3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-05-02 03:46:29 +02:00
Code Issues Projects Releases Packages Wiki Activity
3224 commits 158 branches 125 tags 103 MiB
Commit graph

28 commits

Author SHA1 Message Date
Kenneth Jenkins
39a477c510
identity: override TokenSource expiry behavior (#4632) 
The current session refresh loop attempts to refresh access tokens when
they are due to expire in less than one minute. However, the code to
perform the refresh relies on a TokenSource from the x/oauth2 package,
which has its own internal 'expiryDelta' threshold, with a default of
10 seconds. As a result, the first four or five attempts to refresh a
particular access token will not actually refresh the token. The refresh
will happen only when the access token is within 10 seconds of expiring.

Instead, before we obtain a new TokenSource, first clear any existing
access token. This causes the TokenSource to consider the token invalid,
triggering a refresh. This should give the refresh loop more control
over when refreshes happen.

Consolidate this logic in a new Refresh() method in the oidc package.
Add unit tests for this new method.
 2023-10-23 08:20:04 -07:00
Caleb Doxsey
a0c92896ef
core/authenticate: refactor idp sign out (#4582) 2023-09-28 08:41:19 -07:00
Kenneth Jenkins
2bf83e20d8
Allow clearing default Azure and Google auth code options (#4315) 
Allow users to clear the default IdP auth code options, by explicitly
setting an empty idp_request_params map.

To do this in a YAML config file, set:

    idp_request_params: {}
 2023-06-27 09:11:54 -07:00
Denis Mishin
2db2d66eba
authenticate: add aws cognito (#4137) 2023-05-16 12:28:12 -04:00
Caleb Doxsey
c3b9adff20
oidc: fix token revocation (#3810) 2022-12-16 13:24:40 -07:00
Caleb Doxsey
c178819875
move directory providers (#3633) 
* remove directory providers and support for groups

* idp: remove directory providers

* better error messages

* fix errors

* restore postgres

* fix test
 2022-11-03 11:33:56 -06:00
dependabot[bot]
ec495bb682
chore(deps): bump github.com/golangci/golangci-lint from 1.48.0 to 1.50.0 (#3667) 
* chore(deps): bump github.com/golangci/golangci-lint

Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.48.0 to 1.50.0.
- [Release notes](https://github.com/golangci/golangci-lint/releases)
- [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md)
- [Commits](https://github.com/golangci/golangci-lint/compare/v1.48.0...v1.50.0)

---
updated-dependencies:
- dependency-name: github.com/golangci/golangci-lint
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* lint

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
 2022-10-19 09:36:59 -06:00
bobby
ebbb6a7ff2
docs: update references, remove docs dir (#3420) 
* docs: update references, remove docs dir

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* Update README.md

Co-authored-by: Alex Fornuto <afornuto@pomerium.com>

* Update Docs Paths

* precommit

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* remove spellcheck

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* spell the check

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

Co-authored-by: Alex Fornuto <afornuto@pomerium.com>
 2022-06-13 16:52:52 -07:00
cfanbo
84dad4c612
remove deprecated ioutil usages (#2877) 
* fix: Fixed return description error

* config/options: Adjust the position of TracingJaegerAgentEndpoint option

* DOCS: Remove duplicate configuration items

Remove duplicate configuration items of route

* remove deprecated ioutil usages
 2021-12-30 10:02:12 -08:00
bobby
1a7c5415e7
identity: only assign access_type uri params to google. (#2782) 
* identity: only assign `access_type` uri params to google.

