing hashed passwords, dex doesn't support hashing and instead _strongly recommends that all administrators just use TLS_. This can often be achieved by using port 636 instead of 389, and administrators that choose 389 are actively leaking passwords.
-
-Dex currently allows insecure connections because the project is still verifying that dex works with the wide variety of LDAP implementations. However, dex may remove this transport option, and _users who configure LDAP login using 389 are not covered by any compatibility guarantees with future releases._
-
-## Configuration
-
-User entries are expected to have an email attribute (configurable through `emailAttr`), and a display name attribute (configurable through `nameAttr`). `*Attr` attributes could be set to "DN" in situations where it is needed but not available elsewhere, and if "DN" attribute does not exist in the record.
-
-For the purposes of configuring this connector, "DN" is case-sensitive and should always be capitalised.
-
-The following is an example config file that can be used by the LDAP connector to authenticate a user.
-
-```yaml
-connectors:
-- type: ldap
-  # Required field for connector id.
-  id: ldap
-  # Required field for connector name.
-  name: LDAP
-  config:
-    # Host and optional port of the LDAP server in the form "host:port".
-    # If the port is not supplied, it will be guessed based on "insecureNoSSL",
-    # and "startTLS" flags. 389 for insecure or StartTLS connections, 636
-    # otherwise.
-    host: ldap.example.com:636
-
-    # Following field is required if the LDAP host is not using TLS (port 389).
-    # Because this option inherently leaks passwords to anyone on the same network
-    # as dex, THIS OPTION MAY BE REMOVED WITHOUT WARNING IN A FUTURE RELEASE.
-    #
-    # insecureNoSSL: true
-
-    # If a custom certificate isn't provide, this option can be used to turn on
-    # TLS certificate checks. As noted, it is insecure and shouldn't be used outside
-    # of explorative phases.
-    #
-    # insecureSkipVerify: true
-
-    # When connecting to the server, connect using the ldap:// protocol then issue
-    # a StartTLS command. If unspecified, connections will use the ldaps:// protocol
-    #
-    # startTLS: true
-
-    # Path to a trusted root certificate file. Default: use the host's root CA.
-    rootCA: /etc/dex/ldap.ca
-
-    # A raw certificate file can also be provided inline.
-    # rootCAData: ( base64 encoded PEM file )
-
-    # The DN and password for an application service account. The connector uses
-    # these credentials to search for users and groups. Not required if the LDAP
-    # server provides access for anonymous auth.
-    # Please note that if the bind password contains a `$`, it has to be saved in an
-    # environment variable which should be given as the value to `bindPW`.
-    bindDN: uid=seviceaccount,cn=users,dc=example,dc=com
-    bindPW: password
-
-    # The attribute to display in the provided password prompt. If unset, will
-    # display "Username"
-    usernamePrompt: SSO Username
-
-    # User search maps a username and password entered by a user to a LDAP entry.
-    userSearch:
-      # BaseDN to start the search from. It will translate to the query
-      # "(&(objectClass=person)(uid=<username>))".
-      baseDN: cn=users,dc=example,dc=com
-      # Optional filter to apply when searching the directory.
-      filter: "(objectClass=person)"
-
-      # username attribute used for comparing user entries. This will be translated
-      # and combined with the other filter as "(<attr>=<username>)".
-      username: uid
-      # The following three fields are direct mappings of attributes on the user entry.
-      # String representation of the user.
-      idAttr: uid
-      # Required. Attribute to map to Email.
-      emailAttr: mail
-      # Maps to display name of users. No default value.
-      nameAttr: name
-
-    # Group search queries for groups given a user entry.
-    groupSearch:
-      # BaseDN to start the search from. It will translate to the query
-      # "(&(objectClass=group)(member=<user uid>))".
-      baseDN: cn=groups,dc=freeipa,dc=example,dc=com
-      # Optional filter to apply when searching the directory.
-      filter: "(objectClass=group)"
-
-      # Following two fields are used to match a user to a group. It adds an additional
-      # requirement to the filter that an attribute in the group must match the user's
-      # attribute value.
-      userAttr: uid
-      groupAttr: member
-
-      # Represents group name.
-      nameAttr: name
-```
-
-The LDAP connector first initializes a connection to the LDAP directory using the `bindDN` and `bindPW`. It then tries to search for the given `username` and bind as that user to verify their password.
-Searches that return multiple entries are considered ambiguous and will return an error.
-
-## Example: Mapping a schema to a search config
-
-Writing a search configuration often involves mapping an existing LDAP schema to the various options dex provides. To query an existing LDAP schema install the OpenLDAP tool `ldapsearch`. For `rpm` based distros run:
-
-```
-sudo dnf install openldap-clients
-```
-
-For `apt-get`:
-
-```
-sudo apt-get install ldap-utils
-```
-
-For smaller user directories it may be practical to dump the entire contents and search by hand.
-
-```
-ldapsearch -x -h ldap.example.org -b 'dc=example,dc=org' | less
-```
-
-First, find a user entry. User entries declare users who can login to LDAP connector using username and password.
-
-```
-dn: uid=jdoe,cn=users,cn=compat,dc=example,dc=org
-cn: Jane Doe
-objectClass: posixAccount
-objectClass: ipaOverrideTarget
-objectClass: top
-gidNumber: 200015
-gecos: Jane Doe
-uidNumber: 200015
-loginShell: /bin/bash
-homeDirectory: /home/jdoe
-mail: jane.doe@example.com
-uid: janedoe
-```
-
-Compose a user search which returns this user.
-
-```yaml
-userSearch:
-  # The directory directly above the user entry.
-  baseDN: cn=users,cn=compat,dc=example,dc=org
-  filter: "(objectClass=posixAccount)"
-
-  # Expect user to enter "janedoe" when logging in.
-  username: uid
-
-  # Use the full DN as an ID.
-  idAttr: DN
-
-  # When an email address is not available, use another value unique to the user, like uid.
-  emailAttr: mail
-  nameAttr: gecos
-```
-
-Second, find a group entry.
-
-```
-dn: cn=developers,cn=groups,cn=compat,dc=example,dc=org
-memberUid: janedoe
-memberUid: johndoe
-gidNumber: 200115
-objectClass: posixGroup
-objectClass: ipaOverrideTarget
-objectClass: top
-cn: developers
-```
-
-Group searches must match a user attribute to a group attribute. In this example, the search returns users whose uid is found in the group's list of memberUid attributes.
-
-```yaml
-groupSearch:
-  # The directory directly above the group entry.
-  baseDN: cn=groups,cn=compat,dc=example,dc=org
-  filter: "(objectClass=posixGroup)"
-
-  # The group search needs to match the "uid" attribute on
-  # the user with the "memberUid" attribute on the group.
-  userAttr: uid
-  groupAttr: memberUid
-
-  # Unique name of the group.
-  nameAttr: cn
-```
-To extract group specific information the `DN` can be used in the `userAttr` field.
-
-```
-# Top level object example.coma in LDIF file.
-dn: dc=example,dc=com
-objectClass: top
-objectClass: dcObject
-objectClass: organization
-dc: example
-```
-
-The following is an example of a group query would match any entry with member=<user DN>:
-
-```yaml
-groupSearch:
-  # BaseDN to start the search from. It will translate to the query
-  # "(&(objectClass=group)(member=<user DN>))".
-  baseDN: cn=groups,cn=compat,dc=example,dc=com
-  # Optional filter to apply when searching the directory.
-  filter: "(objectClass=group)"
-
-  userAttr: DN # Use "DN" here not "uid"
-  groupAttr: member
-
-  nameAttr: name
-```
-
-## Example: Searching a FreeIPA server with groups
-
-The following configuration will allow the LDAP connector to search a FreeIPA directory using an LDAP filter.
-
-```yaml
-connectors:
-- type: ldap
-  id: ldap
-  name: LDAP
-  config:
-    # host and port of the LDAP server in form "host:port".
-    host: freeipa.example.com:636
-    # freeIPA server's CA
-    rootCA: ca.crt
-    userSearch:
-      # Would translate to the query "(&(objectClass=posixAccount)(uid=<username>))".
-      baseDN: cn=users,dc=freeipa,dc=example,dc=com
-      filter: "(objectClass=posixAccount)"
-      username: uid
-      idAttr: uid
-      # Required. Attribute to map to Email.
-      emailAttr: mail
-      # Entity attribute to map to display name of users.
-    groupSearch:
-      # Would translate to the query "(&(objectClass=group)(member=<user uid>))".
-      baseDN: cn=groups,dc=freeipa,dc=example,dc=com
-      filter: "(objectClass=group)"
-      userAttr: uid
-      groupAttr: member
-      nameAttr: name
-```
-
-If the search finds an entry, it will attempt to use the provided password to bind as that user entry.
-
-[openldap]: https://www.openldap.org/
-
-## Example: Searching a Active Directory server with groups
-
-The following configuration will allow the LDAP connector to search a Active Directory using an LDAP filter.
-
-```yaml
-connectors:
-- type: ldap
-  name: ActiveDirectory
-  id: ad
-  config:
-    host: ad.example.com:636
-
-    insecureNoSSL: false
-    insecureSkipVerify: true
-
-    bindDN: cn=Administrator,cn=users,dc=example,dc=com
-    bindPW: admin0!
-
-    usernamePrompt: Email Address
-
-    userSearch:
-      baseDN: cn=Users,dc=example,dc=com
-      filter: "(objectClass=person)"
-      username: userPrincipalName
-      idAttr: DN
-      emailAttr: userPrincipalName
-      nameAttr: cn
-
-    groupSearch:
-      baseDN: cn=Users,dc=example,dc=com
-      filter: "(objectClass=group)"
-      userAttr: DN
-      groupAttr: member
-      nameAttr: cn
-```
-

Documentation/connectors/linkedin.md

@@ -1,27 +0,0 @@
-# Authentication through LinkedIn
-
-## Overview
-
-One of the login options for dex uses the LinkedIn OAuth2 flow to identify the end user through their LinkedIn account.
-
-When a client redeems a refresh token through dex, dex will re-query LinkedIn to update user information in the ID Token. To do this, __dex stores a readonly LinkedIn access token in its backing datastore.__ Users that reject dex's access through LinkedIn will also revoke all dex clients which authenticated them through LinkedIn.
-
-## Configuration
-
-Register a new application via `My Apps -> Create Application` ensuring the callback URL is `(dex issuer)/callback`. For example if dex is listening at the non-root path `https://auth.example.com/dex` the callback would be `https://auth.example.com/dex/callback`.
-
-The following is an example of a configuration for `examples/config-dev.yaml`:
-
-```yaml
-connectors:
-  - type: linkedin
-    # Required field for connector id.
-    id: linkedin
-    # Required field for connector name.
-    name: LinkedIn
-    config:
-      # Credentials can be string literals or pulled from the environment.
-      clientID: $LINKEDIN_APPLICATION_ID
-      clientSecret: $LINKEDIN_CLIENT_SECRET
-      redirectURI: http://127.0.0.1:5556/dex/callback
-```

Documentation/connectors/microsoft.md

@@ -1,118 +0,0 @@
-# Authentication through Microsoft
-
-## Overview
-
-One of the login options for dex uses the Microsoft OAuth2 flow to identify the
-end user through their Microsoft account.
-
-When a client redeems a refresh token through dex, dex will re-query Microsoft
-to update user information in the ID Token. To do this, __dex stores a readonly
-Microsoft access and refresh tokens in its backing datastore.__ Users that
-reject dex's access through Microsoft will also revoke all dex clients which
-authenticated them through Microsoft.
-
-### Caveats
-
-`groups` claim in dex is only supported when `tenant` is specified in Microsoft
-connector config. In order for dex to be able to list groups on behalf of
-logged in user, an explicit organization administrator consent is required. To
-obtain the consent do the following:
-
-  - when registering dex application on https://apps.dev.microsoft.com add
-    an explicit `Directory.Read.All` permission to the list of __Delegated
-    Permissions__
-  - open the following link in your browser and log in under organization
-    administrator account:
-
-`https://login.microsoftonline.com/<tenant>/adminconsent?client_id=<dex client id>`
-
-## Configuration
-
-Register a new application on https://apps.dev.microsoft.com via `Add an app`
-ensuring the callback URL is `(dex issuer)/callback`. For example if dex
-is listening at the non-root path `https://auth.example.com/dex` the callback
-would be `https://auth.example.com/dex/callback`.
-
-The following is an example of a configuration for `examples/config-dev.yaml`:
-
-```yaml
-connectors:
-  - type: microsoft
-    # Required field for connector id.
-    id: microsoft
-    # Required field for connector name.
-    name: Microsoft
-    config:
-      # Credentials can be string literals or pulled from the environment.
-      clientID: $MICROSOFT_APPLICATION_ID
-      clientSecret: $MICROSOFT_CLIENT_SECRET
-      redirectURI: http://127.0.0.1:5556/dex/callback
-```
-
-`tenant` configuration parameter controls what kinds of accounts may be
-authenticated in dex. By default, all types of Microsoft accounts (consumers
-and organizations) can authenticate in dex via Microsoft. To change this, set
-the `tenant` parameter to one of the following:
-
-- `common`- both personal and business/school accounts can authenticate in dex
-  via Microsoft (default)
-- `consumers` - only personal accounts can authenticate in dex
-- `organizations` - only business/school accounts can authenticate in dex
-- `<tenant uuid>` or `<tenant name>` - only accounts belonging to specific
-  tenant identified by either `<tenant uuid>` or `<tenant name>` can
-  authenticate in dex
-
-For example, the following snippet configures dex to only allow business/school
-accounts:
-
-```yaml
-connectors:
-  - type: microsoft
-    # Required field for connector id.
-    id: microsoft
-    # Required field for connector name.
-    name: Microsoft
-    config:
-      # Credentials can be string literals or pulled from the environment.
-      clientID: $MICROSOFT_APPLICATION_ID
-      clientSecret: $MICROSOFT_CLIENT_SECRET
-      redirectURI: http://127.0.0.1:5556/dex/callback
-      tenant: organizations
-```
-
-### Groups
-
-When the `groups` claim is present in a request to dex __and__ `tenant` is
-configured, dex will query Microsoft API to obtain a list of groups the user is
-a member of. `onlySecurityGroups` configuration option restricts the list to
-include only security groups. By default all groups (security, Office 365,
-mailing lists) are included.
-
-By default, dex resolve groups ids to groups names, to keep groups ids, you can
-specify the configuration option `groupNameFormat: id`.
-
-It is possible to require a user to be a member of a particular group in order
-to be successfully authenticated in dex. For example, with the following
-configuration file only the users who are members of at least one of the listed
-groups will be able to successfully authenticate in dex:
-
-```yaml
-connectors:
-  - type: microsoft
-    # Required field for connector id.
-    id: microsoft
-    # Required field for connector name.
-    name: Microsoft
-    config:
-      # Credentials can be string literals or pulled from the environment.
-      clientID: $MICROSOFT_APPLICATION_ID
-      clientSecret: $MICROSOFT_CLIENT_SECRET
-      redirectURI: http://127.0.0.1:5556/dex/callback
-      tenant: myorg.onmicrosoft.com
-      groups:
-        - developers
-        - devops
-```
-
-Also, `useGroupsAsWhitelist` configuration option, can restrict the groups
-claims to include only the user's groups that are in the configured `groups`.

Documentation/connectors/oidc.md

@@ -1,84 +0,0 @@
-# Authentication through an OpenID Connect provider
-
-## Overview
-
-Dex is able to use another OpenID Connect provider as an authentication source. When logging in, dex will redirect to the upstream provider and perform the necessary OAuth2 flows to determine the end users email, username, etc. More details on the OpenID Connect protocol can be found in [_An overview of OpenID Connect_](../openid-connect.md).
-
-Prominent examples of OpenID Connect providers include Google Accounts, Salesforce, and Azure AD v2 ([not v1][azure-ad-v1]).
-
-## Caveats
-
-This connector does not support the "groups" claim. Progress for this is tracked in [issue #1065][issue-1065].
-
-When using refresh tokens, changes to the upstream claims aren't propegated to the id_token returned by dex. If a user's email changes, the "email" claim returned by dex won't change unless the user logs in again. Progress for this is tracked in [issue #863][issue-863].
-
-## Configuration
-
-```yaml
-connectors:
-- type: oidc
-  id: google
-  name: Google
-  config:
-    # Canonical URL of the provider, also used for configuration discovery.
-    # This value MUST match the value returned in the provider config discovery.
-    #
-    # See: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig
-    issuer: https://accounts.google.com
-
-    # Connector config values starting with a "$" will read from the environment.
-    clientID: $GOOGLE_CLIENT_ID
-    clientSecret: $GOOGLE_CLIENT_SECRET
-
-    # Dex's issuer URL + "/callback"
-    redirectURI: http://127.0.0.1:5556/callback
-
-
-    # Some providers require passing client_secret via POST parameters instead
-    # of basic auth, despite the OAuth2 RFC discouraging it. Many of these
-    # cases are caught internally, but some may need to uncommented the
-    # following field.
-    #
-    # basicAuthUnsupported: true
-    
-    # Google supports whitelisting allowed domains when using G Suite
-    # (Google Apps). The following field can be set to a list of domains
-    # that can log in:
-    #
-    # hostedDomains:
-    #  - example.com
-
-    # List of additional scopes to request in token response
-    # Default is profile and email
-    # Full list at https://github.com/dexidp/dex/blob/master/Documentation/custom-scopes-claims-clients.md
-    # scopes:
-    #  - profile
-    #  - email
-    #  - groups
-
-    # Some providers return claims without "email_verified", when they had no usage of emails verification in enrollement process
-    # or if they are acting as a proxy for another IDP etc AWS Cognito with an upstream SAML IDP
-    # This can be overridden with the below option
-    # insecureSkipEmailVerified: true 
-
-    # When enabled, the OpenID Connector will query the UserInfo endpoint for additional claims. UserInfo claims
-    # take priority over claims returned by the IDToken. This option should be used when the IDToken doesn't contain
-    # all the claims requested.
-    # https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
-    # getUserInfo: true
-
-    # The set claim is used as user id.
-    # Default: sub
-    # Claims list at https://openid.net/specs/openid-connect-core-1_0.html#Claims
-    #
-    # userIDKey: nickname
-    
-    # The set claim is used as user name.
-    # Default: name
-    # userNameKey: nickname
-```
-
-[oidc-doc]: openid-connect.md
-[issue-863]: https://github.com/dexidp/dex/issues/863
-[issue-1065]: https://github.com/dexidp/dex/issues/1065
-[azure-ad-v1]: https://github.com/coreos/go-oidc/issues/133

Documentation/connectors/saml.md

@@ -1,113 +0,0 @@
-# Authentication through SAML 2.0
-
-## Overview
-
-The SAML provider allows authentication through the SAML 2.0 HTTP POST binding. The connector maps attribute values in the SAML assertion to user info, such as username, email, and groups.
-
-The connector uses the value of the `NameID` element as the user's unique identifier which dex assumes is both unique and never changes. Use the `nameIDPolicyFormat` to ensure this is set to a value which satisfies these requirements.
-
-Unlike some clients which will process unprompted AuthnResponses, dex must send the initial AuthnRequest and validates the response's InResponseTo value.
-
-## Caveats
-
-__The connector doesn't support refresh tokens__ since the SAML 2.0 protocol doesn't provide a way to requery a provider without interaction. If the "offline_access" scope is requested, it will be ignored.
-
-The connector doesn't support signed AuthnRequests or encrypted attributes.
-
-## Group Filtering
-
-The SAML Connector supports providing a whitelist of SAML Groups to filter access based on, and when the `groupsattr` is set with a scope including groups, Dex will check for membership based on configured groups in the `allowedGroups` config setting for the SAML connector.
-
-## Configuration
-
-```yaml
-connectors:
-- type: saml
-  # Required field for connector id.
-  id: saml
-  # Required field for connector name.
-  name: SAML
-  config:
-    # SSO URL used for POST value.
-    ssoURL: https://saml.example.com/sso
-
-    # CA to use when validating the signature of the SAML response.
-    ca: /path/to/ca.pem
-
-    # Dex's callback URL.
-    #
-    # If the response assertion status value contains a Destination element, it
-    # must match this value exactly.
-    #
-    # This is also used as the expected audience for AudienceRestriction elements
-    # if entityIssuer isn't specified.
-    redirectURI: https://dex.example.com/callback
-
-    # Name of attributes in the returned assertions to map to ID token claims.
-    usernameAttr: name
-    emailAttr: email
-    groupsAttr: groups # optional
-
-    # List of groups to filter access based on membership
-    # allowedGroups
-    #   - Admins
-
-    # CA's can also be provided inline as a base64'd blob.
-    #
-    # caData: ( RAW base64'd PEM encoded CA )
-
-    # To skip signature validation, uncomment the following field. This should
-    # only be used during testing and may be removed in the future.
-    #
-    # insecureSkipSignatureValidation: true
-
-    # Optional: Manually specify dex's Issuer value.
-    #
-    # When provided dex will include this as the Issuer value during AuthnRequest.
-    # It will also override the redirectURI as the required audience when evaluating
-    # AudienceRestriction elements in the response.
-    entityIssuer: https://dex.example.com/callback
-
-    # Optional: Issuer value expected in the SAML response.
-    ssoIssuer: https://saml.example.com/sso
-
-    # Optional: Delimiter for splitting groups returned as a single string.
-    #
-    # By default, multiple groups are assumed to be represented as multiple
-    # attributes with the same name.
-    #
-    # If "groupsDelim" is provided groups are assumed to be represented as a
-    # single attribute and the delimiter is used to split the attribute's value
-    # into multiple groups.
-    groupsDelim: ", "
-
-    # Optional: Requested format of the NameID.
-    #
-    # The NameID value is is mapped to the user ID of the user. This can be an
-    # abbreviated form of the full URI with just the last component. For example,
-    # if this value is set to "emailAddress" the format will resolve to:
-    #
-    #     urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
-    #
-    # If no value is specified, this value defaults to:
-    #
-    #     urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
-    #
-    nameIDPolicyFormat: persistent
-```
-
-A minimal working configuration might look like:
-
-```yaml
-connectors:
-- type: saml
-  id: okta
-  name: Okta
-  config:
-    ssoURL: https://dev-111102.oktapreview.com/app/foo/exk91cb99lKkKSYoy0h7/sso/saml
-    ca: /etc/dex/saml-ca.pem
-    redirectURI: http://127.0.0.1:5556/dex/callback
-    usernameAttr: name
-    emailAttr: email
-    groupsAttr: groups
-```

Documentation/custom-scopes-claims-clients.md

@@ -1,100 +0,0 @@
-# Custom scopes, claims and client features
-
-This document describes the set of OAuth2 and OpenID Connect features implemented by dex.
-
-## Scopes
-
-The following is the exhaustive list of scopes supported by dex:
-
-| Name | Description |
-| ---- | ------------|
-| `openid` | Required scope for all login requests. |
-| `email` | ID token claims should include the end user's email and if that email was verified by an upstream provider. |
-| `profile` | ID token claims should include the username of the end user. |
-| `groups` | ID token claims should include a list of groups the end user is a member of. |
-| `federated:id` | ID token claims should include information from the ID provider. The token will contain the connector ID and the user ID assigned at the provider. |
-| `offline_access` | Token response should include a refresh token. Doesn't work in combinations with some connectors, notability the [SAML connector][saml-connector] ignores this scope. |
-| `audience:server:client_id:( client-id )` | Dynamic scope indicating that the ID token should be issued on behalf of another client. See the _"Cross-client trust and authorized party"_ section below. |
-
-## Custom claims
-
-Beyond the [required OpenID Connect claims][core-claims], and a handful of [standard claims][standard-claims], dex implements the following non-standard claims.
-
-| Name | Description |
-| ---- | ------------|
-| `groups` | A list of strings representing the groups a user is a member of. |
-| `federated_claims` | The connector ID and the user ID assigned to the user at the provider. |
-| `email` | The email of the user. |
-| `email_verified` | If the upstream provider has verified the email. |
-| `name` | User's display name. |
-
-The `federated_claims` claim has the following format:
-
-```json
-"federated_claims": {
-  "connector_id": "github",
-  "user_id": "110272483197731336751"
-}
-```
-
-## Cross-client trust and authorized party
-
-Dex has the ability to issue ID tokens to clients on behalf of other clients. In OpenID Connect terms, this means the ID token's `aud` (audience) claim being a different client ID than the client that performed the login.
-
-For example, this feature could be used to allow a web app to generate an ID token on behalf of a command line tool:
-
-```yaml
-staticClients:
-- id: web-app
-  redirectURIs:
-  - 'https://web-app.example.com/callback'
-  name: 'Web app'
-  secret: web-app-secret
-
-- id: cli-app
-  redirectURIs:
-  - 'https://cli-app.example.com/callback'
-  name: 'Command line tool'
-  secret: cli-app-secret
-  # The command line tool lets the web app issue ID tokens on its behalf.
-  trustedPeers:
-  - web-app
-```
-
-Note that the command line tool must explicitly trust the web app using the `trustedPeers` field. The web app can then use the following scope to request an ID token that's issued for the command line tool.
-
-```
-audience:server:client_id:cli-app
-```
-
-The ID token claims will then include the following audience and authorized party:
-
-```
-{
-    "aud": "cli-app",
-    "azp": "web-app",
-    "email": "foo@bar.com",
-    // other claims...
-}
-``` 
-
-## Public clients
-
-Public clients are inspired by Google's [_"Installed Applications"_][installed-apps] and are meant to impose restrictions on applications that don't intend to keep their client secret private. Clients can be declared as public using the `public` config option.
-
-```yaml
-staticClients:
-- id: cli-app
-  public: true
-  name: 'CLI app'
-  secret: cli-app-secret
-```
-
-Instead of traditional redirect URIs, public clients are limited to either redirects that begin with "http://localhost" or a special "out-of-browser" URL "urn:ietf:wg:oauth:2.0:oob". The latter triggers dex to display the OAuth2 code in the browser, prompting the end user to manually copy it to their app. It's the client's responsibility to either create a screen or a prompt to receive the code, then perform a code exchange for a token response.
-
-When using the "out-of-browser" flow, an ID Token nonce is strongly recommended.
-
-[saml-connector]: saml-connector.md
-[core-claims]: https://openid.net/specs/openid-connect-core-1_0.html#IDToken
-[standard-claims]: https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
-[installed-apps]: https://developers.google.com/api-client-library/python/auth/installed-app

Documentation/dev-become-a-maintainer.md

@@ -1,17 +0,0 @@
-# Join the fun -- become a maintainer!
-
-If a person or their company uses dex, has demonstrated an understanding of this
-project (either by submitting PRs to dex or related projects such as Helm
-charts), and the ability to work productively with the community, that person
-can have write access to this repo. We want to be liberal with this privilege
-and enable companies using dex to have a voice in its development.
-
-The first 10 PRs by new maintainers must be approved by a maintainer from a
-different company.
-
-Access to https://quay.io/dexidp will be restricted to @srenatus, @rithujohn191
-and @ericchiang to prevent new maintainers from being able to unilaterally push
-images.
-
-If you would like access, please email @ericchiang at ericchiang@google.com
-stating your case or open a public issue. Come join the fun 😃

Documentation/dev-dependencies.md

@@ -1,42 +0,0 @@
-# Managing dependencies
-
-## Go modules
-
-Dex uses [Go modules][go-modules] to manage its [`vendor` directory][go-vendor]. Go 1.11 or higher is recommended. While Go 1.12 is expected to finalize the Go modules feature, with Go 1.11 you should [activate the Go modules feature][go-modules-activate] before interacting with Go modules.
-
-Here is one way to activate the Go modules feature with Go 1.11.
-
-```
-export GO111MODULE=on  # manually active module mode
-```
-
-You should become familiar with [module-aware `go get`][module-aware-go-get] as it can be used to add version-pinned dependencies out of band of the typical `go mod tidy -v` workflow.
-
-## Adding dependencies
-
-To add a new dependency to dex or update an existing one:
-
-1. Make changes to dex's source code importing the new dependency.
-2. You have at least three options as to how to update `go.mod` to reflect the new dependency:
-  * Run `go mod tidy -v`. This is a good option if you do not wish to immediately pin to a specific Semantic Version or commit.
-  * Run, for example, `go get <package-name>@<commit-hash>`. This is a good option when you want to immediately pin to a specific Semantic Version or commit.
-  * Manually update `go.mod`.  If one of the two options above doesn't suit you, do this -- but very carefully.
-3. Create a git commit to reflect your code (not vendor) changes. See below for tips on composing commits.
-4. Once `go.mod` describes the desired state and you've create a commit for that change, run `make revendor` to update `go.mod`, `go.sum` and `vendor`. This calls `go mod tidy -v`, `go mod vendor -v` and `go mod verify`.
-5. Create a git commit to reflect the changes made by `make revendor`. Again, see below for tips on composing commits.
-
-## Composing commits
-
-When composing commits make sure that updates to `vendor` are in a separate commit from the main changes. GitHub's UI makes commits with a large number of changes unreviewable.
-
-Commit histories should look like the following:
-
-```
-connector/ldap: add a LDAP connector
-vendor: revendor
-```
-
-[go-modules]: https://github.com/golang/go/wiki/Modules
-[go-modules-activate]: https://github.com/golang/go/wiki/Modules#how-to-install-and-activate-module-support
-[go-vendor]: https://golang.org/cmd/go/#hdr-Vendor_Directories
-[module-aware-go-get]: https://tip.golang.org/cmd/go/#hdr-Module_aware_go_get

Documentation/dev-integration-tests.md

@@ -1,160 +0,0 @@
-# Running integration tests
-
-## Kubernetes
-
-Kubernetes tests run against a Kubernetes API server, and are enabled by the `DEX_KUBECONFIG` environment variable:
-
-```
-$ export DEX_KUBECONFIG=~/.kube/config
-$ go test -v -i ./storage/kubernetes
-$ go test -v ./storage/kubernetes
-```
-
-These tests can be executed locally using docker by running the following script:
-
-```
-$ ./scripts/test-k8s.sh
-```
-
-## Postgres
-
-Running database tests locally requires:
-
-* Docker
-
-To run the database integration tests:
-
-- start a postgres container:
-
-  `docker run --name dex-postgres -e POSTGRES_USER=postgres -e POSTGRES_DB=dex -p 5432:5432 -d postgres:11`
-- export the required environment variables:
-
-  `export DEX_POSTGRES_DATABASE=dex DEX_POSTGRES_USER=postgres DEX_POSTGRES_PASSWORD=postgres DEX_POSTGRES_HOST=127.0.0.1:5432`
-
-- run the storage/sql tests:
-
-  ```
-  $ # sqlite3 takes forever to compile, be sure to install test dependencies
-  $ go test -v -i ./storage/sql
-  $ go test -v ./storage/sql
-  ```
-
-- clean up the postgres container: `docker rm -f dex-postgres`
-
-## Etcd
-
-These tests can also be executed using docker:
-
-- start the container (where `NODE1` is set to the host IP address):
-
-  ```
-  $ export NODE1=0.0.0.0
-  $ docker run --name dex-etcd -p 2379:2379 -p 2380:2380 gcr.io/etcd-development/etcd:v3.3.10 \
-    /usr/local/bin/etcd --name node1 \
-    --initial-advertise-peer-urls http://${NODE1}:2380 --listen-peer-urls http://${NODE1}:2380 \
-    --advertise-client-urls http://${NODE1}:2379 --listen-client-urls http://${NODE1}:2379 \
-    --initial-cluster node1=http://${NODE1}:2380
-  ```
-
-- run the tests, passing the correct endpoint for this etcd instance in `DEX_ETCD_ENDPOINTS`:
-
-  `DEX_ETCD_ENDPOINTS=http://localhost:2379 go test -v ./storage/etcd`
-- clean up the etcd container: `docker rm -f dex-etcd`
-
-## LDAP
-
-The LDAP integration tests require [OpenLDAP][openldap] installed on the host machine. To run them, use `go test`:
-
-```
-export DEX_LDAP_TESTS=1
-go test -v ./connector/ldap/
-```
-
-To quickly stand up a LDAP server for development, see the LDAP [_"Getting started"_][ldap-getting-started] example. This also requires OpenLDAP installed on the host.
-
-To stand up a containerized LDAP server run the OpenLDAP docker image:
-
-```
-$ sudo docker run --hostname ldap.example.org --name openldap-container --detach osixia/openldap:1.1.6
-```
-
-By default TLS is enabled and a certificate is created with the container hostname, which in this case is "ldap.example.org". It will create an empty LDAP for the company Example Inc. and the domain example.org. By default the admin has the password admin.
-
-Add new users and groups (sample .ldif file included at the end):
-
-```
-$ sudo docker exec openldap-container ldapadd -x -D "cn=admin,dc=example,dc=org" -w admin -f <path to .ldif> -h ldap.example.org -ZZ
-```
-
-Verify that the added entries are in your directory with ldapsearch :
-
-```
-$ sudo docker exec openldap-container ldapsearch -x -h localhost -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin
-```
-The .ldif file should contain seed data. Example file contents:
-
-```
-dn: cn=Test1,dc=example,dc=org
-objectClass: organizationalRole
-cn: Test1
-
-dn: cn=Test2,dc=example,dc=org
-objectClass: organizationalRole
-cn: Test2
-
-dn: ou=groups,dc=example,dc=org
-ou: groups
-objectClass: top
-objectClass: organizationalUnit
-
-dn: cn=tstgrp,ou=groups,dc=example,dc=org
-objectClass: top
-objectClass: groupOfNames
-member: cn=Test1,dc=example,dc=org
-cn: tstgrp
-```
-
-## SAML
-
-### Okta
-
-The Okta identity provider supports free accounts for developers to test their implementation against. This document describes configuring an Okta application to test dex's SAML connector.
-
-First, [sign up for a developer account][okta-sign-up]. Then, to create a SAML application:
-
-* Go to the admin screen.
-* Click "Add application"
-* Click "Create New App"
-* Choose "SAML 2.0" and press "Create"
-* Configure SAML
-  * Enter `http://127.0.0.1:5556/dex/callback` for "Single sign on URL"
-  * Enter `http://127.0.0.1:5556/dex/callback` for "Audience URI (SP Entity ID)"
-  * Under "ATTRIBUTE STATEMENTS (OPTIONAL)" add an "email" and "name" attribute. The values should be something like `user:email` and `user:firstName`, respectively.
-  * Under "GROUP ATTRIBUTE STATEMENTS (OPTIONAL)" add a "groups" attribute. Use the "Regexp" filter `.*`.
-
-After the application's created, assign yourself to the app.
-
-* "Applications" > "Applications"
-* Click on your application then under the "People" tab press the "Assign to People" button and add yourself.
-
-At the app, go to the "Sign On" tab and then click "View Setup Instructions". Use those values to fill out the following connector in `examples/config-dev.yaml`.
-
-```yaml
-connectors:
-- type: saml
-  id: saml
-  name: Okta
-  config:
-    ssoURL: ( "Identity Provider Single Sign-On URL" )
-    caData: ( base64'd value of "X.509 Certificate" )
-    redirectURI: http://127.0.0.1:5556/dex/callback
-    usernameAttr: name
-    emailAttr: email
-    groupsAttr: groups
-```
-
-Start both dex and the example app, and try logging in (requires not requesting a refresh token).
-
-[okta-sign-up]: https://www.okta.com/developer/signup/
-[openldap]: https://www.openldap.org/
-[ldap-getting-started]: ldap-connector.md#getting-started

Documentation/dev-releases.md

@@ -1,65 +0,0 @@
-# Releases
-
-Making a dex release involves:
-
-* Tagging a git commit and pushing the tag to GitHub.
-
-From this, Quay will build and tag an image via a build trigger.
-
-This requires the following permissions.
-
-* Push access to the github.com/dexidp/dex git repo.
-
-## Tagging the release
-
-Make sure you've [uploaded your GPG key](https://github.com/settings/keys) and
-configured git to [use that signing key](
-https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work) either globally or
-for the Dex repo. Note that the email the key is issued for must be the email
-you use for git.
-
-```
-git config [--global] user.signingkey "{{ GPG key ID }}"
-git config [--global] user.email "{{ Email associated with key }}"
-```
-
-Create a signed tag at the commit you wish to release. This action will prompt
-you to enter a tag message, which can just be the release version.
-
-```
-git tag -s v2.0.0 ea4c04fde83bd6c48f4d43862c406deb4ea9dba2
-```
-
-Push that tag to the Dex repo.
-
-```
-git push git@github.com:dexidp/dex.git v2.0.0
-```
-
-Draft releases on GitHub and summarize the changes since the last release. See
-previous releases for the expected format.
-
-https://github.com/dexidp/dex/releases
-
-## Minor releases - create a branch
-
-If the release is a minor release (2.1.0, 2.2.0, etc.) create a branch for future patch releases.
-
-```bash
-git checkout -b v2.1.x tags/v2.1.0
-git push git@github.com:dexidp/dex.git v2.1.x
-```
-
-## Patch releases - cherry pick required commits
-
-If the release is a patch release (2.0.1, 2.0.2, etc.) checkout the desired release branch and cherry pick specific commits. A patch release is only meant for urgent bug or security fixes.
-
-```bash
-RELEASE_BRANCH="v2.0.x"
-git checkout $RELEASE_BRANCH
-git checkout -b "cherry-picked-change"
-git cherry-pick (SHA of change)
-git push origin "cherry-picked-change"
-```
-
-Open a PR onto $RELEASE_BRANCH to get the changes approved.

Documentation/getting-started.md

@@ -1,53 +0,0 @@
-# Getting started
-
-## Building the dex binary
-
-Dex requires a Go installation and a GOPATH configured. For setting up a Go workspace, refer to the [official documentation][go-setup]. Clone it down the correct place, and simply type `make` to compile the dex binary.
-
-```
-$ go get github.com/dexidp/dex
-$ cd $GOPATH/src/github.com/dexidp/dex
-$ make
-```
-
-## Configuration
-
-Dex exclusively pulls configuration options from a config file. Use the [example config][example-config] file found in the `examples/` directory to start an instance of dex with an in-memory data store and a set of predefined OAuth2 clients.
-
-```
-./bin/dex serve examples/config-dev.yaml
-```
-
-The [example config][example-config] file documents many of the configuration options through inline comments. For extra config options, look at that file.
-
-## Running a client
-
-Dex operates like most other OAuth2 providers. Users are redirected from a client app to dex to login. Dex ships with an example client app (also built with the `make` command), for testing and demos.
-
-By default, the example client is configured with the same OAuth2 credentials defined in `examples/config-dev.yaml` to talk to dex. Running the example app will cause it to query dex's [discovery endpoint][oidc-discovery] and determine the OAuth2 endpoints.
-
-```
-./bin/example-app
-```
-
-Login to dex through the example app using the following steps.
-
-1. Navigate to the example app in your browser at http://localhost:5555/ in your browser.
-2. Hit "login" on the example app to be redirected to dex.
-3. Choose the "Login with Email" and enter "admin@example.com" and "password"
-4. Approve the example app's request.
-5. See the resulting token the example app claims from dex.
-
-## Further reading
-
-Dex is generally used as a building block to drive authentication for other apps. See [_"Writing apps that use dex"_][using-dex] for an overview of instrumenting apps to work with dex.
-
-For a primer on using LDAP to back dex's user store, see the OpenLDAP [_"Getting started"_][ldap-getting-started] example.
-
-Check out the Documentation directory for further reading on setting up different storages, interacting with the dex API, intros for OpenID Connect, and logging in through other identity providers such as Google, GitHub, or LDAP.
-
-[go-setup]: https://golang.org/doc/install
-[example-config]: ../examples/config-dev.yaml
-[oidc-discovery]: https://openid.net/specs/openid-connect-discovery-1_0-17.html#ProviderMetadata
-[using-dex]: using-dex.md
-[ldap-getting-started]: ldap-connector.md#getting-started

Documentation/github-connector.md

@@ -1 +0,0 @@
-This document has moved to [connectors/github.md](connectors/github.md).

