Eric Chiang
0dcf1bcf79
Merge pull request #792 from ericchiang/auth-endpoint-post
...
server: support POSTing to authorization endpoint
2017-01-27 13:36:02 -08:00
Eric Chiang
8541184afb
server: support POSTing to authorization endpoint
...
Fixes #791
2017-01-27 11:42:46 -08:00
rithu leena john
36883d0bbf
Merge pull request #789 from rithujohn191/token-revocation-proposal
...
Documentation/proposals: Add a proposal for refresh token revocation.
2017-01-27 09:39:13 -08:00
rithu john
d114b8ffc7
Documentation/proposals: Add a proposal for refresh token revocation.
2017-01-27 09:37:01 -08:00
rithu leena john
48fcf66a35
Merge pull request #783 from rithujohn191/config-validation
...
cmd/dex: make connector name field mandatory in dex configuration.
2017-01-23 17:03:50 -08:00
rithu john
31e8009441
cmd/dex: make connector name field mandatory in dex configuration.
2017-01-23 15:14:41 -08:00
Eric Chiang
613d160ad9
Merge pull request #782 from marians/patch-1
...
Docs: Added a name to the LDAP connector
2017-01-23 09:07:24 -08:00
Eric Chiang
d3f4ae2ab7
Merge pull request #781 from ajohnstone/patch-1
...
Update kubernetes.md - correct typo
2017-01-23 08:52:37 -08:00
Marian Steinbach
38a2e41e0a
Added a name to the connector
...
Without a name, the example app's login form will only show `Log in with` as a button label.
2017-01-23 10:46:29 +01:00
Andrew Johnstone
b10c0a1c87
Update kubernetes.md
2017-01-23 06:28:21 +00:00
rithu leena john
a3ef8d26bc
Merge pull request #777 from rithujohn191/update-release-doc
...
Documentation: add docs on patch release process.
2017-01-17 14:50:37 -08:00
rithu john
265cfacd17
Documentation: add docs on patch release process.
2017-01-17 11:49:09 -08:00
rithu leena john
fe93f60af4
Merge pull request #775 from xeonx/master
...
Allow CORS on keys and token endpoints
2017-01-17 10:48:06 -08:00
Simon HEGE
415a68f977
Allow CORS on keys and token endpoints
2017-01-14 21:15:51 +01:00
Eric Chiang
ca7d2b8f9e
Merge pull request #772 from ericchiang/at_hash-support
...
server: add at_hash claim support
2017-01-13 10:15:21 -08:00
Eric Chiang
1eda382789
server: add at_hash claim support
...
The "at_hash" claim, which provides hash verification for the
"access_token," is a required claim for implicit and hybrid flow
requests. Previously we did not include it (against spec). This
PR implements the "at_hash" logic and adds the claim to all
responses.
As a cleanup, it also moves some JOSE signing logic out of the
storage package and into the server package.
For details see:
https://openid.net/specs/openid-connect-core-1_0.html#ImplicitIDToken
2017-01-13 10:05:24 -08:00
Eric Chiang
79c21f9b0c
Merge pull request #773 from y2kenny/patch-1
...
Removed extra o typo
2017-01-11 13:10:57 -08:00
y2kenny
4d4cb99459
Removed extra o typo
2017-01-11 15:47:55 -05:00
Eric Chiang
3c247db00a
Merge pull request #757 from ericchiang/constant-refresh-tokens
...
*: update refresh tokens instead of deleting and creating another
2017-01-11 12:09:39 -08:00
Eric Chiang
ed20fee2b9
cmd/example-app: fix refreshing
2017-01-11 12:07:48 -08:00
Eric Chiang
f4bbab5056
server/internal: generate protobuf types
2017-01-11 12:07:48 -08:00
Eric Chiang
f778b2d33b
server: update refresh tokens instead of deleting and creating another
...
The server implements a strategy called "Refresh Token Rotation" to
ensure refresh tokens can only be claimed once.
ref: https://tools.ietf.org/html/rfc6819#section-5.2.2.3
Previously "refresh_token" values in token responses where just the
ID of the internal refresh object. To implement rotation, when a
client redeemed a refresh token, the object would be deleted, a new
one created, and the new ID returned as the new "refresh_token".
However, this means there was no consistent ID for refresh tokens
internally, making things like foreign keys very hard to implement.
This is problematic for revocation features like showing all the
refresh tokens a user or client has out.
This PR updates the "refresh_token" to be an encoded protobuf
message, which holds the internal ID and a nonce. When a refresh
token is used, the nonce is updated to prevent reuse, but the ID
remains the same. Additionally it adds the timestamp of each
token's last use.
