Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added the possibility to activate lowercase for UPN-Strings #1888

Merged
merged 4 commits into from
Jan 6, 2021
Merged

Added the possibility to activate lowercase for UPN-Strings #1888

merged 4 commits into from
Jan 6, 2021

Conversation

VF-mbrauer
Copy link
Contributor

Overview

There was a need to introduce a Boolean-Flag which enables to possibility to transform the UPN (E-Mail) of the user to lowercase.
As we never now how those string are stored in Active Directory or Azure Active Directory. But they are important for mapping.

What this PR does / why we need it

In some Active Directories we have the UPNs in various formats stored. It can be lowercase, uppercase and also it
can be a mix of them. When now sending those to DEX and then when it will be used by the RBAC of the Custer
it needs to match 1:1. But we never now how the name will be transported and how it has been originally stored.
So overcome that issue, we need a small feature which does the trick an put all character to a format where we know
how to handle. As when they are all lowercases and we now that, we just put them the way on the Rolebindings on the cluster.

Special notes for your reviewer

Nothing special to highlight, expect that nothing will be put to LowerCase when Flag has not been set.
Otherwise the parameter keeps false and noting will change at all.

Does this PR introduce a user-facing change?

Depends, if the user want to use this feature, he needs to activate it. Once done the UPNs (E-Mail) will be send all the time
in lowercase letters. So if the user expect then to get the 1:1 from AD or AAD he will be surprised when the feature is on.

Configuration-Details:
If you put the UpnToLowercase: true into your yaml config and if you make it true to enable it will start conversion to LowerCase.


connectors:
  - type: microsoft
    # Required field for connector id.
    id: microsoft
    # Required field for connector name.
    name: Microsoft
    config:
      # Credentials can be string literals or pulled from the environment.
      clientID: $MICROSOFT_APPLICATION_ID
      clientSecret: $MICROSOFT_CLIENT_SECRET
      redirectURI: http://127.0.0.1:5556/dex/callback
      UpnToLowercase: true

@VF-mbrauer
Added the possibility to acticate lowercase for UPN-Strings
eb9ef3b 
Signed-off-by: Maik Brauer <maik.brauer@vodafone.com>
sagikazarmark
sagikazarmark requested changes Jan 5, 2021
View reviewed changes
go.mod Outdated
@@ -46,6 +47,7 @@ require (
gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d // indirect
gopkg.in/ldap.v2 v2.5.1
gopkg.in/square/go-jose.v2 v2.4.1
honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc // indirect
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is this added as a dependency?

go.mod Outdated
@@ -25,6 +25,7 @@ require (
github.com/lib/pq v1.3.0
github.com/mattermost/xml-roundtrip-validator v0.0.0-20201204154048-1a8688af4cf1
github.com/mattn/go-sqlite3 v1.11.0
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is this added as a dependency?

connector/microsoft/microsoft.go Outdated
@@ -51,6 +52,7 @@ type Config struct {
Groups []string `json:"groups"`
GroupNameFormat GroupNameFormat `json:"groupNameFormat"`
UseGroupsAsWhitelist bool `json:"useGroupsAsWhitelist"`
UpnToLowercase bool `json:"upnToLowercase"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not intimately familiar with microsoft/AD, but I think it would make sense to use email as a phrase here. I guess the UPN is always an email address.

@VF-mbrauer
Adapted recommendation from Maintainer for PR dexidp#1888
4d246bc 
Signed-off-by: Maik Brauer <maik.brauer@vodafone.com>
@VF-mbrauer
Adapted recommendation from Maintainer for PR dexidp#1888
c55f17e 
Signed-off-by: Maik Brauer <maik.brauer@vodafone.com>
@VF-mbrauer
Merge branch 'UPN-Lowercase' of https://github.com/VF-mbrauer/dex int…
0d53fa2 
…o UPN-Lowercase

Signed-off-by: Maik Brauer <maik.brauer@vodafone.com>
@VF-mbrauer
Copy link
Contributor Author

Hi @sagikazarmark, changes done. Please check. Thanks.

@sagikazarmark sagikazarmark added this to the v2.28.0 milestone Jan 6, 2021
sagikazarmark
sagikazarmark approved these changes Jan 6, 2021
View reviewed changes
Copy link
Member

@sagikazarmark sagikazarmark left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@sagikazarmark sagikazarmark merged commit ee50c09 into dexidp:master Jan 6, 2021
xtremerui pushed a commit to concourse/dex that referenced this pull request Mar 16, 2021
upstream dex release: v2.28.0
ef54461 
The official docker release for this release can be pulled from

```
ghcr.io/dexidp/dex:v2.28.0
```

**Features:**

- Add c_hash to id_token, issued on /auth endpoint, when in hybrid flow (dexidp#1773, @HEllRZA)
- Allow configuration of returned auth proxy header (dexidp#1839, @seuf)
- Allow to disable os.ExpandEnv for storage + connector configs by env variable DEX_EXPAND_ENV = false (dexidp#1902, @heidemn-faro)
- Added the possibility to activate lowercase for UPN-Strings (dexidp#1888, @VF-mbrauer)
- Add "Cache-control: no-store" and "Pragma: no-cache" headers to token responses (dexidp#1948, @nabokihms)
- Add gomplate to the docker image (dexidp#1893, @nabokihms)
- Graceful shutdown (dexidp#1963, @nabokihms)
- Allow public clients created with API to have no client_secret (dexidp#1871, @spohner)

**Bugfixes:**

- Fix the etcd PKCE AuthCode deserialization (dexidp#1908, @bnu0)
- Fix garbage collection logging of device codes and device request (dexidp#1918, @nabokihms)
- Discovery endpoint contains updated claims and auth methods (dexidp#1951, @nabokihms)
- Return invalid_grant error if auth code is invalid or expired (dexidp#1952, @nabokihms)
- Return an error to auth requests with the "request" parameter (dexidp#1956, @nabokihms)

**Minor changes:**

- Change default themes to light/dark (dexidp#1858, @nabokihms)
- Various developer experience improvements
- Dependency upgrades
- Tons of small fixes and changes
elffjs pushed a commit to DIMO-Network/dex that referenced this pull request Jun 27, 2022
@VF-mbrauer @elffjs
Adapted recommendation from Maintainer for PR dexidp#1888
e8f50af 
Signed-off-by: Maik Brauer <maik.brauer@vodafone.com>
@thomwatkin thomwatkin mentioned this pull request Jul 4, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sagikazarmark sagikazarmark sagikazarmark approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v2.28.0
Development

Successfully merging this pull request may close these issues.
2 participants
@VF-mbrauer @sagikazarmark