1ce63cc03f
Merge branch 'master' into feat/add-client-credential-flow
...
Signed-off-by: Maksim Nabokikh <maksim.nabokikh@flant.com>
2 months ago
4311931881
feat: saml support refresh tokens ( #4565 )
...
Signed-off-by: Ivan Zvyagintsev <ivan.zvyagintsev@flant.com>
2 months ago
ed0b5e5319
Apply suggestions from code review
...
Signed-off-by: Maksim Nabokikh <max.nabokih@gmail.com>
2 months ago
898fb26d36
Merge branch 'master' into feat/add-client-credential-flow
...
Signed-off-by: Maksim Nabokikh <maksim.nabokikh@flant.com>
2 months ago
d78d744468
feat: Disallow unknown config fields ( #4531 )
...
Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
2 months ago
49dcb4d863
fix: clean up in-memory connector before create ( #4529 )
...
Signed-off-by: Andy Lo-A-Foe <andy.loafoe@gmail.com>
Co-authored-by: Maksim Nabokikh <max.nabokih@gmail.com>
2 months ago
3295c72066
build(deps): bump actions/attest-build-provenance from 3.2.0 to 4.0.0 ( #4585 )
...
Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance ) from 3.2.0 to 4.0.0.
- [Release notes](https://github.com/actions/attest-build-provenance/releases )
- [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md )
- [Commits](96278af6ca...e4d4f7c39a
2 months ago
c0daa71ec7
build(deps): bump golang.org/x/net from 0.50.0 to 0.51.0 ( #4586 )
...
Bumps [golang.org/x/net](https://github.com/golang/net ) from 0.50.0 to 0.51.0.
- [Commits](https://github.com/golang/net/compare/v0.50.0...v0.51.0 )
---
updated-dependencies:
- dependency-name: golang.org/x/net
dependency-version: 0.51.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2 months ago
9cd6668f40
build(deps): bump anchore/sbom-action from 0.22.2 to 0.23.0 ( #4587 )
...
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action ) from 0.22.2 to 0.23.0.
- [Release notes](https://github.com/anchore/sbom-action/releases )
- [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md )
- [Commits](28d71544de...17ae174017
2 months ago
4c3dffdb94
build(deps): bump actions/setup-go from 6.2.0 to 6.3.0 ( #4584 )
...
Bumps [actions/setup-go](https://github.com/actions/setup-go ) from 6.2.0 to 6.3.0.
- [Release notes](https://github.com/actions/setup-go/releases )
- [Commits](7a3fe6cf4c...4b73464bb3
2 months ago
2dcd9b937d
docs(example): modify comment for client_credentials
...
Signed-off-by: Mathias Gebbe <mathias.gebbe@gmail.com>
2 months ago
2f3c5a5314
refactor(oauth2): remove dead feature flag check from server.go
...
The feature flag check in the else branch of server.go is dead code
since serve.go always sets a default AllowedGrantTypes list. Move the
gate entirely to cmd/dex/serve.go and remove the unused featureflags
import. Restore server_test.go to match server.go behavior directly.
Signed-off-by: Mathias Gebbe <mathias.gebbe@gmail.com>
2 months ago
36ea47c0f0
fix(cmd): include client_credentials in default grants when feature flag is enabled
...
The serve command sets a default grantTypes list when none is configured,
which meant AllowedGrantTypes was never empty and the feature flag check
in server.go was bypassed. Append client_credentials to the default list
when DEX_CLIENT_CREDENTIAL_GRANT_ENABLED_BY_DEFAULT is true.
Signed-off-by: Mathias Gebbe <mathias.gebbe@gmail.com>
2 months ago
afc02eecc6
feat(oauth2): gate client_credentials behind feature flag
...
Add DEX_CLIENT_CREDENTIAL_GRANT_ENABLED_BY_DEFAULT feature flag
(default false) so client_credentials is not advertised by default.
Users can still explicitly enable it via oauth2.grantTypes config.
The flag will be flipped to true in a future release before removal.
Signed-off-by: Mathias Gebbe <mathias.gebbe@gmail.com>
2 months ago
3c10d71ed7
fix(oauth2): use empty connector ID and pass nonce for client_credentials
...
Use an empty connector ID instead of __client_credentials to avoid
requiring reserved ID validation. Read the nonce parameter from the
token request and forward it to newAccessToken and newIDToken.
Signed-off-by: Mathias Gebbe <mathias.gebbe@gmail.com>
2 months ago
d9d679930d
revert(api): remove reserved connector ID prefix check
...