2017-01-11 12:07:48 -08:00
Eric Chiang
312ca7491e
storage: add extra fields to refresh token and update method
2017-01-11 12:07:48 -08:00
Eric Chiang
c66cce8b40
Merge pull request #766 from ericchiang/implicit-flow
...
server: fixes for the implicit and hybrid flow
2017-01-10 16:50:29 -08:00
Eric Chiang
f926d74157
server: fixes for the implicit and hybrid flow
...
Accept the following response_type for the implicit flow:
id_token
token id_token
And the following for hybrid flow
code id_token
code token
code token id_token
This corrects the previous behavior of the implicit flow, which
only accepted "token" (now correctly rejected).
2017-01-10 16:20:17 -08:00
Eric Chiang
7f72ea786d
Merge pull request #752 from ericchiang/saml
...
Add an experimental SAML connector
2017-01-09 18:33:00 -08:00
Eric Chiang
7ea2d24011
vendor: revendor
2017-01-09 18:30:58 -08:00
Eric Chiang
78665074ed
cmd/example-app: add option to not request a refresh token
2017-01-09 18:30:58 -08:00
Eric Chiang
0f4a1f69c5
*: wire up SAML POST binding
2017-01-09 18:30:58 -08:00
Eric Chiang
31dfb54b6f
connector: add a SAML connector
2017-01-09 18:30:58 -08:00
Eric Chiang
15fadeaf86
Merge pull request #767 from rithujohn191/fix-refresh
...
storage: Add ConnectorData to storage RefreshToken.
2017-01-09 15:16:18 -08:00
rithu john
2c03693972
storage: Add ConnectorData to storage RefreshToken.
2017-01-09 15:01:29 -08:00
Eric Chiang
ec9d1607b2
Merge pull request #760 from xeonx/master
...
Allow CORS on discovery endpoint
2017-01-08 11:17:38 -08:00
Simon HEGE
6cbf7125e0
vendor: revendor
2017-01-08 19:28:18 +01:00
Simon HEGE
b4c47910e4
Allow CORS on discovery endpoint
2017-01-08 19:22:39 +01:00
rithu leena john
4ddc5eb061
Merge pull request #765 from rithujohn191/bump-oidc
...
Bump go-oidc package
2017-01-06 16:06:44 -08:00
rithu john
05cef99a31
vendor: revendor
2017-01-06 15:39:36 -08:00
rithu john
984b2934fe
*: update vendored go-oidc
2017-01-06 15:36:56 -08:00
rithu leena john
fb5199c958
Merge pull request #759 from rithujohn191/ldap-grpsearch
...
connector/ldap: enable groupSearch to be empty
2016-12-28 14:20:37 -08:00
rithu john
6a728f107e
connector/ldap: enable groupSearch to be empty
2016-12-27 11:07:03 -08:00
rithu leena john
3e2d857928
Merge pull request #756 from ericchiang/revendor
...
*: add 'make revendor' and tests to catch incorrect glide usage
2016-12-22 12:05:57 -08:00
Eric Chiang
1451213dd7
vendor: revendor
2016-12-22 11:52:37 -08:00
Eric Chiang
d87a4c35b9
*: add 'make revendor' and tests to catch incorrect glide usage
...
Introducing glide-vc caused us to unknowingly removed our Go
protobuf compiler (since it's a main). Add flags to glide-vc usage
to remedy this.
Since we now require several glide and glide-vc flags, add a Makfile
target and tests to catch when PRs don't use the correct flags.
2016-12-22 11:52:24 -08:00
Eric Chiang
54afc8f1d2
Merge pull request #754 from szuecs/bugfix/wrong-shell
...
build fails
2016-12-22 09:08:01 -08:00
Sandor Szuecs
626f205f8f
sh has no arrays
2016-12-22 14:29:04 +01:00
Eric Chiang
3c9ab50ddf
Merge pull request #751 from h0me/patch-1
...
replace bcrypt hash with a working one
2016-12-20 11:05:02 -08:00
h0me
9bf491befc
replace bcrypt hash with a working one
...
replace bcrypt hash with an appropriate value for the string "password"
2016-12-20 15:21:05 +01:00
rithu leena john
03033e5e44
Merge pull request #750 from rithujohn191/use-utc
...
server: use UTC timestamps in dex.
2016-12-16 16:44:00 -08:00
rithu john
135b71727d
server: use UTC timestamps in dex.
2016-12-16 16:13:51 -08:00
Eric Chiang
c58dd948c7
Merge pull request #749 from ericchiang/postgres-timezones
...
storage: fix postgres timezone handling
2016-12-16 15:36:12 -08:00