Documentation/gitlab-connector.md

@@ -1 +0,0 @@
-This document has moved to [connectors/gitlab.md](connectors/gitlab.md).

Documentation/integrations.md

@@ -1,6 +0,0 @@
-# Integrations
-This document tracks the libraries and tools that are compatible with dex. [Join the community](https://github.com/dexidp/dex/), and help us keep the list up-to-date.
-
-## Tools
-
-## Projects with a dex dependency

Documentation/kubernetes.md

@@ -1,178 +0,0 @@
-# Kubernetes authentication through dex
-
-## Overview
-
-This document covers setting up the [Kubernetes OpenID Connect token authenticator plugin][k8s-oidc] with dex.
-It also contains a worked example showing how the Dex server can be deployed within Kubernetes.
-
-Token responses from OpenID Connect providers include a signed JWT called an ID Token. ID Tokens contain names, emails, unique identifiers, and in dex's case, a set of groups that can be used to identify the user. OpenID Connect providers, like dex, publish public keys; the Kubernetes API server understands how to use these to verify ID Tokens.
-
-The authentication flow looks like:
-
-1. OAuth2 client logs a user in through dex.
-2. That client uses the returned ID Token as a bearer token when talking to the Kubernetes API.
-3. Kubernetes uses dex's public keys to verify the ID Token.
-4. A claim designated as the username (and optionally group information) will be associated with that request.
-
-Username and group information can be combined with Kubernetes [authorization plugins][k8s-authz], such as role based access control (RBAC), to enforce policy.
-
-## Configuring the OpenID Connect plugin
-
-Configuring the API server to use the OpenID Connect [authentication plugin][k8s-oidc] requires:
-
-* Deploying an API server with specific flags.
-* Dex is running on HTTPS.
-  * Custom CA files must be accessible by the API server.
-* Dex is accessible to both your browser and the Kubernetes API server.
-
-Use the following flags to point your API server(s) at dex. `dex.example.com` should be replaced by whatever DNS name or IP address dex is running under.
-
-```
---oidc-issuer-url=https://dex.example.com:32000
---oidc-client-id=example-app
---oidc-ca-file=/etc/ssl/certs/openid-ca.pem
---oidc-username-claim=email
---oidc-groups-claim=groups
-```
-
-Additional notes:
-
-* The API server configured with OpenID Connect flags doesn't require dex to be available upfront.
-  * Other authenticators, such as client certs, can still be used.
-  * Dex doesn't need to be running when you start your API server.
-* Kubernetes only trusts ID Tokens issued to a single client.
-  * As a work around dex allows clients to [trust other clients][trusted-peers] to mint tokens on their behalf.
-* If a claim other than "email" is used for username, for example "sub", it will be prefixed by `"(value of --oidc-issuer-url)#"`. This is to namespace user controlled claims which may be used for privilege escalation.
-* The `/etc/ssl/certs/openid-ca.pem` used here is the CA from the [generated TLS assets](#generate-tls-assets), and is assumed to be present on the cluster nodes.
-
-## Deploying dex on Kubernetes
-
-The dex repo contains scripts for running dex on a Kubernetes cluster with authentication through GitHub. The dex service is exposed using a [node port][node-port] on port 32000. This likely requires a custom `/etc/hosts` entry pointed at one of the cluster's workers.
-
-Because dex uses [CRDs](https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/) to store state, no external database is needed. For more details see the [storage documentation](storage.md#kubernetes-third-party-resources).
-
-There are many different ways to spin up a Kubernetes development cluster, each with different host requirements and support for API server reconfiguration. At this time, this guide does not have copy-pastable examples, but can recommend the following methods for spinning up a cluster:
-
-* [coreos-kubernetes][coreos-kubernetes] repo for vagrant and VirtualBox users.
-* [coreos-baremetal][coreos-baremetal] repo for Linux QEMU/KVM users.
-
-To run dex on Kubernetes perform the following steps:
-
-1. Generate TLS assets for dex.
-2. Spin up a Kubernetes cluster with the appropriate flags and CA volume mount.
-3. Create secrets for TLS and for your [GitHub OAuth2 client credentials][github-oauth2].
-4. Deploy dex.
-
-### Generate TLS assets
-
-Running Dex with HTTPS enabled requires a valid SSL certificate, and the API server needs to trust the certificate of the signing CA using the `--oidc-ca-file` flag.
-
-For our example use case, the TLS assets can be created using the following command:
-
-```
-$ cd examples/k8s
-$ ./gencert.sh
-```
-
-This will generate several files under the `ssl` directory, the important ones being `cert.pem` ,`key.pem` and `ca.pem`. The generated SSL certificate is for 'dex.example.com', although you could change this by editing `gencert.sh` if required.
-
-### Configure the API server
-
-#### Ensure the CA certificate is available to the API server
-
-
-The CA file which was used to sign the SSL certificates for Dex needs to be copied to a location where the API server can read it, and the API server configured to look for it with the flag `--oidc-ca-file`. 
-
-There are several options here but if you run your API server as a container probably the easiest method is to use a [hostPath](https://kubernetes.io/docs/concepts/storage/volumes/#hostpath) volume to mount the CA file directly from the host.
-
-The example pod manifest below assumes that you copied the CA file into `/etc/ssl/certs`. Adjust as necessary:
-
-```
-spec:
-  containers:
-
-    [...]
-
-    volumeMounts:
-    - mountPath: /etc/ssl/certs
-      name: etc-ssl-certs
-      readOnly: true
-
-    [...]
-
-  volumes:
-   - name: ca-certs
-     hostPath:
-       path: /etc/ssl/certs
-       type: DirectoryOrCreate
-```
-
-Depending on your installation you may also find that certain folders are already mounted in this way and that you can simply copy the CA file into an existing folder for the same effect.
-
-#### Configure API server flags
-
-Configure the API server as in [Configuring the OpenID Connect Plugin](#configuring-the-openid-connect-plugin) above.
-
-Note that the `ca.pem` from above has been renamed to `openid-ca.pem` in this example - this is just to separate it from any other CA certificates that may be in use.
-
-### Create cluster secrets
-
-Once the cluster is up and correctly configured, use kubectl to add the serving certs as secrets.
-
-```
-$ kubectl create secret tls dex.example.com.tls --cert=ssl/cert.pem --key=ssl/key.pem
-```
-
-Then create a secret for the GitHub OAuth2 client.
-
-```
-$ kubectl create secret \
-    generic github-client \
-    --from-literal=client-id=$GITHUB_CLIENT_ID \
-    --from-literal=client-secret=$GITHUB_CLIENT_SECRET
-```
-
-### Deploy the Dex server
-
-Create the dex deployment, configmap, and node port service. This will also create RBAC bindings allowing the Dex pod access to manage [Custom Resource Definitions](storage.md#kubernetes-custom-resource-definitions-crds) within Kubernetes.
-
-```
-$ kubectl create -f dex.yaml
-```
-
-__Caveats:__ No health checking is configured because dex does its own TLS termination complicating the setup. This is a known issue and can be tracked [here][dex-healthz].
-
-## Logging into the cluster
-
-The `example-app` can be used to log into the cluster and get an ID Token. To build the app, you can run `make` in the root of the repo and it will build the `example-app` binary in the repo's `bin` directory. To build the `example-app` requires at least a 1.7 version of Go.
-
-```
-$ ./bin/example-app --issuer https://dex.example.com:32000 --issuer-root-ca examples/k8s/ssl/ca.pem
-```
-
-Please note that the `example-app` will listen at http://127.0.0.1:5555 and can be changed with the `--listen` flag.
-
-Once the example app is running, choose the GitHub option and grant access to dex to view your profile.
-
-The default redirect uri is http://127.0.0.1:5555/callback and can be changed with the `--redirect-uri` flag and should correspond with your configmap.
-
-Please note the redirect uri is different from the one you filled when creating `GitHub OAuth2 client credentials`. 
-When you login, GitHub first redirects to dex (https://dex.example.com:32000/callback), then dex redirects to the redirect uri of exampl-app.
-
-The printed ID Token can then be used as a bearer token to authenticate against the API server.
-
-```
-$ token='(id token)'
-$ curl -H "Authorization: Bearer $token" -k https://( API server host ):443/api/v1/nodes
-```
-
-[k8s-authz]: http://kubernetes.io/docs/admin/authorization/
-[k8s-oidc]: http://kubernetes.io/docs/admin/authentication/#openid-connect-tokens
-[trusted-peers]: https://godoc.org/github.com/dexidp/dex/storage#Client
-[coreos-kubernetes]: https://github.com/coreos/coreos-kubernetes/
-[coreos-baremetal]: https://github.com/coreos/coreos-baremetal/
-[dex-healthz]: https://github.com/dexidp/dex/issues/682
-[github-oauth2]: https://github.com/settings/applications/new
-[node-port]: http://kubernetes.io/docs/user-guide/services/#type-nodeport
-[coreos-kubernetes]: https://github.com/coreos/coreos-kubernetes
-[coreos-baremetal]: https://github.com/coreos/coreos-baremetal

Documentation/ldap-connector.md

@@ -1 +0,0 @@
-This document has moved to [connectors/ldap.md](connectors/ldap.md).

Documentation/linkedin-connector.md

@@ -1 +0,0 @@
-This document has moved to [connectors/linkedin.md](connectors/linkedin.md).

Documentation/microsoft-connector.md

@@ -1 +0,0 @@
-This document has moved to [connectors/microsoft.md](connectors/microsoft.md).

Documentation/oidc-certification-setup.md

@@ -1,176 +0,0 @@
-# OpenID Connect Provider Certification
-
-The OpenID Foundation provides a set of [conformance test profiles][oidc-conf-profiles] that test both Relying Party and OpenID Provider (OP) OpenID Connect implementations. Upon submission of [results][oidc-result-submission] and an affirmative response, the affirmed OP will be listed as a [certified OP][oidc-certified-ops] on the OpenID Connect website and allowed to use the [certification mark][oidc-cert-mark] according to the certification [terms and conditions][oidc-terms-conds], section 3(d).
-
-## Basic OpenID Provider Tests
-
-Dex is an OP that strives to implement the [mandatory set][oidc-core-spec-mandatory] of OpenID Connect features, and can be tested against the Basic OpenID Provider profile ([profile outline][oidc-conf-profiles], section 2.1.1). These tests ensure that all features required by a [basic client][oidc-basic-client-spec] work as expected.
-
-Features are currently under development to fully comply with the Basic profile, as dex currently does not. The following issues track our progress:
-
-Issue number | Relates to
-:---: | :---:
-[\#376][dex-issue-376] | userinfo_endpoint
-[\#1052][dex-issue-1052] | auth_time
-
-[dex-issue-376]: https://github.com/dexidp/dex/issues/376
-[dex-issue-1052]: https://github.com/dexidp/dex/issues/1052
-
-### Setup
-
-There are two ways to set up an OpenID test instance:
-1. Configure a test instance provided by The OpenID Foundation by following [instructions][oidc-test-config] on their website.
-1. Download their test runner from [GitHub][oidc-github] and follow the instructions in the [README][oidc-github-readme].
-    * Requires `docker` and `docker-compose`
-
-Configuration is essentially the same for either type of OpenID test instance. We will proceed with option 1 in this example, and set up an [AWS EC2 instance][aws-ec2-instance] to deploy dex:
-* Create an [AWS EC2 instance][aws-ec2-quick-start] and connect to your instance using [SSH][aws-ec2-ssh].
-* Install [dex][dex-install].
-* Ensure whatever port dex is listening on (usually 5556) is open to ingress traffic in your security group configuration.
-* In this example the public DNS name, automatically assigned to each internet-facing EC2 instance, is **my-test-ec2-server.com**. You can find your instances' in the AWS EC2 management console.
-
-### Configuring an OpenID test instance
-
-1. Navigate to [https://op.certification.openid.net:60000][oidc-test-start].
-1. Click 'New' configuration.
-1. Input your issuer url: `http://my-test-ec2-server.com:5556/dex`.
-1. Select `code` as the response type.
-1. Click 'Create' to further configure your OpenID instance.
-1. On the next page, copy and paste the `redirect_uris` into the `redirectURIs` config field (see below).
-1. At this point we can run dex, as we have all the information necessary to create a config file (`oidc-config.yaml` in this example):
-    ```yaml
-    issuer: http://my-test-ec2-server.com:5556/dex
-    storage:
-      type: sqlite3
-      config:
-        file: examples/dex.db
-    web:
-      http: 0.0.0.0:5556
-    oauth2:
-      skipApprovalScreen: true
-    staticClients:
-    - id: example-app
-      redirectURIs:
-      - 'https://op.certification.openid.net:${OPENID_SERVER_PORT}/authz_cb'
-      name: 'Example App'
-      secret: ZXhhbXBsZS1hcHAtc2VjcmV0
-    connectors:
-    - type: mockCallback
-      id: mock
-      name: Example
-    ```
-    * Substitute `OPENID_SERVER_PORT` for your OpenID test instance port number, assigned after configuring that instance.
-    * Set the `oauth2` field `skipApprovalScreen: true` to automate some clicking.
-1. Run dex:
-    ```bash
-    $ ./bin/dex serve oidc-config.yaml
-    time="2017-08-25T06:34:57Z" level=info msg="config issuer: http://my-test-ec2-server.com:5556/dex"
-    ...
-    ```
-1. Input `client_id` and `client_secret` from your config file.
-    * The `id` and `secret` used here are from the example config file [`staticClients` field](../examples/config-dev.yaml#L50-L55).
-1. Use data returned by the `GET /.well-known/openid-configuration` API call to fill in the rest of the configuration forms:
-    ```bash
-    [home@localhost ~]$ curl http://my-test-ec2-server.com:5556/dex/.well-known/openid-configuration
-    {
-      "issuer": "http://my-test-ec2-server.com:5556/dex",
-      "authorization_endpoint": "http://my-test-ec2-server.com:5556/dex/auth",
-      "token_endpoint": "http://my-test-ec2-server.com:5556/dex/token",
-      "jwks_uri": "http://my-test-ec2-server.com:5556/dex/keys",
-      "response_types_supported": [
-        "code"
-      ],
-      "subject_types_supported": [
-        "public"
-      ],
-      "id_token_signing_alg_values_supported": [
-        "RS256"
-      ],
-      "scopes_supported": [
-        "openid",
-        "email",
-        "groups",
-        "profile",
-        "offline_access"
-      ],
-      "token_endpoint_auth_methods_supported": [
-        "client_secret_basic"
-      ],
-      "claims_supported": [
-        "aud",
-        "email",
-        "email_verified",
-        "exp",
-        "iat",
-        "iss",
-        "locale",
-        "name",
-        "sub"
-      ]
-    }
-    ```
-    * Fill in all configuration information that the `/.well-known/openid-configuration` endpoint returns, althgouh this is not strictly necessary. We should give the test cases as much information about dex's OP implementation as possible.
-1. Press the 'Save and Start' button to start your OpenID test instance.
-1. Follow the provided link.
-1. Run through each test case, following all instructions given by individual cases.
-    * In order to pass certain cases, screenshots of OP responses might be required.
-
-## Results and Submission
-
-Dex does not fully pass the Basic profile test suite yet. The following table contains the current state of test results.
-
-Test case ID | Result type | Cause | Relates to
---- | --- | --- | ---
-OP-Response-Missing | Incomplete | Expected |
-OP-Response-code | Succeeded | |
-OP-Response-form_post | Succeeded | |
-OP-IDToken-C-Signature | Succeeded | |
-OP-ClientAuth-Basic-Static | Succeeded | |
-OP-ClientAuth-SecretPost-Static | Warning | Unsupported | client_secret_post
-OP-Token-refresh | Incomplete | Unsupported | userinfo_endpoint
-OP-UserInfo-Body | Incomplete | Unsupported | userinfo_endpoint
-OP-UserInfo-Endpoint | Incomplete | Unsupported | userinfo_endpoint
-OP-UserInfo-Header | Incomplete | Unsupported | userinfo_endpoint
-OP-claims-essential | Incomplete | Unsupported | userinfo_endpoint
-OP-display-page | Succeeded | |
-OP-display-popup | Succeeded | |
-OP-nonce-NoReq-code | Succeeded | |
-OP-nonce-code | Succeeded | |
-OP-prompt-login | Succeeded | |
-OP-prompt-none-LoggedIn | Succeeded | |
-OP-prompt-none-NotLoggedIn | Incomplete | Error expected
-OP-redirect_uri-NotReg | Incomplete | Requires screenshot
-OP-scope-All | Incomplete | Unsupported | address, phone
-OP-scope-address | Incomplete | Unsupported | address
-OP-scope-email | Incomplete | Unsupported | userinfo_endpoint
-OP-scope-phone | Incomplete | Unsupported | phone
-OP-scope-profile | Incomplete | Unsupported | userinfo_endpoint
-OP-Req-NotUnderstood | Succeeded | |
-OP-Req-acr_values | Warning | No acr value | id_token
-OP-Req-claims_locales | Incomplete | Unsupported | userinfo_endpoint
-OP-Req-id_token_hint | Succeeded | |
-OP-Req-login_hint | Incomplete | Missing configuration field | login_hint
-OP-Req-max_age=1 | Failed | Missing configuration field | auth_time
-OP-Req-max_age=10000 | Failed | Missing configuration field | auth_time
-OP-Req-ui_locales | Succeeded | |
-OP-OAuth-2nd | Warning | Unexpected error response | invalid_request
-OP-OAuth-2nd-30s | Warning | Unexpected error response | invalid_request
-OP-OAuth-2nd-Revokes | Incomplete | Unsupported | userinfo_endpoint
-
-Once all test cases pass, submit your results by following instructions listed [on the website][oidc-result-submission].
-
-[dex-install]: https://github.com/dexidp/dex/blob/master/Documentation/getting-started.md#building-the-dex-binary
-[aws-ec2-instance]: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.htmlSSH
-[aws-ec2-ssh]: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html
-[aws-ec2-quick-start]: http://docs.aws.amazon.com/quickstarts/latest/vmlaunch/step-1-launch-instance.html
-[oidc-core-spec-mandatory]: http://openid.net/specs/openid-connect-core-1_0.html#ServerMTI
-[oidc-basic-client-spec]: http://openid.net/specs/openid-connect-basic-1_0.html
-[oidc-conf-profiles]: http://openid.net/wordpress-content/uploads/2016/12/OpenID-Connect-Conformance-Profiles.pdf
-[oidc-test-config]: http://openid.net/certification/testing/
-[oidc-test-start]: https://op.certification.openid.net:60000
-[oidc-result-submission]: http://openid.net/certification/submission/
-[oidc-cert-mark]: http://openid.net/certification/mark/
-[oidc-certified-ops]: http://openid.net/developers/certified/
-[oidc-terms-conds]: http://openid.net/wordpress-content/uploads/2015/03/OpenID-Certification-Terms-and-Conditions.pdf
-[oidc-github]: https://github.com/openid-certification/oidctest
-[oidc-github-readme]: https://github.com/openid-certification/oidctest/blob/master/README.md

Documentation/oidc-connector.md

@@ -1 +0,0 @@
-This document has moved to [connectors/oidc.md](connectors/oidc.md).

Documentation/openid-connect.md

@@ -1,141 +0,0 @@
-# An overview of OpenID Connect
-
-This document attempts to provide a general overview of the [OpenID Connect protocol](https://openid.net/connect/), a flavor of OAuth2 that dex implements. While this document isn't complete, we hope it provides enough information to get users up and running.
-
-For an overview of custom claims, scopes, and client features implemented by dex, see [this document][scopes-claims-clients].
-
-## OAuth2
-
-OAuth2 should be familiar to anyone who's used something similar to a "Login
-with Facebook" button. In these cases an application has chosen to let an
-outside provider, in this case Facebook, attest to your identity instead of
-having you set a username and password with the app itself.
-
-The general flow for server side apps is:
-
-1. A new user visits an application.
-1. The application redirects the user to Facebook.
-1. The user logs into Facebook, then is asked if it's okay to let the
-application view the user's profile, post on their behalf, etc.
-1. If the user clicks okay, Facebook redirects the user back to the application
-with a code.
-1. The application redeems that code with provider for a token that can be used
-to access the authorized actions, such as viewing a users profile or posting on
-their wall.
-
-In these cases, dex is acting as Facebook (called the "provider" in OpenID
-Connect) while clients apps redirect to it for the end user's identity. 
-
-## ID Tokens
-
-Unfortunately the access token applications get from OAuth2 providers is
-completely opaque to the client and unique to the provider. The token you
-receive from Facebook will be completely different from the one you'd get from
-Twitter or GitHub.
-
-OpenID Connect's primary extension of OAuth2 is an additional token returned in
-the token response called the ID Token. This token is a [JSON Web Token](
-https://tools.ietf.org/html/rfc7519) signed by the OpenID Connect server, with
-well known fields for user ID, name, email, etc. A typical token response from
-an OpenID Connect looks like (with less whitespace):
-
-```
-HTTP/1.1 200 OK
-Content-Type: application/json
-Cache-Control: no-store
-Pragma: no-cache
-
-{
- "access_token": "SlAV32hkKG",
- "token_type": "Bearer",
- "refresh_token": "8xLOxBtZp8",
- "expires_in": 3600,
- "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzc
-   yI6ICJodHRwOi8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5
-   NzYxMDAxIiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAibi0wUzZ
-   fV3pBMk1qIiwKICJleHAiOiAxMzExMjgxOTcwLAogImlhdCI6IDEzMTEyODA5Nz
-   AKfQ.ggW8hZ1EuVLuxNuuIJKX_V8a_OMXzR0EHR9R6jgdqrOOF4daGU96Sr_P6q
-   Jp6IcmD3HP99Obi1PRs-cwh3LO-p146waJ8IhehcwL7F09JdijmBqkvPeB2T9CJ
-   NqeGpe-gccMg4vfKjkM8FcGvnzZUN4_KSP0aAp1tOJ1zZwgjxqGByKHiOtX7Tpd
-   QyHE5lcMiKPXfEIQILVq0pc_E2DzL7emopWoaoZTF_m0_N0YzFC6g6EJbOEoRoS
-   K5hoDalrcvRYLSrQAZZKflyuVCyixEoV9GfNQC3_osjzw2PAithfubEEBLuVVk4
-   XUVrWOLrLl0nx7RkKU8NXNHq-rvKMzqg"
-}
-```
-
-That ID Token is a JWT with three base64'd fields separated by dots. The first
-is a header, the second is a payload, and the third is a signature of the first
-two fields. When parsed we can see the payload of this value is.
-
-```
-{
-  "iss": "http://server.example.com",
-  "sub": "248289761001",
-  "aud": "s6BhdRkqt3",
-  "nonce": "n-0S6_WzA2Mj",
-  "exp": 1311281970,
-  "iat": 1311280970
-}
-```
-
-This has a few interesting fields such as
-
-* The server that issued this token (`iss`).
-* The token's subject (`sub`). In this case a unique ID of the end user.
-* The token's audience (`aud`). The ID of the OAuth2 client this was issued for.
-
-TODO: Add examples of payloads with "email" fields.
-
-## Discovery
-
-OpenID Connect servers have a discovery mechanism for OAuth2 endpoints, scopes
-supported, and indications of various other OpenID Connect features.
-
-```
-$ curl http://127.0.0.1:5556/dex/.well-known/openid-configuration
-{
-  "issuer": "http://127.0.0.1:5556",
-  "authorization_endpoint": "http://127.0.0.1:5556/auth",
-  "token_endpoint": "http://127.0.0.1:5556/token",
-  "jwks_uri": "http://127.0.0.1:5556/keys",
-  "response_types_supported": [
-    "code"
-  ],
-  "subject_types_supported": [
-    "public"
-  ],
-  "id_token_signing_alg_values_supported": [
-    "RS256"
-  ],
-  "scopes_supported": [
-    "openid",
-    "email",
-    "profile"
-  ]
-}
-```
-
-Importantly, we've discovered the authorization endpoint, token endpoint, and
-the location of the server's public keys. OAuth2 clients should be able to use
-the token and auth endpoints immediately, while a JOSE library can be used to
-parse the keys. The keys endpoint returns a [JSON Web Key](
-https://tools.ietf.org/html/rfc7517) Set of public keys that will look
-something like this:
-
-```
-$ curl http://127.0.0.1:5556/dex/keys
-{
-  "keys": [
-    {
-      "use": "sig",
-      "kty": "RSA",
-      "kid": "5d19a0fde5547960f4edaa1e1e8293e5534169ba",
-      "alg": "RS256",
-      "n": "5TAXCxkAQqHEqO0InP81z5F59PUzCe5ZNaDsD1SXzFe54BtXKn_V2a3K-BUNVliqMKhC2LByWLuI-A5ZlA5kXkbRFT05G0rusiM0rbkN2uvRmRCia4QlywE02xJKzeZV3KH6PldYqV_Jd06q1NV3WNqtcHN6MhnwRBfvkEIm7qWdPZ_mVK7vayfEnOCFRa7EZqr-U_X84T0-50wWkHTa0AfnyVvSMK1eKL-4yc26OWkmjh5ALfQFtnsz30Y2TOJdXtEfn35Y_882dNBDYBxtJV4PaSjXCxhiaIuBHp5uRS1INyMXCx2ve22ASNx_ERorv6BlXQoMDqaML2bSiN9N8Q",
-      "e": "AQAB"
-    }
-  ]
-}
-```
-
-[scopes-claims-clients]: custom-scopes-claims-clients.md

Documentation/proposals/token-revocation.md

@@ -1,82 +0,0 @@
-# Proposal: design for revoking refresh tokens.
-
-Refresh tokens are issued to the client by the authorization server and are used
-to request a new access token when the current access token becomes invalid or expires.
-It is a common usecase for the end users to revoke client access to their identity.
-This proposal defines the changes needed in Dex v2 to support refresh token revocation.
-
-## Motivation
-
-1. Currently refresh tokens are not associated with the user. Need a new "session object" for this.
-2. Need an API to list refresh tokens based on the UserID.
-3. We need a way for users to login to dex and revoke a client.
-4. Limit the number refresh tokens for each user-client pair to 1.
-
-## Details
-
-Currently in Dex when an end user successfully logs in via a connector and has the OfflineAccess
-scope set to true, a refresh token is created and stored in the backing datastore. There is no
-association between the end user and the refresh token. Hence if we want to support the functionality
-of users being able to revoke refresh tokens, the first step is to have a structure in place that allows
-us retrieve a list of refresh tokens depending on the authenticated user.
-
-```go
-// Reference object for RefreshToken containing only metadata.
-type RefreshTokenRef struct {
-	// ID of the RefreshToken
-	ID string
-	CreatedAt time.Time
-	LastUsed  time.Time
-}
-
-// Session objects pertaining to users with refresh tokens.
-//
-// Will have to handle garbage collection i.e. if no refresh token exists for a user,
-// this object must be cleaned up.
-type OfflineSession struct {
-        // UserID of an end user who has logged in to the server.
-        UserID        string
-        // The ID of the connector used to login the user.
-        ConnID     string
-        // List of pointers to RefreshTokens issued for SessionID
-        Refresh         []*RefreshTokenRef
-}
-
-// Retrieve OfflineSession obj for given userId and connID
-func getOfflineSession (userId string, connID string)
-
-```
-
-### Changes in Dex CodeFlows
-
-1. Client requests a refresh token:
-   Try to retrieve the `OfflineSession` object for the User with the given `UserID + ConnID`.
-   This leads to two possibilities:   
-	* Object exists: This means a Refresh token already exists for the user.
-          Update the existing `OffilineSession` object with the newly received token as follows:
-		* CreateRefresh() will create a new `RefreshToken` obj in the storage.
-		* Update the `Refresh` list with the new `RefreshToken` pointer.
-		* Delete the old refresh token in storage.
-
-	* No object found: This implies that this will be the first refresh token for the user.
- 		* CreateRefresh() will create a new `RefreshToken` obj in the storage.
-		* Create an OfflineSession for the user and add the new `RefreshToken` pointer to
-		  the `Refresh` list.
-                
-2. Refresh token rotation:
-   There will be no change to this codeflow. When the client refreshes a refresh token, the `TokenID`
-   still remains intact and only the `RefreshToken` obj gets updated with a new nonce. We do not need
-   any additional checks in the OfflineSession objects as the `RefreshToken` pointers still remain intact.
-
-3. User revokes a refresh token (New functionality):
-   A user that has been authenticated externally will have the ability to revoke their refresh tokens.
-   Please note that Dex's API does not perform the authentication, this will have to be done by an
-   external app.
-   Steps involved:
-	* Get `OfflineSession` obj with given UserID + ConnID. 
-	* If a refresh token exists in `Refresh`, delete the `RefreshToken` (handle this in storage)
-	  and its pointer value in `Refresh`. Clean up the OfflineSession object.
-	* If there is no refresh token found, handle error case.
-
-NOTE: To avoid race conditions between “requesting a refresh token” and “revoking a refresh token”, use
-locking mechanism when updating an `OfflineSession` object.

Documentation/proposals/upstream-refreshing.md

@@ -1,165 +0,0 @@
-# Proposal: upstream refreshing
-
-## TL;DR
-
-Today, if a user deletes their GitHub account, dex will keep allowing clients to
-refresh tokens on that user's behalf because dex never checks back in with
-GitHub.
-
-This is a proposal to change the connector package so the dex can check back
-in with GitHub.
-
-## The problem
-
-When dex is federaing to an upstream identity provider (IDP), we want to ensure
-claims being passed onto clients remain fresh. This includes data such as Google
-accounts display names, LDAP group membership, account deactivations. Changes to
-these on an upstream IDP should always be reflected in the claims dex passes to
-its own clients.
-
-Refresh tokens make this complicated. When refreshing a token, unlike normal
-logins, dex doesn't have the opportunity to prompt for user interaction. For
-example, if dex is proxying to a LDAP server, it won't have the user's username
-and passwords.
-
-Dex can't do this today because connectors have no concept of checking back in
-with an upstream provider (with the sole exception of groups). They're only 
-called during the initial login, and never consulted when dex needs to mint a
-new refresh token for a client. Additionally, connectors aren't actually aware
-of the scopes being requested by the client, so they don't know when they should
-setup the ability to check back in and have to treat every request identically.
-
-## Changes to the connector package
-
-The biggest changes proposed impact the connector package and connector
-implementations.
-
-1. Connectors should be consulted when dex attempts to refresh a token.
-2. Connectors should be aware of the scopes requested by the client.
-
-The second bullet is important because of the first. If a client isn't
-requesting a refresh token, the connector shouldn't do the extra work, such as
-requesting additional upstream scopes.
-
-to address the first point, a top level `Scopes` object will be added to the
-connector package to express the scopes requested by the client. The
-`CallbackConnector` and `PasswordConnector` will be updated accordingly.
-
-```go
-// Scopes represents additional data requested by the clients about the end user.
-type Scopes struct{
-	// The client has requested a refresh token from the server.
-	OfflineAccess bool
-
-	// The client has requested group information about the end user.
-	Groups bool
-}
-
-// CallbackConnector is an interface implemented by connectors which use an OAuth
-// style redirect flow to determine user information.
-type CallbackConnector interface {
-	// The initial URL to redirect the user to.
-	//
-	// OAuth2 implementations should request different scopes from the upstream
-	// identity provider based on the scopes requested by the downstream client.
-	// For example, if the downstream client requests a refresh token from the
-	// server, the connector should also request a token from the provider.
-	LoginURL(s Scopes, callbackURL, state string) (string, error)
-
-	// Handle the callback to the server and return an identity.
-	HandleCallback(s Scopes, r *http.Request) (identity Identity, state string, err error)
-}
-
-// PasswordConnector is an interface implemented by connectors which take a
-// username and password.
-type PasswordConnector interface {
-	Login(s Scopes, username, password string) (identity Identity, validPassword bool, err error)
-}
-```
-
-The existing `GroupsConnector` plays two roles.
-
-1. The connector only attempts to grab groups when the downstream client requests it.
-2. Allow group information to be refreshed.
-
-The first issue is remedied by the added `Scopes` struct. This proposal also
-hopes to generalize the need of the second role by adding a more general
-`RefreshConnector`:
-
-```go
-type Identity struct {
-	// Existing fields...
-
-	// Groups are added to the identity object, since connectors are now told
-	// if they're being requested.
-
-	// The set of groups a user is a member of.
-	Groups []string
-}
-
-
-// RefreshConnector is a connector that can update the client claims.
-type RefreshConnector interface {
-	// Refresh is called when a client attempts to claim a refresh token. The
-	// connector should attempt to update the identity object to reflect any
-	// changes since the token was last refreshed.
-	Refresh(s Scopes, identity Identity) (Identity, error)
-
-	// TODO(ericchiang): Should we allow connectors to indicate that the user has
-	// been delete	or an upstream token has been revoked? This would allow us to
-	// know when we should remove the downstream refresh token, and when there was
-	// just a server error, but might be hard to determine for certain protocols.
-	// Might be safer to always delete the downstream token if the Refresh()
-	// method returns an error.
-}
-```
-
-## Example changes to the "passwordDB" connector
-
-The `passwordDB` connector is the internal connector maintained by the server. 
-As an example, these are the changes to that connector if this change was
-accepted.
-
-```go
-func (db passwordDB) Login(s connector.Scopes, username, password string) (connector.Identity, bool, error) {
-	// No change to existing implementation. Scopes can be ignored since we'll
-	// always have access to the password objects.
-
-}
-
-func (db passwordDB) Refresh(s connector.Scopes, identity connector.Identity) (connector.Identity, error) {
-	// If the user has been deleted, the refresh token will be rejected.
-	p, err := db.s.GetPassword(identity.Email)
-	if err != nil {
-		if err == storage.ErrNotFound {
-			return connector.Identity{}, errors.New("user not found")
-		}
-		return connector.Identity{}, fmt.Errorf("get password: %v", err)
-	}
-
-	// User removed but a new user with the same email exists.
-	if p.UserID != identity.UserID {
-		return connector.Identity{}, errors.New("user not found")
-	}
-
-	// If a user has updated their username, that will be reflected in the
-	// refreshed token.
-	identity.Username = p.Username
-	return identity, nil
-}
-```
-
-## Caveats
-
-Certain providers, such as Google, will only grant a single refresh token for each
-client + end user pair. The second time one's requested, no refresh token is
-returned. This means refresh tokens must be stored by dex as objects on an
-upstream identity rather than part of a downstream refresh even.
-
-Right now `ConnectorData` is too general for this since it is only stored with a
-refresh token and can't be shared between sessions. This should be rethought in
-combination with the [`user-object.md`](./user-object.md) proposal to see if
-there are reasonable ways for us to do this.
-
-This isn't a problem for providers like GitHub because they return the same
-refresh token every time. We don't need to track a token per client.

Documentation/proposals/user-object.md

@@ -1,146 +0,0 @@
-# Proposal: user objects for revoking refresh tokens and merging accounts
-
-Certain operations require tracking users the have logged in through the server
-and storing them in the backend. Namely, allowing end users to revoke refresh
-tokens and merging existing accounts with upstream providers.
-
-While revoking refresh tokens is relatively easy, merging accounts is a
-difficult problem. What if display names or emails are different? What happens
-to a user with two remote identities with the same upstream service? Should
-this be presented differently for a user with remote identities for different
-upstream services? This proposal only covers a minimal merging implementation
-by guaranteeing that merged accounts will always be presented to clients with
-the same user ID.
-
-This proposal defines the following objects and methods to be added to the
-storage package to allow user information to be persisted.
-
-```go
-// User is an end user which has logged in to the server.
-//
-// Users do not hold additional data, such as emails, because claim information
-// is always supplied by an upstream provider during the auth flow. The ID is
-// the only information from this object which overrides the claims produced by
-// connectors.
-//
-// Clients which wish to associate additional data with a user must do so on
-// their own. The server only guarantees that IDs will be constant for an end
-// user, no matter what backend they use to login.
-type User struct {
-	// A string which uniquely identifies the user for the server. This overrides
-	// the ID provided by the connector in the ID Token claims.
-	ID string
-
-	// A list of clients who have been issued refresh tokens for this user.
-	//
-	// When a refresh token is redeemed, the server will check this field to
-	// ensure that the client is still on this list. To revoke a client,
-	// remove it from here.
-	AuthorizedClients []AuthorizedClient
-
-	// A set of remote identities which are able to login as this user.
-	RemoteIdentities []RemoteIdentity
-}
-
-// AuthorizedClient is a client that has a refresh token out for this user.
-type AuthorizedClient struct {
-	// The ID of the client.
-	ClientID string
-	// The last time a token was refreshed.
-	LastRefreshed time.Time
-}
-
-// RemoteIdentity is the smallest amount of information that identifies a user
-// with a remote service. It indicates which remote identities should be able
-// to login as a specific user.
-//
-// RemoteIdentity contains an username so an end user can be displayed this
-// object and reason about what upstream profile it represents. It is not used
-// to cache claims, such as groups or emails, because these are always provided
-// by the upstream identity system during login.
-type RemoteIdentity struct {
-	// The ID of the connector used to login the user.
-	ConnectorID string
-	// A string which uniquely identifies the user with the remote system.
-	ConnectorUserID stirng
-
-	// Optional, human readable name for this remote identity. Only used when
-	// displaying the remote identity to the end user (e.g. when merging
-	// accounts). NOT used for determining ID Token claims.
-	Username string
-}
-```
-
-`UserID` fields will be added to the `AuthRequest`, `AuthCode` and `RefreshToken`
-structs. When a user logs in successfully through a connector
-[here](https://github.com/dexidp/dex/blob/95a61454b522edd6643ced36b9d4b9baa8059556/server/handlers.go#L227),
-the server will attempt to either get the user, or create one if none exists with
-the remote identity.
-
-`AuthorizedClients` serves two roles. First is makes displaying the set of
-clients a user is logged into easy. Second, because we don't assume multi-object
-transactions, we can't ensure deleting all refresh tokens a client has for a
-user. Between listing the set of refresh tokens and deleting a token, a client
-may have already redeemed the token and created a new one.
-
-When an OAuth2 client exchanges a code for a token, the following steps are
-taken to populate the `AuthorizedClients`:
-
-1. Get token where the user has authorized the `offline_access` scope.
-1. Update the user checking authorized clients. If client is not in the list,
-add it.
-1. Create a refresh token and return the token.
-
-When a OAuth2 client attempts to renew a refresh token, the server ensures that
-the token hasn't been revoked.
-
-1. Check authorized clients and update the `LastRefreshed` timestamp. If client
-isn't in list error out and delete the refresh token.
-1. Continue renewing the refresh token.
-
-When the end user revokes a client, the following steps are used to.
-
-1. Update the authorized clients by removing the client from the list. This
-atomic action causes any renew attempts to fail.
-1. Iterate through list of refresh tokens and garbage collect any tokens issued
-by the user for the client. This isn't atomic, but exists so a user can
-re-authorize a client at a later time without authorizing old refresh tokens.
-
-This is clunky due to the lack of multi-object transactions. E.g. we can't delete
-all the refresh tokens at once because we don't have that guarantee.
-
-Merging accounts becomes extremely simple. Just add another remote identity to
-the user object.
-
-We hope to provide a web interface that a user can login to to perform these
-actions. Perhaps using a well known client issued exclusively for the server.
-
-The new `User` object requires adding the following methods to the storage
-interface, and (as a nice side effect) deleting the `ListRefreshTokens()` method.
-
-```go
-type Storage interface {
-	// ...
-
-	CreateUser(u User) error
-
-	DeleteUser(id string) error
-
-	GetUser(id string) error
-	GetUserByRemoteIdentity(connectorID, connectorUserID string) (User, error)
-
-	// Updates are assumed to be atomic.
-	//
-	// When a UpdateUser is called, if clients are removed from the
-	// AuthorizedClients list, the underlying storage SHOULD clean up refresh
-	// tokens issued for the removed clients. This allows backends with
-	// multi-transactional capabilities to utilize them, while key-value stores
-	// only guarantee best effort.
-	UpdateUser(id string, updater func(old User) (User, error)) error
-}
-```
-
-Importantly, this will be the first object which has a secondary index.
-The Kubernetes client will simply list all the users in memory then iterate over
-them to support this (possibly followed by a "watch" based optimization). SQL
-implementations will have an easier time.

