Maksim Nabokikh
3bf25fd6e0
feat: add SSO sharing policy (#4705)
Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
2026-04-02 14:18:53 +02:00
Maksim Nabokikh
546e66cb5d
feat: add WebAuthn support (#4704)
Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
Signed-off-by: Maksim Nabokikh <max.nabokih@gmail.com>
Co-authored-by: Alwx <alwxsin@gmail.com>
2026-04-02 11:48:46 +02:00
Maksim Nabokikh
9f92c71d62
feat: cookies encryption support (#4676)
Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
2026-03-27 09:33:20 +01:00
iliaandreevde
098ab6036e
feat: support ES256 local signer (#4682)
Signed-off-by: Ilia Andreev <ilia.andreev@palark.com>
Co-authored-by: Ilia Andreev <ilia.andreev@palark.com>
2026-03-25 09:46:45 +01:00
Maksim Nabokikh
86abd336f8
Two-Factor authentication (TOTP) (#3712)
Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
2026-03-18 18:20:20 +01:00
Maksim Nabokikh
cbd7dd7f5a
feat: Create AuthSessions and set cookies (#4650)
Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
2026-03-18 11:58:18 +01:00
Mark Liu
4fb3e7810b
feat(logger): add excludeFields config for PII redaction (#4621)
Adds an slog.Handler wrapper (excludingHandler) that drops log
attributes matching a configured set of keys. This allows
GDPR-sensitive deployments to suppress PII fields like email,
username, preferred_username, or groups at the logger level
rather than per-callsite.
Also adds user_id to the "login successful" log line so operators
who exclude PII fields still have a pseudonymous identifier.
Closes #4391
---------
Signed-off-by: Mark Liu <mark@prove.com.au>
2026-03-15 21:51:44 +01:00
Maksim Nabokikh
5bbfbbe168
feat: add PKCE (Proof Key for Code Exchange) configuration to OAuth2 settings (#4638)
Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
2026-03-13 13:09:44 +01:00
Maksim Nabokikh
7777773067
feat(connector): connectors for grants (#4619)
Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
2026-03-11 07:21:14 +01:00
Mathias Gebbe
fec4f53203
feat(oauth2): add client credentials flow with opt-in config flag (#4583)
Implement the OAuth2 client_credentials grant type for
machine-to-machine authentication. The grant is gated behind a new
clientCredentialsEnabled config flag (defaults to false), following
the same pattern as passwordConnector for the password grant.
---------
Signed-off-by: Mathias Gebbe <mathias.gebbe@gmail.com>
Signed-off-by: Maksim Nabokikh <maksim.nabokikh@flant.com>
Signed-off-by: Maksim Nabokikh <max.nabokih@gmail.com>
Co-authored-by: Maksim Nabokikh <maksim.nabokikh@flant.com>
Co-authored-by: Maksim Nabokikh <max.nabokih@gmail.com>
2026-03-03 12:29:04 +01:00
kt
91e985edea
fix: correct error message for device request expiry (#4599)
Signed-off-by: kanywst <niwatakuma@icloud.com>
2026-03-02 08:48:39 +01:00
kt
99c423364e
fix: fix typo in grpc listener error message (#4598)
Signed-off-by: kanywst <niwatakuma@icloud.com>
2026-02-28 15:20:33 +01:00
Maksim Nabokikh
e1d6c38ca2
fix: Invert condition for unknown fields in config unmarshaller (#4596)
Signed-off-by: Maksim Nabokikh <maksim.nabokikh@flant.com>
2026-02-27 09:04:29 +01:00
Maksim Nabokikh
d78d744468
feat: Disallow unknown config fields (#4531)
Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
2026-02-26 13:35:50 +01:00
Maksim Nabokikh
785033767c
feat: refactor signer configuration with local and vault options (#4532)
Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
2026-02-15 16:08:21 +01:00
Ivan Zviagintsev
9e377718dc
feat: add name and emailVerified fields for static passwords (#4526)
Signed-off-by: Ivan Zvyagintsev <ivan.zvyagintsev@flant.com>
2026-02-12 12:13:54 +01:00
Maksim Nabokikh
56958b1ad2
feat: Add Vault signer for JWT (#4512)
Signed-off-by: Maksim Nabokikh <max.nabokih@gmail.com>
2026-02-10 07:56:43 +01:00
Ivan Zviagintsev
d1b2722e39
feat: support groups and preferred_username for staticPasswords (#4456)
Signed-off-by: Ivan Zvyagintsev <ivan.zvyagintsev@flant.com>
2026-01-13 10:07:21 +01:00
Manoj Vivek
87ec9e077e
Allow server startup with partial connector failures (#4159)
Signed-off-by: Manoj Vivek <p.manoj.vivek@gmail.com>
2025-06-16 15:53:20 +02:00
alihasan070707
230d1dc20a
fix Incorrect Group Handling in RequestContextHandler logger.go (#4082)
Wrap the grouped handler in requestContextHandler to preserve context attribute injection.
fixes #4081
Signed-off-by: alihasan070707 <52155098+alihasan070707@users.noreply.github.com>
2025-05-13 08:51:25 +02:00
Tuomo Tanskanen
749bbd5d98
fix unmarshaling of expanded environment variables with special characters (#3770)
If we expand environment values directly with os.ExpandEnv() over whole
config, we might end up in a situation where the environment variable
has escape characters that break the resulting JSON, and unmarshalling
fails. Instead of expanding the entire config with a single call, we
recurse through the config and expand the values in leaves one by one.
Signed-off-by: Tuomo Tanskanen <tuomo.tanskanen@est.tech>
2024-10-14 15:15:05 +02:00
Koen de Laat
d0f1777c41
Added Discovery to grpc (#3598)
Signed-off-by: Koen de Laat <koen.de.laat@philips.com>
2024-08-29 17:12:25 +02:00
Maksim Nabokikh
5c66c71864
Change workdir for gomplate (#3684)
Workaround to run gomplate from a non-root directory in distroless images, because gomplate tries to access CWD on start.
See: https://github.com/hairyhenderson/gomplate/pull/2202
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2024-08-07 19:31:01 +02:00
Maksim Nabokikh
81af48862b
Remove additional features and add a feature flag instead (#3663)
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2024-08-01 21:38:09 +02:00
Maksim Nabokikh
225660785c
Enrich Dex logs with real IP and request ID (#3661)
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
Signed-off-by: Maksim Nabokikh <max.nabokih@gmail.com>
Co-authored-by: Márk Sági-Kazár <sagikazarmark@users.noreply.github.com>
2024-08-01 21:37:35 +02:00