Commits · 362e0798a4f0c6816e9b1c885aff1e089be45259 · go / dex

07 Apr, 2017 1 commit
- connector/saml: clean up SAML verification logic and comments · 362e0798
  Eric Chiang authored Apr 07, 2017
  
  362e0798
06 Apr, 2017 7 commits
- Merge pull request #897 from Calpicow/issuer_typo · 258ec4ff
  Eric Chiang authored Apr 06, 2017
```
Fix entityIssuer -> ssoIssuer typo
```
  258ec4ff
- Fix entityIssuer -> ssoIssuer typo · bd754e2b
  Phu Kieu authored Apr 06, 2017
  
  bd754e2b
- Merge pull request #896 from Calpicow/audience_validate_fix · 53acaa9e
  Eric Chiang authored Apr 06, 2017
```
Validate audience with entityIssuer if present, use redirectURI otherwise
```
  53acaa9e
- Validate audience with entityIssuer if present, use redirectURI otherwise · 47897f73
  Phu Kieu authored Apr 06, 2017
  
  47897f73
- Merge pull request #885 from Calpicow/saml_issuer_fix · 40f0265a
  Eric Chiang authored Apr 06, 2017
```
Add ssoIssuer to fix Response issuer checking
```
  40f0265a
- Update documentation · 8c0eb67e
  Phu Kieu authored Apr 06, 2017
  
  8c0eb67e
- Add ssoIssuer to fix Response issuer checking · 217b5ca2
  Phu Kieu authored Mar 29, 2017
```
Rename issuer to entityIssuer
```
  217b5ca2
04 Apr, 2017 5 commits

Merge pull request #893 from ericchiang/fix-saml-validation · 207d2077
Eric Chiang authored Apr 04, 2017
```
connector/saml: fix validation bug with multiple Assertion elements
```
207d2077

connector/saml: refactor tests and add self-signed responses · a97cffcd

Eric Chiang authored Apr 04, 2017

Introduces SAML tests which execute full response processing and
compare user attributes. tesdata now includes a full, self-signed
CA and documents signed using xmlsec1.

Adds deprication notices to existing tests, but don't remove them
since they still provide coverage.

a97cffcd

connector/saml: fix validation bug with multiple Assertion elements · e0709dc2

Eric Chiang authored Apr 04, 2017

When a SAML response provided multiple Assertion elements, only the
first one is checked for a valid signature. If the Assertion is
verified, the original Assertion is removed and the canonicalized
version is prepended to the Response. However, if there were
multiple assertions, the second assertion could end up first in the
list of Assertions, even if it was unsigned.

For example this:

    <Response>
      <!--
         Response unsigned. According to SAML spec must check
         assertion signature.
      -->
      <Assertion>
        <Signature>
          <!-- Correrctly signed assertion -->
        </Signature>
      </Assertion>

      <Assertion>
        <!-- Unsigned assertion inserted by attacker-->
      </Assertion>
    </Response>

could be verified then re-ordered to the following:

    <Response>
      <!--
         Response unsigned. According to SAML spec must check
         assertion signature.
      -->
      <Assertion>
        <!-- Unsigned assertion inserted by attacker-->
      </Assertion>

      <Assertion>
        <!-- Canonicalized, correrctly signed assertion -->
      </Assertion>
    </Response>

Fix this by removing all unverified child elements of the Response,
not just the original assertion.

e0709dc2

Merge pull request #891 from squat/garbage_log_info · a7d443ea
Lucas Servén authored Apr 04, 2017
```
server/server.go: make successful garbage collection log at info level
```
a7d443ea
server/server.go: make successful garbage collection log at info level · f3d9bd50
Lucas Serven authored Apr 04, 2017

f3d9bd50

29 Mar, 2017 4 commits
- Merge pull request #886 from rithujohn191/error-msg-update · f4865a35
  rithu leena john authored Mar 29, 2017
```
storage/static.go: correct the error message that gets displayed.
```
  f4865a35
- storage/static.go: correct the error message that gets displayed. · 5abb4b3d
  rithu john authored Mar 29, 2017
  
  5abb4b3d
- Merge pull request #883 from ericchiang/scopes-docs · 5eb8210e
  Eric Chiang authored Mar 29, 2017
```
Documentation: document dex scopes, claims, and client features
```
  5eb8210e
- Merge pull request #881 from ericchiang/api-test-use-client · 8902ddc0
  Eric Chiang authored Mar 29, 2017
```
server: use client connected to remove server for gRPC tests
```
  8902ddc0
28 Mar, 2017 4 commits
- Documentation: document dex scopes, claims, and client features · 5e34f0d1
  Eric Chiang authored Mar 20, 2017
  
