Sam Chow
301cc6992a
Remove jwt validation for jschorr to fix later
...
Refactor oauth validate method to take config over entire appconfig
2018-06-01 15:07:06 -04:00
Sam Chow
7df8ed4a60
Add a security scanner api config object for params
...
Change SecScanAPI to use a uri creation func instead of test context
Pass config provider through validator context
Remove app config dependency for validators
2018-06-01 15:06:50 -04:00
Sam Chow
554d4f47a8
Change validators to use the validator_context
...
Change InstanceKeys to take a namedtuple for context
2018-06-01 14:59:49 -04:00
Sam Chow
e967fde3ae
Decouple oauth methods from app with a namedtuple
2018-05-31 14:53:27 -04:00
Joseph Schorr
648590c356
Change from manual URL construction to using a lib
...
Makes the code cleaner to read and more resilient to changes
Fixes https://jira.coreos.com/browse/QUAY-940
2018-05-22 13:10:09 -04:00
Joseph Schorr
22a39c3007
Fix bug with missing & in authorization URL for OIDC
...
Also adds testing to ensure we don't break this again
2018-05-15 14:52:00 -04:00
Joseph Schorr
3cd314874f
Add support for defining custom query parameters for OIDC endpoints
...
Fixes https://jira.coreos.com/browse/QUAY-886
2018-04-06 12:48:03 -04:00
Joseph Schorr
c55ad59f1f
Allow admins to configure the login scopes for OIDC login
...
Some OIDC implementations return a larger set of scopes than is necessary, so we allow admins to override.
2017-12-06 15:54:26 -05:00
Joseph Schorr
f51a863158
Remove access_token from user_info
2017-10-02 16:51:09 -04:00
Joseph Schorr
bc82edb2d1
Add ability to configure OIDC internal auth engine via superuser panel
2017-09-12 12:23:52 -04:00
Joseph Schorr
e724125459
Add support for using OIDC tokens via the Docker CLI
2017-09-12 12:23:22 -04:00
Joseph Schorr
751598056e
Enable support in OIDC for endpoints without user info support
...
The user info endpoint is apparently optional.
2017-08-01 13:24:27 -04:00
Joseph Schorr
c0cc574ca2
Add Authorization header with token to user info call
...
While not required, it is recommended to send the token as an Authorization header to the UserInfo call in OIDC: http://openid.net/specs/openid-connect-core-1_0.html#UserInfo
Some implementations expect this and will fail if not present
2017-04-27 11:24:12 -04:00
Joseph Schorr
0c7bac26b7
Add additional debug logs to OIDC auth to make debugging easier
2017-04-07 11:48:53 -04:00
Joseph Schorr
002972fc2f
Read OIDC issuer from the OIDC discovery document, if present
2017-04-07 11:39:34 -04:00
Joseph Schorr
157640e696
Add config validator for OIDC logins
2017-02-28 16:18:19 -05:00
Joseph Schorr
198bdf88bc
Move OAuth login into its own endpoints module
2017-02-16 16:27:54 -05:00
Joseph Schorr
cc4258c015
Blacklist any OIDC service ids that may conflict with our own
2017-02-16 16:27:53 -05:00
Joseph Schorr
2c35383724
Allow OAuth and OIDC login engines to bind to fields in internal auth
...
This feature is subtle but very important: Currently, when a user logs in via an "external" auth system (such as Github), they are either logged into an existing bound account or a new account is created for them in the database. While this normally works jut fine, it hits a roadblock when the *internal* auth system configured is not the database, but instead something like LDAP. In that case, *most* Enterprise customers will prefer that logging in via external auth (like OIDC) will also *automatically* bind the newly created account to the backing *internal* auth account. For example, login via PingFederate OIDC (backed by LDAP) should also bind the new QE account to the associated LDAP account, via either username or email. This change allows for this binding field to be specified, and thereafter will perform the proper lookups and bindings.
2017-02-16 16:27:53 -05:00
Joseph Schorr
f5dbc350f8
Fix missed tests and revert conftest change (breaks docker build)
2017-01-30 17:28:25 -05:00
Joseph Schorr
cf6033b423
Move http_client fixture to root-level conftest
2017-01-30 11:40:45 -05:00
Joseph Schorr
f8deb85751
Clarify OAuth logging message when missing access_token
2017-01-26 12:01:55 -05:00
Joseph Schorr
ce5fafcbd8
Fix pylint ignores to use names
2017-01-26 12:00:54 -05:00
Joseph Schorr
90b6a534c1
Change verify param in OIDC to read better
2017-01-26 12:00:43 -05:00
Joseph Schorr
8573535b8c
Add comment clarifying how we validate client {ID, secret} in Gitlab
2017-01-24 15:20:19 -05:00
Joseph Schorr
adb2ff0b81
Switch base classes in OAuth to use ABC
2017-01-24 15:20:03 -05:00
Joseph Schorr
a9791ea419
Have external login always make an API request to get the authorization URL
...
This makes the OIDC lookup lazy, ensuring that the rest of the registry and app continues working even if one OIDC provider goes down.
2017-01-23 19:06:19 -05:00
Joseph Schorr
fda203e4d7
Add proper and tested OIDC support on the server
...
Note that this will still not work on the client side; the followup CL for the client side is right after this one.
2017-01-23 17:53:34 -05:00
Joseph Schorr
19f7acf575
Lay foundation for truly dynamic external logins
...
Moves all the external login services into a set of classes that share as much code as possible. These services are then registered on both the client and server, allowing us in the followup change to dynamically register new handlers
2017-01-20 15:21:08 -05:00