Mathias Gebbe
2dcd9b937d
docs(example): modify comment for client_credentials
...
Signed-off-by: Mathias Gebbe <mathias.gebbe@gmail.com>
1 month ago
Mathias Gebbe
2f3c5a5314
refactor(oauth2): remove dead feature flag check from server.go
...
The feature flag check in the else branch of server.go is dead code
since serve.go always sets a default AllowedGrantTypes list. Move the
gate entirely to cmd/dex/serve.go and remove the unused featureflags
import. Restore server_test.go to match server.go behavior directly.
Signed-off-by: Mathias Gebbe <mathias.gebbe@gmail.com>
1 month ago
Mathias Gebbe
36ea47c0f0
fix(cmd): include client_credentials in default grants when feature flag is enabled
...
The serve command sets a default grantTypes list when none is configured,
which meant AllowedGrantTypes was never empty and the feature flag check
in server.go was bypassed. Append client_credentials to the default list
when DEX_CLIENT_CREDENTIAL_GRANT_ENABLED_BY_DEFAULT is true.
Signed-off-by: Mathias Gebbe <mathias.gebbe@gmail.com>
1 month ago
Mathias Gebbe
afc02eecc6
feat(oauth2): gate client_credentials behind feature flag
...
Add DEX_CLIENT_CREDENTIAL_GRANT_ENABLED_BY_DEFAULT feature flag
(default false) so client_credentials is not advertised by default.
Users can still explicitly enable it via oauth2.grantTypes config.
The flag will be flipped to true in a future release before removal.
Signed-off-by: Mathias Gebbe <mathias.gebbe@gmail.com>
1 month ago
Mathias Gebbe
3c10d71ed7
fix(oauth2): use empty connector ID and pass nonce for client_credentials
...
Use an empty connector ID instead of __client_credentials to avoid
requiring reserved ID validation. Read the nonce parameter from the
token request and forward it to newAccessToken and newIDToken.
Signed-off-by: Mathias Gebbe <mathias.gebbe@gmail.com>
1 month ago
Mathias Gebbe
d9d679930d
revert(api): remove reserved connector ID prefix check
...
The __client_credentials connector ID is no longer used since the
client_credentials grant now uses an empty connector ID. Remove the
__ prefix validation from CreateConnector and its associated test.
Signed-off-by: Mathias Gebbe <mathias.gebbe@gmail.com>
1 month ago
Mathias Gebbe
21d7739692
style: fix gci formatting in handlers and handlers_test
...
Signed-off-by: Mathias Gebbe <mathias.gebbe@gmail.com>
1 month ago
Mathias Gebbe
0f246405a6
docs: comment out oauth2 section in example config
...
Signed-off-by: Mathias Gebbe <mathias.gebbe@gmail.com>
1 month ago
Mathias Gebbe
259e785529
feat(api): reject connector IDs with reserved __ prefix
...
Signed-off-by: Mathias Gebbe <mathias.gebbe@gmail.com>
1 month ago
Mathias Gebbe
b652d5b2a0
fix(oauth2): scope-conditional claims and reserved connector ID for client_credentials
...
Signed-off-by: Mathias Gebbe <mathias.gebbe@gmail.com>
1 month ago
Mathias Gebbe
a2d713a13c
refactor(oauth2): gate client_credentials via grantTypes instead of config flag
...
Signed-off-by: Mathias Gebbe <mathias.gebbe@gmail.com>
1 month ago
Mathias Gebbe
aaac9998ce
style: fix unnecessary whitespace changes in constants and test config
...
Signed-off-by: Mathias Gebbe <mathias.gebbe@gmail.com>
1 month ago
Mathias Gebbe
0778edeb45
fix(oauth2): restore client_credentials in default grant types list
...
The gating happens via allSupportedGrants in server.go, not via the
allowed list. Without client_credentials in the defaults, the
intersection filter always excluded it even with the flag enabled.
This matches how the password grant works: present in defaults but
only activated when the corresponding config flag is set.
Signed-off-by: Mathias Gebbe <mathias.gebbe@gmail.com>
1 month ago
Mathias Gebbe
b3c62556a0
docs: add clientCredentialsEnabled option to example config
...
Signed-off-by: Mathias Gebbe <mathias.gebbe@gmail.com>
1 month ago
Mathias Gebbe
e5c8e6d0ef
feat(oauth2): add client_credentials grant with opt-in config flag
...
Implement the OAuth2 client_credentials grant type for
machine-to-machine authentication. The grant is gated behind a new
clientCredentialsEnabled config flag (defaults to false), following
the same pattern as passwordConnector for the password grant.
Closes #3660
Signed-off-by: Mathias Gebbe <mathias.gebbe@gmail.com>
1 month ago
dependabot[bot]
2ecf64e8b8
build(deps): bump google.golang.org/api from 0.268.0 to 0.269.0 ( #4582 )
1 month ago
Michiel De Backker
a6962a8ba4
fix(mysql): quote `groups` reserved word in query replacer ( #4580 )
...
