Commit Graph

1827 Commits

Author SHA1 Message Date
Márk Sági-Kazár
71bbbee075
Merge pull request #1856 from dexidp/improve-docker-build
Improve docker build
2020-11-05 15:53:54 +01:00
Mark Sagi-Kazar
9b629b6568
Fix docker workflow name
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-05 15:35:31 +01:00
Mark Sagi-Kazar
0520465207
Separate docker job again
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-05 15:34:18 +01:00
Mark Sagi-Kazar
b580ffad70
Remove cache for now
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-05 15:30:17 +01:00
Mark Sagi-Kazar
4c86a5e7fe
Ignore files from docker context
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-05 14:46:32 +01:00
Mark Sagi-Kazar
85239d515d
Download dependencies in advance
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-05 14:26:39 +01:00
Mark Sagi-Kazar
10ac93d42b
Add docker layer caching
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-05 14:24:35 +01:00
Mark Sagi-Kazar
5cc8b562ec
Run build on ubuntu-latest
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-05 14:21:18 +01:00
Mark Sagi-Kazar
b9bc0b8b11
Remove unused workflow
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-05 14:12:16 +01:00
Mark Sagi-Kazar
b971415f0c
Improve Docker build
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-05 14:11:59 +01:00
Mark Sagi-Kazar
6500fdbdd1
Improve issue templates
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-05 11:44:16 +01:00
Mark Sagi-Kazar
d62f312402
Improve issue templates
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-05 11:37:58 +01:00
Mark Sagi-Kazar
fb282c3506
add documentation to contact links
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-05 11:36:38 +01:00
Mark Sagi-Kazar
1e14a33553
fix: missing frontmatter in issue templates
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-05 11:34:29 +01:00
Mark Sagi-Kazar
ef7e9e5c99
Fix issue template config
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-05 11:32:37 +01:00
Márk Sági-Kazár
170794725d
Merge pull request #1822 from faro-oss/feature/redirect-uris-for-public-clients
Allow public clients (e.g. SPAs using implicit flow or PKCE) to have redirect URLs other than localhost
2020-11-05 11:02:25 +01:00
Márk Sági-Kazár
6fcd9b4887
Merge pull request #1852 from flant/description_templates
chore: Add description templates
2020-11-05 10:43:27 +01:00
Márk Sági-Kazár
40409eafe8
Merge pull request #1847 from flant/retry-kubernetes-update-requests
feat: Retry Kubernetes update requests
2020-11-05 10:41:58 +01:00
Márk Sági-Kazár
bca77245df
Merge pull request #1853 from dexidp/linter-config
Linter config
2020-11-05 10:33:19 +01:00
Mark Sagi-Kazar
349832b380
Run fixer
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-03 20:52:14 +01:00
Mark Sagi-Kazar
84ea790885
Enable gci and gofumpt
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-03 20:52:14 +01:00
Mark Sagi-Kazar
cafea292ca
Update linter
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-03 20:52:13 +01:00
Mark Sagi-Kazar
3841f05ba4
Update linter config
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-03 20:51:29 +01:00
Mark Sagi-Kazar
ed7b71a190
chore: add editorconfig
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-03 20:37:38 +01:00
Martin Heide
162073b33e No longer allow desktop/mobile redirect URIs implicitly if RedirectURIs is set
Signed-off-by: Martin Heide <martin.heide@faro.com>
2020-11-02 14:05:47 +00:00
Martin Heide
c15e2887bc Add oob, device and localhost redirect URI tests
Signed-off-by: Martin Heide <martin.heide@faro.com>
2020-11-02 13:41:56 +00:00
Martin Heide
1ea481bb73 Fix gofmt in oauth2_test.go
Signed-off-by: Martin Heide <martin.heide@faro.com>
2020-11-02 12:52:52 +00:00
Martin Heide
b894d9c888 Allow public clients (e.g. using implicit flow or PKCE) to have redirect URIs configured
Signed-off-by: Martin Heide <martin.heide@faro.com>
2020-11-02 12:52:10 +00:00
m.nabokikh
7198f17d0e chore: Add description templates
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-11-02 10:52:08 +04:00
m.nabokikh
be378dd9a7 feat: Retry Kubernetes update requests
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-10-28 12:46:58 +04:00
Márk Sági-Kazár
6cdbb59406
Merge pull request #1845 from flant/minor-linter-fixes
fix: Minor style fixes after merging PKCE implementation
2020-10-26 21:37:30 +01:00
m.nabokikh
a5ad5eaf08 fix: Minor style fixes after merging PKCE implementation
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-10-26 23:20:33 +04:00
Bernd Eckstein
b5519695a6
PKCE implementation (#1784)
* Basic implementation of PKCE

