Commit Graph

244 Commits

Author SHA1 Message Date
Kyle Larose
ab5ea03025
handlers: do not fail login if refresh token gone
There is a chance that offline storage could fall out of sync with the
refresh token tables. One example is if dex crashes/is stopped in the
middle of handling a login request. If the old refresh token associated
with the offline session is deleted, and then the process stops, the
offline session will still refer to the old token.

Unfortunately, if this case occurs, there is no way to recover from it,
since further logins will be halted due to dex being unable to clean up
the old tokens till referenced in the offline session: the database is
essentially corrupted.

There doesn't seem to be a good reason to fail the auth request if the
old refresh token is gone. This changes the logic in `handleAuthCode` to
not fail the entire transaction if the old refresh token could not be
deleted because it was not present. This has the effect of installing
the new refresh token, and unpdating the offline storage, thereby fixing
the issue, however it occured.
2020-03-18 12:56:37 -04:00
Nándor István Krácser
b7cf701032
Merge pull request #1515 from flant/atlassian-crowd-connector
new connector for Atlassian Crowd
2020-02-24 10:09:27 +01:00
Nándor István Krácser
1160649c31
Merge pull request #1621 from concourse/pr/passowrd-grant-synced
Rework - add support for Resource Owner Password Credentials Grant
2020-02-20 08:27:50 +01:00
Ivan Mikheykin
7ef1179e75 feat: connector for Atlassian Crowd 2020-02-05 12:40:49 +04:00
Joshua Winters
76825fef8f Make logger and prometheus optional in server config
Signed-off-by: Josh Winters <jwinters@pivotal.io>
Co-authored-by: Mark Huang <mhuang@pivotal.io>
2020-01-13 15:28:41 -05:00
Rui Yang
0f9a74f1d0 Remove uneccesary client verification 2020-01-10 14:52:57 -05:00
Zach Brown
13be146d2a Add support for password grant #926 2020-01-10 13:18:09 -05:00
Nándor István Krácser
6318c105ec
Merge pull request #1599 from sabre1041/openshift-connector
OpenShift connector
2020-01-01 12:55:11 +01:00
Márk Sági-Kazár
789272a0c1
Merge pull request #1576 from flant/icons-proposal
Pick icons on login screen by connector type instead of ID
2019-12-23 13:05:19 +01:00
m.nabokikh
058e72ef50 Pick icons on login screen by connector type instead of ID
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2019-12-23 12:38:22 +04:00
Andrew Block
92e63771ac
Added OpenShift connector 2019-12-22 02:27:09 -05:00
Mark Sagi-Kazar
050d5af937
Fix ineffassign 2019-12-18 16:07:06 +01:00
Mark Sagi-Kazar
65c77e9db2
Fix bodyclose 2019-12-18 16:04:03 +01:00
Mark Sagi-Kazar
f141f2133b
Fix whitespace 2019-12-18 15:56:12 +01:00
Mark Sagi-Kazar
9bd5ae5197
Fix goimports 2019-12-18 15:53:34 +01:00
Mark Sagi-Kazar
367b187cf4
Fix missspell 2019-12-18 15:51:44 +01:00
Mark Sagi-Kazar
8c3dc0ca66
Remove unused code (fixed: unused, structcheck, deadcode linters) 2019-12-18 15:46:49 +01:00
Joel Speed
97ffa21262
Create separate Google connector 2019-11-19 17:12:36 +00:00
Joel Speed
c4e96dda32
Fix migration of old connector data 2019-11-19 15:43:23 +00:00
Joel Speed
d9095073c8
Unindent session updates on finalizeLogin 2019-11-19 15:43:22 +00:00
Joel Speed
19ad7daa7f
Use old ConnectorData before session.ConnectorData 2019-11-19 15:43:19 +00:00
Joel Speed
176ba709a4
Revert "Remove connectordata from other structs"
This reverts commit 27f33516db343bd79b56a47ecef0fe514a35082d.
2019-11-19 15:43:14 +00:00
Joel Speed
4076eed17b
Build opts based on scope 2019-11-19 15:43:11 +00:00
Joel Speed
5c88713177
Remove connectordata from other structs 2019-11-19 15:43:03 +00:00
Joel Speed
0352258093
Update handleRefreshToken logic 2019-11-19 15:43:01 +00:00
Joel Speed
575c792156
Store most recent refresh token in offline sessions 2019-11-19 15:40:56 +00:00
serhiimakogon
b793afd375 preferred_username claim added on refresh token 2019-11-19 16:27:34 +02:00
Nándor István Krácser
0b55f121b4
Fix missing email in log message
Co-Authored-By: Felix Fontein <ff@dybuster.com>
2019-10-30 13:13:33 +01:00
Nandor Kracser
c1b421fa04 add preffered_username to idToken
Signed-off-by: Nandor Kracser <bonifaido@gmail.com>
2019-10-30 13:06:37 +01:00
Yannis Zarkadas
27944d4f8f templates: add new relativeURL function
Signed-off-by: Yannis Zarkadas <yanniszark@arrikto.com>
2019-10-02 17:08:06 +03:00
Yannis Zarkadas
839130f01c handlers: change all handlers to pass down http request
Signed-off-by: Yannis Zarkadas <yanniszark@arrikto.com>
2019-10-02 17:08:06 +03:00
Stephan Renatus
c854e760db
Merge pull request #1539 from erwinvaneyk/replace-context-import
Replace x/net/context with stdlib context
2019-08-31 17:52:18 +02:00
erwinvaneyk
3e2217b3f4 Replace x/net/context with context of stdlib 2019-08-30 11:52:46 +02:00
Nandor Kracser
bd61535cb6 connector/ldap: display login error 2019-08-22 15:55:05 +02:00
Stephan Renatus
e1afe771cb
Merge pull request #1505 from MarcDufresne/show-login-page
Add option to always display connector selection even if there's only one
2019-08-07 09:23:42 +02:00
Stephan Renatus
89e43c198b
Merge pull request #1504 from MarcDufresne/template-custom-data
Allow arbitrary data to be passed to templates
2019-08-07 09:19:14 +02:00
Marc-André Dufresne
0dbb642f2c
Add option to always display connector selection even if there's only one 2019-08-06 13:18:46 -04:00
Marc-André Dufresne
d458e882aa
Allow arbitrary data to be passed to templates 2019-08-06 13:14:53 -04:00
Mike O
43d1a044bd Add tests for some callback handler error conditions 2019-08-05 16:02:28 -07:00
Mike O
d03a43335e Return HTTP 400 for invalid state parameter 2019-08-01 16:22:53 -07:00
Stephan Renatus
291cd9e01c
regenerate protobuf code
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-07-31 08:16:18 +02:00
Stephan Renatus
231e571c3c
server/api: fix logging in VerifyPassword
Before:

    msg="api: password check failed : %vcrypto/bcrypt: hashedPassword is not the hash of the given password"

After:

    msg="api: password check failed : crypto/bcrypt: hashedPassword is not the hash of the given password"

Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-07-30 14:53:33 +02:00
Stephan Renatus
d9487e553b
*: fix some lint issues
Mostly gathered these using golangci-lint's deadcode and ineffassign
linters.

Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-07-30 11:29:08 +02:00
Stephan Renatus
8561a66365
server/{handler,oauth2}: cleanup error returns
Now, we'll return a standard error, and have the caller act upon this
being an instance of authErr.

Also changes the storage.AuthRequest return to a pointer, and returns
nil in error cases.

Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-07-25 13:40:06 +02:00
Stephan Renatus
421c26fdf5
Merge pull request #1481 from LanceH/master
Added "connector_id" to skip straight to a connector (similar to when len(connector) is 1.
2019-07-23 11:31:25 +02:00
LanceH
07a77e0dac Use connector_id param to skip directly to a specific connector 2019-07-22 10:47:11 -05:00
Tyler Cloke
dd84e73c0e Add VerifyPassword to API
It takes in an email and plain text password to verify. If it fails to find a password stored for email, it returns not_found. If it finds the password hash stored but that hash doesn't match the password passed via the API, it returns verified = false, else it returns verified = true.

