Eric Chiang 
							
						 
					 
					
						
						
							
						
						e0709dc2ac 
					 
					
						
						
							
							connector/saml: fix validation bug with multiple Assertion elements  
						
						
						
						
						When a SAML response provided multiple Assertion elements, only the
first one is checked for a valid signature. If the Assertion is
verified, the original Assertion is removed and the canonicalized
version is prepended to the Response. However, if there were
multiple assertions, the second assertion could end up first in the
list of Assertions, even if it was unsigned.
For example this:
    <Response>
      <!--
         Response unsigned. According to SAML spec must check
         assertion signature.
      -->
      <Assertion>
        <Signature>
          <!-- Correctly signed assertion -->
        </Signature>
      </Assertion>
      <Assertion>
        <!-- Unsigned assertion inserted by attacker-->
      </Assertion>
    </Response>
could be verified then re-ordered to the following:
    <Response>
      <!--
         Response unsigned. According to SAML spec must check
         assertion signature.
      -->
      <Assertion>
        <!-- Unsigned assertion inserted by attacker-->
      </Assertion>
      <Assertion>
        <!-- Canonicalized, correctly signed assertion -->
      </Assertion>
    </Response>
Fix this by removing all unverified child elements of the Response,
not just the original assertion. 
						
						
					 
					
						2017-04-04 11:11:35 -07:00 
						 
				 
			
				
					
						
							
							
								Lucas Servén 
							
						 
					 
					
						
						
							
						
						a7d443ea2b 
					 
					
						
						
							
							Merge pull request  #891  from squat/garbage_log_info  
						
						
						
						
						server/server.go: make successful garbage collection log at info level 
						
						
					 
					
						2017-04-04 10:14:43 -07:00 
						 
				 
			
				
					
						
							
							
								Lucas Serven 
							
						 
					 
					
						
						
							
						
						f3d9bd5008 
					 
					
						
						
							
							server/server.go: make successful garbage collection log at info level  
						
						
						
						
					 
					
						2017-04-04 09:47:53 -07:00 
						 
				 
			
				
					
						
							
							
								rithu leena john 
							
						 
					 
					
						
						
							
						
						f4865a354c 
					 
					
						
						
							
							Merge pull request  #886  from rithujohn191/error-msg-update  
						
						
						
						
						storage/static.go: correct the error message that gets displayed. 
						
						
					 
					
						2017-03-29 11:54:00 -07:00 
						 
				 
			
				
					
						
							
							
								rithu john 
							
						 
					 
					
						
						
							
						
						5abb4b3df6 
					 
					
						
						
							
							storage/static.go: correct the error message that gets displayed.  
						
						
						
						
					 
					
						2017-03-29 11:32:02 -07:00 
						 
				 
			
				
					
						
							
							
								Eric Chiang 
							
						 
					 
					
						
						
							
						
						5eb8210eb4 
					 
					
						
						
							
							Merge pull request  #883  from ericchiang/scopes-docs  
						
						
						
						
						Documentation: document dex scopes, claims, and client features 
						
						
					 
					
						2017-03-28 21:26:01 -07:00 
						 
				 
			
				
					
						
							
							
								Eric Chiang 
							
						 
					 
					
						
						
							
						
						8902ddc061 
					 
					
						
						
							
							Merge pull request  #881  from ericchiang/api-test-use-client  
						
						
						
						
						server: use client connected to remove server for gRPC tests 
						
						
					 
					
						2017-03-28 21:25:55 -07:00 
						 
				 
			
				
					
						
							
							
								Eric Chiang 
							
						 
					 
					
						
						
							
						
						5e34f0d1a6 
					 
					
						
						
							
							Documentation: document dex scopes, claims, and client features  
						
						
						
						
					 
					
						2017-03-28 16:53:06 -07:00 
						 
				 
			
				
					
						
							
							
								Eric Chiang 
							
						 
					 
					
						
						
							
						
						f734b140cd 
					 
					
						
						
							
							server: use client connected to remove server for gRPC tests  
						
						
						
						
					 
					
						2017-03-28 16:41:39 -07:00 
						 
				 
			
				
					
						
							
							
								rithu leena john 
							
						 
					 
					
						
						
							
						
						42c1eed231 
					 
					
						
						
							
							Merge pull request  #880  from rithujohn191/connector-object  
						
						
						
						
						storage: add connector object to backend storage. 
						
						
					 
					
						2017-03-28 14:31:08 -07:00 
						 
				 
			
				
					
						
							
							
								rithu john 
							
						 
					 
					
						
						
							
						
						bc55b86d0d 
					 
					
						
						
							
							storage: add connector object to backend storage.  
						