The __client_credentials connector ID is no longer used since the
client_credentials grant now uses an empty connector ID. Remove the
__ prefix validation from CreateConnector and its associated test.
Signed-off-by: Mathias Gebbe <mathias.gebbe@gmail.com>
2 months ago
21d7739692
style: fix gci formatting in handlers and handlers_test
...
Signed-off-by: Mathias Gebbe <mathias.gebbe@gmail.com>
2 months ago
0f246405a6
docs: comment out oauth2 section in example config
...
Signed-off-by: Mathias Gebbe <mathias.gebbe@gmail.com>
2 months ago
259e785529
feat(api): reject connector IDs with reserved __ prefix
...
Signed-off-by: Mathias Gebbe <mathias.gebbe@gmail.com>
2 months ago
b652d5b2a0
fix(oauth2): scope-conditional claims and reserved connector ID for client_credentials
...
Signed-off-by: Mathias Gebbe <mathias.gebbe@gmail.com>
2 months ago
a2d713a13c
refactor(oauth2): gate client_credentials via grantTypes instead of config flag
...
Signed-off-by: Mathias Gebbe <mathias.gebbe@gmail.com>
2 months ago
aaac9998ce
style: fix unnecessary whitespace changes in constants and test config
...
Signed-off-by: Mathias Gebbe <mathias.gebbe@gmail.com>
2 months ago
0778edeb45
fix(oauth2): restore client_credentials in default grant types list
...
The gating happens via allSupportedGrants in server.go, not via the
allowed list. Without client_credentials in the defaults, the
intersection filter always excluded it even with the flag enabled.
This matches how the password grant works: present in defaults but
only activated when the corresponding config flag is set.
Signed-off-by: Mathias Gebbe <mathias.gebbe@gmail.com>
2 months ago
b3c62556a0
docs: add clientCredentialsEnabled option to example config
...
Signed-off-by: Mathias Gebbe <mathias.gebbe@gmail.com>
2 months ago
e5c8e6d0ef
feat(oauth2): add client_credentials grant with opt-in config flag
...
Implement the OAuth2 client_credentials grant type for
machine-to-machine authentication. The grant is gated behind a new
clientCredentialsEnabled config flag (defaults to false), following
the same pattern as passwordConnector for the password grant.
Closes #3660
Signed-off-by: Mathias Gebbe <mathias.gebbe@gmail.com>
2 months ago
2ecf64e8b8
build(deps): bump google.golang.org/api from 0.268.0 to 0.269.0 ( #4582 )
2 months ago
a6962a8ba4
fix(mysql): quote `groups` reserved word in query replacer ( #4580 )
...
`groups` is a reserved word in MySQL >= 8.0.2, causing migration 13
to fail with a syntax error on `ALTER TABLE password ADD COLUMN groups`.
Fixes #4579
Signed-off-by: Michiel De Backker <mail@backkem.me>
2 months ago
0963bbe780
build(deps): bump google.golang.org/api from 0.267.0 to 0.268.0 ( #4577 )
2 months ago
bcc2283694
feat: enhance test commands to support GitHub Actions formatting ( #4575 )
...
With the number of tests growing, it is harder and harder to find errors in the test output. Gotestsum is a well-known runner for tests helping to format the output fot both local runs and GitHub Actions.
Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
2 months ago
ec26e19e79
build(deps): bump github/codeql-action from 4.32.3 to 4.32.4 ( #4573 )
2 months ago
51c66d2523
build(deps): bump aquasecurity/trivy-action from 0.34.0 to 0.34.1 ( #4574 )
2 months ago
8db7699e0f
feat: implement device code flow in example-app ( #4570 )
...
This is a KubeCon 2026 preparation:
1. Add device flow to the example-app
2. Add userinfo checker
3. Refactor the structure
Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
2 months ago
cf17fc68c8
test: update HandleCallback after merging OIDC PKCE ( #4572 )
...
Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
2 months ago
83697b06a6
fix(server): respond with forbidden if failed to authenticate ( #4200 )
...
Signed-off-by: Aljoscha Bollmann <aljoscha.bollmann@proton.me>
2 months ago
25591eeaf4
Add support to PKCE in OIDC connector ( #3777 )
...
Signed-off-by: johnvan7 <giovanni.vella98@gmail.com>
Signed-off-by: Giovanni Vella <giovanni.vella98@gmail.com>
2 months ago
5d27abc117
feat: refactor example-app with a new config ( #4569 )
...
