- 10 Apr, 2017 3 commits
-
-
Eric Chiang authored
-
Eric Chiang authored
-
Eric Chiang authored
-
- 07 Apr, 2017 2 commits
-
-
Eric Chiang authored
connector/saml: clean up SAML verification logic and comments
-
Eric Chiang authored
-
- 06 Apr, 2017 7 commits
-
-
Eric Chiang authored
Fix entityIssuer -> ssoIssuer typo
-
Phu Kieu authored
-
Eric Chiang authored
Validate audience with entityIssuer if present, use redirectURI otherwise
-
Phu Kieu authored
-
Eric Chiang authored
Add ssoIssuer to fix Response issuer checking
-
Phu Kieu authored
-
Phu Kieu authored
Rename issuer to entityIssuer
-
- 04 Apr, 2017 5 commits
-
-
Eric Chiang authored
connector/saml: fix validation bug with multiple Assertion elements
-
Eric Chiang authored
Introduces SAML tests which execute full response processing and compare user attributes. tesdata now includes a full, self-signed CA and documents signed using xmlsec1. Adds deprication notices to existing tests, but don't remove them since they still provide coverage.
-
Eric Chiang authored
When a SAML response provided multiple Assertion elements, only the first one is checked for a valid signature. If the Assertion is verified, the original Assertion is removed and the canonicalized version is prepended to the Response. However, if there were multiple assertions, the second assertion could end up first in the list of Assertions, even if it was unsigned. For example this: <Response> <!-- Response unsigned. According to SAML spec must check assertion signature. --> <Assertion> <Signature> <!-- Correrctly signed assertion --> </Signature> </Assertion> <Assertion> <!-- Unsigned assertion inserted by attacker--> </Assertion> </Response> could be verified then re-ordered to the following: <Response> <!-- Response unsigned. According to SAML spec must check assertion signature. --> <Assertion> <!-- Unsigned assertion inserted by attacker--> </Assertion> <Assertion> <!-- Canonicalized, correrctly signed assertion --> </Assertion> </Response> Fix this by removing all unverified child elements of the Response, not just the original assertion.
-
Lucas Servén authored
server/server.go: make successful garbage collection log at info level
-
Lucas Serven authored
-
- 29 Mar, 2017 4 commits
-
-
rithu leena john authored
storage/static.go: correct the error message that gets displayed.
-
rithu john authored
-
Eric Chiang authored
Documentation: document dex scopes, claims, and client features
-
Eric Chiang authored
server: use client connected to remove server for gRPC tests
-
- 28 Mar, 2017 4 commits
-
-
Eric Chiang authored
-
Eric Chiang authored
-
rithu leena john authored
storage: add connector object to backend storage.
-
rithu john authored
-
- 24 Mar, 2017 7 commits
-
-
Eric Chiang authored
cmd/example-app: fix custom CA behavior
-
Eric Chiang authored
-
Eric Chiang authored
Fix assertion fallback
-
Phu Kieu authored
-
Phu Kieu authored
-
Phu Kieu authored
-
rithu leena john authored
examples/grpc-client: clean up the example and add tlsClientCA to ConfigMap.
-
- 23 Mar, 2017 3 commits
-
-
rithu john authored
-
rithu leena john authored
connector: Connectors without a RefreshConnector should not error out
-
rithu john authored
connector: Connectors without a RefreshConnector should not return a refresh token instead of erroring
-
- 22 Mar, 2017 2 commits
-
-
Eric Chiang authored
*: validate InResponseTo SAML response field and make issuer optional
-
Eric Chiang authored
-
- 21 Mar, 2017 3 commits
-
-
Eric Chiang authored
glide.yaml: update goxmldsig
-
Eric Chiang authored
-
Eric Chiang authored
-