Commit Graph

136 Commits

Author SHA1 Message Date
Kyle Larose
ab5ea03025
handlers: do not fail login if refresh token gone
There is a chance that offline storage could fall out of sync with the
refresh token tables. One example is if dex crashes/is stopped in the
middle of handling a login request. If the old refresh token associated
with the offline session is deleted, and then the process stops, the
offline session will still refer to the old token.

Unfortunately, if this case occurs, there is no way to recover from it,
since further logins will be halted due to dex being unable to clean up
the old tokens till referenced in the offline session: the database is
essentially corrupted.

There doesn't seem to be a good reason to fail the auth request if the
old refresh token is gone. This changes the logic in `handleAuthCode` to
not fail the entire transaction if the old refresh token could not be
deleted because it was not present. This has the effect of installing
the new refresh token, and unpdating the offline storage, thereby fixing
the issue, however it occured.
2020-03-18 12:56:37 -04:00
Rui Yang
0f9a74f1d0 Remove uneccesary client verification 2020-01-10 14:52:57 -05:00
Zach Brown
13be146d2a Add support for password grant #926 2020-01-10 13:18:09 -05:00
Márk Sági-Kazár
789272a0c1
Merge pull request #1576 from flant/icons-proposal
Pick icons on login screen by connector type instead of ID
2019-12-23 13:05:19 +01:00
m.nabokikh
058e72ef50 Pick icons on login screen by connector type instead of ID
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2019-12-23 12:38:22 +04:00
Mark Sagi-Kazar
f141f2133b
Fix whitespace 2019-12-18 15:56:12 +01:00
Mark Sagi-Kazar
367b187cf4
Fix missspell 2019-12-18 15:51:44 +01:00
Joel Speed
c4e96dda32
Fix migration of old connector data 2019-11-19 15:43:23 +00:00
Joel Speed
d9095073c8
Unindent session updates on finalizeLogin 2019-11-19 15:43:22 +00:00
Joel Speed
19ad7daa7f
Use old ConnectorData before session.ConnectorData 2019-11-19 15:43:19 +00:00
Joel Speed
176ba709a4
Revert "Remove connectordata from other structs"
This reverts commit 27f33516db343bd79b56a47ecef0fe514a35082d.
2019-11-19 15:43:14 +00:00
Joel Speed
4076eed17b
Build opts based on scope 2019-11-19 15:43:11 +00:00
Joel Speed
5c88713177
Remove connectordata from other structs 2019-11-19 15:43:03 +00:00
Joel Speed
0352258093
Update handleRefreshToken logic 2019-11-19 15:43:01 +00:00
Joel Speed
575c792156
Store most recent refresh token in offline sessions 2019-11-19 15:40:56 +00:00
serhiimakogon
b793afd375 preferred_username claim added on refresh token 2019-11-19 16:27:34 +02:00
Nándor István Krácser
0b55f121b4
Fix missing email in log message
Co-Authored-By: Felix Fontein <ff@dybuster.com>
2019-10-30 13:13:33 +01:00
Nandor Kracser
c1b421fa04 add preffered_username to idToken
Signed-off-by: Nandor Kracser <bonifaido@gmail.com>
2019-10-30 13:06:37 +01:00
Yannis Zarkadas
839130f01c handlers: change all handlers to pass down http request
Signed-off-by: Yannis Zarkadas <yanniszark@arrikto.com>
2019-10-02 17:08:06 +03:00
Nandor Kracser
bd61535cb6 connector/ldap: display login error 2019-08-22 15:55:05 +02:00
Stephan Renatus
e1afe771cb
Merge pull request #1505 from MarcDufresne/show-login-page
Add option to always display connector selection even if there's only one
2019-08-07 09:23:42 +02:00
Marc-André Dufresne
0dbb642f2c
Add option to always display connector selection even if there's only one 2019-08-06 13:18:46 -04:00
Mike O
d03a43335e Return HTTP 400 for invalid state parameter 2019-08-01 16:22:53 -07:00
Stephan Renatus
8561a66365
server/{handler,oauth2}: cleanup error returns
Now, we'll return a standard error, and have the caller act upon this
being an instance of authErr.

Also changes the storage.AuthRequest return to a pointer, and returns
nil in error cases.

Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-07-25 13:40:06 +02:00
LanceH
07a77e0dac Use connector_id param to skip directly to a specific connector 2019-07-22 10:47:11 -05:00
Andy Lindeman
5b66bf05c8 Fixed shadowed variable declaration 2019-06-27 19:12:18 -04:00
Andy Lindeman
21174c06a1 Remove comment
We have a story around user info now
2019-06-24 09:42:46 -04:00
Andy Lindeman
46f5726d11 Use oidc.Verifier to verify tokens 2019-06-22 13:18:35 -04:00
mdbraber
3dd1bac821 Fix comments 2019-06-05 22:14:31 +02:00
Maarten den Braber
74f4e749b9 Formatting 2019-06-05 22:14:31 +02:00
Maarten den Braber
d7750b1e26 Fix changes 2019-06-05 22:14:31 +02:00
Maarten den Braber
a8d059a237 Add userinfo endpoint
Co-authored-by: Yuxing Li <360983+jackielii@users.noreply.github.com>
Co-authored-by: Francisco Santiago <1737357+fjbsantiago@users.noreply.github.com>
2019-06-05 22:11:21 +02:00
Tomas Barton
55cebd58a8
print appropriate error 2019-05-03 14:19:54 +02:00
Eric Chiang
8935a1479c server: update health check endpoint to query storage periodically
Instead of querying the storage every time a health check is performed
query it periodically and save the result.
2019-02-04 19:02:41 +00:00
Haines Chan
b78b8aeee0 Replace "GET", "POST" to http.MethodGet and http.MethodPost 2018-12-27 16:27:36 +08:00
Maximilian Gaß
468c74d1d2 Make expiry of auth requests configurable 2018-12-13 11:50:34 +01:00
Alexander Matyushentsev
ff8b44558e Issue #1263 - Render error message provided by connector if user authentication failed 2018-11-13 15:44:28 -08:00
Stephan Renatus
b9f6594bf0 *: github.com/coreos/dex -> github.com/dexidp/dex
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2018-09-05 17:57:08 +02:00
Stephan Renatus
f013a44581 handlers/connector_login: check before update (optimization)
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2017-12-11 08:32:22 +01:00
Stephan Renatus
f18d7afc6f handlers/connector_login: update AuthRequest irregardless of method
Before, you could not POST your credentials to a password-connector's
endpoint without GETing that endpoint first. While this makes sense for
browser clients; automated interactions with Dex don't need to look at
the password form to fill it in.

A symptom of that missing GET was that the POST succeeded (!) with

    login successful: connector "", username="admin", email="admin@example.com", groups=[]

Note the connector "". A subsequent call to finalizeLogin would then
fail with

    connector with ID "" not found: failed to get connector object from storage: not found

Now, the connector ID of an auth request will be updated for both GETs
and POSTs.

Signed-off-by: Stephan Renatus <srenatus@chef.io>
2017-12-08 11:49:52 +01:00
Kazumasa Kohtaka
9948228e5b Set a proper status code before sending an error status page 2017-12-01 14:23:45 +09:00
Stephan Renatus
41f663f70c show "back" link for password connectors
This way, the user who has selected, say, "Log in with Email" can make up
their mind, and select a different connector instead.

However, if there's only one connector set up, none of this makes sense -- and
the link will thus not be displayed.

Signed-off-by: Stephan Renatus <srenatus@chef.io>
2017-11-13 08:39:59 +01:00
Stephan Renatus
b09a13458f password connectors: allow overriding the username attribute (password prompt)
This allows users of the LDAP connector to give users of Dex' login
prompt an idea of what they should enter for a username.

Before, irregardless of how the LDAP connector was set up, the prompt
was

    Username
    [_________________]

    Password
    [_________________]

Now, this is configurable, and can be used to say "MyCorp SSO Login" if
that's what it is.

If it's not configured, it will default to "Username".

For the passwordDB connector (local users), it is set to "Email
Address", since this is what it uses.

