Commit Graph

252 Commits

Author SHA1 Message Date
Márk Sági-Kazár
9b1ecac0d9
Merge pull request #1952 from flant/auth-code-iinvalid-grant
fix: return invalid_grant error for invalid or expired auth codes
2021-02-10 15:50:18 +01:00
Márk Sági-Kazár
1c551fd86b
Merge pull request #1946 from flant/prealloc-unparam-sqlclosecheck
Enable unparam, prealloc, sqlclosecheck linters
2021-02-10 13:24:47 +01:00
m.nabokikh
d6b5105d9b fix: check code presence
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-01-25 18:50:36 +04:00
m.nabokikh
a7667dff38 fix: remove empty RefreshTokens
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-01-25 14:53:19 +04:00
Márk Sági-Kazár
f7156c26eb
Merge pull request #1956 from flant/request-not-supported
fix: unsupported request parameter error
2021-01-23 19:43:22 +01:00
Márk Sági-Kazár
186a719ecb
Merge pull request #1948 from flant/add-cache-headers
Add Cache-control headers to token responses
2021-01-23 14:13:51 +01:00
m.nabokikh
30a5dade0f fix: unsupported request parameter error
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-01-22 18:01:24 +04:00
m.nabokikh
123185c456 fix: return invalid_grant error for invalid or expired auth codes
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-01-21 01:31:38 +04:00
m.nabokikh
283a87855a fix: update auth methods and claims in discovery endpoint
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-01-20 15:15:30 +04:00
m.nabokikh
bb503dbd81 Use constants in errors
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-01-18 14:54:43 +04:00
m.nabokikh
a7978890c7 Add Cache-control headers to token responses
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-01-18 11:13:28 +04:00
m.nabokikh
b2e9f67edc Enable unparam, prealloc, sqlclosecheck linters
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-01-15 19:29:13 +04:00
Márk Sági-Kazár
afba7577bb
Merge pull request #1918 from flant/log-device-flow-gc
fix: log device flow entities GC result if no auth entities collected
2021-01-14 18:02:20 +01:00
Mark Sagi-Kazar
b8ac640c4f
Update oidc library
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2021-01-13 19:56:09 +01:00
Maksim Nabokikh
35da73de38
chore: add frontend section to dev config (#1913)
* chore: add frontend section to dev config

Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-01-12 19:20:38 +01:00
m.nabokikh
30c3d78365 fix: log device flow entities GC result if no auth entities collected
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-01-11 12:33:10 +04:00
Márk Sági-Kazár
01f7bf73a0
Merge pull request #1891 from jsoref/spelling
Spelling
2021-01-01 16:27:49 +01:00
m.nabokikh
1e88cca59a Make dark theme even darker, add fallback for legacy themes
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-12-22 11:07:28 +04:00
Josh Soref
5d659a108c spelling: templates
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
2020-12-19 22:53:29 -05:00
Josh Soref
43b95a2d28 spelling: signer
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
2020-12-19 22:53:29 -05:00
Josh Soref
22de6da60b spelling: signatures
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
2020-12-19 22:53:29 -05:00
Josh Soref
3f8fdbf314 spelling: rotator
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
2020-12-19 22:53:29 -05:00
Josh Soref
8476e5acc0 spelling: requested
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
2020-12-19 22:53:29 -05:00
Josh Soref
c79b40ad56 spelling: register
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
2020-12-19 22:53:29 -05:00
Josh Soref
91e153780d spelling: including
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
2020-12-19 22:53:26 -05:00
Josh Soref
8905fb4a65 spelling: existing
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
2020-12-19 22:53:21 -05:00
m.nabokikh
bcaddd4354 feat: Change default themes to light/dark
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-11-08 02:12:06 +04:00
Márk Sági-Kazár
170794725d
Merge pull request #1822 from faro-oss/feature/redirect-uris-for-public-clients
Allow public clients (e.g. SPAs using implicit flow or PKCE) to have redirect URLs other than localhost
2020-11-05 11:02:25 +01:00
Mark Sagi-Kazar
349832b380
Run fixer
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-03 20:52:14 +01:00
Martin Heide
162073b33e No longer allow desktop/mobile redirect URIs implicitly if RedirectURIs is set
Signed-off-by: Martin Heide <martin.heide@faro.com>
2020-11-02 14:05:47 +00:00
Martin Heide
c15e2887bc Add oob, device and localhost redirect URI tests
Signed-off-by: Martin Heide <martin.heide@faro.com>
2020-11-02 13:41:56 +00:00
Martin Heide
1ea481bb73 Fix gofmt in oauth2_test.go
Signed-off-by: Martin Heide <martin.heide@faro.com>
2020-11-02 12:52:52 +00:00
Martin Heide
b894d9c888 Allow public clients (e.g. using implicit flow or PKCE) to have redirect URIs configured
Signed-off-by: Martin Heide <martin.heide@faro.com>
2020-11-02 12:52:10 +00:00
m.nabokikh
a5ad5eaf08 fix: Minor style fixes after merging PKCE implementation
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-10-26 23:20:33 +04:00
Bernd Eckstein
b5519695a6
PKCE implementation (#1784)
* Basic implementation of PKCE

