Mark Sagi-Kazar 
							
						 
					 
					
						
						
							
						
						b8ac640c4f 
					 
					
						
						
							
							Update oidc library  
						
						Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
						
						
					 
					
						2021-01-13 19:56:09 +01:00 
						 
				 
			
				
					
						
							
							
								Josh Soref 
							
						 
					 
					
						
						
							
						
						84e9cb6947 
					 
					
						
						
							
							spelling: verified  
						
						Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
						
						
					 
					
						2020-12-19 22:53:29 -05:00 
						 
				 
			
				
					
						
							
							
								Rui Yang 
							
						 
					 
					
						
						
							
						
						058202d007 
					 
					
						
						
							
							revert changes for user id and user name  
						
						Signed-off-by: Rui Yang <ruiya@vmware.com>
						
						
					 
					
						2020-09-08 13:12:59 -04:00 
						 
				 
			
				
					
						
							
							
								Rui Yang 
							
						 
					 
					
						
						
							
						
						0494993326 
					 
					
						
						
							
							update oidc documentation and email claim err msg  
						
						Signed-off-by: Rui Yang <ruiya@vmware.com>
						
						
					 
					
						2020-09-08 10:03:57 -04:00 
						 
				 
			
				
					
						
							
							
								Rui Yang 
							
						 
					 
					
						
						
							
						
						41207ba265 
					 
					
						
						
							
							Combine  #1691  and  #1776  to unify OIDC provider claim mapping  
						
						add tests for groups key mapping
Signed-off-by: Rui Yang <ruiya@vmware.com>
						
						
					 
					
						2020-08-11 16:26:55 -04:00 
						 
				 
			
				
					
						
							
							
								Scott Lemmon 
							
						 
					 
					
						
						
							
						
						a783667c57 
					 
					
						
						
							
							Add groupsClaimMapping to the OIDC connector  
						
						The groupsClaimMapping setting allows one to specify which claim to pull
group information from the OIDC provider.  Previously it assumed group
information was always in the "groups" claim, but that isn't the case
for many OIDC providers (such as AWS Cognito using the "cognito:groups"
claim instead)
Signed-off-by: Scott Lemmon <slemmon@aurora.tech>
Signed-off-by: Rui Yang <ruiya@vmware.com>
						
						
					 
					
						2020-08-11 16:26:55 -04:00 
						 
				 
			
				
					
						
							
							
								Cyrille Nofficial 
							
						 
					 
					
						
						
							
						
						61312e726e 
					 
					
						
						
							
							Add parameter configuration to override email claim key  
						
						Signed-off-by: Rui Yang <ruiya@vmware.com>
						
						
					 
					
						2020-08-11 16:26:55 -04:00 
						 
				 
			
				
					
						
							
							
								Rui Yang 
							
						 
					 
					
						
						
							
						
						52c39fb130 
					 
					
						
						
							
							check if upstream contains preferred username claim first

						Signed-off-by: Rui Yang <ryang@pivotal.io>
Signed-off-by: Rui Yang <ruiya@vmware.com>
						
						
					 
					
						2020-08-11 16:26:55 -04:00 
						 
				 
			
				
					
						
							
							
								Rui Yang 
							
						 
					 
					
						
						
							
						
						4812079647 
					 
					
						
						
							
							add tests when preferred username key is not set  
						
						Signed-off-by: Rui Yang <ruiya@vmware.com>
						
						
					 
					
						2020-08-11 16:26:55 -04:00 
						 
				 
			
				
					
						
							
							
								Rui Yang 
							
						 
					 
					
						
						
							
						
						d9afb7e59c 
					 
					
						
						
							
							default to preferred_username claim  
						
						Signed-off-by: Rui Yang <ruiya@vmware.com>
						
						
					 
					
						2020-08-11 16:26:55 -04:00 
						 
				 
			
				
					
						
							
							
								Josh Winters 
							
						 
					 
					
						
						
							
						
						9a4e0fcd00 
					 
					
						
						
							
							Make OIDC username key configurable  
						
						Signed-off-by: Josh Winters <jwinters@pivotal.io>
Co-authored-by: Mark Huang <mhuang@pivotal.io>
Signed-off-by: Rui Yang <ruiya@vmware.com>
						
						
					 
					
						2020-08-11 16:26:55 -04:00 
						 
				 
			
				
					
						
							
							
								Chris Loukas 
							
						 
					 
					
						
						
							
						
						d33a76fa19 
					 
					
						
						
							
							Make prompt configurable for oidc offline_access  
						
						
						
						
					 
					
						2020-02-19 16:10:28 +02:00 
						 
				 
			
				
					
						
							
							
								m.nabokikh 
							
						 
					 
					
						
						
							
						
						383c2fe8b6 
					 
					
						
						
							
							Adding oidc email scope check  
						
						This helps to avoid "no email claim" error if email scope was not specified.
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
						
						
					 
					
						2019-12-28 15:28:01 +04:00 
						 
				 
			
				
					
						
							
							
								Nándor István Krácser 
							
						 
					 
					
						
						
							
						
						a901e2f204 
					 
					
						
						
							
							Merge pull request  #1604  from dexidp/fix-linters  
						
						
						
						
						Fix linters 
						
						
					 
					
						2019-12-20 07:10:22 +01:00 
						 
				 
			
				
					
						
							
							
								Lars Lehtonen 
							
						 
					 
					
						
						
							
						
						8e0ae82034 
					 
					
						
						
							
							connector/oidc: replace deprecated oauth2.RegisterBrokenAuthHeaderProvider with oauth2.Endpoint.AuthStyle  
						
						
						
						
					 
					
						2019-12-18 08:27:40 -08:00 
						 
				 
			
				
					
						
							
							
								Mark Sagi-Kazar 
							
						 
					 
					
						
						
							
						
						9bd5ae5197 
					 
					
						
						
							
							Fix goimports  
						
						
						
						
					 
					
						2019-12-18 15:53:34 +01:00 
						 
				 
			
				
					
						
							
							
								Nándor István Krácser 
							
						 
					 
					
						
						
							
						
						c41035732f 
					 
					
						
						
							
							Merge pull request  #1434  from jacksontj/groups  
						
						
						
						
						Add option to enable groups for oidc connectors 
						
						
					 
					
						2019-11-27 14:00:36 +01:00 
						 
				 
			
				
					
						
							
							
								Joel Speed 
							
						 
					 
					
						
						
							
						
						3156553843 
					 
					
						
						
							
							OIDC: Rename refreshToken to RefreshToken  
						
						
						
						
					 
					
						2019-11-19 15:43:25 +00:00 
						 
				 
			
				
					
						
							
							
								Joel Speed 
							
						 
					 
					
						
						
							
						
						77fcf9ad77 
					 
					
						
						
							
							Use a struct for connector data within OIDC connector  
						
						
						
						
					 
					
						2019-11-19 15:43:22 +00:00 
						 
				 
			
				
					
						
							
							
								Joel Speed 
							
						 
					 
					
						
						
							
						
						f6077083c9 
					 
					
						
						
							
							Identify error as failure to retrieve refresh token  
						
						
						
						
					 
					
						2019-11-19 15:43:21 +00:00 
						 
				 
			
				
					
						
							
							
								Joel Speed 
							
						 
					 
					
						
						
							
						
						8b344fe4d3 
					 
					
						
						
							
							Fix Refresh comment  
						
						
						
						
					 
					
						2019-11-19 15:43:20 +00:00 
						 
				 
			
				
					
						
							
							
								Joel Speed 
							
						 
					 
					
						
						
							
						
						433bb2afec 
					 
					
						
						
							
							Remove duplicate code  
						
						
						
						
					 
					
						2019-11-19 15:43:12 +00:00 
						 
				 
			
				
					
						
							
							
								Joel Speed 
							
						 
					 
					
						
						
							
						
						4076eed17b 
					 
					
						
						
							
							Build opts based on scope  
						
						
						
						
					 
					
						2019-11-19 15:43:11 +00:00 
						 
				 
			
				
					
						
							
							
								Joel Speed 
							
						 
					 
					
						
						
							
						
						0857a0fe09 
					 
					
						
						
							
							Implement refresh in OIDC connector  
						
						
						
						
						This has added the access=offline parameter and prompt=consent parameter
to the initial request, this works with google, assuming other providers
will ignore the prompt parameter 
						
						
					 
					
						2019-11-19 15:43:04 +00:00 
						 
				 
			
				
					
						
							
							
								Thomas Jackson 
							
						 
					 
					
						
						
							
						
						21ab30d207 
					 
					
						
						
							
							Add option to enable groups for oidc connectors  
						
						
						
						
						There's been some discussion in #1065  regarding what to do about
refreshing groups. As it stands today dex doesn't update any of the
claims on refresh (groups would just be another one). The main concern
with enabling it is that group claims may change more frequently. While
we continue to wait on the upstream refresh flows, this adds an option
to enable the group claim. This is disabled by default (so no behavioral
change) but enables those that are willing to have the delay in group
claim change to use oidc IDPs.
Workaround to #1065  
						
