Use Client defined in dex instead of go-oidc for storing clients #411
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
bobbyrullo
force-pushed
the
cross_client
branch
from
a974e9a
to
a436a7b
Compare
bobbyrullo
force-pushed
the
cross_client
branch
from
a436a7b
to
640fadf
Compare
| func ClientsFromReader(r io.Reader) ([]Client, error) { | ||
| var c []struct { | ||
| ID string `json:"id"` | ||
| Secret []byte `json:"secret"` |
There was a problem hiding this comment.
For --no-db mode, I think this now forces the secrets to be doubly base64 encoded. Once because of the []byte for encoding/json, then again for the db code.
- Non base64 encoded secret. Doesn't work on master, still doesn't work on this branch.
[
{
"id": "example-app",
"secret": "example-app-secret",
"redirectURLs": ["http://127.0.0.1:5555/callback"]
}
]$ ./bin/dex-worker --no-db --clients clients.json
WARN: Running in-process without external database or key rotation
FATAL: Unable to build Server: unable to read clients from file clients.json: illegal base64 data at input byte 7
- base64ed secret. Currently works on master, doesn't work on this branch.
[
{
"id": "example-app",
"secret": "ZXhhbXBsZS1hcHAtc2VjcmV0",
"redirectURLs": ["http://127.0.0.1:5555/callback"]
}
]$ ./bin/dex-worker --no-db --clients clients.json
WARN: Running in-process without external database or key rotation
FATAL: Unable to build Server: failed to create client identity repo: illegal base64 data at input byte 16
- base64ed version of the base64ed secret. Currently "works" on master, only thing that works on this branch.
[
{
"id": "example-app",
"secret": "WlhoaGJYQnNaUzFoY0hBdGMyVmpjbVYw",
"redirectURLs": ["http://127.0.0.1:5555/callback"]
}
]$ ./bin/dex-worker --no-db --clients clients.json
WARN: Running in-process without external database or key rotation
INFO: Loaded IdP connector: id=local type=local
INFO: Loaded IdP connector: id=google type=oidc
INFO: Loaded IdP connector: id=github type=github
INFO: Loaded IdP connector: id=bitbucket type=bitbucket
WARN: bindTemplate not used when searchBeforeAuth specified.
INFO: Loaded IdP connector: id=ldap type=ldap
INFO: Binding to 127.0.0.1:5556...
8c3b988
to
428d089
Compare
| @@ -78,7 +78,7 @@ func ValidRedirectURL(rURL *url.URL, redirectURLs []url.URL) (url.URL, error) { | |||
| func ClientsFromReader(r io.Reader) ([]Client, error) { | |||
| var c []struct { | |||
| ID string `json:"id"` | |||
| Secret []byte `json:"secret"` | |||
| Secret string `json:"secret"` | |||
| RedirectURLs []string `json:"redirectURLs"` | |||
There was a problem hiding this comment.
@ericchiang This fixes the doubly encoded issue.
There was a problem hiding this comment.
nit: the type cast to a string later on in the function is no longer necessary.
Secret: string(client.Secret)
|
small nit #411 (comment) other than that lgtm |
bobbyrullo
force-pushed
the
cross_client
branch
from
428d089
to
7476aee
Compare
|
fixed your nit - gonna squash now |
added 7 commits
April 20, 2016 14:31
This is instead of oidc.ClientIdentity. This makes it easier to add new fields custom to dex to the client.
Get rid of all outdated "ClientIdentity" terminology.
Also require client ID and secret.
It's never used by downstream code, and besides, it's not really the secret but a Hash of the secret.
* TestCreateClient was missing test coverage on error cases * Fixed bug where 500s were being reported for bad requests * changed function signature of NewAdminAPI back to old way of passing in lots of repos: passing in a DbMap made it difficult to test * added swappable ID and Secret generators when creating Clients
bobbyrullo
force-pushed
the
cross_client
branch
from
7476aee
to
9c403ab
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We still use oidc.ClientMetadata and oidc.ClientCredentials but now we can easily add dex-specific stuff to the Client object. Will be very useful for the cross client stuff I'm about to do.