						
						
						
					 
					
						2017-03-28 14:12:38 -07:00 
						 
				 
			
				
					
						
							
							
								Eric Chiang 
							
						 
					 
					
						
						
							
						
						6e50c18458 
					 
					
						
						
							
							Merge pull request  #875  from ericchiang/fix-example-app-custom-ca  
						
						
						
						
						cmd/example-app: fix custom CA behavior 
						
						
					 
					
						2017-03-24 13:21:20 -07:00 
						 
				 
			
				
					
						
							
							
								Eric Chiang 
							
						 
					 
					
						
						
							
						
						9b0e9ab2ca 
					 
					
						
						
							
							cmd/example-app: fix custom CA behavior  
						
						
						
						
					 
					
						2017-03-24 11:53:28 -07:00 
						 
				 
			
				
					
						
							
							
								Eric Chiang 
							
						 
					 
					
						
						
							
						
						2a6ae0a6ea 
					 
					
						
						
							
							Merge pull request  #870  from Calpicow/fix_assertion_fallback  
						
						
						
						
						Fix assertion fallback 
						
						
					 
					
						2017-03-24 11:34:30 -07:00 
						 
				 
			
				
					
						
							
							
								Phu Kieu 
							
						 
					 
					
						
						
							
						
						6f9ef961bb 
					 
					
						
						
							
							Use etreeutils.NSSelectOne to select Assertion element  
						
						
						
						
					 
					
						2017-03-24 11:20:53 -07:00 
						 
				 
			
				
					
						
							
							
								Phu Kieu 
							
						 
					 
					
						
						
							
						
						4b457d8c82 
					 
					
						
						
							
							vendor: revendor  
						
						
						
						
					 
					
						2017-03-24 11:03:30 -07:00 
						 
				 
			
				
					
						
							
							
								Phu Kieu 
							
						 
					 
					
						
						
							
						
						b5f70dac36 
					 
					
						
						
							
							glide.yaml: update goxmldsig  
						
						
						
						
					 
					
						2017-03-24 11:02:55 -07:00 
						 
				 
			
				
					
						
							
							
								rithu leena john 
							
						 
					 
					
						
						
							
						
						5d49e18478 
					 
					
						
						
							
							Merge pull request  #873  from rithujohn191/client-example  
						
						
						
						
						examples/grpc-client: clean up the example and add tlsClientCA to ConfigMap. 
						
						
					 
					
						2017-03-23 17:24:11 -07:00 
						 
				 
			
				
					
						
							
							
								rithu john 
							
						 
					 
					
						
						
							
						
						562eae3fc7 
					 
					
						
						
							
							examples/grpc-client: clean up the example and add tlsClientCA to ConfigMap.  
						
						
						
						
					 
					
						2017-03-23 16:57:23 -07:00 
						 
				 
			
				
					
						
							
							
								rithu leena john 
							
						 
					 
					
						
						
							
						
						6146e23396 
					 
					
						
						
							
							Merge pull request  #872  from rithujohn191/offline-access-error  
						
						
						
						
						connector: Connectors without a RefreshConnector should not error out 
						
						
					 
					
						2017-03-23 16:11:45 -07:00 
						 
				 
			
				
					
						
							
							
								rithu john 
							
						 
					 
					
						
						
							
						
						59502850f0 
					 
					
						
						
							
							connector: Connectors without a RefreshConnector should not return a refresh token instead of erroring  
						
						
						
						
					 
					
						2017-03-23 14:56:34 -07:00 
						 
				 
			
				
					
						
							
							
								Eric Chiang 
							
						 
					 
					
						
						
							
						
						b112aa2ecd 
					 
					
						
						
							
							Merge pull request  #869  from ericchiang/saml-response-to  
						
						
						
						
						*: validate InResponseTo SAML response field and make issuer optional 
						
						
					 
					
						2017-03-22 13:04:41 -07:00 
						 
				 
			
				
					
						
							
							
								Eric Chiang 
							
						 
					 
					
						
						
							
						
						50b223a9db 
					 
					
						
						
							
							*: validate InResponseTo SAML response field and make issuer optional  
						
						
						
						
					 
					
						2017-03-22 13:02:44 -07:00 
						 
				 
			
				
					
						
							
							
								Eric Chiang 
							
						 
					 
					
						
						
							
						
						8b2956ddbc 
					 
					
						
						
							
							Merge pull request  #867  from ericchiang/xml-validation  
						
						
						
						
						glide.yaml: update goxmldsig 
						
						
					 
					
						2017-03-21 10:27:04 -07:00 
						 
				 
			
				
					
						
							
