k-space/dex
Archived
11
0
Fork 0
Code Issues Pull Requests Packages Projects Activity
1,916 Commits 1 Branch 0 Tags
93b32c3500f0f169b708af8e7b0b3a87f0347bd0
Commit Graph

313 Commits

Author SHA1 Message Date
Maksim Nabokikh
9d3471e39b Merge pull request #2026 from flant/ldap-groups-user-matcher-warning 
chore: warning about deprecated LDAP groupSearch fields
 2021-12-11 13:26:30 +04:00
Maksim Nabokikh
ac02fb04cf Merge pull request #2344 from flant/invalid_grant_claim_another_client 
fix: return invalid_grant error on claiming token of another client
 2021-12-08 17:30:52 +04:00
Maksim Nabokikh
ca615f7ad7 Update server/refreshhandlers.go 
Co-authored-by: Márk Sági-Kazár <sagikazarmark@users.noreply.github.com>
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
 2021-12-08 09:13:24 +04:00
m.nabokikh
578cb05f7b fix: return invalid_grant error on claiming token of another client 
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
 2021-12-05 23:45:52 +04:00
Joshua Winters
9284ffb8c0 Add generic oauth connector 
Co-authored-by: Shash Reddy <sreddy@pivotal.io>
Signed-off-by: Joshua Winters <jwinters@pivotal.io>
 2021-11-17 15:06:53 -05:00
copperyp
5854dd192d using path.Join replace filepath.Join 
Signed-off-by: copperyp <copperyp@gmail.com>
 2021-10-27 14:44:26 +08:00
copperyp
a1c1076137 fix web static file path slash error for win platform 
Signed-off-by: copperyp <copperyp@gmail.com>
 2021-10-23 12:13:55 +08:00
Maksim Nabokikh
84b241721e Merge pull request #2300 from flant/do-not-update-offline-session-last-time 
fix: do not update offlinesession lastUsed field if refresh token was not updated
 2021-10-21 20:23:45 +04:00
Márk Sági-Kazár
18311aa44d Merge pull request #2234 from enj/enj/i/password_grant_access_token 
Return valid JWT access token from password grant
 2021-10-21 17:42:33 +02:00
m.nabokikh
9fad0602ec fix: do not update offlinesession lastUsed field if refresh token was not change 
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
 2021-10-19 01:16:34 +04:00
Márk Sági-Kazár
67ba7a1c70 Merge pull request #2265 from ariary/master 
Add parametrization of grant type supported in discovery endpoint
 2021-10-06 15:54:17 +02:00
ariary
7bc966217d sort grant type supported 
Signed-off-by: ariary <ariary9.2@hotmail.fr>
 2021-10-06 08:29:14 -04:00
Eng Zer Jun
f0186ff265 refactor: move from io/ioutil to io and os package 
The io/ioutil package has been deprecated as of Go 1.16, see
https://golang.org/doc/go1.16#ioutil. This commit replaces the existing
io/ioutil functions with their new definitions in io and os packages.

Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
 2021-09-17 14:12:39 +08:00
ariary
c6f6dd69e9 lint comment 
Signed-off-by: ariary <ariary9.2@hotmail.fr>
 2021-09-15 03:58:27 -04:00
kali
1497e70225 Add parametrization of grant type supported in discovery endpoint 
Signed-off-by: ariary <ariary9.2@hotmail.fr>
 2021-09-03 05:50:59 -04:00
Monis Khan
3009ae3b5d Return valid JWT access token from password grant 
This change updates the password grant handler to issue a valid JWT
access token instead of just returning a random value as the access
token.  This makes it possible to use the access token against the
user info endpoint.

