This should make AllowedGroups equivalent to an LDAP group filter:
When set to true, only the groups from AllowedGroups will be included in the
user's identity.
Signed-off-by: Stephan Renatus <srenatus@chef.io>
* Add atlassiancrowd connector to list in readme
* Add TestIdentityFromCrowdUser
* Set preferred_username claim when configured
* Add preferredUsernameField option to docs
* Log warning when mapping invalid crowd field
* Added Email of Keystone to Identity
After the successful login to keystone, the Email of the logged in user
is fetch from keystone and provided to `identity.Email`.
This is useful for upstream software that uses the Email as the primary
identification.
* Removed unnecessary code from getUsers
* Changed creation of userResponse in keystone
* Fixing linter error
Co-authored-by: Christoph Glaubitz <christoph.glaubitz@innovo-cloud.de>
There is a chance that offline storage could fall out of sync with the
refresh token tables. One example is if dex crashes/is stopped in the
middle of handling a login request. If the old refresh token associated
with the offline session is deleted, and then the process stops, the
offline session will still refer to the old token.
Unfortunately, if this case occurs, there is no way to recover from it,
since further logins will be halted due to dex being unable to clean up
the old tokens till referenced in the offline session: the database is
essentially corrupted.
There doesn't seem to be a good reason to fail the auth request if the
old refresh token is gone. This changes the logic in `handleAuthCode` to
not fail the entire transaction if the old refresh token could not be
deleted because it was not present. This has the effect of installing
the new refresh token, and unpdating the offline storage, thereby fixing
the issue, however it occured.
Having ID and Secret in clear inside configuration files for static
clients is not ideal. This commit allows setting these from environment
variables.
Signed-off-by: Yann Soubeyrand <yann.soubeyrand@gmx.fr>
When constructing the host address string, the address is
not wrapped in square brackets. This does not work in IPv6
Kubernetes deployments. This commit adds square brackets
around the address. IPv4 was also tested to ensure it works
with wrapped address.
Signed-off-by: Jerry Sun <jerry.sun@windriver.com>
In 58093dbb2 the kubernetes documentation was updated to refer to CRDs
rather than TPRs when discussing how storage works for dex. However, the
rest of the line was not updated and still referred to the TPR section,
whose anchor link was changed in 395febf80 with the removal of TPR
support. This change updates the kubernetes documentation to point to
the currect section of the storage documentation for CRDs.