Branch: v2.3.x

artifact-workflow

dependabot/go_modules/api/v2/google.golang.org/grpc-1.80.0

fix-google-admin-regression

helm

master

v1

v2.0.x

v2.1.x

v2.10.x

v2.13.x

v2.16.x

v2.2.x

v2.28.x

v2.3.x

v2.30.x

v2.31.x

v2.32.x

v2.33.x

v2.34.x

v2.35.x

v2.36.x

v2.37.x

v2.38.x

v2.39.x

v2.4.x

v2.40.x

v2.41.x

v2.42.x

v2.43.x

v2.45.x

v2.5.x

v2.6.x

v2.7.x

v2.8.x

v2.9.x

api/v2.0.0

api/v2.1.0

api/v2.2.0

api/v2.3.0

api/v2.4.0

v0.1.0

v0.2.0

v0.2.1

v0.2.2

v0.2.3

v0.3.0

v0.4.0

v0.5.0

v0.5.1

v0.6.0

v0.6.1

v2.0.0

v2.0.0-alpha.1

v2.0.0-alpha.2

v2.0.0-alpha.3

v2.0.0-alpha.4

v2.0.0-alpha.5

v2.0.0-beta.1

v2.0.0-beta.2

v2.0.0-beta.3

v2.0.1

v2.0.2

v2.1.0

v2.10.0

v2.11.0

v2.12.0

v2.13.0

v2.14.0

v2.15.0

v2.16.0

v2.17.0

v2.18.0

v2.19.0

v2.2.0

v2.2.1

v2.2.2

v2.2.3

v2.2.4

v2.2.5

v2.20.0

v2.21.0

v2.22.0

v2.23.0

v2.24.0

v2.25.0

v2.26.0

v2.27.0

v2.28.0

v2.28.1

v2.29.0

v2.3.0

v2.3.1

v2.30.0

v2.30.1

v2.30.2

v2.30.3

v2.31.0

v2.31.1

v2.31.2

v2.32.0

v2.32.1

v2.33.0

v2.33.1

v2.34.0

v2.35.0

v2.35.1

v2.35.2

v2.35.3

v2.36.0

v2.37.0

v2.38.0

v2.39.0

v2.39.1

v2.4.0

v2.4.1

v2.40.0

v2.41.0

v2.41.1

v2.42.0

v2.42.1

v2.43.0

v2.43.1

v2.44.0

v2.45.0

v2.45.1

v2.5.0

v2.6.0

v2.6.1

v2.7.0

v2.7.1

v2.8.0

v2.8.1

v2.9.0

Branches Tags

${ item.name }

Create tag ${ searchTerm }

Create branch ${ searchTerm }

from 'v2.3.x'

