Skip to content

D
dex
Switch branch/tag
  1. 24 Feb, 2017 3 commits
  3. 23 Feb, 2017 2 commits
  5. 22 Feb, 2017 3 commits
  7. 21 Feb, 2017 2 commits
  9. 20 Feb, 2017 1 commit
  11. 15 Feb, 2017 2 commits
  13. 14 Feb, 2017 2 commits
  15. 10 Feb, 2017 2 commits
  17. 07 Feb, 2017 2 commits
  19. 06 Feb, 2017 3 commits
  21. 03 Feb, 2017 1 commit
  23. 02 Feb, 2017 2 commits
    • Eric Chiang's avatar
      {web,server}: use html/template and reduce use of auth request ID · 72a431dd
      Eric Chiang authored 
      Switch from using "text/template" to "html/template", which provides
basic XSS preventions. We haven't identified any particular place
where unsanitized user data is rendered to the frontend. This is
just a preventative step.

At the same time, make more templates take pure URL instead of
forming an URL themselves using an "authReqID" argument. This will
help us stop using the auth req ID in certain places, preventing
garbage collection from killing login flows that wait too long at
the login screen.

Also increase the login session window (time between initial
redirect and the user logging in) from 30 minutes to 24 hours,
and display a more helpful error message when the session expires.

How to test:

1. Spin up dex and example with examples/config-dev.yaml.
2. Login through both the password prompt and the direct redirect.
3. Edit examples/config-dev.yaml removing the "connectors" section.
4. Ensure you can still login with a password.

(email/password is "admin@example.com" and "password")
      72a431dd
    • rithu leena john's avatar
      Merge pull request #794 from rithujohn191/saml-doc · 12f96936
      rithu leena john authored 
      Documentation: Minor changes to SAML connector doc.
      12f96936
  25. 01 Feb, 2017 3 commits
  27. 27 Jan, 2017 6 commits
  29. 26 Jan, 2017 2 commits
    • Holger Koser's avatar
      vendor: revendor · 27a1e9f1
      Holger Koser authored
      27a1e9f1
    • Holger Koser's avatar
      Improve SAML Signature and Response Validation · e46f2ebe
      Holger Koser authored 
      * Improve Order of Namespace Declarations and Attributes in Canonical XML. This is related to an issue in goxmldsig for which I created an [pull request](https://github.com/russellhaering/goxmldsig/pull/17).
* Do not compress the AuthnRequest if `HTTP-POST` binding is used.
* SAML Response is valid if the Message and/or the Assertion is signed.
* Add `AssertionConsumerServiceURL` to `AuthnRequest`
* Validate Status on the Response
* Validate Conditions on the Assertion
* Validation SubjectConfirmation on the Subject
      e46f2ebe
  31. 24 Jan, 2017 1 commit
  33. 23 Jan, 2017 3 commits