Documentation/saml-connector.md

@@ -1 +0,0 @@
-This document has moved to [connectors/saml.md](connectors/saml.md).

Documentation/storage.md

@@ -1,244 +0,0 @@
-# Storage options
-
-Dex requires persisting state to perform various tasks such as track refresh tokens, preventing replays, and rotating keys. This document is a summary of the storage configurations supported by dex.
-
-Storage breaches are serious as they can affect applications that rely on dex. Dex saves sensitive data in its backing storage, including signing keys and bcrypt'd passwords. As such, transport security and database ACLs should both be used, no matter which storage option is chosen.
-
-## Etcd
-
-Dex supports persisting state to [etcd v3](https://github.com/coreos/etcd).
-
-An example etcd configuration is using these values:
-
-```
-storage:
-  type: etcd
-  config:
-    # list of etcd endpoints we should connect to
-    endpoints:
-      - http://localhost:2379
-    namespace: my-etcd-namespace/
-```
-
-Etcd storage can be customized further using the following options:
-
-* `endpoints`: list of etcd endpoints we should connect to
-* `namespace`: etcd namespace to be set for the connection. All keys created by
-  etcd storage will be prefixed with the namespace. This is useful when you
-  share your etcd cluster amongst several applications. Another approach for
-  setting namespace is to use [etcd proxy](https://coreos.com/etcd/docs/latest/op-guide/grpc_proxy.html#namespacing)
-* `username`: username for etcd authentication
-* `password`: password for etcd authentication
-* `ssl`: ssl setup for etcd connection
-  * `serverName`: ensures that the certificate matches the given hostname the
-    client is connecting to.
-  * `caFile`: path to the ca
-  * `keyFile`: path to the private key
-  * `certFile`: path to the certificate
-
-## Kubernetes custom resource definitions (CRDs)
-
-Kubernetes [custom resource definitions](crd) are a way for applications to create new resources types in the Kubernetes API.
-
-The Custom Resource Definition (CRD) API object was introduced in Kubernetes version 1.7 to replace the Third Party Resource (TPR) extension. CRDs allow dex to run on top of an existing Kubernetes cluster without the need for an external database. While this storage may not be appropriate for a large number of users, it's extremely effective for many Kubernetes use cases.
-
-The rest of this section will explore internal details of how dex uses CRDs. __Admins should not interact with these resources directly__, except while debugging. These resources are only designed to store state and aren't meant to be consumed by end users. For modifying dex's state dynamically see the [API documentation](api.md).
-
-The following is an example of the AuthCode resource managed by dex:
-
-```
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  creationTimestamp: 2017-09-13T19:56:28Z
-  name: authcodes.dex.coreos.com
-  resourceVersion: "288893"
-  selfLink: /apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/authcodes.dex.coreos.com
-  uid: a1cb72dc-98bd-11e7-8f6a-02d13336a01e
-spec:
-  group: dex.coreos.com
-  names:
-    kind: AuthCode
-    listKind: AuthCodeList
-    plural: authcodes
-    singular: authcode
-  scope: Namespaced
-  version: v1
-status:
-  acceptedNames:
-    kind: AuthCode
-    listKind: AuthCodeList
-    plural: authcodes
-    singular: authcode
-  conditions:
-  - lastTransitionTime: null
-    message: no conflicts found
-    reason: NoConflicts
-    status: "True"
-    type: NamesAccepted
-  - lastTransitionTime: 2017-09-13T19:56:28Z
-    message: the initial names have been accepted
-    reason: InitialNamesAccepted
-    status: "True"
-    type: Established
-```
-
-Once the `CustomResourceDefinition` is created, custom resources can be created and stored at a namespace level. The CRD type and the custom resources can be queried, deleted, and edited like any other resource using `kubectl`.
-
-dex requires access to the non-namespaced `CustomResourceDefinition` type. For example, clusters using RBAC authorization would need to create the following roles and bindings:
-```
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRole
-metadata:
-  name: dex
-rules:
-- apiGroups: ["dex.coreos.com"] # API group created by dex
-  resources: ["*"]
-  verbs: ["*"]
-- apiGroups: ["apiextensions.k8s.io"]
-  resources: ["customresourcedefinitions"]
-  verbs: ["create"] # To manage its own resources identity must be able to create customresourcedefinitions.
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
-metadata:
-  name: dex
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: dex
-subjects:
-- kind: ServiceAccount
-  name: dex                 # Service account assigned to the dex pod.
-  namespace: dex-namespace  # The namespace dex is running in.
-
-```
-
-
-### Removed: Kubernetes third party resources(TPRs)
-
-TPR support in dex has been removed.  The last version to support TPR
-is [v2.17.0](https://github.com/dexidp/dex/tree/v2.17.0)
-
-If you are currently running dex using TPRs, you will need to [migrate to CRDs](https://github.com/dexidp/dex/blob/v2.17.0/Documentation/storage.md#migrating-from-tprs-to-crds)
-before you upgrade to a post v2.17 dex.  The script mentioned in the instructions can be [found here](https://github.com/dexidp/dex/blob/v2.17.0/scripts/dump-tprs)
-
-
-### Configuration
-
-The storage configuration is extremely limited since installations running outside a Kubernetes cluster would likely prefer a different storage option. An example configuration for dex running inside Kubernetes:
-
-```
-storage:
-  type: kubernetes
-  config:
-    inCluster: true
-```
-
-Dex determines the namespace it's running in by parsing the service account token automatically mounted into its pod.
-
-## SQL
-
-Dex supports two flavors of SQL: SQLite3 and Postgres.
-
-Migrations are performed automatically on the first connection to the SQL server (it does not support rolling back). Because of this dex requires privileges to add and alter the tables for its database.
-
-__NOTE:__ Previous versions of dex required symmetric keys to encrypt certain values before sending them to the database. This feature has not yet been ported to dex v2. If it is added later there may not be a migration path for current v2 users.
-
-### SQLite3
-
-SQLite3 is the recommended storage for users who want to stand up dex quickly. It is __not__ appropriate for real workloads.
-
-The SQLite3 configuration takes a single argument, the database file.
-
-```
-storage:
-  type: sqlite3
-  config:
-    file: /var/dex/dex.db
-```
-
-Because SQLite3 uses file locks to prevent race conditions, if the ":memory:" value is provided dex will automatically disable support for concurrent database queries.
-
-### Postgres
-
-When using Postgres, admins may want to dedicate a database to dex for the following reasons:
-
-1. Dex requires privileged access to its database because it performs migrations.
-2. Dex's database table names are not configurable; when shared with other applications there may be table name clashes.
-
-```
-CREATE DATABASE dex_db;
-CREATE USER dex WITH PASSWORD '66964843358242dbaaa7778d8477c288';
-GRANT ALL PRIVILEGES ON DATABASE dex_db TO dex;
-```
-
-An example config for Postgres setup using these values:
-
-```
-storage:
-  type: postgres
-  config:
-    database: dex_db
-    user: dex
-    password: 66964843358242dbaaa7778d8477c288
-    ssl:
-      mode: verify-ca
-      caFile: /etc/dex/postgres.ca
-```
-
-The SSL "mode" corresponds to the `github.com/lib/pq` package [connection options][psql-conn-options]. If unspecified, dex defaults to the strictest mode "verify-full".
-
-### MySQL
-
-Dex requires MySQL 5.7 or later version. When using MySQL, admins may want to dedicate a database to dex for the following reasons:
-
-1. Dex requires privileged access to its database because it performs migrations.
-2. Dex's database table names are not configurable; when shared with other applications there may be table name clashes.
-
-```
-CREATE DATABASE dex_db;
-CREATE USER dex IDENTIFIED BY '66964843358242dbaaa7778d8477c288';
-GRANT ALL PRIVILEGES ON dex_db.* TO dex;
-```
-
-An example config for MySQL setup using these values:
-
-```
-storage:
-  type: mysql
-  config:
-    database: dex_db
-    user: dex
-    password: 66964843358242dbaaa7778d8477c288
-    ssl:
-      mode: custom
-      caFile: /etc/dex/mysql.ca
-```
-
-The SSL "mode" corresponds to the `github.com/go-sql-driver/mysql` package [connection options][mysql-conn-options]. If unspecified, dex defaults to the strictest mode "true".
-
-## Adding a new storage options
-
-Each storage implementation bears a large ongoing maintenance cost and needs to be updated every time a feature requires storing a new type. Bugs often require in depth knowledge of the backing software, and much of this work will be done by developers who are not the original author. Changes to dex which add new storage implementations are not merged lightly.
-
-### New storage option references
-
-Those who still want to construct a proposal for a new storage should review the following packages:
-
-* `github.com/dexidp/dex/storage`: Interface definitions which the storage must implement. __NOTE:__ This package is not stable.
-* `github.com/dexidp/dex/storage/conformance`: Conformance tests which storage implementations must pass.
-
-### New storage option requirements
-
-Any proposal to add a new implementation must address the following:
-
-* Integration testing setups (Travis and developer workstations).
-* Transactional requirements: atomic deletes, updates, etc.
-* Is there an established and reasonable Go client?
-
-[issues-transaction-tests]: https://github.com/dexidp/dex/issues/600
-[k8s-api]: https://github.com/kubernetes/kubernetes/blob/master/docs/devel/api-conventions.md#concurrency-control-and-consistency
-[psql-conn-options]: https://godoc.org/github.com/lib/pq#hdr-Connection_String_Parameters
-[mysql-conn-options]: https://github.com/go-sql-driver/mysql#tls
-[crd]: https://kubernetes.io/docs/tasks/access-kubernetes-api/extend-api-custom-resource-definitions/

Documentation/templates.md

@@ -1,24 +0,0 @@
-# Templates
-
-## Using your own templates
-
-Dex supports using your own templates and passing arbitrary data to them to help customize your installation.
-
-Steps:
-
-1. Copy contents of the `web` directory over to a new directory.
-2. Customize the templates as needed, be sure to retain all the existing variables so Dex continues working correctly.
-  a. Use this syntax `{{ "your_key" | extra }}` to use values from `frontend.extra`.
-3. Write a theme for your templates in the `themes` directory.
-4. Add your custom data to the Dex configuration `frontend.extra`.
-   ```yaml
-   frontend:
-     dir: /path/to/custom/web
-     extra:
-       tos_footer_link: "https://example.com/terms"
-       client_logo_url: "../theme/client-logo.png"
-       foo: "bar"
-   ```
-5. Set the `frontend.dir` value to your own `web` directory.
-
-To test your templates simply run Dex with a valid configuration and go through a login flow.

Documentation/using-dex.md

@@ -1,191 +0,0 @@
-# Writing apps that use dex
-
-Once you have dex up and running, the next step is to write applications that use dex to drive authentication. Apps that interact with dex generally fall into one of two categories:
-
-1. Apps that request OpenID Connect ID tokens to authenticate users.
-    * Used for authenticating an end user.
-    * Must be web based.
-2. Apps that consume ID tokens from other apps.
-    * Needs to verify that a client is acting on behalf of a user.
-
-The first category of apps are standard OAuth2 clients. Users show up at a website, and the application wants to authenticate those end users by pulling claims out of the ID token.
-
-The second category of apps consume ID tokens as credentials. This lets another service handle OAuth2 flows, then use the ID token retrieved from dex to act on the end user's behalf with the app. An example of an app that falls into this category is the [Kubernetes API server][api-server].
-
-## Requesting an ID token from dex
-
-Apps that directly use dex to authenticate a user use OAuth2 code flows to request a token response. The exact steps taken are:
-
-* User visits client app.
-* Client app redirects user to dex with an OAuth2 request.
-* Dex determines user's identity.
-* Dex redirects user to client with a code.
-* Client exchanges code with dex for an id_token.
-
-![][dex-flow]
-
-The dex repo contains a small [example app][example-app] as a working, self contained app that performs this flow.
-
-The rest of this section explores the code sections which to help explain how to implementing this logic in your own app.
-
-### Configuring your app
-
-The example app uses the following Go packages to perform the code flow:
-
-* [github.com/coreos/go-oidc][go-oidc]
-* [golang.org/x/oauth2][go-oauth2]
-
-First, client details should be present in the dex configuration. For example, we could register an app with dex with the following section:
-
-```yaml
-staticClients:
-- id: example-app
-  secret: example-app-secret
-  name: 'Example App'
-  # Where the app will be running.
-  redirectURIs:
-  - 'http://127.0.0.1:5555/callback'
-```
-
-In this case, the Go code would be configured as:
-
-```go
-// Initialize a provider by specifying dex's issuer URL.
-provider, err := oidc.NewProvider(ctx, "https://dex-issuer-url.com")
-if err != nil {
-    // handle error
-}
-
-// Configure the OAuth2 config with the client values.
-oauth2Config := oauth2.Config{
-    // client_id and client_secret of the client.
-    ClientID:     "example-app",
-    ClientSecret: "example-app-secret",
-
-    // The redirectURL.
-    RedirectURL: "http://127.0.0.1:5555/callback",
-
-    // Discovery returns the OAuth2 endpoints.
-    Endpoint: provider.Endpoint(),
-
-    // "openid" is a required scope for OpenID Connect flows.
-    //
-    // Other scopes, such as "groups" can be requested.
-    Scopes: []string{oidc.ScopeOpenID, "profile", "email", "groups"},
-}
-
-// Create an ID token parser.
-idTokenVerifier := provider.Verifier(&oidc.Config{ClientID: "example-app"})
-```
-
-The HTTP server should then redirect unauthenticated users to dex to initialize the OAuth2 flow.
-
-```go
-// handleRedirect is used to start an OAuth2 flow with the dex server.
-func handleRedirect(w http.ResponseWriter, r *http.Request) {
-    state := newState()
-    http.Redirect(w, r, oauth2Config.AuthCodeURL(state), http.StatusFound)
-}
-```
-
-After dex verifies the user's identity it redirects the user back to the client app with a code that can be exchanged for an ID token. The ID token can then be parsed by the verifier created above. This immediately 
-
-```go
-func handleOAuth2Callback(w http.ResponseWriter, r *http.Request) {
-    state := r.URL.Query().Get("state")
-
-    // Verify state.
-
-    oauth2Token, err := oauth2Config.Exchange(ctx, r.URL.Query().Get("code"))
-    if err != nil {
-        // handle error
-    }
-
-    // Extract the ID Token from OAuth2 token.
-    rawIDToken, ok := oauth2Token.Extra("id_token").(string)
-    if !ok {
-        // handle missing token
-    }
-
-    // Parse and verify ID Token payload.
-    idToken, err := idTokenVerifier.Verify(ctx, rawIDToken)
-    if err != nil {
-        // handle error
-    }
-
-    // Extract custom claims.
-    var claims struct {
-        Email    string   `json:"email"`
-        Verified bool     `json:"email_verified"`
-        Groups   []string `json:"groups"`
-    }
-    if err := idToken.Claims(&claims); err != nil {
-        // handle error
-    }
-}
-```
-
-### State tokens
-
-The state parameter is an arbitrary string that dex will always return with the callback. It plays a security role, preventing certain kinds of OAuth2 attacks. Specifically it can be used by clients to ensure:
-
-* The user who started the flow is the one who finished it, by linking the user's session with the state token. For example, by setting the state as an HTTP cookie, then comparing it when the user returns to the app.
-* The request hasn't been replayed. This could be accomplished by associating some nonce in the state.
-
-A more thorough discussion of these kinds of best practices can be found in the [_"OAuth 2.0 Threat Model and Security Considerations"_][oauth2-threat-model] RFC.
-
-## Consuming ID tokens
-
-Apps can also choose to consume ID tokens, letting other trusted clients handle the web flows for login. Clients pass along the ID tokens they receive from dex, usually as a bearer token, letting them act as the user to the backend service.
-
-![][dex-backend-flow]
-
-To accept ID tokens as user credentials, an app would construct an OpenID Connect verifier similarly to the above example. The verifier validates the ID token's signature, ensures it hasn't expired, etc. An important part of this code is that the verifier only trusts the example app's client. This ensures the example app is the one who's using the ID token, and not another, untrusted client.
-
-```go
-// Initialize a provider by specifying dex's issuer URL.
-provider, err := oidc.NewProvider(ctx, "https://dex-issuer-url.com")
-if err != nil {
-    // handle error
-}
-// Create an ID token parser, but only trust ID tokens issued to "example-app"
-idTokenVerifier := provider.Verifier(&oidc.Config{ClientID: "example-app"})
-```
-
-The verifier can then be used to pull user info out of tokens:
-
-```go
-type user struct {
-    email  string
-    groups []string
-}
-
-// authorize verifies a bearer token and pulls user information form the claims.
-func authorize(ctx context.Context, bearerToken string) (*user, error) {
-    idToken, err := idTokenVerifier.Verify(ctx, bearerToken)
-    if err != nil {
-        return nil, fmt.Errorf("could not verify bearer token: %v", err)
-    }
-    // Extract custom claims.
-    var claims struct {
-        Email    string   `json:"email"`
-        Verified bool     `json:"email_verified"`
-        Groups   []string `json:"groups"`
-    }
-    if err := idToken.Claims(&claims); err != nil {
-        return nil, fmt.Errorf("failed to parse claims: %v", err)
-    }
-    if !claims.Verified {
-        return nil, fmt.Errorf("email (%q) in returned claims was not verified", claims.Email)
-    }
-    return &user{claims.Email, claims.Groups}, nil
-}
-```
-
-[api-server]: https://kubernetes.io/docs/admin/authentication/#openid-connect-tokens
-[dex-flow]: img/dex-flow.png
-[dex-backend-flow]: img/dex-backend-flow.png
-[example-app]: ../cmd/example-app
-[oauth2-threat-model]: https://tools.ietf.org/html/rfc6819
-[go-oidc]: https://godoc.org/github.com/coreos/go-oidc
-[go-oauth2]: https://godoc.org/golang.org/x/oauth2

Documentation/v2.md

@@ -1,47 +0,0 @@
-# Dex v2
-
-## Streamlined deployments
-
-Many of the changes between v1 and v2 were aimed at making dex easier to deploy and manage, perhaps the biggest pain point for dex v1. Dex is now a single, scalable binary with a sole source of configuration. Many components which previously had to be set through the API, such as OAuth2 clients and IDP connectors can now be specified statically. The new architecture lacks a singleton component eliminating deployment ordering. There are no more special development modes; instructions for running dex on a workstation translate with minimal changes to a production system.
-
-All of this results in a much simpler deployment story. Write a config file, run the dex binary, and that's it.
-
-## More storage backends
-
-Dex's internal storage interface has been improved to support multiple backing databases including Postgres, SQLite3, and the Kubernetes API through Third Party Resources. This allows dex to meet a more diverse set of use cases instead of insisting on one particular deployment pattern. For example, The Kubernetes API implementation, a [key value store][k8s-api-docs], allows dex to be run natively on top of a Kubernetes cluster with extremely little administrative overhead. Starting with support for multiple storage backends also should help ensure that the dex storage interface is actually pluggable, rather than being coupled too tightly with a single implementation.
-
-A more in depth discussion of existing storage options and how to add new ones can be found [here][storage-docs].
-
-## Additional improvements
-
-The rewrite came with several, miscellaneous improvements including:
-
-* More powerful connectors. For example the GitHub connector can now query for teams.
-* Combined the two APIs into a single [gRPC API][api-docs] with no complex authorization rules.
-* Expanded OAuth2 capabilities such as the implicit flow. 
-* Simplified codebase and improved testing.
-
-## Rethinking registration
-
-Dex v1 performed well when it could manage users. It provided features such as registration, email invites, password resets, administrative abilities, etc. However, login flows and APIs remain tightly coupled with concepts like registration and admin users even when v1 federated to an upstream identity provider (IDP) where it likely only had read only access to the actual user database.
-
-Many of v2's use cases focus on federation to other IPDs rather than managing users itself. Because of this, options associated with registration, such as SMTP credentials, have been removed. We hope to add registration and user management back into the project through orthogonal applications using the [gRPC API][api-docs], but in a way that doesn't impact other use cases.
-
-## Removed features
-
-Dex v2 lacks certain features present in v1. For the most part _we aim to add most of these features back into v2_, but in a way that installations have to _opt in_ to a feature instead of burdening every deployment with extra configuration.
-
-Notable missing features include:
-
-* Registration flows.
-* Local user management.
-* SMTP configuration and email verification.
-* Several of the login connectors that have yet to be ported.
-
-## Support for dex v1
-
-Dex v1 will continue to live under the `github.com/dexidp/dex` repo on a branch. Bug fixes and minor changes will continue to be accepted, but development of new features by the dex team will largely cease.
-
-[k8s-api-docs]: http://kubernetes.io/docs/api/
-[storage-docs]: ./storage.md
-[api-docs]: ./api.md

MAINTAINERS

@@ -1,4 +1,6 @@
-Rithu John <rithujohn191@gmail.com> (@rithujohn191)
-Stephan Renatus <srenatus@chef.io> (@srenatus)
 Joel Speed <Joel.speed@hotmail.co.uk> (@JoelSpeed)
+Maksim Nabokikh <max.nabokih@gmail.com> (@nabokihms)
+Mark Sagi-Kazar <mark.sagikazar@gmail.com> (@sagikazarmark)
 Nandor Kracser <bonifaido@gmail.com> (@bonifaido)
+Rithu John <rithujohn191@gmail.com> (@rithujohn191)
+Stephen Augustus <foo@auggie.dev> (@justaugustus)

Makefile

@@ -1,8 +1,10 @@
+OS = $(shell uname | tr A-Z a-z)
+
+export PATH := $(abspath bin/protoc/bin/):$(abspath bin/):${PATH}
+
 PROJ=dex
 ORG_PATH=github.com/dexidp
 REPO_PATH=$(ORG_PATH)/$(PROJ)
-export PATH := $(PWD)/bin:$(PATH)
-THIS_DIRECTORY:=$(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
 
 VERSION ?= $(shell ./scripts/git-version)
 
@@ -16,28 +18,50 @@ group=$(shell id -g -n)
 
 export GOBIN=$(PWD)/bin
 
-LD_FLAGS="-w -X $(REPO_PATH)/version.Version=$(VERSION)"
+LD_FLAGS="-w -X main.version=$(VERSION)"
 
-build: bin/dex bin/example-app bin/grpc-client
+# Dependency versions
+
+KIND_NODE_IMAGE = "kindest/node:v1.19.11@sha256:07db187ae84b4b7de440a73886f008cf903fcf5764ba8106a9fd5243d6f32729"
+KIND_TMP_DIR = "$(PWD)/bin/test/dex-kind-kubeconfig"
+
+.PHONY: generate
+generate:
+	@go generate $(REPO_PATH)/storage/ent/
+
+build: generate bin/dex
 
 bin/dex:
+	@mkdir -p bin/
 	@go install -v -ldflags $(LD_FLAGS) $(REPO_PATH)/cmd/dex
 
-bin/example-app:
-	@go install -v -ldflags $(LD_FLAGS) $(REPO_PATH)/cmd/example-app
+examples: bin/grpc-client bin/example-app
 
 bin/grpc-client:
-	@go install -v -ldflags $(LD_FLAGS) $(REPO_PATH)/examples/grpc-client
+	@mkdir -p bin/
+	@cd examples/ && go install -v -ldflags $(LD_FLAGS) $(REPO_PATH)/examples/grpc-client
+
+bin/example-app:
+	@mkdir -p bin/
+	@cd examples/ && go install -v -ldflags $(LD_FLAGS) $(REPO_PATH)/examples/example-app
 
 .PHONY: release-binary
-release-binary:
+release-binary: LD_FLAGS = "-w -X main.version=$(VERSION) -extldflags \"-static\""
+release-binary: generate
 	@go build -o /go/bin/dex -v -ldflags $(LD_FLAGS) $(REPO_PATH)/cmd/dex
+	@go build -o /go/bin/docker-entrypoint -v -ldflags $(LD_FLAGS) $(REPO_PATH)/cmd/docker-entrypoint
 
-.PHONY: revendor
-revendor:
-	@go mod tidy -v
-	@go mod vendor -v
-	@go mod verify
+docker-compose.override.yaml:
+	cp docker-compose.override.yaml.dist docker-compose.override.yaml
+
+.PHONY: up
+up: docker-compose.override.yaml ## Launch the development environment
+	@ if [ docker-compose.override.yaml -ot docker-compose.override.yaml.dist ]; then diff -u docker-compose.override.yaml docker-compose.override.yaml.dist || (echo "!!! The distributed docker-compose.override.yaml example changed. Please update your file accordingly (or at least touch it). !!!" && false); fi
+	docker-compose up -d
+
+.PHONY: down
+down: clear ## Destroy the development environment
+	docker-compose down --volumes --remove-orphans --rmi local
 
 test:
 	@go test -v ./...
@@ -45,42 +69,94 @@ test:
 testrace:
 	@go test -v --race ./...
 
-vet:
-	@go vet ./...
+.PHONY: kind-up kind-down kind-tests
+kind-up:
+	@mkdir -p bin/test
+	@kind create cluster --image ${KIND_NODE_IMAGE} --kubeconfig ${KIND_TMP_DIR}
 
-fmt:
-	@./scripts/gofmt ./...
+kind-down:
+	@kind delete cluster
+	rm ${KIND_TMP_DIR}
 
-lint: bin/golint
-	@./bin/golint -set_exit_status $(shell go list ./...)
+kind-tests: export DEX_KUBERNETES_CONFIG_PATH=${KIND_TMP_DIR}
+kind-tests: testall
+
+.PHONY: lint lint-fix
+lint: ## Run linter
+	golangci-lint run
+
+.PHONY: fix
+fix: ## Fix lint violations
+	golangci-lint run --fix
 
 .PHONY: docker-image
 docker-image:
 	@sudo docker build -t $(DOCKER_IMAGE) .
 
-.PHONY: proto
-proto: bin/protoc bin/protoc-gen-go
-	@./bin/protoc --go_out=plugins=grpc:. --plugin=protoc-gen-go=./bin/protoc-gen-go api/*.proto
-	@./bin/protoc --go_out=. --plugin=protoc-gen-go=./bin/protoc-gen-go server/internal/*.proto
-
 .PHONY: verify-proto
 verify-proto: proto
 	@./scripts/git-diff
 
-bin/protoc: scripts/get-protoc
-	@./scripts/get-protoc bin/protoc
-
-bin/protoc-gen-go:
-	@go install -v $(REPO_PATH)/vendor/github.com/golang/protobuf/protoc-gen-go
-
-bin/golint:
-	@go install -v $(THIS_DIRECTORY)/vendor/golang.org/x/lint/golint
-
 clean:
 	@rm -rf bin/
 
-testall: testrace vet fmt lint
+testall: testrace
 
 FORCE:
 
-.PHONY: test testrace vet fmt lint testall
+.PHONY: test testrace testall
+
+.PHONY: proto
+proto:
+	@protoc --go_out=paths=source_relative:. --go-grpc_out=paths=source_relative:. api/v2/*.proto
+	@protoc --go_out=paths=source_relative:. --go-grpc_out=paths=source_relative:. api/*.proto
+	#@cp api/v2/*.proto api/
+
+.PHONY: proto-internal
+proto-internal:
+	@protoc --go_out=paths=source_relative:. server/internal/*.proto
+
+# Dependency versions
+GOLANGCI_VERSION = 1.46.0
+GOTESTSUM_VERSION ?= 1.7.0
+PROTOC_VERSION = 3.15.6
+PROTOC_GEN_GO_VERSION = 1.26.0
+PROTOC_GEN_GO_GRPC_VERSION = 1.1.0
+KIND_VERSION = 0.11.1
+
+deps: bin/gotestsum bin/golangci-lint bin/protoc bin/protoc-gen-go bin/protoc-gen-go-grpc bin/kind
+
+bin/gotestsum:
+	@mkdir -p bin
+	curl -L https://github.com/gotestyourself/gotestsum/releases/download/v${GOTESTSUM_VERSION}/gotestsum_${GOTESTSUM_VERSION}_$(shell uname | tr A-Z a-z)_amd64.tar.gz | tar -zOxf - gotestsum > ./bin/gotestsum
+	@chmod +x ./bin/gotestsum
+
+bin/golangci-lint:
+	@mkdir -p bin
+	curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | BINARY=golangci-lint bash -s -- v${GOLANGCI_VERSION}
+
+bin/protoc:
+	@mkdir -p bin/protoc
+ifeq ($(shell uname | tr A-Z a-z), darwin)
+	curl -L https://github.com/protocolbuffers/protobuf/releases/download/v${PROTOC_VERSION}/protoc-${PROTOC_VERSION}-osx-x86_64.zip > bin/protoc.zip
+endif
+ifeq ($(shell uname | tr A-Z a-z), linux)
+	curl -L https://github.com/protocolbuffers/protobuf/releases/download/v${PROTOC_VERSION}/protoc-${PROTOC_VERSION}-linux-x86_64.zip > bin/protoc.zip
+endif
+	unzip bin/protoc.zip -d bin/protoc
+	rm bin/protoc.zip
+
+bin/protoc-gen-go:
+	@mkdir -p bin
+	curl -L https://github.com/protocolbuffers/protobuf-go/releases/download/v${PROTOC_GEN_GO_VERSION}/protoc-gen-go.v${PROTOC_GEN_GO_VERSION}.$(shell uname | tr A-Z a-z).amd64.tar.gz | tar -zOxf - protoc-gen-go > ./bin/protoc-gen-go
+	@chmod +x ./bin/protoc-gen-go
+
+bin/protoc-gen-go-grpc:
+	@mkdir -p bin
+	curl -L https://github.com/grpc/grpc-go/releases/download/cmd/protoc-gen-go-grpc/v${PROTOC_GEN_GO_GRPC_VERSION}/protoc-gen-go-grpc.v${PROTOC_GEN_GO_GRPC_VERSION}.$(shell uname | tr A-Z a-z).amd64.tar.gz | tar -zOxf - ./protoc-gen-go-grpc > ./bin/protoc-gen-go-grpc
+	@chmod +x ./bin/protoc-gen-go-grpc
+
+bin/kind:
+	@mkdir -p bin
+	curl -L https://github.com/kubernetes-sigs/kind/releases/download/v${KIND_VERSION}/kind-$(shell uname | tr A-Z a-z)-amd64 > ./bin/kind
+	@chmod +x ./bin/kind

NOTICE

@@ -1,5 +0,0 @@
-CoreOS Project
-Copyright 2018 CoreOS, Inc
-
-This product includes software developed at CoreOS, Inc.
-(http://www.coreos.com/).

README.md

@@ -1,10 +1,10 @@
 # dex - A federated OpenID Connect provider
 
-[![Travis](https://api.travis-ci.org/dexidp/dex.svg)](https://travis-ci.org/dexidp/dex)
-[![GoDoc](https://godoc.org/github.com/dexidp/dex?status.svg)](https://godoc.org/github.com/dexidp/dex)
-[![Go Report Card](https://goreportcard.com/badge/github.com/dexidp/dex)](https://goreportcard.com/report/github.com/dexidp/dex)
+![GitHub Workflow Status](https://img.shields.io/github/workflow/status/dexidp/dex/CI?style=flat-square)
+[![Go Report Card](https://goreportcard.com/badge/github.com/dexidp/dex?style=flat-square)](https://goreportcard.com/report/github.com/dexidp/dex)
+[![Gitpod ready-to-code](https://img.shields.io/badge/Gitpod-ready--to--code-blue?logo=gitpod&style=flat-square)](https://gitpod.io/#https://github.com/dexidp/dex)
 
-![logo](Documentation/logos/dex-horizontal-color.png)
+![logo](docs/logos/dex-horizontal-color.png)
 
 Dex is an identity service that uses [OpenID Connect][openid-connect] to drive authentication for other apps.
 
@@ -45,17 +45,18 @@ Because these tokens are signed by dex and [contain standard-based claims][stand
 
 For details on how to request or validate an ID Token, see [_"Writing apps that use dex"_][using-dex].
 
-## Kubernetes + dex
+## Kubernetes and Dex
 
-Dex's main production use is as an auth-N addon in CoreOS's enterprise Kubernetes solution, [Tectonic][tectonic]. Dex runs natively on top of any Kubernetes cluster using Third Party Resources and can drive API server authentication through the OpenID Connect plugin. Clients, such as the [Tectonic Console][tectonic-console] and `kubectl`, can act on behalf users who can login to the cluster through any identity provider dex supports.
+Dex runs natively on top of any Kubernetes cluster using Custom Resource Definitions and can drive API server authentication through the OpenID Connect plugin. Clients, such as the [`kubernetes-dashboard`](https://github.com/kubernetes/dashboard) and `kubectl`, can act on behalf of users who can login to the cluster through any identity provider dex supports.
 
-More docs for running dex as a Kubernetes authenticator can be found [here](Documentation/kubernetes.md).
+* More docs for running dex as a Kubernetes authenticator can be found [here](https://dexidp.io/docs/kubernetes/).
+* You can find more about companies and projects, which uses dex, [here](./ADOPTERS.md).
 
 ## Connectors
 
 When a user logs in through dex, the user's identity is usually stored in another user-management system: a LDAP directory, a GitHub org, etc. Dex acts as a shim between a client app and the upstream identity provider. The client only needs to understand OpenID Connect to query dex, while dex implements an array of protocols for querying other user-management systems.
 
-![](Documentation/img/dex-flow.png)
+![](docs/img/dex-flow.png)
 
 A "connector" is a strategy used by dex for authenticating a user against another identity provider. Dex implements connectors that target specific platforms such as GitHub, LinkedIn, and Microsoft as well as established protocols like LDAP and SAML.
 
@@ -65,15 +66,21 @@ Dex implements the following connectors:
 
 | Name | supports refresh tokens | supports groups claim | supports preferred_username claim | status | notes |
 | ---- | ----------------------- | --------------------- | --------------------------------- | ------ | ----- |
-| [LDAP](Documentation/connectors/ldap.md) | yes | yes | yes | stable | |
-| [GitHub](Documentation/connectors/github.md) | yes | yes | yes | stable | |
-| [SAML 2.0](Documentation/connectors/saml.md) | no | yes | no | stable |
-| [GitLab](Documentation/connectors/gitlab.md) | yes | yes | yes | beta | |
-| [OpenID Connect](Documentation/connectors/oidc.md) | yes | no ([#1065][issue-1065]) | no | beta | Includes Google, Salesforce, Azure, etc. |
-| [LinkedIn](Documentation/connectors/linkedin.md) | yes | no | no | beta | |
-| [Microsoft](Documentation/connectors/microsoft.md) | yes | yes | no | beta | |
-| [AuthProxy](Documentation/connectors/authproxy.md) | no | no | no | alpha | Authentication proxies such as Apache2 mod_auth, etc. |
-| [Bitbucket Cloud](Documentation/connectors/bitbucketcloud.md) | yes | yes | no | alpha | |
+| [LDAP](https://dexidp.io/docs/connectors/ldap/) | yes | yes | yes | stable | |
+| [GitHub](https://dexidp.io/docs/connectors/github/) | yes | yes | yes | stable | |
+| [SAML 2.0](https://dexidp.io/docs/connectors/saml/) | no | yes | no | stable | WARNING: Unmaintained and likely vulnerable to auth bypasses ([#1884](https://github.com/dexidp/dex/discussions/1884)) |
+| [GitLab](https://dexidp.io/docs/connectors/gitlab/) | yes | yes | yes | beta | |
+| [OpenID Connect](https://dexidp.io/docs/connectors/oidc/) | yes | yes | yes | beta | Includes Salesforce, Azure, etc. |
+| [OAuth 2.0](https://dexidp.io/docs/connectors/oauth/) | no | yes | yes | alpha | |
+| [Google](https://dexidp.io/docs/connectors/google/) | yes | yes | yes | alpha | |
+| [LinkedIn](https://dexidp.io/docs/connectors/linkedin/) | yes | no | no | beta | |
+| [Microsoft](https://dexidp.io/docs/connectors/microsoft/) | yes | yes | no | beta | |
+| [AuthProxy](https://dexidp.io/docs/connectors/authproxy/) | no | yes | no | alpha | Authentication proxies such as Apache2 mod_auth, etc. |
+| [Bitbucket Cloud](https://dexidp.io/docs/connectors/bitbucketcloud/) | yes | yes | no | alpha | |
+| [OpenShift](https://dexidp.io/docs/connectors/openshift/) | no | yes | no | alpha | |
+| [Atlassian Crowd](https://dexidp.io/docs/connectors/atlassiancrowd/) | yes | yes | yes * | beta | preferred_username claim must be configured through config |
+| [Gitea](https://dexidp.io/docs/connectors/gitea/) | yes | no | yes | beta | |
+| [OpenStack Keystone](https://dexidp.io/docs/connectors/keystone/) | yes | yes | no | alpha | |
 
 Stable, beta, and alpha are defined as:
 
@@ -85,38 +92,52 @@ All changes or deprecations of connector features will be announced in the [rele
 
 ## Documentation
 
-* [Getting started](Documentation/getting-started.md)
-* [Intro to OpenID Connect](Documentation/openid-connect.md)
+* [Getting started](https://dexidp.io/docs/getting-started/)
+* [Intro to OpenID Connect](https://dexidp.io/docs/openid-connect/)
 * [Writing apps that use dex][using-dex]
-* [What's new in v2](Documentation/v2.md)
-* [Custom scopes, claims, and client features](Documentation/custom-scopes-claims-clients.md)
-* [Storage options](Documentation/storage.md)
-* [gRPC API](Documentation/api.md)
-* [Using Kubernetes with dex](Documentation/kubernetes.md)
+* [What's new in v2](https://dexidp.io/docs/v2/)
+* [Custom scopes, claims, and client features](https://dexidp.io/docs/custom-scopes-claims-clients/)
+* [Storage options](https://dexidp.io/docs/storage/)
+* [gRPC API](https://dexidp.io/docs/api/)
+* [Using Kubernetes with dex](https://dexidp.io/docs/kubernetes/)
 * Client libraries
   * [Go][go-oidc]
 
-## Reporting a security vulnerability
+## Reporting a vulnerability
 
-Due to their public nature, GitHub and mailing lists are NOT appropriate places for reporting vulnerabilities. Please refer to CoreOS's [security disclosure][disclosure] process when reporting issues that may be security related.
+Please see our [security policy](.github/SECURITY.md) for details about reporting vulnerabilities.
 
