Joseph Schorr
90c0e34945
Add ability to configure custom email and username claims
This will help customers support active directory-based OIDC
2018-09-12 11:14:23 -04:00

Sam Chow
301cc6992a
Remove jwt validation for jschorr to fix later
Refactor oauth validate method to take config over entire appconfig
2018-06-01 15:07:06 -04:00

Sam Chow
7df8ed4a60
Add a security scanner api config object for params
Change SecScanAPI to use a uri creation func instead of test context
Pass config provider through validator context
Remove app config dependency for validators
2018-06-01 15:06:50 -04:00

Sam Chow
554d4f47a8
Change validators to use the validator_context
Change InstanceKeys to take a namedtuple for context
2018-06-01 14:59:49 -04:00

Sam Chow
e967fde3ae
Decouple oauth methods from app with a namedtuple
2018-05-31 14:53:27 -04:00

Joseph Schorr
648590c356
Change from manual URL construction to using a lib
Makes the code cleaner to read and more resilient to changes
Fixes https://jira.coreos.com/browse/QUAY-940
2018-05-22 13:10:09 -04:00

Joseph Schorr
22a39c3007
Fix bug with missing & in authorization URL for OIDC
Also adds testing to ensure we don't break this again
2018-05-15 14:52:00 -04:00

Joseph Schorr
3cd314874f
Add support for defining custom query parameters for OIDC endpoints
Fixes https://jira.coreos.com/browse/QUAY-886
2018-04-06 12:48:03 -04:00

Joseph Schorr
c55ad59f1f
Allow admins to configure the login scopes for OIDC login
Some OIDC implementations return a larger set of scopes than is necessary, so we allow admins to override.
2017-12-06 15:54:26 -05:00

Joseph Schorr
f51a863158
Remove access_token from user_info
2017-10-02 16:51:09 -04:00

Joseph Schorr
bc82edb2d1
Add ability to configure OIDC internal auth engine via superuser panel
2017-09-12 12:23:52 -04:00

Joseph Schorr
e724125459
Add support for using OIDC tokens via the Docker CLI
2017-09-12 12:23:22 -04:00

Joseph Schorr
751598056e
Enable support in OIDC for endpoints without user info support
The user info endpoint is apparently optional.
2017-08-01 13:24:27 -04:00

Joseph Schorr
c0cc574ca2
Add Authorization header with token to user info call
While not required, it is recommended to send the token as an Authorization header to the UserInfo call in OIDC: http://openid.net/specs/openid-connect-core-1_0.html#UserInfo
Some implementations expect this and will fail if not present
2017-04-27 11:24:12 -04:00

Joseph Schorr
0c7bac26b7
Add additional debug logs to OIDC auth to make debugging easier
2017-04-07 11:48:53 -04:00

Joseph Schorr
002972fc2f
Read OIDC issuer from the OIDC discovery document, if present
2017-04-07 11:39:34 -04:00

Joseph Schorr
157640e696
Add config validator for OIDC logins
2017-02-28 16:18:19 -05:00

Joseph Schorr
198bdf88bc
Move OAuth login into its own endpoints module
2017-02-16 16:27:54 -05:00

Joseph Schorr
cc4258c015
Blacklist any OIDC service ids that may conflict with our own
2017-02-16 16:27:53 -05:00

Joseph Schorr
2c35383724
Allow OAuth and OIDC login engines to bind to fields in internal auth
This feature is subtle but very important: Currently, when a user logs in via an "external" auth system (such as Github), they are either logged into an existing bound account or a new account is created for them in the database. While this normally works just fine, it hits a roadblock when the *internal* auth system configured is not the database, but instead something like LDAP. In that case, *most* Enterprise customers will prefer that logging in via external auth (like OIDC) will also *automatically* bind the newly created account to the backing *internal* auth account. For example, login via PingFederate OIDC (backed by LDAP) should also bind the new QE account to the associated LDAP account, via either username or email. This change allows for this binding field to be specified, and thereafter will perform the proper lookups and bindings.
2017-02-16 16:27:53 -05:00

Joseph Schorr
f5dbc350f8
Fix missed tests and revert conftest change (breaks docker build)
2017-01-30 17:28:25 -05:00

Joseph Schorr
cf6033b423
Move http_client fixture to root-level conftest
2017-01-30 11:40:45 -05:00

Joseph Schorr
f8deb85751
Clarify OAuth logging message when missing access_token
2017-01-26 12:01:55 -05:00

Joseph Schorr
ce5fafcbd8
Fix pylint ignores to use names
2017-01-26 12:00:54 -05:00

Joseph Schorr
90b6a534c1
Change verify param in OIDC to read better
2017-01-26 12:00:43 -05:00

Joseph Schorr
8573535b8c
Add comment clarifying how we validate client {ID, secret} in Gitlab
2017-01-24 15:20:19 -05:00

Joseph Schorr
adb2ff0b81
Switch base classes in OAuth to use ABC
2017-01-24 15:20:03 -05:00

Joseph Schorr
a9791ea419
Have external login always make an API request to get the authorization URL
This makes the OIDC lookup lazy, ensuring that the rest of the registry and app continues working even if one OIDC provider goes down.
2017-01-23 19:06:19 -05:00

Joseph Schorr
fda203e4d7
Add proper and tested OIDC support on the server
Note that this will still not work on the client side; the followup CL for the client side is right after this one.
2017-01-23 17:53:34 -05:00

Joseph Schorr
19f7acf575
Lay foundation for truly dynamic external logins
Moves all the external login services into a set of classes that share as much code as possible. These services are then registered on both the client and server, allowing us in the followup change to dynamically register new handlers
2017-01-20 15:21:08 -05:00