						
					 
					
						2019-09-13 15:50:33 -07:00 
						 
				 
			
				
					
						
							
							
								Thomas Jackson 
							
						 
					 
					
						
						
							
						
						512cb3169e 
					 
					
						
						
							
							Run getUserInfo prior to claim enforcement  
						
						
						
						
						If you have an oidc connector configured *and* that IDP provides thin
tokens (e.g. okta) then the majority of the requested claims come in the
getUserInfo call (such as email_verified). So if getUserInfo is
configured it should be run before claims are validated. 
						
						
					 
					
						2019-09-13 11:10:44 -07:00 
						 
				 
			
				
					
						
							
							
								Stephan Renatus 
							
						 
					 
					
						
						
							
						
						d9487e553b 
					 
					
						
						
							
							*: fix some lint issues  
						
						Mostly gathered these using golangci-lint's deadcode and ineffassign
linters.
Signed-off-by: Stephan Renatus <srenatus@chef.io>
						
						
					 
					
						2019-07-30 11:29:08 +02:00 
						 
				 
			
				
					
						
							
							
								flarno11 
							
						 
					 
					
						
						
							
						
						8c1716d356 
					 
					
						
						
							
							make userName configurable  
						
						
						
						
					 
					
						2019-06-03 14:09:07 +02:00 
						 
				 
			
				
					
						
							
							
								Stephan Renatus 
							
						 
					 
					
						
						
							
						
						4e8cbf0f61 
					 
					
						
						
							
							connectors/oidc: truly ignore "email_verified" claim if configured that way

						Fixes #1455, I hope.
Signed-off-by: Stephan Renatus <srenatus@chef.io>
					
						2019-05-28 16:15:06 +02:00 
						 
				 
			
				
					
						
							
							
								cappyzawa 
							
						 
					 
					
						
						
							
						
						9650836851 
					 
					
						
						
							
							make userID configurable  
						
						
						
						
					 
					
						2019-05-24 19:52:33 +09:00 
						 
				 
			
				
					
						
							
							
								Thomas Jackson 
							
						 
					 
					
						
						
							
						
						52d09a2dfa 
					 
					
						
						
							
							Add option in oidc to hit the optional userinfo endpoint  
						
						
						
						
						Some oauth providers return "thin tokens" which won't include all of the
claims requested. This simply adds an option which will make the oidc
connector use the userinfo endpoint to fetch all the claims. 
						
						
					 
					
						2019-05-23 09:20:48 -07:00 
						 
				 
			
				
					
						
							
							
								Gerald Barker 
							
						 
					 
					
						
						
							
						
						fc723af0fe 
					 
					
						
						
							
							Add option to OIDC connector to override email_verified to true
						
						
						
						
					 
					
						2019-03-05 21:24:02 +00:00 
						 
				 
			
				
					
						
							
							
								Mark Sagi-Kazar 
							
						 
					 
					
						
						
							
						
						be581fa7ff 
					 
					
						
						
							
							Add logger interface and stop relying on Logrus directly  
						
						
						
						
					 
					
						2019-02-22 13:38:57 +01:00 
						 
				 
			
				
					
						
							
							
								Stephan Renatus 
							
						 
					 
					
						
						
							
						
						b9f6594bf0 
					 
					
						
						
							
							*: github.com/coreos/dex -> github.com/dexidp/dex  
						
						Signed-off-by: Stephan Renatus <srenatus@chef.io>
						
						
					 
					
						2018-09-05 17:57:08 +02:00 
						 
				 
			
				
					
						
							
							
								Eric Chiang 
							
						 
					 
					
						
						
							
						
						6475ce1f62 
					 
					
						
						
							
							connector/oidc: remove test that talks to the internet  
						
						
						
						
					 
					
						2017-10-27 13:40:50 -07:00 
						 
				 
			
				
					
						
							
							
								Michael Stapelberg 
							
						 
					 
					
						
						
							
						
						a41d93db4a 
					 
					
						
						
							
							Implement the “authproxy” connector (for Apache2 mod_auth etc.)  
						
						
						
						
					 
					
						2017-10-25 21:53:51 +02:00 
						 
				 
			
				
					
						
							
							
								rithu leena john 
							
						 
					 
					
						
						
							
						
						05e8d50eca 
					 
					
						
						
							
							Merge pull request  #1000  from rithujohn191/fix-hosted-domain  
						
						
						
						
						connector/oidc: fix hosted domain support. 
						