 ## Getting help
 
-* For feature requests and bugs, file an [issue][issues].
-* For general discussion about both using and developing dex, join the [dex-dev][dex-dev] mailing list.
+- For feature requests and bugs, file an [issue](https://github.com/dexidp/dex/issues).
+- For general discussion about both using and developing Dex:
+    - join the [#dexidp](https://cloud-native.slack.com/messages/dexidp) on the CNCF Slack
+    - open a new [discussion](https://github.com/dexidp/dex/discussions)
+    - join the [dex-dev](https://groups.google.com/forum/#!forum/dex-dev) mailing list
 
 [openid-connect]: https://openid.net/connect/
 [standard-claims]: https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
-[scopes]: Documentation/custom-scopes-claims-clients.md#scopes
-[using-dex]: Documentation/using-dex.md
+[scopes]: https://dexidp.io/docs/custom-scopes-claims-clients/#scopes
+[using-dex]: https://dexidp.io/docs/using-dex/
 [jwt-io]: https://jwt.io/
 [kubernetes]: http://kubernetes.io/docs/admin/authentication/#openid-connect-tokens
 [aws-sts]: https://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html
-[tectonic]: https://tectonic.com/
-[tectonic-console]: https://tectonic.com/enterprise/docs/latest/usage/index.html#tectonic-console
 [go-oidc]: https://github.com/coreos/go-oidc
 [issue-1065]: https://github.com/dexidp/dex/issues/1065
 [release-notes]: https://github.com/dexidp/dex/releases
-[issues]: https://github.com/dexidp/dex/issues
-[dex-dev]: https://groups.google.com/forum/#!forum/dex-dev
-[disclosure]: https://coreos.com/security/disclosure/
+
+## Development
+
+When all coding and testing is done, please run the test suite:
+
+```shell
+make testall
+```
+
+For the best developer experience, install [Nix](https://builtwithnix.org/) and [direnv](https://direnv.net/).
+
+Alternatively, install Go and Docker manually or using a package manager. Install the rest of the dependencies by running `make deps`.
+
+## License
+
+The project is licensed under the [Apache License, Version 2.0](LICENSE).

api/api.proto

@@ -1,8 +1,10 @@
 syntax = "proto3";
-option java_package = "com.coreos.dex.api";
 
 package api;
 
+option java_package = "com.coreos.dex.api";
+option go_package = "github.com/dexidp/dex/api";
+
 // Client represents an OAuth2 client.
 message Client {
   string id = 1;
@@ -22,7 +24,7 @@ message CreateClientReq {
 // CreateClientResp returns the response from creating a client.
 message CreateClientResp {
   bool already_exists = 1;
-  Client client = 2; 
+  Client client = 2;
 }
 
 // DeleteClientReq is a request to delete a client.
@@ -31,12 +33,12 @@ message DeleteClientReq {
   string id = 1;
 }
 
-// DeleteClientResp determines if the client is deleted successfully. 
+// DeleteClientResp determines if the client is deleted successfully.
 message DeleteClientResp {
   bool not_found = 1;
 }
 
-// UpdateClientReq is a request to update an exisitng client.
+// UpdateClientReq is a request to update an existing client.
 message UpdateClientReq {
     string id = 1;
     repeated string redirect_uris = 2;
@@ -45,7 +47,7 @@ message UpdateClientReq {
     string logo_url = 5;
 }
 
-// UpdateClientResp returns the reponse form updating a client.
+// UpdateClientResp returns the response from updating a client.
 message UpdateClientResp {
     bool not_found = 1;
 }
@@ -80,7 +82,7 @@ message UpdatePasswordReq {
   string new_username = 3;
 }
 
-// UpdatePasswordResp returns the response from modifying an existing password. 
+// UpdatePasswordResp returns the response from modifying an existing password.
 message UpdatePasswordResp {
   bool not_found = 1;
 }
@@ -90,7 +92,7 @@ message DeletePasswordReq {
   string email = 1;
 }
 
-// DeletePasswordResp returns the response from deleting a password. 
+// DeletePasswordResp returns the response from deleting a password.
 message DeletePasswordResp {
   bool not_found = 1;
 }
@@ -142,7 +144,7 @@ message RevokeRefreshReq {
   string client_id = 2;
 }
 
-// RevokeRefreshResp determines if the refresh token is revoked successfully. 
+// RevokeRefreshResp determines if the refresh token is revoked successfully.
 message RevokeRefreshResp {
   // Set to true is refresh token was not found and token could not be revoked.
   bool not_found = 1;

api/api_grpc.pb.go

@@ -0,0 +1,487 @@
+// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
+
+package api
+
+import (
+	context "context"
+	grpc "google.golang.org/grpc"
+	codes "google.golang.org/grpc/codes"
+	status "google.golang.org/grpc/status"
+)
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+// Requires gRPC-Go v1.32.0 or later.
+const _ = grpc.SupportPackageIsVersion7
+
+// DexClient is the client API for Dex service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
+type DexClient interface {
+	// CreateClient creates a client.
+	CreateClient(ctx context.Context, in *CreateClientReq, opts ...grpc.CallOption) (*CreateClientResp, error)
+	// UpdateClient updates an existing client
+	UpdateClient(ctx context.Context, in *UpdateClientReq, opts ...grpc.CallOption) (*UpdateClientResp, error)
+	// DeleteClient deletes the provided client.
+	DeleteClient(ctx context.Context, in *DeleteClientReq, opts ...grpc.CallOption) (*DeleteClientResp, error)
+	// CreatePassword creates a password.
+	CreatePassword(ctx context.Context, in *CreatePasswordReq, opts ...grpc.CallOption) (*CreatePasswordResp, error)
+	// UpdatePassword modifies existing password.
+	UpdatePassword(ctx context.Context, in *UpdatePasswordReq, opts ...grpc.CallOption) (*UpdatePasswordResp, error)
+	// DeletePassword deletes the password.
+	DeletePassword(ctx context.Context, in *DeletePasswordReq, opts ...grpc.CallOption) (*DeletePasswordResp, error)
+	// ListPassword lists all password entries.
+	ListPasswords(ctx context.Context, in *ListPasswordReq, opts ...grpc.CallOption) (*ListPasswordResp, error)
+	// GetVersion returns version information of the server.
+	GetVersion(ctx context.Context, in *VersionReq, opts ...grpc.CallOption) (*VersionResp, error)
+	// ListRefresh lists all the refresh token entries for a particular user.
+	ListRefresh(ctx context.Context, in *ListRefreshReq, opts ...grpc.CallOption) (*ListRefreshResp, error)
+	// RevokeRefresh revokes the refresh token for the provided user-client pair.
+	//
+	// Note that each user-client pair can have only one refresh token at a time.
+	RevokeRefresh(ctx context.Context, in *RevokeRefreshReq, opts ...grpc.CallOption) (*RevokeRefreshResp, error)
+	// VerifyPassword returns whether a password matches a hash for a specific email or not.
+	VerifyPassword(ctx context.Context, in *VerifyPasswordReq, opts ...grpc.CallOption) (*VerifyPasswordResp, error)
+}
+
+type dexClient struct {
+	cc grpc.ClientConnInterface
+}
+
+func NewDexClient(cc grpc.ClientConnInterface) DexClient {
+	return &dexClient{cc}
+}
+
+func (c *dexClient) CreateClient(ctx context.Context, in *CreateClientReq, opts ...grpc.CallOption) (*CreateClientResp, error) {
+	out := new(CreateClientResp)
+	err := c.cc.Invoke(ctx, "/api.Dex/CreateClient", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *dexClient) UpdateClient(ctx context.Context, in *UpdateClientReq, opts ...grpc.CallOption) (*UpdateClientResp, error) {
+	out := new(UpdateClientResp)
+	err := c.cc.Invoke(ctx, "/api.Dex/UpdateClient", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *dexClient) DeleteClient(ctx context.Context, in *DeleteClientReq, opts ...grpc.CallOption) (*DeleteClientResp, error) {
+	out := new(DeleteClientResp)
+	err := c.cc.Invoke(ctx, "/api.Dex/DeleteClient", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *dexClient) CreatePassword(ctx context.Context, in *CreatePasswordReq, opts ...grpc.CallOption) (*CreatePasswordResp, error) {
+	out := new(CreatePasswordResp)
+	err := c.cc.Invoke(ctx, "/api.Dex/CreatePassword", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *dexClient) UpdatePassword(ctx context.Context, in *UpdatePasswordReq, opts ...grpc.CallOption) (*UpdatePasswordResp, error) {
+	out := new(UpdatePasswordResp)
+	err := c.cc.Invoke(ctx, "/api.Dex/UpdatePassword", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *dexClient) DeletePassword(ctx context.Context, in *DeletePasswordReq, opts ...grpc.CallOption) (*DeletePasswordResp, error) {
+	out := new(DeletePasswordResp)
+	err := c.cc.Invoke(ctx, "/api.Dex/DeletePassword", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *dexClient) ListPasswords(ctx context.Context, in *ListPasswordReq, opts ...grpc.CallOption) (*ListPasswordResp, error) {
+	out := new(ListPasswordResp)
+	err := c.cc.Invoke(ctx, "/api.Dex/ListPasswords", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *dexClient) GetVersion(ctx context.Context, in *VersionReq, opts ...grpc.CallOption) (*VersionResp, error) {
+	out := new(VersionResp)
+	err := c.cc.Invoke(ctx, "/api.Dex/GetVersion", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *dexClient) ListRefresh(ctx context.Context, in *ListRefreshReq, opts ...grpc.CallOption) (*ListRefreshResp, error) {
+	out := new(ListRefreshResp)
+	err := c.cc.Invoke(ctx, "/api.Dex/ListRefresh", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *dexClient) RevokeRefresh(ctx context.Context, in *RevokeRefreshReq, opts ...grpc.CallOption) (*RevokeRefreshResp, error) {
+	out := new(RevokeRefreshResp)
+	err := c.cc.Invoke(ctx, "/api.Dex/RevokeRefresh", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *dexClient) VerifyPassword(ctx context.Context, in *VerifyPasswordReq, opts ...grpc.CallOption) (*VerifyPasswordResp, error) {
+	out := new(VerifyPasswordResp)
+	err := c.cc.Invoke(ctx, "/api.Dex/VerifyPassword", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// DexServer is the server API for Dex service.
+// All implementations must embed UnimplementedDexServer
+// for forward compatibility
+type DexServer interface {
+	// CreateClient creates a client.
+	CreateClient(context.Context, *CreateClientReq) (*CreateClientResp, error)
+	// UpdateClient updates an existing client
+	UpdateClient(context.Context, *UpdateClientReq) (*UpdateClientResp, error)
+	// DeleteClient deletes the provided client.
+	DeleteClient(context.Context, *DeleteClientReq) (*DeleteClientResp, error)
+	// CreatePassword creates a password.
+	CreatePassword(context.Context, *CreatePasswordReq) (*CreatePasswordResp, error)
+	// UpdatePassword modifies existing password.
+	UpdatePassword(context.Context, *UpdatePasswordReq) (*UpdatePasswordResp, error)
+	// DeletePassword deletes the password.
+	DeletePassword(context.Context, *DeletePasswordReq) (*DeletePasswordResp, error)
+	// ListPassword lists all password entries.
+	ListPasswords(context.Context, *ListPasswordReq) (*ListPasswordResp, error)
+	// GetVersion returns version information of the server.
+	GetVersion(context.Context, *VersionReq) (*VersionResp, error)
+	// ListRefresh lists all the refresh token entries for a particular user.
+	ListRefresh(context.Context, *ListRefreshReq) (*ListRefreshResp, error)
+	// RevokeRefresh revokes the refresh token for the provided user-client pair.
+	//
+	// Note that each user-client pair can have only one refresh token at a time.
+	RevokeRefresh(context.Context, *RevokeRefreshReq) (*RevokeRefreshResp, error)
+	// VerifyPassword returns whether a password matches a hash for a specific email or not.
+	VerifyPassword(context.Context, *VerifyPasswordReq) (*VerifyPasswordResp, error)
+	mustEmbedUnimplementedDexServer()
+}
+
+// UnimplementedDexServer must be embedded to have forward compatible implementations.
+type UnimplementedDexServer struct {
+}
+
+func (UnimplementedDexServer) CreateClient(context.Context, *CreateClientReq) (*CreateClientResp, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method CreateClient not implemented")
+}
+func (UnimplementedDexServer) UpdateClient(context.Context, *UpdateClientReq) (*UpdateClientResp, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method UpdateClient not implemented")
+}
+func (UnimplementedDexServer) DeleteClient(context.Context, *DeleteClientReq) (*DeleteClientResp, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method DeleteClient not implemented")
+}
+func (UnimplementedDexServer) CreatePassword(context.Context, *CreatePasswordReq) (*CreatePasswordResp, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method CreatePassword not implemented")
+}
+func (UnimplementedDexServer) UpdatePassword(context.Context, *UpdatePasswordReq) (*UpdatePasswordResp, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method UpdatePassword not implemented")
+}
+func (UnimplementedDexServer) DeletePassword(context.Context, *DeletePasswordReq) (*DeletePasswordResp, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method DeletePassword not implemented")
+}
+func (UnimplementedDexServer) ListPasswords(context.Context, *ListPasswordReq) (*ListPasswordResp, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method ListPasswords not implemented")
+}
+func (UnimplementedDexServer) GetVersion(context.Context, *VersionReq) (*VersionResp, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method GetVersion not implemented")
+}
+func (UnimplementedDexServer) ListRefresh(context.Context, *ListRefreshReq) (*ListRefreshResp, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method ListRefresh not implemented")
+}
+func (UnimplementedDexServer) RevokeRefresh(context.Context, *RevokeRefreshReq) (*RevokeRefreshResp, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method RevokeRefresh not implemented")
+}
+func (UnimplementedDexServer) VerifyPassword(context.Context, *VerifyPasswordReq) (*VerifyPasswordResp, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method VerifyPassword not implemented")
+}
+func (UnimplementedDexServer) mustEmbedUnimplementedDexServer() {}
+
+// UnsafeDexServer may be embedded to opt out of forward compatibility for this service.
+// Use of this interface is not recommended, as added methods to DexServer will
+// result in compilation errors.
+type UnsafeDexServer interface {
+	mustEmbedUnimplementedDexServer()
+}
+
+func RegisterDexServer(s grpc.ServiceRegistrar, srv DexServer) {
+	s.RegisterService(&Dex_ServiceDesc, srv)
+}
+
+func _Dex_CreateClient_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(CreateClientReq)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DexServer).CreateClient(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/api.Dex/CreateClient",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DexServer).CreateClient(ctx, req.(*CreateClientReq))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _Dex_UpdateClient_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(UpdateClientReq)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DexServer).UpdateClient(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/api.Dex/UpdateClient",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DexServer).UpdateClient(ctx, req.(*UpdateClientReq))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _Dex_DeleteClient_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(DeleteClientReq)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DexServer).DeleteClient(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/api.Dex/DeleteClient",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DexServer).DeleteClient(ctx, req.(*DeleteClientReq))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _Dex_CreatePassword_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(CreatePasswordReq)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DexServer).CreatePassword(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/api.Dex/CreatePassword",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DexServer).CreatePassword(ctx, req.(*CreatePasswordReq))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _Dex_UpdatePassword_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(UpdatePasswordReq)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DexServer).UpdatePassword(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/api.Dex/UpdatePassword",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DexServer).UpdatePassword(ctx, req.(*UpdatePasswordReq))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _Dex_DeletePassword_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(DeletePasswordReq)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DexServer).DeletePassword(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/api.Dex/DeletePassword",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DexServer).DeletePassword(ctx, req.(*DeletePasswordReq))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _Dex_ListPasswords_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(ListPasswordReq)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DexServer).ListPasswords(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/api.Dex/ListPasswords",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DexServer).ListPasswords(ctx, req.(*ListPasswordReq))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _Dex_GetVersion_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(VersionReq)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DexServer).GetVersion(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/api.Dex/GetVersion",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DexServer).GetVersion(ctx, req.(*VersionReq))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _Dex_ListRefresh_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(ListRefreshReq)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DexServer).ListRefresh(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/api.Dex/ListRefresh",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DexServer).ListRefresh(ctx, req.(*ListRefreshReq))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _Dex_RevokeRefresh_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(RevokeRefreshReq)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DexServer).RevokeRefresh(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/api.Dex/RevokeRefresh",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DexServer).RevokeRefresh(ctx, req.(*RevokeRefreshReq))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _Dex_VerifyPassword_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(VerifyPasswordReq)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DexServer).VerifyPassword(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/api.Dex/VerifyPassword",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DexServer).VerifyPassword(ctx, req.(*VerifyPasswordReq))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+// Dex_ServiceDesc is the grpc.ServiceDesc for Dex service.
+// It's only intended for direct use with grpc.RegisterService,
+// and not to be introspected or modified (even as a copy)
+var Dex_ServiceDesc = grpc.ServiceDesc{
+	ServiceName: "api.Dex",
+	HandlerType: (*DexServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "CreateClient",
+			Handler:    _Dex_CreateClient_Handler,
+		},
+		{
+			MethodName: "UpdateClient",
+			Handler:    _Dex_UpdateClient_Handler,
+		},
+		{
+			MethodName: "DeleteClient",
+			Handler:    _Dex_DeleteClient_Handler,
+		},
+		{
+			MethodName: "CreatePassword",
+			Handler:    _Dex_CreatePassword_Handler,
+		},
+		{
+			MethodName: "UpdatePassword",
+			Handler:    _Dex_UpdatePassword_Handler,
+		},
+		{
+			MethodName: "DeletePassword",
+			Handler:    _Dex_DeletePassword_Handler,
+		},
+		{
+			MethodName: "ListPasswords",
+			Handler:    _Dex_ListPasswords_Handler,
+		},
+		{
+			MethodName: "GetVersion",
+			Handler:    _Dex_GetVersion_Handler,
+		},
+		{
+			MethodName: "ListRefresh",
+			Handler:    _Dex_ListRefresh_Handler,
+		},
+		{
+			MethodName: "RevokeRefresh",
+			Handler:    _Dex_RevokeRefresh_Handler,
+		},
+		{
+			MethodName: "VerifyPassword",
+			Handler:    _Dex_VerifyPassword_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "api/api.proto",
+}

api/v2/api.proto

@@ -0,0 +1,189 @@
+syntax = "proto3";
+
+package api;
+
+option java_package = "com.coreos.dex.api";
+option go_package = "github.com/dexidp/dex/api/v2;api";
+
+// Client represents an OAuth2 client.
+message Client {
+  string id = 1;
+  string secret = 2;
+  repeated string redirect_uris = 3;
+  repeated string trusted_peers = 4;
+  bool public = 5;
+  string name = 6;
+  string logo_url = 7;
+}
+
+// CreateClientReq is a request to make a client.
+message CreateClientReq {
+  Client client = 1;
+}
+
+// CreateClientResp returns the response from creating a client.
+message CreateClientResp {
+  bool already_exists = 1;
+  Client client = 2;
+}
+
+// DeleteClientReq is a request to delete a client.
+message DeleteClientReq {
+  // The ID of the client.
+  string id = 1;
+}
+
+// DeleteClientResp determines if the client is deleted successfully.
+message DeleteClientResp {
+  bool not_found = 1;
+}
+
+// UpdateClientReq is a request to update an existing client.
+message UpdateClientReq {
+    string id = 1;
+    repeated string redirect_uris = 2;
+    repeated string trusted_peers = 3;
+    string name = 4;
+    string logo_url = 5;
+}
+
+// UpdateClientResp returns the response from updating a client.
+message UpdateClientResp {
+    bool not_found = 1;
+}
+
+// TODO(ericchiang): expand this.
+
+// Password is an email for password mapping managed by the storage.
+message Password {
+  string email = 1;
+
+  // Currently we do not accept plain text passwords. Could be an option in the future.
+  bytes hash = 2;
+  string username = 3;
+  string user_id = 4;
+}
+
+// CreatePasswordReq is a request to make a password.
+message CreatePasswordReq {
+  Password password = 1;
+}
+
+// CreatePasswordResp returns the response from creating a password.
+message CreatePasswordResp {
+  bool already_exists = 1;
+}
+
+// UpdatePasswordReq is a request to modify an existing password.
+message UpdatePasswordReq {
+  // The email used to lookup the password. This field cannot be modified
+  string email = 1;
+  bytes new_hash = 2;
+  string new_username = 3;
+}
+
+// UpdatePasswordResp returns the response from modifying an existing password.
+message UpdatePasswordResp {
+  bool not_found = 1;
+}
+
+// DeletePasswordReq is a request to delete a password.
+message DeletePasswordReq {
+  string email = 1;
+}
+
+// DeletePasswordResp returns the response from deleting a password.
+message DeletePasswordResp {
+  bool not_found = 1;
+}
+
+// ListPasswordReq is a request to enumerate passwords.
+message ListPasswordReq {}
+
+// ListPasswordResp returns a list of passwords.
+message ListPasswordResp {
+  repeated Password passwords = 1;
+}
+
+// VersionReq is a request to fetch version info.
+message VersionReq {}
+
+// VersionResp holds the version info of components.
+message VersionResp {
+  // Semantic version of the server.
+  string server = 1;
+  // Numeric version of the API. It increases everytime a new call is added to the API.
+  // Clients should use this info to determine if the server supports specific features.
+  int32 api = 2;
+}
+
+// RefreshTokenRef contains the metadata for a refresh token that is managed by the storage.
+message RefreshTokenRef {
+  // ID of the refresh token.
+  string id = 1;
+  string client_id = 2;
+  int64 created_at = 5;
+  int64 last_used = 6;
+}
+
+// ListRefreshReq is a request to enumerate the refresh tokens of a user.
+message ListRefreshReq {
+  // The "sub" claim returned in the ID Token.
+  string user_id = 1;
+}
+
+// ListRefreshResp returns a list of refresh tokens for a user.
+message ListRefreshResp {
+  repeated RefreshTokenRef refresh_tokens = 1;
+}
+
+// RevokeRefreshReq is a request to revoke the refresh token of the user-client pair.
+message RevokeRefreshReq {
+  // The "sub" claim returned in the ID Token.
+  string user_id = 1;
+  string client_id = 2;
+}
+
+// RevokeRefreshResp determines if the refresh token is revoked successfully.
+message RevokeRefreshResp {
+  // Set to true is refresh token was not found and token could not be revoked.
+  bool not_found = 1;
+}
+
+message VerifyPasswordReq {
+  string email = 1;
+  string password = 2;
+}
+
+message VerifyPasswordResp {
+  bool verified = 1;
+  bool not_found = 2;
+}
+
+// Dex represents the dex gRPC service.
+service Dex {
+  // CreateClient creates a client.
+  rpc CreateClient(CreateClientReq) returns (CreateClientResp) {};
+  // UpdateClient updates an existing client
+  rpc UpdateClient(UpdateClientReq) returns (UpdateClientResp) {};
+  // DeleteClient deletes the provided client.
+  rpc DeleteClient(DeleteClientReq) returns (DeleteClientResp) {};
+  // CreatePassword creates a password.
+  rpc CreatePassword(CreatePasswordReq) returns (CreatePasswordResp) {};
+  // UpdatePassword modifies existing password.
+  rpc UpdatePassword(UpdatePasswordReq) returns (UpdatePasswordResp) {};
+  // DeletePassword deletes the password.
+  rpc DeletePassword(DeletePasswordReq) returns (DeletePasswordResp) {};
+  // ListPassword lists all password entries.
+  rpc ListPasswords(ListPasswordReq) returns (ListPasswordResp) {};
+  // GetVersion returns version information of the server.
+  rpc GetVersion(VersionReq) returns (VersionResp) {};
+  // ListRefresh lists all the refresh token entries for a particular user.
+  rpc ListRefresh(ListRefreshReq) returns (ListRefreshResp) {};
+  // RevokeRefresh revokes the refresh token for the provided user-client pair.
+  //
+  // Note that each user-client pair can have only one refresh token at a time.
+  rpc RevokeRefresh(RevokeRefreshReq) returns (RevokeRefreshResp) {};
+  // VerifyPassword returns whether a password matches a hash for a specific email or not.
+  rpc VerifyPassword(VerifyPasswordReq) returns (VerifyPasswordResp) {};
+}

api/v2/api_grpc.pb.go

@@ -0,0 +1,487 @@
+// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
+
+package api
+
+import (
+	context "context"
+	grpc "google.golang.org/grpc"
+	codes "google.golang.org/grpc/codes"
+	status "google.golang.org/grpc/status"
+)
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+// Requires gRPC-Go v1.32.0 or later.
+const _ = grpc.SupportPackageIsVersion7
+
+// DexClient is the client API for Dex service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
+type DexClient interface {
+	// CreateClient creates a client.
+	CreateClient(ctx context.Context, in *CreateClientReq, opts ...grpc.CallOption) (*CreateClientResp, error)
+	// UpdateClient updates an existing client
+	UpdateClient(ctx context.Context, in *UpdateClientReq, opts ...grpc.CallOption) (*UpdateClientResp, error)
+	// DeleteClient deletes the provided client.
+	DeleteClient(ctx context.Context, in *DeleteClientReq, opts ...grpc.CallOption) (*DeleteClientResp, error)
+	// CreatePassword creates a password.
+	CreatePassword(ctx context.Context, in *CreatePasswordReq, opts ...grpc.CallOption) (*CreatePasswordResp, error)
+	// UpdatePassword modifies existing password.
+	UpdatePassword(ctx context.Context, in *UpdatePasswordReq, opts ...grpc.CallOption) (*UpdatePasswordResp, error)
+	// DeletePassword deletes the password.
+	DeletePassword(ctx context.Context, in *DeletePasswordReq, opts ...grpc.CallOption) (*DeletePasswordResp, error)
+	// ListPassword lists all password entries.
+	ListPasswords(ctx context.Context, in *ListPasswordReq, opts ...grpc.CallOption) (*ListPasswordResp, error)
+	// GetVersion returns version information of the server.
+	GetVersion(ctx context.Context, in *VersionReq, opts ...grpc.CallOption) (*VersionResp, error)
+	// ListRefresh lists all the refresh token entries for a particular user.
+	ListRefresh(ctx context.Context, in *ListRefreshReq, opts ...grpc.CallOption) (*ListRefreshResp, error)
+	// RevokeRefresh revokes the refresh token for the provided user-client pair.
+	//
+	// Note that each user-client pair can have only one refresh token at a time.
+	RevokeRefresh(ctx context.Context, in *RevokeRefreshReq, opts ...grpc.CallOption) (*RevokeRefreshResp, error)
+	// VerifyPassword returns whether a password matches a hash for a specific email or not.
+	VerifyPassword(ctx context.Context, in *VerifyPasswordReq, opts ...grpc.CallOption) (*VerifyPasswordResp, error)
+}
+
+type dexClient struct {
+	cc grpc.ClientConnInterface
+}
+
+func NewDexClient(cc grpc.ClientConnInterface) DexClient {
+	return &dexClient{cc}
+}
+
+func (c *dexClient) CreateClient(ctx context.Context, in *CreateClientReq, opts ...grpc.CallOption) (*CreateClientResp, error) {
+	out := new(CreateClientResp)
+	err := c.cc.Invoke(ctx, "/api.Dex/CreateClient", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *dexClient) UpdateClient(ctx context.Context, in *UpdateClientReq, opts ...grpc.CallOption) (*UpdateClientResp, error) {
+	out := new(UpdateClientResp)
+	err := c.cc.Invoke(ctx, "/api.Dex/UpdateClient", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *dexClient) DeleteClient(ctx context.Context, in *DeleteClientReq, opts ...grpc.CallOption) (*DeleteClientResp, error) {
+	out := new(DeleteClientResp)
+	err := c.cc.Invoke(ctx, "/api.Dex/DeleteClient", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *dexClient) CreatePassword(ctx context.Context, in *CreatePasswordReq, opts ...grpc.CallOption) (*CreatePasswordResp, error) {
+	out := new(CreatePasswordResp)
+	err := c.cc.Invoke(ctx, "/api.Dex/CreatePassword", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *dexClient) UpdatePassword(ctx context.Context, in *UpdatePasswordReq, opts ...grpc.CallOption) (*UpdatePasswordResp, error) {
+	out := new(UpdatePasswordResp)
+	err := c.cc.Invoke(ctx, "/api.Dex/UpdatePassword", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *dexClient) DeletePassword(ctx context.Context, in *DeletePasswordReq, opts ...grpc.CallOption) (*DeletePasswordResp, error) {
+	out := new(DeletePasswordResp)
+	err := c.cc.Invoke(ctx, "/api.Dex/DeletePassword", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *dexClient) ListPasswords(ctx context.Context, in *ListPasswordReq, opts ...grpc.CallOption) (*ListPasswordResp, error) {
+	out := new(ListPasswordResp)
+	err := c.cc.Invoke(ctx, "/api.Dex/ListPasswords", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *dexClient) GetVersion(ctx context.Context, in *VersionReq, opts ...grpc.CallOption) (*VersionResp, error) {
+	out := new(VersionResp)
+	err := c.cc.Invoke(ctx, "/api.Dex/GetVersion", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *dexClient) ListRefresh(ctx context.Context, in *ListRefreshReq, opts ...grpc.CallOption) (*ListRefreshResp, error) {
+	out := new(ListRefreshResp)
+	err := c.cc.Invoke(ctx, "/api.Dex/ListRefresh", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *dexClient) RevokeRefresh(ctx context.Context, in *RevokeRefreshReq, opts ...grpc.CallOption) (*RevokeRefreshResp, error) {
+	out := new(RevokeRefreshResp)
+	err := c.cc.Invoke(ctx, "/api.Dex/RevokeRefresh", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *dexClient) VerifyPassword(ctx context.Context, in *VerifyPasswordReq, opts ...grpc.CallOption) (*VerifyPasswordResp, error) {
+	out := new(VerifyPasswordResp)
+	err := c.cc.Invoke(ctx, "/api.Dex/VerifyPassword", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// DexServer is the server API for Dex service.
+// All implementations must embed UnimplementedDexServer
+// for forward compatibility
+type DexServer interface {
+	// CreateClient creates a client.
+	CreateClient(context.Context, *CreateClientReq) (*CreateClientResp, error)
+	// UpdateClient updates an existing client
+	UpdateClient(context.Context, *UpdateClientReq) (*UpdateClientResp, error)
+	// DeleteClient deletes the provided client.
+	DeleteClient(context.Context, *DeleteClientReq) (*DeleteClientResp, error)
+	// CreatePassword creates a password.
+	CreatePassword(context.Context, *CreatePasswordReq) (*CreatePasswordResp, error)
+	// UpdatePassword modifies existing password.
+	UpdatePassword(context.Context, *UpdatePasswordReq) (*UpdatePasswordResp, error)
+	// DeletePassword deletes the password.
+	DeletePassword(context.Context, *DeletePasswordReq) (*DeletePasswordResp, error)
+	// ListPassword lists all password entries.
+	ListPasswords(context.Context, *ListPasswordReq) (*ListPasswordResp, error)
+	// GetVersion returns version information of the server.
+	GetVersion(context.Context, *VersionReq) (*VersionResp, error)
+	// ListRefresh lists all the refresh token entries for a particular user.
+	ListRefresh(context.Context, *ListRefreshReq) (*ListRefreshResp, error)
+	// RevokeRefresh revokes the refresh token for the provided user-client pair.
+	//
+	// Note that each user-client pair can have only one refresh token at a time.
+	RevokeRefresh(context.Context, *RevokeRefreshReq) (*RevokeRefreshResp, error)
+	// VerifyPassword returns whether a password matches a hash for a specific email or not.
+	VerifyPassword(context.Context, *VerifyPasswordReq) (*VerifyPasswordResp, error)
+	mustEmbedUnimplementedDexServer()
+}
+
+// UnimplementedDexServer must be embedded to have forward compatible implementations.
+type UnimplementedDexServer struct {
+}
+
+func (UnimplementedDexServer) CreateClient(context.Context, *CreateClientReq) (*CreateClientResp, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method CreateClient not implemented")
+}
+func (UnimplementedDexServer) UpdateClient(context.Context, *UpdateClientReq) (*UpdateClientResp, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method UpdateClient not implemented")
+}
+func (UnimplementedDexServer) DeleteClient(context.Context, *DeleteClientReq) (*DeleteClientResp, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method DeleteClient not implemented")
+}
+func (UnimplementedDexServer) CreatePassword(context.Context, *CreatePasswordReq) (*CreatePasswordResp, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method CreatePassword not implemented")
+}
+func (UnimplementedDexServer) UpdatePassword(context.Context, *UpdatePasswordReq) (*UpdatePasswordResp, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method UpdatePassword not implemented")
+}
+func (UnimplementedDexServer) DeletePassword(context.Context, *DeletePasswordReq) (*DeletePasswordResp, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method DeletePassword not implemented")
+}
+func (UnimplementedDexServer) ListPasswords(context.Context, *ListPasswordReq) (*ListPasswordResp, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method ListPasswords not implemented")
+}
+func (UnimplementedDexServer) GetVersion(context.Context, *VersionReq) (*VersionResp, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method GetVersion not implemented")
+}
+func (UnimplementedDexServer) ListRefresh(context.Context, *ListRefreshReq) (*ListRefreshResp, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method ListRefresh not implemented")
+}
+func (UnimplementedDexServer) RevokeRefresh(context.Context, *RevokeRefreshReq) (*RevokeRefreshResp, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method RevokeRefresh not implemented")
+}
+func (UnimplementedDexServer) VerifyPassword(context.Context, *VerifyPasswordReq) (*VerifyPasswordResp, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method VerifyPassword not implemented")
+}
+func (UnimplementedDexServer) mustEmbedUnimplementedDexServer() {}
+
+// UnsafeDexServer may be embedded to opt out of forward compatibility for this service.
+// Use of this interface is not recommended, as added methods to DexServer will
+// result in compilation errors.
+type UnsafeDexServer interface {
+	mustEmbedUnimplementedDexServer()
+}
+
+func RegisterDexServer(s grpc.ServiceRegistrar, srv DexServer) {
+	s.RegisterService(&Dex_ServiceDesc, srv)
+}
+
+func _Dex_CreateClient_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(CreateClientReq)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DexServer).CreateClient(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/api.Dex/CreateClient",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DexServer).CreateClient(ctx, req.(*CreateClientReq))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _Dex_UpdateClient_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(UpdateClientReq)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DexServer).UpdateClient(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/api.Dex/UpdateClient",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DexServer).UpdateClient(ctx, req.(*UpdateClientReq))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _Dex_DeleteClient_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(DeleteClientReq)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DexServer).DeleteClient(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/api.Dex/DeleteClient",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DexServer).DeleteClient(ctx, req.(*DeleteClientReq))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _Dex_CreatePassword_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(CreatePasswordReq)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DexServer).CreatePassword(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/api.Dex/CreatePassword",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DexServer).CreatePassword(ctx, req.(*CreatePasswordReq))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _Dex_UpdatePassword_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(UpdatePasswordReq)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DexServer).UpdatePassword(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/api.Dex/UpdatePassword",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DexServer).UpdatePassword(ctx, req.(*UpdatePasswordReq))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _Dex_DeletePassword_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(DeletePasswordReq)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DexServer).DeletePassword(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/api.Dex/DeletePassword",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DexServer).DeletePassword(ctx, req.(*DeletePasswordReq))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _Dex_ListPasswords_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(ListPasswordReq)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DexServer).ListPasswords(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/api.Dex/ListPasswords",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DexServer).ListPasswords(ctx, req.(*ListPasswordReq))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _Dex_GetVersion_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(VersionReq)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DexServer).GetVersion(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/api.Dex/GetVersion",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DexServer).GetVersion(ctx, req.(*VersionReq))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _Dex_ListRefresh_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(ListRefreshReq)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DexServer).ListRefresh(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/api.Dex/ListRefresh",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DexServer).ListRefresh(ctx, req.(*ListRefreshReq))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _Dex_RevokeRefresh_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(RevokeRefreshReq)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DexServer).RevokeRefresh(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/api.Dex/RevokeRefresh",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DexServer).RevokeRefresh(ctx, req.(*RevokeRefreshReq))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _Dex_VerifyPassword_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(VerifyPasswordReq)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DexServer).VerifyPassword(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/api.Dex/VerifyPassword",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DexServer).VerifyPassword(ctx, req.(*VerifyPasswordReq))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+// Dex_ServiceDesc is the grpc.ServiceDesc for Dex service.
+// It's only intended for direct use with grpc.RegisterService,
+// and not to be introspected or modified (even as a copy)
+var Dex_ServiceDesc = grpc.ServiceDesc{
+	ServiceName: "api.Dex",
+	HandlerType: (*DexServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "CreateClient",
+			Handler:    _Dex_CreateClient_Handler,
+		},
+		{
+			MethodName: "UpdateClient",
+			Handler:    _Dex_UpdateClient_Handler,
+		},
+		{
+			MethodName: "DeleteClient",
+			Handler:    _Dex_DeleteClient_Handler,
+		},
+		{
+			MethodName: "CreatePassword",
+			Handler:    _Dex_CreatePassword_Handler,
+		},
+		{
+			MethodName: "UpdatePassword",
+			Handler:    _Dex_UpdatePassword_Handler,
+		},
+		{
+			MethodName: "DeletePassword",
+			Handler:    _Dex_DeletePassword_Handler,
+		},
+		{
+			MethodName: "ListPasswords",
+			Handler:    _Dex_ListPasswords_Handler,
+		},
+		{
+			MethodName: "GetVersion",
+			Handler:    _Dex_GetVersion_Handler,
+		},
+		{
+			MethodName: "ListRefresh",
+			Handler:    _Dex_ListRefresh_Handler,
+		},
+		{
+			MethodName: "RevokeRefresh",
+			Handler:    _Dex_RevokeRefresh_Handler,
+		},
+		{
+			MethodName: "VerifyPassword",
+			Handler:    _Dex_VerifyPassword_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "api/v2/api.proto",
+}

api/v2/go.mod

@@ -0,0 +1,16 @@
+module github.com/dexidp/dex/api/v2
+
+go 1.17
+
+require (
+	google.golang.org/grpc v1.47.0
+	google.golang.org/protobuf v1.28.0
+)
+
+require (
+	github.com/golang/protobuf v1.5.2 // indirect
+	golang.org/x/net v0.0.0-20220607020251-c690dde0001d // indirect
+	golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a // indirect
+	golang.org/x/text v0.3.7 // indirect
+	google.golang.org/genproto v0.0.0-20220602131408-e326c6e8e9c8 // indirect
+)

api/v2/go.sum

@@ -0,0 +1,141 @@
+cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
+github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
+github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
+github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
+github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI=
+github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
+github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
+github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE=
+github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
+github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
+github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
+github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
+github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
+github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
+github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
+github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
+github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
+github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
+github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
+github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
+github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
+github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.6 h1:BKbKCqvP6I+rmFHt06ZmyQtvB8xAkWdhFyr0ZUNZcxQ=
+github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
+golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
+golang.org/x/net v0.0.0-20220607020251-c690dde0001d h1:4SFsTMi4UahlKoloni7L4eYzhFRifURQLw+yv0QDCx8=
+golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a h1:dGzPydgVsqGcTRVwiLJ1jVbufYwmzD3LfVPLKsKg+0k=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
+golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
+google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
+google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
+google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
+google.golang.org/genproto v0.0.0-20220602131408-e326c6e8e9c8 h1:qRu95HZ148xXw+XeZ3dvqe85PxH4X8+jIo0iRPKcEnM=
+google.golang.org/genproto v0.0.0-20220602131408-e326c6e8e9c8/go.mod h1:yKyY4AMRwFiC8yMMNaMi+RkCnjZJt9LoWuvhXjMs+To=
+google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
+google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
+google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
+google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0=
+google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
+google.golang.org/grpc v1.46.2/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
+google.golang.org/grpc v1.47.0 h1:9n77onPX5F3qfFCqjy9dhn8PbNQsIKeVU04J9G7umt8=
+google.golang.org/grpc v1.47.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
+google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
+google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
+google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
+google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
+google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
+google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
+google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
+google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+google.golang.org/protobuf v1.28.0 h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscLw=
+google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=

cmd/dex/config.go

@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"os"
+	"strconv"
 	"strings"
 
 	"golang.org/x/crypto/bcrypt"
@@ -12,6 +13,7 @@ import (
 	"github.com/dexidp/dex/pkg/log"
 	"github.com/dexidp/dex/server"
 	"github.com/dexidp/dex/storage"
+	"github.com/dexidp/dex/storage/ent"
 	"github.com/dexidp/dex/storage/etcd"
 	"github.com/dexidp/dex/storage/kubernetes"
 	"github.com/dexidp/dex/storage/memory"
@@ -49,7 +51,7 @@ type Config struct {
 	StaticPasswords []password `json:"staticPasswords"`
 }
 
