If we expand environment values directly with os.ExpandEnv() over whole
config, we might end up in a situation where the environment variable
has escape characters that break the resulting JSON, and unmarshalling
fails. Instead of expanding the entire config with single call, we
recurse through the config and expand the values in leaves one by one.
Signed-off-by: Tuomo Tanskanen <tuomo.tanskanen@est.tech>
The problem caused by the mistake in the newLogger function. The nil value is returned even with the valid log format.
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
Customization of headers in the authentication server is crucial for enforcing stringent security measures by allowing the inclusion of specific headers required for authentication protocols and compliance standards. This customization ensures that authentication requests are processed securely, mitigating potential vulnerabilities and ensuring adherence to security policies.
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
Add configuration options for TLSMinVersion and TLSMaxVersion.
This enables setting TLS 1.3 as minimum version for example for both
GRPC and Web, or enforcing TLS 1.2 only for easier debugging of
secure connections.
Signed-off-by: Tuomo Tanskanen <tuomo.tanskanen@est.tech>
When TLS certificate reloading functionality was implemented and
released in Dex 2.37.0, added newTLSReloader() returns empty tlsConfig
and discards the provided, already configured tlsConfig. Server's with
empty tlsConfig override Go's sensible defaults, and starts serving Dex
over TLS 1.0 and TLS 1.1 in addition to Go's defaults TLS 1.2+.
TLS 1.0 and 1.1 are long deprecated and vulnerable, making this a
security risk. Server and its secrets are vulnerable to attackers.
The io/ioutil package has been deprecated as of Go 1.16, see
https://golang.org/doc/go1.16#ioutil. This commit replaces the existing
io/ioutil functions with their new definitions in io and os packages.
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
alihasan070707
Tuomo Tanskanen
Koen de Laat
Maksim Nabokikh
Giovanni Campeol
Nicolas Lamirault
Richard Gomez
Sean Liao
Márk Sági-Kazár
Josiah Evans
Andrew Keesler
iam-veeramalla
Eng Zer Jun