4d63e9cd68
fix: Bump golangci-lint version and fix some linter's problems
...
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-10-18 01:02:29 +04:00
ec66cedfcc
feat: Add team groups support to bitbucket connector
...
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-10-04 20:50:59 +03:00
4b94469547
fix: Replace teams endpoint for bitbucket connector
...
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-10-03 20:30:23 +03:00
a64e7c2986
Merge pull request #1769 from batara666/master
...
ldap.go: drop else on returned if block
2020-09-16 17:47:52 +02:00
058202d007
revert changes for user id and user name
...
Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-09-08 13:12:59 -04:00
0494993326
update oidc documentation and email claim err msg
...
Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-09-08 10:03:57 -04:00
41207ba265
Combine #1691 and #1776 to unify OIDC provider claim mapping
...
add tests for groups key mapping
Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-08-11 16:26:55 -04:00
a783667c57
Add groupsClaimMapping to the OIDC connector
...
The groupsClaimMapping setting allows one to specify which claim to pull
group information from the OIDC provider. Previously it assumed group
information was always in the "groups" claim, but that isn't the case
for many OIDC providers (such as AWS Cognito using the "cognito:groups"
claim instead)
Signed-off-by: Scott Lemmon <slemmon@aurora.tech>
Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-08-11 16:26:55 -04:00
61312e726e
Add parameter configuration to override email claim key
...
Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-08-11 16:26:55 -04:00
52c39fb130
check if upstream contains preferrend username claim first
...
Signed-off-by: Rui Yang <ryang@pivotal.io>
Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-08-11 16:26:55 -04:00
4812079647
add tests when preferred username key is not set
...
Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-08-11 16:26:55 -04:00
d9afb7e59c
default to preferred_username claim
...
Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-08-11 16:26:55 -04:00
9a4e0fcd00
Make OIDC username key configurable
...
Signed-off-by: Josh Winters <jwinters@pivotal.io>
Co-authored-by: Mark Huang <mhuang@pivotal.io>
Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-08-11 16:26:55 -04:00
6499f5bfd3
ldap.go: drop else on returned if block
2020-07-27 22:27:55 +07:00
62efe7bf07
Merge pull request #1441 from jimmythedog/1440-fix-msoft-refresh-token
...
dexidp#1440 Add offline_access scope, if required
2020-07-08 16:13:26 +02:00
9d7e472c63
Merge pull request #1720 from candlerb/fix-google
...
Allow the "google" connector to work without a service account
2020-06-19 17:10:23 +01:00
0a9f56527e
Add Gitea connector ( #1715 )
...
* Add Gitea connector
* Add details to readme
* resolve lint issue
2020-05-26 13:54:40 +02:00
442d3de11d
Allow the "google" connector to work without a service account
...
Fixes #1718
2020-05-22 09:24:26 +00:00
709d4169d6
Merge pull request #1694 from flant/fix-openshift-root-ca
...
Fix OpenShift connector rootCA option
2020-05-12 13:55:45 +02:00
521aa0802f
Fix OpenShift connector rootCA option
...
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-05-12 15:31:27 +04:00
4a0feaf589
connector/saml: add 'FilterGroups' setting
...
This should make AllowedGroups equivalent to an LDAP group filter:
When set to true, only the groups from AllowedGroups will be included in the
user's identity.
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2020-05-12 13:29:05 +02:00
d87cf1c924
create github oauthconfig with redirecturl ( #1700 )
2020-05-12 13:23:00 +02:00
0a85a97ba9
Allow preferred_username claim to be set for Crowd connector ( #1684 )
...
* Add atlassiancrowd connector to list in readme
* Add TestIdentityFromCrowdUser
* Set preferred_username claim when configured
* Add preferredUsernameField option to docs
* Log warning when mapping invalid crowd field
2020-04-23 20:14:15 +02:00
f6476b62f2
Added Email of Keystone to Identity ( #1681 )
...
* Added Email of Keystone to Identity
After the successful login to keystone, the Email of the logged in user
is fetch from keystone and provided to `identity.Email`.
This is useful for upstream software that uses the Email as the primary
identification.