-//Validate the configuration
+// Validate the configuration
 func (c Config) Validate() error {
 	// Fast checks. Perform these first for a more responsive CLI.
 	checks := []struct {
@@ -85,10 +87,11 @@ type password storage.Password
 
 func (p *password) UnmarshalJSON(b []byte) error {
 	var data struct {
-		Email    string `json:"email"`
-		Username string `json:"username"`
-		UserID   string `json:"userID"`
-		Hash     string `json:"hash"`
+		Email       string `json:"email"`
+		Username    string `json:"username"`
+		UserID      string `json:"userID"`
+		Hash        string `json:"hash"`
+		HashFromEnv string `json:"hashFromEnv"`
 	}
 	if err := json.Unmarshal(b, &data); err != nil {
 		return err
@@ -98,6 +101,9 @@ func (p *password) UnmarshalJSON(b []byte) error {
 		Username: data.Username,
 		UserID:   data.UserID,
 	})
+	if len(data.Hash) == 0 && len(data.HashFromEnv) > 0 {
+		data.Hash = os.Getenv(data.HashFromEnv)
+	}
 	if len(data.Hash) == 0 {
 		return fmt.Errorf("no password hash provided")
 	}
@@ -129,6 +135,8 @@ type OAuth2 struct {
 	SkipApprovalScreen bool `json:"skipApprovalScreen"`
 	// If specified, show the connector selection screen even if there's only one
 	AlwaysShowLoginScreen bool `json:"alwaysShowLoginScreen"`
+	// This is the connector that can be used for password grant
+	PasswordConnector string `json:"passwordConnector"`
 }
 
 // Web is the config format for the HTTP server.
@@ -143,6 +151,8 @@ type Web struct {
 // Telemetry is the config format for telemetry including the HTTP server config.
 type Telemetry struct {
 	HTTP string `json:"http"`
+	// EnableProfiling makes profiling endpoints available via web interface host:port/debug/pprof/
+	EnableProfiling bool `json:"enableProfiling"`
 }
 
 // GRPC is the config for the gRPC API.
@@ -166,13 +176,49 @@ type StorageConfig interface {
 	Open(logger log.Logger) (storage.Storage, error)
 }
 
+var (
+	_ StorageConfig = (*etcd.Etcd)(nil)
+	_ StorageConfig = (*kubernetes.Config)(nil)
+	_ StorageConfig = (*memory.Config)(nil)
+	_ StorageConfig = (*sql.SQLite3)(nil)
+	_ StorageConfig = (*sql.Postgres)(nil)
+	_ StorageConfig = (*sql.MySQL)(nil)
+	_ StorageConfig = (*ent.SQLite3)(nil)
+	_ StorageConfig = (*ent.Postgres)(nil)
+	_ StorageConfig = (*ent.MySQL)(nil)
+)
+
+func getORMBasedSQLStorage(normal, entBased StorageConfig) func() StorageConfig {
+	return func() StorageConfig {
+		switch os.Getenv("DEX_ENT_ENABLED") {
+		case "true", "yes":
+			return entBased
+		default:
+			return normal
+		}
+	}
+}
+
 var storages = map[string]func() StorageConfig{
 	"etcd":       func() StorageConfig { return new(etcd.Etcd) },
 	"kubernetes": func() StorageConfig { return new(kubernetes.Config) },
 	"memory":     func() StorageConfig { return new(memory.Config) },
-	"sqlite3":    func() StorageConfig { return new(sql.SQLite3) },
-	"postgres":   func() StorageConfig { return new(sql.Postgres) },
-	"mysql":      func() StorageConfig { return new(sql.MySQL) },
+	"sqlite3":    getORMBasedSQLStorage(&sql.SQLite3{}, &ent.SQLite3{}),
+	"postgres":   getORMBasedSQLStorage(&sql.Postgres{}, &ent.Postgres{}),
+	"mysql":      getORMBasedSQLStorage(&sql.MySQL{}, &ent.MySQL{}),
+}
+
+// isExpandEnvEnabled returns if os.ExpandEnv should be used for each storage and connector config.
+// Disabling this feature avoids surprises e.g. if the LDAP bind password contains a dollar character.
+// Returns false if the env variable "DEX_EXPAND_ENV" is a falsy string, e.g. "false".
+// Returns true if the env variable is unset or a truthy string, e.g. "true", or can't be parsed as bool.
+func isExpandEnvEnabled() bool {
+	enabled, err := strconv.ParseBool(os.Getenv("DEX_EXPAND_ENV"))
+	if err != nil {
+		// Unset, empty string or can't be parsed as bool: Default = true.
+		return true
+	}
+	return enabled
 }
 
 // UnmarshalJSON allows Storage to implement the unmarshaler interface to
@@ -192,7 +238,11 @@ func (s *Storage) UnmarshalJSON(b []byte) error {
 
 	storageConfig := f()
 	if len(store.Config) != 0 {
-		data := []byte(os.ExpandEnv(string(store.Config)))
+		data := []byte(store.Config)
+		if isExpandEnvEnabled() {
+			// Caution, we're expanding in the raw JSON/YAML source. This may not be what the admin expects.
+			data = []byte(os.ExpandEnv(string(store.Config)))
+		}
 		if err := json.Unmarshal(data, storageConfig); err != nil {
 			return fmt.Errorf("parse storage config: %v", err)
 		}
@@ -234,7 +284,11 @@ func (c *Connector) UnmarshalJSON(b []byte) error {
 
 	connConfig := f()
 	if len(conn.Config) != 0 {
-		data := []byte(os.ExpandEnv(string(conn.Config)))
+		data := []byte(conn.Config)
+		if isExpandEnvEnabled() {
+			// Caution, we're expanding in the raw JSON/YAML source. This may not be what the admin expects.
+			data = []byte(os.ExpandEnv(string(conn.Config)))
+		}
 		if err := json.Unmarshal(data, connConfig); err != nil {
 			return fmt.Errorf("parse connector config: %v", err)
 		}
@@ -273,6 +327,12 @@ type Expiry struct {
 
 	// AuthRequests defines the duration of time for which the AuthRequests will be valid.
 	AuthRequests string `json:"authRequests"`
+
+	// DeviceRequests defines the duration of time for which the DeviceRequests will be valid.
+	DeviceRequests string `json:"deviceRequests"`
+
+	// RefreshTokens defines refresh tokens expiry policy
+	RefreshTokens RefreshToken `json:"refreshTokens"`
 }
 
 // Logger holds configuration required to customize logging for dex.
@@ -283,3 +343,10 @@ type Logger struct {
 	// Format specifies the format to be used for logging.
 	Format string `json:"format"`
 }
+
+type RefreshToken struct {
+	DisableRotation   bool   `json:"disableRotation"`
+	ReuseInterval     string `json:"reuseInterval"`
+	AbsoluteLifetime  string `json:"absoluteLifetime"`
+	ValidIfNotUsedFor string `json:"validIfNotUsedFor"`
+}

cmd/dex/config_test.go

@@ -1,7 +1,7 @@
 package main
 
 import (
-	"github.com/dexidp/dex/server"
+	"os"
 	"testing"
 
 	"github.com/ghodss/yaml"
@@ -9,6 +9,7 @@ import (
 
 	"github.com/dexidp/dex/connector/mock"
 	"github.com/dexidp/dex/connector/oidc"
+	"github.com/dexidp/dex/server"
 	"github.com/dexidp/dex/storage"
 	"github.com/dexidp/dex/storage/sql"
 )
@@ -56,6 +57,7 @@ func TestInvalidConfiguration(t *testing.T) {
 		t.Fatalf("Expected error message to be %q, got %q", wanted, got)
 	}
 }
+
 func TestUnmarshalConfig(t *testing.T) {
 	rawConfig := []byte(`
 issuer: http://127.0.0.1:5556/dex
@@ -106,7 +108,7 @@ staticPasswords:
   hash: "$2a$10$33EMT0cVYVlPy6WAMCLsceLYjWhuHpbz5yuZxu/GAFj03J9Lytjuy"
   username: "admin"
   userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
-- email: "foo@example.com"  
+- email: "foo@example.com"
   # base64'd value of the same bcrypt hash above. We want to be able to parse both of these
   hash: "JDJhJDEwJDMzRU1UMGNWWVZsUHk2V0FNQ0xzY2VMWWpXaHVIcGJ6NXl1Wnh1L0dBRmowM0o5THl0anV5"
   username: "foo"
@@ -116,6 +118,7 @@ expiry:
   signingKeys: "7h"
   idTokens: "25h"
   authRequests: "25h"
+  deviceRequests: "10m"
 
 logger:
   level: "debug"
@@ -193,6 +196,214 @@ logger:
 				UserID:   "41331323-6f44-45e6-b3b9-2c4b60c02be5",
 			},
 		},
+		Expiry: Expiry{
+			SigningKeys:    "7h",
+			IDTokens:       "25h",
+			AuthRequests:   "25h",
+			DeviceRequests: "10m",
+		},
+		Logger: Logger{
+			Level:  "debug",
+			Format: "json",
+		},
+	}
+
+	var c Config
+	if err := yaml.Unmarshal(rawConfig, &c); err != nil {
+		t.Fatalf("failed to decode config: %v", err)
+	}
+	if diff := pretty.Compare(c, want); diff != "" {
+		t.Errorf("got!=want: %s", diff)
+	}
+}
+
+func TestUnmarshalConfigWithEnvNoExpand(t *testing.T) {
+	// If the env variable DEX_EXPAND_ENV is set and has a "falsy" value, os.ExpandEnv is disabled.
+	// ParseBool: "It accepts 1, t, T, TRUE, true, True, 0, f, F, FALSE, false, False."
+	checkUnmarshalConfigWithEnv(t, "0", false)
+	checkUnmarshalConfigWithEnv(t, "f", false)
+	checkUnmarshalConfigWithEnv(t, "F", false)
+	checkUnmarshalConfigWithEnv(t, "FALSE", false)
+	checkUnmarshalConfigWithEnv(t, "false", false)
+	checkUnmarshalConfigWithEnv(t, "False", false)
+	os.Unsetenv("DEX_EXPAND_ENV")
+}
+
+func TestUnmarshalConfigWithEnvExpand(t *testing.T) {
+	// If the env variable DEX_EXPAND_ENV is unset or has a "truthy" or unknown value, os.ExpandEnv is enabled.
+	// ParseBool: "It accepts 1, t, T, TRUE, true, True, 0, f, F, FALSE, false, False."
+	checkUnmarshalConfigWithEnv(t, "1", true)
+	checkUnmarshalConfigWithEnv(t, "t", true)
+	checkUnmarshalConfigWithEnv(t, "T", true)
+	checkUnmarshalConfigWithEnv(t, "TRUE", true)
+	checkUnmarshalConfigWithEnv(t, "true", true)
+	checkUnmarshalConfigWithEnv(t, "True", true)
+	// Values that can't be parsed as bool:
+	checkUnmarshalConfigWithEnv(t, "UNSET", true)
+	checkUnmarshalConfigWithEnv(t, "", true)
+	checkUnmarshalConfigWithEnv(t, "whatever - true is default", true)
+	os.Unsetenv("DEX_EXPAND_ENV")
+}
+
+func checkUnmarshalConfigWithEnv(t *testing.T, dexExpandEnv string, wantExpandEnv bool) {
+	// For hashFromEnv:
+	os.Setenv("DEX_FOO_USER_PASSWORD", "$2a$10$33EMT0cVYVlPy6WAMCLsceLYjWhuHpbz5yuZxu/GAFj03J9Lytjuy")
+	// For os.ExpandEnv ($VAR -> value_of_VAR):
+	os.Setenv("DEX_FOO_POSTGRES_HOST", "10.0.0.1")
+	os.Setenv("DEX_FOO_OIDC_CLIENT_SECRET", "bar")
+	if dexExpandEnv != "UNSET" {
+		os.Setenv("DEX_EXPAND_ENV", dexExpandEnv)
+	} else {
+		os.Unsetenv("DEX_EXPAND_ENV")
+	}
+
+	rawConfig := []byte(`
+issuer: http://127.0.0.1:5556/dex
+storage:
+  type: postgres
+  config:
+    # Env variables are expanded in raw YAML source.
+    # Single quotes work fine, as long as the env variable doesn't contain any.
+    host: '$DEX_FOO_POSTGRES_HOST'
+    port: 65432
+    maxOpenConns: 5
+    maxIdleConns: 3
+    connMaxLifetime: 30
+    connectionTimeout: 3
+web:
+  http: 127.0.0.1:5556
+
+frontend:
+  dir: ./web
+  extra:
+    foo: bar
+
+staticClients:
+- id: example-app
+  redirectURIs:
+  - 'http://127.0.0.1:5555/callback'
+  name: 'Example App'
+  secret: ZXhhbXBsZS1hcHAtc2VjcmV0
+
+oauth2:
+  alwaysShowLoginScreen: true
+
+connectors:
+- type: mockCallback
+  id: mock
+  name: Example
+- type: oidc
+  id: google
+  name: Google
+  config:
+    issuer: https://accounts.google.com
+    clientID: foo
+    # Env variables are expanded in raw YAML source.
+    # Single quotes work fine, as long as the env variable doesn't contain any.
+    clientSecret: '$DEX_FOO_OIDC_CLIENT_SECRET'
+    redirectURI: http://127.0.0.1:5556/dex/callback/google
+
+enablePasswordDB: true
+staticPasswords:
+- email: "admin@example.com"
+  # bcrypt hash of the string "password"
+  hash: "$2a$10$33EMT0cVYVlPy6WAMCLsceLYjWhuHpbz5yuZxu/GAFj03J9Lytjuy"
+  username: "admin"
+  userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
+- email: "foo@example.com"
+  hashFromEnv: "DEX_FOO_USER_PASSWORD"
+  username: "foo"
+  userID: "41331323-6f44-45e6-b3b9-2c4b60c02be5"
+
+expiry:
+  signingKeys: "7h"
+  idTokens: "25h"
+  authRequests: "25h"
+
+logger:
+  level: "debug"
+  format: "json"
+`)
+
+	// This is not a valid hostname. It's only used to check whether os.ExpandEnv was applied or not.
+	wantPostgresHost := "$DEX_FOO_POSTGRES_HOST"
+	wantOidcClientSecret := "$DEX_FOO_OIDC_CLIENT_SECRET"
+	if wantExpandEnv {
+		wantPostgresHost = "10.0.0.1"
+		wantOidcClientSecret = "bar"
+	}
+
+	want := Config{
+		Issuer: "http://127.0.0.1:5556/dex",
+		Storage: Storage{
+			Type: "postgres",
+			Config: &sql.Postgres{
+				NetworkDB: sql.NetworkDB{
+					Host:              wantPostgresHost,
+					Port:              65432,
+					MaxOpenConns:      5,
+					MaxIdleConns:      3,
+					ConnMaxLifetime:   30,
+					ConnectionTimeout: 3,
+				},
+			},
+		},
+		Web: Web{
+			HTTP: "127.0.0.1:5556",
+		},
+		Frontend: server.WebConfig{
+			Dir: "./web",
+			Extra: map[string]string{
+				"foo": "bar",
+			},
+		},
+		StaticClients: []storage.Client{
+			{
+				ID:     "example-app",
+				Secret: "ZXhhbXBsZS1hcHAtc2VjcmV0",
+				Name:   "Example App",
+				RedirectURIs: []string{
+					"http://127.0.0.1:5555/callback",
+				},
+			},
+		},
+		OAuth2: OAuth2{
+			AlwaysShowLoginScreen: true,
+		},
+		StaticConnectors: []Connector{
+			{
+				Type:   "mockCallback",
+				ID:     "mock",
+				Name:   "Example",
+				Config: &mock.CallbackConfig{},
+			},
+			{
+				Type: "oidc",
+				ID:   "google",
+				Name: "Google",
+				Config: &oidc.Config{
+					Issuer:       "https://accounts.google.com",
+					ClientID:     "foo",
+					ClientSecret: wantOidcClientSecret,
+					RedirectURI:  "http://127.0.0.1:5556/dex/callback/google",
+				},
+			},
+		},
+		EnablePasswordDB: true,
+		StaticPasswords: []password{
+			{
+				Email:    "admin@example.com",
+				Hash:     []byte("$2a$10$33EMT0cVYVlPy6WAMCLsceLYjWhuHpbz5yuZxu/GAFj03J9Lytjuy"),
+				Username: "admin",
+				UserID:   "08a8684b-db88-4b73-90a9-3cd1661f5466",
+			},
+			{
+				Email:    "foo@example.com",
+				Hash:     []byte("$2a$10$33EMT0cVYVlPy6WAMCLsceLYjWhuHpbz5yuZxu/GAFj03J9Lytjuy"),
+				Username: "foo",
+				UserID:   "41331323-6f44-45e6-b3b9-2c4b60c02be5",
+			},
+		},
 		Expiry: Expiry{
 			SigningKeys:  "7h",
 			IDTokens:     "25h",
@@ -211,5 +422,4 @@ logger:
 	if diff := pretty.Compare(c, want); diff != "" {
 		t.Errorf("got!=want: %s", diff)
 	}
-
 }

cmd/dex/serve.go

@@ -6,16 +6,23 @@ import (
 	"crypto/x509"
 	"errors"
 	"fmt"
-	"io/ioutil"
 	"net"
 	"net/http"
+	"net/http/pprof"
 	"os"
+	"runtime"
 	"strings"
+	"syscall"
 	"time"
 
+	gosundheit "github.com/AppsFlyer/go-sundheit"
+	"github.com/AppsFlyer/go-sundheit/checks"
+	gosundheithttp "github.com/AppsFlyer/go-sundheit/http"
 	"github.com/ghodss/yaml"
 	grpcprometheus "github.com/grpc-ecosystem/go-grpc-prometheus"
+	"github.com/oklog/run"
 	"github.com/prometheus/client_golang/prometheus"
+	"github.com/prometheus/client_golang/prometheus/collectors"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
@@ -23,39 +30,54 @@ import (
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/reflection"
 
-	"github.com/dexidp/dex/api"
+	"github.com/dexidp/dex/api/v2"
 	"github.com/dexidp/dex/pkg/log"
 	"github.com/dexidp/dex/server"
 	"github.com/dexidp/dex/storage"
 )
 
-func commandServe() *cobra.Command {
-	return &cobra.Command{
-		Use:     "serve [ config file ]",
-		Short:   "Connect to the storage and begin serving requests.",
-		Long:    ``,
-		Example: "dex serve config.yaml",
-		Run: func(cmd *cobra.Command, args []string) {
-			if err := serve(cmd, args); err != nil {
-				fmt.Fprintln(os.Stderr, err)
-				os.Exit(2)
-			}
-		},
-	}
+type serveOptions struct {
+	// Config file path
+	config string
+
+	// Flags
+	webHTTPAddr   string
+	webHTTPSAddr  string
+	telemetryAddr string
+	grpcAddr      string
 }
 
-func serve(cmd *cobra.Command, args []string) error {
-	switch len(args) {
-	default:
-		return errors.New("surplus arguments")
-	case 0:
-		// TODO(ericchiang): Consider having a default config file location.
-		return errors.New("no arguments provided")
-	case 1:
+func commandServe() *cobra.Command {
+	options := serveOptions{}
+
+	cmd := &cobra.Command{
+		Use:     "serve [flags] [config file]",
+		Short:   "Launch Dex",
+		Example: "dex serve config.yaml",
+		Args:    cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			cmd.SilenceUsage = true
+			cmd.SilenceErrors = true
+
+			options.config = args[0]
+
+			return runServe(options)
+		},
 	}
 
-	configFile := args[0]
-	configData, err := ioutil.ReadFile(configFile)
+	flags := cmd.Flags()
+
+	flags.StringVar(&options.webHTTPAddr, "web-http-addr", "", "Web HTTP address")
+	flags.StringVar(&options.webHTTPSAddr, "web-https-addr", "", "Web HTTPS address")
+	flags.StringVar(&options.telemetryAddr, "telemetry-addr", "", "Telemetry address")
+	flags.StringVar(&options.grpcAddr, "grpc-addr", "", "gRPC API address")
+
+	return cmd
+}
+
+func runServe(options serveOptions) error {
+	configFile := options.config
+	configData, err := os.ReadFile(configFile)
 	if err != nil {
 		return fmt.Errorf("failed to read config file %s: %v", configFile, err)
 	}
@@ -65,10 +87,21 @@ func serve(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("error parse config file %s: %v", configFile, err)
 	}
 
+	applyConfigOverrides(options, &c)
+
 	logger, err := newLogger(c.Logger.Level, c.Logger.Format)
 	if err != nil {
 		return fmt.Errorf("invalid config: %v", err)
 	}
+
+	logger.Infof(
+		"Dex Version: %s, Go Version: %s, Go OS/ARCH: %s %s",
+		version,
+		runtime.Version(),
+		runtime.GOOS,
+		runtime.GOARCH,
+	)
+
 	if c.Logger.Level != "" {
 		logger.Infof("config using log level: %s", c.Logger.Level)
 	}
@@ -79,12 +112,12 @@ func serve(cmd *cobra.Command, args []string) error {
 	logger.Infof("config issuer: %s", c.Issuer)
 
 	prometheusRegistry := prometheus.NewRegistry()
-	err = prometheusRegistry.Register(prometheus.NewGoCollector())
+	err = prometheusRegistry.Register(collectors.NewGoCollector())
 	if err != nil {
 		return fmt.Errorf("failed to register Go runtime metrics: %v", err)
 	}
 
-	err = prometheusRegistry.Register(prometheus.NewProcessCollector(prometheus.ProcessCollectorOpts{}))
+	err = prometheusRegistry.Register(collectors.NewProcessCollector(collectors.ProcessCollectorOpts{}))
 	if err != nil {
 		return fmt.Errorf("failed to register process metrics: %v", err)
 	}
@@ -125,7 +158,7 @@ func serve(cmd *cobra.Command, args []string) error {
 		if c.GRPC.TLSClientCA != "" {
 			// Parse certificates from client CA file to a new CertPool.
 			cPool := x509.NewCertPool()
-			clientCert, err := ioutil.ReadFile(c.GRPC.TLSClientCA)
+			clientCert, err := os.ReadFile(c.GRPC.TLSClientCA)
 			if err != nil {
 				return fmt.Errorf("invalid config: reading from client CA file: %v", err)
 			}
@@ -150,10 +183,33 @@ func serve(cmd *cobra.Command, args []string) error {
 	if err != nil {
 		return fmt.Errorf("failed to initialize storage: %v", err)
 	}
+	defer s.Close()
+
 	logger.Infof("config storage: %s", c.Storage.Type)
 
 	if len(c.StaticClients) > 0 {
-		for _, client := range c.StaticClients {
+		for i, client := range c.StaticClients {
+			if client.Name == "" {
+				return fmt.Errorf("invalid config: Name field is required for a client")
+			}
+			if client.ID == "" && client.IDEnv == "" {
+				return fmt.Errorf("invalid config: ID or IDEnv field is required for a client")
+			}
+			if client.IDEnv != "" {
+				if client.ID != "" {
+					return fmt.Errorf("invalid config: ID and IDEnv fields are exclusive for client %q", client.ID)
+				}
+				c.StaticClients[i].ID = os.Getenv(client.IDEnv)
+			}
+			if client.Secret == "" && client.SecretEnv == "" && !client.Public {
+				return fmt.Errorf("invalid config: Secret or SecretEnv field is required for client %q", client.ID)
+			}
+			if client.SecretEnv != "" {
+				if client.Secret != "" {
+					return fmt.Errorf("invalid config: Secret and SecretEnv fields are exclusive for client %q", client.ID)
+				}
+				c.StaticClients[i].Secret = os.Getenv(client.SecretEnv)
+			}
 			logger.Infof("config static client: %s", client.Name)
 		}
 		s = storage.WithStaticClients(s, c.StaticClients)
@@ -182,7 +238,6 @@ func serve(cmd *cobra.Command, args []string) error {
 			return fmt.Errorf("failed to initialize storage connectors: %v", err)
 		}
 		storageConnectors[i] = conn
-
 	}
 
 	if c.EnablePasswordDB {
@@ -202,6 +257,9 @@ func serve(cmd *cobra.Command, args []string) error {
 	if c.OAuth2.SkipApprovalScreen {
 		logger.Infof("config skipping approval screen")
 	}
+	if c.OAuth2.PasswordConnector != "" {
+		logger.Infof("config using password grant connector: %s", c.OAuth2.PasswordConnector)
+	}
 	if len(c.Web.AllowedOrigins) > 0 {
 		logger.Infof("config allowed origins: %s", c.Web.AllowedOrigins)
 	}
@@ -209,10 +267,13 @@ func serve(cmd *cobra.Command, args []string) error {
 	// explicitly convert to UTC.
 	now := func() time.Time { return time.Now().UTC() }
 
+	healthChecker := gosundheit.New()
+
 	serverConfig := server.Config{
 		SupportedResponseTypes: c.OAuth2.ResponseTypes,
 		SkipApprovalScreen:     c.OAuth2.SkipApprovalScreen,
 		AlwaysShowLoginScreen:  c.OAuth2.AlwaysShowLoginScreen,
+		PasswordConnector:      c.OAuth2.PasswordConnector,
 		AllowedOrigins:         c.Web.AllowedOrigins,
 		Issuer:                 c.Issuer,
 		Storage:                s,
@@ -220,6 +281,7 @@ func serve(cmd *cobra.Command, args []string) error {
 		Logger:                 logger,
 		Now:                    now,
 		PrometheusRegistry:     prometheusRegistry,
+		HealthChecker:          healthChecker,
 	}
 	if c.Expiry.SigningKeys != "" {
 		signingKeys, err := time.ParseDuration(c.Expiry.SigningKeys)
@@ -245,33 +307,131 @@ func serve(cmd *cobra.Command, args []string) error {
 		logger.Infof("config auth requests valid for: %v", authRequests)
 		serverConfig.AuthRequestsValidFor = authRequests
 	}
+	if c.Expiry.DeviceRequests != "" {
+		deviceRequests, err := time.ParseDuration(c.Expiry.DeviceRequests)
+		if err != nil {
+			return fmt.Errorf("invalid config value %q for device request expiry: %v", c.Expiry.AuthRequests, err)
+		}
+		logger.Infof("config device requests valid for: %v", deviceRequests)
+		serverConfig.DeviceRequestsValidFor = deviceRequests
+	}
+	refreshTokenPolicy, err := server.NewRefreshTokenPolicy(
+		logger,
+		c.Expiry.RefreshTokens.DisableRotation,
+		c.Expiry.RefreshTokens.ValidIfNotUsedFor,
+		c.Expiry.RefreshTokens.AbsoluteLifetime,
+		c.Expiry.RefreshTokens.ReuseInterval,
+	)
+	if err != nil {
+		return fmt.Errorf("invalid refresh token expiration policy config: %v", err)
+	}
 
+	serverConfig.RefreshTokenPolicy = refreshTokenPolicy
 	serv, err := server.NewServer(context.Background(), serverConfig)
 	if err != nil {
 		return fmt.Errorf("failed to initialize server: %v", err)
 	}
 
-	telemetryServ := http.NewServeMux()
-	telemetryServ.Handle("/metrics", promhttp.HandlerFor(prometheusRegistry, promhttp.HandlerOpts{}))
+	telemetryRouter := http.NewServeMux()
+	telemetryRouter.Handle("/metrics", promhttp.HandlerFor(prometheusRegistry, promhttp.HandlerOpts{}))
 
-	errc := make(chan error, 3)
+	// Configure health checker
+	{
+		handler := gosundheithttp.HandleHealthJSON(healthChecker)
+		telemetryRouter.Handle("/healthz", handler)
+
+		// Kubernetes style health checks
+		telemetryRouter.HandleFunc("/healthz/live", func(w http.ResponseWriter, _ *http.Request) {
+			_, _ = w.Write([]byte("ok"))
+		})
+		telemetryRouter.Handle("/healthz/ready", handler)
+	}
+
+	healthChecker.RegisterCheck(
+		&checks.CustomCheck{
+			CheckName: "storage",
+			CheckFunc: storage.NewCustomHealthCheckFunc(serverConfig.Storage, serverConfig.Now),
+		},
+		gosundheit.ExecutionPeriod(15*time.Second),
+		gosundheit.InitiallyPassing(true),
+	)
+
+	var group run.Group
+
+	// Set up telemetry server
 	if c.Telemetry.HTTP != "" {
-		logger.Infof("listening (http/telemetry) on %s", c.Telemetry.HTTP)
-		go func() {
-			err := http.ListenAndServe(c.Telemetry.HTTP, telemetryServ)
-			errc <- fmt.Errorf("listening on %s failed: %v", c.Telemetry.HTTP, err)
-		}()
+		const name = "telemetry"
+
+		logger.Infof("listening (%s) on %s", name, c.Telemetry.HTTP)
+
+		l, err := net.Listen("tcp", c.Telemetry.HTTP)
+		if err != nil {
+			return fmt.Errorf("listening (%s) on %s: %v", name, c.Telemetry.HTTP, err)
+		}
+
+		if c.Telemetry.EnableProfiling {
+			pprofHandler(telemetryRouter)
+		}
+
+		server := &http.Server{
+			Handler: telemetryRouter,
+		}
+		defer server.Close()
+
+		group.Add(func() error {
+			return server.Serve(l)
+		}, func(err error) {
+			ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
+			defer cancel()
+
+			logger.Debugf("starting graceful shutdown (%s)", name)
+			if err := server.Shutdown(ctx); err != nil {
+				logger.Errorf("graceful shutdown (%s): %v", name, err)
+			}
+		})
 	}
+
+	// Set up http server
 	if c.Web.HTTP != "" {
-		logger.Infof("listening (http) on %s", c.Web.HTTP)
-		go func() {
-			err := http.ListenAndServe(c.Web.HTTP, serv)
-			errc <- fmt.Errorf("listening on %s failed: %v", c.Web.HTTP, err)
-		}()
+		const name = "http"
+
+		logger.Infof("listening (%s) on %s", name, c.Web.HTTP)
+
+		l, err := net.Listen("tcp", c.Web.HTTP)
+		if err != nil {
+			return fmt.Errorf("listening (%s) on %s: %v", name, c.Web.HTTP, err)
+		}
+
+		server := &http.Server{
+			Handler: serv,
+		}
+		defer server.Close()
+
+		group.Add(func() error {
+			return server.Serve(l)
+		}, func(err error) {
+			ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
+			defer cancel()
+
+			logger.Debugf("starting graceful shutdown (%s)", name)
+			if err := server.Shutdown(ctx); err != nil {
+				logger.Errorf("graceful shutdown (%s): %v", name, err)
+			}
+		})
 	}
+
+	// Set up https server
 	if c.Web.HTTPS != "" {
-		httpsSrv := &http.Server{
-			Addr:    c.Web.HTTPS,
+		const name = "https"
+
+		logger.Infof("listening (%s) on %s", name, c.Web.HTTPS)
+
+		l, err := net.Listen("tcp", c.Web.HTTPS)
+		if err != nil {
+			return fmt.Errorf("listening (%s) on %s: %v", name, c.Web.HTTPS, err)
+		}
+
+		server := &http.Server{
 			Handler: serv,
 			TLSConfig: &tls.Config{
 				CipherSuites:             allowedTLSCiphers,
@@ -279,35 +439,55 @@ func serve(cmd *cobra.Command, args []string) error {
 				MinVersion:               tls.VersionTLS12,
 			},
 		}
+		defer server.Close()
 
-		logger.Infof("listening (https) on %s", c.Web.HTTPS)
-		go func() {
-			err = httpsSrv.ListenAndServeTLS(c.Web.TLSCert, c.Web.TLSKey)
-			errc <- fmt.Errorf("listening on %s failed: %v", c.Web.HTTPS, err)
-		}()
+		group.Add(func() error {
+			return server.ServeTLS(l, c.Web.TLSCert, c.Web.TLSKey)
+		}, func(err error) {
+			ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
+			defer cancel()
+
+			logger.Debugf("starting graceful shutdown (%s)", name)
+			if err := server.Shutdown(ctx); err != nil {
+				logger.Errorf("graceful shutdown (%s): %v", name, err)
+			}
+		})
 	}
+
+	// Set up grpc server
 	if c.GRPC.Addr != "" {
 		logger.Infof("listening (grpc) on %s", c.GRPC.Addr)
-		go func() {
-			errc <- func() error {
-				list, err := net.Listen("tcp", c.GRPC.Addr)
-				if err != nil {
-					return fmt.Errorf("listening on %s failed: %v", c.GRPC.Addr, err)
-				}
-				s := grpc.NewServer(grpcOptions...)
-				api.RegisterDexServer(s, server.NewAPI(serverConfig.Storage, logger))
-				grpcMetrics.InitializeMetrics(s)
-				if c.GRPC.Reflection {
-					logger.Info("enabling reflection in grpc service")
-					reflection.Register(s)
-				}
-				err = s.Serve(list)
-				return fmt.Errorf("listening on %s failed: %v", c.GRPC.Addr, err)
-			}()
-		}()
+
+		grpcListener, err := net.Listen("tcp", c.GRPC.Addr)
+		if err != nil {
+			return fmt.Errorf("listening (grcp) on %s: %w", c.GRPC.Addr, err)
+		}
+
+		grpcSrv := grpc.NewServer(grpcOptions...)
+		api.RegisterDexServer(grpcSrv, server.NewAPI(serverConfig.Storage, logger, version))
+
+		grpcMetrics.InitializeMetrics(grpcSrv)
+		if c.GRPC.Reflection {
+			logger.Info("enabling reflection in grpc service")
+			reflection.Register(grpcSrv)
+		}
+
+		group.Add(func() error {
+			return grpcSrv.Serve(grpcListener)
+		}, func(err error) {
+			logger.Debugf("starting graceful shutdown (grpc)")
+			grpcSrv.GracefulStop()
+		})
 	}
 
-	return <-errc
+	group.Add(run.SignalHandler(context.Background(), os.Interrupt, syscall.SIGTERM))
+	if err := group.Run(); err != nil {
+		if _, ok := err.(run.SignalError); !ok {
+			return fmt.Errorf("run groups: %w", err)
+		}
+		logger.Infof("%v, shutdown now", err)
+	}
+	return nil
 }
 
 var (
@@ -353,3 +533,33 @@ func newLogger(level string, format string) (log.Logger, error) {
 		Level:     logLevel,
 	}, nil
 }
+
+func applyConfigOverrides(options serveOptions, config *Config) {
+	if options.webHTTPAddr != "" {
+		config.Web.HTTP = options.webHTTPAddr
+	}
+
+	if options.webHTTPSAddr != "" {
+		config.Web.HTTPS = options.webHTTPSAddr
+	}
+
+	if options.telemetryAddr != "" {
+		config.Telemetry.HTTP = options.telemetryAddr
+	}
+
+	if options.grpcAddr != "" {
+		config.GRPC.Addr = options.grpcAddr
+	}
+
+	if config.Frontend.Dir == "" {
+		config.Frontend.Dir = os.Getenv("DEX_FRONTEND_DIR")
+	}
+}
+
+func pprofHandler(router *http.ServeMux) {
+	router.HandleFunc("/debug/pprof/", pprof.Index)
+	router.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
+	router.HandleFunc("/debug/pprof/profile", pprof.Profile)
+	router.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
+	router.HandleFunc("/debug/pprof/trace", pprof.Trace)
+}

cmd/dex/version.go

@@ -5,19 +5,22 @@ import (
 	"runtime"
 
 	"github.com/spf13/cobra"
-
-	"github.com/dexidp/dex/version"
 )
 
