Commit Graph

134 Commits

Author SHA1 Message Date
Eric Chiang
72a431dd4b {web,server}: use html/template and reduce use of auth request ID
Switch from using "text/template" to "html/template", which provides
basic XSS preventions. We haven't identified any particular place
where unsanitized user data is rendered to the frontend. This is
just a preventative step.

At the same time, make more templates take pure URL instead of
forming an URL themselves using an "authReqID" argument. This will
help us stop using the auth req ID in certain places, preventing
garbage collection from killing login flows that wait too long at
the login screen.

Also increase the login session window (time between initial
redirect and the user logging in) from 30 minutes to 24 hours,
and display a more helpful error message when the session expires.

How to test:

1. Spin up dex and example with examples/config-dev.yaml.
2. Login through both the password prompt and the direct redirect.
3. Edit examples/config-dev.yaml removing the "connectors" section.
4. Ensure you can still login with a password.

(email/password is "admin@example.com" and "password")
2017-02-02 11:11:00 -08:00
Simon HEGE
415a68f977 Allow CORS on keys and token endpoints 2017-01-14 21:15:51 +01:00
Eric Chiang
1eda382789 server: add at_hash claim support
The "at_hash" claim, which provides hash verification for the
"access_token," is a required claim for implicit and hybrid flow
requests. Previously we did not include it (against spec). This
PR implements the "at_hash" logic and adds the claim to all
responses.

As a cleanup, it also moves some JOSE signing logic out of the
storage package and into the server package.

For details see:

https://openid.net/specs/openid-connect-core-1_0.html#ImplicitIDToken
2017-01-13 10:05:24 -08:00
Eric Chiang
f778b2d33b server: update refresh tokens instead of deleting and creating another
The server implements a strategy called "Refresh Token Rotation" to
ensure refresh tokens can only be claimed once.

ref: https://tools.ietf.org/html/rfc6819#section-5.2.2.3

Previously "refresh_token" values in token responses where just the
ID of the internal refresh object. To implement rotation, when a
client redeemed a refresh token, the object would be deleted, a new
one created, and the new ID returned as the new "refresh_token".

However, this means there was no consistent ID for refresh tokens
internally, making things like foreign keys very hard to implement.
This is problematic for revocation features like showing all the
refresh tokens a user or client has out.

This PR updates the "refresh_token" to be an encoded protobuf
message, which holds the internal ID and a nonce. When a refresh
token is used, the nonce is updated to prevent reuse, but the ID
remains the same. Additionally it adds the timestamp of each
token's last use.
2017-01-11 12:07:48 -08:00
Eric Chiang
c66cce8b40 Merge pull request #766 from ericchiang/implicit-flow
server: fixes for the implicit and hybrid flow
2017-01-10 16:50:29 -08:00
Eric Chiang
f926d74157 server: fixes for the implicit and hybrid flow
Accept the following response_type for the implicit flow:

    id_token
    token id_token

And the following for hybrid flow

    code id_token
    code token
    code token id_token

This corrects the previous behavior of the implicit flow, which
only accepted "token" (now correctly rejected).
2017-01-10 16:20:17 -08:00
Eric Chiang
0f4a1f69c5 *: wire up SAML POST binding 2017-01-09 18:30:58 -08:00
Simon HEGE
b4c47910e4 Allow CORS on discovery endpoint 2017-01-08 19:22:39 +01:00
rithu john
75aa1c67ce server: add error HTML templates with error description. 2016-12-16 10:42:54 -08:00
rithu john
9949a1313c server: modify error messages to use logrus. 2016-12-13 11:52:44 -08:00
Eric Chiang
952e0f81f5 connector: add RefreshConnector interface 2016-11-22 12:53:46 -08:00
Phu Kieu
35180a72f1 Enable groups scope 2016-11-18 13:13:32 -08:00
Eric Chiang
12a5c0ada3 server: use seconds instead of nano seconds for expires_in and expiry 2016-11-04 17:00:10 -07:00
Eric Chiang
d7912a3a97 Merge pull request #638 from ericchiang/dev-share-a-single-callback
*: allow call connectors to share a single a single callback
2016-10-27 16:59:04 -07:00
Eric Chiang
7c2289e0de *: rename internally used "state" form value to "req"
"state" means something specific to OAuth2 and SAML so we don't
want to confuse developers who are working on this.

Also don't use "session" which could easily be confused with HTTP
cookies.
2016-10-27 10:26:01 -07:00
Eric Chiang
a3235d022a *: verify "state" field before passing request to callback connectors
Let the server handle the state token instead of the connector. As a
result it can throw out bad requests earlier. It can also use that
token to determine which connector was used to generate the request
allowing all connectors to share the same callback URL.

Callbacks now all look like:

    https://dex.example.com/callback

Instead of:

    https://dex.example.com/callback/(connector id)

Even when multiple connectors are being used.
2016-10-27 10:23:09 -07:00
Lucas Serven
5c498ae4df server/handlers: fix Cache-Control header
fixes: #636

This commit addresses a problem where the `max-age` value is being set
in nanoseconds as opposed to seconds, as required by the specification.
2016-10-26 14:58:18 -07:00
Eric Chiang
7084a801d7 *: port oob template 2016-10-19 12:45:17 -07:00
Eric Chiang
5bec61d73f Merge pull request #602 from ericchiang/dev-add-garbage-collect-method-to-storage
dev branch: add garbage collect method to storage
2016-10-12 22:08:53 -07:00
Eric Chiang
3e20a080fe server: fix auth request expiry 2016-10-12 18:51:13 -07:00
Eric Chiang
2834da443f server: allow extra spaces in scopes
go-oidc sends an extra space before the list of scopes. This is bad
but we have to support it, so we'll be more lenient and ignore
duplicated whitespace.
2016-10-12 15:37:12 -07:00
Eric Chiang
ac6e419d48 server: add tests for refreshing with explicit scopes 2016-10-10 11:02:27 -07:00
Eric Chiang
e873a31b21 server: add health check endpoint 2016-10-04 17:20:17 -07:00
Eric Chiang
82a55cf785 {server,storage}: add LoggedIn flag to AuthRequest and improve storage docs
Currently, whether or not a user has authenticated themselves through
a connector is indicated by a pointer being nil or non-nil. Instead
add an explicit flag that marks this.
2016-09-30 22:40:04 -07:00
Eric Chiang
608d8ba984 *: switch dex to the ported templates 2016-09-05 17:25:39 -07:00
Eric Chiang
571024182d *: set response types supported in discovery based on server config 2016-08-25 16:18:09 -07:00
Eric Chiang
c113df961a *: support the implicit flow 2016-08-24 11:21:39 -07:00
Eric Chiang
c33ad3e0f3 server: fix oauth2 values and remove unused code 2016-08-24 11:14:38 -07:00
Eric Chiang
bfe560ee21 rename 2016-08-10 22:31:42 -07:00
Eric Chiang
235ae9c3c4 server: update discovery to include offline_access scope 2016-08-08 19:10:32 -07:00
Eric Chiang
53d1be4a87 *: load static clients from config file 2016-08-05 09:54:03 -07:00
Eric Chiang
3110f45c3d *: lots of renaming 2016-08-02 21:57:36 -07:00
Eric Chiang
f4c5722e42 *: connectors use a different identity object than storage 2016-08-02 21:20:18 -07:00
Eric Chiang
cab271f304 initial commit 2016-07-26 15:51:24 -07:00