Andrew Block
296659cb50
Reduced OpenShift scopes and enhanced documentation
2019-12-26 03:14:20 -06:00
Andrew Block
075ab0938e
Fixed formatting
2019-12-22 02:53:10 -05:00
Andrew Block
7e89d8ca24
Resolved newline issues
2019-12-22 02:27:11 -05:00
Andrew Block
02c8f85e4d
Resolved newline issues
2019-12-22 02:27:11 -05:00
Andrew Block
db7711d72a
Test cleanup
2019-12-22 02:27:10 -05:00
Andrew Block
5881a2cfca
Test cleanup
2019-12-22 02:27:10 -05:00
Andrew Block
48954ca716
Corrected test formatting
2019-12-22 02:27:09 -05:00
Andrew Block
92e63771ac
Added OpenShift connector
2019-12-22 02:27:09 -05:00
Nándor István Krácser
a901e2f204
Merge pull request #1604 from dexidp/fix-linters
...
Fix linters
2019-12-20 07:10:22 +01:00
Lars Lehtonen
8e0ae82034
connector/oidc: replace deprecated oauth2.RegisterBrokenAuthHeaderProvider with oauth2.Endpoint.AuthStyle
2019-12-18 08:27:40 -08:00
Mark Sagi-Kazar
65c77e9db2
Fix bodyclose
2019-12-18 16:04:03 +01:00
Mark Sagi-Kazar
2f8d1f8e42
Fix unconvert
2019-12-18 15:56:46 +01:00
Mark Sagi-Kazar
f141f2133b
Fix whitespace
2019-12-18 15:56:12 +01:00
Mark Sagi-Kazar
9bd5ae5197
Fix goimports
2019-12-18 15:53:34 +01:00
Mark Sagi-Kazar
367b187cf4
Fix missspell
2019-12-18 15:51:44 +01:00
Mark Sagi-Kazar
142c96c210
Fix stylecheck
2019-12-18 15:50:36 +01:00
Mark Sagi-Kazar
8c3dc0ca66
Remove unused code (fixed: unused, structcheck, deadcode linters)
2019-12-18 15:46:49 +01:00
Mark Sagi-Kazar
d2095bb2d8
Rewrite LDAP tests to use Docker
2019-12-08 20:21:28 +01:00
Nandor Kracser
a38e215891
connector/google: support group whitelisting
...
Signed-off-by: Nandor Kracser <bonifaido@gmail.com>
2019-12-03 16:27:07 +01:00
Nándor István Krácser
c41035732f
Merge pull request #1434 from jacksontj/groups
...
Add option to enable groups for oidc connectors
2019-11-27 14:00:36 +01:00
Joel Speed
658a2cc477
Make directory service during init
2019-11-19 17:12:44 +00:00
Joel Speed
554870cea0
Add todo for configurable groups key
2019-11-19 17:12:43 +00:00
Joel Speed
6a9bc889b5
Update comments
2019-11-19 17:12:40 +00:00
Joel Speed
c03c98b951
Check config before getting groups
2019-11-19 17:12:39 +00:00
Joel Speed
3f55e2da72
Get groups from directory api
2019-11-19 17:12:38 +00:00
Joel Speed
36370f8f2a
No need to configure issuer
2019-11-19 17:12:37 +00:00
Joel Speed
97ffa21262
Create separate Google connector
2019-11-19 17:12:36 +00:00
Joel Speed
3156553843
OIDC: Rename refreshToken to RefreshToken
2019-11-19 15:43:25 +00:00
Joel Speed
77fcf9ad77
Use a struct for connector data within OIDC connector
2019-11-19 15:43:22 +00:00
Joel Speed
f6077083c9
Identify error as failure to retrieve refresh token
2019-11-19 15:43:21 +00:00
Joel Speed
8b344fe4d3
Fix Refresh comment
2019-11-19 15:43:20 +00:00
Joel Speed
433bb2afec
Remove duplicate code
2019-11-19 15:43:12 +00:00
Joel Speed
4076eed17b
Build opts based on scope
2019-11-19 15:43:11 +00:00
Joel Speed
0857a0fe09
Implement refresh in OIDC connector
...
This has added the access=offline parameter and prompt=consent parameter
to the initial request, this works with google, assuming other providers
will ignore the prompt parameter
2019-11-19 15:43:04 +00:00
Nándor István Krácser
6d41541964
Merge pull request #1544 from kenperkins/saml-groups
...
