Commit Graph

127 Commits

Author SHA1 Message Date
Maksim Nabokikh
3fac2ab6bc
Merge pull request #1862 from tkleczek/fix-rfc-errors
Improve auth flow error handling
2021-08-03 00:34:54 +04:00
Tomasz Kleczek
4ffaa60d21 Improve auth flow error handling
Signed-off-by: Tomasz Kleczek <tomasz.kleczek@gmail.com>
2021-07-21 09:33:39 +02:00
Henning
138364ceeb
handlePasswordGrant: insert connectorData into OfflineSession (#2199)
* handlePasswordGrant: insert connectorData into OfflineSession

This change will insert the ConnectorData from the initial Login
into the OfflineSession, as already done in handlePasswordLogin.

Signed-off-by: Henning Surmeier <h.surmeier@mittwald.de>
2021-07-21 00:05:35 +04:00
Márk Sági-Kazár
f6904c38ef
Merge pull request #1865 from WorldProgrammingLtd/fix-1849
fix: defer creation of auth request.
2021-06-25 19:05:41 +02:00
m.nabokikh
4b54433ec2 Bump golag-ci lint version to 1.40.1
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-05-27 19:27:06 +04:00
Alastair Houghton
cd0c24ec4d fix: add an extra endpoint to avoid refresh generating AuthRequests.
By adding an extra endpoint and a redirect, we can avoid a situation
where it's trivially easy to generate a large number of AuthRequests
by hitting F5/refresh in the browser.

Signed-off-by: Alastair Houghton <alastair@alastairs-place.net>
2021-05-21 11:42:52 +01:00
Alastair Houghton
0284a4c3c9 fix: back link on password page needs to be explicit.
The back link on the password page was using Javascript to tell the
browser to navigate back, which won't work if the user has entered a
set of incorrect log-in details.  Fix this by using an explicit URL
instead.

Fixes #1851

Signed-off-by: Alastair Houghton <alastair@alastairs-place.net>
2021-05-21 11:24:30 +01:00
Alastair Houghton
cdbb5dd94d fix: defer creation of auth request.
Rather than creating the auth request when the user hits /auth, pass
the arguments through to /auth/{connector} and have the auth request
created there.  This prevents a database error when using the "Select
another login method" link, and also avoids a few other error cases.

Fixes #1849, #646.

Signed-off-by: Alastair Houghton <alastair@alastairs-place.net>
2021-05-21 11:24:23 +01:00
Márk Sági-Kazár
18d1f70cee
Merge pull request #1861 from concourse/pr/bcrypt-for-client-secret-sync
Use constant time comparison for client secret verification
2021-05-17 17:27:42 +02:00
Rui Yang
fe8085b886 remove client secret encryption option
constant time compare for client secret verification will be kept

Signed-off-by: Rui Yang <ruiya@vmware.com>
2021-05-17 10:16:50 -04:00
Rui Yang
ecea593ddd fix a bug in hash comparison function
the client secret coming in should be hashed and the one in storage
is the one in plaintext

Signed-off-by: Rui Yang <ruiya@vmware.com>
2021-05-14 13:32:27 -04:00
Márk Sági-Kazár
94a2b3ed87
Merge pull request #2010 from flant/switch-device-token-endpoint-to-token
fix: use /token endpoint to get tokens with device flow
2021-05-01 13:24:55 +02:00
Márk Sági-Kazár
551229a986
Merge pull request #1846 from flant/refresh-token-expiration-policy
feat: Add refresh token expiration and rotation settings
2021-04-24 11:03:40 +02:00
Rui Yang
d658c24e8f add dex config flag for enabling client secret encryption
* if enabled, it will make sure client secret is bcrypted correctly
* if not, it falls back to old behaviour that allowing empty client
secret and comparing plain text, though now it will do
ConstantTimeCompare to avoid a timing attack.

So in either way it should provide more secure of client secret
verification.

Co-authored-by: Alex Surraci <suraci.alex@gmail.com>
Signed-off-by: Rui Yang <ruiya@vmware.com>
2021-03-20 20:05:56 +00:00
Josh Winters
ec6f3a2f19 use bcrypt when comparing client secrets
- this assumes that the client is already bcrytped
when passed to dex. Similar to user passwords.