						
					 
					
						2017-07-31 13:29:26 -07:00 
						 
				 
			
				
					
						
							
							
								Eric Stroczynski 
							
						 
					 
					
						
						
							
						
						4a88d0641a 
					 
					
						
						
							
							: update {S->s}irupsen/logrus  
						
						
						
						
					 
					
						2017-07-25 13:46:44 -07:00 
						 
				 
			
				
					
						
							
							
								rithu john 
							
						 
					 
					
						
						
							
						
						5e0bf8b65f 
					 
					
						
						
							
							connector/oidc: fix hosted domain support.  
						
						
						
						
					 
					
						2017-07-25 13:46:12 -07:00 
						 
				 
			
				
					
						
							
							
								Ben Navetta 
							
						 
					 
					
						
						
							
						
						cbb007663f 
					 
					
						
						
							
							add documentation and tests  
						
						
						
						
					 
					
						2017-06-21 22:56:02 -07:00 
						 
				 
			
				
					
						
							
							
								Ben Navetta 
							
						 
					 
					
						
						
							
						
						4194530cf3 
					 
					
						
						
							
							initial hostedDomain support  
						
						
						
						
					 
					
						2017-06-20 22:47:28 -07:00 
						 
				 
			
				
					
						
							
							
								rithu john 
							
						 
					 
					
						
						
							
						
						682d78f527 
					 
					
						
						
							
							connector: improve error message for callback URL mismatch  
						
						
						
						
					 
					
						2017-06-13 15:52:33 -07:00 
						 
				 
			
				
					
						
							
							
								rithu john 
							
						 
					 
					
						
						
							
						
						59502850f0 
					 
					
						
						
							
							connector: Connectors without a RefreshConnector should not return a refresh token instead of erroring  
						
						
						
						
					 
					
						2017-03-23 14:56:34 -07:00 
						 
				 
			
				
					
						
							
							
								Eric Chiang 
							
						 
					 
					
						
						
							
						
						ac032e99f0 
					 
					
						
						
							
							connector/oidc: expose oauth2.RegisterBrokenAuthHeaderProvider  
						
						
						
						
					 
					
						2017-03-20 08:47:02 -07:00 
						 
				 
			
				
					
						
							
							
								Eric Chiang 
							
						 
					 
					
						
						
							
						
						777eeafabc 
					 
					
						
						
							
							*: update go-oidc and use standard library's context package  
						
						
						
						
					 
					
						2017-03-08 10:33:19 -08:00 
						 
				 
			
				
					
						
							
							
								rithu john 
							
						 
					 
					
						
						
							
						
						2e22a948cf 
					 
					
						
						
							
							cmd/dex: add logging config and serve logger for different modules.  
						
						
						
						
					 
					
						2016-12-12 15:56:50 -08:00 
						 
				 
			
				
					
						
							
							
								Eric Chiang 
							
						 
					 
					
						
						
							
						
						522749b5d8 
					 
					
						
						
							
							*: switch oidc client to github.com/coreos/go-oidc  
						
						
						
						
						This saves us from having to import two different versions of
square/go-jose. 
						
						
					 
					
						2016-11-22 13:29:17 -08:00 
						 
				 
			
				
					
						
							
							
								Eric Chiang 
							
						 
					 
					
						
						
							
						
						952e0f81f5 
					 
					
						
						
							
							connector: add RefreshConnector interface  
						
						
						
						
					 
					
						2016-11-22 12:53:46 -08:00 
						 
				 
			
				
					
						
							
							
								Eric Chiang 
							
						 
					 
					
						
						
							
						
						aa7f304bc1 
					 
					
						
						
							
							*: switch to github.com/ghodss/yaml for more consistent YAML parsing  
						
						
						
						
						ghodss/yaml converts from YAML to JSON before attempting to unmarshal.
This allows us to:
* Get the correct behavior when decoding base64'd []byte slices.
* Use *json.RawMessage.
* Not have to support extravagant YAML features.
* Let our structs use `json:` tags 
						
						
					 
					
						2016-11-03 14:39:32 -07:00 
						 
				 
			
				
					
						
							
							
								Eric Chiang 
							
						 
					 
					
						
						
							
						
						d7912a3a97 
					 
					
						
						
							
							Merge pull request  #638  from ericchiang/dev-share-a-single-callback  
						
						
						
						
						*: allow call connectors to share a single callback
						
						
					 
					
						2016-10-27 16:59:04 -07:00