`groups` is a reserved word in MySQL >= 8.0.2, causing migration 13
to fail with a syntax error on `ALTER TABLE password ADD COLUMN groups`.
Fixes #4579
Signed-off-by: Michiel De Backker <mail@backkem.me>
1 month ago
dependabot[bot]
0963bbe780
build(deps): bump google.golang.org/api from 0.267.0 to 0.268.0 ( #4577 )
1 month ago
Maksim Nabokikh
bcc2283694
feat: enhance test commands to support GitHub Actions formatting ( #4575 )
...
With the number of tests growing, it is harder and harder to find errors in the test output. Gotestsum is a well-known runner for tests helping to format the output for both local runs and GitHub Actions.
Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
1 month ago
dependabot[bot]
ec26e19e79
build(deps): bump github/codeql-action from 4.32.3 to 4.32.4 ( #4573 )
1 month ago
dependabot[bot]
51c66d2523
build(deps): bump aquasecurity/trivy-action from 0.34.0 to 0.34.1 ( #4574 )
1 month ago
Maksim Nabokikh
8db7699e0f
feat: implement device code flow in example-app ( #4570 )
...
This is a KubeCon 2026 preparation:
1. Add device flow to the example-app
2. Add userinfo checker
3. Refactor the structure
Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
1 month ago
Maksim Nabokikh
cf17fc68c8
test: update HandleCallback after merging OIDC PKCE ( #4572 )
...
Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
1 month ago
Aljoscha Bollmann
83697b06a6
fix(server): respond with forbidden if failed to authenticate ( #4200 )
...
Signed-off-by: Aljoscha Bollmann <aljoscha.bollmann@proton.me>
1 month ago
Giovanni Vella
25591eeaf4
Add support to PKCE in OIDC connector ( #3777 )
...
Signed-off-by: johnvan7 <giovanni.vella98@gmail.com>
Signed-off-by: Giovanni Vella <giovanni.vella98@gmail.com>
1 month ago
Maksim Nabokikh
5d27abc117
feat: refactor example-app with a new config ( #4569 )
...
This is a preparation for KubeCon 2026:
1. Restyle the app
2. Refactor advanced configuration options
3. Move embedded templates and css to separate files
Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
2 months ago
Maksim Nabokikh
08079303c9
feat: add debug step to check image metadata in workflow ( #4566 )
...
Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
2 months ago
dependabot[bot]
49c8228d30
build(deps): bump actions/dependency-review-action from 4.8.2 to 4.8.3 ( #4563 )
...
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action ) from 4.8.2 to 4.8.3.
- [Release notes](https://github.com/actions/dependency-review-action/releases )
- [Commits](3c4e3dcb1a...05fe457637 )
---
updated-dependencies:
- dependency-name: actions/dependency-review-action
dependency-version: 4.8.3
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2 months ago
Maksim Nabokikh
0108be9e9f
feat: add skopeo copy command to transfer image from OCI layout ( #4564 )
...
Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
2 months ago
dependabot[bot]
548b0f54e8
build(deps): bump filippo.io/edwards25519 from 1.1.0 to 1.1.1 ( #4562 )
2 months ago
Maksim Nabokikh
29c7b6f4e3
feat: validate redirect URIs and safely append parameters ( #4559 )
...
Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
2 months ago
dependabot[bot]
69f9b7eef9
build(deps): bump google.golang.org/api from 0.266.0 to 0.267.0 ( #4558 )
...
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client ) from 0.266.0 to 0.267.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases )
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md )
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.266.0...v0.267.0 )
---
updated-dependencies:
- dependency-name: google.golang.org/api
dependency-version: 0.267.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2 months ago
dependabot[bot]
be13b1f4d2
build(deps): bump helm/kind-action from 1.13.0 to 1.14.0 ( #4557 )
...
Bumps [helm/kind-action](https://github.com/helm/kind-action ) from 1.13.0 to 1.14.0.
- [Release notes](https://github.com/helm/kind-action/releases )
- [Commits](92086f6be0...ef37e7f390 )
---
updated-dependencies:
- dependency-name: helm/kind-action
dependency-version: 1.14.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2 months ago
Maksim Nabokikh
dce46384d9
build(deps): update gRPC to v1.79.1 and other dependencies ( #4554 )
...
Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
2 months ago
Maksim Nabokikh
955142bae2
feat: enhance git-version script to generate pseudo-versions with timestamp ( #4553 )
...
Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
2 months ago
Maksim Nabokikh
adec8b481a
Add steps to fetch and extract OCI image tarball ( #4552 )
...
Added steps to fetch and extract OCI image tarball.