Signed-off-by: Stephan Renatus <srenatus@chef.io>
2017-11-09 09:30:03 +01:00
Michael Stapelberg
a41d93db4a Implement the “authproxy” connector (for Apache2 mod_auth etc.) 2017-10-25 21:53:51 +02:00
Eric Chiang
aad328bb35 *: add log events for login, LDAP queries, and SAML responses 2017-08-11 12:00:06 -07:00
rithu john
8c9c2518f5 server: account for dynamically changing connector object in storage. 2017-04-25 09:19:02 -07:00
Eric Chiang
5f377f07d4 *: promote SAML to stable
This means we no longer refer to it as "experimental" and wont make
breaking changes.
2017-04-11 10:09:48 -07:00
rithu john
59502850f0 connector: Connectors without a RefreshConnector should not return a refresh token instead of erroring 2017-03-23 14:56:34 -07:00
Eric Chiang
50b223a9db *: validate InResponseTo SAML response field and make issuer optional 2017-03-22 13:02:44 -07:00
Eric Chiang
33f0199077 *: fix spelling using github.com/client9/misspell 2017-03-20 09:16:56 -07:00
rithu john
d201e49248 api: adding a gRPC call for listing refresh tokens. 2017-02-13 16:12:16 -08:00
rithu john
d928ac0677 storage: Add OfflineSession object to backend storage. 2017-02-09 19:01:28 -08:00
Eric Chiang
72a431dd4b {web,server}: use html/template and reduce use of auth request ID
Switch from using "text/template" to "html/template", which provides
basic XSS preventions. We haven't identified any particular place
where unsanitized user data is rendered to the frontend. This is
just a preventative step.

At the same time, make more templates take pure URL instead of
forming an URL themselves using an "authReqID" argument. This will
help us stop using the auth req ID in certain places, preventing
garbage collection from killing login flows that wait too long at
the login screen.

Also increase the login session window (time between initial
redirect and the user logging in) from 30 minutes to 24 hours,
and display a more helpful error message when the session expires.

How to test:

1. Spin up dex and example with examples/config-dev.yaml.
2. Login through both the password prompt and the direct redirect.
3. Edit examples/config-dev.yaml removing the "connectors" section.
4. Ensure you can still login with a password.

(email/password is "admin@example.com" and "password")
2017-02-02 11:11:00 -08:00
Simon HEGE
415a68f977 Allow CORS on keys and token endpoints 2017-01-14 21:15:51 +01:00
Eric Chiang
1eda382789 server: add at_hash claim support
The "at_hash" claim, which provides hash verification for the
"access_token," is a required claim for implicit and hybrid flow
requests. Previously we did not include it (against spec). This
PR implements the "at_hash" logic and adds the claim to all
responses.

As a cleanup, it also moves some JOSE signing logic out of the
storage package and into the server package.

For details see:

https://openid.net/specs/openid-connect-core-1_0.html#ImplicitIDToken
2017-01-13 10:05:24 -08:00
Eric Chiang
f778b2d33b server: update refresh tokens instead of deleting and creating another
The server implements a strategy called "Refresh Token Rotation" to
ensure refresh tokens can only be claimed once.

ref: https://tools.ietf.org/html/rfc6819#section-5.2.2.3

Previously "refresh_token" values in token responses where just the
ID of the internal refresh object. To implement rotation, when a
client redeemed a refresh token, the object would be deleted, a new
one created, and the new ID returned as the new "refresh_token".

However, this means there was no consistent ID for refresh tokens
internally, making things like foreign keys very hard to implement.
This is problematic for revocation features like showing all the
refresh tokens a user or client has out.

This PR updates the "refresh_token" to be an encoded protobuf
message, which holds the internal ID and a nonce. When a refresh
token is used, the nonce is updated to prevent reuse, but the ID
remains the same. Additionally it adds the timestamp of each
token's last use.
2017-01-11 12:07:48 -08:00
Eric Chiang
c66cce8b40 Merge pull request #766 from ericchiang/implicit-flow
server: fixes for the implicit and hybrid flow
2017-01-10 16:50:29 -08:00
Eric Chiang
f926d74157 server: fixes for the implicit and hybrid flow
Accept the following response_type for the implicit flow:

