Joel Speed
575c792156
Store most recent refresh token in offline sessions
2019-11-19 15:40:56 +00:00
serhiimakogon
b793afd375
preferred_username claim added on refresh token
2019-11-19 16:27:34 +02:00
Nándor István Krácser
0b55f121b4
Fix missing email in log message
Co-Authored-By: Felix Fontein <ff@dybuster.com>
2019-10-30 13:13:33 +01:00
Nandor Kracser
c1b421fa04
add preferred_username to idToken
Signed-off-by: Nandor Kracser <bonifaido@gmail.com>
2019-10-30 13:06:37 +01:00
Yannis Zarkadas
27944d4f8f
templates: add new relativeURL function
Signed-off-by: Yannis Zarkadas <yanniszark@arrikto.com>
2019-10-02 17:08:06 +03:00
Yannis Zarkadas
839130f01c
handlers: change all handlers to pass down http request
Signed-off-by: Yannis Zarkadas <yanniszark@arrikto.com>
2019-10-02 17:08:06 +03:00
Stephan Renatus
c854e760db
Merge pull request #1539 from erwinvaneyk/replace-context-import
Replace x/net/context with stdlib context
2019-08-31 17:52:18 +02:00
erwinvaneyk
3e2217b3f4
Replace x/net/context with context of stdlib
2019-08-30 11:52:46 +02:00
Nandor Kracser
bd61535cb6
connector/ldap: display login error
2019-08-22 15:55:05 +02:00
Stephan Renatus
e1afe771cb
Merge pull request #1505 from MarcDufresne/show-login-page
Add option to always display connector selection even if there's only one
2019-08-07 09:23:42 +02:00
Stephan Renatus
89e43c198b
Merge pull request #1504 from MarcDufresne/template-custom-data
Allow arbitrary data to be passed to templates
2019-08-07 09:19:14 +02:00
Marc-André Dufresne
0dbb642f2c
Add option to always display connector selection even if there's only one
2019-08-06 13:18:46 -04:00
Marc-André Dufresne
d458e882aa
Allow arbitrary data to be passed to templates
2019-08-06 13:14:53 -04:00
Mike O
43d1a044bd
Add tests for some callback handler error conditions
2019-08-05 16:02:28 -07:00
Mike O
d03a43335e
Return HTTP 400 for invalid state parameter
2019-08-01 16:22:53 -07:00
Stephan Renatus
291cd9e01c
regenerate protobuf code
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-07-31 08:16:18 +02:00
Stephan Renatus
231e571c3c
server/api: fix logging in VerifyPassword
Before:
msg="api: password check failed : %vcrypto/bcrypt: hashedPassword is not the hash of the given password"
After:
msg="api: password check failed : crypto/bcrypt: hashedPassword is not the hash of the given password"
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-07-30 14:53:33 +02:00
Stephan Renatus
d9487e553b
*: fix some lint issues
Mostly gathered these using golangci-lint's deadcode and ineffassign
linters.
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-07-30 11:29:08 +02:00
Stephan Renatus
8561a66365
server/{handler,oauth2}: cleanup error returns
Now, we'll return a standard error, and have the caller act upon this
being an instance of authErr.
Also changes the storage.AuthRequest return to a pointer, and returns
nil in error cases.
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-07-25 13:40:06 +02:00
Stephan Renatus
421c26fdf5
Merge pull request #1481 from LanceH/master
Added "connector_id" to skip straight to a connector (similar to when len(connector) is 1).
2019-07-23 11:31:25 +02:00
LanceH
07a77e0dac
Use connector_id param to skip directly to a specific connector
2019-07-22 10:47:11 -05:00
Tyler Cloke
dd84e73c0e
Add VerifyPassword to API
It takes in an email and plain text password to verify. If it fails to find a password stored for email, it returns not_found. If it finds the password hash stored but that hash doesn't match the password passed via the API, it returns verified = false, else it returns verified = true.