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* bump upgrading

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2021-11-28 19:01:34 -08:00
Alex Fornuto
db5d1593e3
Remove api from GitLab defaultScope (#2518) 
* remove api from gitlab defaultScope

* rm redundant scope
 2021-08-25 10:26:35 -05:00
Caleb Doxsey
ac8ae3ef5b
directory: add logging http client to help with debugging outbound http requests (#2385) 2021-07-22 11:58:52 -06:00
Caleb Doxsey
a5731f7d92
identity: infer email from mail claim (#1977) 2021-03-12 09:01:21 -07:00
Caleb Doxsey
fd97561ab1
ping: identity and directory providers (#1975) 
* ping: add identity provider

* ping: implement directory provider

* ping, not onelogin

* ping, not onelogin

* escape path params
 2021-03-10 16:25:49 -07:00
Caleb Doxsey
64d247cfeb
onelogin: fix default scopes for v2 (#1896) 2021-02-17 08:51:13 -07:00
Caleb Doxsey
5e3aa91f23
authenticate: delay evaluation of OIDC provider (#1802) 
* authenticate: delay evaluation of OIDC provider

* add additional error message

* address comments
 2021-01-26 09:20:56 -07:00
bobby
4f78a9b301
chore(deps): update oidc to v3 (#1783) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2021-01-19 08:26:48 -08:00
Travis Groth
fdbef33aa1
run goimports (#1651) 2020-12-04 15:04:48 -05:00
bobby
7e86ed3c60
microsoft: add support for common endpoint (#1648) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-12-04 08:42:11 -08:00
Caleb Doxsey
a85b3b04c1
store raw id token so it can be passed to the logout url (#1543) 2020-10-26 10:20:23 -06:00
Caleb Doxsey
88580cf2fb
auth0: implement identity provider (#1470) 
* auth0: implement identity provider

* add auth0 guide

* fix naming
 2020-09-29 09:06:58 -06:00
Caleb Doxsey
045c10edc6
authenticate: support reloading IDP settings (#1273) 
* identity: add name method to provider

* authenticate: support dynamically loading the provider
 2020-08-13 12:14:30 -06:00
bobby
dbd1eac97f
identity: support custom code flow request params (#998) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-06-25 08:28:46 -07:00
Caleb Doxsey
dbd7f55b20
feature/databroker: user data and session refactor project (#926) 
* databroker: add databroker, identity manager, update cache (#864)

* databroker: add databroker, identity manager, update cache

* fix cache tests

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* authorize: use databroker data for rego policy (#904)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix gitlab test

* use v4 backoff

* authenticate: databroker changes (#914)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix dashboard

* delete session on logout

* permanently delete sessions once they are marked as deleted

* remove permanent delete

* fix tests

* remove groups and refresh test

* databroker: remove dead code, rename cache url, move dashboard (#925)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix dashboard

* delete session on logout

* permanently delete sessions once they are marked as deleted

* remove permanent delete

* fix tests

* remove cache service

* remove kv

* remove refresh docs

* remove obsolete cache docs

* add databroker url option

* cache: use memberlist to detect multiple instances

* add databroker service url

* remove cache service

* remove kv

* remove refresh docs

* remove obsolete cache docs

* add databroker url option

* cache: use memberlist to detect multiple instances

* add databroker service url

* wip

* remove groups and refresh test

* fix redirect, signout

* remove databroker client from proxy

* remove unused method

* remove user dashboard test

* handle missing session ids

* session: reject sessions with no id

* sessions: invalidate old sessions via databroker server version (#930)

* session: add a version field tied to the databroker server version that can be used to invalidate sessions

* fix tests

* add log

* authenticate: create user record immediately, call "get" directly in authorize (#931)
 2020-06-19 07:52:44 -06:00
Caleb Doxsey
988477c90d
authenticate: fix user-info call for AWS cognito (#792) 2020-05-27 15:37:42 -06:00
Bobby DeSimone
666fd6aa35 authenticate: save oauth2 tokens to cache (#698) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-05-18 17:10:10 -04:00
Ogundele Olumide
5f0c13767b
improvement: update gitlab api scope (#630) 2020-04-23 13:26:25 -07:00
Bobby DeSimone
627a591824
identity: abstract identity providers by type (#560) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-04-23 10:36:24 -07:00