    id_token
    token id_token

And the following for hybrid flow

    code id_token
    code token
    code token id_token

This corrects the previous behavior of the implicit flow, which
only accepted "token" (now correctly rejected).
2017-01-10 16:20:17 -08:00
Eric Chiang
0f4a1f69c5 *: wire up SAML POST binding 2017-01-09 18:30:58 -08:00
Simon HEGE
b4c47910e4 Allow CORS on discovery endpoint 2017-01-08 19:22:39 +01:00
rithu john
75aa1c67ce server: add error HTML templates with error description. 2016-12-16 10:42:54 -08:00
rithu john
9949a1313c server: modify error messages to use logrus. 2016-12-13 11:52:44 -08:00
Eric Chiang
952e0f81f5 connector: add RefreshConnector interface 2016-11-22 12:53:46 -08:00
Phu Kieu
35180a72f1 Enable groups scope 2016-11-18 13:13:32 -08:00
Eric Chiang
12a5c0ada3 server: use seconds instead of nano seconds for expires_in and expiry 2016-11-04 17:00:10 -07:00
Eric Chiang
d7912a3a97 Merge pull request #638 from ericchiang/dev-share-a-single-callback
*: allow call connectors to share a single a single callback
2016-10-27 16:59:04 -07:00
Eric Chiang
7c2289e0de *: rename internally used "state" form value to "req"
"state" means something specific to OAuth2 and SAML so we don't
want to confuse developers who are working on this.

Also don't use "session" which could easily be confused with HTTP
cookies.
2016-10-27 10:26:01 -07:00
Eric Chiang
a3235d022a *: verify "state" field before passing request to callback connectors
Let the server handle the state token instead of the connector. As a
result it can throw out bad requests earlier. It can also use that
token to determine which connector was used to generate the request
allowing all connectors to share the same callback URL.

Callbacks now all look like:

    https://dex.example.com/callback

Instead of:

    https://dex.example.com/callback/(connector id)

Even when multiple connectors are being used.
2016-10-27 10:23:09 -07:00
Lucas Serven
5c498ae4df server/handlers: fix Cache-Control header
fixes: #636

This commit addresses a problem where the `max-age` value is being set
in nanoseconds as opposed to seconds, as required by the specification.
2016-10-26 14:58:18 -07:00
Eric Chiang
7084a801d7 *: port oob template 2016-10-19 12:45:17 -07:00
Eric Chiang
5bec61d73f Merge pull request #602 from ericchiang/dev-add-garbage-collect-method-to-storage
dev branch: add garbage collect method to storage
2016-10-12 22:08:53 -07:00
Eric Chiang
3e20a080fe server: fix auth request expiry 2016-10-12 18:51:13 -07:00
Eric Chiang
2834da443f server: allow extra spaces in scopes
go-oidc sends an extra space before the list of scopes. This is bad
but we have to support it, so we'll be more lenient and ignore
duplicated whitespace.
2016-10-12 15:37:12 -07:00
Eric Chiang
ac6e419d48 server: add tests for refreshing with explicit scopes 2016-10-10 11:02:27 -07:00
Eric Chiang
e873a31b21 server: add health check endpoint 2016-10-04 17:20:17 -07:00
Eric Chiang
82a55cf785 {server,storage}: add LoggedIn flag to AuthRequest and improve storage docs
Currently, whether or not a user has authenticated themselves through
a connector is indicated by a pointer being nil or non-nil. Instead
add an explicit flag that marks this.
2016-09-30 22:40:04 -07:00
Eric Chiang
608d8ba984 *: switch dex to the ported templates 2016-09-05 17:25:39 -07:00
Eric Chiang
571024182d *: set response types supported in discovery based on server config 2016-08-25 16:18:09 -07:00
Eric Chiang
c113df961a *: support the implicit flow 2016-08-24 11:21:39 -07:00
Eric Chiang
c33ad3e0f3 server: fix oauth2 values and remove unused code 2016-08-24 11:14:38 -07:00
Eric Chiang
bfe560ee21 rename 2016-08-10 22:31:42 -07:00
Eric Chiang
235ae9c3c4 server: update discovery to include offline_access scope 2016-08-08 19:10:32 -07:00
Eric Chiang
53d1be4a87 *: load static clients from config file 2016-08-05 09:54:03 -07:00
Eric Chiang
3110f45c3d *: lots of renaming 2016-08-02 21:57:36 -07:00
Eric Chiang
f4c5722e42 *: connectors use a different identity object than storage 2016-08-02 21:20:18 -07:00
Eric Chiang
cab271f304 initial commit 2016-07-26 15:51:24 -07:00