Signed-off-by: Monis Khan <i@monis.app>
 2021-08-11 14:57:58 -04:00
Maksim Nabokikh
3fac2ab6bc Merge pull request #1862 from tkleczek/fix-rfc-errors 
Improve auth flow error handling
 2021-08-03 00:34:54 +04:00
Tomasz Kleczek
4ffaa60d21 Improve auth flow error handling 
Signed-off-by: Tomasz Kleczek <tomasz.kleczek@gmail.com>
 2021-07-21 09:33:39 +02:00
Henning
138364ceeb handlePasswordGrant: insert connectorData into OfflineSession (#2199) 
* handlePasswordGrant: insert connectorData into OfflineSession

This change will insert the ConnectorData from the initial Login
into the OfflineSession, as already done in handlePasswordLogin.

Signed-off-by: Henning Surmeier <h.surmeier@mittwald.de>
 2021-07-21 00:05:35 +04:00
Mark Sagi-Kazar
ceb4324c18 test: quick fix flaky test 
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
 2021-06-28 23:30:14 +02:00
Márk Sági-Kazár
f6904c38ef Merge pull request #1865 from WorldProgrammingLtd/fix-1849 
fix: defer creation of auth request.
 2021-06-25 19:05:41 +02:00
m.nabokikh
21a01ee811 Add sprig v3 functions to web templates 
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
 2021-06-02 11:11:45 +04:00
m.nabokikh
4b54433ec2 Bump golag-ci lint version to 1.40.1 
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
 2021-05-27 19:27:06 +04:00
Mark Sagi-Kazar
0bef10ef80 chore(deps): update gosundheit 
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
 2021-05-26 14:50:35 +02:00
m.nabokikh
dea1d3383c Deprecation warning log message 
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
 2021-05-24 19:40:28 +04:00
Alastair Houghton
cd0c24ec4d fix: add an extra endpoint to avoid refresh generating AuthRequests. 
By adding an extra endpoint and a redirect, we can avoid a situation
where it's trivially easy to generate a large number of AuthRequests
by hitting F5/refresh in the browser.

Signed-off-by: Alastair Houghton <alastair@alastairs-place.net>
 2021-05-21 11:42:52 +01:00
Alastair Houghton
030a6459d6 fix: reinstate TestHandleAuthCode. 
Reinstating this test as it shouldn't have been removed.

Signed-off-by: Alastair Houghton <alastair@alastairs-place.net>
 2021-05-21 11:24:30 +01:00
Alastair Houghton
88025b3d7c fix: remove some additional dependencies. 
Accidentally added some of these back during merge.

Signed-off-by: Alastair Houghton <alastair@alastairs-place.net>
 2021-05-21 11:24:30 +01:00
Alastair Houghton
0284a4c3c9 fix: back link on password page needs to be explicit. 
The back link on the password page was using Javascript to tell the
browser to navigate back, which won't work if the user has entered a
set of incorrect log-in details.  Fix this by using an explicit URL
instead.

Fixes #1851

Signed-off-by: Alastair Houghton <alastair@alastairs-place.net>
 2021-05-21 11:24:30 +01:00
Alastair Houghton
cdbb5dd94d fix: defer creation of auth request. 
Rather than creating the auth request when the user hits /auth, pass
the arguments through to /auth/{connector} and have the auth request
created there.  This prevents a database error when using the "Select
another login method" link, and also avoids a few other error cases.

Fixes #1849, #646.

Signed-off-by: Alastair Houghton <alastair@alastairs-place.net>
 2021-05-21 11:24:23 +01:00
Maksim Nabokikh
20875c972e Discard package "version" (#2107) 
* Discard package "version"

Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>

* Inject api version

Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>

* Pass version arg to the dex API

Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
 2021-05-18 00:55:24 +02:00
Márk Sági-Kazár
18d1f70cee Merge pull request #1861 from concourse/pr/bcrypt-for-client-secret-sync 
Use constant time comparison for client secret verification
 2021-05-17 17:27:42 +02:00
Rui Yang
fe8085b886 remove client secret encryption option 
constant time compare for client secret verification will be kept

Signed-off-by: Rui Yang <ruiya@vmware.com>
 2021-05-17 10:16:50 -04:00
Rui Yang
ecea593ddd fix a bug in hash comparison function 
the client secret coming in should be hashed and the one in storage
is the one in plaintext

