Skip to content

Commit

Permalink
Merge pull request #2 from orange-cloudfoundry/release-orange-v2.37.0
Browse files Browse the repository at this point in the history
Release orange v2.37.0-orange
  • Loading branch information
FernandezBenjamin authored Jul 25, 2023
2 parents 771bf9c + c42367b commit 5c2563a
Show file tree
Hide file tree
Showing 5 changed files with 39 additions and 6 deletions.
1 change: 0 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,6 @@

![logo](docs/logos/dex-horizontal-color.png)


Dex is an identity service that uses [OpenID Connect][openid-connect] to drive authentication for other apps.

Dex acts as a portal to other identity providers through ["connectors."](#connectors) This lets dex defer authentication to LDAP servers, SAML providers, or established identity providers like GitHub, Google, and Active Directory. Clients write their authentication logic once to talk to dex, then dex handles the protocols for a given backend.
Expand Down
1 change: 1 addition & 0 deletions cmd/dex/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -150,6 +150,7 @@ type Web struct {
TLSCert string `json:"tlsCert"`
TLSKey string `json:"tlsKey"`
AllowedOrigins []string `json:"allowedOrigins"`
FrameAncestors []string `json:"frameAncestors"`
}

// Telemetry is the config format for telemetry including the HTTP server config.
Expand Down
4 changes: 4 additions & 0 deletions cmd/dex/serve.go
Original file line number Diff line number Diff line change
Expand Up @@ -253,6 +253,10 @@ func runServe(options serveOptions) error {
logger.Infof("config allowed origins: %s", c.Web.AllowedOrigins)
}

if len(c.Web.FrameAncestors) > 0 {
logger.Infof("config allowed frame ancestors: %s", c.Web.FrameAncestors)
}

// explicitly convert to UTC.
now := func() time.Time { return time.Now().UTC() }

Expand Down
10 changes: 7 additions & 3 deletions server/oauth2.go
Original file line number Diff line number Diff line change
Expand Up @@ -145,9 +145,13 @@ const (
)

const (
responseTypeCode = "code" // "Regular" flow
responseTypeToken = "token" // Implicit flow for frontend apps.
responseTypeIDToken = "id_token" // ID Token in url fragment
responseTypeCode = "code" // "Regular" flow
responseTypeToken = "token" // Implicit flow for frontend apps.
responseTypeIDToken = "id_token" // ID Token in url fragment
responseTypeCodeToken = "code token" // "Regular" flow + Implicit flow
responseTypeCodeIDToken = "code id_token" // "Regular" flow + ID Token
responseTypeIDTokenToken = "id_token token" // ID Token + Implicit flow
responseTypeCodeIDTokenToken = "code id_token token" // "Regular" flow + ID Token + Implicit flow
)

const (
Expand Down
29 changes: 27 additions & 2 deletions server/server.go
Original file line number Diff line number Diff line change
Expand Up @@ -77,6 +77,11 @@ type Config struct {
// domain.
AllowedOrigins []string

// List of domain allowed to frame the content of the application.
// By default no one is accepted to prevent against clickjacking.
// Passing in "*" will allow any domain
FrameAncestors []string

// If enabled, the server won't prompt the user to approve authorization requests.
// Logging in implies approval.
SkipApprovalScreen bool
Expand Down Expand Up @@ -225,9 +230,9 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)

for _, respType := range c.SupportedResponseTypes {
switch respType {
case responseTypeCode, responseTypeIDToken:
case responseTypeCode, responseTypeIDToken, responseTypeCodeIDToken:
// continue
case responseTypeToken:
case responseTypeToken, responseTypeCodeToken, responseTypeIDTokenToken, responseTypeCodeIDTokenToken:
// response_type=token is an implicit flow, let's add it to the discovery info
// https://datatracker.ietf.org/doc/html/rfc6749#section-4.2.1
allSupportedGrants[grantTypeImplicit] = true
Expand Down Expand Up @@ -339,7 +344,27 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
}
}

// frame-ancestors middleware
frameAncestorsMidldleware := func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
var ancestors string
if len(c.FrameAncestors) > 0 {
for i := 0; i < len(c.FrameAncestors); i++ {
if c.FrameAncestors[i] == issuerURL.String() {
c.FrameAncestors[i] = "'self'"
}
}
ancestors = strings.Join(c.FrameAncestors, " ")
} else {
ancestors = "'none'"
}
w.Header().Set("Content-Security-Policy", "frame-ancestors "+ancestors)
next.ServeHTTP(w, r)
})
}

r := mux.NewRouter().SkipClean(true).UseEncodedPath()
r.Use(frameAncestorsMidldleware)
handle := func(p string, h http.Handler) {
r.Handle(path.Join(issuerURL.Path, p), instrumentHandlerCounter(p, h))
}
Expand Down

0 comments on commit 5c2563a

Please sign in to comment.