Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Cache-control headers to token responses #1948

Merged
merged 1 commit into from
Jan 23, 2021

Conversation

nabokihms
Copy link
Member

@nabokihms nabokihms commented Jan 18, 2021

Signed-off-by: m.nabokikh maksim.nabokikh@flant.com

Overview

  • Add headers
  • Add tests

What this PR does / why we need it

https://tools.ietf.org/html/rfc6749#section-5.1

The authorization server MUST include the HTTP "Cache-Control"
response header field [RFC2616] with a value of "no-store" in any
response containing tokens, credentials, or other sensitive
information, as well as the "Pragma" response header field [RFC2616]
with a value of "no-cache".

It is also ok (and better) to add Cache-Control header to device authorization response as in the example in https://tools.ietf.org/html/rfc8628#section-3.2

Special notes for your reviewer

Cache headers are required to pass the OpenID certification.

Does this PR introduce a user-facing change?

Add "Cache-control: no-store" and "Pragma: no-cache" headers to token responses

Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
Copy link
Member

@sagikazarmark sagikazarmark left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@sagikazarmark sagikazarmark merged commit 186a719 into dexidp:master Jan 23, 2021
xtremerui pushed a commit to concourse/dex that referenced this pull request Mar 16, 2021
The official docker release for this release can be pulled from

```
ghcr.io/dexidp/dex:v2.28.0
```

**Features:**

- Add c_hash to id_token, issued on /auth endpoint, when in hybrid flow (dexidp#1773, @HEllRZA)
- Allow configuration of returned auth proxy header (dexidp#1839, @seuf)
- Allow to disable os.ExpandEnv for storage + connector configs by env variable DEX_EXPAND_ENV = false (dexidp#1902, @heidemn-faro)
- Added the possibility to activate lowercase for UPN-Strings (dexidp#1888, @VF-mbrauer)
- Add "Cache-control: no-store" and "Pragma: no-cache" headers to token responses (dexidp#1948, @nabokihms)
- Add gomplate to the docker image (dexidp#1893, @nabokihms)
- Graceful shutdown (dexidp#1963, @nabokihms)
- Allow public clients created with API to have no client_secret (dexidp#1871, @spohner)

**Bugfixes:**

- Fix the etcd PKCE AuthCode deserialization (dexidp#1908, @bnu0)
- Fix garbage collection logging of device codes and device request (dexidp#1918, @nabokihms)
- Discovery endpoint contains updated claims and auth methods (dexidp#1951, @nabokihms)
- Return invalid_grant error if auth code is invalid or expired (dexidp#1952, @nabokihms)
- Return an error to auth requests with the "request" parameter (dexidp#1956, @nabokihms)

**Minor changes:**

- Change default themes to light/dark (dexidp#1858, @nabokihms)
- Various developer experience improvements
- Dependency upgrades
- Tons of small fixes and changes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants