Implement the OAuth2 client_credentials grant type for
machine-to-machine authentication. The grant is gated behind a new
clientCredentialsEnabled config flag (defaults to false), following
the same pattern as passwordConnector for the password grant.
---------
Signed-off-by: Mathias Gebbe <mathias.gebbe@gmail.com>
Signed-off-by: Maksim Nabokikh <maksim.nabokikh@flant.com>
Signed-off-by: Maksim Nabokikh <max.nabokih@gmail.com>
Co-authored-by: Maksim Nabokikh <maksim.nabokikh@flant.com>
Co-authored-by: Maksim Nabokikh <max.nabokih@gmail.com>
Wrap the grouped handler in requestContextHandler to preserve context attribute injection.
fixes#4081
Signed-off-by: alihasan070707 <52155098+alihasan070707@users.noreply.github.com>
If we expand environment values directly with os.ExpandEnv() over whole
config, we might end up in a situation where the environment variable
has escape characters that break the resulting JSON, and unmarshalling
fails. Instead of expanding the entire config with single call, we
recurse through the config and expand the values in leaves one by one.
Signed-off-by: Tuomo Tanskanen <tuomo.tanskanen@est.tech>
Workaround to run gomplate from a non-root directory in distroless images, because gomplate tries to access CWD on start.
See: https://github.com/hairyhenderson/gomplate/pull/2202
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
Signed-off-by: Giovanni Campeol <giovanni.campeol.95@gmail.com>
Signed-off-by: Maksim Nabokikh <maksim.nabokikh@flant.com>
Co-authored-by: Maksim Nabokikh <maksim.nabokikh@flant.com>
The problem caused by the mistake in the newLogger function. The nil value is returned even with the valid log format.
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
Customization of headers in the authentication server is crucial for enforcing stringent security measures by allowing the inclusion of specific headers required for authentication protocols and compliance standards. This customization ensures that authentication requests are processed securely, mitigating potential vulnerabilities and ensuring adherence to security policies.
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
Add configuration options for TLSMinVersion and TLSMaxVersion.
This enables setting TLS 1.3 as minimum version for example for both
GRPC and Web, or enforcing TLS 1.2 only for easier debugging of
secure connections.
Signed-off-by: Tuomo Tanskanen <tuomo.tanskanen@est.tech>
When TLS certificate reloading functionality was implemented and
released in Dex 2.37.0, added newTLSReloader() returns empty tlsConfig
and discards the provided, already configured tlsConfig. Server's with
empty tlsConfig override Go's sensible defaults, and starts serving Dex
over TLS 1.0 and TLS 1.1 in addition to Go's defaults TLS 1.2+.
TLS 1.0 and 1.1 are long deprecated and vulnerable, making this a
security risk. Server and its secrets are vulnerable to attackers.
The io/ioutil package has been deprecated as of Go 1.16, see
https://golang.org/doc/go1.16#ioutil. This commit replaces the existing
io/ioutil functions with their new definitions in io and os packages.
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
* Discard package "version"
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
* Inject api version
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
* Pass version arg to the dex API
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
Unify the interface for reading web statics. Now it could read an
OS directory or get the content on live
One could use
//go:embed static
var webFiles embed.FS
anywhere and config dex server to take the file system by setting
WebConfig{WebFS: webFiles}
Signed-off-by: Rui Yang <ruiya@vmware.com>
Co-authored-by: Aidan Oldershaw <aoldershaw@pivotal.io>
Mathias Gebbe
kt
Maksim Nabokikh
Ivan Zviagintsev
Manoj Vivek
alihasan070707
Tuomo Tanskanen
Koen de Laat
Giovanni Campeol
Nicolas Lamirault
Richard Gomez
Sean Liao
Josiah Evans
Andrew Keesler
iam-veeramalla
Eng Zer Jun
Mark Sagi-Kazar
Rui Yang
Rui Yang
Maksim Nabokikh