Accept the following response_type for the implicit flow:
id_token
token id_token
And the following for hybrid flow
code id_token
code token
code token id_token
This corrects the previous behavior of the implicit flow, which
only accepted "token" (now correctly rejected).
This PR reworks the web layout so static files can be provided and
a "themes" directory to allow a certain degree of control over logos,
styles, etc.
This PR does NOT add general support for frontend customization,
only enough to allow us to start exploring theming internally.
The dex binary also must now be run from the root directory since
templates are no longer "compiled into" the binary.
The docker image has been updated with frontend assets.
Ensure compared times are within a second of one another instead of
rounding, which can flake if the two times are different enough to
do round to different values.
Tested using the golang.org/x/tools/cmd/stress tool.
The following set of commands fail without this patch:
$ go get golang.org/x/tools/cmd/stress
$ go test -o server.test github.com/coreos/dex/server
$ stress ./server.test -test.run=TestOAuth2CodeFlow
219 runs so far, 0 failures
425 runs so far, 0 failures
618 runs so far, 0 failures
802 runs so far, 0 failures
^C
Closes#699
Instead of throwing a 500 error if a user enters an invalid name,
display the same text box as if the user had entered the wrong
password.
NOTE: An invalid username now returns much quicker than an invalid
password. Consider adding an arbitrary sleep in the future if we
care about masking which was invalid.
go-oidc sends an extra space before the list of scopes. This is bad
but we have to support it, so we'll be more lenient and ignore
duplicated whitespace.
As we've seen on master it's very easy mistakenly make changes that
assume root URL paths. Run server integration tests at a non-root
issuer URL to prevent this.