The feature flag check in the else branch of server.go is dead code
since serve.go always sets a default AllowedGrantTypes list. Move the
gate entirely to cmd/dex/serve.go and remove the unused featureflags
import. Restore server_test.go to match server.go behavior directly.
Signed-off-by: Mathias Gebbe <mathias.gebbe@gmail.com>
Add DEX_CLIENT_CREDENTIAL_GRANT_ENABLED_BY_DEFAULT feature flag
(default false) so client_credentials is not advertised by default.
Users can still explicitly enable it via oauth2.grantTypes config.
The flag will be flipped to true in a future release before removal.
Signed-off-by: Mathias Gebbe <mathias.gebbe@gmail.com>
Use an empty connector ID instead of __client_credentials to avoid
requiring reserved ID validation. Read the nonce parameter from the
token request and forward it to newAccessToken and newIDToken.
Signed-off-by: Mathias Gebbe <mathias.gebbe@gmail.com>
The __client_credentials connector ID is no longer used since the
client_credentials grant now uses an empty connector ID. Remove the
__ prefix validation from CreateConnector and its associated test.
Signed-off-by: Mathias Gebbe <mathias.gebbe@gmail.com>
Implement the OAuth2 client_credentials grant type for
machine-to-machine authentication. The grant is gated behind a new
clientCredentialsEnabled config flag (defaults to false), following
the same pattern as passwordConnector for the password grant.
Closes #3660
Signed-off-by: Mathias Gebbe <mathias.gebbe@gmail.com>
If the issuer path ends with a /, the URL will be built wrong, so we
should instead use the helper function to ensure the path is built
correctly. Fixes #4242.
Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
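Added illustration of the trailing-slash problem described in the commit above; this is example code, not dex's own helper. The function name `joinIssuerPath` is assumed, as are the sample issuer URLs. It shows the naive `issuer + "/" + endpoint` concatenation producing a `//` when the issuer already ends in a slash, beside a helper that normalises the path with `path.Join` and rejects non-absolute issuers.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
)

// joinIssuerPath builds an absolute endpoint URL beneath the issuer.
// Hypothetical helper (assumed name, not dex's own): path.Join collapses
// duplicate separators, so an issuer with a trailing "/" never yields "//".
func joinIssuerPath(issuer, endpoint string) (string, error) {
	u, err := url.Parse(issuer)
	if err != nil {
		return "", fmt.Errorf("parse issuer: %w", err)
	}
	// An issuer must be an absolute URL; a bare host or relative path is a
	// configuration error rather than something to silently repair.
	if u.Scheme == "" || u.Host == "" {
		return "", fmt.Errorf("issuer %q must be an absolute URL", issuer)
	}
	u.Path = path.Join("/", u.Path, endpoint)
	return u.String(), nil
}

// naiveJoin is the plain concatenation the commit message warns about.
func naiveJoin(issuer, endpoint string) string {
	return issuer + "/" + endpoint
}

func main() {
	// Constructed sample issuers: one without and one with a trailing slash.
	for _, issuer := range []string{"https://dex.example.com/dex", "https://dex.example.com/dex/"} {
		good, err := joinIssuerPath(issuer, "device/code")
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("issuer=%q naive=%q helper=%q\n", issuer, naiveJoin(issuer, "device/code"), good)
	}
}
```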
As per RFC8628 section 3.1, https://datatracker.ietf.org/doc/html/rfc8628#section-3.1
the scope is optional. Since dex always requires at least 'openid',
default the value to comply with the RFC.
Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
Instead of only checking for "localhost", also validate through
net.ParseIP + IsLoopback whether the host is numerically localhost.
Signed-off-by: Daniel Sonck <daniel@sonck.nl>
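Added example of the loopback check the commit above describes; this is illustrative code, not dex's own implementation, and the helper name `isLocalhostRedirect` and the sample URLs are assumptions. It accepts the literal host `localhost` as well as any numeric loopback address (`127.0.0.0/8`, `::1`) via `net.ParseIP` and `IsLoopback`, while look-alike names such as `localhost.example.com` and non-loopback addresses are rejected.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// isLocalhostRedirect reports whether a redirect URI points at the loopback
// interface. Hypothetical helper (assumed name, not dex's own code).
// url.Hostname strips the port and IPv6 brackets, so "[::1]:8080" works.
func isLocalhostRedirect(rawURL string) (bool, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false, err
	}
	host := u.Hostname()
	// Host names are case-insensitive, so compare without regard to case.
	if strings.EqualFold(host, "localhost") {
		return true, nil
	}
	// Numeric check: only a parsable IP literal can be a loopback address.
	// Names like "localhost.example.com" or "127.0.0.1.example.com" fail
	// net.ParseIP and are therefore rejected here.
	ip := net.ParseIP(host)
	if ip == nil {
		return false, nil
	}
	return ip.IsLoopback(), nil
}

func main() {
	// Constructed sample redirect URIs.
	for _, raw := range []string{
		"http://localhost:8080/callback",
		"http://127.0.0.1/callback",
		"http://127.5.5.5:9999/callback",
		"http://[::1]:8080/callback",
		"http://localhost.example.com/callback",
		"http://10.0.0.1/callback",
	} {
		ok, err := isLocalhostRedirect(raw)
		fmt.Printf("%-40s loopback=%v err=%v\n", raw, ok, err)
	}
}
```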
Replaces felixge/httpsnoop with prometheus/client_golang instrumentation.
Adds histograms for response_size_bytes & request_duration_seconds.
Signed-off-by: Ivo Gosemann <ivo.gosemann@sap.com>
Signed-off-by: Giovanni Campeol <giovanni.campeol.95@gmail.com>
Signed-off-by: Maksim Nabokikh <maksim.nabokikh@flant.com>
Co-authored-by: Maksim Nabokikh <maksim.nabokikh@flant.com>
Customization of headers in the authentication server is crucial for enforcing stringent security measures by allowing the inclusion of specific headers required for authentication protocols and compliance standards. This customization ensures that authentication requests are processed securely, mitigating potential vulnerabilities and ensuring adherence to security policies.
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>