Adding support for allowed groups in SAML Connector
2019-10-30 13:28:34 +01:00
Nándor István Krácser
f2590ee07d
Merge pull request #1545 from jacksontj/getUserInfo
...
Run getUserInfo prior to claim enforcement
2019-10-30 13:26:18 +01:00
Nandor Kracser
c1b421fa04
add preffered_username to idToken
...
Signed-off-by: Nandor Kracser <bonifaido@gmail.com>
2019-10-30 13:06:37 +01:00
Thomas Jackson
21ab30d207
Add option to enable groups for oidc connectors
...
There's been some discussion in #1065 regarding what to do about
refreshing groups. As it stands today dex doesn't update any of the
claims on refresh (groups would just be another one). The main concern
with enabling it is that group claims may change more frequently. While
we continue to wait on the upstream refresh flows, this adds an option
to enable the group claim. This is disabled by default (so no behavioral
change) but enables those that are willing to have the delay in group
claim change to use oidc IDPs.
Workaround to #1065
2019-09-13 15:50:33 -07:00
Thomas Jackson
512cb3169e
Run getUserInfo prior to claim enforcement
...
If you have an oidc connector configured *and* that IDP provides thin
tokens (e.g. okta) then the majority of the requested claims come in the
getUserInfo call (such as email_verified). So if getUserInfo is
configured it should be run before claims are validated.
2019-09-13 11:10:44 -07:00
Ken Perkins
285c1f162e
connector/saml: Adding group filtering
...
- 4 new tests
- Doc changes to use the group filtering
2019-09-10 10:53:19 -07:00
wassan128
42e8619830
Fix typo
2019-09-06 09:55:09 +09:00
Nandor Kracser
ef08ad8317
gitlab: add groups scope by default when filtering is requested
2019-08-14 13:33:46 +02:00
Stephan Renatus
d9487e553b
*: fix some lint issues
...
Mostly gathered these using golangci-lint's deadcode and ineffassign
linters.
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-07-30 11:29:08 +02:00
Nandor Kracser
ff34e570b4
connector/gitlab: implement useLoginAsID as in GitHub connector
2019-07-28 19:49:49 +02:00
Maxime Desrosiers
458585008b
microsoft: option for group UUIDs instead of name and group whitelist
2019-07-25 09:14:33 -04:00
Stephan Renatus
51f50fcad8
connectors: refactor filter code into a helper package
...
I hope I didn't miss any :D
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-07-03 13:09:40 +02:00
Stephan Renatus
d6fad19d95
Merge pull request #1459 from flarno11/master
...
make userName configurable
2019-06-04 09:47:19 +02:00
tan
8613c78863
update LinkedIn connector to use v2 APIs
...
This updates LinkedIn connector to use the more recent v2 APIs. Necessary because v1 APIs are not able to retrieve email ids any more with the default permissions.
The API URLs are now different. Fetching the email address is now a separate call, made after fetching the profile details. The `r_basicprofile` permission is not needed any more, and `r_liteprofile` (which seems to be the one assigned by default) is sufficient.
The relevant API specifications are at:
- https://docs.microsoft.com/en-us/linkedin/shared/integrations/people/profile-api
- https://docs.microsoft.com/en-us/linkedin/shared/integrations/people/primary-contact-api
- https://docs.microsoft.com/en-us/linkedin/consumer/integrations/self-serve/migration-faq#how-do-i-retrieve-the-members-email-address
2019-06-03 22:59:37 +05:30
flarno11
8c1716d356
make userName configurable
2019-06-03 14:09:07 +02:00
Stephan Renatus
4e8cbf0f61
connectors/oidc: truely ignore "email_verified" claim if configured that way
...
Fixes #1455 , I hope.
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-05-28 16:15:06 +02:00
cappyzawa
9650836851
make userID configurable
2019-05-24 19:52:33 +09:00
Thomas Jackson
52d09a2dfa
Add option in oidc to hit the optional userinfo endpoint
...
Some oauth providers return "thin tokens" which won't include all of the
claims requested. This simply adds an option which will make the oidc
connector use the userinfo endpoint to fetch all the claims.
2019-05-23 09:20:48 -07:00
jimmythedog
b189d07d53
dexidp#1440 Add offline_access scope, if required
...
