Commit Graph

1034 Commits

Author SHA1 Message Date
Eric Chiang
72a431dd4b {web,server}: use html/template and reduce use of auth request ID
Switch from using "text/template" to "html/template", which provides
basic XSS preventions. We haven't identified any particular place
where unsanitized user data is rendered to the frontend. This is
just a preventative step.

At the same time, make more templates take pure URL instead of
forming an URL themselves using an "authReqID" argument. This will
help us stop using the auth req ID in certain places, preventing
garbage collection from killing login flows that wait too long at
the login screen.

Also increase the login session window (time between initial
redirect and the user logging in) from 30 minutes to 24 hours,
and display a more helpful error message when the session expires.

How to test:

1. Spin up dex and example with examples/config-dev.yaml.
2. Login through both the password prompt and the direct redirect.
3. Edit examples/config-dev.yaml removing the "connectors" section.
4. Ensure you can still login with a password.

(email/password is "admin@example.com" and "password")
2017-02-02 11:11:00 -08:00
rithu leena john
12f969364e Merge pull request #794 from rithujohn191/saml-doc
Documentation: Minor changes to SAML connector doc.
2017-02-02 09:49:00 -08:00
rithu john
fecd596ae2 Documentation: Minor changes to SAML connector doc. 2017-02-01 11:28:46 -08:00
rithu leena john
42d0728048 Merge pull request #785 from holgerkoser/master
Improve SAML Signature and Response Validation
2017-02-01 11:14:13 -08:00
rithu leena john
27224cdc98 Merge pull request #788 from givia/gitlab-connector
connector: add GitLab connecor
2017-02-01 09:39:37 -08:00
Ali Javadi
e623ad4d35 connector: add GitLab connector 2017-01-28 01:36:02 +03:30
Eric Chiang
0dcf1bcf79 Merge pull request #792 from ericchiang/auth-endpoint-post
server: support POSTing to authorization endpoint
2017-01-27 13:36:02 -08:00
Eric Chiang
8541184afb server: support POSTing to authorization endpoint
Fixes #791
2017-01-27 11:42:46 -08:00
rithu leena john
36883d0bbf Merge pull request #789 from rithujohn191/token-revocation-proposal
Documentation/proposals: Add a proposal for refresh token revocation.
2017-01-27 09:39:13 -08:00
rithu john
d114b8ffc7 Documentation/proposals: Add a proposal for refresh token revocation. 2017-01-27 09:37:01 -08:00
Ali Javadi
98bfa4fbb1 Fixes #706 2017-01-27 05:12:58 +03:30
Holger Koser
27a1e9f1bd vendor: revendor 2017-01-26 19:06:54 +01:00
Holger Koser
e46f2ebe40 Improve SAML Signature and Response Validation
* Improve Order of Namespace Declarations and Attributes in Canonical XML. This is related to an issue in goxmldsig for which I created an [pull request](https://github.com/russellhaering/goxmldsig/pull/17).
* Do not compress the AuthnRequest if `HTTP-POST` binding is used.
* SAML Response is valid if the Message and/or the Assertion is signed.
* Add `AssertionConsumerServiceURL` to `AuthnRequest`
* Validate Status on the Response
* Validate Conditions on the Assertion
* Validation SubjectConfirmation on the Subject
2017-01-26 19:05:40 +01:00
rithu leena john
48fcf66a35 Merge pull request #783 from rithujohn191/config-validation
cmd/dex: make connector name field mandatory in dex configuration.
2017-01-23 17:03:50 -08:00
rithu john
31e8009441 cmd/dex: make connector name field mandatory in dex configuration. 2017-01-23 15:14:41 -08:00
Eric Chiang
613d160ad9 Merge pull request #782 from marians/patch-1
Docs: Added a name to the LDAP connector
2017-01-23 09:07:24 -08:00
Eric Chiang
d3f4ae2ab7 Merge pull request #781 from ajohnstone/patch-1
Update kubernetes.md - correct typo
2017-01-23 08:52:37 -08:00
Marian Steinbach
38a2e41e0a Added a name to the connector
Without a name, the example app's login form will only show `Log in with` as a button label.
2017-01-23 10:46:29 +01:00
Andrew Johnstone
b10c0a1c87 Update kubernetes.md 2017-01-23 06:28:21 +00:00
rithu leena john
a3ef8d26bc Merge pull request #777 from rithujohn191/update-release-doc
Documentation: add docs on patch release process.
2017-01-17 14:50:37 -08:00
rithu john
265cfacd17 Documentation: add docs on patch release process. 2017-01-17 11:49:09 -08:00
rithu leena john
fe93f60af4 Merge pull request #775 from xeonx/master
Allow CORS on keys and token endpoints
2017-01-17 10:48:06 -08:00
Simon HEGE
415a68f977 Allow CORS on keys and token endpoints 2017-01-14 21:15:51 +01:00
Eric Chiang
ca7d2b8f9e Merge pull request #772 from ericchiang/at_hash-support
server: add at_hash claim support
2017-01-13 10:15:21 -08:00
Eric Chiang
1eda382789 server: add at_hash claim support
The "at_hash" claim, which provides hash verification for the
"access_token," is a required claim for implicit and hybrid flow
requests. Previously we did not include it (against spec). This
PR implements the "at_hash" logic and adds the claim to all
responses.

