Commit Graph

1589 Commits

Author SHA1 Message Date
Eric Chiang
053c476c4f
Merge pull request #1157 from ericchiang/conn-oidc-doc-groups
document limitations in the OpenID Connect connector
2017-12-20 17:20:21 -08:00
Eric Chiang
0811d1a07a document limitations in the OpenID Connect connector 2017-12-20 17:12:00 -08:00
Eric Chiang
b5baf6b1ca
Merge pull request #1152 from diegs/bom
license: add bill of materials.
2017-12-19 10:31:43 -08:00
Diego Pontoriero
6d4fef4b9a
license: add bill of materials. 2017-12-19 10:23:27 -08:00
Eric Chiang
9d4b1041bd
Merge pull request #1151 from topos-ai/email-address
Clarify email scope description
2017-12-17 10:36:58 -08:00
Eric Buth
da45adcb6e email scope only allows access to a user's email address 2017-12-17 12:08:19 -05:00
Stephan Renatus
f013a44581 handlers/connector_login: check before update (optimization)
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2017-12-11 08:32:22 +01:00
Eric Chiang
ec5e2cc3c6
Merge pull request #1135 from mpashka/master
Update slapd.sh
2017-12-08 15:26:14 -06:00
Pavel Moukhataev
5ef1312b38 Add note for OpenLDAP installation 2017-12-08 23:53:36 +03:00
Stephan Renatus
f18d7afc6f handlers/connector_login: update AuthRequest irregardless of method
Before, you could not POST your credentials to a password-connector's
endpoint without GETing that endpoint first. While this makes sense for
browser clients; automated interactions with Dex don't need to look at
the password form to fill it in.

A symptom of that missing GET was that the POST succeeded (!) with

    login successful: connector "", username="admin", email="admin@example.com", groups=[]

Note the connector "". A subsequent call to finalizeLogin would then
fail with

    connector with ID "" not found: failed to get connector object from storage: not found

Now, the connector ID of an auth request will be updated for both GETs
and POSTs.

Signed-off-by: Stephan Renatus <srenatus@chef.io>
2017-12-08 11:49:52 +01:00
Eric Chiang
5172a46171
Merge pull request #1143 from wkalt/fix-verifier-creation-typo
Correct "Verifier" method name in using-dex doc
2017-12-05 17:47:11 -05:00
Wyatt Alt
e7d57bb31b Correct "Verifier" method name in using-dex doc
Change provider.NewVerifier to provider.Verifier per the godocs:
https://godoc.org/github.com/coreos/go-oidc#Provider.Verifier
2017-12-05 13:38:11 -08:00
Eric Chiang
18da628842
Merge pull request #1142 from zlabjp/status-code
Bugfix: Set a proper status code before sending an error status page
2017-12-04 00:04:28 -05:00
rithu leena john
32257bcf8e
Merge pull request #1140 from ericchiang/fix-proto-build
*: fix proto build
2017-12-01 14:02:11 -08:00
Eric Chiang
c5de6fa733 *: regenerate proto 2017-12-01 11:29:33 -08:00
Eric Chiang
ab102b8189 *: revendor 2017-12-01 10:32:04 -08:00
Eric Chiang
35063da41e *: pin protoc-gen-go dependencies 2017-12-01 10:32:04 -08:00
Kazumasa Kohtaka
9948228e5b Set a proper status code before sending an error status page 2017-12-01 14:23:45 +09:00
Eric Chiang
861d4ae447
Merge pull request #1131 from pborzenkov/microsoft
Implement Microsoft (Azure AD) connector
2017-11-28 09:33:11 -08:00
Eric Chiang
c872938298
Merge pull request #1136 from vyshane/master
Specify Java package for dex Protobuf API
2017-11-28 09:20:59 -08:00
Vy-Shane Xie
19cb2a5ffb Specify Java package option 2017-11-28 20:35:34 +08:00
Pavel Borzenkov
47df6ea2ff connector/microsoft: add support for groups
Microsoft connector now provides support for 'groups' claim in case
'tenant' is configured in Dex config for the connector. It's possible to
deny user authentication if the user is not a member of at least one
configured groups.

Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
2017-11-23 17:01:34 +03:00
Pavel Borzenkov
6193bf5566 connector: implement Microsoft connector
connector/microsoft implements authorization strategy via Microsoft's
OAuth2 endpoint + Graph API. It allows to choose what kind of tenants
are allowed to authenticate in Dex via Microsoft:
  * common - both personal and business/school accounts
  * organizations - only business/school accounts
  * consumers - only personal accounts
  * <tenant uuid> - only account of specific tenant

Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
2017-11-23 17:01:34 +03:00
Eric Chiang
f4b6bf2ac3
Merge pull request #1123 from srenatus/sr/back-button-for-password-template
show "back" link for password connectors
2017-11-13 10:58:25 -08:00
rithu leena john
bc01767212
Merge pull request #1124 from ericchiang/remove-milestones-link
README.md: remove milestones link
2017-11-13 09:48:42 -08:00
Stephan Renatus
41f663f70c show "back" link for password connectors
This way, the user who has selected, say, "Log in with Email" can make up
their mind, and select a different connector instead.

However, if there's only one connector set up, none of this makes sense -- and
the link will thus not be displayed.