Co-authored-by: Alban Seurat <alban.seurat@me.com>
2019-07-22 10:23:07 +02:00
Andy Lindeman
5b66bf05c8
Fixed shadowed variable declaration
2019-06-27 19:12:18 -04:00
Andy Lindeman
59b6595c37
userinfo_endpoint is required
2019-06-25 12:17:03 -04:00
Andy Lindeman
8959dc4275
ctx is not used
2019-06-24 09:43:12 -04:00
Andy Lindeman
21174c06a1
Remove comment
We have a story around user info now
2019-06-24 09:42:46 -04:00
Andy Lindeman
840065faaf
Assert something about the returned userinfo
2019-06-24 09:39:54 -04:00
Andy Lindeman
46f5726d11
Use oidc.Verifier to verify tokens
2019-06-22 13:18:35 -04:00
Andy Lindeman
157c359f3e
Bump go-oidc to latest v2
2019-06-20 12:27:47 -04:00
mdbraber
3dd1bac821
Fix comments
2019-06-05 22:14:31 +02:00
Maarten den Braber
74f4e749b9
Formatting
2019-06-05 22:14:31 +02:00
Maarten den Braber
d7750b1e26
Fix changes
2019-06-05 22:14:31 +02:00
Maarten den Braber
a8d059a237
Add userinfo endpoint
Co-authored-by: Yuxing Li <360983+jackielii@users.noreply.github.com>
Co-authored-by: Francisco Santiago <1737357+fjbsantiago@users.noreply.github.com>
2019-06-05 22:11:21 +02:00
Eric Chiang
cd3c6983da
Merge pull request #1429 from tsuna/master
server: add metrics for CORS handlers.
2019-05-12 10:40:23 -07:00
Tomas Barton
55cebd58a8
print appropriate error
2019-05-03 14:19:54 +02:00
Benoit Sigoure
d6ad67a6de
server: add metrics for CORS handlers.
2019-04-19 14:32:52 -07:00
Mark Sagi-Kazar
06521ffa49
Remove the logrus logger wrapper
2019-02-22 21:31:46 +01:00
Mark Sagi-Kazar
d1c8f8d095
Remove structured logging from the logger interface
2019-02-22 21:26:30 +01:00
Mark Sagi-Kazar
be581fa7ff
Add logger interface and stop relying on Logrus directly
2019-02-22 13:38:57 +01:00
Eric Chiang
8935a1479c
server: update health check endpoint to query storage periodically
Instead of querying the storage every time a health check is performed
query it periodically and save the result.
2019-02-04 19:02:41 +00:00
joannano
88d1e2b041
keystone: test cases, refactoring and cleanup
2019-01-11 15:14:56 +01:00
Krzysztof Balka
a965365a2b
keystone: refresh token and groups
2019-01-11 15:14:11 +01:00
knangia
0774a89066
keystone: squashed changes from knangia/dex
2019-01-11 15:12:59 +01:00
Haines Chan
b78b8aeee0
Replace "GET", "POST" to http.MethodGet and http.MethodPost
2018-12-27 16:27:36 +08:00
Maximilian Gaß
468c74d1d2
Make expiry of auth requests configurable
2018-12-13 11:50:34 +01:00
Stephan Renatus
f3acec0b1b
Merge pull request #1275 from ccojocar/client-update-api
Extend the API with a function which updates the client configuration
2018-11-27 11:47:16 +01:00
Cosmin Cojocar
01c6b9dd91
Remove the 'public' field from UpdateClientReq proto message
2018-11-26 19:07:59 +01:00
Alexander Matyushentsev
ff8b44558e
Issue #1263 - Render error message provided by connector if user authentication failed
2018-11-13 15:44:28 -08:00
Cosmin Cojocar
281ec27118
Update also to a list of empty redirect URIs and Peers
2018-11-13 09:59:45 +01:00
Cosmin Cojocar
9d1ec6c36b
Revert "Avoid overwriting existing redirect URI and trusted peers when updating the client"
This reverts commit 49fa5ee6e8.
2018-11-13 09:58:17 +01:00
Cosmin Cojocar
49fa5ee6e8
Avoid overwriting existing redirect URI and trusted peers when updating the client
Also skip configuring the Public field.