							
								Eric Chiang 
							
						 
					 
					
						
						
							
						
						910d59865b 
					 
					
						
						
							
							vendor: revendor  
						
						
						
						
					 
					
						2017-03-21 09:27:22 -07:00 
						 
				 
			
				
					
						
							
							
								Eric Chiang 
							
						 
					 
					
						
						
							
						
						5888220965 
					 
					
						
						
							
							glide.yaml: update goxmldsig  
						
						
						
						
					 
					
						2017-03-21 09:25:56 -07:00 
						 
				 
			
				
					
						
							
							
								Eric Chiang 
							
						 
					 
					
						
						
							
						
						95d237003a 
					 
					
						
						
							
							Merge pull request  #855  from ericchiang/static-storage-fallthrough  
						
						
						
						
						storage: make static storages query real storages for some actions 
						
						
					 
					
						2017-03-20 10:42:34 -07:00 
						 
				 
			
				
					
						
							
							
								Eric Chiang 
							
						 
					 
					
						
						
							
						
						af54f59202 
					 
					
						
						
							
							Merge pull request  #864  from ericchiang/spelling  
						
						
						
						
						*: fix spelling using github.com/client9/misspell 
						
						
					 
					
						2017-03-20 10:20:16 -07:00 
						 
				 
			
				
					
						
							
							
								Eric Chiang 
							
						 
					 
					
						
						
							
						
						25fdaa67a7 
					 
					
						
						
							
							Merge pull request  #860  from ericchiang/oidc-broken-auth-header  
						
						
						
						
						connector/oidc: expose oauth2.RegisterBrokenAuthHeaderProvider 
						
						
					 
					
						2017-03-20 09:56:09 -07:00 
						 
				 
			
				
					
						
							
							
								Eric Chiang 
							
						 
					 
					
						
						
							
						
						4c39bc20ae 
					 
					
						
						
							
							storage: make static storages query real storages for some actions  
						
						
						
						
						If dex is configured with static passwords or clients, let the API
still add or modify objects in the backing storage, so long as
their IDs don't conflict with the static ones. List options now
aggregate resources from the static list and backing storage. 
						
						
					 
					
						2017-03-20 09:39:38 -07:00 
						 
				 
			
				
					
						
							
							
								Eric Chiang 
							
						 
					 
					
						
						
							
						
						33f0199077 
					 
					
						
						
							
							*: fix spelling using github.com/client9/misspell  
						
						
						
						
					 
					
						2017-03-20 09:16:56 -07:00 
						 
				 
			
				
					
						
							
							
								Eric Chiang 
							
						 
					 
					
						
						
							
						
						f503ff7950 
					 
					
						
						
							
							*: add documentation for the OpenID Connect provider  
						
						
						
						
					 
					
						2017-03-20 08:47:02 -07:00 
						 
				 
			
				
					
						
							
							
								Eric Chiang 
							
						 
					 
					
						
						
							
						
						ac032e99f0 
					 
					
						
						
							
							connector/oidc: expose oauth2.RegisterBrokenAuthHeaderProvider  
						
						
						
						
					 
					
						2017-03-20 08:47:02 -07:00 
						 
				 
			
				
					
						
							
							
								rithu leena john 
							
						 
					 
					
						
						
							
						
						4bf74d8ac3 
					 
					
						
						
							
							Merge pull request  #862  from rithujohn191/update-api  
						
						
						
						
						api: Update timestamp type for RefreshTokenRef to int64. 
						
						
					 
					
						2017-03-17 15:58:09 -07:00 
						 
				 
			
				
					
						
							
							
								rithu john 
							
						 
					 
					
						
						
							
						
						921090f05f 
					 
					
						
						
							
							api: Update timestamp type for RefreshTokenRef to int64.  
						
						
						
						
					 
					
						2017-03-17 15:46:39 -07:00 
						 
				 
			
				
					
						
							
							
								rithu leena john 
							
						 
					 
					
						
						
							
						
						84af5273c8 
					 
					
						
						
							
							Merge pull request  #854  from rithujohn191/conformance-tests  
						
						
						
						
						storage/conformance: update conformance tests with multiple entries per resource 
						
						
					 
					
						2017-03-17 10:51:24 -07:00 
						 
				 
			
				
					
						
							
							
								rithu john 
							
						 
					 
					
						
						
							
						
						9e88924577 
					 
					
						
						
							
							storage/conformance: update conformance tests with multiple entries per resource  
						
						
						
						
					 
					
						2017-03-16 16:35:51 -07:00 
						 
				 
			
				
					
						
							
							
								rithu leena john 
							
						 
					 
					
						
						
							