Co-authored-by: Alban Seurat <alban.seurat@me.com>
2019-07-22 10:23:07 +02:00
Andy Lindeman
5b66bf05c8 Fixed shadowed variable declaration 2019-06-27 19:12:18 -04:00
Andy Lindeman
59b6595c37 userinfo_endpoint is required 2019-06-25 12:17:03 -04:00
Andy Lindeman
8959dc4275 ctx is not used 2019-06-24 09:43:12 -04:00
Andy Lindeman
21174c06a1 Remove comment
We have a story around user info now
2019-06-24 09:42:46 -04:00
Andy Lindeman
840065faaf Assert something about the returned userinfo 2019-06-24 09:39:54 -04:00
Andy Lindeman
46f5726d11 Use oidc.Verifier to verify tokens 2019-06-22 13:18:35 -04:00
Andy Lindeman
157c359f3e Bump go-oidc to latest v2 2019-06-20 12:27:47 -04:00
mdbraber
3dd1bac821 Fix comments 2019-06-05 22:14:31 +02:00
Maarten den Braber
74f4e749b9 Formatting 2019-06-05 22:14:31 +02:00
Maarten den Braber
d7750b1e26 Fix changes 2019-06-05 22:14:31 +02:00
Maarten den Braber
a8d059a237 Add userinfo endpoint
Co-authored-by: Yuxing Li <360983+jackielii@users.noreply.github.com>
Co-authored-by: Francisco Santiago <1737357+fjbsantiago@users.noreply.github.com>
2019-06-05 22:11:21 +02:00
Eric Chiang
cd3c6983da
Merge pull request #1429 from tsuna/master
server: add metrics for CORS handlers.
2019-05-12 10:40:23 -07:00
Tomas Barton
55cebd58a8
print appropriate error 2019-05-03 14:19:54 +02:00
Benoit Sigoure
d6ad67a6de server: add metrics for CORS handlers. 2019-04-19 14:32:52 -07:00
Mark Sagi-Kazar
06521ffa49
Remove the logrus logger wrapper 2019-02-22 21:31:46 +01:00
Mark Sagi-Kazar
d1c8f8d095
Remove structured logging from the logger interface 2019-02-22 21:26:30 +01:00
Mark Sagi-Kazar
be581fa7ff
Add logger interface and stop relying on Logrus directly 2019-02-22 13:38:57 +01:00
Eric Chiang
8935a1479c server: update health check endpoint to query storage periodically
Instead of querying the storage every time a health check is performed
query it periodically and save the result.
2019-02-04 19:02:41 +00:00
joannano
88d1e2b041 keystone: test cases, refactoring and cleanup 2019-01-11 15:14:56 +01:00
Krzysztof Balka
a965365a2b keystone: refresh token and groups 2019-01-11 15:14:11 +01:00
knangia
0774a89066 keystone: squashed changes from knangia/dex 2019-01-11 15:12:59 +01:00
Haines Chan
b78b8aeee0 Replace "GET", "POST" to http.MethodGet and http.MethodPost 2018-12-27 16:27:36 +08:00
Maximilian Gaß
468c74d1d2 Make expiry of auth requests configurable 2018-12-13 11:50:34 +01:00
Stephan Renatus
f3acec0b1b
Merge pull request #1275 from ccojocar/client-update-api
Extend the API with a function which updates the client configuration
2018-11-27 11:47:16 +01:00
Cosmin Cojocar
01c6b9dd91 Remove the 'public' field from UpdateClientReq proto message 2018-11-26 19:07:59 +01:00
Alexander Matyushentsev
ff8b44558e Issue #1263 - Render error message provided by connector if user authentication failed 2018-11-13 15:44:28 -08:00
Cosmin Cojocar
281ec27118 Update also to a list of empty redirect URIs and Peers 2018-11-13 09:59:45 +01:00
Cosmin Cojocar
9d1ec6c36b Revert "Avoid overwriting exiting redirect URI and trusted peers when updating the client"
This reverts commit 49fa5ee6e8.
2018-11-13 09:58:17 +01:00
Cosmin Cojocar
49fa5ee6e8 Avoid overwriting exiting redirect URI and trusted peers when updating the client
Also skip configure the Public field.
2018-11-12 21:48:14 +01:00
Cosmin Cojocar
c9b18b2785 Add tests for UpateClient API 2018-11-12 18:43:48 +01:00
Cosmin Cojocar
9926a0dced Extend the API with a function which updates the client configuration 2018-11-12 17:33:06 +01:00
Stephan Renatus
e1acb6d577
Merge pull request #1307 from edtan/upstream-add-bitbucket-connector
Add Bitbucket connector
2018-10-12 09:02:21 +02:00
Danny Sauer
74bfbcefbc
minor spelling correction 2018-10-09 15:57:37 -05:00
Ed Tan
d26e23c16f Make suggested code changes 2018-10-05 10:43:49 -04:00
Ed Tan
8c75d85b60 Add Bitbucket connector 2018-09-30 15:08:07 -04:00
Stephan Renatus
b9f6594bf0 *: github.com/coreos/dex -> github.com/dexidp/dex
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2018-09-05 17:57:08 +02:00
Eric Chiang
01d63b086f
Merge pull request #1176 from vyshane/master
New id_provider scope that adds the connector ID and user ID to the ID token claims
2018-02-03 11:47:42 -08:00
Vy-Shane Xie
b03c85e56e Add new federated:id scope that causes Dex to add a federated_claims claim containing the connector_id and user_id to the ID token 2018-02-03 18:40:03 +08:00
Eric Chiang
ce686390a5
Merge pull request #1144 from srenatus/sr/support-direct-post-without-get-first
handlers/connector_login: update AuthRequest irregardless of method
2018-02-01 11:26:57 -08:00
Frederic Branczyk
5f03479d29
*: Add go runtime, process, HTTP and gRPC metrics 2017-12-21 21:24:09 +01:00
Eric Buth
da45adcb6e email scope only allows access to a user's email address 2017-12-17 12:08:19 -05:00
Stephan Renatus
f013a44581 handlers/connector_login: check before update (optimization)
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2017-12-11 08:32:22 +01:00
Stephan Renatus
f18d7afc6f handlers/connector_login: update AuthRequest irregardless of method
Before, you could not POST your credentials to a password-connector's
endpoint without GETing that endpoint first. While this makes sense for
browser clients; automated interactions with Dex don't need to look at
the password form to fill it in.

