Adds an slog.Handler wrapper (excludingHandler) that drops log
attributes matching a configured set of keys. This allows
GDPR-sensitive deployments to suppress PII fields like email,
username, preferred_username, or groups at the logger level
rather than per-callsite.
Also adds user_id to the "login successful" log line so operators
who exclude PII fields still have a pseudonymous identifier.
Closes#4391
---------
Signed-off-by: Mark Liu <mark@prove.com.au>
When GetAuthRequest returns ErrNotFound in handleApproval, render a 400
"User session error." instead of logging + rendering a 500 "Database
error.". Covers the double-submit race where sendCodeResponse deletes
the auth request on first approval and the second request finds nothing.
---
Signed-off-by: Mark Liu <mark@prove.com.au>
Signed-off-by: mark-liu <mark-liu@users.noreply.github.com>
Implement the OAuth2 client_credentials grant type for
machine-to-machine authentication. The grant is gated behind a new
clientCredentialsEnabled config flag (defaults to false), following
the same pattern as passwordConnector for the password grant.
---------
Signed-off-by: Mathias Gebbe <mathias.gebbe@gmail.com>
Signed-off-by: Maksim Nabokikh <maksim.nabokikh@flant.com>
Signed-off-by: Maksim Nabokikh <max.nabokih@gmail.com>
Co-authored-by: Maksim Nabokikh <maksim.nabokikh@flant.com>
Co-authored-by: Maksim Nabokikh <max.nabokih@gmail.com>
If the issuer path ends with a / the URL will be built wrong so we
should instead use the helper function to ensure the path is built
correctly. fixes#4242.
Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
As per RFC8628 section 3.1, https://datatracker.ietf.org/doc/html/rfc8628#section-3.1
the scope is optional. Since dex always requires at least 'openid',
default the value to comply with the RFC.
Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
Instead of only checking for "localhost", also validate through
net.ParseIP + IsLoopback whether the host is numerically localhost
Signed-off-by: Daniel Sonck <daniel@sonck.nl>
replaces felixge/httpsnoop with prometheus/client_golang instrumentation
adds histograms for response_size_bytes & request_duration_seconds
Signed-off-by: Ivo Gosemann <ivo.gosemann@sap.com>
Signed-off-by: Giovanni Campeol <giovanni.campeol.95@gmail.com>
Signed-off-by: Maksim Nabokikh <maksim.nabokikh@flant.com>
Co-authored-by: Maksim Nabokikh <maksim.nabokikh@flant.com>
Customization of headers in the authentication server is crucial for enforcing stringent security measures by allowing the inclusion of specific headers required for authentication protocols and compliance standards. This customization ensures that authentication requests are processed securely, mitigating potential vulnerabilities and ensuring adherence to security policies.
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
Maksim Nabokikh
Mark Liu
Mathias Gebbe
Ivan Zviagintsev
Andy Lo-A-Foe
Aljoscha Bollmann
Giovanni Vella
Mark Sagi-Kazar
Doug Goldstein
Wenxuan Zhao
Julius Foitzik
Manoj Vivek
Oleksandr Redko
Massimiliano Filacchioni
Bob Maertz
Nicholas Wiersma
Daniël Sonck
IvoGoman
Koen de Laat
Giovanni Campeol
Sean Liao
Romain Caire