This is a preparation for KubeCon 2026:
1. Restyle the app
2. Refactor advanced configuration options
3. Move embedded templates and css to separate files
Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
2 months ago
08079303c9
feat: add debug step to check image metadata in workflow ( #4566 )
...
Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
2 months ago
49c8228d30
build(deps): bump actions/dependency-review-action from 4.8.2 to 4.8.3 ( #4563 )
...
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action ) from 4.8.2 to 4.8.3.
- [Release notes](https://github.com/actions/dependency-review-action/releases )
- [Commits](3c4e3dcb1a...05fe457637
2 months ago
0108be9e9f
feat: add skopeo copy command to transfer image from OCI layout ( #4564 )
...
Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
2 months ago
548b0f54e8
build(deps): bump filippo.io/edwards25519 from 1.1.0 to 1.1.1 ( #4562 )
2 months ago
29c7b6f4e3
feat: validate redirect URIs and safely append parameters ( #4559 )
...
Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
2 months ago
69f9b7eef9
build(deps): bump google.golang.org/api from 0.266.0 to 0.267.0 ( #4558 )
...
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client ) from 0.266.0 to 0.267.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases )
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md )
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.266.0...v0.267.0 )
---
updated-dependencies:
- dependency-name: google.golang.org/api
dependency-version: 0.267.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2 months ago
be13b1f4d2
build(deps): bump helm/kind-action from 1.13.0 to 1.14.0 ( #4557 )
...
Bumps [helm/kind-action](https://github.com/helm/kind-action ) from 1.13.0 to 1.14.0.
- [Release notes](https://github.com/helm/kind-action/releases )
- [Commits](92086f6be0...ef37e7f390
2 months ago
dce46384d9
build(deps): update gRPC to v1.79.1 and other dependencies ( #4554 )
...
Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
2 months ago
955142bae2
feat: enhance git-version script to generate pseudo-versions with timestamp ( #4553 )
...
Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
2 months ago
adec8b481a
Add steps to fetch and extract OCI image tarball ( #4552 )
...
Added steps to fetch and extract OCI image tarball.
Signed-off-by: Maksim Nabokikh <maksim.nabokikh@flant.com>
2 months ago
eb9f04b468
Debug trivy scans ( #4545 )
...
Signed-off-by: Maksim Nabokikh <maksim.nabokikh@flant.com>
2 months ago
5593fb7fcf
build(deps): bump github/codeql-action from 4.32.2 to 4.32.3 ( #4547 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 4.32.2 to 4.32.3.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](45cbd0c69e...9e907b5e64
2 months ago
c331bb9608
build(deps): bump the etcd group with 2 updates ( #4548 )
...
Bumps the etcd group with 2 updates: [go.etcd.io/etcd/client/pkg/v3](https://github.com/etcd-io/etcd ) and [go.etcd.io/etcd/client/v3](https://github.com/etcd-io/etcd ).
Updates `go.etcd.io/etcd/client/pkg/v3` from 3.6.7 to 3.6.8
- [Release notes](https://github.com/etcd-io/etcd/releases )
- [Commits](https://github.com/etcd-io/etcd/compare/v3.6.7...v3.6.8 )
Updates `go.etcd.io/etcd/client/v3` from 3.6.7 to 3.6.8
- [Release notes](https://github.com/etcd-io/etcd/releases )
- [Commits](https://github.com/etcd-io/etcd/compare/v3.6.7...v3.6.8 )
---
updated-dependencies:
- dependency-name: go.etcd.io/etcd/client/pkg/v3
dependency-version: 3.6.8
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: etcd
- dependency-name: go.etcd.io/etcd/client/v3
dependency-version: 3.6.8
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: etcd
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2 months ago
e640a40a47
build(deps): bump google.golang.org/grpc from 1.79.0 to 1.79.1 ( #4549 )
...
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go ) from 1.79.0 to 1.79.1.
- [Release notes](https://github.com/grpc/grpc-go/releases )
- [Commits](https://github.com/grpc/grpc-go/compare/v1.79.0...v1.79.1 )
---
updated-dependencies:
- dependency-name: google.golang.org/grpc
dependency-version: 1.79.1
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2 months ago
Maksim Nabokikh
Ivan Zviagintsev
Maksim Nabokikh
Andy Lo-A-Foe
dependabot[bot]
Mathias Gebbe
Mathias Gebbe
Michiel De Backker
Aljoscha Bollmann
Giovanni Vella