Bob Callaway
793bcc4b61
address review comments
Signed-off-by: Bob Callaway <bcallaway@google.com>
2022-09-26 15:16:18 -04:00
Bob Callaway
cf3b19a952
Merge remote-tracking branch 'upstream/master' into advisory-fix-1
Signed-off-by: Bob Callaway <bcallaway@google.com>
2022-09-26 15:15:58 -04:00
Bob Callaway
fcfbb1ecb0
Add HMAC protection on /approval endpoint
Signed-off-by: Bob Callaway <bcallaway@google.com>
2022-07-29 19:45:18 -04:00
Bob Callaway
83e2df821e
add PKCE support to device code flow (#2575)
Signed-off-by: Bob Callaway <bobcallaway@users.noreply.github.com>
2022-07-27 19:02:18 +03:00
Márk Sági-Kazár
1cc26fab2f
Merge pull request #2468 from flant/cwe-79-device-code
fix: prevent cross-site scripting for the device flow
2022-06-30 22:52:33 +03:00
Bob Callaway
6eeba947f1
Merge remote-tracking branch 'upstream/master' into issue2289
2022-05-30 11:52:05 -04:00
Shivansh Vij
65592d0b5a
Updating test cases
Fixes https://github.com/dexidp/dex/issues/2537
Signed-off-by: Shivansh Vij <shivanshvij@outlook.com>
2022-05-26 15:54:54 -04:00
Shivansh Vij
cbf158bcc0
Fixes https://github.com/dexidp/dex/issues/2537
Signed-off-by: Shivansh Vij <shivanshvij@outlook.com>
2022-05-26 15:49:49 -04:00
m.nabokikh
bdfb10137a
Add the comment about groups request notification
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2022-05-25 17:50:12 +04:00
m.nabokikh
3d5a3befb4
fix: prevent cross-site scripting for the device flow
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2022-05-20 18:26:49 +04:00
m.nabokikh
ad89e01676
fix: log only errors on refreshing
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2022-04-15 10:54:43 +04:00
m.nabokikh
57e9611ff6
fix: Implicit Grant discovery
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2022-03-08 16:16:25 +04:00
Mark Sagi-Kazar
79721196a8
fix(server): wrap credentials in the correct Dial option
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2021-12-19 15:41:15 +01:00
Stephen Augustus
243661155e
server: grpc.WithInsecure is now insecure.NewCredentials()
Signed-off-by: Stephen Augustus <foo@auggie.dev>
2021-12-17 19:39:03 -05:00
Maksim Nabokikh
9d3471e39b
Merge pull request #2026 from flant/ldap-groups-user-matcher-warning
chore: warning about deprecated LDAP groupSearch fields
2021-12-11 13:26:30 +04:00
Maksim Nabokikh
ac02fb04cf
Merge pull request #2344 from flant/invalid_grant_claim_another_client
fix: return invalid_grant error on claiming token of another client
2021-12-08 17:30:52 +04:00
Maksim Nabokikh
ca615f7ad7
Update server/refreshhandlers.go
Co-authored-by: Márk Sági-Kazár <sagikazarmark@users.noreply.github.com>
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-12-08 09:13:24 +04:00
m.nabokikh
578cb05f7b
fix: return invalid_grant error on claiming token of another client
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-12-05 23:45:52 +04:00
Joshua Winters
9284ffb8c0
Add generic oauth connector
Co-authored-by: Shash Reddy <sreddy@pivotal.io>
Signed-off-by: Joshua Winters <jwinters@pivotal.io>
2021-11-17 15:06:53 -05:00
copperyp
5854dd192d
using path.Join to replace filepath.Join
Signed-off-by: copperyp <copperyp@gmail.com>
2021-10-27 14:44:26 +08:00
copperyp
a1c1076137
fix web static file path slash error for win platform
Signed-off-by: copperyp <copperyp@gmail.com>
2021-10-23 12:13:55 +08:00
Maksim Nabokikh
84b241721e
Merge pull request #2300 from flant/do-not-update-offline-session-last-time
fix: do not update offlinesession lastUsed field if refresh token was not updated
2021-10-21 20:23:45 +04:00
Márk Sági-Kazár
18311aa44d
Merge pull request #2234 from enj/enj/i/password_grant_access_token
Return valid JWT access token from password grant
2021-10-21 17:42:33 +02:00
m.nabokikh
9fad0602ec
fix: do not update offlinesession lastUsed field if refresh token was not changed
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-10-19 01:16:34 +04:00
Bob Callaway
2e0041f95f
ensure template does not double-escape URL
Signed-off-by: Bob Callaway <bob.callaway@gmail.com>
2021-10-06 10:16:55 -04:00
Márk Sági-Kazár
67ba7a1c70
Merge pull request #2265 from ariary/master
Add parametrization of grant type supported in discovery endpoint
2021-10-06 15:54:17 +02:00
ariary
7bc966217d
sort grant type supported
Signed-off-by: ariary <ariary9.2@hotmail.fr>
2021-10-06 08:29:14 -04:00
Bob Callaway
8fd69c16f5
correctly handle path escaping for connector IDs
Signed-off-by: Bob Callaway <bob.callaway@gmail.com>
2021-10-01 16:04:34 -04:00
Eng Zer Jun
f0186ff265
refactor: move from io/ioutil to io and os package
The io/ioutil package has been deprecated as of Go 1.16, see
https://golang.org/doc/go1.16#ioutil. This commit replaces the existing
io/ioutil functions with their new definitions in io and os packages.