Signed-off-by: Rui Yang <ruiya@vmware.com>
 2021-05-14 13:32:27 -04:00
Márk Sági-Kazár
94a2b3ed87 Merge pull request #2010 from flant/switch-device-token-endpoint-to-token 
fix: use /token endpoint to get tokens with device flow
 2021-05-01 13:24:55 +02:00
Márk Sági-Kazár
551229a986 Merge pull request #1846 from flant/refresh-token-expiration-policy 
feat: Add refresh token expiration and rotation settings
 2021-04-24 11:03:40 +02:00
Mark Sagi-Kazar
95796b04a3 chore(deps): upgrade protobuf and grpc 
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
 2021-03-24 19:17:26 +01:00
Mark Sagi-Kazar
d25051c867 chore(deps): upgrade protobuf in server/internal package 
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
 2021-03-22 19:27:47 +01:00
Mark Sagi-Kazar
d1e8b085e2 feat: use embedded assets by default 
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
 2021-03-22 15:44:03 +01:00
Rui Yang
2f28fc7451 default to ./web when Dir and WebFS are not set 
update WebFS doc

Signed-off-by: Rui Yang <ruiya@vmware.com>
Co-authored-by: Aidan Oldershaw <aoldershaw@pivotal.io>
 2021-03-20 20:05:59 +00:00
Rui Yang
4e569024fd use go 1.16 new package io/fs 
Unify the interface for reading web statics. Now it could read an
OS directory or get the content on live

One could use

//go:embed static
var webFiles embed.FS

anywhere and config dex server to take the file system by setting

WebConfig{WebFS: webFiles}

Signed-off-by: Rui Yang <ruiya@vmware.com>
Co-authored-by: Aidan Oldershaw <aoldershaw@pivotal.io>
 2021-03-20 20:05:59 +00:00
Rui Yang
7b50cbf0ac use pkger for embedding static contents 
Co-authored-by: Vikram Yadav <vyadav@pivotal.io>
Signed-off-by: Rui Yang <ruiya@vmware.com>
 2021-03-20 20:05:59 +00:00
Rui Yang
1eab25f89f use web host url for asset hosting 
Signed-off-by: Rui Yang <ruiya@vmware.com>
Co-authored-by: Aidan Oldershaw <aoldershaw@pivotal.io>
 2021-03-20 20:05:59 +00:00
Rui Yang
10e9054811 Use http.FileSystem for web assets 
Signed-off-by: Rui Yang <ryang@pivotal.io>
Co-authored-by: Aidan Oldershaw <aoldershaw@pivotal.io>
 2021-03-20 20:05:59 +00:00
Rui Yang
d658c24e8f add dex config flag for enabling client secret encryption 
* if enabled, it will make sure client secret is bcrypted correctly
* if not, it falls back to old behaviour that allowing empty client
secret and comparing plain text, though now it will do
ConstantTimeCompare to avoid a timing attack.

So in either way it should provide more secure of client secret
verification.

Co-authored-by: Alex Surraci <suraci.alex@gmail.com>
Signed-off-by: Rui Yang <ruiya@vmware.com>
 2021-03-20 20:05:56 +00:00
Josh Winters
ec6f3a2f19 use bcrypt when comparing client secrets 
- this assumes that the client is already bcrytped
when passed to dex. Similar to user passwords.

Signed-off-by: Josh Winters <jwinters@pivotal.io>
Co-authored-by: Vikram Yadav <vyadav@pivotal.io>
 2021-03-20 20:05:56 +00:00
Maksim Nabokikh
568fc06520 Update server/refreshhandlers.go 
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
 2021-03-09 09:41:41 +04:00
m.nabokikh
3bd0e91a68 Make /device/token deprecation warning more concise 
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
 2021-02-25 11:53:25 +04:00
m.nabokikh
9ed5cc00cf Add deprecation warning for /device/token endpoint 
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
 2021-02-24 17:14:28 +04:00
m.nabokikh
1211a86d58 fix: use /token endpoint to get tokens with device flow 
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
 2021-02-24 16:03:25 +04:00