2018-11-12 21:48:14 +01:00
Cosmin Cojocar
c9b18b2785
Add tests for UpdateClient API
2018-11-12 18:43:48 +01:00
Cosmin Cojocar
9926a0dced
Extend the API with a function which updates the client configuration
2018-11-12 17:33:06 +01:00
Stephan Renatus
e1acb6d577
Merge pull request #1307 from edtan/upstream-add-bitbucket-connector
Add Bitbucket connector
2018-10-12 09:02:21 +02:00
Danny Sauer
74bfbcefbc
minor spelling correction
2018-10-09 15:57:37 -05:00
Ed Tan
d26e23c16f
Make suggested code changes
2018-10-05 10:43:49 -04:00
Ed Tan
8c75d85b60
Add Bitbucket connector
2018-09-30 15:08:07 -04:00
Stephan Renatus
b9f6594bf0
*: github.com/coreos/dex -> github.com/dexidp/dex
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2018-09-05 17:57:08 +02:00
Eric Chiang
01d63b086f
Merge pull request #1176 from vyshane/master
New id_provider scope that adds the connector ID and user ID to the ID token claims
2018-02-03 11:47:42 -08:00
Vy-Shane Xie
b03c85e56e
Add new federated:id scope that causes Dex to add a federated_claims claim containing the connector_id and user_id to the ID token
2018-02-03 18:40:03 +08:00
Eric Chiang
ce686390a5
Merge pull request #1144 from srenatus/sr/support-direct-post-without-get-first
handlers/connector_login: update AuthRequest regardless of method
2018-02-01 11:26:57 -08:00
Frederic Branczyk
5f03479d29
*: Add go runtime, process, HTTP and gRPC metrics
2017-12-21 21:24:09 +01:00
Eric Buth
da45adcb6e
email scope only allows access to a user's email address
2017-12-17 12:08:19 -05:00
Stephan Renatus
f013a44581
handlers/connector_login: check before update (optimization)
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2017-12-11 08:32:22 +01:00
Stephan Renatus
f18d7afc6f
handlers/connector_login: update AuthRequest regardless of method
Before, you could not POST your credentials to a password-connector's
endpoint without GETing that endpoint first. While this makes sense for
browser clients, automated interactions with Dex don't need to look at
the password form to fill it in.
A symptom of that missing GET was that the POST succeeded (!) with
login successful: connector "", username="admin", email="admin@example.com", groups=[]
Note the connector "". A subsequent call to finalizeLogin would then
fail with
connector with ID "" not found: failed to get connector object from storage: not found
Now, the connector ID of an auth request will be updated for both GETs
and POSTs.
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2017-12-08 11:49:52 +01:00
Eric Chiang
18da628842
Merge pull request #1142 from zlabjp/status-code
Bugfix: Set a proper status code before sending an error status page
2017-12-04 00:04:28 -05:00
Eric Chiang
c5de6fa733
*: regenerate proto
2017-12-01 11:29:33 -08:00
Kazumasa Kohtaka
9948228e5b
Set a proper status code before sending an error status page
2017-12-01 14:23:45 +09:00
Pavel Borzenkov
6193bf5566
connector: implement Microsoft connector
connector/microsoft implements authorization strategy via Microsoft's
OAuth2 endpoint + Graph API. It allows choosing what kinds of tenants
are allowed to authenticate in Dex via Microsoft:
* common - both personal and business/school accounts
* organizations - only business/school accounts
* consumers - only personal accounts
* <tenant uuid> - only account of specific tenant
Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
2017-11-23 17:01:34 +03:00
Stephan Renatus
41f663f70c
show "back" link for password connectors
This way, the user who has selected, say, "Log in with Email" can make up
their mind, and select a different connector instead.
However, if there's only one connector set up, none of this makes sense -- and
the link will thus not be displayed.
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2017-11-13 08:39:59 +01:00
Stephan Renatus
b09a13458f
password connectors: allow overriding the username attribute (password prompt)
This allows users of the LDAP connector to give users of Dex' login
prompt an idea of what they should enter for a username.
Before, regardless of how the LDAP connector was set up, the prompt
was
Username
[_________________]
Password
[_________________]
Now, this is configurable, and can be used to say "MyCorp SSO Login" if
that's what it is.
If it's not configured, it will default to "Username".
For the passwordDB connector (local users), it is set to "Email
Address", since this is what it uses.
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2017-11-09 09:30:03 +01:00
Pavel Borzenkov
ab06119431
connector: implement LinkedIn connector
connector/linkedin implements authorization strategy via LinkedIn's
OAuth2 endpoint + profile API.