Without this scope, a refresh token will not be returned from Microsoft
2019-05-14 05:15:13 +01:00
Eric Chiang
35f51957c0
Merge pull request #1430 from mkontani/fix/typo
...
fix typo
2019-05-12 10:39:18 -07:00
Nandor Kracser
7b416b5a8e
gitlab: add tests
2019-05-02 08:06:56 +02:00
Nandor Kracser
a08a5811d4
gitlab: support for group whitelist
2019-04-25 12:50:29 +02:00
mkontani
6ae76662de
fix ssoURL
2019-04-20 21:12:01 +09:00
Gerald Barker
fc723af0fe
Add option to OIDC connecter to override email_verified to true
2019-03-05 21:24:02 +00:00
Mark Sagi-Kazar
06521ffa49
Remove the logrus logger wrapper
2019-02-22 21:31:46 +01:00
Mark Sagi-Kazar
be581fa7ff
Add logger interface and stop relying on Logrus directly
2019-02-22 13:38:57 +01:00
Stephan Renatus
7bd4071b4c
Merge pull request #1396 from jtnord/useLoginId-dexidp
...
Use github login as the id
2019-02-05 13:54:49 +01:00
James Nord
fe247b106b
remove blank line that tripped up make verify-proto
2019-02-04 14:06:06 +00:00
James Nord
9840fccdbb
rename useLoginAsId -> useLoginAsID
2019-02-04 14:05:57 +00:00
Stephan Renatus
df18cb0c22
ldap_test: add filter tests
...
The filters for user and group searches hadn't been included in our LDAP
tests. Now they are.
The concrete test cases are somewhat contrived, but that shouldn't
matter too much. Also note that the example queries I've used are not
supported in AD: https://stackoverflow.com/a/10043452
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-02-03 11:06:11 +01:00
James Nord
5822a5ce9e
fix formatting of connector/github/github_test.go
2019-02-01 11:47:45 +00:00
James Nord
03ffd0798c
Allow an option to use the github user handle rather than an id.
...
For downstream apps using a github handle is much simpler than working
with numbers.
WHilst the number is stable and the handle is not - GitHUb does give you
a big scary wanring if you try and change it that bad things may happen
to you, and generally few users ever change it.
This can be enabled with a configuration option `useLoginAsId`
2019-02-01 11:37:40 +00:00
Krzysztof Balka
e8ba848907
keystone: fetching groups only if requested, refactoring.
2019-01-11 15:14:59 +01:00
joannano
88d1e2b041
keystone: test cases, refactoring and cleanup
2019-01-11 15:14:56 +01:00
Krzysztof Balka
a965365a2b
keystone: refresh token and groups
2019-01-11 15:14:11 +01:00
knangia
0774a89066
keystone: squashed changes from knangia/dex
2019-01-11 15:12:59 +01:00
Daniel Kessler
ee54a50956
LDAP connector - add emailSuffix config option
2019-01-08 19:01:42 -08:00
Josh Winters
bb11a1ebee
github: add 'both' team name field option
...
this will result in both the team name *and* the team slug being
returned for each team, allowing a bit more flexibility in auth
validation.
Signed-off-by: Topher Bullock <tbullock@pivotal.io>
Signed-off-by: Alex Suraci <suraci.alex@gmail.com>
2018-11-20 10:12:44 -05:00
Stephan Renatus
7c8a22443a
Merge pull request #1349 from alexmt/1102-config-to-load-all-groups
...
Add config to explicitly enable loading all github groups
Follow-up for #1102 .
2018-11-20 15:15:25 +01:00
Stephan Renatus
84ea412ca6
Merge pull request #1351 from CognotektGmbH/gypsydiver/1347-pr-gitlab-groups
...
Gitlab connector should not require the api scope.
Fixes #1347 .