As a cleanup, it also moves some JOSE signing logic out of the
storage package and into the server package.

For details see:

https://openid.net/specs/openid-connect-core-1_0.html#ImplicitIDToken
2017-01-13 10:05:24 -08:00
Eric Chiang
79c21f9b0c Merge pull request #773 from y2kenny/patch-1
Removed extra o typo
2017-01-11 13:10:57 -08:00
y2kenny
4d4cb99459 Removed extra o typo 2017-01-11 15:47:55 -05:00
Eric Chiang
3c247db00a Merge pull request #757 from ericchiang/constant-refresh-tokens
*: update refresh tokens instead of deleting and creating another
2017-01-11 12:09:39 -08:00
Eric Chiang
ed20fee2b9 cmd/example-app: fix refreshing 2017-01-11 12:07:48 -08:00
Eric Chiang
f4bbab5056 server/internal: generate protobuf types 2017-01-11 12:07:48 -08:00
Eric Chiang
f778b2d33b server: update refresh tokens instead of deleting and creating another
The server implements a strategy called "Refresh Token Rotation" to
ensure refresh tokens can only be claimed once.

ref: https://tools.ietf.org/html/rfc6819#section-5.2.2.3

Previously "refresh_token" values in token responses where just the
ID of the internal refresh object. To implement rotation, when a
client redeemed a refresh token, the object would be deleted, a new
one created, and the new ID returned as the new "refresh_token".

However, this means there was no consistent ID for refresh tokens
internally, making things like foreign keys very hard to implement.
This is problematic for revocation features like showing all the
refresh tokens a user or client has out.

This PR updates the "refresh_token" to be an encoded protobuf
message, which holds the internal ID and a nonce. When a refresh
token is used, the nonce is updated to prevent reuse, but the ID
remains the same. Additionally it adds the timestamp of each
token's last use.
2017-01-11 12:07:48 -08:00
Eric Chiang
312ca7491e storage: add extra fields to refresh token and update method 2017-01-11 12:07:48 -08:00
Eric Chiang
c66cce8b40 Merge pull request #766 from ericchiang/implicit-flow
server: fixes for the implicit and hybrid flow
2017-01-10 16:50:29 -08:00
Eric Chiang
f926d74157 server: fixes for the implicit and hybrid flow
Accept the following response_type for the implicit flow:

    id_token
    token id_token

And the following for hybrid flow

    code id_token
    code token
    code token id_token

This corrects the previous behavior of the implicit flow, which
only accepted "token" (now correctly rejected).
2017-01-10 16:20:17 -08:00
Eric Chiang
7f72ea786d Merge pull request #752 from ericchiang/saml
Add an experimental SAML connector
2017-01-09 18:33:00 -08:00
Eric Chiang
7ea2d24011 vendor: revendor 2017-01-09 18:30:58 -08:00
Eric Chiang
78665074ed cmd/example-app: add option to not request a refresh token 2017-01-09 18:30:58 -08:00
Eric Chiang
0f4a1f69c5 *: wire up SAML POST binding 2017-01-09 18:30:58 -08:00
Eric Chiang
31dfb54b6f connector: add a SAML connector 2017-01-09 18:30:58 -08:00
Eric Chiang
15fadeaf86 Merge pull request #767 from rithujohn191/fix-refresh
storage: Add ConnectorData to storage RefreshToken.
2017-01-09 15:16:18 -08:00
rithu john
2c03693972 storage: Add ConnectorData to storage RefreshToken. 2017-01-09 15:01:29 -08:00
Eric Chiang
ec9d1607b2 Merge pull request #760 from xeonx/master
Allow CORS on discovery endpoint
2017-01-08 11:17:38 -08:00
Simon HEGE
6cbf7125e0 vendor: revendor 2017-01-08 19:28:18 +01:00
Simon HEGE
b4c47910e4 Allow CORS on discovery endpoint 2017-01-08 19:22:39 +01:00
rithu leena john
4ddc5eb061 Merge pull request #765 from rithujohn191/bump-oidc
Bump go-oidc package
2017-01-06 16:06:44 -08:00
rithu john
05cef99a31 vendor: revendor 2017-01-06 15:39:36 -08:00
rithu john
984b2934fe *: update vendored go-oidc 2017-01-06 15:36:56 -08:00
rithu leena john
fb5199c958 Merge pull request #759 from rithujohn191/ldap-grpsearch
connector/ldap: enable groupSearch to be empty
2016-12-28 14:20:37 -08:00
rithu john
6a728f107e connector/ldap: enable groupSearch to be empty 2016-12-27 11:07:03 -08:00
rithu leena john
3e2d857928 Merge pull request #756 from ericchiang/revendor
*: add 'make revendor' and tests to catch incorrect glide usage
2016-12-22 12:05:57 -08:00