A symptom of that missing GET was that the POST succeeded (!) with

    login successful: connector "", username="admin", email="admin@example.com", groups=[]

Note the connector "". A subsequent call to finalizeLogin would then
fail with

    connector with ID "" not found: failed to get connector object from storage: not found

Now, the connector ID of an auth request will be updated for both GETs
and POSTs.

Signed-off-by: Stephan Renatus <srenatus@chef.io>
2017-12-08 11:49:52 +01:00
Eric Chiang
18da628842
Merge pull request #1142 from zlabjp/status-code
Bugfix: Set a proper status code before sending an error status page
2017-12-04 00:04:28 -05:00
Eric Chiang
c5de6fa733 *: regenerate proto 2017-12-01 11:29:33 -08:00
Kazumasa Kohtaka
9948228e5b Set a proper status code before sending an error status page 2017-12-01 14:23:45 +09:00
Pavel Borzenkov
6193bf5566 connector: implement Microsoft connector
connector/microsoft implements authorization strategy via Microsoft's
OAuth2 endpoint + Graph API. It allows to choose what kind of tenants
are allowed to authenticate in Dex via Microsoft:
  * common - both personal and business/school accounts
  * organizations - only business/school accounts
  * consumers - only personal accounts
  * <tenant uuid> - only account of specific tenant

Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
2017-11-23 17:01:34 +03:00
Stephan Renatus
41f663f70c show "back" link for password connectors
This way, the user who has selected, say, "Log in with Email" can make up
their mind, and select a different connector instead.

However, if there's only one connector set up, none of this makes sense -- and
the link will thus not be displayed.

Signed-off-by: Stephan Renatus <srenatus@chef.io>
2017-11-13 08:39:59 +01:00
Stephan Renatus
b09a13458f password connectors: allow overriding the username attribute (password prompt)
This allows users of the LDAP connector to give users of Dex' login
prompt an idea of what they should enter for a username.

Before, irregardless of how the LDAP connector was set up, the prompt
was

    Username
    [_________________]

    Password
    [_________________]

Now, this is configurable, and can be used to say "MyCorp SSO Login" if
that's what it is.

If it's not configured, it will default to "Username".

For the passwordDB connector (local users), it is set to "Email
Address", since this is what it uses.

Signed-off-by: Stephan Renatus <srenatus@chef.io>
2017-11-09 09:30:03 +01:00
Pavel Borzenkov
ab06119431 connector: implement LinkedIn connector
connector/linkedin implements authorization strategy via LinkedIn's
OAuth2 endpoint + profile API.

It doesn't implement RefreshConnector as LinkedIn doesn't provide any
refresh token at all (https://developer.linkedin.com/docs/oauth2, Step 5
— Refresh your Access Tokens) and recommends ordinary AuthCode exchange
flow when token refresh is required.

Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
2017-10-27 12:54:28 +03:00
Michael Stapelberg
4931f30a80 authproxy.md: strip X-Remote-User
follow-up for https://github.com/coreos/dex/pull/1100
2017-10-26 20:13:37 +02:00
Michael Stapelberg
a41d93db4a Implement the “authproxy” connector (for Apache2 mod_auth etc.) 2017-10-25 21:53:51 +02:00
Damian Pacierpnik
e3c9b49299 Cross clients improvement - requesting client ID always added to the audience claim 2017-09-28 18:30:15 +02:00