2018-11-20 14:49:11 +01:00
gypsydiver
f21e6a0f00
gypsydiver/1347-pr-gitlab-groups
2018-11-20 11:18:50 +01:00
Stephan Renatus
4738070951
Merge pull request #1338 from srenatus/sr/update-go-ldap
...
update go-ldap, improve errors
2018-11-20 08:02:13 +01:00
Alexander Matyushentsev
7bd084bc07
Issue #1102 - Add config to explicitly enable loading all github groups
2018-11-19 10:14:38 -08:00
Alexander Matyushentsev
20bc6cd353
Full list of groups should include group names as well as group_name:team_name
2018-11-15 14:12:50 -08:00
Alexander Matyushentsev
ce3cd53a11
Bug fix: take into account 'teamNameField' settings while fetching all user groups
2018-11-15 09:23:57 -08:00
Alexander Matyushentsev
e876353128
Rename variables to stop shadowing package name
2018-11-15 09:00:37 -08:00
Alexander Matyushentsev
a9f71e378f
Update getPagination method comment
2018-11-15 08:57:31 -08:00
Alexander Matyushentsev
e10b8232d1
Apply reviewer notes: style changes, make sure unit test verifies pagination
2018-11-15 08:12:28 -08:00
Alexander Matyushentsev
51d9b3d3ca
Issue #1184 - Github connector now returns a full group list when no org is specified
2018-11-14 15:31:31 -08:00
Stephan Renatus
c14b2fd5a5
connector/ldap: slightly improve error output
...
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2018-11-13 09:40:40 +01:00
Stephan Renatus
65b0c91992
Merge pull request #1245 from scotthew1/mock-connector-refresh
...
add Refresh() to mock passwordConnector
2018-10-25 16:38:08 +02:00
Ed Tan
50afa921b5
Remove unused DisplayName
2018-10-06 12:13:55 -04:00
Ed Tan
6ffc8fcd8d
Rename bitbucket to bitbucketcloud
2018-10-06 11:45:56 -04:00
Ed Tan
d26e23c16f
Make suggested code changes
2018-10-05 10:43:49 -04:00
Ed Tan
2c024d8caf
Fix golint issues
2018-09-30 15:43:50 -04:00
Ed Tan
8c75d85b60
Add Bitbucket connector
2018-09-30 15:08:07 -04:00
Stephan Renatus
26c0206627
connector/saml: make unparsable (trailing, non-space/newline) data an error
...
Fixes #1304 , if we want to be harsh.
However, I think if it was the user's intention to pass two certs, and
the second one couldn't be read, that shouldn't just disappear. After
all, when attempting to login later, that might fail because the
expected IdP cert data isn't there.
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2018-09-29 11:09:33 +02:00
veily
317f433a14
support self-signed certificates ldap
...
Format ldap.go
Format ldap.go: with a space for golint
with a space
Rename clientCA is to clientCert
Update ldap.go
modified the ldap client certificate file comments.
modified load ldap client cert error.
modified load ldap client cert error: fmt.Errorf("ldap: load client cert failed: %v", err)
2018-09-22 12:15:11 +08:00
Scott Reisor
2707302054
add Refresh() to mock passwordConnector
2018-09-21 11:55:14 -04:00
Taras Burko
bf39130bab
Configurable team name field for GitHub connector
2018-09-14 01:09:48 +03:00
Eric Chiang
bb75dcd793
Merge pull request #1283 from srenatus/sr/move-github-org/fix-imports
...
Finish GitHub org move
2018-09-05 09:14:06 -07:00
Stephan Renatus
b9f6594bf0
*: github.com/coreos/dex -> github.com/dexidp/dex
...
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2018-09-05 17:57:08 +02:00
Stephan Renatus
6a2d4ab6b4
connectors/ldap: treat 'constraint violation' on bind as bad credentials
...
Some directory servers (I think it's Oracle) return
Constraint Violation: Exceed password retry limit. Account locked.
when attempting to login too many times. While constraint violation can
mean many things, we're checking this as an error on BIND, so it's
more likely that something like this has happened than any other thing.
Hence, we should treat it as an "incorrect password" situation, not an
internal error.
It would of course be preferrable to surface more information about this
precise error (and similar ones), but I think this is beyond this small
change.
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2018-09-05 10:03:17 +02:00
Anian Z
5454a4729f
fix default baseURL for gitlab connector
2018-08-28 19:05:30 +02:00
silenceshell
468b5e3f0a
fix typo
...
Should `pulic` be `public`?
2018-05-10 11:55:11 +08:00
Stephan Renatus
608260d0f1
saml: add tests case covering tampered NameID field (comment)
...
As sketched here:
https://developer.okta.com/blog/2018/02/27/a-breakdown-of-the-new-saml-authentication-bypass-vulnerability
Thought it was interesting to see how our SAML connector behaved. And
it seems to be behaving well. :)
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2018-02-28 08:42:17 +01:00