It doesn't implement RefreshConnector as LinkedIn doesn't provide any
refresh token at all (https://developer.linkedin.com/docs/oauth2 , Step 5
— Refresh your Access Tokens) and recommends ordinary AuthCode exchange
flow when token refresh is required.
Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
2017-10-27 12:54:28 +03:00
Michael Stapelberg
4931f30a80
authproxy.md: strip X-Remote-User
follow-up for https://github.com/coreos/dex/pull/1100
2017-10-26 20:13:37 +02:00
Michael Stapelberg
a41d93db4a
Implement the “authproxy” connector (for Apache2 mod_auth etc.)
2017-10-25 21:53:51 +02:00
Damian Pacierpnik
e3c9b49299
Cross clients improvement - requesting client ID always added to the audience claim
2017-09-28 18:30:15 +02:00
Eric Chiang
f234e3707e
server: fix panic caused by deleting refresh token twice through api
2017-09-05 23:56:34 -07:00
Eric Stroczynski
2b354c8fdb
server: set sane bcrypt cost upper bound
2017-08-21 11:53:46 -07:00
Eric Chiang
aad328bb35
*: add log events for login, LDAP queries, and SAML responses
2017-08-11 12:00:06 -07:00
Eric Stroczynski
4bcb0aaae9
server: log bcrypt cost if > 12, error on runtime > 10s
The bcrypt hashing algorithm runtime grows exponentially with cost,
and might cause a timeout if the cost is too high. Notifying the user
of high cost and of long running calculations will help with tuning
and debugging.
2017-07-25 17:09:43 -07:00
Eric Stroczynski
4a88d0641a
: update {S->s}irupsen/logrus
2017-07-25 13:46:44 -07:00
rithu john
753526a506
server/rotation.go: Fix key rotation with multiple dex instances.
2017-07-19 10:37:37 -07:00
Eric Chiang
fcb9c5a1c4
server: fix localhost redirect validation for public clients
2017-05-09 17:09:20 -07:00
rithu john
aefdd6e004
server/api: return empty list of refresh tokens if user does not have any
2017-04-28 15:35:52 -07:00
rithu john
8c9c2518f5
server: account for dynamically changing connector object in storage.
2017-04-25 09:19:02 -07:00
Eric Chiang
ba1660ae1f
*: revendor and regenerate protobuf files
2017-04-13 11:35:41 -07:00
rithu john
dd1e901dd9
server/rotation.go: avoid displaying the "keys already rotated" error
2017-04-11 10:48:08 -07:00
Eric Chiang
5f377f07d4
*: promote SAML to stable
This means we no longer refer to it as "experimental" and won't make
breaking changes.
2017-04-11 10:09:48 -07:00
Lucas Serven
f3d9bd5008
server/server.go: make successful garbage collection log at info level
2017-04-04 09:47:53 -07:00
Eric Chiang
f734b140cd
server: use client connected to remove server for gRPC tests
2017-03-28 16:41:39 -07:00
rithu john
59502850f0
connector: Connectors without a RefreshConnector should not return a refresh token instead of erroring
2017-03-23 14:56:34 -07:00
Eric Chiang
50b223a9db
*: validate InResponseTo SAML response field and make issuer optional
2017-03-22 13:02:44 -07:00
Eric Chiang
33f0199077
*: fix spelling using github.com/client9/misspell
2017-03-20 09:16:56 -07:00
rithu john
921090f05f
api: Update timestamp type for RefreshTokenRef to int64.
2017-03-17 15:46:39 -07:00
Eric Chiang
777eeafabc
*: update go-oidc and use standard library's context package
2017-03-08 10:33:19 -08:00
Eric Chiang
2c4752d5d4
server: fix expiry detection for verification keys
2017-03-01 12:43:45 -08:00
rithu john
3df1db1864
storage: Surface "already exists" errors.
2017-02-21 15:00:22 -08:00
rithu john
1ec19d4fbf
api: adding a gRPC call for revoking refresh tokens.
2017-02-15 07:48:20 -08:00
rithu john
d201e49248
api: adding a gRPC call for listing refresh tokens.
2017-02-13 16:12:16 -08:00
rithu john
d928ac0677
storage: Add OfflineSession object to backend storage.
2017-02-09 19:01:28 -08:00
Eric Chiang
80038847de
server: clean up test comments and code flow
2017-02-07 10:31:51 -08:00