+var version = "DEV"
+
 func commandVersion() *cobra.Command {
 	return &cobra.Command{
 		Use:   "version",
 		Short: "Print the version and exit",
-		Run: func(cmd *cobra.Command, args []string) {
-			fmt.Printf(`dex Version: %s
-Go Version: %s
-Go OS/ARCH: %s %s
-`, version.Version, runtime.Version(), runtime.GOOS, runtime.GOARCH)
+		Run: func(_ *cobra.Command, _ []string) {
+			fmt.Printf(
+				"Dex Version: %s\nGo Version: %s\nGo OS/ARCH: %s %s\n",
+				version,
+				runtime.Version(),
+				runtime.GOOS,
+				runtime.GOARCH,
+			)
 		},
 	}
 }

cmd/docker-entrypoint/main.go

@@ -0,0 +1,92 @@
+// Package main provides a utility program to launch the Dex container process with an optional
+// templating step (provided by gomplate).
+//
+// This was originally written as a shell script, but we rewrote it as a Go program so that it could
+// run as a raw binary in a distroless container.
+package main
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"strings"
+	"syscall"
+)
+
+func main() {
+	// Note that this docker-entrypoint program is args[0], and it is provided with the true process
+	// args.
+	args := os.Args[1:]
+
+	if err := run(args, realExec, realWhich); err != nil {
+		fmt.Println("error:", err.Error())
+		os.Exit(1)
+	}
+}
+
+func realExec(fork bool, args ...string) error {
+	if fork {
+		if output, err := exec.Command(args[0], args[1:]...).CombinedOutput(); err != nil {
+			return fmt.Errorf("cannot fork/exec command %s: %w (output: %q)", args, err, string(output))
+		}
+		return nil
+	}
+
+	argv0, err := exec.LookPath(args[0])
+	if err != nil {
+		return fmt.Errorf("cannot lookup path for command %s: %w", args[0], err)
+	}
+
+	if err := syscall.Exec(argv0, args, os.Environ()); err != nil {
+		return fmt.Errorf("cannot exec command %s (%q): %w", args, argv0, err)
+	}
+
+	return nil
+}
+
+func realWhich(path string) string {
+	fullPath, err := exec.LookPath(path)
+	if err != nil {
+		return ""
+	}
+	return fullPath
+}
+
+func run(args []string, execFunc func(bool, ...string) error, whichFunc func(string) string) error {
+	if args[0] != "dex" && args[0] != whichFunc("dex") {
+		return execFunc(false, args...)
+	}
+
+	if args[1] != "serve" {
+		return execFunc(false, args...)
+	}
+
+	newArgs := []string{}
+	for _, tplCandidate := range args {
+		if hasSuffixes(tplCandidate, ".tpl", ".tmpl", ".yaml") {
+			tmpFile, err := os.CreateTemp("/tmp", "dex.config.yaml-*")
+			if err != nil {
+				return fmt.Errorf("cannot create temp file: %w", err)
+			}
+
+			if err := execFunc(true, "gomplate", "-f", tplCandidate, "-o", tmpFile.Name()); err != nil {
+				return err
+			}
+
+			newArgs = append(newArgs, tmpFile.Name())
+		} else {
+			newArgs = append(newArgs, tplCandidate)
+		}
+	}
+
+	return execFunc(false, newArgs...)
+}
+
+func hasSuffixes(s string, suffixes ...string) bool {
+	for _, suffix := range suffixes {
+		if strings.HasSuffix(s, suffix) {
+			return true
+		}
+	}
+	return false
+}

cmd/docker-entrypoint/main_test.go

@@ -0,0 +1,113 @@
+package main
+
+import (
+	"strings"
+	"testing"
+)
+
+type execArgs struct {
+	fork        bool
+	argPrefixes []string
+}
+
+func TestRun(t *testing.T) {
+	tests := []struct {
+		name         string
+		args         []string
+		execReturns  error
+		whichReturns string
+		wantExecArgs []execArgs
+		wantErr      error
+	}{
+		{
+			name:         "executable not dex",
+			args:         []string{"tuna", "fish"},
+			wantExecArgs: []execArgs{{fork: false, argPrefixes: []string{"tuna", "fish"}}},
+		},
+		{
+			name:         "executable is full path to dex",
+			args:         []string{"/usr/local/bin/dex", "marshmallow", "zelda"},
+			whichReturns: "/usr/local/bin/dex",
+			wantExecArgs: []execArgs{{fork: false, argPrefixes: []string{"/usr/local/bin/dex", "marshmallow", "zelda"}}},
+		},
+		{
+			name:         "command is not serve",
+			args:         []string{"dex", "marshmallow", "zelda"},
+			wantExecArgs: []execArgs{{fork: false, argPrefixes: []string{"dex", "marshmallow", "zelda"}}},
+		},
+		{
+			name:         "no templates",
+			args:         []string{"dex", "serve", "config.yaml.not-a-template"},
+			wantExecArgs: []execArgs{{fork: false, argPrefixes: []string{"dex", "serve", "config.yaml.not-a-template"}}},
+		},
+		{
+			name:         "no templates",
+			args:         []string{"dex", "serve", "config.yaml.not-a-template"},
+			wantExecArgs: []execArgs{{fork: false, argPrefixes: []string{"dex", "serve", "config.yaml.not-a-template"}}},
+		},
+		{
+			name: ".tpl template",
+			args: []string{"dex", "serve", "config.tpl"},
+			wantExecArgs: []execArgs{
+				{fork: true, argPrefixes: []string{"gomplate", "-f", "config.tpl", "-o", "/tmp/dex.config.yaml-"}},
+				{fork: false, argPrefixes: []string{"dex", "serve", "/tmp/dex.config.yaml-"}},
+			},
+		},
+		{
+			name: ".tmpl template",
+			args: []string{"dex", "serve", "config.tmpl"},
+			wantExecArgs: []execArgs{
+				{fork: true, argPrefixes: []string{"gomplate", "-f", "config.tmpl", "-o", "/tmp/dex.config.yaml-"}},
+				{fork: false, argPrefixes: []string{"dex", "serve", "/tmp/dex.config.yaml-"}},
+			},
+		},
+		{
+			name: ".yaml template",
+			args: []string{"dex", "serve", "some/path/config.yaml"},
+			wantExecArgs: []execArgs{
+				{fork: true, argPrefixes: []string{"gomplate", "-f", "some/path/config.yaml", "-o", "/tmp/dex.config.yaml-"}},
+				{fork: false, argPrefixes: []string{"dex", "serve", "/tmp/dex.config.yaml-"}},
+			},
+		},
+	}
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			var gotExecForks []bool
+			var gotExecArgs [][]string
+			fakeExec := func(fork bool, args ...string) error {
+				gotExecForks = append(gotExecForks, fork)
+				gotExecArgs = append(gotExecArgs, args)
+				return test.execReturns
+			}
+
+			fakeWhich := func(_ string) string { return test.whichReturns }
+
+			gotErr := run(test.args, fakeExec, fakeWhich)
+			if (test.wantErr == nil) != (gotErr == nil) {
+				t.Errorf("wanted error %s, got %s", test.wantErr, gotErr)
+			}
+			if !execArgsMatch(test.wantExecArgs, gotExecForks, gotExecArgs) {
+				t.Errorf("wanted exec args %+v, got %+v %+v", test.wantExecArgs, gotExecForks, gotExecArgs)
+			}
+		})
+	}
+}
+
+func execArgsMatch(wantExecArgs []execArgs, gotForks []bool, gotExecArgs [][]string) bool {
+	if len(wantExecArgs) != len(gotForks) {
+		return false
+	}
+
+	for i := range wantExecArgs {
+		if wantExecArgs[i].fork != gotForks[i] {
+			return false
+		}
+		for j := range wantExecArgs[i].argPrefixes {
+			if !strings.HasPrefix(gotExecArgs[i][j], wantExecArgs[i].argPrefixes[j]) {
+				return false
+			}
+		}
+	}
+
+	return true
+}

code-of-conduct.md

@@ -1,61 +0,0 @@
-## CoreOS Community Code of Conduct
-
-### Contributor Code of Conduct
-
-As contributors and maintainers of this project, and in the interest of
-fostering an open and welcoming community, we pledge to respect all people who
-contribute through reporting issues, posting feature requests, updating
-documentation, submitting pull requests or patches, and other activities.
-
-We are committed to making participation in this project a harassment-free
-experience for everyone, regardless of level of experience, gender, gender
-identity and expression, sexual orientation, disability, personal appearance,
-body size, race, ethnicity, age, religion, or nationality.
-
-Examples of unacceptable behavior by participants include:
-
-* The use of sexualized language or imagery
-* Personal attacks
-* Trolling or insulting/derogatory comments
-* Public or private harassment
-* Publishing others' private information, such as physical or electronic addresses, without explicit permission
-* Other unethical or unprofessional conduct.
-
-Project maintainers have the right and responsibility to remove, edit, or
-reject comments, commits, code, wiki edits, issues, and other contributions
-that are not aligned to this Code of Conduct. By adopting this Code of Conduct,
-project maintainers commit themselves to fairly and consistently applying these
-principles to every aspect of managing this project. Project maintainers who do
-not follow or enforce the Code of Conduct may be permanently removed from the
-project team.
-
-This code of conduct applies both within project spaces and in public spaces
-when an individual is representing the project or its community.
-
-Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting a project maintainer, Brandon Philips
-<brandon.philips@coreos.com>, and/or Rithu John <rithu.john@coreos.com>.
-
-This Code of Conduct is adapted from the Contributor Covenant
-(http://contributor-covenant.org), version 1.2.0, available at
-http://contributor-covenant.org/version/1/2/0/
-
-### CoreOS Events Code of Conduct
-
-CoreOS events are working conferences intended for professional networking and
-collaboration in the CoreOS community. Attendees are expected to behave
-according to professional standards and in accordance with their employer’s
-policies on appropriate workplace behavior.
-
-While at CoreOS events or related social networking opportunities, attendees
-should not engage in discriminatory or offensive speech or actions including
-but not limited to gender, sexuality, race, age, disability, or religion.
-Speakers should be especially aware of these concerns.
-
-CoreOS does not condone any statements by speakers contrary to these standards.
-CoreOS reserves the right to deny entrance and/or eject from an event (without
-refund) any individual found to be engaging in discriminatory or offensive
-speech or actions.
-
-Please bring any concerns to the immediate attention of designated on-site
-staff, Brandon Philips <brandon.philips@coreos.com>, and/or Rithu John <rithu.john@coreos.com>.

config.dev.yaml

@@ -0,0 +1,35 @@
+issuer: http://127.0.0.1:5556/dex
+
+storage:
+  type: sqlite3
+  config:
+    file: var/sqlite/dex.db
+
+web:
+  http: 127.0.0.1:5556
+
+telemetry:
+  http: 127.0.0.1:5558
+
+grpc:
+  addr: 127.0.0.1:5557
+
+staticClients:
+  - id: example-app
+    redirectURIs:
+      - 'http://127.0.0.1:5555/callback'
+    name: 'Example App'
+    secret: ZXhhbXBsZS1hcHAtc2VjcmV0
+
+connectors:
+  - type: mockCallback
+    id: mock
+    name: Example
+
+enablePasswordDB: true
+
+staticPasswords:
+  - email: "admin@example.com"
+    hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+    username: "admin"
+    userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"

config.docker.yaml

@@ -0,0 +1,48 @@
+{{- /* NOTE: This configuration file is an example and exists only for development purposes. */ -}}
+{{- /* To find more about gomplate formatting, please visit its documentation site - https://docs.gomplate.ca/ */ -}}
+issuer: {{ getenv "DEX_ISSUER" "http://127.0.0.1:5556/dex" }}
+
+storage:
+  type: sqlite3
+  config:
+    file: {{ getenv "DEX_STORAGE_SQLITE3_CONFIG_FILE" "/var/dex/dex.db" }}
+
+web:
+{{- if getenv "DEX_WEB_HTTPS" "" }}
+  https: {{ .Env.DEX_WEB_HTTPS }}
+  tlsKey: {{ getenv "DEX_WEB_TLS_KEY" | required "$DEX_WEB_TLS_KEY in case of web.https is enabled" }}
+  tlsCert: {{ getenv "DEX_WEB_TLS_CERT" | required "$DEX_WEB_TLS_CERT in case of web.https is enabled" }}
+{{- end }}
+  http: {{ getenv "DEX_WEB_HTTP" "0.0.0.0:5556" }}
+
+{{- if getenv "DEX_TELEMETRY_HTTP" }}
+telemetry:
+  http: {{ .Env.DEX_TELEMETRY_HTTP }}
+{{- end }}
+
+expiry:
+  deviceRequests: {{ getenv "DEX_EXPIRY_DEVICE_REQUESTS" "5m" }}
+  signingKeys: {{ getenv "DEX_EXPIRY_SIGNING_KEYS" "6h" }}
+  idTokens: {{ getenv "DEX_EXPIRY_ID_TOKENS" "24h" }}
+  authRequests: {{ getenv "DEX_EXPIRY_AUTH_REQUESTS" "24h" }}
+
+logger:
+  level: {{ getenv "DEX_LOG_LEVEL" "info" }}
+  format: {{ getenv "DEX_LOG_FORMAT" "text" }}
+
+oauth2:
+  responseTypes: {{ getenv "DEX_OAUTH2_RESPONSE_TYPES" "[code]" }}
+  skipApprovalScreen: {{ getenv "DEX_OAUTH2_SKIP_APPROVAL_SCREEN" "false" }}
+  alwaysShowLoginScreen: {{ getenv "DEX_OAUTH2_ALWAYS_SHOW_LOGIN_SCREEN" "false" }}
+{{- if getenv "DEX_OAUTH2_PASSWORD_CONNECTOR" "" }}
+  passwordConnector: {{ .Env.DEX_OAUTH2_PASSWORD_CONNECTOR }}
+{{- end }}
+
+enablePasswordDB: {{ getenv "DEX_ENABLE_PASSWORD_DB" "true" }}
+
+connectors:
+{{- if getenv "DEX_CONNECTORS_ENABLE_MOCK" }}
+- type: mockCallback
+  id: mock
+  name: Example
+{{- end }}

config.yaml.dist

@@ -0,0 +1,136 @@
+# The base path of Dex and the external name of the OpenID Connect service.
+# This is the canonical URL that all clients MUST use to refer to Dex. If a
+# path is provided, Dex's HTTP service will listen at a non-root URL.
+issuer: http://127.0.0.1:5556/dex
+
+# The storage configuration determines where Dex stores its state.
+# Supported options include:
+#   - SQL flavors
+#   - key-value stores (eg. etcd)
+#   - Kubernetes Custom Resources
+#
+# See the documentation (https://dexidp.io/docs/storage/) for further information.
+storage:
+  type: memory
+
+  # type: sqlite3
+  # config:
+  #   file: /var/dex/dex.db
+
+  # type: mysql
+  # config:
+  #   host: 127.0.0.1
+  #   port: 3306
+  #   database: dex
+  #   user: mysql
+  #   password: mysql
+  #   ssl:
+  #     mode: "false"
+
+  # type: postgres
+  # config:
+  #   host: 127.0.0.1
+  #   port: 5432
+  #   database: dex
+  #   user: postgres
+  #   password: postgres
+  #   ssl:
+  #     mode: disable
+
+  # type: etcd
+  # config:
+  #   endpoints:
+  #     - http://127.0.0.1:2379
+  #   namespace: dex/
+
+  # type: kubernetes
+  # config:
+  #   kubeConfigFile: $HOME/.kube/config
+
+# HTTP service configuration
+web:
+  http: 127.0.0.1:5556
+
+  # Uncomment to enable HTTPS endpoint.
+  # https: 127.0.0.1:5554
+  # tlsCert: /etc/dex/tls.crt
+  # tlsKey: /etc/dex/tls.key
+
+# Dex UI configuration
+# frontend:
+#   issuer: dex
+#   logoURL: theme/logo.png
+#   dir: ""
+#   theme: light
+
+# Telemetry configuration
+# telemetry:
+#   http: 127.0.0.1:5558
+
+# logger:
+#   level: "debug"
+#   format: "text" # can also be "json"
+
+# gRPC API configuration
+# Uncomment this block to enable the gRPC API.
+# See the documentation (https://dexidp.io/docs/api/) for further information.
+# grpc:
+#   addr: 127.0.0.1:5557
+#   tlsCert: examples/grpc-client/server.crt
+#   tlsKey: examples/grpc-client/server.key
+#   tlsClientCA: examples/grpc-client/ca.crt
+
+# Expiration configuration for tokens, signing keys, etc.
+# expiry:
+#   deviceRequests: "5m"
+#   signingKeys: "6h"
+#   idTokens: "24h"
+#   refreshTokens:
+#     disableRotation: false
+#     reuseInterval: "3s"
+#     validIfNotUsedFor: "2160h" # 90 days
+#     absoluteLifetime: "3960h" # 165 days
+
+# OAuth2 configuration
+# oauth2:
+#   # use ["code", "token", "id_token"] to enable implicit flow for web-only clients
+#   responseTypes: [ "code" ] # also allowed are "token" and "id_token"
+#
+#   # By default, Dex will ask for approval to share data with application
+#   # (approval for sharing data from connected IdP to Dex is separate process on IdP)
+#   skipApprovalScreen: false
+#
+#   # If only one authentication method is enabled, the default behavior is to
+#   # go directly to it. For connected IdPs, this redirects the browser away
+#   # from application to upstream provider such as the Google login page
+#   alwaysShowLoginScreen: false
+#
+#   # Uncomment to use a specific connector for password grants
+#   passwordConnector: local
+
+# Static clients registered in Dex by default.
+#
+# Alternatively, clients may be added through the gRPC API.
+# staticClients:
+#   - id: example-app
+#     redirectURIs:
+#       - 'http://127.0.0.1:5555/callback'
+#     name: 'Example App'
+#     secret: ZXhhbXBsZS1hcHAtc2VjcmV0
+
+# Connectors are used to authenticate users agains upstream identity providers.
+#
+# See the documentation (https://dexidp.io/docs/connectors/) for further information.
+# connectors: []
+
+# Enable the password database.
+#
+# It's a "virtual" connector (identity provider) that stores
+# login credentials in Dex's store.
+enablePasswordDB: true
+
+# If this option isn't chosen users may be added through the gRPC API.
+# A static list of passwords for the password connector.
+#
+# Alternatively, passwords my be added/updated through the gRPC API.
+# staticPasswords: []

connector/atlassiancrowd/atlassiancrowd.go

@@ -0,0 +1,449 @@
+// Package atlassiancrowd provides authentication strategies using Atlassian Crowd.
+package atlassiancrowd
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/dexidp/dex/connector"
+	"github.com/dexidp/dex/pkg/groups"
+	"github.com/dexidp/dex/pkg/log"
+)
+
+// Config holds configuration options for Atlassian Crowd connector.
+// Crowd connectors require executing two queries, the first to find
+// the user based on the username and password given to the connector.
+// The second to use the user entry to search for groups.
+//
+// An example config:
+//
+//     type: atlassian-crowd
+//     config:
+//       baseURL: https://crowd.example.com/context
+//       clientID: applogin
+//       clientSecret: appP4$$w0rd
+//       # users can be restricted by a list of groups
+//       groups:
+//       - admin
+//       # Prompt for username field
+//       usernamePrompt: Login
+//		 preferredUsernameField: name
+//
+type Config struct {
+	BaseURL      string   `json:"baseURL"`
+	ClientID     string   `json:"clientID"`
+	ClientSecret string   `json:"clientSecret"`
+	Groups       []string `json:"groups"`
+
+	// PreferredUsernameField allows users to set the field to any of the
+	// following values: "key", "name" or "email".
+	// If unset, the preferred_username field will remain empty.
+	PreferredUsernameField string `json:"preferredUsernameField"`
+
+	// UsernamePrompt allows users to override the username attribute (displayed
+	// in the username/password prompt). If unset, the handler will use.
+	// "Username".
+	UsernamePrompt string `json:"usernamePrompt"`
+}
+
+type crowdUser struct {
+	Key    string
+	Name   string
+	Active bool
+	Email  string
+}
+
+type crowdGroups struct {
+	Groups []struct {
+		Name string
+	} `json:"groups"`
+}
+
+type crowdAuthentication struct {
+	Token string
+	User  struct {
+		Name string
+	} `json:"user"`
+	CreatedDate uint64 `json:"created-date"`
+	ExpiryDate  uint64 `json:"expiry-date"`
+}
+
+type crowdAuthenticationError struct {
+	Reason  string
+	Message string
+}
+
+// Open returns a strategy for logging in through Atlassian Crowd
+func (c *Config) Open(_ string, logger log.Logger) (connector.Connector, error) {
+	if c.BaseURL == "" {
+		return nil, fmt.Errorf("crowd: no baseURL provided for crowd connector")
+	}
+	return &crowdConnector{Config: *c, logger: logger}, nil
+}
+
+type crowdConnector struct {
+	Config
+	logger log.Logger
+}
+
+var (
+	_ connector.PasswordConnector = (*crowdConnector)(nil)
+	_ connector.RefreshConnector  = (*crowdConnector)(nil)
+)
+
+type refreshData struct {
+	Username string `json:"username"`
+}
+
+func (c *crowdConnector) Login(ctx context.Context, s connector.Scopes, username, password string) (ident connector.Identity, validPass bool, err error) {
+	// make this check to avoid empty passwords.
+	if password == "" {
+		return connector.Identity{}, false, nil
+	}
+
+	// We want to return a different error if the user's password is incorrect vs
+	// if there was an error.
+	var incorrectPass bool
+	var user crowdUser
+
+	client := c.crowdAPIClient()
+
+	if incorrectPass, err = c.authenticateWithPassword(ctx, client, username, password); err != nil {
+		return connector.Identity{}, false, err
+	}
+
+	if incorrectPass {
+		return connector.Identity{}, false, nil
+	}
+
+	if user, err = c.user(ctx, client, username); err != nil {
+		return connector.Identity{}, false, err
+	}
+
+	ident = c.identityFromCrowdUser(user)
+	if s.Groups {
+		userGroups, err := c.getGroups(ctx, client, s.Groups, ident.Username)
+		if err != nil {
+			return connector.Identity{}, false, fmt.Errorf("crowd: failed to query groups: %v", err)
+		}
+		ident.Groups = userGroups
+	}
+
+	if s.OfflineAccess {
+		refresh := refreshData{Username: username}
+		// Encode entry for following up requests such as the groups query and refresh attempts.
+		if ident.ConnectorData, err = json.Marshal(refresh); err != nil {
+			return connector.Identity{}, false, fmt.Errorf("crowd: marshal refresh data: %v", err)
+		}
+	}
+
+	return ident, true, nil
+}
+
+func (c *crowdConnector) Refresh(ctx context.Context, s connector.Scopes, ident connector.Identity) (connector.Identity, error) {
+	var data refreshData
+	if err := json.Unmarshal(ident.ConnectorData, &data); err != nil {
+		return ident, fmt.Errorf("crowd: failed to unmarshal internal data: %v", err)
+	}
+
+	var user crowdUser
+	client := c.crowdAPIClient()
+
+	user, err := c.user(ctx, client, data.Username)
+	if err != nil {
+		return ident, fmt.Errorf("crowd: get user %q: %v", data.Username, err)
+	}
+
+	newIdent := c.identityFromCrowdUser(user)
+	newIdent.ConnectorData = ident.ConnectorData
+
+	// If user exists, authenticate it to prolong sso session.
+	err = c.authenticateUser(ctx, client, data.Username)
+	if err != nil {
+		return ident, fmt.Errorf("crowd: authenticate user: %v", err)
+	}
+
+	if s.Groups {
+		userGroups, err := c.getGroups(ctx, client, s.Groups, newIdent.Username)
+		if err != nil {
+			return connector.Identity{}, fmt.Errorf("crowd: failed to query groups: %v", err)
+		}
+		newIdent.Groups = userGroups
+	}
+	return newIdent, nil
+}
+
+func (c *crowdConnector) Prompt() string {
+	return c.UsernamePrompt
+}
+
+func (c *crowdConnector) crowdAPIClient() *http.Client {
+	return &http.Client{
+		Transport: &http.Transport{
+			Proxy: http.ProxyFromEnvironment,
+			DialContext: (&net.Dialer{
+				Timeout:   30 * time.Second,
+				KeepAlive: 30 * time.Second,
+			}).DialContext,
+			MaxIdleConns:          100,
+			IdleConnTimeout:       90 * time.Second,
+			TLSHandshakeTimeout:   10 * time.Second,
+			ExpectContinueTimeout: 1 * time.Second,
+		},
+	}
+}
+
+// authenticateWithPassword creates a new session for user and validates a password with Crowd API
+func (c *crowdConnector) authenticateWithPassword(ctx context.Context, client *http.Client, username string, password string) (invalidPass bool, err error) {
+	req, err := c.crowdUserManagementRequest(ctx,
+		"POST",
+		"/session",
+		struct {
+			Username string `json:"username"`
+			Password string `json:"password"`
+		}{Username: username, Password: password},
+	)
+	if err != nil {
+		return false, fmt.Errorf("crowd: new auth pass api request %v", err)
+	}
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return false, fmt.Errorf("crowd: api request %v", err)
+	}
+	defer resp.Body.Close()
+
+	body, err := c.validateCrowdResponse(resp)
+	if err != nil {
+		return false, err
+	}
+
+	if resp.StatusCode != http.StatusCreated {
+		var authError crowdAuthenticationError
+		if err := json.Unmarshal(body, &authError); err != nil {
+			return false, fmt.Errorf("unmarshal auth pass response: %d %v %q", resp.StatusCode, err, string(body))
+		}
+
+		if authError.Reason == "INVALID_USER_AUTHENTICATION" {
+			return true, nil
+		}
+
+		return false, fmt.Errorf("%s: %s", resp.Status, authError.Message)
+	}
+
+	var authResponse crowdAuthentication
+
+	if err := json.Unmarshal(body, &authResponse); err != nil {
+		return false, fmt.Errorf("decode auth response: %v", err)
+	}
+
+	return false, nil
+}
+
+// authenticateUser creates a new session for user without password validations with Crowd API
+func (c *crowdConnector) authenticateUser(ctx context.Context, client *http.Client, username string) error {
+	req, err := c.crowdUserManagementRequest(ctx,
+		"POST",
+		"/session?validate-password=false",
+		struct {
+			Username string `json:"username"`
+		}{Username: username},
+	)
+	if err != nil {
+		return fmt.Errorf("crowd: new auth api request %v", err)
+	}
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return fmt.Errorf("crowd: api request %v", err)
+	}
+	defer resp.Body.Close()
+
+	body, err := c.validateCrowdResponse(resp)
+	if err != nil {
+		return err
+	}
+
+	if resp.StatusCode != http.StatusCreated {
+		return fmt.Errorf("%s: %s", resp.Status, body)
+	}
+
+	var authResponse crowdAuthentication
+
+	if err := json.Unmarshal(body, &authResponse); err != nil {
+		return fmt.Errorf("decode auth response: %v", err)
+	}
+
+	return nil
+}
+
+// user retrieves user info from Crowd API
+func (c *crowdConnector) user(ctx context.Context, client *http.Client, username string) (crowdUser, error) {
+	var user crowdUser
+
+	req, err := c.crowdUserManagementRequest(ctx,
+		"GET",
+		fmt.Sprintf("/user?username=%s", username),
+		nil,
+	)
+	if err != nil {
+		return user, fmt.Errorf("crowd: new user api request %v", err)
+	}
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return user, fmt.Errorf("crowd: api request %v", err)
+	}
+	defer resp.Body.Close()
+
+	body, err := c.validateCrowdResponse(resp)
+	if err != nil {
+		return user, err
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		return user, fmt.Errorf("%s: %s", resp.Status, body)
+	}
+
+	if err := json.Unmarshal(body, &user); err != nil {
+		return user, fmt.Errorf("failed to decode response: %v", err)
+	}
+
+	return user, nil
+}
+
+// groups retrieves groups from Crowd API
+func (c *crowdConnector) groups(ctx context.Context, client *http.Client, username string) (userGroups []string, err error) {
+	var crowdGroups crowdGroups
+
+	req, err := c.crowdUserManagementRequest(ctx,
+		"GET",
+		fmt.Sprintf("/user/group/nested?username=%s", username),
+		nil,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("crowd: new groups api request %v", err)
+	}
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("crowd: api request %v", err)
+	}
+	defer resp.Body.Close()
+
+	body, err := c.validateCrowdResponse(resp)
+	if err != nil {
+		return nil, err
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("%s: %s", resp.Status, body)
+	}
+
+	if err := json.Unmarshal(body, &crowdGroups); err != nil {
+		return nil, fmt.Errorf("failed to decode response: %v", err)
+	}
+
+	for _, group := range crowdGroups.Groups {
+		userGroups = append(userGroups, group.Name)
+	}
+
+	return userGroups, nil
+}
+
+// identityFromCrowdUser converts crowdUser to Identity
+func (c *crowdConnector) identityFromCrowdUser(user crowdUser) connector.Identity {
+	identity := connector.Identity{
+		Username:      user.Name,
+		UserID:        user.Key,
+		Email:         user.Email,
+		EmailVerified: true,
+	}
+
+	switch c.PreferredUsernameField {
+	case "key":
+		identity.PreferredUsername = user.Key
+	case "name":
+		identity.PreferredUsername = user.Name
+	case "email":
+		identity.PreferredUsername = user.Email
+	default:
+		if c.PreferredUsernameField != "" {
+			c.logger.Warnf("preferred_username left empty. Invalid crowd field mapped to preferred_username: %s", c.PreferredUsernameField)
+		}
+	}
+
+	return identity
+}
+
+// getGroups retrieves a list of user's groups and filters it
+func (c *crowdConnector) getGroups(ctx context.Context, client *http.Client, groupScope bool, userLogin string) ([]string, error) {
+	crowdGroups, err := c.groups(ctx, client, userLogin)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(c.Groups) > 0 {
+		filteredGroups := groups.Filter(crowdGroups, c.Groups)
+		if len(filteredGroups) == 0 {
+			return nil, fmt.Errorf("crowd: user %q is not in any of the required groups", userLogin)
+		}
+		return filteredGroups, nil
+	} else if groupScope {
+		return crowdGroups, nil
+	}
+
+	return nil, nil
+}
+
+// crowdUserManagementRequest create a http.Request with basic auth, json payload and Accept header
+func (c *crowdConnector) crowdUserManagementRequest(ctx context.Context, method string, apiURL string, jsonPayload interface{}) (*http.Request, error) {
+	var body io.Reader
+	if jsonPayload != nil {
+		jsonData, err := json.Marshal(jsonPayload)
+		if err != nil {
+			return nil, fmt.Errorf("crowd: marshal API json payload: %v", err)
+		}
+		body = bytes.NewReader(jsonData)
+	}
+
+	req, err := http.NewRequest(method, fmt.Sprintf("%s/rest/usermanagement/1%s", c.BaseURL, apiURL), body)
+	if err != nil {
+		return nil, fmt.Errorf("new API req: %v", err)
+	}
+	req = req.WithContext(ctx)
+
+	// Crowd API requires a basic auth
+	req.SetBasicAuth(c.ClientID, c.ClientSecret)
+	req.Header.Set("Accept", "application/json")
+	if jsonPayload != nil {
+		req.Header.Set("Content-type", "application/json")
+	}
+	return req, nil
+}
+
+// validateCrowdResponse validates unique not JSON responses from API
+func (c *crowdConnector) validateCrowdResponse(resp *http.Response) ([]byte, error) {
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("crowd: read user body: %v", err)
+	}
+
+	if resp.StatusCode == http.StatusForbidden && strings.Contains(string(body), "The server understood the request but refuses to authorize it.") {
+		c.logger.Debugf("crowd response validation failed: %s", string(body))
+		return nil, fmt.Errorf("dex is forbidden from making requests to the Atlassian Crowd application by URL %q", c.BaseURL)
+	}
+
+	if resp.StatusCode == http.StatusUnauthorized && string(body) == "Application failed to authenticate" {
+		c.logger.Debugf("crowd response validation failed: %s", string(body))
+		return nil, fmt.Errorf("dex failed to authenticate Crowd Application with ID %q", c.ClientID)
+	}
+	return body, nil
+}

connector/atlassiancrowd/atlassiancrowd_test.go

@@ -0,0 +1,189 @@
+// Package atlassiancrowd provides authentication strategies using Atlassian Crowd.
+package atlassiancrowd
+
+import (
+	"context"
+	"crypto/tls"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"reflect"
+	"testing"
+
+	"github.com/sirupsen/logrus"
+)
+
+func TestUserGroups(t *testing.T) {
+	s := newTestServer(map[string]TestServerResponse{
+		"/rest/usermanagement/1/user/group/nested?username=testuser": {
+			Body: crowdGroups{Groups: []struct{ Name string }{{Name: "group1"}, {Name: "group2"}}},
+			Code: 200,
+		},
+	})
+	defer s.Close()
+
+	c := newTestCrowdConnector(s.URL)
+	groups, err := c.getGroups(context.Background(), newClient(), true, "testuser")
+
+	expectNil(t, err)
+	expectEquals(t, groups, []string{"group1", "group2"})
+}
+
+func TestUserGroupsWithFiltering(t *testing.T) {
+	s := newTestServer(map[string]TestServerResponse{
+		"/rest/usermanagement/1/user/group/nested?username=testuser": {
+			Body: crowdGroups{Groups: []struct{ Name string }{{Name: "group1"}, {Name: "group2"}}},
+			Code: 200,
+		},
+	})
+	defer s.Close()
+
+	c := newTestCrowdConnector(s.URL)
+	c.Groups = []string{"group1"}
+	groups, err := c.getGroups(context.Background(), newClient(), true, "testuser")
+
+	expectNil(t, err)
+	expectEquals(t, groups, []string{"group1"})
+}
+
+func TestUserLoginFlow(t *testing.T) {
+	s := newTestServer(map[string]TestServerResponse{
+		"/rest/usermanagement/1/session?validate-password=false": {
+			Body: crowdAuthentication{},
+			Code: 201,
+		},
+		"/rest/usermanagement/1/user?username=testuser": {
+			Body: crowdUser{Active: true, Name: "testuser", Email: "testuser@example.com"},
+			Code: 200,
+		},
+		"/rest/usermanagement/1/user?username=testuser2": {
+			Body: `<html>The server understood the request but refuses to authorize it.</html>`,
+			Code: 403,
+		},
+	})
+	defer s.Close()
+
+	c := newTestCrowdConnector(s.URL)
+	user, err := c.user(context.Background(), newClient(), "testuser")
+	expectNil(t, err)
+	expectEquals(t, user.Name, "testuser")
+	expectEquals(t, user.Email, "testuser@example.com")
+
+	err = c.authenticateUser(context.Background(), newClient(), "testuser")
+	expectNil(t, err)
+
+	_, err = c.user(context.Background(), newClient(), "testuser2")
+	expectEquals(t, err, fmt.Errorf("dex is forbidden from making requests to the Atlassian Crowd application by URL %q", s.URL))
+}
+
+func TestUserPassword(t *testing.T) {
+	s := newTestServer(map[string]TestServerResponse{
+		"/rest/usermanagement/1/session": {
+			Body: crowdAuthenticationError{Reason: "INVALID_USER_AUTHENTICATION", Message: "test"},
+			Code: 401,
+		},
+		"/rest/usermanagement/1/session?validate-password=false": {
+			Body: crowdAuthentication{},
+			Code: 201,
+		},
+	})
+	defer s.Close()
+
+	c := newTestCrowdConnector(s.URL)
+	invalidPassword, err := c.authenticateWithPassword(context.Background(), newClient(), "testuser", "testpassword")
+
+	expectNil(t, err)
+	expectEquals(t, invalidPassword, true)
+
+	err = c.authenticateUser(context.Background(), newClient(), "testuser")
+	expectNil(t, err)
+}
+
+func TestIdentityFromCrowdUser(t *testing.T) {
+	user := crowdUser{
+		Key:    "12345",
+		Name:   "testuser",
+		Active: true,
+		Email:  "testuser@example.com",
+	}
+
+	c := newTestCrowdConnector("/")
+
+	// Sanity checks
+	expectEquals(t, user.Name, "testuser")
+	expectEquals(t, user.Email, "testuser@example.com")
+
+	// Test unconfigured behaviour
+	i := c.identityFromCrowdUser(user)
+	expectEquals(t, i.UserID, "12345")
+	expectEquals(t, i.Username, "testuser")
+	expectEquals(t, i.Email, "testuser@example.com")
+	expectEquals(t, i.EmailVerified, true)
+
+	// Test for various PreferredUsernameField settings
+	// unset
+	expectEquals(t, i.PreferredUsername, "")
+
+	c.Config.PreferredUsernameField = "key"
+	i = c.identityFromCrowdUser(user)
+	expectEquals(t, i.PreferredUsername, "12345")
+
+	c.Config.PreferredUsernameField = "name"
+	i = c.identityFromCrowdUser(user)
+	expectEquals(t, i.PreferredUsername, "testuser")
+
+	c.Config.PreferredUsernameField = "email"
+	i = c.identityFromCrowdUser(user)
+	expectEquals(t, i.PreferredUsername, "testuser@example.com")
+
+	c.Config.PreferredUsernameField = "invalidstring"
+	i = c.identityFromCrowdUser(user)
+	expectEquals(t, i.PreferredUsername, "")
+}
+
+type TestServerResponse struct {
+	Body interface{}
+	Code int
+}
+
+func newTestCrowdConnector(baseURL string) crowdConnector {
+	connector := crowdConnector{}
+	connector.BaseURL = baseURL
+	connector.logger = &logrus.Logger{
+		Out:       io.Discard,
+		Level:     logrus.DebugLevel,
+		Formatter: &logrus.TextFormatter{DisableColors: true},
+	}
+	return connector
+}
+
+func newTestServer(responses map[string]TestServerResponse) *httptest.Server {
+	s := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		response := responses[r.RequestURI]
+		w.Header().Add("Content-Type", "application/json")
+		w.WriteHeader(response.Code)
+		json.NewEncoder(w).Encode(response.Body)
+	}))
+	return s
+}
+
+func newClient() *http.Client {
+	tr := &http.Transport{
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+	}
+	return &http.Client{Transport: tr}
+}
+
+func expectNil(t *testing.T, a interface{}) {
+	if a != nil {
+		t.Errorf("Expected %+v to equal nil", a)
+	}
+}
+
+func expectEquals(t *testing.T, a interface{}, b interface{}) {
+	if !reflect.DeepEqual(a, b) {
+		t.Errorf("Expected %+v to equal %+v", a, b)
+	}
+}

connector/authproxy/authproxy.go

@@ -13,19 +13,38 @@ import (
 )
 
 // Config holds the configuration parameters for a connector which returns an
-// identity with the HTTP header X-Remote-User as verified email.
-type Config struct{}
+// identity with the HTTP header X-Remote-User as verified email,
+// X-Remote-Group and configured staticGroups as user's group.
+// Headers retrieved to fetch user's email and group can be configured
+// with userHeader and groupHeader.
+type Config struct {
+	UserHeader  string   `json:"userHeader"`
+	GroupHeader string   `json:"groupHeader"`
+	Groups      []string `json:"staticGroups"`
+}
 
 // Open returns an authentication strategy which requires no user interaction.
 func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error) {
-	return &callback{logger: logger, pathSuffix: "/" + id}, nil
+	userHeader := c.UserHeader
+	if userHeader == "" {
+		userHeader = "X-Remote-User"
+	}
+	groupHeader := c.GroupHeader
+	if groupHeader == "" {
+		groupHeader = "X-Remote-Group"
+	}
+
+	return &callback{userHeader: userHeader, groupHeader: groupHeader, logger: logger, pathSuffix: "/" + id, groups: c.Groups}, nil
 }
 
 // Callback is a connector which returns an identity with the HTTP header
 // X-Remote-User as verified email.
 type callback struct {
-	logger     log.Logger
-	pathSuffix string
+	userHeader  string
+	groupHeader string
+	groups      []string
+	logger      log.Logger
+	pathSuffix  string
 }
 
 // LoginURL returns the URL to redirect the user to login with.
@@ -34,7 +53,7 @@ func (m *callback) LoginURL(s connector.Scopes, callbackURL, state string) (stri
 	if err != nil {
 		return "", fmt.Errorf("failed to parse callbackURL %q: %v", callbackURL, err)
 	}
-	u.Path = u.Path + m.pathSuffix
+	u.Path += m.pathSuffix
 	v := u.Query()
 	v.Set("state", state)
 	u.RawQuery = v.Encode()
@@ -43,15 +62,19 @@ func (m *callback) LoginURL(s connector.Scopes, callbackURL, state string) (stri
 
 // HandleCallback parses the request and returns the user's identity
 func (m *callback) HandleCallback(s connector.Scopes, r *http.Request) (connector.Identity, error) {
-	remoteUser := r.Header.Get("X-Remote-User")
+	remoteUser := r.Header.Get(m.userHeader)
 	if remoteUser == "" {
-		return connector.Identity{}, fmt.Errorf("required HTTP header X-Remote-User is not set")
+		return connector.Identity{}, fmt.Errorf("required HTTP header %s is not set", m.userHeader)
+	}
+	groups := m.groups
+	headerGroup := r.Header.Get(m.groupHeader)
+	if headerGroup != "" {
+		groups = append(groups, headerGroup)
 	}
-	// TODO: add support for X-Remote-Group, see
-	// https://kubernetes.io/docs/admin/authentication/#authenticating-proxy
 	return connector.Identity{
 		UserID:        remoteUser, // TODO: figure out if this is a bad ID value.
 		Email:         remoteUser,
 		EmailVerified: true,
+		Groups:        groups,
 	}, nil
 }

connector/bitbucketcloud/bitbucketcloud.go

@@ -6,7 +6,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"sync"
 	"time"
@@ -21,7 +21,8 @@ import (
 
 const (
 	apiURL = "https://api.bitbucket.org/2.0"
-
+	// Switch to API v2.0 when the Atlassian platform services are fully available in Bitbucket
+	legacyAPIURL = "https://api.bitbucket.org/1.0"
 	// Bitbucket requires this scope to access '/user' API endpoints.
 	scopeAccount = "account"
 	// Bitbucket requires this scope to access '/user/emails' API endpoints.
@@ -33,22 +34,24 @@ const (
 
 // Config holds configuration options for Bitbucket logins.
 type Config struct {
-	ClientID     string   `json:"clientID"`
-	ClientSecret string   `json:"clientSecret"`
-	RedirectURI  string   `json:"redirectURI"`
-	Teams        []string `json:"teams"`
+	ClientID          string   `json:"clientID"`
+	ClientSecret      string   `json:"clientSecret"`
+	RedirectURI       string   `json:"redirectURI"`
+	Teams             []string `json:"teams"`
+	IncludeTeamGroups bool     `json:"includeTeamGroups,omitempty"`
 }
 
 // Open returns a strategy for logging in through Bitbucket.
-func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error) {
-
+func (c *Config) Open(_ string, logger log.Logger) (connector.Connector, error) {
 	b := bitbucketConnector{
-		redirectURI:  c.RedirectURI,
-		teams:        c.Teams,
-		clientID:     c.ClientID,
-		clientSecret: c.ClientSecret,
-		apiURL:       apiURL,
-		logger:       logger,
+		redirectURI:       c.RedirectURI,
+		teams:             c.Teams,
+		clientID:          c.ClientID,
+		clientSecret:      c.ClientSecret,
+		includeTeamGroups: c.IncludeTeamGroups,
+		apiURL:            apiURL,
+		legacyAPIURL:      legacyAPIURL,
+		logger:            logger,
 	}
 
 	return &b, nil
@@ -72,10 +75,13 @@ type bitbucketConnector struct {
 	clientSecret string
 	logger       log.Logger
 	apiURL       string
+	legacyAPIURL string
 