* Removed unnecessary code from getUsers
* Changed creation of userResponse in keystone
* Fixing linter error
Co-authored-by: Christoph Glaubitz <christoph.glaubitz@innovo-cloud.de>
2020-04-06 15:40:17 +02:00
30ea963bb6
Merge pull request #1656 from taxibeat/oidc-prompt-type
...
Make prompt configurable for oidc offline_access
2020-02-28 10:56:13 +00:00
b7cf701032
Merge pull request #1515 from flant/atlassian-crowd-connector
...
new connector for Atlassian Crowd
2020-02-24 10:09:27 +01:00
76bb453ff3
Setting email for OpenShift connector
2020-02-21 16:53:46 +01:00
d33a76fa19
Make prompt configurable for oidc offline_access
2020-02-19 16:10:28 +02:00
7ef1179e75
feat: connector for Atlassian Crowd
2020-02-05 12:40:49 +04:00
30cd592801
Merge pull request #1612 from vi7/multiple-user-to-group-mapping
...
connector/ldap: add multiple user to group mapping
2020-02-02 11:09:05 +00:00
aca67b0839
Merge pull request #1627 from jfrabaute/master
...
google: Retrieve all the groups for a user
2020-01-20 08:30:17 +01:00
1d3851b0c5
Update gitlab.go
...
fix typo
2020-01-16 11:26:57 +08:00
b85d7849ad
google: Retrieve all the groups for a user
...
The list of groups is paginated (default page is 200), so when a user
has more than 200 groups, only the first 200 are retrieve.
This change is retrieving all the groups for a user by querying all the
pages.
2020-01-14 13:26:37 -08:00
e20a795a2a
connector/ldap: backward compatibility with single user to group mapping
...
Signed-off-by: Vitaliy Dmitriev <vi7alya@gmail.com>
2020-01-14 11:00:32 +01:00
6104295d5e
microsoft: Add basic tests
...
Implemented similar to connector/github/github_test.go
2020-01-13 08:51:22 +01:00
5db29eb087
microsoft: Make interface testable
...
Enable testing by allowing overriding the API host name in tests
2020-01-13 08:15:07 +01:00
3cbba11012
Merge pull request #1610 from flant/oidc-email-scope-check
...
Adding oidc email scope check
2020-01-06 10:20:46 +01:00
f2e7823db9
connector/ldap: add multiple user to group mapping
...
Add an ability to fetch user's membership from
groups of a different type by specifying multiple
group attribute to user attribute value matchers
in the Dex config:
userMatchers:
- userAttr: uid
groupAttr: memberUid
- userAttr: DN
groupAttr: member
In other words the user's groups can be fetched now from
ldap structure similar to the following:
dn: cn=john,ou=People,dc=example,dc=org
objectClass: person
objectClass: inetOrgPerson
sn: doe
cn: john
uid: johndoe
mail: johndoe@example.com
userpassword: bar
dn: cn=qa,ou=Groups,ou=Portland,dc=example,dc=org
objectClass: groupOfNames
cn: qa
member: cn=john,ou=People,dc=example,dc=org
dn: cn=logger,ou=UnixGroups,ou=Portland,dc=example,dc=org
objectClass: posixGroup
gidNumber: 1000
cn: logger
memberUid: johndoe
Signed-off-by: Vitaliy Dmitriev <vi7alya@gmail.com>
2020-01-03 10:40:21 +01:00
383c2fe8b6
Adding oidc email scope check
...
This helps to avoid "no email claim" error if email scope was not specified.
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2019-12-28 15:28:01 +04:00
d31f6eabd4
Corrected logic in group verification
2019-12-26 20:32:12 -06:00
296659cb50
Reduced OpenShift scopes and enhanced documentation
2019-12-26 03:14:20 -06:00
075ab0938e
Fixed formatting
2019-12-22 02:53:10 -05:00
7e89d8ca24
Resolved newline issues
2019-12-22 02:27:11 -05:00
02c8f85e4d
Resolved newline issues
2019-12-22 02:27:11 -05:00
db7711d72a
Test cleanup
2019-12-22 02:27:10 -05:00
5881a2cfca
Test cleanup
2019-12-22 02:27:10 -05:00
48954ca716
Corrected test formatting
2019-12-22 02:27:09 -05:00
92e63771ac
Added OpenShift connector
2019-12-22 02:27:09 -05:00
a901e2f204
Merge pull request #1604 from dexidp/fix-linters
...