Signed-off-by: Tadeusz Magura-Witkowski <tadeuszmw@gmail.com>

* @mfmarche on 24 Feb: when code_verifier is set, don't check client_secret

In PKCE flow, no client_secret is used, so the check for a valid client_secret
would always fail.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* @deric on 16 Jun: return invalid_grant when wrong code_verifier

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Enforce PKCE flow on /token when PKCE flow was started on /auth
Also dissallow PKCE on /token, when PKCE flow was not started on /auth

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* fixed error messages when mixed PKCE/no PKCE flow.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* server_test.go: Added PKCE error cases on /token endpoint

* Added test for invalid_grant, when wrong code_verifier is sent
* Added test for mixed PKCE / no PKCE auth flows.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* cleanup: extracted method checkErrorResponse and type TestDefinition

* fixed connector being overwritten

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* /token endpoint: skip client_secret verification only for grand type authorization_code with PKCE extension

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Allow "Authorization" header in CORS handlers

* Adds "Authorization" to the default CORS headers{"Accept", "Accept-Language", "Content-Language", "Origin"}

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Add "code_challenge_methods_supported" to discovery endpoint

discovery endpoint /dex/.well-known/openid-configuration
now has the following entry:

"code_challenge_methods_supported": [
  "S256",
  "plain"
]

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Updated tests (mixed-up comments), added a PKCE test

* @asoorm added test that checks if downgrade to "plain" on /token endpoint

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* remove redefinition of providedCodeVerifier, fixed spelling (#6)

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>
Signed-off-by: Bernd Eckstein <HEllRZA@users.noreply.github.com>

* Rename struct CodeChallenge to PKCE

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* PKCE: Check clientSecret when available

In authorization_code flow with PKCE, allow empty client_secret on /auth and /token endpoints. But check the client_secret when it is given.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Enable PKCE with public: true

dex configuration public on staticClients now enables the following behavior in PKCE:
- Public: false, PKCE will always check client_secret. This means PKCE in it's natural form is disabled.
- Public: true, PKCE is enabled. It will only check client_secret if the client has sent one. But it allows the code flow if the client didn't sent one.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Redirect error on unsupported code_challenge_method

- Check for unsupported code_challenge_method after redirect uri is validated, and use newErr() to return the error.
- Add PKCE tests to oauth2_test.go

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Reverted go.mod and go.sum to the state of master

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Don't omit client secret check for PKCE

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Allow public clients (e.g. with PKCE) to have redirect URIs configured

Signed-off-by: Martin Heide <martin.heide@faro.com>

* Remove "Authorization" as Accepted Headers on CORS, small fixes

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Revert "Allow public clients (e.g. with PKCE) to have redirect URIs configured"

This reverts commit b6e297b78537dc44cd3e1374f0b4d34bf89404ac.

Signed-off-by: Martin Heide <martin.heide@faro.com>

* PKCE on client_secret client error message

* When connecting to the token endpoint with PKCE without client_secret, but the client is configured with a client_secret, generate a special error message.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Output info message when PKCE without client_secret used on confidential client

* removes the special error message

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* General missing/invalid client_secret message on token endpoint