Signed-off-by: Tadeusz Magura-Witkowski <tadeuszmw@gmail.com>

* @mfmarche on 24 Feb: when code_verifier is set, don't check client_secret

In PKCE flow, no client_secret is used, so the check for a valid client_secret
would always fail.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* @deric on 16 Jun: return invalid_grant when wrong code_verifier

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Enforce PKCE flow on /token when PKCE flow was started on /auth
Also dissallow PKCE on /token, when PKCE flow was not started on /auth

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* fixed error messages when mixed PKCE/no PKCE flow.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* server_test.go: Added PKCE error cases on /token endpoint

* Added test for invalid_grant, when wrong code_verifier is sent
* Added test for mixed PKCE / no PKCE auth flows.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* cleanup: extracted method checkErrorResponse and type TestDefinition

* fixed connector being overwritten

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* /token endpoint: skip client_secret verification only for grand type authorization_code with PKCE extension

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Allow "Authorization" header in CORS handlers

* Adds "Authorization" to the default CORS headers{"Accept", "Accept-Language", "Content-Language", "Origin"}

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Add "code_challenge_methods_supported" to discovery endpoint

discovery endpoint /dex/.well-known/openid-configuration
now has the following entry:

"code_challenge_methods_supported": [
  "S256",
  "plain"
]

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Updated tests (mixed-up comments), added a PKCE test

* @asoorm added test that checks if downgrade to "plain" on /token endpoint

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* remove redefinition of providedCodeVerifier, fixed spelling (#6)

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>
Signed-off-by: Bernd Eckstein <HEllRZA@users.noreply.github.com>

* Rename struct CodeChallenge to PKCE

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* PKCE: Check clientSecret when available

In authorization_code flow with PKCE, allow empty client_secret on /auth and /token endpoints. But check the client_secret when it is given.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Enable PKCE with public: true

dex configuration public on staticClients now enables the following behavior in PKCE:
- Public: false, PKCE will always check client_secret. This means PKCE in it's natural form is disabled.
- Public: true, PKCE is enabled. It will only check client_secret if the client has sent one. But it allows the code flow if the client didn't sent one.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Redirect error on unsupported code_challenge_method

- Check for unsupported code_challenge_method after redirect uri is validated, and use newErr() to return the error.
- Add PKCE tests to oauth2_test.go

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Reverted go.mod and go.sum to the state of master

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Don't omit client secret check for PKCE

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Allow public clients (e.g. with PKCE) to have redirect URIs configured

Signed-off-by: Martin Heide <martin.heide@faro.com>

* Remove "Authorization" as Accepted Headers on CORS, small fixes

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Revert "Allow public clients (e.g. with PKCE) to have redirect URIs configured"

This reverts commit b6e297b78537dc44cd3e1374f0b4d34bf89404ac.