Fix linters
2019-12-20 07:10:22 +01:00
8e0ae82034
connector/oidc: replace deprecated oauth2.RegisterBrokenAuthHeaderProvider with oauth2.Endpoint.AuthStyle
2019-12-18 08:27:40 -08:00
65c77e9db2
Fix bodyclose
2019-12-18 16:04:03 +01:00
2f8d1f8e42
Fix unconvert
2019-12-18 15:56:46 +01:00
f141f2133b
Fix whitespace
2019-12-18 15:56:12 +01:00
9bd5ae5197
Fix goimports
2019-12-18 15:53:34 +01:00
367b187cf4
Fix missspell
2019-12-18 15:51:44 +01:00
142c96c210
Fix stylecheck
2019-12-18 15:50:36 +01:00
8c3dc0ca66
Remove unused code (fixed: unused, structcheck, deadcode linters)
2019-12-18 15:46:49 +01:00
d2095bb2d8
Rewrite LDAP tests to use Docker
2019-12-08 20:21:28 +01:00
a38e215891
connector/google: support group whitelisting
...
Signed-off-by: Nandor Kracser <bonifaido@gmail.com>
2019-12-03 16:27:07 +01:00
c41035732f
Merge pull request #1434 from jacksontj/groups
...
Add option to enable groups for oidc connectors
2019-11-27 14:00:36 +01:00
658a2cc477
Make directory service during init
2019-11-19 17:12:44 +00:00
554870cea0
Add todo for configurable groups key
2019-11-19 17:12:43 +00:00
6a9bc889b5
Update comments
2019-11-19 17:12:40 +00:00
c03c98b951
Check config before getting groups
2019-11-19 17:12:39 +00:00
3f55e2da72
Get groups from directory api
2019-11-19 17:12:38 +00:00
36370f8f2a
No need to configure issuer
2019-11-19 17:12:37 +00:00
97ffa21262
Create separate Google connector
2019-11-19 17:12:36 +00:00
3156553843
OIDC: Rename refreshToken to RefreshToken
2019-11-19 15:43:25 +00:00
77fcf9ad77
Use a struct for connector data within OIDC connector
2019-11-19 15:43:22 +00:00
f6077083c9
Identify error as failure to retrieve refresh token
2019-11-19 15:43:21 +00:00
8b344fe4d3
Fix Refresh comment
2019-11-19 15:43:20 +00:00
433bb2afec
Remove duplicate code
2019-11-19 15:43:12 +00:00
4076eed17b
Build opts based on scope
2019-11-19 15:43:11 +00:00
0857a0fe09
Implement refresh in OIDC connector
...
This has added the access=offline parameter and prompt=consent parameter
to the initial request, this works with google, assuming other providers
will ignore the prompt parameter
2019-11-19 15:43:04 +00:00
6d41541964
Merge pull request #1544 from kenperkins/saml-groups
...
Adding support for allowed groups in SAML Connector
2019-10-30 13:28:34 +01:00
f2590ee07d
Merge pull request #1545 from jacksontj/getUserInfo
...
Run getUserInfo prior to claim enforcement
2019-10-30 13:26:18 +01:00
c1b421fa04
add preffered_username to idToken
...
Signed-off-by: Nandor Kracser <bonifaido@gmail.com>
2019-10-30 13:06:37 +01:00
21ab30d207
Add option to enable groups for oidc connectors
...
There's been some discussion in #1065 regarding what to do about
refreshing groups. As it stands today dex doesn't update any of the
claims on refresh (groups would just be another one). The main concern
with enabling it is that group claims may change more frequently. While
we continue to wait on the upstream refresh flows, this adds an option
to enable the group claim. This is disabled by default (so no behavioral
change) but enables those that are willing to have the delay in group
claim change to use oidc IDPs.
Workaround to #1065
2019-09-13 15:50:33 -07:00
512cb3169e
Run getUserInfo prior to claim enforcement
...
If you have an oidc connector configured *and* that IDP provides thin
tokens (e.g. okta) then the majority of the requested claims come in the
getUserInfo call (such as email_verified). So if getUserInfo is
configured it should be run before claims are validated.