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

Co-authored-by: Tadeusz Magura-Witkowski <tadeuszmw@gmail.com>
Co-authored-by: Martin Heide <martin.heide@faro.com>
Co-authored-by: M. Heide <66078329+heidemn-faro@users.noreply.github.com>
2020-10-26 11:33:40 +01:00
Márk Sági-Kazár
2a282860fa
Merge pull request #1836 from lcostea/master
feat: reduce image size without apk cache
2020-10-18 18:21:39 +02:00
Márk Sági-Kazár
c82d21b155
Merge pull request #1837 from flant/bump-golangci-lint-and-fix-some-linters
fix: Bump golangci-lint version and fix some linter's problems
2020-10-18 16:05:57 +02:00
m.nabokikh
1d83e4749d Add gocritic
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-10-18 01:54:27 +04:00
m.nabokikh
4d63e9cd68 fix: Bump golangci-lint version and fix some linter's problems
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-10-18 01:02:29 +04:00
Liviu Costea
83673fb320 feat: reduce image size without apk cache
Signed-off-by: Liviu Costea <email.lcostea@gmail.com>
2020-10-16 19:52:21 +03:00
Nándor István Krácser
28b2350cd2
Merge pull request #1835 from flant/kubernetes-client-keys-conflicts-fix
fix: Handle Kubernetes API conflicts properly for signing keys
2020-10-13 15:16:19 +02:00
Márk Sági-Kazár
9c026107e6
Merge pull request #1830 from WorldProgrammingLtd/fix-1813
fix: log errors from login during password grant
2020-10-13 09:21:44 +02:00
m.nabokikh
4801b2c975 fix: Handle kubernetes API conflicts properly for signing keys
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-10-12 09:15:00 +03:00
Tom Quarendon
4da93e75fc fix: log errors from login during password grant
Issues: #1813
Signed-off-by: Alastair Houghton <alastair@alastairs-place.net>
2020-10-07 13:36:42 +01:00
Nate W
3f41b26fb9
[WIP] Removing .md files as a part of the Dex IdP Documentation migration. (#1810)
* Removing .md files as a part of the Dex IdP Documentation migration.

https://github.com/dexidp/dex/issues/1761
https://github.com/dexidp/website/issues/2
Signed-off-by: Nate Waddington <nwaddington@cncf.io>

* Updating README.md links after .md files removal.

Signed-off-by: Nate Waddington <nwaddington@cncf.io>

* Updating URL as per PR feedback. dexidp.org -> dexidp.io

Signed-off-by: Nate Waddington <nwaddington@cncf.io>

* removing errant ")"

Signed-off-by: Nate Waddington <nwaddington@cncf.io>
2020-10-06 18:02:40 +02:00
Márk Sági-Kazár
d1f599dd32
Merge pull request #1819 from al45tair/cors-auth
fix: allow Authorization header when doing CORS
2020-10-06 14:35:21 +02:00
Márk Sági-Kazár
a28f5bb218
Merge pull request #1821 from al45tair/fix-1820
fix: copy the "web" directory.
2020-10-05 17:24:51 +02:00
Alastair Houghton
3288450b3e fix: copy the "web" directory.
The Dockerfile was changed to do

    COPY web .

which is unfortunate because that means copy the *contents* of the directory
"web", rather than copying the directory itself which is what the author
intended.

Issues: #1820
Signed-off-by: Alastair Houghton <alastair@alastairs-place.net>
2020-10-05 15:52:30 +01:00
Alastair Houghton
9187aa669d fix: allow Authorization header when doing CORS
The Authorization header needs to be allowed when doing CORS because
otherwise /userinfo can't work.  It isn't one of the headers
explicitly allowed by default by Gorilla, so we have to call
handlers.AllowedHeaders() to specify it.

Issues: #1532
Signed-off-by: Alastair Houghton <alastair@alastairs-place.net>
2020-10-05 15:01:54 +01:00
Márk Sági-Kazár
828a1c6ec2
Merge pull request #1688 from flant/bitbucket-groups
feat: Add team groups support to bitbucket connector
2020-10-04 20:08:49 +02:00
m.nabokikh
ec66cedfcc feat: Add team groups support to bitbucket connector
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-10-04 20:50:59 +03:00
Márk Sági-Kazár
3e5ff2f853
Merge pull request #1815 from dexidp/fix-docker-login
ci: do not login to docker registry in PRs
2020-10-04 15:18:44 +02:00