Signed-off-by: Josh Winters <jwinters@pivotal.io>
Co-authored-by: Vikram Yadav <vyadav@pivotal.io>
2021-03-20 20:05:56 +00:00
m.nabokikh
1211a86d58 fix: use /token endpoint to get tokens with device flow
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-02-24 16:03:25 +04:00
Mark Sagi-Kazar
7da0a89936
refactor: remove unused health checker
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2021-02-11 01:29:27 +01:00
m.nabokikh
0c75ed12e2 Add refresh token expiration tests and some refactoring
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-02-10 23:43:19 +04:00
m.nabokikh
06c8ab5aa7 Fixes of naming and code style
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-02-10 23:37:57 +04:00
m.nabokikh
91de99d57e feat: Add refresh token expiration and rotation settings
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-02-10 23:37:57 +04:00
Márk Sági-Kazár
5a667bbee0
Merge pull request #1773 from faro-oss/faro-upstream/add-c_hash-to-id_token
Add c_hash to id_token, issued on /auth endpoint, when in hybrid flow
2021-02-10 16:12:54 +01:00
Márk Sági-Kazár
9b1ecac0d9
Merge pull request #1952 from flant/auth-code-iinvalid-grant
fix: return invalid_grant error for invalid or expired auth codes
2021-02-10 15:50:18 +01:00
m.nabokikh
d6b5105d9b fix: check code presence
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-01-25 18:50:36 +04:00
Márk Sági-Kazár
186a719ecb
Merge pull request #1948 from flant/add-cache-headers
Add Cache-control headers to token responses
2021-01-23 14:13:51 +01:00
m.nabokikh
123185c456 fix: return invalid_grant error for invalid or expired auth codes
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-01-21 01:31:38 +04:00
m.nabokikh
283a87855a fix: update auth methods and claims in discovery endpoint
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-01-20 15:15:30 +04:00
m.nabokikh
a7978890c7 Add Cache-control headers to token responses
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-01-18 11:13:28 +04:00
Mark Sagi-Kazar
b8ac640c4f
Update oidc library
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2021-01-13 19:56:09 +01:00
Josh Soref
c79b40ad56 spelling: register
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
2020-12-19 22:53:29 -05:00
m.nabokikh
a5ad5eaf08 fix: Minor style fixes after merging PKCE implementation
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-10-26 23:20:33 +04:00
Bernd Eckstein
b5519695a6
PKCE implementation (#1784)
* Basic implementation of PKCE

Signed-off-by: Tadeusz Magura-Witkowski <tadeuszmw@gmail.com>

* @mfmarche on 24 Feb: when code_verifier is set, don't check client_secret

In PKCE flow, no client_secret is used, so the check for a valid client_secret
would always fail.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* @deric on 16 Jun: return invalid_grant when wrong code_verifier

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Enforce PKCE flow on /token when PKCE flow was started on /auth
Also dissallow PKCE on /token, when PKCE flow was not started on /auth

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* fixed error messages when mixed PKCE/no PKCE flow.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* server_test.go: Added PKCE error cases on /token endpoint

* Added test for invalid_grant, when wrong code_verifier is sent
* Added test for mixed PKCE / no PKCE auth flows.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* cleanup: extracted method checkErrorResponse and type TestDefinition

* fixed connector being overwritten

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* /token endpoint: skip client_secret verification only for grand type authorization_code with PKCE extension

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Allow "Authorization" header in CORS handlers

* Adds "Authorization" to the default CORS headers{"Accept", "Accept-Language", "Content-Language", "Origin"}

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Add "code_challenge_methods_supported" to discovery endpoint

discovery endpoint /dex/.well-known/openid-configuration
now has the following entry:

"code_challenge_methods_supported": [
  "S256",
  "plain"
]

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Updated tests (mixed-up comments), added a PKCE test

* @asoorm added test that checks if downgrade to "plain" on /token endpoint

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* remove redefinition of providedCodeVerifier, fixed spelling (#6)

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>
Signed-off-by: Bernd Eckstein <HEllRZA@users.noreply.github.com>

* Rename struct CodeChallenge to PKCE

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* PKCE: Check clientSecret when available

In authorization_code flow with PKCE, allow empty client_secret on /auth and /token endpoints. But check the client_secret when it is given.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Enable PKCE with public: true

dex configuration public on staticClients now enables the following behavior in PKCE:
- Public: false, PKCE will always check client_secret. This means PKCE in it's natural form is disabled.
- Public: true, PKCE is enabled. It will only check client_secret if the client has sent one. But it allows the code flow if the client didn't sent one.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Redirect error on unsupported code_challenge_method

- Check for unsupported code_challenge_method after redirect uri is validated, and use newErr() to return the error.
- Add PKCE tests to oauth2_test.go

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Reverted go.mod and go.sum to the state of master

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Don't omit client secret check for PKCE

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Allow public clients (e.g. with PKCE) to have redirect URIs configured

Signed-off-by: Martin Heide <martin.heide@faro.com>

* Remove "Authorization" as Accepted Headers on CORS, small fixes

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Revert "Allow public clients (e.g. with PKCE) to have redirect URIs configured"

This reverts commit b6e297b78537dc44cd3e1374f0b4d34bf89404ac.