2019-09-13 11:10:44 -07:00
285c1f162e
connector/saml: Adding group filtering
...
- 4 new tests
- Doc changes to use the group filtering
2019-09-10 10:53:19 -07:00
42e8619830
Fix typo
2019-09-06 09:55:09 +09:00
ef08ad8317
gitlab: add groups scope by default when filtering is requested
2019-08-14 13:33:46 +02:00
d9487e553b
*: fix some lint issues
...
Mostly gathered these using golangci-lint's deadcode and ineffassign
linters.
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-07-30 11:29:08 +02:00
ff34e570b4
connector/gitlab: implement useLoginAsID as in GitHub connector
2019-07-28 19:49:49 +02:00
458585008b
microsoft: option for group UUIDs instead of name and group whitelist
2019-07-25 09:14:33 -04:00
51f50fcad8
connectors: refactor filter code into a helper package
...
I hope I didn't miss any :D
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-07-03 13:09:40 +02:00
d6fad19d95
Merge pull request #1459 from flarno11/master
...
make userName configurable
2019-06-04 09:47:19 +02:00
8613c78863
update LinkedIn connector to use v2 APIs
...
This updates LinkedIn connector to use the more recent v2 APIs. Necessary because v1 APIs are not able to retrieve email ids any more with the default permissions.
The API URLs are now different. Fetching the email address is now a separate call, made after fetching the profile details. The `r_basicprofile` permission is not needed any more, and `r_liteprofile` (which seems to be the one assigned by default) is sufficient.
The relevant API specifications are at:
- https://docs.microsoft.com/en-us/linkedin/shared/integrations/people/profile-api
- https://docs.microsoft.com/en-us/linkedin/shared/integrations/people/primary-contact-api
- https://docs.microsoft.com/en-us/linkedin/consumer/integrations/self-serve/migration-faq#how-do-i-retrieve-the-members-email-address
2019-06-03 22:59:37 +05:30
8c1716d356
make userName configurable
2019-06-03 14:09:07 +02:00
4e8cbf0f61
connectors/oidc: truely ignore "email_verified" claim if configured that way
...
Fixes #1455 , I hope.
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-05-28 16:15:06 +02:00
9650836851
make userID configurable
2019-05-24 19:52:33 +09:00
52d09a2dfa
Add option in oidc to hit the optional userinfo endpoint
...
Some oauth providers return "thin tokens" which won't include all of the
claims requested. This simply adds an option which will make the oidc
connector use the userinfo endpoint to fetch all the claims.
2019-05-23 09:20:48 -07:00
b189d07d53
dexidp#1440 Add offline_access scope, if required
...
Without this scope, a refresh token will not be returned from Microsoft
2019-05-14 05:15:13 +01:00
35f51957c0
Merge pull request #1430 from mkontani/fix/typo
...
fix typo
2019-05-12 10:39:18 -07:00
7b416b5a8e
gitlab: add tests
2019-05-02 08:06:56 +02:00
a08a5811d4
gitlab: support for group whitelist
2019-04-25 12:50:29 +02:00
6ae76662de
fix ssoURL
2019-04-20 21:12:01 +09:00
fc723af0fe
Add option to OIDC connecter to override email_verified to true
2019-03-05 21:24:02 +00:00
06521ffa49
Remove the logrus logger wrapper
2019-02-22 21:31:46 +01:00
be581fa7ff
Add logger interface and stop relying on Logrus directly
2019-02-22 13:38:57 +01:00
m.nabokikh
Márk Sági-Kazár
Rui Yang
Scott Lemmon
Cyrille Nofficial
Rui Yang
Josh Winters
batara666
Nándor István Krácser
Joel Speed
techknowlogick
Brian Candler
Stephan Renatus
poh chiat
Martijn
Ken Perkins
Andrew Block
Chris Loukas
Ivan Mikheykin
Nándor István Krácser
linzhaoming
Fabrice Rabaute
Vitaliy Dmitriev
Carl Henrik Lunde
Lars Lehtonen
Mark Sagi-Kazar
Thomas Jackson
wassan128
Maxime Desrosiers
tan
flarno11
cappyzawa
jimmythedog
Eric Chiang
mkontani
Gerald Barker