${ noResults }

Commit Graph

39 Commits (v2.3.x)

Author	SHA1	Message	Date
rithu john	59502850f0	connector: Connectors without a RefreshConnector should not return a refresh token instead of erroring	9 years ago
Eric Chiang	50b223a9db	*: validate InResponseTo SAML response field and make issuer optional	9 years ago
Eric Chiang	33f0199077	*: fix spelling using github.com/client9/misspell	9 years ago
rithu john	d201e49248	api: adding a gRPC call for listing refresh tokens.	9 years ago
rithu john	d928ac0677	storage: Add OfflineSession object to backend storage.	9 years ago
Eric Chiang	72a431dd4b	{web,server}: use html/template and reduce use of auth request ID ... Switch from using "text/template" to "html/template", which provides basic XSS preventions. We haven't identified any particular place where unsanitized user data is rendered to the frontend. This is just a preventative step. At the same time, make more templates take pure URL instead of forming an URL themselves using an "authReqID" argument. This will help us stop using the auth req ID in certain places, preventing garbage collection from killing login flows that wait too long at the login screen. Also increase the login session window (time between initial redirect and the user logging in) from 30 minutes to 24 hours, and display a more helpful error message when the session expires. How to test: 1. Spin up dex and example with examples/config-dev.yaml. 2. Login through both the password prompt and the direct redirect. 3. Edit examples/config-dev.yaml removing the "connectors" section. 4. Ensure you can still login with a password. (email/password is "admin@example.com" and "password")	9 years ago
Simon HEGE	415a68f977	Allow CORS on keys and token endpoints	9 years ago
Eric Chiang	1eda382789	server: add at_hash claim support ... The "at_hash" claim, which provides hash verification for the "access_token," is a required claim for implicit and hybrid flow requests. Previously we did not include it (against spec). This PR implements the "at_hash" logic and adds the claim to all responses. As a cleanup, it also moves some JOSE signing logic out of the storage package and into the server package. For details see: https://openid.net/specs/openid-connect-core-1_0.html#ImplicitIDToken	9 years ago
Eric Chiang	f778b2d33b	server: update refresh tokens instead of deleting and creating another ... The server implements a strategy called "Refresh Token Rotation" to ensure refresh tokens can only be claimed once. ref: https://tools.ietf.org/html/rfc6819#section-5.2.2.3 Previously "refresh_token" values in token responses where just the ID of the internal refresh object. To implement rotation, when a client redeemed a refresh token, the object would be deleted, a new one created, and the new ID returned as the new "refresh_token". However, this means there was no consistent ID for refresh tokens internally, making things like foreign keys very hard to implement. This is problematic for revocation features like showing all the refresh tokens a user or client has out. This PR updates the "refresh_token" to be an encoded protobuf message, which holds the internal ID and a nonce. When a refresh token is used, the nonce is updated to prevent reuse, but the ID remains the same. Additionally it adds the timestamp of each token's last use.	9 years ago
Eric Chiang	f926d74157	server: fixes for the implicit and hybrid flow ... Accept the following response_type for the implicit flow: id_token token id_token And the following for hybrid flow code id_token code token code token id_token This corrects the previous behavior of the implicit flow, which only accepted "token" (now correctly rejected).	9 years ago
Eric Chiang	0f4a1f69c5	*: wire up SAML POST binding	9 years ago
Simon HEGE	b4c47910e4	Allow CORS on discovery endpoint	9 years ago
rithu john	75aa1c67ce	server: add error HTML templates with error description.	10 years ago
rithu john	9949a1313c	server: modify error messages to use logrus.	10 years ago
Eric Chiang	952e0f81f5	connector: add RefreshConnector interface	10 years ago
Phu Kieu	35180a72f1	Enable groups scope	10 years ago
Eric Chiang	12a5c0ada3	server: use seconds instead of nano seconds for expires_in and expiry	10 years ago
Eric Chiang	7c2289e0de	*: rename internally used "state" form value to "req" ... "state" means something specific to OAuth2 and SAML so we don't want to confuse developers who are working on this. Also don't use "session" which could easily be confused with HTTP cookies.	10 years ago
Eric Chiang	a3235d022a	*: verify "state" field before passing request to callback connectors ... Let the server handle the state token instead of the connector. As a result it can throw out bad requests earlier. It can also use that token to determine which connector was used to generate the request allowing all connectors to share the same callback URL. Callbacks now all look like: https://dex.example.com/callback Instead of: https://dex.example.com/callback/(connector id) Even when multiple connectors are being used.	10 years ago
Lucas Serven	5c498ae4df	server/handlers: fix Cache-Control header ... fixes: #636 This commit addresses a problem where the `max-age` value is being set in nanoseconds as opposed to seconds, as required by the specification.	10 years ago
Eric Chiang	7084a801d7	*: port oob template	10 years ago
Eric Chiang	3e20a080fe	server: fix auth request expiry	10 years ago
Eric Chiang	2834da443f	server: allow extra spaces in scopes ... go-oidc sends an extra space before the list of scopes. This is bad but we have to support it, so we'll be more lenient and ignore duplicated whitespace.	10 years ago
Eric Chiang	ac6e419d48	server: add tests for refreshing with explicit scopes	10 years ago
Eric Chiang	e873a31b21	server: add health check endpoint	10 years ago
Eric Chiang	82a55cf785	{server,storage}: add LoggedIn flag to AuthRequest and improve storage docs ... Currently, whether or not a user has authenticated themselves through a connector is indicated by a pointer being nil or non-nil. Instead add an explicit flag that marks this.	10 years ago
Eric Chiang	608d8ba984	*: switch dex to the ported templates	10 years ago
Eric Chiang	571024182d	*: set response types supported in discovery based on server config	10 years ago
Eric Chiang	c113df961a	*: support the implicit flow	10 years ago
Eric Chiang	c33ad3e0f3	server: fix oauth2 values and remove unused code	10 years ago
Eric Chiang	bfe560ee21	rename	10 years ago
Eric Chiang	235ae9c3c4	server: update discovery to include offline_access scope	10 years ago
Eric Chiang	53d1be4a87	*: load static clients from config file	10 years ago
Eric Chiang	3110f45c3d	*: lots of renaming	10 years ago
Eric Chiang	f4c5722e42	*: connectors use a different identity object than storage	10 years ago
Eric Chiang	cab271f304	initial commit	10 years ago