See https://users.rust-lang.org/t/rustup-1-5-0-released/11529

• Separate the functionality into a separate crate (#69)
• Use r2d2-diesel (#70)
• Generic DB agnostic implementation (#71)
• Implement migration for Library (#73)
• Implement Migration in CLI (#77)
• Improve test harness wrt database servers setup (maybe with Docker Compose to run the databases) (also perhaps via integration tests instead)
• Support SQLite (#78)
• Support Postgres (#79)
• Add tests for "non default" DB schema
• Add CLI tools for managing users
• Improve documentation

For more flexibility

https://github.com/diesel-rs/diesel/releases/tag/v1.0.0-beta1

And include the kid in the tokens issued.

Usually /token_key endpoint.

The shape of the information will be authenticator dependent. And should be configurable

• Library changes
• LDAP
• Diesel based ones

These will only show non username/password related errors.

Since it's based on Docker Registry's authentication protocol, I think I can put rowdy in front of Docker Registry in order to provide authentication, right? (Maybe I'm missing something.)

• Exponential Backoff
• Total lockout?

What gives?

• "Proper" Basic Auth response
• LDAP integration
• Refresh Token
• Scope resolution (maybe some kind of API?)
• Session "remembering" login (for some form of SSO)
• Single Logout
• Blacklisting Access/Refresh Token

Hey there,
apologies for the noobish question - are there examples somewhere on how this might be integrated into an existing project?

Consider https://github.com/erickt/rust-gssapi

Even if it's not for production, at least have some semblance of proper security.

Use argon2 (https://github.com/bryant/argon2rs) or https://dnaq.github.io/sodiumoxide/sodiumoxide/crypto/pwhash/scryptsalsa208sha256/index.html

https://crates.io/crates/ldap3

And maybe we can finally be rid of rustc-serialize.

Specifically, launch is not tested.

Here's a sample of the fields available:

('CN=Daniel Sim,CN=Users,DC=dsd,DC=example,DC=gov,DC=sg',
  {'accountExpires': ['9223372036854775807'],
   'badPasswordTime': ['131408687478170480'],
   'badPwdCount': ['0'],
   'cn': ['Daniel Sim'],
   'codePage': ['0'],
   'company': ['GovTech'],
   'countryCode': ['0'],
   'dSCorePropagationData': ['20160928023533.0Z',
    '20160928020831.0Z',
    '16010101000001.0Z'],
   'department': ['DSD'],
   'displayName': ['Daniel Sim'],
   'distinguishedName': ['CN=Daniel Sim,CN=Users,DC=dsd,DC=example,DC=gov,DC=sg'],
   'givenName': ['Daniel Sim'],
   'instanceType': ['4'],
   'lastLogoff': ['0'],
   'lastLogon': ['131408688359644108'],
   'lastLogonTimestamp': ['131408636685082554'],
   'lockoutTime': ['0'],
   'logonCount': ['0'],
   'mail': ['[email protected]'],
   'memberOf': ['CN=DanielTesting2,CN=Users,DC=dsd,DC=example,DC=gov,DC=sg',
    'CN=DanielTesting,CN=Users,DC=dsd,DC=example,DC=gov,DC=sg'],
   'name': ['Daniel Sim'],
   'objectCategory': ['CN=Person,CN=Schema,CN=Configuration,DC=dsd,DC=example,DC=gov,DC=sg'],
   'objectClass': ['top', 'person', 'organizationalPerson', 'user'],
   'objectGUID': ['P\xebV\xe5\xaebYB\xa5)\xf6\x93[ \x12^'],
   'objectSid': ['\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00\x1c\xcf\x13\x90\n\xfe,\xe0\xb7y\x98\xa5\\\x04\x00\x00'],
   'physicalDeliveryOfficeName': ['X'],
   'primaryGroupID': ['513'],
   'pwdLastSet': ['131408636244939448'],
   'sAMAccountName': ['daniel_sim'],
   'sAMAccountType': ['805306368'],
   'uSNChanged': ['55404'],
   'uSNCreated': ['12915'],
   'userAccountControl': ['512'],
   'userPrincipalName': ['[email protected]'],
   'whenChanged': ['20170602075428.0Z'],
   'whenCreated': ['20160928020831.0Z']}),

If the user specifies scope=userPrincipalName,memberOf,mail, the JSON web token should also include the following fields:

{
    userPrincipalName: ['[email protected]'],
    memberOf: [
        'CN=DanielTesting2,CN=Users,DC=dsd,DC=example,DC=gov,DC=sg',
        'CN=DanielTesting,CN=Users,DC=dsd,DC=example,DC=gov,DC=sg'
    ],
    mail: ['[email protected]']
}

This way, we can perform group checks without hitting the LDAP server

Relevant line of code: https://github.com/lawliet89/rowdy/blob/master/src/auth/ldap.rs#L101

I can break the LDAP search filter by passing illegal characters into the username, e.g. ''

Under the Allow header.

Otherwise... travis-cargo does not know how to upload docs.

Remove use that are in prelude:

• std::default::Default
• std::convert::{From, Into};

Don't do format!("{}", x) because impl<T> ToString for T where T: Display + ?Sized

If I run the docker example, and submit a request with offline_token=true, it doesn't return a refresh token in the response. Same thing if I configure the csv fixture for refresh tokens.