Signed-off-by: Maksim Nabokikh <maksim.nabokikh@flant.com>
2 months ago
Maksim Nabokikh
eb9f04b468
Debug trivy scans ( #4545 )
...
Signed-off-by: Maksim Nabokikh <maksim.nabokikh@flant.com>
2 months ago
dependabot[bot]
5593fb7fcf
build(deps): bump github/codeql-action from 4.32.2 to 4.32.3 ( #4547 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 4.32.2 to 4.32.3.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](45cbd0c69e...9e907b5e64 )
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-version: 4.32.3
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2 months ago
dependabot[bot]
c331bb9608
build(deps): bump the etcd group with 2 updates ( #4548 )
...
Bumps the etcd group with 2 updates: [go.etcd.io/etcd/client/pkg/v3](https://github.com/etcd-io/etcd ) and [go.etcd.io/etcd/client/v3](https://github.com/etcd-io/etcd ).
Updates `go.etcd.io/etcd/client/pkg/v3` from 3.6.7 to 3.6.8
- [Release notes](https://github.com/etcd-io/etcd/releases )
- [Commits](https://github.com/etcd-io/etcd/compare/v3.6.7...v3.6.8 )
Updates `go.etcd.io/etcd/client/v3` from 3.6.7 to 3.6.8
- [Release notes](https://github.com/etcd-io/etcd/releases )
- [Commits](https://github.com/etcd-io/etcd/compare/v3.6.7...v3.6.8 )
---
updated-dependencies:
- dependency-name: go.etcd.io/etcd/client/pkg/v3
dependency-version: 3.6.8
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: etcd
- dependency-name: go.etcd.io/etcd/client/v3
dependency-version: 3.6.8
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: etcd
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2 months ago
dependabot[bot]
e640a40a47
build(deps): bump google.golang.org/grpc from 1.79.0 to 1.79.1 ( #4549 )
...
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go ) from 1.79.0 to 1.79.1.
- [Release notes](https://github.com/grpc/grpc-go/releases )
- [Commits](https://github.com/grpc/grpc-go/compare/v1.79.0...v1.79.1 )
---
updated-dependencies:
- dependency-name: google.golang.org/grpc
dependency-version: 1.79.1
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2 months ago
dependabot[bot]
2976b2363a
build(deps): bump google.golang.org/grpc in /examples ( #4551 )
...
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go ) from 1.79.0 to 1.79.1.
- [Release notes](https://github.com/grpc/grpc-go/releases )
- [Commits](https://github.com/grpc/grpc-go/compare/v1.79.0...v1.79.1 )
---
updated-dependencies:
- dependency-name: google.golang.org/grpc
dependency-version: 1.79.1
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2 months ago
dependabot[bot]
7c74dd8ad8
build(deps): bump distroless/static-debian13 from `f9f84bd` to `01e550f` ( #4546 )
...
Bumps distroless/static-debian13 from `f9f84bd` to `01e550f`.
---
updated-dependencies:
- dependency-name: distroless/static-debian13
dependency-version: nonroot
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2 months ago
Maksim Nabokikh
a5f49565a1
Add permissions section to trivydb-cache workflow ( #4544 )
...
Signed-off-by: Maksim Nabokikh <maksim.nabokikh@flant.com>
2 months ago
Maksim Nabokikh
9bee809252
feat(crd): add CRD handling behavior and configuration options ( #4543 )
...
Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
2 months ago
Maksim Nabokikh
ad3a83ebcf
build(gomplate): update gomplate version to v5.0.0 and add update script ( #4542 )
...
Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
2 months ago
Maksim Nabokikh
785033767c
feat: refactor signer configuration with local and vault options ( #4532 )
...
Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
2 months ago
Logan
d90827cc30
fix: use correct id value for label ( #4541 )
...
Signed-off-by: Logan <31484824+loganripplinger@users.noreply.github.com>
2 months ago
Maksim Nabokikh
489e37d07a
fix: suppress deprecation warning for userAttr when not set ( #4539 )
...
Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
2 months ago
dependabot[bot]
76d7ed49ed
build(deps): bump aquasecurity/trivy-action from 0.33.1 to 0.34.0 ( #4533 )
...
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action ) from 0.33.1 to 0.34.0.
- [Release notes](https://github.com/aquasecurity/trivy-action/releases )
- [Commits](b6643a29fe...c1824fd6ed )
---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
dependency-version: 0.34.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2 months ago
dependabot[bot]
4955d43d45
build(deps): bump docker/build-push-action from 6.19.1 to 6.19.2 ( #4535 )
...
Bumps [docker/build-push-action](https://github.com/docker/build-push-action ) from 6.19.1 to 6.19.2.
- [Release notes](https://github.com/docker/build-push-action/releases )
- [Commits](601a80b39c...10e90e3645 )
---
updated-dependencies:
- dependency-name: docker/build-push-action
dependency-version: 6.19.2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2 months ago