Some OAuth providers return "thin tokens" which won't include all of the
claims requested. This simply adds an option which will make the OIDC
connector use the userinfo endpoint to fetch all the claims.
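The fallback the commit describes, as an added illustration that is not the project's own connector code: the ID token's claims are used as-is unless a `getUserInfo`-style option is set, in which case the provider's userinfo endpoint is called with the access token and its claims are merged on top. The provider, its URL, the token value and the claim contents are all constructed for the example; the only real requirement it encodes is the OIDC Core rule that the userinfo `sub` must match the ID token's `sub` before the two claim sets are combined.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Claims holds identity claims keyed by claim name, as decoded from JSON.
type Claims map[string]interface{}

// fetchUserInfo calls the userinfo endpoint with the bearer access token
// and decodes the JSON claims it returns.
func fetchUserInfo(ctx context.Context, client *http.Client, userInfoURL, accessToken string) (Claims, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, userInfoURL, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+accessToken)
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("userinfo: unexpected status %d", resp.StatusCode)
	}
	var c Claims
	if err := json.NewDecoder(resp.Body).Decode(&c); err != nil {
		return nil, fmt.Errorf("userinfo: decode: %w", err)
	}
	return c, nil
}

// resolveClaims returns the claims an identity should be built from.
// With getUserInfo false only the ID token claims are used; with it true the
// userinfo claims are merged on top, after checking that "sub" agrees.
func resolveClaims(ctx context.Context, client *http.Client, idTokenClaims Claims, getUserInfo bool, userInfoURL, accessToken string) (Claims, error) {
	merged := Claims{}
	for k, v := range idTokenClaims {
		merged[k] = v
	}
	if !getUserInfo {
		return merged, nil
	}
	ui, err := fetchUserInfo(ctx, client, userInfoURL, accessToken)
	if err != nil {
		return nil, err
	}
	// OIDC Core 5.3.2: a userinfo response whose sub differs from the ID
	// token's sub must not be used.
	if uiSub, ok := ui["sub"]; ok && fmt.Sprint(uiSub) != fmt.Sprint(idTokenClaims["sub"]) {
		return nil, fmt.Errorf("userinfo sub %v does not match id token sub %v", uiSub, idTokenClaims["sub"])
	}
	for k, v := range ui {
		merged[k] = v
	}
	return merged, nil
}

// newThinTokenProvider is a constructed stand-in for a provider whose ID
// tokens are "thin": email and groups are only available from userinfo.
func newThinTokenProvider() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/userinfo", func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer access-token-123" { // constructed token
			http.Error(w, "invalid token", http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(map[string]interface{}{
			"sub":    "user-42",
			"email":  "alice@example.com",
			"groups": []string{"dev", "ops"},
		})
	})
	return httptest.NewServer(mux)
}

// demo runs both code paths against the constructed provider and returns the
// claims seen without and with the userinfo fetch.
func demo() (thin Claims, enriched Claims, err error) {
	srv := newThinTokenProvider()
	defer srv.Close()
	ctx := context.Background()
	userInfoURL := srv.URL + "/userinfo"
	idToken := Claims{"sub": "user-42", "iss": srv.URL} // thin: no email, no groups
	if thin, err = resolveClaims(ctx, srv.Client(), idToken, false, userInfoURL, "access-token-123"); err != nil {
		return nil, nil, err
	}
	if enriched, err = resolveClaims(ctx, srv.Client(), idToken, true, userInfoURL, "access-token-123"); err != nil {
		return nil, nil, err
	}
	return thin, enriched, nil
}

func main() {
	thin, enriched, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("id token only:", thin)
	fmt.Println("with userinfo:", enriched)
}
```

Running it prints the claim set twice: once with only `sub` and `iss`, and once with `email` and `groups` filled in from userinfo. A mismatched `sub` from the userinfo endpoint is rejected rather than merged, which is the check a connector needs before trusting userinfo output for authorization decisions such as group membership.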
The filters for user and group searches hadn't been included in our LDAP
tests. Now they are.
The concrete test cases are somewhat contrived, but that shouldn't
matter too much. Also note that the example queries I've used are not
supported in AD: https://stackoverflow.com/a/10043452
Signed-off-by: Stephan Renatus <srenatus@chef.io>
For downstream apps using a github handle is much simpler than working
with numbers.
Whilst the number is stable and the handle is not - GitHub does give you
a big scary warning if you try and change it that bad things may happen
to you, and generally few users ever change it.
This can be enabled with a configuration option `useLoginAsId`
this will result in both the team name *and* the team slug being
returned for each team, allowing a bit more flexibility in auth
validation.
Signed-off-by: Topher Bullock <tbullock@pivotal.io>
Signed-off-by: Alex Suraci <suraci.alex@gmail.com>
Fixes #1304, if we want to be harsh.
However, I think if it was the user's intention to pass two certs, and
the second one couldn't be read, that shouldn't just disappear. After
all, when attempting to login later, that might fail because the
expected IdP cert data isn't there.
Signed-off-by: Stephan Renatus <srenatus@chef.io>
Format ldap.go
Format ldap.go: with a space for golint
with a space
Rename clientCA is to clientCert
Update ldap.go
modified the ldap client certificate file comments.
modified load ldap client cert error.
modified load ldap client cert error: fmt.Errorf("ldap: load client cert failed: %v", err)
Some directory servers (I think it's Oracle) return
Constraint Violation: Exceed password retry limit. Account locked.
when attempting to login too many times. While constraint violation can
mean many things, we're checking this as an error on BIND, so it's
more likely that something like this has happened than any other thing.
Hence, we should treat it as an "incorrect password" situation, not an
internal error.
It would of course be preferable to surface more information about this
precise error (and similar ones), but I think this is beyond this small
change.
Signed-off-by: Stephan Renatus <srenatus@chef.io>
Microsoft connector now provides support for 'groups' claim in case
'tenant' is configured in Dex config for the connector. It's possible to
deny user authentication if the user is not a member of at least one of
the configured groups.
Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>