Signed-off-by: Martin Heide <martin.heide@faro.com>

* PKCE on client_secret client error message

* When connecting to the token endpoint with PKCE without client_secret, but the client is configured with a client_secret, generate a special error message.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Output info message when PKCE without client_secret used on confidential client

* removes the special error message

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* General missing/invalid client_secret message on token endpoint

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

Co-authored-by: Tadeusz Magura-Witkowski <tadeuszmw@gmail.com>
Co-authored-by: Martin Heide <martin.heide@faro.com>
Co-authored-by: M. Heide <66078329+heidemn-faro@users.noreply.github.com>
2020-10-26 11:33:40 +01:00
m.nabokikh
1d83e4749d Add gocritic
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-10-18 01:54:27 +04:00
m.nabokikh
4d63e9cd68 fix: Bump golangci-lint version and fix some linter's problems
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-10-18 01:02:29 +04:00
Márk Sági-Kazár
9c026107e6
Merge pull request #1830 from WorldProgrammingLtd/fix-1813
fix: log errors from login during password grant
2020-10-13 09:21:44 +02:00
Tom Quarendon
4da93e75fc fix: log errors from login during password grant
Issues: #1813
Signed-off-by: Alastair Houghton <alastair@alastairs-place.net>
2020-10-07 13:36:42 +01:00
Alastair Houghton
9187aa669d fix: allow Authorization header when doing CORS
The Authorization header needs to be allowed when doing CORS because
otherwise /userinfo can't work.  It isn't one of the headers
explicitly allowed by default by Gorilla, so we have to call
handlers.AllowedHeaders() to specify it.

Issues: #1532
Signed-off-by: Alastair Houghton <alastair@alastairs-place.net>
2020-10-05 15:01:54 +01:00
Rui Yang
bd2234cd12 Add constructor for static key strategy
Co-authored-by: Josh Winters <jwinter@pivotal.io>
Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-10-01 15:32:23 -04:00
Márk Sági-Kazár
9781e56ba5
Merge pull request #1690 from flant/fix-relative-url
Fix templates which asset path points to external URL
2020-09-29 19:47:38 +02:00
Tomasz Kleczek
b1311baa3c abort connector login if connector was already set #1707
Signed-off-by: Tomasz Kleczek <tomasz.kleczek@gmail.com>
2020-08-29 17:19:14 +02:00
justin-slowik
9a7926c19b Cleaned up Device Flow test log levels
Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>

Remove extraneous "=" from conformance.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

Additional test for TestHandleDeviceCode

Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-07-21 16:01:08 -04:00
justin-slowik
334ecf0482 Fixes based on PR comments.
Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-07-14 10:13:37 -04:00
justin-slowik
1404477326 Updates based on dexidp pr
Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-07-08 16:25:06 -04:00
justin-slowik
f91f294385 gofmt
Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-07-08 16:25:06 -04:00
justin-slowik
9882ea453f better support for /device/callback redirect uris with public clients.
Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-07-08 16:25:06 -04:00
Justin Slowik
9c699b1028 Server integration test for Device Flow (#3)
Extracted test cases from OAuth2Code flow tests to reuse in device flow

deviceHandler unit tests to test specific device endpoints

Include client secret as an optional parameter for standards compliance

Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-07-08 16:25:05 -04:00
Justin Slowik
9bbdc721d5 Device flow token code exchange (#2)
* Added /device/token handler with associated business logic and storage tests.

Perform user code exchange, flag the device code as complete.

Moved device handler code into its own file for cleanliness.  Cleanup

* Removed PKCE code

* Rate limiting for /device/token endpoint based on ietf standards

* Configurable Device expiry

Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
2020-07-08 16:25:05 -04:00