						
						7a798844cc 
					 
					
						
						
							
							Merge pull request  #852  from ericchiang/fix-log-level  
						
						
						
						
						storage/kubernetes: log INFO level if TPR already exists, not ERROR 
						
						
					 
					
						2017-03-15 10:50:00 -07:00 
						 
				 
			
				
					
						
							
							
								Eric Chiang 
							
						 
					 
					
						
						
							
						
						6cb38604d9 
					 
					
						
						
							
							storage/kubernetes: log INFO level if TPR already exists, not ERROR  
						
						
						
						
					 
					
						2017-03-15 10:30:10 -07:00 
						 
				 
			
				
					
						
							
							
								Eric Chiang 
							
						 
					 
					
						
						
							
						
						d31bb1c8d5 
					 
					
						
						
							
							Merge pull request  #848  from ericchiang/fix-sql-where-statement  
						
						
						
						
						storage/sql: add missing WHERE statement to refresh token update 
						
						
					 
					
						2017-03-13 16:54:58 -07:00 
						 
				 
			
				
					
						
							
							
								Eric Chiang 
							
						 
					 
					
						
						
							
						
						0481fccd76 
					 
					
						
						
							
							storage/sql: add missing WHERE statement to refresh token update  
						
						
						
						
					 
					
						2017-03-13 15:53:28 -07:00 
						 
				 
			
				
					
						
							
							
								Eric Chiang 
							
						 
					 
					
						
						
							
						
						d6f4fa5d98 
					 
					
						
						
							
							Merge pull request  #844  from dmmcquay/master  
						
						
						
						
						update kubernetes example-app explanation 
						
						
					 
					
						2017-03-10 09:59:10 -08:00 
						 
				 
			
				
					
						
							
							
								Derek McQuay 
							
						 
					 
					
						
						
							
						
						9b052f37c9 
					 
					
						
						
							
							clarified redirect-uri and make cmd location
						
						
						
						
					 
					
						2017-03-09 22:36:37 -08:00 
						 
				 
			
				
					
						
							
							
								Derek McQuay 
							
						 
					 
					
						
						
							
						
						a6ab82d6c0 
					 
					
						
						
							
							update kubernetes example-app explanation  
						
						
						
						
						Clarify some potentially confusing issues with how to run and build the
example-app binary. 
						
						
					 
					
						2017-03-09 17:17:07 -08:00 
						 
				 
			
				
					
						
							
							
								Eric Chiang 
							
						 
					 
					
						
						
							
						
						90e9225e05 
					 
					
						
						
							
							Merge pull request  #842  from ericchiang/go-1-8  
						
						
						
						
						*: only use docker when releasing, update to Go 1.8, remove aci scripts 
						
						
					 
					
						2017-03-09 11:04:18 -08:00 
						 
				 
			
				
					
						
							
							
								Eric Chiang 
							
						 
					 
					
						
						
							
						
						ee27a4f9f4 
					 
					
						
						
							
							*: only use docker when releasing, update to Go 1.8, remove aci scripts  
						
						
						
						
						This change modifies our release process to only require Docker
when building a release and updates our released binary to use Go
1.8. It also removes our .aci scripts, which we've not been
regularly building.
A nice consequence is that OSX users can now build a release image. 
						
						
					 
					
						2017-03-09 10:46:09 -08:00 
						 
				 
			
				
					
						
							
							
								Eric Chiang 
							
						 
					 
					
						
						
							
						
						95d54956e9 
					 
					
						
						
							
							Merge pull request  #840  from ericchiang/oidc-bump  
						
						
						
						
						*: update go-oidc and use standard library's context package 
						
						
					 
					
						2017-03-08 11:46:40 -08:00 
						 
				 
			
				
					
						
							
							
								Eric Chiang 
							
						 
					 
					
						
						
							
						
						e5f60fe9dd 
					 
					
						
						
							
							vendor: revendor  
						
						
						
						
					 
					
						2017-03-08 10:33:36 -08:00 
						 
				 
			
				
					
						
							
							
								Eric Chiang 
							
						 
					 
					
						
						
							
						
						777eeafabc 
					 
					
						
						
							
							*: update go-oidc and use standard library's context package  
						
						
						
						
					 
					
						2017-03-08 10:33:19 -08:00 
						 
				 
			
				
					
						
							
							
								rithu leena john 
							
						 
					 
					
						
						
							
						
						6dd415997a 
					 
					
						
						
							
							Merge pull request  #835  from rithujohn191/fix-client-example  
						
						
						
						
						examples/grpc-client: minor corrections in the dex client example. 
						
						
					 
					
						2017-03-07 13:35:44 -08:00