Sean Liao
affd4d4e49
verify access tokens by checking getuserinfo during a token exchange (#3031)
The provider.Verifier.Verify endpoint we were using only works with ID
tokens. This isn't an issue with systems which use ID tokens as access
tokens (e.g. dex), but for systems with opaque access tokens (e.g.
Google / GCP), those access tokens could not be verified.
Instead, check the access token against the getUserInfo endpoint.
Signed-off-by: Sean Liao <sean+git@liao.dev>
Co-authored-by: Maksim Nabokikh <max.nabokih@gmail.com>
3 years ago
Sean Liao
dcf7b18510
OAuth 2.0 Token Exchange (#2806)
Signed-off-by: Sean Liao <sean+git@liao.dev>
Co-authored-by: Maksim Nabokikh <max.nabokih@gmail.com>
3 years ago
Maksim Nabokikh
bc8c2276e3
Fail if OIDC config contains hosted domains (#2937)
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
3 years ago
Josh Soref
d8a9756df7
spelling: verified
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
3 years ago
Maksim Nabokikh
2ea1a80c86
fix: propagate http client to userInfo requests for OIDC connector (#2781)
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
3 years ago
Rui Yang
54345b6331
TLS configure for OIDC connector (#1632)
Signed-off-by: Rui Yang <ruiya@vmware.com>
4 years ago
Joost Buskermolen
72dd3c60c0
fix: Fallback when group claim is a string instead of an array of strings (#2639)
Signed-off-by: Joost Buskermolen <joost@buskervezel.nl>
Co-authored-by: Michiel van Pouderoijen <michiel@pouderoijen.nl>
4 years ago
Anthony Brandelli
5fe1647fc7
Fix issues to make the linter happy
Signed-off-by: Anthony Brandelli <abrandel@cisco.com>
4 years ago
Anthony Brandelli
7c335e9337
Add support for IDPs that do not send ID tokens in the reply when using a refresh grant. Add tests for the aforementioned functionality.
Signed-off-by: Anthony Brandelli <abrandel@cisco.com>
4 years ago
Anthony Brandelli
f07a58a7f1
Remove google specific hd / hosted domain claim config
Signed-off-by: Anthony Brandelli <abrandel@cisco.com>
4 years ago
Engin Diri
5d9d68106a
feat: Add acr_values support for OIDC
Signed-off-by: Engin Diri <engin.diri@mail.schwarz>
4 years ago
Happy2C0de
419db81c67
Remove overrideWithMissingCustomEmailClaim
Signed-off-by: Happy2C0de <46957159+Happy2C0de@users.noreply.github.com>
4 years ago
Happy2C0de
55605751f5
Add overrideWithMissingCustomEmailClaim test
Signed-off-by: Happy2C0de <46957159+Happy2C0de@users.noreply.github.com>
4 years ago
Happy2C0de
b28098dde8
Revert querying preferredUsernameKey
Signed-off-by: Happy2C0de <46957159+Happy2C0de@users.noreply.github.com>
4 years ago
Happy2C0de
1608b473eb
Remove false failed errors.
Signed-off-by: Happy2C0de <46957159+Happy2C0de@users.noreply.github.com>
4 years ago
Happy2C0de
2b6bb1997c
Revert ClaimMapping struct
Signed-off-by: Happy2C0de <46957159+Happy2C0de@users.noreply.github.com>
4 years ago
Happy2C0de
14a0aecc81
Move claimMapping.enforce to overrideClaimMapping
Signed-off-by: Happy2C0de <46957159+Happy2C0de@users.noreply.github.com>
4 years ago
Happy2C0de
45143c98b3
Add claimMapping enforcement
Signed-off-by: Happy2C0de <46957159+Happy2C0de@users.noreply.github.com>
4 years ago
Mark Sagi-Kazar
b8ac640c4f
Update oidc library
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
5 years ago
Josh Soref
84e9cb6947
spelling: verified
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
5 years ago
Rui Yang
058202d007
revert changes for user id and user name
Signed-off-by: Rui Yang <ruiya@vmware.com>
6 years ago
Rui Yang
0494993326
update oidc documentation and email claim err msg
Signed-off-by: Rui Yang <ruiya@vmware.com>
6 years ago
Rui Yang
41207ba265
Combine #1691 and #1776 to unify OIDC provider claim mapping
add tests for groups key mapping
Signed-off-by: Rui Yang <ruiya@vmware.com>
6 years ago
Scott Lemmon
a783667c57
Add groupsClaimMapping to the OIDC connector
The groupsClaimMapping setting allows one to specify which claim to pull
group information from in the OIDC provider. Previously it assumed group
information was always in the "groups" claim, but that isn't the case
for many OIDC providers (such as AWS Cognito using the "cognito:groups"
claim instead).