  5e34f0d1
- server: use client connected to remove server for gRPC tests · f734b140
  Eric Chiang authored Mar 28, 2017
  
  f734b140
- Merge pull request #880 from rithujohn191/connector-object · 42c1eed2
  rithu leena john authored Mar 28, 2017
```
storage: add connector object to backend storage.
```
  42c1eed2
- storage: add connector object to backend storage. · bc55b86d
  rithu john authored Mar 23, 2017
  
  bc55b86d
24 Mar, 2017 7 commits
- Merge pull request #875 from ericchiang/fix-example-app-custom-ca · 6e50c184
  Eric Chiang authored Mar 24, 2017
```
cmd/example-app: fix custom CA behavior
```
  6e50c184
- cmd/example-app: fix custom CA behavior · 9b0e9ab2
  Eric Chiang authored Mar 24, 2017
  
  9b0e9ab2
- Merge pull request #870 from Calpicow/fix_assertion_fallback · 2a6ae0a6
  Eric Chiang authored Mar 24, 2017
```
Fix assertion fallback
```
  2a6ae0a6
- Use etreeutils.NSSelectOne to select Assertion element · 6f9ef961
  Phu Kieu authored Mar 22, 2017
  
  6f9ef961
- vendor: revendor · 4b457d8c
  Phu Kieu authored Mar 24, 2017
  
  4b457d8c
- glide.yaml: update goxmldsig · b5f70dac
  Phu Kieu authored Mar 22, 2017
  
  b5f70dac
- Merge pull request #873 from rithujohn191/client-example · 5d49e184
  rithu leena john authored Mar 24, 2017
```
examples/grpc-client: clean up the example and add tlsClientCA to ConfigMap.
```
  5d49e184
23 Mar, 2017 3 commits
- examples/grpc-client: clean up the example and add tlsClientCA to ConfigMap. · 562eae3f
  rithu john authored Mar 23, 2017
  
  562eae3f
- Merge pull request #872 from rithujohn191/offline-access-error · 6146e233
  rithu leena john authored Mar 23, 2017
```
connector: Connectors without a RefreshConnector should not error out
```
  6146e233
- connector: Connectors without a RefreshConnector should not return a refresh… · 59502850
  rithu john authored Mar 23, 2017
```
connector: Connectors without a RefreshConnector should not return a refresh token instead of erroring
```
  59502850
22 Mar, 2017 2 commits
- Merge pull request #869 from ericchiang/saml-response-to · b112aa2e
  Eric Chiang authored Mar 22, 2017
```
*: validate InResponseTo SAML response field and make issuer optional
```
  b112aa2e
- *: validate InResponseTo SAML response field and make issuer optional · 50b223a9
  Eric Chiang authored Mar 21, 2017
  
  50b223a9
21 Mar, 2017 3 commits
- Merge pull request #867 from ericchiang/xml-validation · 8b2956dd
  Eric Chiang authored Mar 21, 2017
```
glide.yaml: update goxmldsig
```
  8b2956dd
- vendor: revendor · 910d5986
  Eric Chiang authored Mar 21, 2017
  
  910d5986
- glide.yaml: update goxmldsig · 58882209
  Eric Chiang authored Mar 21, 2017
  
  58882209
20 Mar, 2017 4 commits
- Merge pull request #855 from ericchiang/static-storage-fallthrough · 95d23700
  Eric Chiang authored Mar 20, 2017
```
storage: make static storages query real storages for some actions
```
  95d23700
- Merge pull request #864 from ericchiang/spelling · af54f592
  Eric Chiang authored Mar 20, 2017
```
*: fix spelling using github.com/client9/misspell
```
  af54f592
- Merge pull request #860 from ericchiang/oidc-broken-auth-header · 25fdaa67
  Eric Chiang authored Mar 20, 2017
```
connector/oidc: expose oauth2.RegisterBrokenAuthHeaderProvider
```
  25fdaa67
- storage: make static storages query real storages for some actions · 4c39bc20
  Eric Chiang authored Mar 15, 2017
```
If dex is configured with static passwords or clients, let the API
still add or modify objects in the backing storage, so long as
their IDs don't conflict with the static ones. List options now
aggregate resources from the static list and backing storage.
```
  4c39bc20