Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Cache-control headers to token responses #1948

Merged
merged 1 commit into from
Jan 23, 2021
Merged

Add Cache-control headers to token responses #1948

merged 1 commit into from
Jan 23, 2021

Conversation

nabokihms
Copy link
Member

@nabokihms nabokihms commented Jan 18, 2021
edited
Loading

Signed-off-by: m.nabokikh maksim.nabokikh@flant.com

Overview

  • Add headers
  • Add tests

What this PR does / why we need it

https://tools.ietf.org/html/rfc6749#section-5.1

The authorization server MUST include the HTTP "Cache-Control"
response header field [RFC2616] with a value of "no-store" in any
response containing tokens, credentials, or other sensitive
information, as well as the "Pragma" response header field [RFC2616]
with a value of "no-cache".

It is also ok (and better) to add Cache-Control header to device authorization response as in the example in https://tools.ietf.org/html/rfc8628#section-3.2

Special notes for your reviewer

Cache headers are required to pass the OpenID certification.

Does this PR introduce a user-facing change?

Add "Cache-control: no-store" and "Pragma: no-cache" headers to token responses

@nabokihms
Add Cache-control headers to token responses
a797889 
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
@sagikazarmark sagikazarmark added this to the v2.28.0 milestone Jan 23, 2021
sagikazarmark
sagikazarmark approved these changes Jan 23, 2021
View reviewed changes
Copy link
Member

@sagikazarmark sagikazarmark left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@sagikazarmark sagikazarmark merged commit 186a719 into dexidp:master Jan 23, 2021
xtremerui pushed a commit to concourse/dex that referenced this pull request Mar 16, 2021
upstream dex release: v2.28.0
ef54461 
The official docker release for this release can be pulled from

```
ghcr.io/dexidp/dex:v2.28.0
```

**Features:**

- Add c_hash to id_token, issued on /auth endpoint, when in hybrid flow (dexidp#1773, @HEllRZA)
- Allow configuration of returned auth proxy header (dexidp#1839, @seuf)
- Allow to disable os.ExpandEnv for storage + connector configs by env variable DEX_EXPAND_ENV = false (dexidp#1902, @heidemn-faro)
- Added the possibility to activate lowercase for UPN-Strings (dexidp#1888, @VF-mbrauer)
- Add "Cache-control: no-store" and "Pragma: no-cache" headers to token responses (dexidp#1948, @nabokihms)
- Add gomplate to the docker image (dexidp#1893, @nabokihms)
- Graceful shutdown (dexidp#1963, @nabokihms)
- Allow public clients created with API to have no client_secret (dexidp#1871, @spohner)

**Bugfixes:**

- Fix the etcd PKCE AuthCode deserialization (dexidp#1908, @bnu0)
- Fix garbage collection logging of device codes and device request (dexidp#1918, @nabokihms)
- Discovery endpoint contains updated claims and auth methods (dexidp#1951, @nabokihms)
- Return invalid_grant error if auth code is invalid or expired (dexidp#1952, @nabokihms)
- Return an error to auth requests with the "request" parameter (dexidp#1956, @nabokihms)

**Minor changes:**

- Change default themes to light/dark (dexidp#1858, @nabokihms)
- Various developer experience improvements
- Dependency upgrades
- Tons of small fixes and changes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sagikazarmark sagikazarmark sagikazarmark approved these changes

Assignees
No one assigned
Labels
area/oidc-spec kind/enhancement
Projects
None yet
Milestone
v2.28.0
Development

Successfully merging this pull request may close these issues.
2 participants
@nabokihms @sagikazarmark