Signed-off-by: Martin Heide <martin.heide@faro.com>

* PKCE on client_secret client error message

* When connecting to the token endpoint with PKCE without client_secret, but the client is configured with a client_secret, generate a special error message.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Output info message when PKCE without client_secret used on confidential client

* removes the special error message

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* General missing/invalid client_secret message on token endpoint

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

Co-authored-by: Tadeusz Magura-Witkowski <tadeuszmw@gmail.com>
Co-authored-by: Martin Heide <martin.heide@faro.com>
Co-authored-by: M. Heide <66078329+heidemn-faro@users.noreply.github.com>
2020-10-26 11:33:40 +01:00
m.nabokikh
1d83e4749d Add gocritic
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-10-18 01:54:27 +04:00
m.nabokikh
4d63e9cd68 fix: Bump golangci-lint version and fix some linter's problems
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-10-18 01:02:29 +04:00
Tom Quarendon
4da93e75fc fix: log errors from login during password grant
Issues: #1813
Signed-off-by: Alastair Houghton <alastair@alastairs-place.net>
2020-10-07 13:36:42 +01:00
Tomasz Kleczek
b1311baa3c abort connector login if connector was already set #1707
Signed-off-by: Tomasz Kleczek <tomasz.kleczek@gmail.com>
2020-08-29 17:19:14 +02:00
Bernd Eckstein
f6cd778b60 Add c_hash to id_token, issued on /auth endpoint, when in hybrid flow
* fixed name collision (renamed hash->hashFunc)

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>
2020-07-31 12:06:19 +02:00
Justin Slowik
9c699b1028 Server integration test for Device Flow (#3)
Extracted test cases from OAuth2Code flow tests to reuse in device flow

deviceHandler unit tests to test specific device endpoints

Include client secret as an optional parameter for standards compliance

Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-07-08 16:25:05 -04:00
Justin Slowik
9bbdc721d5 Device flow token code exchange (#2)
* Added /device/token handler with associated business logic and storage tests.

Perform user code exchange, flag the device code as complete.

Moved device handler code into its own file for cleanliness.  Cleanup

* Removed PKCE code

* Rate limiting for /device/token endpoint based on ietf standards

* Configurable Device expiry

Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-07-08 16:25:05 -04:00
Justin Slowik
0d1a0e4129 Device token api endpoint (#1)
* Added /device/token handler with associated business logic and storage tests.

* Use crypto rand for user code

Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-07-08 16:25:05 -04:00
Justin Slowik
6d343e059b Generates/Stores the device request and returns the device and user codes.
Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-07-08 16:25:05 -04:00
Tadeusz Magura-Witkowski
7b7e2a040d Automatic consistency fixing in case of missing refresh token in db 2020-03-25 13:43:53 +01:00
Kyle Larose
ab5ea03025
handlers: do not fail login if refresh token gone
There is a chance that offline storage could fall out of sync with the
refresh token tables. One example is if dex crashes/is stopped in the
middle of handling a login request. If the old refresh token associated
with the offline session is deleted, and then the process stops, the
offline session will still refer to the old token.

Unfortunately, if this case occurs, there is no way to recover from it,
since further logins will be halted due to dex being unable to clean up
the old tokens till referenced in the offline session: the database is
essentially corrupted.

There doesn't seem to be a good reason to fail the auth request if the
old refresh token is gone. This changes the logic in `handleAuthCode` to
not fail the entire transaction if the old refresh token could not be
deleted because it was not present. This has the effect of installing
the new refresh token, and unpdating the offline storage, thereby fixing
the issue, however it occured.
2020-03-18 12:56:37 -04:00
Rui Yang
0f9a74f1d0 Remove uneccesary client verification 2020-01-10 14:52:57 -05:00
Zach Brown
13be146d2a Add support for password grant #926 2020-01-10 13:18:09 -05:00
Márk Sági-Kazár
789272a0c1
Merge pull request #1576 from flant/icons-proposal
Pick icons on login screen by connector type instead of ID
2019-12-23 13:05:19 +01:00
m.nabokikh
058e72ef50 Pick icons on login screen by connector type instead of ID
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2019-12-23 12:38:22 +04:00
Mark Sagi-Kazar
f141f2133b
Fix whitespace 2019-12-18 15:56:12 +01:00
Mark Sagi-Kazar
367b187cf4
Fix missspell 2019-12-18 15:51:44 +01:00
Joel Speed
c4e96dda32
Fix migration of old connector data 2019-11-19 15:43:23 +00:00
Joel Speed
d9095073c8
Unindent session updates on finalizeLogin 2019-11-19 15:43:22 +00:00