Signed-off-by: Stephan Renatus <srenatus@chef.io>
2017-11-13 08:39:59 +01:00
Eric Chiang
b746ab4975 README.md: remove milestones link 2017-11-10 11:28:03 -08:00
Eric Chiang
75a07f2bfa
Merge pull request #1116 from srenatus/sr/local-users/say-email-in-login
password connectors: make prompt configurable
2017-11-10 11:25:02 -08:00
Stephan Renatus
b09a13458f password connectors: allow overriding the username attribute (password prompt)
This allows users of the LDAP connector to give users of Dex' login
prompt an idea of what they should enter for a username.

Before, irregardless of how the LDAP connector was set up, the prompt
was

    Username
    [_________________]

    Password
    [_________________]

Now, this is configurable, and can be used to say "MyCorp SSO Login" if
that's what it is.

If it's not configured, it will default to "Username".

For the passwordDB connector (local users), it is set to "Email
Address", since this is what it uses.

Signed-off-by: Stephan Renatus <srenatus@chef.io>
2017-11-09 09:30:03 +01:00
Eric Chiang
04e276f2df
Merge pull request #1120 from ericchiang/update-maintainers
*: update maintainers
2017-11-08 15:46:31 -08:00
Eric Chiang
df075d8bda *: update maintainers 2017-11-08 14:19:07 -08:00
Eric Chiang
97d395e351
Merge pull request #1119 from ericchiang/update-go-requirements
*: Go 1.7 no longer supported and updated build image to 1.9
2017-11-08 13:49:08 -08:00
Eric Chiang
b58fba6753 *: Go 1.7 no longer supported and updated build image to 1.9 2017-11-08 13:33:01 -08:00
Eric Chiang
ccf85a7269
Merge pull request #1108 from dqminh/etcd-storage
Add etcd backed storage
2017-11-06 08:36:43 -08:00
Daniel Dao
e617197871 storage/etcd: document struct tag in code
This explicitly adds struct tags for etcd storage instead of implicitly
depends on yaml/json config serialization.
2017-11-06 14:46:18 +00:00
Daniel Dao
a2188bebf1 add documentation for etcd storage
This adds references to etcd storage, including:
- only supports etcd v3
- list of options and their meanings when connecting to etcd cluster
2017-11-06 14:40:25 +00:00
Daniel Dao
fc1c60ed8f add etcd to travis CI
This patch uses docker to run an etcd container in travis CI so we can
run storage/etcd conformance tests.
2017-11-06 14:23:25 +00:00
Eric Chiang
e623bd626e
Merge pull request #1112 from ggreer/ldap-css
Add tectonic-ldap matching rule to ldap icon.
2017-11-03 11:27:27 -07:00
Geoff Greer
3dfc4b430e Add tectonic-ldap matching rule to ldap icon. Fixes an issue where the ldap icon was missing in the tectonic console. 2017-11-02 15:33:30 -07:00
rithu leena john
42ef8fd802
Merge pull request #1072 from ericchiang/k8s-test
*: run kubernetes tests in travis
2017-10-31 10:34:26 -07:00
Eric Chiang
3d2d92b31b *: run kubernetes tests in travis 2017-10-31 10:29:52 -07:00
Daniel Dao
b410622885 vendor etcd dependencies for etcd storage
This change vendors github.com/coreos/etcd related packages to support
etcd storage implementation.
2017-10-31 14:43:13 +00:00
Daniel Dao
ca114f7812 storage: add etcd storage
This patch adds etcd storage implementation. This should be useful in
environments where
- we dont want to depends on a separate, hard to maintain SQL cluster
- we dont want to incur the overhead of talking to kubernetes apiservers
- kubernetes is not available yet, or if kubernetes depends on dex
to perform authentication and the operator would like to remove any
circular dependency if possible.
2017-10-31 14:43:13 +00:00
rithu leena john
943e23cd54
Merge pull request #1109 from ericchiang/oidc-test
connector/oidc: remove test that talks to the internet
2017-10-30 11:18:18 -07:00
Eric Chiang
6475ce1f62 connector/oidc: remove test that talks to the internet 2017-10-27 13:40:50 -07:00
Eric Chiang
e3b96243b5 Merge pull request #1101 from pborzenkov/linkedin
connector: implement LinkedIn connector
2017-10-27 08:56:58 -07:00
Daniel Dao
2b13bdd12d
storage: fix list connector test
The previous test doesnt actually testing ListConnectors code. For
example the following pseudocode will pass the test:

```
ListConnectors() { return nil, nil }
```

Instead change to actually fetch and compare list of connectors,
ordering by name
2017-10-27 15:26:05 +01:00
Pavel Borzenkov
d5a9712aae Documentation: add LinkedIn connector documentation
Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
2017-10-27 12:54:28 +03:00
Pavel Borzenkov
3b5df52c0f connector/linkedin: implement RefreshConnector interface
Do Refresh() by querying user's profile data.

Since LinkedIn doesn't provide refresh tokens at all, and the access
tokens have 60 days expiration, refresh tokens issued by Dex will fail
to update after 60 days.

Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
2017-10-27 12:54:28 +03:00
Pavel Borzenkov
ab06119431 connector: implement LinkedIn connector
connector/linkedin implements authorization strategy via LinkedIn's
OAuth2 endpoint + profile API.

It doesn't implement RefreshConnector as LinkedIn doesn't provide any
refresh token at all (https://developer.linkedin.com/docs/oauth2, Step 5
— Refresh your Access Tokens) and recommends ordinary AuthCode exchange
flow when token refresh is required.

Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
2017-10-27 12:54:28 +03:00