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2021-09-17 14:12:39 +08:00
ariary
c6f6dd69e9
lint comment
Signed-off-by: ariary <ariary9.2@hotmail.fr>
2021-09-15 03:58:27 -04:00
kali
1497e70225
Add parametrization of grant type supported in discovery endpoint
Signed-off-by: ariary <ariary9.2@hotmail.fr>
2021-09-03 05:50:59 -04:00
Monis Khan
3009ae3b5d
Return valid JWT access token from password grant
This change updates the password grant handler to issue a valid JWT
access token instead of just returning a random value as the access
token. This makes it possible to use the access token against the
user info endpoint.
Signed-off-by: Monis Khan <i@monis.app>
2021-08-11 14:57:58 -04:00
Maksim Nabokikh
3fac2ab6bc
Merge pull request #1862 from tkleczek/fix-rfc-errors
Improve auth flow error handling
2021-08-03 00:34:54 +04:00
Tomasz Kleczek
4ffaa60d21
Improve auth flow error handling
Signed-off-by: Tomasz Kleczek <tomasz.kleczek@gmail.com>
2021-07-21 09:33:39 +02:00
Henning
138364ceeb
handlePasswordGrant: insert connectorData into OfflineSession (#2199)
* handlePasswordGrant: insert connectorData into OfflineSession
This change will insert the ConnectorData from the initial Login
into the OfflineSession, as already done in handlePasswordLogin.
Signed-off-by: Henning Surmeier <h.surmeier@mittwald.de>
2021-07-21 00:05:35 +04:00
Mark Sagi-Kazar
ceb4324c18
test: quick fix flaky test
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2021-06-28 23:30:14 +02:00
Márk Sági-Kazár
f6904c38ef
Merge pull request #1865 from WorldProgrammingLtd/fix-1849
fix: defer creation of auth request.
2021-06-25 19:05:41 +02:00
m.nabokikh
21a01ee811
Add sprig v3 functions to web templates
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-06-02 11:11:45 +04:00
m.nabokikh
4b54433ec2
Bump golangci-lint version to 1.40.1
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-05-27 19:27:06 +04:00
Mark Sagi-Kazar
0bef10ef80
chore(deps): update gosundheit
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2021-05-26 14:50:35 +02:00
m.nabokikh
dea1d3383c
Deprecation warning log message
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-05-24 19:40:28 +04:00
Alastair Houghton
cd0c24ec4d
fix: add an extra endpoint to avoid refresh generating AuthRequests.
By adding an extra endpoint and a redirect, we can avoid a situation
where it's trivially easy to generate a large number of AuthRequests
by hitting F5/refresh in the browser.
Signed-off-by: Alastair Houghton <alastair@alastairs-place.net>
2021-05-21 11:42:52 +01:00
Alastair Houghton
030a6459d6
fix: reinstate TestHandleAuthCode.
Reinstating this test as it shouldn't have been removed.
Signed-off-by: Alastair Houghton <alastair@alastairs-place.net>
2021-05-21 11:24:30 +01:00
Alastair Houghton
88025b3d7c
fix: remove some additional dependencies.
Accidentally added some of these back during merge.
Signed-off-by: Alastair Houghton <alastair@alastairs-place.net>
2021-05-21 11:24:30 +01:00
Alastair Houghton
0284a4c3c9
fix: back link on password page needs to be explicit.
The back link on the password page was using JavaScript to tell the
browser to navigate back, which won't work if the user has entered a
set of incorrect log-in details. Fix this by using an explicit URL
instead.
Fixes #1851
Signed-off-by: Alastair Houghton <alastair@alastairs-place.net>
2021-05-21 11:24:30 +01:00
Alastair Houghton
cdbb5dd94d
fix: defer creation of auth request.
Rather than creating the auth request when the user hits /auth, pass
the arguments through to /auth/{connector} and have the auth request
created there. This prevents a database error when using the "Select
another login method" link, and also avoids a few other error cases.
Fixes #1849, #646.
Signed-off-by: Alastair Houghton <alastair@alastairs-place.net>
2021-05-21 11:24:23 +01:00
Maksim Nabokikh
20875c972e
Discard package "version" (#2107)
* Discard package "version"
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
* Inject api version
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
* Pass version arg to the dex API
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-05-18 00:55:24 +02:00
Márk Sági-Kazár
18d1f70cee
Merge pull request #1861 from concourse/pr/bcrypt-for-client-secret-sync
Use constant time comparison for client secret verification
2021-05-17 17:27:42 +02:00
Rui Yang
fe8085b886
remove client secret encryption option
constant time compare for client secret verification will be kept
Signed-off-by: Rui Yang <ruiya@vmware.com>
2021-05-17 10:16:50 -04:00
Rui Yang
ecea593ddd
fix a bug in hash comparison function
the client secret coming in should be hashed and the one in storage
is the one in plaintext
Signed-off-by: Rui Yang <ruiya@vmware.com>
2021-05-14 13:32:27 -04:00