Signed-off-by: Scott Lemmon <slemmon@aurora.tech>
Signed-off-by: Rui Yang <ruiya@vmware.com>
6 years ago
Cyrille Nofficial
61312e726e
Add parameter configuration to override email claim key
Signed-off-by: Rui Yang <ruiya@vmware.com>
6 years ago
Rui Yang
52c39fb130
check if upstream contains preferred username claim first
Signed-off-by: Rui Yang <ryang@pivotal.io>
Signed-off-by: Rui Yang <ruiya@vmware.com>
6 years ago
Rui Yang
4812079647
add tests when preferred username key is not set
Signed-off-by: Rui Yang <ruiya@vmware.com>
6 years ago
Rui Yang
d9afb7e59c
default to preferred_username claim
Signed-off-by: Rui Yang <ruiya@vmware.com>
6 years ago
Josh Winters
9a4e0fcd00
Make OIDC username key configurable
Signed-off-by: Josh Winters <jwinters@pivotal.io>
Co-authored-by: Mark Huang <mhuang@pivotal.io>
Signed-off-by: Rui Yang <ruiya@vmware.com>
6 years ago
Chris Loukas
d33a76fa19
Make prompt configurable for oidc offline_access
6 years ago
m.nabokikh
383c2fe8b6
Adding oidc email scope check
This helps to avoid the "no email claim" error if the email scope was not specified.
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
6 years ago
Lars Lehtonen
8e0ae82034
connector/oidc: replace deprecated oauth2.RegisterBrokenAuthHeaderProvider with oauth2.Endpoint.AuthStyle
6 years ago
Mark Sagi-Kazar
9bd5ae5197
Fix goimports
6 years ago
Joel Speed
3156553843
OIDC: Rename refreshToken to RefreshToken
7 years ago
Joel Speed
77fcf9ad77
Use a struct for connector data within OIDC connector
7 years ago
Joel Speed
f6077083c9
Identify error as failure to retrieve refresh token
7 years ago
Joel Speed
8b344fe4d3
Fix Refresh comment
7 years ago
Joel Speed
433bb2afec
Remove duplicate code
7 years ago
Joel Speed
4076eed17b
Build opts based on scope
7 years ago
Joel Speed
0857a0fe09
Implement refresh in OIDC connector
This has added the access=offline parameter and prompt=consent parameter
to the initial request. This works with Google, assuming other providers
will ignore the prompt parameter.
7 years ago
Thomas Jackson
21ab30d207
Add option to enable groups for oidc connectors
There's been some discussion in #1065 regarding what to do about
refreshing groups. As it stands today dex doesn't update any of the
claims on refresh (groups would just be another one). The main concern
with enabling it is that group claims may change more frequently. While
we continue to wait on the upstream refresh flows, this adds an option
to enable the group claim. This is disabled by default (so no behavioral
change) but enables those that are willing to have the delay in group
claim change to use oidc IDPs.
Workaround to #1065
7 years ago
Thomas Jackson
512cb3169e
Run getUserInfo prior to claim enforcement
If you have an oidc connector configured *and* that IDP provides thin
tokens (e.g. okta) then the majority of the requested claims come in the
getUserInfo call (such as email_verified). So if getUserInfo is
configured it should be run before claims are validated.
7 years ago
Stephan Renatus
d9487e553b
*: fix some lint issues
Mostly gathered these using golangci-lint's deadcode and ineffassign
linters.
Signed-off-by: Stephan Renatus <srenatus@chef.io>
7 years ago
flarno11
8c1716d356
make userName configurable
7 years ago
Stephan Renatus
4e8cbf0f61
connectors/oidc: truly ignore "email_verified" claim if configured that way
Fixes #1455, I hope.
Signed-off-by: Stephan Renatus <srenatus@chef.io>
7 years ago
cappyzawa
9650836851
make userID configurable
7 years ago
Thomas Jackson
52d09a2dfa
Add option in oidc to hit the optional userinfo endpoint
Some oauth providers return "thin tokens" which won't include all of the
claims requested. This simply adds an option which will make the oidc
connector use the userinfo endpoint to fetch all the claims.
7 years ago
Gerald Barker
fc723af0fe
Add option to OIDC connector to override email_verified to true
7 years ago
Mark Sagi-Kazar
be581fa7ff
Add logger interface and stop relying on Logrus directly
7 years ago
Stephan Renatus
b9f6594bf0
*: github.com/coreos/dex -> github.com/dexidp/dex
Signed-off-by: Stephan Renatus <srenatus@chef.io>
8 years ago