 	// the following are used only for tests
 	hostName   string
 	httpClient *http.Client
+
+	includeTeamGroups bool
 }
 
 // groupsRequired returns whether dex requires Bitbucket's 'team' scope.
@@ -345,7 +351,7 @@ func (b *bitbucketConnector) userEmail(ctx context.Context, client *http.Client)
 
 // getGroups retrieves Bitbucket teams a user is in, if any.
 func (b *bitbucketConnector) getGroups(ctx context.Context, client *http.Client, groupScope bool, userLogin string) ([]string, error) {
-	bitbucketTeams, err := b.userTeams(ctx, client)
+	bitbucketTeams, err := b.userWorkspaces(ctx, client)
 	if err != nil {
 		return nil, err
 	}
@@ -363,30 +369,33 @@ func (b *bitbucketConnector) getGroups(ctx context.Context, client *http.Client,
 	return nil, nil
 }
 
-type team struct {
-	Name string `json:"username"` // The "username" from Bitbucket Cloud is actually the team name here
+type workspaceSlug struct {
+	Slug string `json:"slug"`
 }
 
-type userTeamsResponse struct {
+type workspace struct {
+	Workspace workspaceSlug `json:"workspace"`
+}
+
+type userWorkspacesResponse struct {
 	pagedResponse
-	Values []team
+	Values []workspace `json:"values"`
 }
 
-func (b *bitbucketConnector) userTeams(ctx context.Context, client *http.Client) ([]string, error) {
-
+func (b *bitbucketConnector) userWorkspaces(ctx context.Context, client *http.Client) ([]string, error) {
 	var teams []string
-	apiURL := b.apiURL + "/teams?role=member"
+	apiURL := b.apiURL + "/user/permissions/workspaces"
 
 	for {
-		// https://developer.atlassian.com/bitbucket/api/2/reference/resource/teams
-		var response userTeamsResponse
+		// https://developer.atlassian.com/cloud/bitbucket/rest/api-group-workspaces/#api-workspaces-get
+		var response userWorkspacesResponse
 
 		if err := get(ctx, client, apiURL, &response); err != nil {
 			return nil, fmt.Errorf("bitbucket: get user teams: %v", err)
 		}
 
-		for _, team := range response.Values {
-			teams = append(teams, team.Name)
+		for _, value := range response.Values {
+			teams = append(teams, value.Workspace.Slug)
 		}
 
 		if response.Next == nil {
@@ -394,9 +403,39 @@ func (b *bitbucketConnector) userTeams(ctx context.Context, client *http.Client)
 		}
 	}
 
+	if b.includeTeamGroups {
+		for _, team := range teams {
+			teamGroups, err := b.userTeamGroups(ctx, client, team)
+			if err != nil {
+				return nil, fmt.Errorf("bitbucket: %v", err)
+			}
+			teams = append(teams, teamGroups...)
+		}
+	}
+
 	return teams, nil
 }
 
+type group struct {
+	Slug string `json:"slug"`
+}
+
+func (b *bitbucketConnector) userTeamGroups(ctx context.Context, client *http.Client, teamName string) ([]string, error) {
+	apiURL := b.legacyAPIURL + "/groups/" + teamName
+
+	var response []group
+	if err := get(ctx, client, apiURL, &response); err != nil {
+		return nil, fmt.Errorf("get user team %q groups: %v", teamName, err)
+	}
+
+	teamGroups := make([]string, 0, len(response))
+	for _, group := range response {
+		teamGroups = append(teamGroups, teamName+"/"+group.Slug)
+	}
+
+	return teamGroups, nil
+}
+
 // get creates a "GET `apiURL`" request with context, sends the request using
 // the client, and decodes the resulting response body into v.
 // Any errors encountered when building requests, sending requests, and
@@ -414,7 +453,7 @@ func get(ctx context.Context, client *http.Client, apiURL string, v interface{})
 	defer resp.Body.Close()
 
 	if resp.StatusCode != http.StatusOK {
-		body, err := ioutil.ReadAll(resp.Body)
+		body, err := io.ReadAll(resp.Body)
 		if err != nil {
 			return fmt.Errorf("bitbucket: read body: %s: %v", resp.Status, err)
 		}

connector/bitbucketcloud/bitbucketcloud_test.go

@@ -14,26 +14,28 @@ import (
 )
 
 func TestUserGroups(t *testing.T) {
-
-	teamsResponse := userTeamsResponse{
+	teamsResponse := userWorkspacesResponse{
 		pagedResponse: pagedResponse{
 			Size:    3,
 			Page:    1,
 			PageLen: 10,
 		},
-		Values: []team{
-			{Name: "team-1"},
-			{Name: "team-2"},
-			{Name: "team-3"},
+		Values: []workspace{
+			{Workspace: workspaceSlug{Slug: "team-1"}},
+			{Workspace: workspaceSlug{Slug: "team-2"}},
+			{Workspace: workspaceSlug{Slug: "team-3"}},
 		},
 	}
 
 	s := newTestServer(map[string]interface{}{
-		"/teams?role=member": teamsResponse,
+		"/user/permissions/workspaces": teamsResponse,
+		"/groups/team-1":               []group{{Slug: "administrators"}, {Slug: "members"}},
+		"/groups/team-2":               []group{{Slug: "everyone"}},
+		"/groups/team-3":               []group{},
 	})
 
-	connector := bitbucketConnector{apiURL: s.URL}
-	groups, err := connector.userTeams(context.Background(), newClient())
+	connector := bitbucketConnector{apiURL: s.URL, legacyAPIURL: s.URL}
+	groups, err := connector.userWorkspaces(context.Background(), newClient())
 
 	expectNil(t, err)
 	expectEquals(t, groups, []string{
@@ -42,17 +44,29 @@ func TestUserGroups(t *testing.T) {
 		"team-3",
 	})
 
+	connector.includeTeamGroups = true
+	groups, err = connector.userWorkspaces(context.Background(), newClient())
+
+	expectNil(t, err)
+	expectEquals(t, groups, []string{
+		"team-1",
+		"team-2",
+		"team-3",
+		"team-1/administrators",
+		"team-1/members",
+		"team-2/everyone",
+	})
+
 	s.Close()
 }
 
 func TestUserWithoutTeams(t *testing.T) {
-
 	s := newTestServer(map[string]interface{}{
-		"/teams?role=member": userTeamsResponse{},
+		"/user/permissions/workspaces": userWorkspacesResponse{},
 	})
 
 	connector := bitbucketConnector{apiURL: s.URL}
-	groups, err := connector.userTeams(context.Background(), newClient())
+	groups, err := connector.userWorkspaces(context.Background(), newClient())
 
 	expectNil(t, err)
 	expectEquals(t, len(groups), 0)
@@ -61,7 +75,6 @@ func TestUserWithoutTeams(t *testing.T) {
 }
 
 func TestUsernameIncludedInFederatedIdentity(t *testing.T) {
-
 	s := newTestServer(map[string]interface{}{
 		"/user": user{Username: "some-login"},
 		"/user/emails": userEmailResponse{

connector/gitea/gitea.go

@@ -0,0 +1,424 @@
+// Package gitea provides authentication strategies using Gitea.
+package gitea
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"strconv"
+	"sync"
+	"time"
+
+	"golang.org/x/oauth2"
+
+	"github.com/dexidp/dex/connector"
+	"github.com/dexidp/dex/pkg/log"
+)
+
+// Config holds configuration options for gitea logins.
+type Config struct {
+	BaseURL       string `json:"baseURL"`
+	ClientID      string `json:"clientID"`
+	ClientSecret  string `json:"clientSecret"`
+	RedirectURI   string `json:"redirectURI"`
+	Orgs          []Org  `json:"orgs"`
+	LoadAllGroups bool   `json:"loadAllGroups"`
+	UseLoginAsID  bool   `json:"useLoginAsID"`
+}
+
+// Org holds org-team filters, in which teams are optional.
+type Org struct {
+	// Organization name in gitea (not slug, full name). Only users in this gitea
+	// organization can authenticate.
+	Name string `json:"name"`
+
+	// Names of teams in a gitea organization. A user will be able to
+	// authenticate if they are members of at least one of these teams. Users
+	// in the organization can authenticate if this field is omitted from the
+	// config file.
+	Teams []string `json:"teams,omitempty"`
+}
+
+type giteaUser struct {
+	ID       int    `json:"id"`
+	Name     string `json:"full_name"`
+	Username string `json:"login"`
+	Email    string `json:"email"`
+	IsAdmin  bool   `json:"is_admin"`
+}
+
+// Open returns a strategy for logging in through Gitea
+func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error) {
+	if c.BaseURL == "" {
+		c.BaseURL = "https://gitea.com"
+	}
+	return &giteaConnector{
+		baseURL:       c.BaseURL,
+		redirectURI:   c.RedirectURI,
+		orgs:          c.Orgs,
+		clientID:      c.ClientID,
+		clientSecret:  c.ClientSecret,
+		logger:        logger,
+		loadAllGroups: c.LoadAllGroups,
+		useLoginAsID:  c.UseLoginAsID,
+	}, nil
+}
+
+type connectorData struct {
+	AccessToken  string    `json:"accessToken"`
+	RefreshToken string    `json:"refreshToken"`
+	Expiry       time.Time `json:"expiry"`
+}
+
+var (
+	_ connector.CallbackConnector = (*giteaConnector)(nil)
+	_ connector.RefreshConnector  = (*giteaConnector)(nil)
+)
+
+type giteaConnector struct {
+	baseURL      string
+	redirectURI  string
+	orgs         []Org
+	clientID     string
+	clientSecret string
+	logger       log.Logger
+	httpClient   *http.Client
+	// if set to true and no orgs are configured then connector loads all user claims (all orgs and team)
+	loadAllGroups bool
+	// if set to true will use the user's handle rather than their numeric id as the ID
+	useLoginAsID bool
+}
+
+func (c *giteaConnector) oauth2Config(_ connector.Scopes) *oauth2.Config {
+	giteaEndpoint := oauth2.Endpoint{AuthURL: c.baseURL + "/login/oauth/authorize", TokenURL: c.baseURL + "/login/oauth/access_token"}
+	return &oauth2.Config{
+		ClientID:     c.clientID,
+		ClientSecret: c.clientSecret,
+		Endpoint:     giteaEndpoint,
+		RedirectURL:  c.redirectURI,
+	}
+}
+
+func (c *giteaConnector) LoginURL(scopes connector.Scopes, callbackURL, state string) (string, error) {
+	if c.redirectURI != callbackURL {
+		return "", fmt.Errorf("expected callback URL %q did not match the URL in the config %q", c.redirectURI, callbackURL)
+	}
+	return c.oauth2Config(scopes).AuthCodeURL(state), nil
+}
+
+type oauth2Error struct {
+	error            string
+	errorDescription string
+}
+
+func (e *oauth2Error) Error() string {
+	if e.errorDescription == "" {
+		return e.error
+	}
+	return e.error + ": " + e.errorDescription
+}
+
+func (c *giteaConnector) HandleCallback(s connector.Scopes, r *http.Request) (identity connector.Identity, err error) {
+	q := r.URL.Query()
+	if errType := q.Get("error"); errType != "" {
+		return identity, &oauth2Error{errType, q.Get("error_description")}
+	}
+
+	oauth2Config := c.oauth2Config(s)
+
+	ctx := r.Context()
+	if c.httpClient != nil {
+		ctx = context.WithValue(r.Context(), oauth2.HTTPClient, c.httpClient)
+	}
+
+	token, err := oauth2Config.Exchange(ctx, q.Get("code"))
+	if err != nil {
+		return identity, fmt.Errorf("gitea: failed to get token: %v", err)
+	}
+
+	client := oauth2Config.Client(ctx, token)
+
+	user, err := c.user(ctx, client)
+	if err != nil {
+		return identity, fmt.Errorf("gitea: get user: %v", err)
+	}
+
+	username := user.Name
+	if username == "" {
+		username = user.Email
+	}
+
+	identity = connector.Identity{
+		UserID:            strconv.Itoa(user.ID),
+		Username:          username,
+		PreferredUsername: user.Username,
+		Email:             user.Email,
+		EmailVerified:     true,
+	}
+	if c.useLoginAsID {
+		identity.UserID = user.Username
+	}
+
+	// Only set identity.Groups if 'orgs', 'org', or 'groups' scope are specified.
+	if c.groupsRequired() {
+		groups, err := c.getGroups(ctx, client)
+		if err != nil {
+			return identity, err
+		}
+		identity.Groups = groups
+	}
+
+	if s.OfflineAccess {
+		data := connectorData{
+			AccessToken:  token.AccessToken,
+			RefreshToken: token.RefreshToken,
+			Expiry:       token.Expiry,
+		}
+		connData, err := json.Marshal(data)
+		if err != nil {
+			return identity, fmt.Errorf("gitea: marshal connector data: %v", err)
+		}
+		identity.ConnectorData = connData
+	}
+
+	return identity, nil
+}
+
+// Refreshing tokens
+// https://github.com/golang/oauth2/issues/84#issuecomment-332860871
+type tokenNotifyFunc func(*oauth2.Token) error
+
+// notifyRefreshTokenSource is essentially `oauth2.ReuseTokenSource` with `TokenNotifyFunc` added.
+type notifyRefreshTokenSource struct {
+	new oauth2.TokenSource
+	mu  sync.Mutex // guards t
+	t   *oauth2.Token
+	f   tokenNotifyFunc // called when token refreshed so new refresh token can be persisted
+}
+
+// Token returns the current token if it's still valid, else will
+// refresh the current token (using r.Context for HTTP client
+// information) and return the new one.
+func (s *notifyRefreshTokenSource) Token() (*oauth2.Token, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	if s.t.Valid() {
+		return s.t, nil
+	}
+	t, err := s.new.Token()
+	if err != nil {
+		return nil, err
+	}
+	s.t = t
+	return t, s.f(t)
+}
+
+func (c *giteaConnector) Refresh(ctx context.Context, s connector.Scopes, ident connector.Identity) (connector.Identity, error) {
+	if len(ident.ConnectorData) == 0 {
+		return ident, errors.New("gitea: no upstream access token found")
+	}
+
+	var data connectorData
+	if err := json.Unmarshal(ident.ConnectorData, &data); err != nil {
+		return ident, fmt.Errorf("gitea: unmarshal access token: %v", err)
+	}
+
+	tok := &oauth2.Token{
+		AccessToken:  data.AccessToken,
+		RefreshToken: data.RefreshToken,
+		Expiry:       data.Expiry,
+	}
+
+	client := oauth2.NewClient(ctx, &notifyRefreshTokenSource{
+		new: c.oauth2Config(s).TokenSource(ctx, tok),
+		t:   tok,
+		f: func(tok *oauth2.Token) error {
+			data := connectorData{
+				AccessToken:  tok.AccessToken,
+				RefreshToken: tok.RefreshToken,
+				Expiry:       tok.Expiry,
+			}
+			connData, err := json.Marshal(data)
+			if err != nil {
+				return fmt.Errorf("gitea: marshal connector data: %v", err)
+			}
+			ident.ConnectorData = connData
+			return nil
+		},
+	})
+	user, err := c.user(ctx, client)
+	if err != nil {
+		return ident, fmt.Errorf("gitea: get user: %v", err)
+	}
+
+	username := user.Name
+	if username == "" {
+		username = user.Email
+	}
+	ident.Username = username
+	ident.PreferredUsername = user.Username
+	ident.Email = user.Email
+
+	// Only set identity.Groups if 'orgs', 'org', or 'groups' scope are specified.
+	if c.groupsRequired() {
+		groups, err := c.getGroups(ctx, client)
+		if err != nil {
+			return ident, err
+		}
+		ident.Groups = groups
+	}
+
+	return ident, nil
+}
+
+// getGroups retrieves Gitea orgs and teams a user is in, if any.
+func (c *giteaConnector) getGroups(ctx context.Context, client *http.Client) ([]string, error) {
+	if len(c.orgs) > 0 {
+		return c.groupsForOrgs(ctx, client)
+	} else if c.loadAllGroups {
+		return c.userGroups(ctx, client)
+	}
+	return nil, nil
+}
+
+// formatTeamName returns unique team name.
+// Orgs might have the same team names. To make team name unique it should be prefixed with the org name.
+func formatTeamName(org string, team string) string {
+	return fmt.Sprintf("%s:%s", org, team)
+}
+
+// groupsForOrgs returns list of groups that user belongs to in approved list
+func (c *giteaConnector) groupsForOrgs(ctx context.Context, client *http.Client) ([]string, error) {
+	groups, err := c.userGroups(ctx, client)
+	if err != nil {
+		return groups, err
+	}
+
+	keys := make(map[string]bool)
+	for _, o := range c.orgs {
+		keys[o.Name] = true
+		if o.Teams != nil {
+			for _, t := range o.Teams {
+				keys[formatTeamName(o.Name, t)] = true
+			}
+		}
+	}
+	atLeastOne := false
+	filteredGroups := make([]string, 0)
+	for _, g := range groups {
+		if _, value := keys[g]; value {
+			filteredGroups = append(filteredGroups, g)
+			atLeastOne = true
+		}
+	}
+
+	if !atLeastOne {
+		return []string{}, fmt.Errorf("gitea: User does not belong to any of the approved groups")
+	}
+	return filteredGroups, nil
+}
+
+type organization struct {
+	ID   int64  `json:"id"`
+	Name string `json:"username"`
+}
+
+type team struct {
+	ID           int64         `json:"id"`
+	Name         string        `json:"name"`
+	Organization *organization `json:"organization"`
+}
+
+func (c *giteaConnector) userGroups(ctx context.Context, client *http.Client) ([]string, error) {
+	apiURL := c.baseURL + "/api/v1/user/teams"
+	groups := make([]string, 0)
+	page := 1
+	limit := 20
+	for {
+		var teams []team
+		req, err := http.NewRequest("GET", fmt.Sprintf("%s?page=%d&limit=%d", apiURL, page, limit), nil)
+		if err != nil {
+			return groups, fmt.Errorf("gitea: new req: %v", err)
+		}
+
+		req = req.WithContext(ctx)
+		resp, err := client.Do(req)
+		if err != nil {
+			return groups, fmt.Errorf("gitea: get URL %v", err)
+		}
+		defer resp.Body.Close()
+
+		if resp.StatusCode != http.StatusOK {
+			body, err := io.ReadAll(resp.Body)
+			if err != nil {
+				return groups, fmt.Errorf("gitea: read body: %v", err)
+			}
+			return groups, fmt.Errorf("%s: %s", resp.Status, body)
+		}
+
+		if err := json.NewDecoder(resp.Body).Decode(&teams); err != nil {
+			return groups, fmt.Errorf("failed to decode response: %v", err)
+		}
+
+		if len(teams) == 0 {
+			break
+		}
+
+		for _, t := range teams {
+			groups = append(groups, t.Organization.Name)
+			groups = append(groups, formatTeamName(t.Organization.Name, t.Name))
+		}
+
+		page++
+	}
+
+	// remove duplicate slice variables
+	keys := make(map[string]struct{})
+	list := []string{}
+	for _, group := range groups {
+		if _, exists := keys[group]; !exists {
+			keys[group] = struct{}{}
+			list = append(list, group)
+		}
+	}
+	groups = list
+	return groups, nil
+}
+
+// user queries the Gitea API for profile information using the provided client. The HTTP
+// client is expected to be constructed by the golang.org/x/oauth2 package, which inserts
+// a bearer token as part of the request.
+func (c *giteaConnector) user(ctx context.Context, client *http.Client) (giteaUser, error) {
+	var u giteaUser
+	req, err := http.NewRequest("GET", c.baseURL+"/api/v1/user", nil)
+	if err != nil {
+		return u, fmt.Errorf("gitea: new req: %v", err)
+	}
+	req = req.WithContext(ctx)
+	resp, err := client.Do(req)
+	if err != nil {
+		return u, fmt.Errorf("gitea: get URL %v", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		body, err := io.ReadAll(resp.Body)
+		if err != nil {
+			return u, fmt.Errorf("gitea: read body: %v", err)
+		}
+		return u, fmt.Errorf("%s: %s", resp.Status, body)
+	}
+
+	if err := json.NewDecoder(resp.Body).Decode(&u); err != nil {
+		return u, fmt.Errorf("failed to decode response: %v", err)
+	}
+	return u, nil
+}
+
+// groupsRequired returns whether dex needs to request groups from Gitea.
+func (c *giteaConnector) groupsRequired() bool {
+	return len(c.orgs) > 0 || c.loadAllGroups
+}

connector/gitea/gitea_test.go

@@ -0,0 +1,72 @@
+package gitea
+
+import (
+	"crypto/tls"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"reflect"
+	"testing"
+
+	"github.com/dexidp/dex/connector"
+)
+
+// tests that the email is used as their username when they have no username set
+func TestUsernameIncludedInFederatedIdentity(t *testing.T) {
+	s := newTestServer(map[string]interface{}{
+		"/api/v1/user": giteaUser{Email: "some@email.com", ID: 12345678},
+		"/login/oauth/access_token": map[string]interface{}{
+			"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9",
+			"expires_in":   "30",
+		},
+	})
+	defer s.Close()
+
+	hostURL, err := url.Parse(s.URL)
+	expectNil(t, err)
+
+	req, err := http.NewRequest("GET", hostURL.String(), nil)
+	expectNil(t, err)
+
+	c := giteaConnector{baseURL: s.URL, httpClient: newClient()}
+	identity, err := c.HandleCallback(connector.Scopes{}, req)
+
+	expectNil(t, err)
+	expectEquals(t, identity.Username, "some@email.com")
+	expectEquals(t, identity.UserID, "12345678")
+
+	c = giteaConnector{baseURL: s.URL, httpClient: newClient()}
+	identity, err = c.HandleCallback(connector.Scopes{}, req)
+
+	expectNil(t, err)
+	expectEquals(t, identity.Username, "some@email.com")
+	expectEquals(t, identity.UserID, "12345678")
+}
+
+func newTestServer(responses map[string]interface{}) *httptest.Server {
+	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		response := responses[r.RequestURI]
+		w.Header().Add("Content-Type", "application/json")
+		json.NewEncoder(w).Encode(response)
+	}))
+}
+
+func newClient() *http.Client {
+	tr := &http.Transport{
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+	}
+	return &http.Client{Transport: tr}
+}
+
+func expectNil(t *testing.T, a interface{}) {
+	if a != nil {
+		t.Errorf("Expected %+v to equal nil", a)
+	}
+}
+
+func expectEquals(t *testing.T, a interface{}, b interface{}) {
+	if !reflect.DeepEqual(a, b) {
+		t.Errorf("Expected %+v to equal %+v", a, b)
+	}
+}

connector/github/github.go

@@ -8,9 +8,10 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net"
 	"net/http"
+	"os"
 	"regexp"
 	"strconv"
 	"strings"
@@ -35,8 +36,10 @@ const (
 
 // Pagination URL patterns
 // https://developer.github.com/v3/#pagination
-var reNext = regexp.MustCompile("<([^>]+)>; rel=\"next\"")
-var reLast = regexp.MustCompile("<([^>]+)>; rel=\"last\"")
+var (
+	reNext = regexp.MustCompile("<([^>]+)>; rel=\"next\"")
+	reLast = regexp.MustCompile("<([^>]+)>; rel=\"last\"")
+)
 
 // Config holds configuration options for github logins.
 type Config struct {
@@ -67,7 +70,6 @@ type Org struct {
 
 // Open returns a strategy for logging in through GitHub.
 func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error) {
-
 	if c.Org != "" {
 		// Return error if both 'org' and 'orgs' fields are used.
 		if len(c.Orgs) > 0 {
@@ -107,7 +109,6 @@ func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error)
 		if g.httpClient, err = newHTTPClient(g.rootCA); err != nil {
 			return nil, fmt.Errorf("failed to create HTTP client: %v", err)
 		}
-
 	}
 	g.loadAllGroups = c.LoadAllGroups
 
@@ -144,7 +145,7 @@ type githubConnector struct {
 	hostName string
 	// Used to support untrusted/self-signed CA certs.
 	rootCA string
-	// HTTP Client that trusts the custom delcared rootCA cert.
+	// HTTP Client that trusts the custom declared rootCA cert.
 	httpClient *http.Client
 	// optional choice between 'name' (default) or 'slug'
 	teamNameField string
@@ -183,6 +184,7 @@ func (c *githubConnector) oauth2Config(scopes connector.Scopes) *oauth2.Config {
 		ClientSecret: c.clientSecret,
 		Endpoint:     endpoint,
 		Scopes:       githubScopes,
+		RedirectURL:  c.redirectURI,
 	}
 }
 
@@ -206,10 +208,10 @@ func (e *oauth2Error) Error() string {
 	return e.error + ": " + e.errorDescription
 }
 
-// newHTTPClient returns a new HTTP client that trusts the custom delcared rootCA cert.
+// newHTTPClient returns a new HTTP client that trusts the custom declared rootCA cert.
 func newHTTPClient(rootCA string) (*http.Client, error) {
 	tlsConfig := tls.Config{RootCAs: x509.NewCertPool()}
-	rootCABytes, err := ioutil.ReadFile(rootCA)
+	rootCABytes, err := os.ReadFile(rootCA)
 	if err != nil {
 		return nil, fmt.Errorf("failed to read root-ca: %v", err)
 	}
@@ -335,11 +337,12 @@ func (c *githubConnector) Refresh(ctx context.Context, s connector.Scopes, ident
 
 // getGroups retrieves GitHub orgs and teams a user is in, if any.
 func (c *githubConnector) getGroups(ctx context.Context, client *http.Client, groupScope bool, userLogin string) ([]string, error) {
-	if len(c.orgs) > 0 {
+	switch {
+	case len(c.orgs) > 0:
 		return c.groupsForOrgs(ctx, client, userLogin)
-	} else if c.org != "" {
+	case c.org != "":
 		return c.teamsForOrg(ctx, client, c.org)
-	} else if groupScope && c.loadAllGroups {
+	case groupScope && c.loadAllGroups:
 		return c.userGroups(ctx, client)
 	}
 	return nil, nil
@@ -486,7 +489,7 @@ func get(ctx context.Context, client *http.Client, apiURL string, v interface{})
 	defer resp.Body.Close()
 
 	if resp.StatusCode != http.StatusOK {
-		body, err := ioutil.ReadAll(resp.Body)
+		body, err := io.ReadAll(resp.Body)
 		if err != nil {
 			return "", fmt.Errorf("github: read body: %v", err)
 		}
@@ -626,7 +629,6 @@ func (c *githubConnector) userInOrg(ctx context.Context, client *http.Client, us
 	apiURL := fmt.Sprintf("%s/orgs/%s/members/%s", c.apiURL, orgName, userName)
 
 	req, err := http.NewRequest("GET", apiURL, nil)
-
 	if err != nil {
 		return false, fmt.Errorf("github: new req: %v", err)
 	}

connector/github/github_test.go

@@ -126,7 +126,6 @@ func TestUserGroupsWithTeamNameAndSlugFieldConfig(t *testing.T) {
 
 // tests that the users login is used as their username when they have no username set
 func TestUsernameIncludedInFederatedIdentity(t *testing.T) {
-
 	s := newTestServer(map[string]testResponse{
 		"/user": {data: user{Login: "some-login", ID: 12345678}},
 		"/user/emails": {data: []userEmail{{
@@ -168,7 +167,6 @@ func TestUsernameIncludedInFederatedIdentity(t *testing.T) {
 }
 
 func TestLoginUsedAsIDWhenConfigured(t *testing.T) {
-
 	s := newTestServer(map[string]testResponse{
 		"/user": {data: user{Login: "some-login", ID: 12345678, Name: "Joe Bloggs"}},
 		"/user/emails": {data: []userEmail{{

connector/gitlab/gitlab.go

@@ -6,9 +6,10 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"strconv"
+	"time"
 
 	"golang.org/x/oauth2"
 
@@ -25,7 +26,7 @@ const (
 	scopeOpenID = "openid"
 )
 
-// Config holds configuration options for gilab logins.
+// Config holds configuration options for gitlab logins.
 type Config struct {
 	BaseURL      string   `json:"baseURL"`
 	ClientID     string   `json:"clientID"`
@@ -61,8 +62,9 @@ func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error)
 }
 
 type connectorData struct {
-	// GitLab's OAuth2 tokens never expire. We don't need a refresh token.
-	AccessToken string `json:"accessToken"`
+	// Support GitLab's Access Tokens and Refresh tokens.
+	AccessToken  string `json:"accessToken"`
+	RefreshToken string `json:"refreshToken"`
 }
 
 var (
@@ -135,6 +137,11 @@ func (c *gitlabConnector) HandleCallback(s connector.Scopes, r *http.Request) (i
 		return identity, fmt.Errorf("gitlab: failed to get token: %v", err)
 	}
 
+	return c.identity(ctx, s, token)
+}
+
+func (c *gitlabConnector) identity(ctx context.Context, s connector.Scopes, token *oauth2.Token) (identity connector.Identity, err error) {
+	oauth2Config := c.oauth2Config(s)
 	client := oauth2Config.Client(ctx, token)
 
 	user, err := c.user(ctx, client)
@@ -146,6 +153,7 @@ func (c *gitlabConnector) HandleCallback(s connector.Scopes, r *http.Request) (i
 	if username == "" {
 		username = user.Email
 	}
+
 	identity = connector.Identity{
 		UserID:            strconv.Itoa(user.ID),
 		Username:          username,
@@ -166,10 +174,10 @@ func (c *gitlabConnector) HandleCallback(s connector.Scopes, r *http.Request) (i
 	}
 
 	if s.OfflineAccess {
-		data := connectorData{AccessToken: token.AccessToken}
+		data := connectorData{RefreshToken: token.RefreshToken, AccessToken: token.AccessToken}
 		connData, err := json.Marshal(data)
 		if err != nil {
-			return identity, fmt.Errorf("marshal connector data: %v", err)
+			return identity, fmt.Errorf("gitlab: marshal connector data: %v", err)
 		}
 		identity.ConnectorData = connData
 	}
@@ -178,37 +186,39 @@ func (c *gitlabConnector) HandleCallback(s connector.Scopes, r *http.Request) (i
 }
 
 func (c *gitlabConnector) Refresh(ctx context.Context, s connector.Scopes, ident connector.Identity) (connector.Identity, error) {
-	if len(ident.ConnectorData) == 0 {
-		return ident, errors.New("no upstream access token found")
-	}
-
 	var data connectorData
 	if err := json.Unmarshal(ident.ConnectorData, &data); err != nil {
-		return ident, fmt.Errorf("gitlab: unmarshal access token: %v", err)
+		return ident, fmt.Errorf("gitlab: unmarshal connector data: %v", err)
+	}
+	oauth2Config := c.oauth2Config(s)
+
+	if c.httpClient != nil {
+		ctx = context.WithValue(ctx, oauth2.HTTPClient, c.httpClient)
 	}
 
-	client := c.oauth2Config(s).Client(ctx, &oauth2.Token{AccessToken: data.AccessToken})
-	user, err := c.user(ctx, client)
-	if err != nil {
-		return ident, fmt.Errorf("gitlab: get user: %v", err)
-	}
-
-	username := user.Name
-	if username == "" {
-		username = user.Email
-	}
-	ident.Username = username
-	ident.PreferredUsername = user.Username
-	ident.Email = user.Email
-
-	if c.groupsRequired(s.Groups) {
-		groups, err := c.getGroups(ctx, client, s.Groups, user.Username)
-		if err != nil {
-			return ident, fmt.Errorf("gitlab: get groups: %v", err)
+	switch {
+	case data.RefreshToken != "":
+		{
+			t := &oauth2.Token{
+				RefreshToken: data.RefreshToken,
+				Expiry:       time.Now().Add(-time.Hour),
+			}
+			token, err := oauth2Config.TokenSource(ctx, t).Token()
+			if err != nil {
+				return ident, fmt.Errorf("gitlab: failed to get refresh token: %v", err)
+			}
+			return c.identity(ctx, s, token)
 		}
-		ident.Groups = groups
+	case data.AccessToken != "":
+		{
+			token := &oauth2.Token{
+				AccessToken: data.AccessToken,
+			}
+			return c.identity(ctx, s, token)
+		}
+	default:
+		return ident, errors.New("no refresh or access token found")
 	}
-	return ident, nil
 }
 
 func (c *gitlabConnector) groupsRequired(groupScope bool) bool {
@@ -232,7 +242,7 @@ func (c *gitlabConnector) user(ctx context.Context, client *http.Client) (gitlab
 	defer resp.Body.Close()
 
 	if resp.StatusCode != http.StatusOK {
-		body, err := ioutil.ReadAll(resp.Body)
+		body, err := io.ReadAll(resp.Body)
 		if err != nil {
 			return u, fmt.Errorf("gitlab: read body: %v", err)
 		}
@@ -266,7 +276,7 @@ func (c *gitlabConnector) userGroups(ctx context.Context, client *http.Client) (
 	defer resp.Body.Close()
 
 	if resp.StatusCode != http.StatusOK {
-		body, err := ioutil.ReadAll(resp.Body)
+		body, err := io.ReadAll(resp.Body)
 		if err != nil {
 			return nil, fmt.Errorf("gitlab: read body: %v", err)
 		}

connector/gitlab/gitlab_test.go

@@ -65,7 +65,6 @@ func TestUserGroupsWithoutOrgs(t *testing.T) {
 
 // tests that the email is used as their username when they have no username set
 func TestUsernameIncludedInFederatedIdentity(t *testing.T) {
-
 	s := newTestServer(map[string]interface{}{
 		"/api/v4/user": gitlabUser{Email: "some@email.com", ID: 12345678},
 		"/oauth/token": map[string]interface{}{
@@ -102,7 +101,6 @@ func TestUsernameIncludedInFederatedIdentity(t *testing.T) {
 }
 
 func TestLoginUsedAsIDWhenConfigured(t *testing.T) {
-
 	s := newTestServer(map[string]interface{}{
 		"/api/v4/user": gitlabUser{Email: "some@email.com", ID: 12345678, Name: "Joe Bloggs", Username: "joebloggs"},
 		"/oauth/token": map[string]interface{}{
@@ -130,7 +128,6 @@ func TestLoginUsedAsIDWhenConfigured(t *testing.T) {
 }
 
 func TestLoginWithTeamWhitelisted(t *testing.T) {
-
 	s := newTestServer(map[string]interface{}{
 		"/api/v4/user": gitlabUser{Email: "some@email.com", ID: 12345678, Name: "Joe Bloggs"},
 		"/oauth/token": map[string]interface{}{
@@ -158,7 +155,6 @@ func TestLoginWithTeamWhitelisted(t *testing.T) {
 }
 
 func TestLoginWithTeamNonWhitelisted(t *testing.T) {
-
 	s := newTestServer(map[string]interface{}{
 		"/api/v4/user": gitlabUser{Email: "some@email.com", ID: 12345678, Name: "Joe Bloggs", Username: "joebloggs"},
 		"/oauth/token": map[string]interface{}{
@@ -184,6 +180,75 @@ func TestLoginWithTeamNonWhitelisted(t *testing.T) {
 	expectEquals(t, err.Error(), "gitlab: get groups: gitlab: user \"joebloggs\" is not in any of the required groups")
 }
 
+func TestRefresh(t *testing.T) {
+	s := newTestServer(map[string]interface{}{
+		"/api/v4/user": gitlabUser{Email: "some@email.com", ID: 12345678},
+		"/oauth/token": map[string]interface{}{
+			"access_token":  "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9",
+			"refresh_token": "oRzxVjCnohYRHEYEhZshkmakKmoyVoTjfUGC",
+			"expires_in":    "30",
+		},
+		"/oauth/userinfo": userInfo{
+			Groups: []string{"team-1"},
+		},
+	})
+	defer s.Close()
+
+	hostURL, err := url.Parse(s.URL)
+	expectNil(t, err)
+
+	req, err := http.NewRequest("GET", hostURL.String(), nil)
+	expectNil(t, err)
+
+	c := gitlabConnector{baseURL: s.URL, httpClient: newClient()}
+
+	expectedConnectorData, err := json.Marshal(connectorData{
+		RefreshToken: "oRzxVjCnohYRHEYEhZshkmakKmoyVoTjfUGC",
+		AccessToken:  "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9",
+	})
+	expectNil(t, err)
+
+	identity, err := c.HandleCallback(connector.Scopes{OfflineAccess: true}, req)
+	expectNil(t, err)
+	expectEquals(t, identity.Username, "some@email.com")
+	expectEquals(t, identity.UserID, "12345678")
+	expectEquals(t, identity.ConnectorData, expectedConnectorData)
+
+	identity, err = c.Refresh(context.Background(), connector.Scopes{OfflineAccess: true}, identity)
+	expectNil(t, err)
+	expectEquals(t, identity.Username, "some@email.com")
+	expectEquals(t, identity.UserID, "12345678")
+	expectEquals(t, identity.ConnectorData, expectedConnectorData)
+}
+
+func TestRefreshWithEmptyConnectorData(t *testing.T) {
+	s := newTestServer(map[string]interface{}{
+		"/api/v4/user": gitlabUser{Email: "some@email.com", ID: 12345678},
+		"/oauth/token": map[string]interface{}{
+			"access_token":  "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9",
+			"refresh_token": "oRzxVjCnohYRHEYEhZshkmakKmoyVoTjfUGC",
+			"expires_in":    "30",
+		},
+		"/oauth/userinfo": userInfo{
+			Groups: []string{"team-1"},
+		},
+	})
+	defer s.Close()
+
+	emptyConnectorData, err := json.Marshal(connectorData{
+		RefreshToken: "",
+		AccessToken:  "",
+	})
+	expectNil(t, err)
+
+	c := gitlabConnector{baseURL: s.URL, httpClient: newClient()}
+	emptyIdentity := connector.Identity{ConnectorData: emptyConnectorData}
+
+	identity, err := c.Refresh(context.Background(), connector.Scopes{OfflineAccess: true}, emptyIdentity)
+	expectNotNil(t, err, "Refresh error")
+	expectEquals(t, emptyIdentity, identity)
+}
+
 func newTestServer(responses map[string]interface{}) *httptest.Server {
 	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		response := responses[r.RequestURI]

connector/google/google.go

@@ -0,0 +1,326 @@
+// Package google implements logging in through Google's OpenID Connect provider.
+package google
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/http"
+	"os"
+	"time"
+
+	"github.com/coreos/go-oidc/v3/oidc"
+	"golang.org/x/oauth2"
+	"golang.org/x/oauth2/google"
+	admin "google.golang.org/api/admin/directory/v1"
+	"google.golang.org/api/option"
+
+	"github.com/dexidp/dex/connector"
+	pkg_groups "github.com/dexidp/dex/pkg/groups"
+	"github.com/dexidp/dex/pkg/log"
+)
+
+const (
+	issuerURL = "https://accounts.google.com"
+)
+
+// Config holds configuration options for Google logins.
+type Config struct {
+	ClientID     string `json:"clientID"`
+	ClientSecret string `json:"clientSecret"`
+	RedirectURI  string `json:"redirectURI"`
+
+	Scopes []string `json:"scopes"` // defaults to "profile" and "email"
+
+	// Optional list of whitelisted domains
+	// If this field is nonempty, only users from a listed domain will be allowed to log in
+	HostedDomains []string `json:"hostedDomains"`
+
+	// Optional list of whitelisted groups
+	// If this field is nonempty, only users from a listed group will be allowed to log in
+	Groups []string `json:"groups"`
+
+	// Optional path to service account json
+	// If nonempty, and groups claim is made, will use authentication from file to
+	// check groups with the admin directory api
+	ServiceAccountFilePath string `json:"serviceAccountFilePath"`
+
+	// Required if ServiceAccountFilePath
+	// The email of a GSuite super user which the service account will impersonate
+	// when listing groups
+	AdminEmail string
+
+	// If this field is true, fetch direct group membership and transitive group membership
+	FetchTransitiveGroupMembership bool `json:"fetchTransitiveGroupMembership"`
+}
+
+// Open returns a connector which can be used to login users through Google.
+func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, err error) {
+	ctx, cancel := context.WithCancel(context.Background())
+
+	provider, err := oidc.NewProvider(ctx, issuerURL)
+	if err != nil {
+		cancel()
+		return nil, fmt.Errorf("failed to get provider: %v", err)
+	}
+
+	scopes := []string{oidc.ScopeOpenID}
+	if len(c.Scopes) > 0 {
+		scopes = append(scopes, c.Scopes...)
+	} else {
+		scopes = append(scopes, "profile", "email")
+	}
+
+	srv, err := createDirectoryService(c.ServiceAccountFilePath, c.AdminEmail)
+	if err != nil {
+		cancel()
+		return nil, fmt.Errorf("could not create directory service: %v", err)
+	}
+
+	clientID := c.ClientID
+	return &googleConnector{
+		redirectURI: c.RedirectURI,
+		oauth2Config: &oauth2.Config{
+			ClientID:     clientID,
+			ClientSecret: c.ClientSecret,
+			Endpoint:     provider.Endpoint(),
+			Scopes:       scopes,
+			RedirectURL:  c.RedirectURI,
+		},
+		verifier: provider.Verifier(
+			&oidc.Config{ClientID: clientID},
+		),
+		logger:                         logger,
+		cancel:                         cancel,
+		hostedDomains:                  c.HostedDomains,
+		groups:                         c.Groups,
+		serviceAccountFilePath:         c.ServiceAccountFilePath,
+		adminEmail:                     c.AdminEmail,
+		fetchTransitiveGroupMembership: c.FetchTransitiveGroupMembership,
+		adminSrv:                       srv,
+	}, nil
+}
+
+var (
+	_ connector.CallbackConnector = (*googleConnector)(nil)
+	_ connector.RefreshConnector  = (*googleConnector)(nil)
+)
+
+type googleConnector struct {
+	redirectURI                    string
+	oauth2Config                   *oauth2.Config
+	verifier                       *oidc.IDTokenVerifier
+	cancel                         context.CancelFunc
+	logger                         log.Logger
+	hostedDomains                  []string
+	groups                         []string
+	serviceAccountFilePath         string
+	adminEmail                     string
+	fetchTransitiveGroupMembership bool
+	adminSrv                       *admin.Service
+}
+
+func (c *googleConnector) Close() error {
+	c.cancel()
+	return nil
+}
+
+func (c *googleConnector) LoginURL(s connector.Scopes, callbackURL, state string) (string, error) {
+	if c.redirectURI != callbackURL {
+		return "", fmt.Errorf("expected callback URL %q did not match the URL in the config %q", callbackURL, c.redirectURI)
+	}
+
+	var opts []oauth2.AuthCodeOption
+	if len(c.hostedDomains) > 0 {
+		preferredDomain := c.hostedDomains[0]
+		if len(c.hostedDomains) > 1 {
+			preferredDomain = "*"
+		}
+		opts = append(opts, oauth2.SetAuthURLParam("hd", preferredDomain))
+	}
+
+	if s.OfflineAccess {
+		opts = append(opts, oauth2.AccessTypeOffline, oauth2.SetAuthURLParam("prompt", "consent"))
+	}
+	return c.oauth2Config.AuthCodeURL(state, opts...), nil
+}
+
+type oauth2Error struct {
+	error            string
+	errorDescription string
+}
+
+func (e *oauth2Error) Error() string {
+	if e.errorDescription == "" {
+		return e.error
+	}
+	return e.error + ": " + e.errorDescription
+}
+
+func (c *googleConnector) HandleCallback(s connector.Scopes, r *http.Request) (identity connector.Identity, err error) {
+	q := r.URL.Query()
+	if errType := q.Get("error"); errType != "" {
+		return identity, &oauth2Error{errType, q.Get("error_description")}
+	}
+	token, err := c.oauth2Config.Exchange(r.Context(), q.Get("code"))
+	if err != nil {
+		return identity, fmt.Errorf("google: failed to get token: %v", err)
+	}
+
+	return c.createIdentity(r.Context(), identity, s, token)
+}
+
+func (c *googleConnector) Refresh(ctx context.Context, s connector.Scopes, identity connector.Identity) (connector.Identity, error) {
+	t := &oauth2.Token{
+		RefreshToken: string(identity.ConnectorData),
+		Expiry:       time.Now().Add(-time.Hour),
+	}
+	token, err := c.oauth2Config.TokenSource(ctx, t).Token()
+	if err != nil {
+		return identity, fmt.Errorf("google: failed to get token: %v", err)
+	}
+
+	return c.createIdentity(ctx, identity, s, token)
+}
+
+func (c *googleConnector) createIdentity(ctx context.Context, identity connector.Identity, s connector.Scopes, token *oauth2.Token) (connector.Identity, error) {
+	rawIDToken, ok := token.Extra("id_token").(string)
+	if !ok {
+		return identity, errors.New("google: no id_token in token response")
+	}
+	idToken, err := c.verifier.Verify(ctx, rawIDToken)
+	if err != nil {
+		return identity, fmt.Errorf("google: failed to verify ID Token: %v", err)
+	}
+
+	var claims struct {
+		Username      string `json:"name"`
+		Email         string `json:"email"`
+		EmailVerified bool   `json:"email_verified"`
+		HostedDomain  string `json:"hd"`
+	}
+	if err := idToken.Claims(&claims); err != nil {
+		return identity, fmt.Errorf("oidc: failed to decode claims: %v", err)
+	}
+
+	if len(c.hostedDomains) > 0 {
+		found := false
+		for _, domain := range c.hostedDomains {
+			if claims.HostedDomain == domain {
+				found = true
+				break
+			}
+		}
+
+		if !found {
+			return identity, fmt.Errorf("oidc: unexpected hd claim %v", claims.HostedDomain)
+		}
+	}
+
+	var groups []string
+	if s.Groups && c.adminSrv != nil {
+		groups, err = c.getGroups(claims.Email, c.fetchTransitiveGroupMembership)
+		if err != nil {
+			return identity, fmt.Errorf("google: could not retrieve groups: %v", err)
+		}
+
+		if len(c.groups) > 0 {
+			groups = pkg_groups.Filter(groups, c.groups)
+			if len(groups) == 0 {
+				return identity, fmt.Errorf("google: user %q is not in any of the required groups", claims.Username)
+			}
+		}
+	}
+
+	identity = connector.Identity{
+		UserID:        idToken.Subject,
+		Username:      claims.Username,
+		Email:         claims.Email,
+		EmailVerified: claims.EmailVerified,
+		ConnectorData: []byte(token.RefreshToken),
+		Groups:        groups,
+	}
+	return identity, nil
+}
+
+// getGroups creates a connection to the admin directory service and lists
+// all groups the user is a member of
+func (c *googleConnector) getGroups(email string, fetchTransitiveGroupMembership bool) ([]string, error) {
+	var userGroups []string
+	var err error
+	groupsList := &admin.Groups{}
+	for {
+		groupsList, err = c.adminSrv.Groups.List().
+			UserKey(email).PageToken(groupsList.NextPageToken).Do()
+		if err != nil {
+			return nil, fmt.Errorf("could not list groups: %v", err)
+		}
+
+		for _, group := range groupsList.Groups {
+			// TODO (joelspeed): Make desired group key configurable
+			userGroups = append(userGroups, group.Email)
+
+			// getGroups takes a user's email/alias as well as a group's email/alias
+			if fetchTransitiveGroupMembership {
+				transitiveGroups, err := c.getGroups(group.Email, fetchTransitiveGroupMembership)
+				if err != nil {
+					return nil, fmt.Errorf("could not list transitive groups: %v", err)
+				}
+
+				userGroups = append(userGroups, transitiveGroups...)
+			}
+		}
+
+		if groupsList.NextPageToken == "" {
+			break
+		}
+	}
+
+	return uniqueGroups(userGroups), nil
+}
+
+// createDirectoryService loads a google service account credentials file,
+// sets up super user impersonation and creates an admin client for calling
+// the google admin api
+func createDirectoryService(serviceAccountFilePath string, email string) (*admin.Service, error) {
+	if serviceAccountFilePath == "" && email == "" {
+		return nil, nil
+	}
+	if serviceAccountFilePath == "" || email == "" {
+		return nil, fmt.Errorf("directory service requires both serviceAccountFilePath and adminEmail")
+	}
+	jsonCredentials, err := os.ReadFile(serviceAccountFilePath)
+	if err != nil {
+		return nil, fmt.Errorf("error reading credentials from file: %v", err)
+	}
+
+	config, err := google.JWTConfigFromJSON(jsonCredentials, admin.AdminDirectoryGroupReadonlyScope)
+	if err != nil {
+		return nil, fmt.Errorf("unable to parse client secret file to config: %v", err)
+	}
+
+	// Impersonate an admin. This is mandatory for the admin APIs.
+	config.Subject = email
+
+	ctx := context.Background()
+	client := config.Client(ctx)
+
+	srv, err := admin.NewService(ctx, option.WithHTTPClient(client))
+	if err != nil {
+		return nil, fmt.Errorf("unable to create directory service %v", err)
+	}
+	return srv, nil
+}
+
+// uniqueGroups returns the unique groups of a slice
+func uniqueGroups(groups []string) []string {
+	keys := make(map[string]struct{})
+	unique := []string{}
+	for _, group := range groups {
+		if _, exists := keys[group]; !exists {
+			keys[group] = struct{}{}
+			unique = append(unique, group)
+		}
+	}
+	return unique
+}

connector/keystone/keystone.go

@@ -6,7 +6,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
 
 	"github.com/dexidp/dex/connector"
@@ -42,8 +42,8 @@ type domainKeystone struct {
 //		config:
 //			keystoneHost: http://example:5000
 //			domain: default
-//      keystoneUsername: demo
-//      keystonePassword: DEMO_PASS
+//			keystoneUsername: demo
+//			keystonePassword: DEMO_PASS
 type Config struct {
 	Domain        string `json:"domain"`
 	Host          string `json:"keystoneHost"`
@@ -95,6 +95,14 @@ type groupsResponse struct {
 	Groups []group `json:"groups"`
 }
 
+type userResponse struct {
+	User struct {
+		Name  string `json:"name"`
+		Email string `json:"email"`
+		ID    string `json:"id"`
+	} `json:"user"`
+}
+
 var (
 	_ connector.PasswordConnector = &conn{}
 	_ connector.RefreshConnector  = &conn{}
@@ -107,7 +115,8 @@ func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error)
 		c.Host,
 		c.AdminUsername,
 		c.AdminPassword,
-		logger}, nil
+		logger,
+	}, nil
 }
 
 func (p *conn) Close() error { return nil }
@@ -124,12 +133,12 @@ func (p *conn) Login(ctx context.Context, scopes connector.Scopes, username, pas
 		return identity, false, nil
 	}
 	token := resp.Header.Get("X-Subject-Token")
-	data, err := ioutil.ReadAll(resp.Body)
+	data, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return identity, false, err
 	}
 	defer resp.Body.Close()
-	var tokenResp = new(tokenResponse)
+	tokenResp := new(tokenResponse)
 	err = json.Unmarshal(data, &tokenResp)
 	if err != nil {
 		return identity, false, fmt.Errorf("keystone: invalid token response: %v", err)
@@ -143,14 +152,24 @@ func (p *conn) Login(ctx context.Context, scopes connector.Scopes, username, pas
 	}
 	identity.Username = username
 	identity.UserID = tokenResp.Token.User.ID
+
+	user, err := p.getUser(ctx, tokenResp.Token.User.ID, token)
+	if err != nil {
+		return identity, false, err
+	}
+	if user.User.Email != "" {
+		identity.Email = user.User.Email
+		identity.EmailVerified = true
+	}
+
 	return identity, true, nil
 }
 
 func (p *conn) Prompt() string { return "username" }
 
 func (p *conn) Refresh(
-	ctx context.Context, scopes connector.Scopes, identity connector.Identity) (connector.Identity, error) {
-
+	ctx context.Context, scopes connector.Scopes, identity connector.Identity,
+) (connector.Identity, error) {
 	token, err := p.getAdminToken(ctx)
 	if err != nil {
 		return identity, fmt.Errorf("keystone: failed to obtain admin token: %v", err)
@@ -210,30 +229,50 @@ func (p *conn) getAdminToken(ctx context.Context) (string, error) {
 	if err != nil {
 		return "", err
 	}
+	defer resp.Body.Close()
+
 	token := resp.Header.Get("X-Subject-Token")
 	return token, nil
 }
 
 func (p *conn) checkIfUserExists(ctx context.Context, userID string, token string) (bool, error) {
+	user, err := p.getUser(ctx, userID, token)
+	return user != nil, err
+}
+
+func (p *conn) getUser(ctx context.Context, userID string, token string) (*userResponse, error) {
 	// https://developer.openstack.org/api-ref/identity/v3/#show-user-details
 	userURL := p.Host + "/v3/users/" + userID
 	client := &http.Client{}
 	req, err := http.NewRequest("GET", userURL, nil)
 	if err != nil {
-		return false, err
+		return nil, err
 	}
 
 	req.Header.Set("X-Auth-Token", token)
 	req = req.WithContext(ctx)
 	resp, err := client.Do(req)
 	if err != nil {
-		return false, err
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != 200 {
+		return nil, err
 	}
 
-	if resp.StatusCode == 200 {
-		return true, nil
+	data, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
 	}
-	return false, err
+
+	user := userResponse{}
+	err = json.Unmarshal(data, &user)
+	if err != nil {
+		return nil, err
+	}
+
+	return &user, nil
 }
 
 func (p *conn) getUserGroups(ctx context.Context, userID string, token string) ([]string, error) {
@@ -252,13 +291,13 @@ func (p *conn) getUserGroups(ctx context.Context, userID string, token string) (
 		return nil, err
 	}
 
-	data, err := ioutil.ReadAll(resp.Body)
+	data, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}
 	defer resp.Body.Close()
 
-	var groupsResp = new(groupsResponse)
+	groupsResp := new(groupsResponse)
 
 	err = json.Unmarshal(data, &groupsResp)
 	if err != nil {

connector/keystone/keystone_test.go

@@ -4,8 +4,7 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
-	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"os"
 	"reflect"
@@ -35,12 +34,6 @@ var (
 	groupsURL        = ""
 )
 
-type userResponse struct {
-	User struct {
-		ID string `json:"id"`
-	} `json:"user"`
-}
-
 type groupResponse struct {
 	Group struct {
 		ID string `json:"id"`
@@ -84,13 +77,13 @@ func getAdminToken(t *testing.T, adminName, adminPass string) (token, id string)
 
 	token = resp.Header.Get("X-Subject-Token")
 
-	data, err := ioutil.ReadAll(resp.Body)
+	data, err := io.ReadAll(resp.Body)
 	if err != nil {
 		t.Fatal(err)
 	}
 	defer resp.Body.Close()
 
-	var tokenResp = new(tokenResponse)
+	tokenResp := new(tokenResponse)
 	err = json.Unmarshal(data, &tokenResp)
 	if err != nil {
 		t.Fatal(err)
@@ -128,13 +121,13 @@ func createUser(t *testing.T, token, userName, userEmail, userPass string) strin
 		t.Fatal(err)
 	}
 
-	data, err := ioutil.ReadAll(resp.Body)
+	data, err := io.ReadAll(resp.Body)
 	if err != nil {
 		t.Fatal(err)
 	}
 	defer resp.Body.Close()
 
-	var userResp = new(userResponse)
+	userResp := new(userResponse)
 	err = json.Unmarshal(data, &userResp)
 	if err != nil {
 		t.Fatal(err)
@@ -144,7 +137,7 @@ func createUser(t *testing.T, token, userName, userEmail, userPass string) strin
 }
 
 // delete group or user
-func delete(t *testing.T, token, id, uri string) {
+func deleteResource(t *testing.T, token, id, uri string) {
 	t.Helper()
 	client := &http.Client{}
 
@@ -154,7 +147,12 @@ func delete(t *testing.T, token, id, uri string) {
 		t.Fatalf("error: %v", err)
 	}
 	req.Header.Set("X-Auth-Token", token)
-	client.Do(req)
+
+	resp, err := client.Do(req)
+	if err != nil {
+		t.Fatalf("error: %v", err)
+	}
+	defer resp.Body.Close()
 }
 
 func createGroup(t *testing.T, token, description, name string) string {
@@ -184,13 +182,13 @@ func createGroup(t *testing.T, token, description, name string) string {
 		t.Fatal(err)
 	}
 
-	data, err := ioutil.ReadAll(resp.Body)
+	data, err := io.ReadAll(resp.Body)
 	if err != nil {
 		t.Fatal(err)
 	}
 	defer resp.Body.Close()
 
-	var groupResp = new(groupResponse)
+	groupResp := new(groupResponse)
 	err = json.Unmarshal(data, &groupResp)
 	if err != nil {
 		t.Fatal(err)
@@ -208,14 +206,22 @@ func addUserToGroup(t *testing.T, token, groupID, userID string) error {
 		return err
 	}
 	req.Header.Set("X-Auth-Token", token)
-	client.Do(req)
+
+	resp, err := client.Do(req)
+	if err != nil {
+		t.Fatalf("error: %v", err)
+	}
+	defer resp.Body.Close()
+
 	return nil
 }
 
 func TestIncorrectCredentialsLogin(t *testing.T) {
 	setupVariables(t)
-	c := conn{Host: keystoneURL, Domain: testDomain,
-		AdminUsername: adminUser, AdminPassword: adminPass}
+	c := conn{
+		Host: keystoneURL, Domain: testDomain,
+		AdminUsername: adminUser, AdminPassword: adminPass,
+	}
 	s := connector.Scopes{OfflineAccess: true, Groups: true}
 	_, validPW, err := c.Login(context.Background(), s, adminUser, invalidPass)
 
@@ -235,20 +241,88 @@ func TestIncorrectCredentialsLogin(t *testing.T) {
 func TestValidUserLogin(t *testing.T) {
 	setupVariables(t)
 	token, _ := getAdminToken(t, adminUser, adminPass)
-	userID := createUser(t, token, testUser, testEmail, testPass)
-	c := conn{Host: keystoneURL, Domain: testDomain,
-		AdminUsername: adminUser, AdminPassword: adminPass}
-	s := connector.Scopes{OfflineAccess: true, Groups: true}
-	identity, validPW, err := c.Login(context.Background(), s, testUser, testPass)
-	if err != nil {
-		t.Fatal(err.Error())
-	}
-	t.Log(identity)
 
-	if !validPW {
-		t.Fatal("Valid password was not accepted")
+	type tUser struct {
+		username string
+		domain   string
+		email    string
+		password string
+	}
+
+	type expect struct {
+		username      string
+		email         string
+		verifiedEmail bool
+	}
+
+	tests := []struct {
+		name     string
+		input    tUser
+		expected expect
+	}{
+		{
+			name: "test with email address",
+			input: tUser{
+				username: testUser,
+				domain:   testDomain,
+				email:    testEmail,
+				password: testPass,
+			},
+			expected: expect{
+				username:      testUser,
+				email:         testEmail,
+				verifiedEmail: true,
+			},
+		},
+		{
+			name: "test without email address",
+			input: tUser{
+				username: testUser,
+				domain:   testDomain,
+				email:    "",
+				password: testPass,
+			},
+			expected: expect{
+				username:      testUser,
+				email:         "",
+				verifiedEmail: false,
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			userID := createUser(t, token, tt.input.username, tt.input.email, tt.input.password)
+			defer deleteResource(t, token, userID, usersURL)
+
+			c := conn{
+				Host: keystoneURL, Domain: tt.input.domain,
+				AdminUsername: adminUser, AdminPassword: adminPass,
+			}
+			s := connector.Scopes{OfflineAccess: true, Groups: true}
+			identity, validPW, err := c.Login(context.Background(), s, tt.input.username, tt.input.password)
+			if err != nil {
+				t.Fatal(err.Error())
+			}
+			t.Log(identity)
+			if identity.Username != tt.expected.username {
+				t.Fatalf("Invalid user. Got: %v. Wanted: %v", identity.Username, tt.expected.username)
+			}
+			if identity.UserID == "" {
+				t.Fatalf("Didn't get any UserID back")
+			}
+			if identity.Email != tt.expected.email {
+				t.Fatalf("Invalid email. Got: %v. Wanted: %v", identity.Email, tt.expected.email)
+			}
+			if identity.EmailVerified != tt.expected.verifiedEmail {
+				t.Fatalf("Invalid verifiedEmail. Got: %v. Wanted: %v", identity.EmailVerified, tt.expected.verifiedEmail)
+			}
+
+			if !validPW {
+				t.Fatal("Valid password was not accepted")
+			}
+		})
 	}
-	delete(t, token, userID, usersURL)
 }
 
 func TestUseRefreshToken(t *testing.T) {
@@ -256,9 +330,12 @@ func TestUseRefreshToken(t *testing.T) {
 	token, adminID := getAdminToken(t, adminUser, adminPass)
 	groupID := createGroup(t, token, "Test group description", testGroup)
 	addUserToGroup(t, token, groupID, adminID)
+	defer deleteResource(t, token, groupID, groupsURL)
 
-	c := conn{Host: keystoneURL, Domain: testDomain,
-		AdminUsername: adminUser, AdminPassword: adminPass}
+	c := conn{
+		Host: keystoneURL, Domain: testDomain,
+		AdminUsername: adminUser, AdminPassword: adminPass,
+	}
 	s := connector.Scopes{OfflineAccess: true, Groups: true}
 
 	identityLogin, _, err := c.Login(context.Background(), s, adminUser, adminPass)
@@ -271,10 +348,8 @@ func TestUseRefreshToken(t *testing.T) {
 		t.Fatal(err.Error())
 	}
 
-	delete(t, token, groupID, groupsURL)
-
 	expectEquals(t, 1, len(identityRefresh.Groups))
-	expectEquals(t, testGroup, string(identityRefresh.Groups[0]))
+	expectEquals(t, testGroup, identityRefresh.Groups[0])
 }
 
 func TestUseRefreshTokenUserDeleted(t *testing.T) {
@@ -282,8 +357,10 @@ func TestUseRefreshTokenUserDeleted(t *testing.T) {
 	token, _ := getAdminToken(t, adminUser, adminPass)
 	userID := createUser(t, token, testUser, testEmail, testPass)
 
-	c := conn{Host: keystoneURL, Domain: testDomain,
-		AdminUsername: adminUser, AdminPassword: adminPass}
+	c := conn{
+		Host: keystoneURL, Domain: testDomain,
+		AdminUsername: adminUser, AdminPassword: adminPass,
+	}
 	s := connector.Scopes{OfflineAccess: true, Groups: true}
 
 	identityLogin, _, err := c.Login(context.Background(), s, testUser, testPass)
@@ -296,7 +373,7 @@ func TestUseRefreshTokenUserDeleted(t *testing.T) {
 		t.Fatal(err.Error())
 	}
 
-	delete(t, token, userID, usersURL)
+	deleteResource(t, token, userID, usersURL)
 	_, err = c.Refresh(context.Background(), s, identityLogin)
 
 	if !strings.Contains(err.Error(), "does not exist") {
@@ -308,9 +385,12 @@ func TestUseRefreshTokenGroupsChanged(t *testing.T) {
 	setupVariables(t)
 	token, _ := getAdminToken(t, adminUser, adminPass)
 	userID := createUser(t, token, testUser, testEmail, testPass)
+	defer deleteResource(t, token, userID, usersURL)
 
-	c := conn{Host: keystoneURL, Domain: testDomain,
-		AdminUsername: adminUser, AdminPassword: adminPass}
+	c := conn{
+		Host: keystoneURL, Domain: testDomain,
+		AdminUsername: adminUser, AdminPassword: adminPass,
+	}
 	s := connector.Scopes{OfflineAccess: true, Groups: true}
 
 	identityLogin, _, err := c.Login(context.Background(), s, testUser, testPass)
@@ -327,15 +407,13 @@ func TestUseRefreshTokenGroupsChanged(t *testing.T) {
 
 	groupID := createGroup(t, token, "Test group", testGroup)
 	addUserToGroup(t, token, groupID, userID)
+	defer deleteResource(t, token, groupID, groupsURL)
 
 	identityRefresh, err = c.Refresh(context.Background(), s, identityLogin)
 	if err != nil {
 		t.Fatal(err.Error())
 	}
 
-	delete(t, token, groupID, groupsURL)
-	delete(t, token, userID, usersURL)
-
 	expectEquals(t, 1, len(identityRefresh.Groups))
 }
 
@@ -343,13 +421,17 @@ func TestNoGroupsInScope(t *testing.T) {
 	setupVariables(t)
 	token, _ := getAdminToken(t, adminUser, adminPass)
 	userID := createUser(t, token, testUser, testEmail, testPass)
+	defer deleteResource(t, token, userID, usersURL)
 
-	c := conn{Host: keystoneURL, Domain: testDomain,
-		AdminUsername: adminUser, AdminPassword: adminPass}
+	c := conn{
+		Host: keystoneURL, Domain: testDomain,
+		AdminUsername: adminUser, AdminPassword: adminPass,
+	}
 	s := connector.Scopes{OfflineAccess: true, Groups: false}
 
 	groupID := createGroup(t, token, "Test group", testGroup)
 	addUserToGroup(t, token, groupID, userID)
+	defer deleteResource(t, token, groupID, groupsURL)
 
 	identityLogin, _, err := c.Login(context.Background(), s, testUser, testPass)
 	if err != nil {
@@ -362,9 +444,6 @@ func TestNoGroupsInScope(t *testing.T) {
 		t.Fatal(err.Error())
 	}
 	expectEquals(t, 0, len(identityRefresh.Groups))
-
-	delete(t, token, groupID, groupsURL)
-	delete(t, token, userID, usersURL)
 }
 
 func setupVariables(t *testing.T) {
@@ -374,22 +453,22 @@ func setupVariables(t *testing.T) {
 	keystoneAdminPassEnv := "DEX_KEYSTONE_ADMIN_PASS"
 	keystoneURL = os.Getenv(keystoneURLEnv)
 	if keystoneURL == "" {
-		t.Skip(fmt.Sprintf("variable %q not set, skipping keystone connector tests\n", keystoneURLEnv))
+		t.Skipf("variable %q not set, skipping keystone connector tests\n", keystoneURLEnv)
 		return
 	}
 	keystoneAdminURL = os.Getenv(keystoneAdminURLEnv)
 	if keystoneAdminURL == "" {
-		t.Skip(fmt.Sprintf("variable %q not set, skipping keystone connector tests\n", keystoneAdminURLEnv))
+		t.Skipf("variable %q not set, skipping keystone connector tests\n", keystoneAdminURLEnv)
 		return
 	}
 	adminUser = os.Getenv(keystoneAdminUserEnv)
 	if adminUser == "" {
-		t.Skip(fmt.Sprintf("variable %q not set, skipping keystone connector tests\n", keystoneAdminUserEnv))
+		t.Skipf("variable %q not set, skipping keystone connector tests\n", keystoneAdminUserEnv)
 		return
 	}
 	adminPass = os.Getenv(keystoneAdminPassEnv)
 	if adminPass == "" {
-		t.Skip(fmt.Sprintf("variable %q not set, skipping keystone connector tests\n", keystoneAdminPassEnv))
+		t.Skipf("variable %q not set, skipping keystone connector tests\n", keystoneAdminPassEnv)
 		return
 	}
 	authTokenURL = keystoneURL + "/v3/auth/tokens/"

connector/ldap/ldap.go

@@ -7,10 +7,10 @@ import (
 	"crypto/x509"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
 	"net"
+	"os"
 
-	"gopkg.in/ldap.v2"
+	"github.com/go-ldap/ldap/v3"
 
 	"github.com/dexidp/dex/connector"
 	"github.com/dexidp/dex/pkg/log"
@@ -29,7 +29,7 @@ import (
 //       # The following field is required if using port 389.
 //       # insecureNoSSL: true
 //       rootCA: /etc/dex/ldap.ca
-//       bindDN: uid=seviceaccount,cn=users,dc=example,dc=com
+//       bindDN: uid=serviceaccount,cn=users,dc=example,dc=com
 //       bindPW: password
 //       userSearch:
 //         # Would translate to the query "(&(objectClass=person)(uid=<username>))"
@@ -41,16 +41,28 @@ import (
 //         nameAttr: name
 //         preferredUsernameAttr: uid
 //       groupSearch:
-//         # Would translate to the query "(&(objectClass=group)(member=<user uid>))"
+//         # Would translate to the separate query per user matcher pair and aggregate results into a single group list:
+//         #  "(&(|(objectClass=posixGroup)(objectClass=groupOfNames))(memberUid=<user uid>))"
+//         #  "(&(|(objectClass=posixGroup)(objectClass=groupOfNames))(member=<user DN>))"
 //         baseDN: cn=groups,dc=example,dc=com
-//         filter: "(objectClass=group)"
-//         userAttr: uid
-//         # Use if full DN is needed and not available as any other attribute
-//         # Will only work if "DN" attribute does not exist in the record
-//         # userAttr: DN
-//         groupAttr: member
+//         filter: "(|(objectClass=posixGroup)(objectClass=groupOfNames))"
+//         userMatchers:
+//         - userAttr: uid
+//           groupAttr: memberUid
+//           # Use if full DN is needed and not available as any other attribute
+//           # Will only work if "DN" attribute does not exist in the record:
+//         - userAttr: DN
+//           groupAttr: member
 //         nameAttr: name
 //
+
+// UserMatcher holds information about user and group matching.
+type UserMatcher struct {
+	UserAttr  string `json:"userAttr"`
+	GroupAttr string `json:"groupAttr"`
+}
+
+// Config holds configuration options for LDAP logins.
 type Config struct {
 	// The host and optional port of the LDAP server. If port isn't supplied, it will be
 	// guessed based on the TLS configuration. 389 or 636.
@@ -124,16 +136,22 @@ type Config struct {
 
 		Scope string `json:"scope"` // Defaults to "sub"
 
-		// These two fields are use to match a user to a group.
+		// DEPRECATED config options. Those are left for backward compatibility.
+		// See "UserMatchers" below for the current group to user matching implementation
+		// TODO: should be eventually removed from the code
+		UserAttr  string `json:"userAttr"`
+		GroupAttr string `json:"groupAttr"`
+
+		// Array of the field pairs used to match a user to a group.
+		// See the "UserMatcher" struct for the exact field names
 		//
-		// It adds an additional requirement to the filter that an attribute in the group
+		// Each pair adds an additional requirement to the filter that an attribute in the group
 		// match the user's attribute value. For example that the "members" attribute of
 		// a group matches the "uid" of the user. The exact filter being added is:
 		//
-		//   (<groupAttr>=<userAttr value>)
+		//   (userMatchers[n].<groupAttr>=userMatchers[n].<userAttr value>)
 		//
-		UserAttr  string `json:"userAttr"`
-		GroupAttr string `json:"groupAttr"`
+		UserMatchers []UserMatcher `json:"userMatchers"`
 
 		// The attribute of the group that represents its name.
 		NameAttr string `json:"nameAttr"`
@@ -165,6 +183,24 @@ func parseScope(s string) (int, bool) {
 	return 0, false
 }
 
+// Build a list of group attr name to user attr value matchers.
+// Function exists here to allow backward compatibility between old and new
+// group to user matching implementations.
+// See "Config.GroupSearch.UserMatchers" comments for the details
+func userMatchers(c *Config, logger log.Logger) []UserMatcher {
+	if len(c.GroupSearch.UserMatchers) > 0 && c.GroupSearch.UserMatchers[0].UserAttr != "" {
+		return c.GroupSearch.UserMatchers
+	}
+
+	log.Deprecated(logger, `LDAP: use groupSearch.userMatchers option instead of "userAttr/groupAttr" fields.`)
+	return []UserMatcher{
+		{
+			UserAttr:  c.GroupSearch.UserAttr,
+			GroupAttr: c.GroupSearch.GroupAttr,
+		},
+	}
+}
+
 // Open returns an authentication strategy using LDAP.
 func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error) {
 	conn, err := c.OpenConnector(logger)
@@ -184,12 +220,12 @@ func (c *Config) OpenConnector(logger log.Logger) (interface {
 	connector.Connector
 	connector.PasswordConnector
 	connector.RefreshConnector
-}, error) {
+}, error,
+) {
 	return c.openConnector(logger)
 }
 
 func (c *Config) openConnector(logger log.Logger) (*ldapConnector, error) {
-
 	requiredFields := []struct {
 		name string
 		val  string
@@ -212,9 +248,9 @@ func (c *Config) openConnector(logger log.Logger) (*ldapConnector, error) {
 	if host, _, err = net.SplitHostPort(c.Host); err != nil {
 		host = c.Host
 		if c.InsecureNoSSL {
-			c.Host = c.Host + ":389"
+			c.Host += ":389"
 		} else {
-			c.Host = c.Host + ":636"
+			c.Host += ":636"
 		}
 	}
 
@@ -223,7 +259,7 @@ func (c *Config) openConnector(logger log.Logger) (*ldapConnector, error) {
 		data := c.RootCAData
 		if len(data) == 0 {
 			var err error
-			if data, err = ioutil.ReadFile(c.RootCA); err != nil {
+			if data, err = os.ReadFile(c.RootCA); err != nil {
 				return nil, fmt.Errorf("ldap: read ca file: %v", err)
 			}
 		}
@@ -249,6 +285,9 @@ func (c *Config) openConnector(logger log.Logger) (*ldapConnector, error) {
 	if !ok {
 		return nil, fmt.Errorf("groupSearch.Scope unknown value %q", c.GroupSearch.Scope)
 	}
+
+	// TODO(nabokihms): remove it after deleting deprecated groupSearch options
+	c.GroupSearch.UserMatchers = userMatchers(c, logger)
 	return &ldapConnector{*c, userSearchScope, groupSearchScope, tlsConfig, logger}, nil
 }
 
@@ -271,7 +310,7 @@ var (
 // do initializes a connection to the LDAP directory and passes it to the
 // provided function. It then performs appropriate teardown or reuse before
 // returning.
-func (c *ldapConnector) do(ctx context.Context, f func(c *ldap.Conn) error) error {
+func (c *ldapConnector) do(_ context.Context, f func(c *ldap.Conn) error) error {
 	// TODO(ericchiang): support context here
 	var (
 		conn *ldap.Conn
@@ -297,10 +336,11 @@ func (c *ldapConnector) do(ctx context.Context, f func(c *ldap.Conn) error) erro
 	defer conn.Close()
 
 	// If bindDN and bindPW are empty this will default to an anonymous bind.
-	if err := conn.Bind(c.BindDN, c.BindPW); err != nil {
-		if c.BindDN == "" && c.BindPW == "" {
+	if c.BindDN == "" && c.BindPW == "" {
+		if err := conn.UnauthenticatedBind(""); err != nil {
 			return fmt.Errorf("ldap: initial anonymous bind failed: %v", err)
 		}
+	} else if err := conn.Bind(c.BindDN, c.BindPW); err != nil {
 		return fmt.Errorf("ldap: initial bind for user %q failed: %v", c.BindDN, err)
 	}
 
@@ -365,7 +405,6 @@ func (c *ldapConnector) identityFromEntry(user ldap.Entry) (ident connector.Iden
 }
 
 func (c *ldapConnector) userEntry(conn *ldap.Conn, username string) (user ldap.Entry, found bool, err error) {
-
 	filter := fmt.Sprintf("(%s=%s)", c.UserSearch.Username, ldap.EscapeFilter(username))
 	if c.UserSearch.Filter != "" {
 		filter = fmt.Sprintf("(&%s%s)", c.UserSearch.Filter, filter)
@@ -380,11 +419,14 @@ func (c *ldapConnector) userEntry(conn *ldap.Conn, username string) (user ldap.E
 		Attributes: []string{
 			c.UserSearch.IDAttr,
 			c.UserSearch.EmailAttr,
-			c.GroupSearch.UserAttr,
 			// TODO(ericchiang): what if this contains duplicate values?
 		},
 	}
 
+	for _, matcher := range c.GroupSearch.UserMatchers {
+		req.Attributes = append(req.Attributes, matcher.UserAttr)
+	}
+
 	if c.UserSearch.NameAttr != "" {
 		req.Attributes = append(req.Attributes, c.UserSearch.NameAttr)
 	}
@@ -538,40 +580,42 @@ func (c *ldapConnector) groups(ctx context.Context, user ldap.Entry) ([]string,
 	}
 
 	var groups []*ldap.Entry
-	for _, attr := range getAttrs(user, c.GroupSearch.UserAttr) {
-		filter := fmt.Sprintf("(%s=%s)", c.GroupSearch.GroupAttr, ldap.EscapeFilter(attr))
-		if c.GroupSearch.Filter != "" {
-			filter = fmt.Sprintf("(&%s%s)", c.GroupSearch.Filter, filter)
-		}
-
-		req := &ldap.SearchRequest{
-			BaseDN:     c.GroupSearch.BaseDN,
-			Filter:     filter,
-			Scope:      c.groupSearchScope,
-			Attributes: []string{c.GroupSearch.NameAttr},
-		}
-
-		gotGroups := false
-		if err := c.do(ctx, func(conn *ldap.Conn) error {
-			c.logger.Infof("performing ldap search %s %s %s",
-				req.BaseDN, scopeString(req.Scope), req.Filter)
-			resp, err := conn.Search(req)
-			if err != nil {
-				return fmt.Errorf("ldap: search failed: %v", err)
+	for _, matcher := range c.GroupSearch.UserMatchers {
+		for _, attr := range getAttrs(user, matcher.UserAttr) {
+			filter := fmt.Sprintf("(%s=%s)", matcher.GroupAttr, ldap.EscapeFilter(attr))
+			if c.GroupSearch.Filter != "" {
+				filter = fmt.Sprintf("(&%s%s)", c.GroupSearch.Filter, filter)
+			}
+
+			req := &ldap.SearchRequest{
+				BaseDN:     c.GroupSearch.BaseDN,
+				Filter:     filter,
+				Scope:      c.groupSearchScope,
+				Attributes: []string{c.GroupSearch.NameAttr},
+			}
+
+			gotGroups := false
+			if err := c.do(ctx, func(conn *ldap.Conn) error {
+				c.logger.Infof("performing ldap search %s %s %s",
+					req.BaseDN, scopeString(req.Scope), req.Filter)
+				resp, err := conn.Search(req)
+				if err != nil {
+					return fmt.Errorf("ldap: search failed: %v", err)
+				}
+				gotGroups = len(resp.Entries) != 0
+				groups = append(groups, resp.Entries...)
+				return nil
+			}); err != nil {
+				return nil, err
+			}
+			if !gotGroups {
+				// TODO(ericchiang): Is this going to spam the logs?
+				c.logger.Errorf("ldap: groups search with filter %q returned no groups", filter)
 			}
-			gotGroups = len(resp.Entries) != 0
-			groups = append(groups, resp.Entries...)
-			return nil
-		}); err != nil {
-			return nil, err
-		}
-		if !gotGroups {
-			// TODO(ericchiang): Is this going to spam the logs?
-			c.logger.Errorf("ldap: groups search with filter %q returned no groups", filter)
 		}
 	}
 
-	var groupNames []string
+	groupNames := make([]string, 0, len(groups))
 	for _, group := range groups {
 		name := getAttr(*group, c.GroupSearch.NameAttr)
 		if name == "" {