From 54fb570ffa9b81986279a668c6382f518036978b Mon Sep 17 00:00:00 2001 From: Maksim Nabokikh Date: Tue, 6 Aug 2024 07:57:51 +0200 Subject: [PATCH 01/27] Fix scheme for DialURL ldap connection (#3677) * Use scheme without :// suffix * Make test ldap server listen on custom ports to avoid stepping into go-ldap defaults Signed-off-by: m.nabokikh --- .github/workflows/ci.yaml | 4 ++-- connector/ldap/ldap.go | 6 +++--- docker-compose.test.yaml | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 8cf94a64f9..534edea15f 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -121,8 +121,8 @@ jobs: DEX_ETCD_ENDPOINTS: http://localhost:${{ job.services.etcd.ports[2379] }} DEX_LDAP_HOST: localhost - DEX_LDAP_PORT: 389 - DEX_LDAP_TLS_PORT: 636 + DEX_LDAP_PORT: 3890 + DEX_LDAP_TLS_PORT: 6360 DEX_KEYSTONE_URL: http://localhost:${{ job.services.keystone.ports[5000] }} DEX_KEYSTONE_ADMIN_URL: http://localhost:${{ job.services.keystone.ports[35357] }} diff --git a/connector/ldap/ldap.go b/connector/ldap/ldap.go index 897f30cff1..856949d240 100644 --- a/connector/ldap/ldap.go +++ b/connector/ldap/ldap.go @@ -322,10 +322,10 @@ func (c *ldapConnector) do(_ context.Context, f func(c *ldap.Conn) error) error switch { case c.InsecureNoSSL: - u := url.URL{Scheme: "ldap://", Host: c.Host} + u := url.URL{Scheme: "ldap", Host: c.Host} conn, err = ldap.DialURL(u.String()) case c.StartTLS: - u := url.URL{Scheme: "ldap://", Host: c.Host} + u := url.URL{Scheme: "ldap", Host: c.Host} conn, err = ldap.DialURL(u.String()) if err != nil { return fmt.Errorf("failed to connect: %v", err) 
@@ -334,7 +334,7 @@ func (c *ldapConnector) do(_ context.Context, f func(c *ldap.Conn) error) error return fmt.Errorf("start TLS failed: %v", err) } default: - u := url.URL{Scheme: "ldaps://", Host: c.Host} + u := url.URL{Scheme: "ldaps", Host: c.Host} conn, err = ldap.DialURL(u.String(), ldap.DialWithTLSConfig(c.tlsConfig)) } if err != nil { diff --git a/docker-compose.test.yaml b/docker-compose.test.yaml index 46dfd84c4d..933ff80164 100644 --- a/docker-compose.test.yaml +++ b/docker-compose.test.yaml @@ -11,8 +11,8 @@ services: LDAP_TLS: "true" LDAP_TLS_VERIFY_CLIENT: try ports: - - 389:389 - - 636:636 + - 3890:389 + - 6360:636 volumes: - ./connector/ldap/testdata/certs:/container/service/slapd/assets/certs - ./connector/ldap/testdata/schema.ldif:/container/service/slapd/assets/config/bootstrap/ldif/99-schema.ldif From 43956db7fd75c488a82c70cf231f44287300a75d Mon Sep 17 00:00:00 2001 From: Maksim Nabokikh Date: Wed, 7 Aug 2024 19:31:01 +0200 Subject: [PATCH 02/27] Change workdir for gomplate (#3684) Workaround to run gomplate from a non-root directory in distroless images, because gomplate tries to access CWD on start. See: https://github.com/hairyhenderson/gomplate/pull/2202 Signed-off-by: m.nabokikh --- cmd/docker-entrypoint/main.go | 46 ++++++++++------- cmd/docker-entrypoint/main_test.go | 79 +++++++++++++----------------- 2 files changed, 62 insertions(+), 63 deletions(-) diff --git a/cmd/docker-entrypoint/main.go b/cmd/docker-entrypoint/main.go index b0f8e277f3..14d837e5ee 100644 --- a/cmd/docker-entrypoint/main.go +++ b/cmd/docker-entrypoint/main.go 
@@ -22,20 +22,13 @@ func main() { os.Exit(1) } - if err := run(args, realExec, realWhich); err != nil { + if err := run(args, realExec, realWhich, realGomplate); err != nil { fmt.Println("error:", err.Error()) os.Exit(1) } } -func realExec(fork bool, args ...string) error { - if fork { - if output, err := exec.Command(args[0], args[1:]...).CombinedOutput(); err != nil { - return fmt.Errorf("cannot fork/exec command %s: %w (output: %q)", args, err, string(output)) - } - return nil - } - +func realExec(args ...string) error { argv0, err := exec.LookPath(args[0]) if err != nil { return fmt.Errorf("cannot lookup path for command %s: %w", args[0], err) 
@@ -56,34 +49,49 @@ func realWhich(path string) string { return fullPath } -func run(args []string, execFunc func(bool, ...string) error, whichFunc func(string) string) error { +func realGomplate(path string) (string, error) { + tmpFile, err := os.CreateTemp("/tmp", "dex.config.yaml-*") + if err != nil { + return "", fmt.Errorf("cannot create temp file: %w", err) + } + + cmd := exec.Command("gomplate", "-f", path, "-o", tmpFile.Name()) + // TODO(nabokihms): Workaround to run gomplate from a non-root directory in distroless images + // gomplate tries to access CWD on start, see: https://github.com/hairyhenderson/gomplate/pull/2202 + cmd.Dir = "/etc/dex" + + output, err := cmd.CombinedOutput() + if err != nil { + return "", fmt.Errorf("error executing gomplate: %w, (output: %q)", err, string(output)) + } + + return tmpFile.Name(), nil +} + +func run(args []string, execFunc func(...string) error, whichFunc func(string) string, gomplateFunc func(string) (string, error)) error { if args[0] != "dex" && args[0] != whichFunc("dex") { - return execFunc(false, args...) + return execFunc(args...) } if args[1] != "serve" { - return execFunc(false, args...) + return execFunc(args...) } newArgs := []string{} for _, tplCandidate := range args { if hasSuffixes(tplCandidate, ".tpl", ".tmpl", ".yaml") { - tmpFile, err := os.CreateTemp("/tmp", "dex.config.yaml-*") + fileName, err := gomplateFunc(tplCandidate) if err != nil { - return fmt.Errorf("cannot create temp file: %w", err) - } - - if err := execFunc(true, "gomplate", "-f", tplCandidate, "-o", tmpFile.Name()); err != nil { return err } - newArgs = append(newArgs, tmpFile.Name()) + newArgs = append(newArgs, fileName) } else { newArgs = append(newArgs, tplCandidate) } } - return execFunc(false, newArgs...) + return execFunc(newArgs...) } func hasSuffixes(s string, suffixes ...string) bool { diff --git a/cmd/docker-entrypoint/main_test.go b/cmd/docker-entrypoint/main_test.go index c8aef16979..49da3b5f02 100644 
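Review bot: Setting `cmd.Dir = "/etc/dex"` in `realGomplate` also changes how gomplate resolves a relative `-f` argument, so a template passed as `config.tpl` or `some/path/config.yaml` (both forms appear in the tests) is now looked up under /etc/dex rather than the entrypoint's working directory. The function also keeps the `os.CreateTemp` handle open and leaves the temp file behind when gomplate fails; a rendered Dex config normally carries client and connector secrets, so stray copies in /tmp are worth avoiding. I would resolve the path before the directory change (assuming `os.Getwd` works in the distroless image), close the handle, and remove the file on the error path, as sketched below. This needs `path/filepath` in the import block, which is outside the hunk.

```go
func realGomplate(path string) (string, error) {
	// Resolve against the entrypoint's working directory before cmd.Dir changes it for the child.
	absPath, err := filepath.Abs(path)
	if err != nil {
		return "", fmt.Errorf("cannot resolve template path %q: %w", path, err)
	}

	tmpFile, err := os.CreateTemp("/tmp", "dex.config.yaml-*")
	// … unchanged: CreateTemp error check …

	// gomplate reopens the file by name, so the descriptor is not needed here.
	if err := tmpFile.Close(); err != nil {
		os.Remove(tmpFile.Name())
		return "", fmt.Errorf("cannot close temp file: %w", err)
	}

	cmd := exec.Command("gomplate", "-f", absPath, "-o", tmpFile.Name())
	// … unchanged: cmd.Dir workaround …

	output, err := cmd.CombinedOutput()
	if err != nil {
		// Do not leave a partially rendered config behind.
		os.Remove(tmpFile.Name())
		return "", fmt.Errorf("error executing gomplate: %w, (output: %q)", err, string(output))
	}
	// … unchanged: return tmpFile.Name() …
```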
--- a/cmd/docker-entrypoint/main_test.go +++ b/cmd/docker-entrypoint/main_test.go @@ -6,7 +6,7 @@ import ( ) type execArgs struct { - fork bool + gomplate bool argPrefixes []string } 
@@ -16,98 +16,89 @@ func TestRun(t *testing.T) { args []string execReturns error whichReturns string - wantExecArgs []execArgs + wantExecArgs execArgs wantErr error }{ { name: "executable not dex", args: []string{"tuna", "fish"}, - wantExecArgs: []execArgs{{fork: false, argPrefixes: []string{"tuna", "fish"}}}, + wantExecArgs: execArgs{gomplate: false, argPrefixes: []string{"tuna", "fish"}}, }, { name: "executable is full path to dex", args: []string{"/usr/local/bin/dex", "marshmallow", "zelda"}, whichReturns: "/usr/local/bin/dex", - wantExecArgs: []execArgs{{fork: false, argPrefixes: []string{"/usr/local/bin/dex", "marshmallow", "zelda"}}}, + wantExecArgs: execArgs{gomplate: false, argPrefixes: []string{"/usr/local/bin/dex", "marshmallow", "zelda"}}, }, { name: "command is not serve", args: []string{"dex", "marshmallow", "zelda"}, - wantExecArgs: []execArgs{{fork: false, argPrefixes: []string{"dex", "marshmallow", "zelda"}}}, + wantExecArgs: execArgs{gomplate: false, argPrefixes: []string{"dex", "marshmallow", "zelda"}}, }, { name: "no templates", args: []string{"dex", "serve", "config.yaml.not-a-template"}, - wantExecArgs: []execArgs{{fork: false, argPrefixes: []string{"dex", "serve", "config.yaml.not-a-template"}}}, + wantExecArgs: execArgs{gomplate: false, argPrefixes: []string{"dex", "serve", "config.yaml.not-a-template"}}, }, { name: "no templates", args: []string{"dex", "serve", "config.yaml.not-a-template"}, - wantExecArgs: []execArgs{{fork: false, argPrefixes: []string{"dex", "serve", "config.yaml.not-a-template"}}}, + wantExecArgs: execArgs{gomplate: false, argPrefixes: []string{"dex", "serve", "config.yaml.not-a-template"}}, }, { - name: ".tpl template", - args: []string{"dex", "serve", "config.tpl"}, - wantExecArgs: []execArgs{ - {fork: true, argPrefixes: []string{"gomplate", "-f", "config.tpl", "-o", "/tmp/dex.config.yaml-"}}, - {fork: false, argPrefixes: []string{"dex", "serve", "/tmp/dex.config.yaml-"}}, - }, + name: ".tpl template", + args: 
[]string{"dex", "serve", "config.tpl"}, + wantExecArgs: execArgs{gomplate: true, argPrefixes: []string{"dex", "serve", "/tmp/dex.config.yaml-"}}, }, { - name: ".tmpl template", - args: []string{"dex", "serve", "config.tmpl"}, - wantExecArgs: []execArgs{ - {fork: true, argPrefixes: []string{"gomplate", "-f", "config.tmpl", "-o", "/tmp/dex.config.yaml-"}}, - {fork: false, argPrefixes: []string{"dex", "serve", "/tmp/dex.config.yaml-"}}, - }, + name: ".tmpl template", + args: []string{"dex", "serve", "config.tmpl"}, + wantExecArgs: execArgs{gomplate: true, argPrefixes: []string{"dex", "serve", "/tmp/dex.config.yaml-"}}, }, { - name: ".yaml template", - args: []string{"dex", "serve", "some/path/config.yaml"}, - wantExecArgs: []execArgs{ - {fork: true, argPrefixes: []string{"gomplate", "-f", "some/path/config.yaml", "-o", "/tmp/dex.config.yaml-"}}, - {fork: false, argPrefixes: []string{"dex", "serve", "/tmp/dex.config.yaml-"}}, - }, + name: ".yaml template", + args: []string{"dex", "serve", "some/path/config.yaml"}, + wantExecArgs: execArgs{gomplate: true, argPrefixes: []string{"dex", "serve", "/tmp/dex.config.yaml-"}}, }, } for _, test := range tests { t.Run(test.name, func(t *testing.T) { - var gotExecForks []bool - var gotExecArgs [][]string - fakeExec := func(fork bool, args ...string) error { - gotExecForks = append(gotExecForks, fork) - gotExecArgs = append(gotExecArgs, args) + var gotExecArgs []string + var runsGomplate bool + + fakeExec := func(args ...string) error { + gotExecArgs = append(args, gotExecArgs...) 
return test.execReturns } fakeWhich := func(_ string) string { return test.whichReturns } - gotErr := run(test.args, fakeExec, fakeWhich) + fakeGomplate := func(file string) (string, error) { + runsGomplate = true + return "/tmp/dex.config.yaml-", nil + } + + gotErr := run(test.args, fakeExec, fakeWhich, fakeGomplate) if (test.wantErr == nil) != (gotErr == nil) { t.Errorf("wanted error %s, got %s", test.wantErr, gotErr) } - if !execArgsMatch(test.wantExecArgs, gotExecForks, gotExecArgs) { - t.Errorf("wanted exec args %+v, got %+v %+v", test.wantExecArgs, gotExecForks, gotExecArgs) + + if !execArgsMatch(test.wantExecArgs, runsGomplate, gotExecArgs) { + t.Errorf("wanted exec args %+v (running gomplate: %+v), got %+v (running gomplate: %+v)", + test.wantExecArgs.argPrefixes, test.wantExecArgs.gomplate, gotExecArgs, runsGomplate) } }) } } -func execArgsMatch(wantExecArgs []execArgs, gotForks []bool, gotExecArgs [][]string) bool { - if len(wantExecArgs) != len(gotForks) { +func execArgsMatch(wantExecArgs execArgs, gomplate bool, gotExecArgs []string) bool { + if wantExecArgs.gomplate != gomplate { return false } - - for i := range wantExecArgs { - if wantExecArgs[i].fork != gotForks[i] { + for i := range wantExecArgs.argPrefixes { + if !strings.HasPrefix(gotExecArgs[i], wantExecArgs.argPrefixes[i]) { return false } - for j := range wantExecArgs[i].argPrefixes { - if !strings.HasPrefix(gotExecArgs[i][j], wantExecArgs[i].argPrefixes[j]) { - return false - } - } } - return true } From 8d1b597346c81152a86a323fda8ef0e9b4f02f5b Mon Sep 17 00:00:00 2001 From: Joshua Winters Date: Tue, 10 Apr 2018 09:47:59 -0400 Subject: [PATCH 03/27] Add new connector for Cloudfoundry - Verifies user is part of orgs and spaces for group claims 
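Review bot: `execArgsMatch` indexes `gotExecArgs[i]` for every wanted prefix without comparing lengths, so a run that execs with fewer arguments panics with an index-out-of-range instead of failing the test, and one that passes extra arguments still matches. Adding `if len(gotExecArgs) != len(wantExecArgs.argPrefixes) { return false }` before the loop closes both gaps. `fakeGomplate` also discards its `file` argument, so the suite no longer checks which template path is handed to gomplate; recording it and asserting on it would restore the coverage the removed `gomplate -f … -o …` expectations gave.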
Signed-off-by: Joshua Winters Co-authored-by: Shash Reddy --- connector/cf/cf.go | 303 ++++++++++++++++++++++++++++++++++++++++ connector/cf/cf_test.go | 191 +++++++++++++++++++++++++ server/server.go | 2 + 3 files changed, 496 insertions(+) create mode 100644 connector/cf/cf.go create mode 100644 connector/cf/cf_test.go diff --git a/connector/cf/cf.go b/connector/cf/cf.go new file mode 100644 index 0000000000..2e4d2243e0 --- /dev/null +++ b/connector/cf/cf.go 
@@ -0,0 +1,303 @@ +package cf + +import ( + "context" + "crypto/tls" + "crypto/x509" + "encoding/json" + "errors" + "fmt" + "io/ioutil" + "net" + "net/http" + "strings" + "time" + + "github.com/dexidp/dex/connector" + "github.com/dexidp/dex/pkg/log" + "golang.org/x/oauth2" +) + +type cfConnector struct { + clientID string + clientSecret string + redirectURI string + apiURL string + tokenURL string + authorizationURL string + userInfoURL string + httpClient *http.Client + logger log.Logger +} + +type connectorData struct { + AccessToken string +} + +type Config struct { + ClientID string `json:"clientID"` + ClientSecret string `json:"clientSecret"` + RedirectURI string `json:"redirectURI"` + APIURL string `json:"apiURL"` + RootCAs []string `json:"rootCAs"` + InsecureSkipVerify bool `json:"insecureSkipVerify"` +} + +type CCResponse struct { + Resources []Resource `json:"resources"` + TotalResults int `json:"total_results"` +} + +type Resource struct { + Metadata Metadata `json:"metadata"` + Entity Entity `json:"entity"` +} + +type Metadata struct { + Guid string `json:"guid"` +} + +type Entity struct { + Name string `json:"name"` + OrganizationGuid string `json:"organization_guid"` +} + +func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error) { + var err error + + cfConn := &cfConnector{ + clientID: c.ClientID, + clientSecret: c.ClientSecret, + apiURL: c.APIURL, + redirectURI: c.RedirectURI, + logger: logger, + } + + cfConn.httpClient, err = newHTTPClient(c.RootCAs, c.InsecureSkipVerify) + if err != nil { + return nil, err + } + + apiURL := strings.TrimRight(c.APIURL, "/") + apiResp, err := cfConn.httpClient.Get(fmt.Sprintf("%s/v2/info", apiURL)) + + if err != nil { + logger.Errorf("failed-to-send-request-to-cloud-controller-api", err) + return nil, err + } + + defer apiResp.Body.Close() + + if apiResp.StatusCode != http.StatusOK { + err = errors.New(fmt.Sprintf("request failed with status %d", apiResp.StatusCode)) + 
logger.Errorf("failed-get-info-response-from-api", err) + return nil, err + } + + var apiResult map[string]interface{} + json.NewDecoder(apiResp.Body).Decode(&apiResult) + + uaaURL := strings.TrimRight(apiResult["token_endpoint"].(string), "/") + uaaResp, err := cfConn.httpClient.Get(fmt.Sprintf("%s/.well-known/openid-configuration", uaaURL)) + + if err != nil { + logger.Errorf("failed-to-send-request-to-uaa-api", err) + return nil, err + } + + if apiResp.StatusCode != http.StatusOK { + err = errors.New(fmt.Sprintf("request failed with status %d", apiResp.StatusCode)) + logger.Errorf("failed-to-get-well-known-config-repsonse-from-api", err) + return nil, err + } + + defer uaaResp.Body.Close() + + var uaaResult map[string]interface{} + err = json.NewDecoder(uaaResp.Body).Decode(&uaaResult) + + if err != nil { + logger.Errorf("failed-to-decode-response-from-uaa-api", err) + return nil, err + } + + cfConn.tokenURL, _ = uaaResult["token_endpoint"].(string) + cfConn.authorizationURL, _ = uaaResult["authorization_endpoint"].(string) + cfConn.userInfoURL, _ = uaaResult["userinfo_endpoint"].(string) + + return cfConn, err +} + +func newHTTPClient(rootCAs []string, insecureSkipVerify bool) (*http.Client, error) { + pool, err := x509.SystemCertPool() + if err != nil { + return nil, err + } + + tlsConfig := tls.Config{RootCAs: pool, InsecureSkipVerify: insecureSkipVerify} + for _, rootCA := range rootCAs { + rootCABytes, err := ioutil.ReadFile(rootCA) + if err != nil { + return nil, fmt.Errorf("failed to read root-ca: %v", err) + } + if !tlsConfig.RootCAs.AppendCertsFromPEM(rootCABytes) { + return nil, fmt.Errorf("no certs found in root CA file %q", rootCA) + } + } + + return &http.Client{ + Transport: &http.Transport{ + TLSClientConfig: &tlsConfig, + Proxy: http.ProxyFromEnvironment, + DialContext: (&net.Dialer{ + Timeout: 30 * time.Second, + KeepAlive: 30 * time.Second, + DualStack: true, + }).DialContext, + MaxIdleConns: 100, + IdleConnTimeout: 90 * time.Second, + 
TLSHandshakeTimeout: 10 * time.Second, + ExpectContinueTimeout: 1 * time.Second, + }, + }, nil +} + +func (c *cfConnector) LoginURL(scopes connector.Scopes, callbackURL, state string) (string, error) { + + if c.redirectURI != callbackURL { + return "", fmt.Errorf("expected callback URL %q did not match the URL in the config %q", callbackURL, c.redirectURI) + } + + oauth2Config := &oauth2.Config{ + ClientID: c.clientID, + ClientSecret: c.clientSecret, + Endpoint: oauth2.Endpoint{TokenURL: c.tokenURL, AuthURL: c.authorizationURL}, + RedirectURL: c.redirectURI, + Scopes: []string{"openid", "cloud_controller.read"}, + } + + return oauth2Config.AuthCodeURL(state), nil +} + +func (c *cfConnector) HandleCallback(s connector.Scopes, r *http.Request) (identity connector.Identity, err error) { + + q := r.URL.Query() + if errType := q.Get("error"); errType != "" { + return identity, errors.New(q.Get("error_description")) + } + + oauth2Config := &oauth2.Config{ + ClientID: c.clientID, + ClientSecret: c.clientSecret, + Endpoint: oauth2.Endpoint{TokenURL: c.tokenURL, AuthURL: c.authorizationURL}, + RedirectURL: c.redirectURI, + Scopes: []string{"openid", "cloud_controller.read"}, + } + + ctx := context.WithValue(r.Context(), oauth2.HTTPClient, c.httpClient) + + token, err := oauth2Config.Exchange(ctx, q.Get("code")) + if err != nil { + return identity, fmt.Errorf("CF connector: failed to get token: %v", err) + } + + client := oauth2.NewClient(ctx, oauth2.StaticTokenSource(token)) + + userInfoResp, err := client.Get(c.userInfoURL) + if err != nil { + return identity, fmt.Errorf("CF Connector: failed to execute request to userinfo: %v", err) + } + + if userInfoResp.StatusCode != http.StatusOK { + return identity, fmt.Errorf("CF Connector: failed to execute request to userinfo: status %d", userInfoResp.StatusCode) + } + + defer userInfoResp.Body.Close() + + var userInfoResult map[string]interface{} + err = json.NewDecoder(userInfoResp.Body).Decode(&userInfoResult) + + if err != nil 
{ + return identity, fmt.Errorf("CF Connector: failed to parse userinfo: %v", err) + } + + identity.UserID, _ = userInfoResult["user_id"].(string) + identity.Username, _ = userInfoResult["user_name"].(string) + identity.PreferredUsername, _ = userInfoResult["user_name"].(string) + identity.Email, _ = userInfoResult["email"].(string) + identity.EmailVerified, _ = userInfoResult["email_verified"].(bool) + + if s.Groups { + // fetch orgs + orgsResp, err := client.Get(fmt.Sprintf("%s/v2/users/%s/organizations", c.apiURL, identity.UserID)) + if err != nil { + return identity, fmt.Errorf("CF Connector: failed to execute request for orgs: %v", err) + } + if orgsResp.StatusCode != http.StatusOK { + return identity, fmt.Errorf("CF Connector: failed to execute request for orgs: status %d", orgsResp.StatusCode) + } + + var orgs CCResponse + + err = json.NewDecoder(orgsResp.Body).Decode(&orgs) + if err != nil { + return identity, fmt.Errorf("CF Connector: failed to parse orgs: %v", err) + } + + var orgMap = make(map[string]string) + var orgSpaces = make(map[string][]string) + + for _, resource := range orgs.Resources { + orgMap[resource.Metadata.Guid] = resource.Entity.Name + orgSpaces[resource.Entity.Name] = []string{} + } + + // fetch spaces + spacesResp, err := client.Get(fmt.Sprintf("%s/v2/users/%s/spaces", c.apiURL, identity.UserID)) + if err != nil { + return identity, fmt.Errorf("CF Connector: failed to execute request for spaces: %v", err) + } + if spacesResp.StatusCode != http.StatusOK { + return identity, fmt.Errorf("CF Connector: failed to execute request for spaces: status %d", spacesResp.StatusCode) + } + + var spaces CCResponse + + err = json.NewDecoder(spacesResp.Body).Decode(&spaces) + if err != nil { + return identity, fmt.Errorf("CF Connector: failed to parse spaces: %v", err) + } + + var groupsClaims []string + + for _, resource := range spaces.Resources { + orgName := orgMap[resource.Entity.OrganizationGuid] + orgSpaces[orgName] = append(orgSpaces[orgName], 
resource.Entity.Name) + + groupsClaims = append(groupsClaims, resource.Metadata.Guid) + } + + for orgName, spaceNames := range orgSpaces { + if len(spaceNames) > 0 { + for _, spaceName := range spaceNames { + groupsClaims = append(groupsClaims, fmt.Sprintf("%s:%s", orgName, spaceName)) + } + } else { + groupsClaims = append(groupsClaims, fmt.Sprintf("%s", orgName)) + } + } + + identity.Groups = groupsClaims + } + + if s.OfflineAccess { + data := connectorData{AccessToken: token.AccessToken} + connData, err := json.Marshal(data) + if err != nil { + return identity, fmt.Errorf("CF Connector: failed to parse connector data for offline access: %v", err) + } + identity.ConnectorData = connData + } + + return identity, nil +} diff --git a/connector/cf/cf_test.go b/connector/cf/cf_test.go new file mode 100644 index 0000000000..6680da0b16 --- /dev/null +++ b/connector/cf/cf_test.go 
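Review bot: `Open` can panic on, or silently accept, a bad discovery response: the `Decode` of `/v2/info` drops its error, `apiResult["token_endpoint"].(string)` is an unchecked assertion that panics when the field is absent or not a string, and the second status check tests `apiResp.StatusCode` again instead of `uaaResp.StatusCode`, so a non-200 reply from UAA is never rejected. Because these endpoints decide where the client secret and authorization codes are later sent, I would fail closed at each step as sketched below. The one-line switch to `authorization_endpoint` in patch 04/27 keeps the same unchecked assertion. Separately, the `InsecureSkipVerify` field on `Config` deserves a doc comment saying it disables certificate verification for every request this connector makes, including the token exchange.

```go
	var apiResult map[string]interface{}
	if err := json.NewDecoder(apiResp.Body).Decode(&apiResult); err != nil {
		return nil, fmt.Errorf("failed to decode /v2/info response: %v", err)
	}

	tokenEndpoint, ok := apiResult["token_endpoint"].(string)
	if !ok || tokenEndpoint == "" {
		return nil, errors.New("/v2/info response has no token_endpoint")
	}
	uaaURL := strings.TrimRight(tokenEndpoint, "/")
	// … unchanged: GET of the openid-configuration document and its error check …
	defer uaaResp.Body.Close()

	// Check the UAA response, not the earlier Cloud Controller one.
	if uaaResp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("openid-configuration request failed with status %d", uaaResp.StatusCode)
	}
```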
@@ -0,0 +1,191 @@ +package cf + +import ( + "encoding/json" + "errors" + "fmt" + "net/http" + "net/http/httptest" + "reflect" + "sort" + "strings" + "testing" + + "github.com/dexidp/dex/connector" + "github.com/sirupsen/logrus" +) + +func TestOpen(t *testing.T) { + testServer := testSetup() + defer testServer.Close() + + conn := newConnector(t, testServer.URL) + + expectEqual(t, conn.clientID, "test-client") + expectEqual(t, conn.clientSecret, "secret") + expectEqual(t, conn.redirectURI, testServer.URL+"/callback") +} + +func TestHandleCallback(t *testing.T) { + + testServer := testSetup() + defer testServer.Close() + + cfConn := &cfConnector{ + tokenURL: fmt.Sprintf("%s/token", testServer.URL), + authorizationURL: fmt.Sprintf("%s/authorize", testServer.URL), + userInfoURL: fmt.Sprintf("%s/userinfo", testServer.URL), + apiURL: testServer.URL, + clientSecret: "secret", + clientID: "test-client", + redirectURI: "localhost:8080/sky/dex/callback", + httpClient: http.DefaultClient, + } + + req, err := http.NewRequest("GET", testServer.URL, nil) + expectEqual(t, err, nil) + + t.Run("CallbackWithGroupsScope", func(t *testing.T) { + identity, err := cfConn.HandleCallback(connector.Scopes{Groups: true}, req) + expectEqual(t, err, nil) + + sort.Strings(identity.Groups) + expectEqual(t, len(identity.Groups), 3) + expectEqual(t, identity.Groups[0], "some-org-name-1:some-space-name") + expectEqual(t, identity.Groups[1], "some-org-name-2") + expectEqual(t, identity.Groups[2], "some-space-guid") + }) + + t.Run("CallbackWithoutGroupsScope", func(t *testing.T) { + identity, err := cfConn.HandleCallback(connector.Scopes{}, req) + + expectEqual(t, err, nil) + expectEqual(t, identity.UserID, "12345") + expectEqual(t, identity.Username, "test-user") + }) + + t.Run("CallbackWithOfflineAccessScope", func(t *testing.T) { + identity, err := cfConn.HandleCallback(connector.Scopes{OfflineAccess: true}, req) + + expectEqual(t, err, nil) + expectNotEqual(t, len(identity.ConnectorData), 0) + + 
cData := connectorData{} + err = json.Unmarshal(identity.ConnectorData, &cData) + + expectEqual(t, err, nil) + expectNotEqual(t, cData.AccessToken, "") + }) +} + +func testSetup() *httptest.Server { + mux := http.NewServeMux() + mux.HandleFunc("/token", func(w http.ResponseWriter, r *http.Request) { + token := "eyJhbGciOiJSUzI1NiIsImtpZCI6ImtleS0xIiwidHlwIjoiSldUIn0.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.FslbnwvW0WScVRNK8IWghRX0buXfl6qaI1K7z_dzjPUVrdEyMtaYa3kJI8srA-2G1PjSSEWa_3Vzs_BEnTc3iG0JQWU0XlcjdCdAFTvnmKiHSzffy1O_oGYyH47KXtnZOxHf3rdV_Xgw4XTqPrfKXQxnPemUAJyKf2tjgs3XToGaqqBw-D_2BQVY79kF0_GgksQsViqq1GW0Dur6m2CgBhtc2h1AQGO16izXl3uNbpW6ClhaW43NQXlE4wqtr7kfmxyOigHJb2MSQ3wwPc6pqYdUT6ka_TMqavqbxEJ4QcS6SoEcVsDTmEQ4c8dmWUgXM0AZjd0CaEGTB6FDHxH5sw" + w.Header().Add("Content-Type", "application/json") + json.NewEncoder(w).Encode(map[string]string{ + "access_token": token, + }) + }) + + mux.HandleFunc("/v2/info", func(w http.ResponseWriter, r *http.Request) { + url := fmt.Sprintf("http://%s", r.Host) + + json.NewEncoder(w).Encode(map[string]string{ + "token_endpoint": url, + }) + }) + + mux.HandleFunc("/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) { + url := fmt.Sprintf("http://%s", r.Host) + + json.NewEncoder(w).Encode(map[string]string{ + "token_endpoint": url, + "authorization_endpoint": url, + "userinfo_endpoint": url, + }) + }) + + mux.HandleFunc("/callback", func(w http.ResponseWriter, r *http.Request) { + }) + + mux.HandleFunc("/userinfo", func(w http.ResponseWriter, r *http.Request) { + json.NewEncoder(w).Encode(map[string]string{ + "user_id": "12345", + "user_name": "test-user", + "email": "blah-email", + }) + }) + + mux.HandleFunc("/v2/users/", func(w http.ResponseWriter, r *http.Request) { + var result map[string]interface{} + + if strings.Contains(r.URL.String(), "spaces") { + result = map[string]interface{}{ + "resources": []map[string]interface{}{ + { + "metadata": map[string]string{"guid": "some-space-guid"}, 
+ "entity": map[string]string{"name": "some-space-name", "organization_guid": "some-org-guid-1"}, + }, + }, + } + } + + if strings.Contains(r.URL.String(), "organizations") { + result = map[string]interface{}{ + "resources": []map[string]interface{}{ + { + "metadata": map[string]string{"guid": "some-org-guid-1"}, + "entity": map[string]string{"name": "some-org-name-1"}, + }, + { + "metadata": map[string]string{"guid": "some-org-guid-2"}, + "entity": map[string]string{"name": "some-org-name-2"}, + }, + }, + } + } + json.NewEncoder(w).Encode(result) + }) + + return httptest.NewServer(mux) +} + +func newConnector(t *testing.T, serverURL string) *cfConnector { + + callBackURL := fmt.Sprintf("%s/callback", serverURL) + + testConfig := Config{ + APIURL: serverURL, + ClientID: "test-client", + ClientSecret: "secret", + RedirectURI: callBackURL, + InsecureSkipVerify: true, + } + + log := logrus.New() + + conn, err := testConfig.Open("id", log) + if err != nil { + t.Fatal(err) + } + + cfConn, ok := conn.(*cfConnector) + if !ok { + t.Fatal(errors.New("it is not a cf conn")) + } + + return cfConn +} + +func expectEqual(t *testing.T, a interface{}, b interface{}) { + if !reflect.DeepEqual(a, b) { + t.Fatalf("Expected %+v to equal %+v", a, b) + } +} + +func expectNotEqual(t *testing.T, a interface{}, b interface{}) { + if reflect.DeepEqual(a, b) { + t.Fatalf("Expected %+v to NOT equal %+v", a, b) + } +} diff --git a/server/server.go b/server/server.go index 1cf71c5038..1c3f336c4f 100644 --- a/server/server.go +++ b/server/server.go @@ -33,6 +33,7 @@ import ( "github.com/dexidp/dex/connector/atlassiancrowd" "github.com/dexidp/dex/connector/authproxy" "github.com/dexidp/dex/connector/bitbucketcloud" + "github.com/dexidp/dex/connector/cf" "github.com/dexidp/dex/connector/gitea" "github.com/dexidp/dex/connector/github" "github.com/dexidp/dex/connector/gitlab" 
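Review bot: The suite only drives the happy path, so none of the failure branches in `Open` and `HandleCallback` is exercised: a non-200 from `/v2/info`, `/userinfo` or `/v2/users/…`, a discovery document missing its endpoint fields, or an `error` query parameter on the callback. A table of `httptest` handlers returning those responses would pin that the connector returns an error rather than an identity. `newConnector` also sets `InsecureSkipVerify: true` although `httptest.NewServer` serves plain HTTP; dropping it keeps the insecure setting out of code that tends to get copied.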
@@ -640,6 +641,7 @@ var ConnectorsConfig = map[string]func() ConnectorConfig{ "bitbucket-cloud": func() ConnectorConfig { return new(bitbucketcloud.Config) }, "openshift": func() ConnectorConfig { return new(openshift.Config) }, "atlassian-crowd": func() ConnectorConfig { return new(atlassiancrowd.Config) }, + "cf": func() ConnectorConfig { return new(cf.Config) }, // Keep around for backwards compatibility. "samlExperimental": func() ConnectorConfig { return new(saml.Config) }, } From c8d34e0354c3019fab16496ede1d7d62f2e4233a Mon Sep 17 00:00:00 2001 From: Josh Winters Date: Thu, 4 Oct 2018 15:07:26 -0400 Subject: [PATCH 04/27] update cf connector to use 'authorization_endpoint' from /v2/info Co-authored-by: Topher Bullock Signed-off-by: Josh Winters --- connector/cf/cf.go | 2 +- connector/cf/cf_test.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/connector/cf/cf.go b/connector/cf/cf.go index 2e4d2243e0..4452e2f99e 100644 --- a/connector/cf/cf.go +++ b/connector/cf/cf.go @@ -97,7 +97,7 @@ func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error) var apiResult map[string]interface{} json.NewDecoder(apiResp.Body).Decode(&apiResult) - uaaURL := strings.TrimRight(apiResult["token_endpoint"].(string), "/") + uaaURL := strings.TrimRight(apiResult["authorization_endpoint"].(string), "/") uaaResp, err := cfConn.httpClient.Get(fmt.Sprintf("%s/.well-known/openid-configuration", uaaURL)) if err != nil { diff --git a/connector/cf/cf_test.go b/connector/cf/cf_test.go index 6680da0b16..bd1026bd6a 100644 --- a/connector/cf/cf_test.go +++ b/connector/cf/cf_test.go @@ -92,7 +92,7 @@ func testSetup() *httptest.Server { url := fmt.Sprintf("http://%s", r.Host) json.NewEncoder(w).Encode(map[string]string{ - "token_endpoint": url, + "authorization_endpoint": url, }) }) From 9f80f919b7724b28b4a6f0bc4d907581cba2bbbd Mon Sep 17 00:00:00 2001 
From: Daniel Lavoie Date: Thu, 4 Apr 2019 18:26:59 -0400 Subject: [PATCH 05/27] Added support for CF resources pagination Signed-off-by: Daniel Lavoie --- connector/cf/cf.go | 81 ++++++++++++++++++++++++----------------- connector/cf/cf_test.go | 70 +++++++++++++++++++++++++---------- 2 files changed, 99 insertions(+), 52 deletions(-) diff --git a/connector/cf/cf.go b/connector/cf/cf.go index 4452e2f99e..db185307d7 100644 --- a/connector/cf/cf.go +++ b/connector/cf/cf.go @@ -44,6 +44,7 @@ type Config struct { } type CCResponse struct { + NextUrl string `json:"next_url"` Resources []Resource `json:"resources"` TotalResults int `json:"total_results"` } 
@@ -227,54 +228,68 @@ func (c *cfConnector) HandleCallback(s connector.Scopes, r *http.Request) (ident identity.Email, _ = userInfoResult["email"].(string) identity.EmailVerified, _ = userInfoResult["email_verified"].(bool) + var orgMap = make(map[string]string) + var orgSpaces = make(map[string][]string) + var groupsClaims []string + if s.Groups { // fetch orgs - orgsResp, err := client.Get(fmt.Sprintf("%s/v2/users/%s/organizations", c.apiURL, identity.UserID)) - if err != nil { - return identity, fmt.Errorf("CF Connector: failed to execute request for orgs: %v", err) - } - if orgsResp.StatusCode != http.StatusOK { - return identity, fmt.Errorf("CF Connector: failed to execute request for orgs: status %d", orgsResp.StatusCode) - } var orgs CCResponse + var nextUrl = fmt.Sprintf("%s/v2/users/%s/organizations", c.apiURL, identity.UserID) + for moreResults := true; moreResults; moreResults = orgs.NextUrl != "" { + orgsResp, err := client.Get(nextUrl) + if err != nil { + return identity, fmt.Errorf("CF Connector: failed to execute request for orgs: %v", err) + } + if orgsResp.StatusCode != http.StatusOK { + return identity, fmt.Errorf("CF Connector: failed to execute request for orgs: status %d", orgsResp.StatusCode) + } - err = json.NewDecoder(orgsResp.Body).Decode(&orgs) - if err != nil { - return identity, fmt.Errorf("CF Connector: failed to parse orgs: %v", err) - } + orgs = CCResponse{} + err = json.NewDecoder(orgsResp.Body).Decode(&orgs) + if err != nil { + return identity, fmt.Errorf("CF Connector: failed to parse orgs: %v", err) + } - var orgMap = make(map[string]string) - var orgSpaces = make(map[string][]string) + for _, resource := range orgs.Resources { + orgMap[resource.Metadata.Guid] = resource.Entity.Name + orgSpaces[resource.Entity.Name] = []string{} + } - for _, resource := range orgs.Resources { - orgMap[resource.Metadata.Guid] = resource.Entity.Name - orgSpaces[resource.Entity.Name] = []string{} + if orgs.NextUrl != "" { + nextUrl = 
fmt.Sprintf("%s%s", c.apiURL, orgs.NextUrl) + } } // fetch spaces - spacesResp, err := client.Get(fmt.Sprintf("%s/v2/users/%s/spaces", c.apiURL, identity.UserID)) - if err != nil { - return identity, fmt.Errorf("CF Connector: failed to execute request for spaces: %v", err) - } - if spacesResp.StatusCode != http.StatusOK { - return identity, fmt.Errorf("CF Connector: failed to execute request for spaces: status %d", spacesResp.StatusCode) - } - var spaces CCResponse + nextUrl = fmt.Sprintf("%s/v2/users/%s/spaces", c.apiURL, identity.UserID) + for moreResults := true; moreResults; moreResults = spaces.NextUrl != "" { + spacesResp, err := client.Get(nextUrl) + if err != nil { + return identity, fmt.Errorf("CF Connector: failed to execute request for spaces: %v", err) + } + if spacesResp.StatusCode != http.StatusOK { + return identity, fmt.Errorf("CF Connector: failed to execute request for spaces: status %d", spacesResp.StatusCode) + } - err = json.NewDecoder(spacesResp.Body).Decode(&spaces) - if err != nil { - return identity, fmt.Errorf("CF Connector: failed to parse spaces: %v", err) - } + spaces = CCResponse{} + err = json.NewDecoder(spacesResp.Body).Decode(&spaces) + if err != nil { + return identity, fmt.Errorf("CF Connector: failed to parse spaces: %v", err) + } - var groupsClaims []string + for _, resource := range spaces.Resources { + orgName := orgMap[resource.Entity.OrganizationGuid] + orgSpaces[orgName] = append(orgSpaces[orgName], resource.Entity.Name) - for _, resource := range spaces.Resources { - orgName := orgMap[resource.Entity.OrganizationGuid] - orgSpaces[orgName] = append(orgSpaces[orgName], resource.Entity.Name) + groupsClaims = append(groupsClaims, resource.Metadata.Guid) + } - groupsClaims = append(groupsClaims, resource.Metadata.Guid) + if spaces.NextUrl != "" { + nextUrl = fmt.Sprintf("%s%s", c.apiURL, spaces.NextUrl) + } } for orgName, spaceNames := range orgSpaces { 
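Review bot: Inside both pagination loops the response body is never closed, so each page leaks a connection; since a `defer` would only run when the function returns, close explicitly, e.g. `orgsResp.Body.Close()` right after the `Decode` call and before the early return on a bad status. The loop also follows `next_url` for as long as the server keeps returning one and builds the request with `fmt.Sprintf("%s%s", c.apiURL, orgs.NextUrl)`. The client attaches the user's bearer token, so I would require `strings.HasPrefix(orgs.NextUrl, "/")` and cap the number of pages, so that a repeating or malformed `next_url` cannot stall the login or send the token to an unintended host. The same applies to the spaces loop. The enclosing `HandleCallback` starts and ends outside this hunk.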
diff --git a/connector/cf/cf_test.go b/connector/cf/cf_test.go index bd1026bd6a..138dff22db 100644 --- a/connector/cf/cf_test.go +++ b/connector/cf/cf_test.go @@ -50,10 +50,13 @@ func TestHandleCallback(t *testing.T) { expectEqual(t, err, nil) sort.Strings(identity.Groups) - expectEqual(t, len(identity.Groups), 3) - expectEqual(t, identity.Groups[0], "some-org-name-1:some-space-name") - expectEqual(t, identity.Groups[1], "some-org-name-2") - expectEqual(t, identity.Groups[2], "some-space-guid") + expectEqual(t, len(identity.Groups), 6) + expectEqual(t, identity.Groups[0], "some-org-name-1:some-space-name-1") + expectEqual(t, identity.Groups[1], "some-org-name-2:some-space-name-2") + expectEqual(t, identity.Groups[2], "some-org-name-3") + expectEqual(t, identity.Groups[3], "some-org-name-4") + expectEqual(t, identity.Groups[4], "some-space-guid-1") + expectEqual(t, identity.Groups[5], "some-space-guid-2") }) t.Run("CallbackWithoutGroupsScope", func(t *testing.T) { 
@@ -121,30 +124,59 @@ func testSetup() *httptest.Server { var result map[string]interface{} if strings.Contains(r.URL.String(), "spaces") { - result = map[string]interface{}{ - "resources": []map[string]interface{}{ - { - "metadata": map[string]string{"guid": "some-space-guid"}, - "entity": map[string]string{"name": "some-space-name", "organization_guid": "some-org-guid-1"}, + if strings.Contains(r.URL.String(), "spaces?order-direction=asc&page=2&results-per-page=50") { + result = map[string]interface{}{ + "resources": []map[string]interface{}{ + { + "metadata": map[string]string{"guid": "some-space-guid-2"}, + "entity": map[string]string{"name": "some-space-name-2", "organization_guid": "some-org-guid-2"}, + }, }, - }, + } + } else { + result = map[string]interface{}{ + "next_url": "/v2/users/12345/spaces?order-direction=asc&page=2&results-per-page=50", + "resources": []map[string]interface{}{ + { + "metadata": map[string]string{"guid": "some-space-guid-1"}, + "entity": map[string]string{"name": "some-space-name-1", "organization_guid": "some-org-guid-1"}, + }, + }, + } } } if strings.Contains(r.URL.String(), "organizations") { - result = map[string]interface{}{ - "resources": []map[string]interface{}{ - { - "metadata": map[string]string{"guid": "some-org-guid-1"}, - "entity": map[string]string{"name": "some-org-name-1"}, + if strings.Contains(r.URL.String(), "organizations?order-direction=asc&page=2&results-per-page=50") { + result = map[string]interface{}{ + "resources": []map[string]interface{}{ + { + "metadata": map[string]string{"guid": "some-org-guid-3"}, + "entity": map[string]string{"name": "some-org-name-3"}, + }, + { + "metadata": map[string]string{"guid": "some-org-guid-4"}, + "entity": map[string]string{"name": "some-org-name-4"}, + }, }, - { - "metadata": map[string]string{"guid": "some-org-guid-2"}, - "entity": map[string]string{"name": "some-org-name-2"}, + } + } else { + result = map[string]interface{}{ + "next_url": 
"/v2/users/12345/organizations?order-direction=asc&page=2&results-per-page=50", + "resources": []map[string]interface{}{ + { + "metadata": map[string]string{"guid": "some-org-guid-1"}, + "entity": map[string]string{"name": "some-org-name-1"}, + }, + { + "metadata": map[string]string{"guid": "some-org-guid-2"}, + "entity": map[string]string{"name": "some-org-name-2"}, + }, }, - }, + } } } + json.NewEncoder(w).Encode(result) }) From 61d07a36292b7759ab6ef03bca3b023df071f317 Mon Sep 17 00:00:00 2001 From: Joshua Winters Date: Thu, 7 Nov 2019 12:36:10 -0500 Subject: [PATCH 06/27] cf: add org to groups claims Signed-off-by: Joshua Winters Co-authored-by: Rui Yang --- connector/cf/cf.go | 9 +++------ connector/cf/cf_test.go | 16 +++++++++------- 2 files changed, 12 insertions(+), 13 deletions(-) diff --git a/connector/cf/cf.go b/connector/cf/cf.go index db185307d7..0dd76fb821 100644 --- a/connector/cf/cf.go +++ b/connector/cf/cf.go @@ -293,12 +293,9 @@ func (c *cfConnector) HandleCallback(s connector.Scopes, r *http.Request) (ident } for orgName, spaceNames := range orgSpaces { - if len(spaceNames) > 0 { - for _, spaceName := range spaceNames { - groupsClaims = append(groupsClaims, fmt.Sprintf("%s:%s", orgName, spaceName)) - } - } else { - groupsClaims = append(groupsClaims, fmt.Sprintf("%s", orgName)) + groupsClaims = append(groupsClaims, fmt.Sprintf("%s", orgName)) + for _, spaceName := range spaceNames { + groupsClaims = append(groupsClaims, fmt.Sprintf("%s:%s", orgName, spaceName)) } } diff --git a/connector/cf/cf_test.go b/connector/cf/cf_test.go index 138dff22db..b5b581954e 100644 --- a/connector/cf/cf_test.go +++ b/connector/cf/cf_test.go 
@@ -50,13 +50,15 @@ func TestHandleCallback(t *testing.T) { expectEqual(t, err, nil) sort.Strings(identity.Groups) - expectEqual(t, len(identity.Groups), 6) - expectEqual(t, identity.Groups[0], "some-org-name-1:some-space-name-1") - expectEqual(t, identity.Groups[1], "some-org-name-2:some-space-name-2") - expectEqual(t, identity.Groups[2], "some-org-name-3") - expectEqual(t, identity.Groups[3], "some-org-name-4") - expectEqual(t, identity.Groups[4], "some-space-guid-1") - expectEqual(t, identity.Groups[5], "some-space-guid-2") + expectEqual(t, len(identity.Groups), 8) + expectEqual(t, identity.Groups[0], "some-org-name-1") + expectEqual(t, identity.Groups[1], "some-org-name-1:some-space-name-1") + expectEqual(t, identity.Groups[2], "some-org-name-2") + expectEqual(t, identity.Groups[3], "some-org-name-2:some-space-name-2") + expectEqual(t, identity.Groups[4], "some-org-name-3") + expectEqual(t, identity.Groups[5], "some-org-name-4") + expectEqual(t, identity.Groups[6], "some-space-guid-1") + expectEqual(t, identity.Groups[7], "some-space-guid-2") }) t.Run("CallbackWithoutGroupsScope", func(t *testing.T) { From a5ed574e6b83f7fbaf1eb8c4eb029ed9a34fcba8 Mon Sep 17 00:00:00 2001 From: Joshua Winters Date: Mon, 18 Nov 2019 16:38:33 -0500 Subject: [PATCH 07/27] cf: add org guid to groups claims Co-authored-by: Rui Yang Signed-off-by: Joshua Winters --- connector/cf/cf.go | 12 +++++++++--- connector/cf/cf_test.go | 24 +++++++++++++----------- 2 files changed, 22 insertions(+), 14 deletions(-) diff --git a/connector/cf/cf.go b/connector/cf/cf.go index 0dd76fb821..d677a33fb3 100644 --- a/connector/cf/cf.go +++ b/connector/cf/cf.go @@ -10,6 +10,7 @@ import ( "io/ioutil" "net" "net/http" + "sort" "strings" "time" 
@@ -255,6 +256,9 @@ func (c *cfConnector) HandleCallback(s connector.Scopes, r *http.Request) (ident for _, resource := range orgs.Resources { orgMap[resource.Metadata.Guid] = resource.Entity.Name orgSpaces[resource.Entity.Name] = []string{} + + groupsClaims = append(groupsClaims, resource.Metadata.Guid) + groupsClaims = append(groupsClaims, resource.Entity.Name) } if orgs.NextUrl != "" { @@ -292,14 +296,16 @@ func (c *cfConnector) HandleCallback(s connector.Scopes, r *http.Request) (ident } } + var orgSpaceClaims []string for orgName, spaceNames := range orgSpaces { - groupsClaims = append(groupsClaims, fmt.Sprintf("%s", orgName)) for _, spaceName := range spaceNames { - groupsClaims = append(groupsClaims, fmt.Sprintf("%s:%s", orgName, spaceName)) + orgSpaceClaims = append(orgSpaceClaims, fmt.Sprintf("%s:%s", orgName, spaceName)) } } - identity.Groups = groupsClaims + sort.Strings(orgSpaceClaims) + + identity.Groups = append(groupsClaims, orgSpaceClaims...) } if s.OfflineAccess { diff --git a/connector/cf/cf_test.go b/connector/cf/cf_test.go index b5b581954e..67850d2eb2 100644 --- a/connector/cf/cf_test.go +++ b/connector/cf/cf_test.go @@ -7,7 +7,6 @@ import ( "net/http" "net/http/httptest" "reflect" - "sort" "strings" "testing" 
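Review bot: The two appends added in the `orgs.Resources` loop put the org GUID and the org name into the same flat `groupsClaims` list with nothing to tell them apart, so a consumer of the token cannot distinguish a GUID from a name that happens to look like one. Org names are, as far as I know, labels that can be renamed, while the GUID is the stable identifier. I would document that at the append site, for example `// GUID is the stable identifier; the name is a display label and should not be the sole basis for an authorization rule.` The body of HandleCallback starts and ends outside this hunk.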
@@ -49,16 +48,19 @@ func TestHandleCallback(t *testing.T) { identity, err := cfConn.HandleCallback(connector.Scopes{Groups: true}, req) expectEqual(t, err, nil) - sort.Strings(identity.Groups) - expectEqual(t, len(identity.Groups), 8) - expectEqual(t, identity.Groups[0], "some-org-name-1") - expectEqual(t, identity.Groups[1], "some-org-name-1:some-space-name-1") - expectEqual(t, identity.Groups[2], "some-org-name-2") - expectEqual(t, identity.Groups[3], "some-org-name-2:some-space-name-2") - expectEqual(t, identity.Groups[4], "some-org-name-3") - expectEqual(t, identity.Groups[5], "some-org-name-4") - expectEqual(t, identity.Groups[6], "some-space-guid-1") - expectEqual(t, identity.Groups[7], "some-space-guid-2") + expectEqual(t, len(identity.Groups), 12) + expectEqual(t, identity.Groups[0], "some-org-guid-1") + expectEqual(t, identity.Groups[1], "some-org-name-1") + expectEqual(t, identity.Groups[2], "some-org-guid-2") + expectEqual(t, identity.Groups[3], "some-org-name-2") + expectEqual(t, identity.Groups[4], "some-org-guid-3") + expectEqual(t, identity.Groups[5], "some-org-name-3") + expectEqual(t, identity.Groups[6], "some-org-guid-4") + expectEqual(t, identity.Groups[7], "some-org-name-4") + expectEqual(t, identity.Groups[8], "some-space-guid-1") + expectEqual(t, identity.Groups[9], "some-space-guid-2") + expectEqual(t, identity.Groups[10], "some-org-name-1:some-space-name-1") + expectEqual(t, identity.Groups[11], "some-org-name-2:some-space-name-2") }) t.Run("CallbackWithoutGroupsScope", func(t *testing.T) { From 934f55a505b78969562e0cd335cf6f53c55292f7 Mon Sep 17 00:00:00 2001 From: Zoe Tian Date: Mon, 7 Oct 2019 17:16:00 -0400 Subject: [PATCH 08/27] add unit test and api call to `audited_spaces` and `managed_spaces` Signed-off-by: Zoe Tian Co-authored-by: Ciro S. Costa 
Signed-off-by: w3tian --- connector/cf/cf.go | 210 +++++++++++++++++++++++++++------------- connector/cf/cf_test.go | 143 +++++++++++++++------------ 2 files changed, 224 insertions(+), 129 deletions(-) diff --git a/connector/cf/cf.go b/connector/cf/cf.go index d677a33fb3..6b33ebe1ba 100644 --- a/connector/cf/cf.go +++ b/connector/cf/cf.go @@ -64,6 +64,17 @@ type Entity struct { OrganizationGuid string `json:"organization_guid"` } +type Space struct { + Name string + Guid string + OrgGuid string +} + +type Org struct { + Name string + Guid string +} + func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error) { var err error 
@@ -181,6 +192,115 @@ func (c *cfConnector) LoginURL(scopes connector.Scopes, callbackURL, state strin return oauth2Config.AuthCodeURL(state), nil } +func fetchRoleSpaces(baseUrl, path string, client *http.Client) ([]Space, error) { + var spaces []Space + + resources, err := fetchResources(baseUrl, path, client) + if err != nil { + return nil, fmt.Errorf("failed to fetch resources: %v", err) + } + + for _, resource := range resources { + spaces = append(spaces, Space{ + Name: resource.Entity.Name, + Guid: resource.Metadata.Guid, + OrgGuid: resource.Entity.OrganizationGuid, + }) + } + + return spaces, nil +} + +func fetchOrgs(baseUrl, path string, client *http.Client) ([]Org, error) { + var orgs []Org + + resources, err := fetchResources(baseUrl, path, client) + if err != nil { + return nil, fmt.Errorf("failed to fetch resources: %v", err) + } + + for _, resource := range resources { + orgs = append(orgs, Org{ + Name: resource.Entity.Name, + Guid: resource.Metadata.Guid, + }) + } + + return orgs, nil +} + +func fetchResources(baseUrl, path string, client *http.Client) ([]Resource, error) { + var ( + resources []Resource + url string + ) + + for { + url = fmt.Sprintf("%s%s", baseUrl, path) + + resp, err := client.Get(url) + if err != nil { + return nil, fmt.Errorf("failed to execute request: %v", err) + } + + if resp.StatusCode != http.StatusOK { + return nil, fmt.Errorf("unsuccessful status code %d", resp.StatusCode) + } + + response := CCResponse{} + err = json.NewDecoder(resp.Body).Decode(&response) + if err != nil { + return nil, fmt.Errorf("failed to parse spaces: %v", err) + } + + resources = append(resources, response.Resources...) 
+ + path = response.NextUrl + if path == "" { + break + } + } + + return resources, nil +} + +func getGroupsClaims(orgs []Org, spaces []Space) []string { + + var ( + orgMap = map[string]string{} + orgSpaces = map[string][]string{} + groupsClaims = map[string]bool{} + ) + + for _, org := range orgs { + orgMap[org.Guid] = org.Name + orgSpaces[org.Name] = []string{} + groupsClaims[org.Guid] = true + groupsClaims[org.Name] = true + } + + for _, space := range spaces { + orgName := orgMap[space.OrgGuid] + orgSpaces[orgName] = append(orgSpaces[orgName], space.Name) + groupsClaims[space.Guid] = true + } + + for orgName, spaceNames := range orgSpaces { + for _, spaceName := range spaceNames { + groupsClaims[fmt.Sprintf("%s:%s", orgName, spaceName)] = true + } + } + + var groups []string + for k, _ := range groupsClaims { + groups = append(groups, k) + } + + sort.Strings(groups) + + return groups +} + func (c *cfConnector) HandleCallback(s connector.Scopes, r *http.Request) (identity connector.Identity, err error) { q := r.URL.Query() 
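Review bot: In `fetchResources` the `next_url` field of the response is concatenated onto `baseUrl` and requested again with no check on its shape and no limit on the number of pages. If `client` is the token-bearing OAuth2 client, which is what the call sites suggest, a malformed or unexpected `next_url` decides where the bearer token is sent, and a response that always carries a `next_url` keeps the login request looping. I would accept only a path that begins with a single `/` and cap the page count, as sketched below. The response body is also never closed in this version, and the decode error says "failed to parse spaces" although the helper also serves organizations.

```go
const maxPages = 100 // illustrative bound; choose a value that fits the deployment

for page := 0; ; page++ {
	if page >= maxPages {
		return nil, fmt.Errorf("pagination exceeded %d pages", maxPages)
	}
	// next_url is server-supplied: accept only a path on the configured API host
	if !strings.HasPrefix(path, "/") || strings.HasPrefix(path, "//") {
		return nil, fmt.Errorf("unexpected pagination path %q", path)
	}
	url = fmt.Sprintf("%s%s", baseUrl, path)
	// … unchanged: client.Get, status check, JSON decode, append to resources …
	path = response.NextUrl
	if path == "" {
		break
	}
}
```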
@@ -229,83 +349,37 @@ func (c *cfConnector) HandleCallback(s connector.Scopes, r *http.Request) (ident identity.Email, _ = userInfoResult["email"].(string) identity.EmailVerified, _ = userInfoResult["email_verified"].(bool) - var orgMap = make(map[string]string) - var orgSpaces = make(map[string][]string) - var groupsClaims []string + var ( + devPath = fmt.Sprintf("/v2/users/%s/spaces", identity.UserID) + auditorPath = fmt.Sprintf("/v2/users/%s/audited_spaces", identity.UserID) + managerPath = fmt.Sprintf("/v2/users/%s/managed_spaces", identity.UserID) + orgsPath = fmt.Sprintf("/v2/users/%s/organizations", identity.UserID) + ) if s.Groups { - // fetch orgs - - var orgs CCResponse - var nextUrl = fmt.Sprintf("%s/v2/users/%s/organizations", c.apiURL, identity.UserID) - for moreResults := true; moreResults; moreResults = orgs.NextUrl != "" { - orgsResp, err := client.Get(nextUrl) - if err != nil { - return identity, fmt.Errorf("CF Connector: failed to execute request for orgs: %v", err) - } - if orgsResp.StatusCode != http.StatusOK { - return identity, fmt.Errorf("CF Connector: failed to execute request for orgs: status %d", orgsResp.StatusCode) - } - - orgs = CCResponse{} - err = json.NewDecoder(orgsResp.Body).Decode(&orgs) - if err != nil { - return identity, fmt.Errorf("CF Connector: failed to parse orgs: %v", err) - } - - for _, resource := range orgs.Resources { - orgMap[resource.Metadata.Guid] = resource.Entity.Name - orgSpaces[resource.Entity.Name] = []string{} - - groupsClaims = append(groupsClaims, resource.Metadata.Guid) - groupsClaims = append(groupsClaims, resource.Entity.Name) - } - - if orgs.NextUrl != "" { - nextUrl = fmt.Sprintf("%s%s", c.apiURL, orgs.NextUrl) - } + orgs, err := fetchOrgs(c.apiURL, orgsPath, client) + if err != nil { + return identity, fmt.Errorf("failed to fetch organizaitons: %v", err) } - // fetch spaces - var spaces CCResponse - nextUrl = fmt.Sprintf("%s/v2/users/%s/spaces", c.apiURL, identity.UserID) - for moreResults := true; 
moreResults; moreResults = spaces.NextUrl != "" { - spacesResp, err := client.Get(nextUrl) - if err != nil { - return identity, fmt.Errorf("CF Connector: failed to execute request for spaces: %v", err) - } - if spacesResp.StatusCode != http.StatusOK { - return identity, fmt.Errorf("CF Connector: failed to execute request for spaces: status %d", spacesResp.StatusCode) - } - - spaces = CCResponse{} - err = json.NewDecoder(spacesResp.Body).Decode(&spaces) - if err != nil { - return identity, fmt.Errorf("CF Connector: failed to parse spaces: %v", err) - } - - for _, resource := range spaces.Resources { - orgName := orgMap[resource.Entity.OrganizationGuid] - orgSpaces[orgName] = append(orgSpaces[orgName], resource.Entity.Name) - - groupsClaims = append(groupsClaims, resource.Metadata.Guid) - } - - if spaces.NextUrl != "" { - nextUrl = fmt.Sprintf("%s%s", c.apiURL, spaces.NextUrl) - } + developerSpaces, err := fetchRoleSpaces(c.apiURL, devPath, client) + if err != nil { + return identity, fmt.Errorf("failed to fetch spaces for developer roles: %v", err) } - var orgSpaceClaims []string - for orgName, spaceNames := range orgSpaces { - for _, spaceName := range spaceNames { - orgSpaceClaims = append(orgSpaceClaims, fmt.Sprintf("%s:%s", orgName, spaceName)) - } + auditorSpaces, err := fetchRoleSpaces(c.apiURL, auditorPath, client) + if err != nil { + return identity, fmt.Errorf("failed to fetch spaces for developer roles: %v", err) + } + + managerSpaces, err := fetchRoleSpaces(c.apiURL, managerPath, client) + if err != nil { + return identity, fmt.Errorf("failed to fetch spaces for developer roles: %v", err) } - sort.Strings(orgSpaceClaims) + spaces := append(developerSpaces, append(auditorSpaces, managerSpaces...)...) - identity.Groups = append(groupsClaims, orgSpaceClaims...) + identity.Groups = getGroupsClaims(orgs, spaces) } if s.OfflineAccess { diff --git a/connector/cf/cf_test.go b/connector/cf/cf_test.go index 67850d2eb2..40daa7c758 100644 
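Review bot: The error returns for the `auditorPath` and `managerPath` fetches both reuse the text "failed to fetch spaces for developer roles", so a failed login cannot be traced to the endpoint that actually failed. The org fetch error also misspells "organizaitons". I would make each message name its own role, e.g. `return identity, fmt.Errorf("failed to fetch spaces for auditor roles: %v", err)` and the same with `manager`. The later hunk `@@ -362,17 +365,17 @@` touches these calls and leaves the same messages in place. The body of HandleCallback starts and ends outside this hunk.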
--- a/connector/cf/cf_test.go +++ b/connector/cf/cf_test.go @@ -50,17 +50,17 @@ func TestHandleCallback(t *testing.T) { expectEqual(t, len(identity.Groups), 12) expectEqual(t, identity.Groups[0], "some-org-guid-1") - expectEqual(t, identity.Groups[1], "some-org-name-1") - expectEqual(t, identity.Groups[2], "some-org-guid-2") - expectEqual(t, identity.Groups[3], "some-org-name-2") - expectEqual(t, identity.Groups[4], "some-org-guid-3") - expectEqual(t, identity.Groups[5], "some-org-name-3") - expectEqual(t, identity.Groups[6], "some-org-guid-4") - expectEqual(t, identity.Groups[7], "some-org-name-4") - expectEqual(t, identity.Groups[8], "some-space-guid-1") - expectEqual(t, identity.Groups[9], "some-space-guid-2") - expectEqual(t, identity.Groups[10], "some-org-name-1:some-space-name-1") - expectEqual(t, identity.Groups[11], "some-org-name-2:some-space-name-2") + expectEqual(t, identity.Groups[1], "some-org-guid-2") + expectEqual(t, identity.Groups[2], "some-org-guid-3") + expectEqual(t, identity.Groups[3], "some-org-guid-4") + expectEqual(t, identity.Groups[4], "some-org-name-1") + expectEqual(t, identity.Groups[5], "some-org-name-1:some-space-name-1") + expectEqual(t, identity.Groups[6], "some-org-name-2") + expectEqual(t, identity.Groups[7], "some-org-name-2:some-space-name-2") + expectEqual(t, identity.Groups[8], "some-org-name-3") + expectEqual(t, identity.Groups[9], "some-org-name-4") + expectEqual(t, identity.Groups[10], "some-space-guid-1") + expectEqual(t, identity.Groups[11], "some-space-guid-2") }) t.Run("CallbackWithoutGroupsScope", func(t *testing.T) { 
@@ -85,6 +85,64 @@ func TestHandleCallback(t *testing.T) { }) } +func testSpaceHandler(reqUrl, spaceApiEndpoint string) (result map[string]interface{}) { + fullUrl := fmt.Sprintf("%s?order-direction=asc&page=2&results-per-page=50", spaceApiEndpoint) + if strings.Contains(reqUrl, fullUrl) { + result = map[string]interface{}{ + "resources": []map[string]interface{}{ + { + "metadata": map[string]string{"guid": "some-space-guid-2"}, + "entity": map[string]string{"name": "some-space-name-2", "organization_guid": "some-org-guid-2"}, + }, + }, + } + } else { + nextUrl := fmt.Sprintf("/v2/users/12345/%s?order-direction=asc&page=2&results-per-page=50", spaceApiEndpoint) + result = map[string]interface{}{ + "next_url": nextUrl, + "resources": []map[string]interface{}{ + { + "metadata": map[string]string{"guid": "some-space-guid-1"}, + "entity": map[string]string{"name": "some-space-name-1", "organization_guid": "some-org-guid-1"}, + }, + }, + } + } + return result +} + +func testOrgHandler(reqUrl string) (result map[string]interface{}) { + if strings.Contains(reqUrl, "organizations?order-direction=asc&page=2&results-per-page=50") { + result = map[string]interface{}{ + "resources": []map[string]interface{}{ + { + "metadata": map[string]string{"guid": "some-org-guid-3"}, + "entity": map[string]string{"name": "some-org-name-3"}, + }, + { + "metadata": map[string]string{"guid": "some-org-guid-4"}, + "entity": map[string]string{"name": "some-org-name-4"}, + }, + }, + } + } else { + result = map[string]interface{}{ + "next_url": "/v2/users/12345/organizations?order-direction=asc&page=2&results-per-page=50", + "resources": []map[string]interface{}{ + { + "metadata": map[string]string{"guid": "some-org-guid-1"}, + "entity": map[string]string{"name": "some-org-name-1"}, + }, + { + "metadata": map[string]string{"guid": "some-org-guid-2"}, + "entity": map[string]string{"name": "some-org-name-2"}, + }, + }, + } + } + return result +} + func testSetup() *httptest.Server { mux := 
http.NewServeMux() mux.HandleFunc("/token", func(w http.ResponseWriter, r *http.Request) { 
@@ -127,58 +185,21 @@ func testSetup() *httptest.Server { mux.HandleFunc("/v2/users/", func(w http.ResponseWriter, r *http.Request) { var result map[string]interface{} - if strings.Contains(r.URL.String(), "spaces") { - if strings.Contains(r.URL.String(), "spaces?order-direction=asc&page=2&results-per-page=50") { - result = map[string]interface{}{ - "resources": []map[string]interface{}{ - { - "metadata": map[string]string{"guid": "some-space-guid-2"}, - "entity": map[string]string{"name": "some-space-name-2", "organization_guid": "some-org-guid-2"}, - }, - }, - } - } else { - result = map[string]interface{}{ - "next_url": "/v2/users/12345/spaces?order-direction=asc&page=2&results-per-page=50", - "resources": []map[string]interface{}{ - { - "metadata": map[string]string{"guid": "some-space-guid-1"}, - "entity": map[string]string{"name": "some-space-name-1", "organization_guid": "some-org-guid-1"}, - }, - }, - } - } + reqUrl := r.URL.String() + if strings.Contains(reqUrl, "/spaces") { + result = testSpaceHandler(reqUrl, "spaces") + } + + if strings.Contains(reqUrl, "/audited_spaces") { + result = testSpaceHandler(reqUrl, "audited_spaces") + } + + if strings.Contains(reqUrl, "/managed_spaces") { + result = testSpaceHandler(reqUrl, "managed_spaces") } - if strings.Contains(r.URL.String(), "organizations") { - if strings.Contains(r.URL.String(), "organizations?order-direction=asc&page=2&results-per-page=50") { - result = map[string]interface{}{ - "resources": []map[string]interface{}{ - { - "metadata": map[string]string{"guid": "some-org-guid-3"}, - "entity": map[string]string{"name": "some-org-name-3"}, - }, - { - "metadata": map[string]string{"guid": "some-org-guid-4"}, - "entity": map[string]string{"name": "some-org-name-4"}, - }, - }, - } - } else { - result = map[string]interface{}{ - "next_url": "/v2/users/12345/organizations?order-direction=asc&page=2&results-per-page=50", - "resources": []map[string]interface{}{ - { - "metadata": map[string]string{"guid": 
"some-org-guid-1"}, - "entity": map[string]string{"name": "some-org-name-1"}, - }, - { - "metadata": map[string]string{"guid": "some-org-guid-2"}, - "entity": map[string]string{"name": "some-org-name-2"}, - }, - }, - } - } + if strings.Contains(reqUrl, "organizations") { + result = testOrgHandler(reqUrl) } json.NewEncoder(w).Encode(result) From 031e4e556f4ce14602b901580c7f14254801053b Mon Sep 17 00:00:00 2001 From: Rui Yang Date: Mon, 4 Nov 2019 17:06:23 -0500 Subject: [PATCH 09/27] append role to space guids Signed-off-by: Rui Yang Co-authored-by: Joshua Winters --- connector/cf/cf.go | 27 +++++++++++++++------------ connector/cf/cf_test.go | 10 ++++++++-- 2 files changed, 23 insertions(+), 14 deletions(-) diff --git a/connector/cf/cf.go b/connector/cf/cf.go index 6b33ebe1ba..67c3d56702 100644 --- a/connector/cf/cf.go +++ b/connector/cf/cf.go @@ -68,6 +68,7 @@ type Space struct { Name string Guid string OrgGuid string + Role string } type Org struct { @@ -192,7 +193,7 @@ func (c *cfConnector) LoginURL(scopes connector.Scopes, callbackURL, state strin return oauth2Config.AuthCodeURL(state), nil } -func fetchRoleSpaces(baseUrl, path string, client *http.Client) ([]Space, error) { +func fetchRoleSpaces(baseUrl, path, role string, client *http.Client) ([]Space, error) { var spaces []Space resources, err := fetchResources(baseUrl, path, client) @@ -205,6 +206,7 @@ func fetchRoleSpaces(baseUrl, path string, client *http.Client) ([]Space, error) Name: resource.Entity.Name, Guid: resource.Metadata.Guid, OrgGuid: resource.Entity.OrganizationGuid, + Role: role, }) } 
@@ -268,32 +270,33 @@ func getGroupsClaims(orgs []Org, spaces []Space) []string { var ( orgMap = map[string]string{} - orgSpaces = map[string][]string{} + orgSpaces = map[string][]Space{} groupsClaims = map[string]bool{} ) for _, org := range orgs { orgMap[org.Guid] = org.Name - orgSpaces[org.Name] = []string{} + orgSpaces[org.Name] = []Space{} groupsClaims[org.Guid] = true groupsClaims[org.Name] = true } for _, space := range spaces { orgName := orgMap[space.OrgGuid] - orgSpaces[orgName] = append(orgSpaces[orgName], space.Name) + orgSpaces[orgName] = append(orgSpaces[orgName], space) groupsClaims[space.Guid] = true + groupsClaims[fmt.Sprintf("%s:%s", space.Guid, space.Role)] = true } - for orgName, spaceNames := range orgSpaces { - for _, spaceName := range spaceNames { - groupsClaims[fmt.Sprintf("%s:%s", orgName, spaceName)] = true + for orgName, spaces := range orgSpaces { + for _, space := range spaces { + groupsClaims[fmt.Sprintf("%s:%s", orgName, space.Name)] = true } } var groups []string - for k, _ := range groupsClaims { - groups = append(groups, k) + for group, _ := range groupsClaims { + groups = append(groups, group) } sort.Strings(groups) 
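Review bot: In the `for _, space := range spaces` loop, `orgMap[space.OrgGuid]` is read without checking that the key exists, so a space whose org was not returned by the organizations call is filed under the empty org name. The final loop then emits a claim of the form `:<space name>`, which no org owns and which a downstream policy could match by accident. I would keep the GUID-based claims and add the space to `orgSpaces` only when the lookup succeeds: `orgName, ok := orgMap[space.OrgGUID]` followed by `if ok { orgSpaces[orgName] = append(orgSpaces[orgName], space) }`. The end of getGroupsClaims is outside this hunk.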
@@ -362,17 +365,17 @@ func (c *cfConnector) HandleCallback(s connector.Scopes, r *http.Request) (ident return identity, fmt.Errorf("failed to fetch organizaitons: %v", err) } - developerSpaces, err := fetchRoleSpaces(c.apiURL, devPath, client) + developerSpaces, err := fetchRoleSpaces(c.apiURL, devPath, "developer", client) if err != nil { return identity, fmt.Errorf("failed to fetch spaces for developer roles: %v", err) } - auditorSpaces, err := fetchRoleSpaces(c.apiURL, auditorPath, client) + auditorSpaces, err := fetchRoleSpaces(c.apiURL, auditorPath, "auditor", client) if err != nil { return identity, fmt.Errorf("failed to fetch spaces for developer roles: %v", err) } - managerSpaces, err := fetchRoleSpaces(c.apiURL, managerPath, client) + managerSpaces, err := fetchRoleSpaces(c.apiURL, managerPath, "manager", client) if err != nil { return identity, fmt.Errorf("failed to fetch spaces for developer roles: %v", err) } diff --git a/connector/cf/cf_test.go b/connector/cf/cf_test.go index 40daa7c758..f6014230b4 100644 --- a/connector/cf/cf_test.go +++ b/connector/cf/cf_test.go @@ -48,7 +48,7 @@ func TestHandleCallback(t *testing.T) { identity, err := cfConn.HandleCallback(connector.Scopes{Groups: true}, req) expectEqual(t, err, nil) - expectEqual(t, len(identity.Groups), 12) + expectEqual(t, len(identity.Groups), 18) expectEqual(t, identity.Groups[0], "some-org-guid-1") expectEqual(t, identity.Groups[1], "some-org-guid-2") expectEqual(t, identity.Groups[2], "some-org-guid-3") 
@@ -60,7 +60,13 @@ func TestHandleCallback(t *testing.T) { expectEqual(t, identity.Groups[8], "some-org-name-3") expectEqual(t, identity.Groups[9], "some-org-name-4") expectEqual(t, identity.Groups[10], "some-space-guid-1") - expectEqual(t, identity.Groups[11], "some-space-guid-2") + expectEqual(t, identity.Groups[11], "some-space-guid-1:auditor") + expectEqual(t, identity.Groups[12], "some-space-guid-1:developer") + expectEqual(t, identity.Groups[13], "some-space-guid-1:manager") + expectEqual(t, identity.Groups[14], "some-space-guid-2") + expectEqual(t, identity.Groups[15], "some-space-guid-2:auditor") + expectEqual(t, identity.Groups[16], "some-space-guid-2:developer") + expectEqual(t, identity.Groups[17], "some-space-guid-2:manager") }) t.Run("CallbackWithoutGroupsScope", func(t *testing.T) { From 39c229a0c5d12f87f236f8e1f5f391efe552d72a Mon Sep 17 00:00:00 2001 From: Joshua Winters Date: Mon, 25 Nov 2019 15:15:30 -0500 Subject: [PATCH 10/27] add cf org:space:role group claim to token Signed-off-by: Joshua Winters Co-authored-by: Rui Yang --- connector/cf/cf.go | 1 + connector/cf/cf_test.go | 32 +++++++++++++++++++------------- 2 files changed, 20 insertions(+), 13 deletions(-) diff --git a/connector/cf/cf.go b/connector/cf/cf.go index 67c3d56702..0dcbb3a86f 100644 --- a/connector/cf/cf.go +++ b/connector/cf/cf.go @@ -291,6 +291,7 @@ func getGroupsClaims(orgs []Org, spaces []Space) []string { for orgName, spaces := range orgSpaces { for _, space := range spaces { groupsClaims[fmt.Sprintf("%s:%s", orgName, space.Name)] = true + groupsClaims[fmt.Sprintf("%s:%s:%s", orgName, space.Name, space.Role)] = true } } diff --git a/connector/cf/cf_test.go b/connector/cf/cf_test.go index f6014230b4..afc273daa1 100644 --- a/connector/cf/cf_test.go +++ b/connector/cf/cf_test.go 
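Review bot: The added `%s:%s:%s` claim in `getGroupsClaims` uses the same unescaped `:` delimiter as the existing `%s:%s` claim on the line above it. If org or space names may contain `:` (not verifiable from this page), a two-part claim for one space can be byte-identical to a three-part role claim for another, and a consumer matching on the string cannot tell them apart. I would either skip name-based claims for such names, e.g. `if strings.Contains(orgName, ":") || strings.Contains(space.Name, ":") { continue }`, or document that role decisions must use the `<space guid>:<role>` claims. The surrounding function is only partly visible in this hunk.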
@@ -48,25 +48,31 @@ func TestHandleCallback(t *testing.T) { identity, err := cfConn.HandleCallback(connector.Scopes{Groups: true}, req) expectEqual(t, err, nil) - expectEqual(t, len(identity.Groups), 18) + expectEqual(t, len(identity.Groups), 24) expectEqual(t, identity.Groups[0], "some-org-guid-1") expectEqual(t, identity.Groups[1], "some-org-guid-2") expectEqual(t, identity.Groups[2], "some-org-guid-3") expectEqual(t, identity.Groups[3], "some-org-guid-4") expectEqual(t, identity.Groups[4], "some-org-name-1") expectEqual(t, identity.Groups[5], "some-org-name-1:some-space-name-1") - expectEqual(t, identity.Groups[6], "some-org-name-2") - expectEqual(t, identity.Groups[7], "some-org-name-2:some-space-name-2") - expectEqual(t, identity.Groups[8], "some-org-name-3") - expectEqual(t, identity.Groups[9], "some-org-name-4") - expectEqual(t, identity.Groups[10], "some-space-guid-1") - expectEqual(t, identity.Groups[11], "some-space-guid-1:auditor") - expectEqual(t, identity.Groups[12], "some-space-guid-1:developer") - expectEqual(t, identity.Groups[13], "some-space-guid-1:manager") - expectEqual(t, identity.Groups[14], "some-space-guid-2") - expectEqual(t, identity.Groups[15], "some-space-guid-2:auditor") - expectEqual(t, identity.Groups[16], "some-space-guid-2:developer") - expectEqual(t, identity.Groups[17], "some-space-guid-2:manager") + expectEqual(t, identity.Groups[6], "some-org-name-1:some-space-name-1:auditor") + expectEqual(t, identity.Groups[7], "some-org-name-1:some-space-name-1:developer") + expectEqual(t, identity.Groups[8], "some-org-name-1:some-space-name-1:manager") + expectEqual(t, identity.Groups[9], "some-org-name-2") + expectEqual(t, identity.Groups[10], "some-org-name-2:some-space-name-2") + expectEqual(t, identity.Groups[11], "some-org-name-2:some-space-name-2:auditor") + expectEqual(t, identity.Groups[12], "some-org-name-2:some-space-name-2:developer") + expectEqual(t, identity.Groups[13], "some-org-name-2:some-space-name-2:manager") + 
expectEqual(t, identity.Groups[14], "some-org-name-3") + expectEqual(t, identity.Groups[15], "some-org-name-4") + expectEqual(t, identity.Groups[16], "some-space-guid-1") + expectEqual(t, identity.Groups[17], "some-space-guid-1:auditor") + expectEqual(t, identity.Groups[18], "some-space-guid-1:developer") + expectEqual(t, identity.Groups[19], "some-space-guid-1:manager") + expectEqual(t, identity.Groups[20], "some-space-guid-2") + expectEqual(t, identity.Groups[21], "some-space-guid-2:auditor") + expectEqual(t, identity.Groups[22], "some-space-guid-2:developer") + expectEqual(t, identity.Groups[23], "some-space-guid-2:manager") }) t.Run("CallbackWithoutGroupsScope", func(t *testing.T) { From abf3401924a099076dd5799f7703ee82c713733e Mon Sep 17 00:00:00 2001 From: Rui Yang Date: Mon, 13 Jan 2020 13:19:53 -0500 Subject: [PATCH 11/27] fix lint errors gofumpt-ed Signed-off-by: Rui Yang --- connector/cf/cf.go | 59 +++++++++++++++++++---------------------- connector/cf/cf_test.go | 37 +++++++++++++------------- 2 files changed, 46 insertions(+), 50 deletions(-) diff --git a/connector/cf/cf.go b/connector/cf/cf.go index 0dcbb3a86f..ba0b09d1fb 100644 --- a/connector/cf/cf.go +++ b/connector/cf/cf.go @@ -14,9 +14,10 @@ import ( "strings" "time" + "golang.org/x/oauth2" + "github.com/dexidp/dex/connector" "github.com/dexidp/dex/pkg/log" - "golang.org/x/oauth2" ) type cfConnector struct { @@ -45,7 +46,7 @@ type Config struct { } type CCResponse struct { - NextUrl string `json:"next_url"` + NextURL string `json:"next_url"` Resources []Resource `json:"resources"` TotalResults int `json:"total_results"` } 
@@ -56,24 +57,24 @@ type Resource struct { } type Metadata struct { - Guid string `json:"guid"` + GUID string `json:"guid"` } type Entity struct { Name string `json:"name"` - OrganizationGuid string `json:"organization_guid"` + OrganizationGUID string `json:"organization_guid"` } type Space struct { Name string - Guid string - OrgGuid string + GUID string + OrgGUID string Role string } type Org struct { Name string - Guid string + GUID string } func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error) { @@ -94,7 +95,6 @@ func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error) apiURL := strings.TrimRight(c.APIURL, "/") apiResp, err := cfConn.httpClient.Get(fmt.Sprintf("%s/v2/info", apiURL)) - if err != nil { logger.Errorf("failed-to-send-request-to-cloud-controller-api", err) return nil, err @@ -103,7 +103,7 @@ func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error) defer apiResp.Body.Close() if apiResp.StatusCode != http.StatusOK { - err = errors.New(fmt.Sprintf("request failed with status %d", apiResp.StatusCode)) + err = fmt.Errorf("request failed with status %d", apiResp.StatusCode) logger.Errorf("failed-get-info-response-from-api", err) return nil, err } @@ -113,15 +113,14 @@ func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error) uaaURL := strings.TrimRight(apiResult["authorization_endpoint"].(string), "/") uaaResp, err := cfConn.httpClient.Get(fmt.Sprintf("%s/.well-known/openid-configuration", uaaURL)) - if err != nil { logger.Errorf("failed-to-send-request-to-uaa-api", err) return nil, err } if apiResp.StatusCode != http.StatusOK { - err = errors.New(fmt.Sprintf("request failed with status %d", apiResp.StatusCode)) - logger.Errorf("failed-to-get-well-known-config-repsonse-from-api", err) + err = fmt.Errorf("request failed with status %d", apiResp.StatusCode) + logger.Errorf("failed-to-get-well-known-config-response-from-api", err) return nil, err } 
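Review bot: In `Config.Open` the status check after the `/.well-known/openid-configuration` request still tests `apiResp.StatusCode`, so the UAA response status is never examined and a non-200 discovery document is passed on to parsing. The lines rewritten here should read `if uaaResp.StatusCode != http.StatusOK {` and `err = fmt.Errorf("request failed with status %d", uaaResp.StatusCode)`. Separately, each `logger.Errorf("failed-…", err)` call passes `err` to a format string with no verb, so the error is rendered as an `%!(EXTRA …)` suffix; appending `: %v` to the message fixes that. The body of Open starts and ends outside these hunks.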
@@ -177,7 +176,6 @@ func newHTTPClient(rootCAs []string, insecureSkipVerify bool) (*http.Client, err } func (c *cfConnector) LoginURL(scopes connector.Scopes, callbackURL, state string) (string, error) { - if c.redirectURI != callbackURL { return "", fmt.Errorf("expected callback URL %q did not match the URL in the config %q", callbackURL, c.redirectURI) } @@ -193,10 +191,10 @@ func (c *cfConnector) LoginURL(scopes connector.Scopes, callbackURL, state strin return oauth2Config.AuthCodeURL(state), nil } -func fetchRoleSpaces(baseUrl, path, role string, client *http.Client) ([]Space, error) { +func fetchRoleSpaces(baseURL, path, role string, client *http.Client) ([]Space, error) { var spaces []Space - resources, err := fetchResources(baseUrl, path, client) + resources, err := fetchResources(baseURL, path, client) if err != nil { return nil, fmt.Errorf("failed to fetch resources: %v", err) } @@ -204,8 +202,8 @@ func fetchRoleSpaces(baseUrl, path, role string, client *http.Client) ([]Space, for _, resource := range resources { spaces = append(spaces, Space{ Name: resource.Entity.Name, - Guid: resource.Metadata.Guid, - OrgGuid: resource.Entity.OrganizationGuid, + GUID: resource.Metadata.GUID, + OrgGUID: resource.Entity.OrganizationGUID, Role: role, }) } @@ -213,10 +211,10 @@ func fetchRoleSpaces(baseUrl, path, role string, client *http.Client) ([]Space, return spaces, nil } -func fetchOrgs(baseUrl, path string, client *http.Client) ([]Org, error) { +func fetchOrgs(baseURL, path string, client *http.Client) ([]Org, error) { var orgs []Org - resources, err := fetchResources(baseUrl, path, client) + resources, err := fetchResources(baseURL, path, client) if err != nil { return nil, fmt.Errorf("failed to fetch resources: %v", err) } 
@@ -224,26 +222,27 @@ func fetchOrgs(baseUrl, path string, client *http.Client) ([]Org, error) { for _, resource := range resources { orgs = append(orgs, Org{ Name: resource.Entity.Name, - Guid: resource.Metadata.Guid, + GUID: resource.Metadata.GUID, }) } return orgs, nil } -func fetchResources(baseUrl, path string, client *http.Client) ([]Resource, error) { +func fetchResources(baseURL, path string, client *http.Client) ([]Resource, error) { var ( resources []Resource url string ) for { - url = fmt.Sprintf("%s%s", baseUrl, path) + url = fmt.Sprintf("%s%s", baseURL, path) resp, err := client.Get(url) if err != nil { return nil, fmt.Errorf("failed to execute request: %v", err) } + defer resp.Body.Close() if resp.StatusCode != http.StatusOK { return nil, fmt.Errorf("unsuccessful status code %d", resp.StatusCode) @@ -257,7 +256,7 @@ func fetchResources(baseUrl, path string, client *http.Client) ([]Resource, erro resources = append(resources, response.Resources...) - path = response.NextUrl + path = response.NextURL if path == "" { break } @@ -267,7 +266,6 @@ func fetchResources(baseUrl, path string, client *http.Client) ([]Resource, erro } func getGroupsClaims(orgs []Org, spaces []Space) []string { - var ( orgMap = map[string]string{} orgSpaces = map[string][]Space{} @@ -275,17 +273,17 @@ func getGroupsClaims(orgs []Org, spaces []Space) []string { ) for _, org := range orgs { - orgMap[org.Guid] = org.Name + orgMap[org.GUID] = org.Name orgSpaces[org.Name] = []Space{} - groupsClaims[org.Guid] = true + groupsClaims[org.GUID] = true groupsClaims[org.Name] = true } for _, space := range spaces { - orgName := orgMap[space.OrgGuid] + orgName := orgMap[space.OrgGUID] orgSpaces[orgName] = append(orgSpaces[orgName], space) - groupsClaims[space.Guid] = true - groupsClaims[fmt.Sprintf("%s:%s", space.Guid, space.Role)] = true + groupsClaims[space.GUID] = true + groupsClaims[fmt.Sprintf("%s:%s", space.GUID, space.Role)] = true } for orgName, spaces := range orgSpaces { 
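Review bot: The added `defer resp.Body.Close()` sits inside the `for` loop of `fetchResources`, so it only runs when the function returns and every page's body stays open until pagination has finished. Since the number of pages is decided by the server's next link, a long chain keeps one open body per page. Moving the per-page request and decode into a small helper makes the defer fire once per page; the sketch below reuses the error strings already in the function. The loop body continues in the following hunk and the function ends outside this one.

```go
// fetchPage requests a single page and closes its body before returning.
func fetchPage(client *http.Client, url string) (CCResponse, error) {
	var page CCResponse

	resp, err := client.Get(url)
	if err != nil {
		return page, fmt.Errorf("failed to execute request: %v", err)
	}
	defer resp.Body.Close()

	if resp.StatusCode != http.StatusOK {
		return page, fmt.Errorf("unsuccessful status code %d", resp.StatusCode)
	}
	if err := json.NewDecoder(resp.Body).Decode(&page); err != nil {
		return page, fmt.Errorf("failed to parse spaces: %v", err)
	}
	return page, nil
}

// … unchanged: fetchResources signature and variable block …
	for {
		url = fmt.Sprintf("%s%s", baseURL, path)
		response, err := fetchPage(client, url)
		if err != nil {
			return nil, err
		}
		// … unchanged: append response.Resources, follow response.NextURL …
```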
@@ -296,7 +294,7 @@ func getGroupsClaims(orgs []Org, spaces []Space) []string { } var groups []string - for group, _ := range groupsClaims { + for group := range groupsClaims { groups = append(groups, group) } @@ -306,7 +304,6 @@ func getGroupsClaims(orgs []Org, spaces []Space) []string { } func (c *cfConnector) HandleCallback(s connector.Scopes, r *http.Request) (identity connector.Identity, err error) { - q := r.URL.Query() if errType := q.Get("error"); errType != "" { return identity, errors.New(q.Get("error_description")) diff --git a/connector/cf/cf_test.go b/connector/cf/cf_test.go index afc273daa1..b9bf68dbeb 100644 --- a/connector/cf/cf_test.go +++ b/connector/cf/cf_test.go @@ -10,8 +10,9 @@ import ( "strings" "testing" - "github.com/dexidp/dex/connector" "github.com/sirupsen/logrus" + + "github.com/dexidp/dex/connector" ) func TestOpen(t *testing.T) { @@ -26,7 +27,6 @@ func TestOpen(t *testing.T) { } func TestHandleCallback(t *testing.T) { - testServer := testSetup() defer testServer.Close() @@ -97,9 +97,9 @@ func TestHandleCallback(t *testing.T) { }) } -func testSpaceHandler(reqUrl, spaceApiEndpoint string) (result map[string]interface{}) { - fullUrl := fmt.Sprintf("%s?order-direction=asc&page=2&results-per-page=50", spaceApiEndpoint) - if strings.Contains(reqUrl, fullUrl) { +func testSpaceHandler(reqURL, spaceAPIEndpoint string) (result map[string]interface{}) { + fullURL := fmt.Sprintf("%s?order-direction=asc&page=2&results-per-page=50", spaceAPIEndpoint) + if strings.Contains(reqURL, fullURL) { result = map[string]interface{}{ "resources": []map[string]interface{}{ { 
@@ -109,9 +109,9 @@ func testSpaceHandler(reqUrl, spaceApiEndpoint string) (result map[string]interf }, } } else { - nextUrl := fmt.Sprintf("/v2/users/12345/%s?order-direction=asc&page=2&results-per-page=50", spaceApiEndpoint) + nextURL := fmt.Sprintf("/v2/users/12345/%s?order-direction=asc&page=2&results-per-page=50", spaceAPIEndpoint) result = map[string]interface{}{ - "next_url": nextUrl, + "next_url": nextURL, "resources": []map[string]interface{}{ { "metadata": map[string]string{"guid": "some-space-guid-1"}, @@ -123,8 +123,8 @@ func testSpaceHandler(reqUrl, spaceApiEndpoint string) (result map[string]interf return result } -func testOrgHandler(reqUrl string) (result map[string]interface{}) { - if strings.Contains(reqUrl, "organizations?order-direction=asc&page=2&results-per-page=50") { +func testOrgHandler(reqURL string) (result map[string]interface{}) { + if strings.Contains(reqURL, "organizations?order-direction=asc&page=2&results-per-page=50") { result = map[string]interface{}{ "resources": []map[string]interface{}{ { 
@@ -197,21 +197,21 @@ func testSetup() *httptest.Server { mux.HandleFunc("/v2/users/", func(w http.ResponseWriter, r *http.Request) { var result map[string]interface{} - reqUrl := r.URL.String() - if strings.Contains(reqUrl, "/spaces") { - result = testSpaceHandler(reqUrl, "spaces") + reqURL := r.URL.String() + if strings.Contains(reqURL, "/spaces") { + result = testSpaceHandler(reqURL, "spaces") } - if strings.Contains(reqUrl, "/audited_spaces") { - result = testSpaceHandler(reqUrl, "audited_spaces") + if strings.Contains(reqURL, "/audited_spaces") { + result = testSpaceHandler(reqURL, "audited_spaces") } - if strings.Contains(reqUrl, "/managed_spaces") { - result = testSpaceHandler(reqUrl, "managed_spaces") + if strings.Contains(reqURL, "/managed_spaces") { + result = testSpaceHandler(reqURL, "managed_spaces") } - if strings.Contains(reqUrl, "organizations") { - result = testOrgHandler(reqUrl) + if strings.Contains(reqURL, "organizations") { + result = testOrgHandler(reqURL) } json.NewEncoder(w).Encode(result) @@ -221,7 +221,6 @@ func testSetup() *httptest.Server { } func newConnector(t *testing.T, serverURL string) *cfConnector { - callBackURL := fmt.Sprintf("%s/callback", serverURL) testConfig := Config{ From d7dc0ec08a337a1c0f1093b65f6536f73500a235 Mon Sep 17 00:00:00 2001 From: Rui Yang Date: Fri, 5 Mar 2021 12:40:56 -0500 Subject: [PATCH 12/27] run golangcli-lint Signed-off-by: Rui Yang --- connector/cf/cf.go | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/connector/cf/cf.go b/connector/cf/cf.go index ba0b09d1fb..4d839ff63a 100644 --- a/connector/cf/cf.go +++ b/connector/cf/cf.go 
@@ -192,38 +192,36 @@ func (c *cfConnector) LoginURL(scopes connector.Scopes, callbackURL, state strin } func fetchRoleSpaces(baseURL, path, role string, client *http.Client) ([]Space, error) { - var spaces []Space - resources, err := fetchResources(baseURL, path, client) if err != nil { return nil, fmt.Errorf("failed to fetch resources: %v", err) } - for _, resource := range resources { - spaces = append(spaces, Space{ + spaces := make([]Space, len(resources)) + for i, resource := range resources { + spaces[i] = Space{ Name: resource.Entity.Name, GUID: resource.Metadata.GUID, OrgGUID: resource.Entity.OrganizationGUID, Role: role, - }) + } } return spaces, nil } func fetchOrgs(baseURL, path string, client *http.Client) ([]Org, error) { - var orgs []Org - resources, err := fetchResources(baseURL, path, client) if err != nil { return nil, fmt.Errorf("failed to fetch resources: %v", err) } - for _, resource := range resources { - orgs = append(orgs, Org{ + orgs := make([]Org, len(resources)) + for i, resource := range resources { + orgs[i] = Org{ Name: resource.Entity.Name, GUID: resource.Metadata.GUID, - }) + } } return orgs, nil @@ -293,7 +291,7 @@ func getGroupsClaims(orgs []Org, spaces []Space) []string { } } - var groups []string + groups := make([]string, 0, len(groupsClaims)) for group := range groupsClaims { groups = append(groups, group) } From 5e302869deacd98ec2f9869e5f1363eb78db2557 Mon Sep 17 00:00:00 2001 From: Rui Yang Date: Wed, 1 Dec 2021 10:37:56 -0500 Subject: [PATCH 13/27] fix sanity check errors Signed-off-by: Rui Yang --- connector/cf/cf.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/connector/cf/cf.go b/connector/cf/cf.go index 4d839ff63a..4cd04275ca 100644 --- a/connector/cf/cf.go +++ b/connector/cf/cf.go @@ -7,9 +7,9 @@ import ( "encoding/json" "errors" "fmt" - "io/ioutil" "net" "net/http" + "os" "sort" "strings" "time" 
@@ -149,7 +149,7 @@ func newHTTPClient(rootCAs []string, insecureSkipVerify bool) (*http.Client, err tlsConfig := tls.Config{RootCAs: pool, InsecureSkipVerify: insecureSkipVerify} for _, rootCA := range rootCAs { - rootCABytes, err := ioutil.ReadFile(rootCA) + rootCABytes, err := os.ReadFile(rootCA) if err != nil { return nil, fmt.Errorf("failed to read root-ca: %v", err) } @@ -376,9 +376,9 @@ func (c *cfConnector) HandleCallback(s connector.Scopes, r *http.Request) (ident return identity, fmt.Errorf("failed to fetch spaces for developer roles: %v", err) } - spaces := append(developerSpaces, append(auditorSpaces, managerSpaces...)...) + developerSpaces = append(developerSpaces, append(auditorSpaces, managerSpaces...)...) - identity.Groups = getGroupsClaims(orgs, spaces) + identity.Groups = getGroupsClaims(orgs, developerSpaces) } if s.OfflineAccess { From 8ecabd0f0191e06290e38e41f7d07a7c23c991cd Mon Sep 17 00:00:00 2001 From: Rui Yang Date: Tue, 4 Oct 2022 22:53:06 -0400 Subject: [PATCH 14/27] rename connector;make types private; Signed-off-by: Rui Yang --- .../cf.go => cloudfoundry/cloudfoundry.go} | 66 +++++++++---------- .../cloudfoundry_test.go} | 18 ++--- server/server.go | 4 +- 3 files changed, 44 insertions(+), 44 deletions(-) rename connector/{cf/cf.go => cloudfoundry/cloudfoundry.go} (85%) rename connector/{cf/cf_test.go => cloudfoundry/cloudfoundry_test.go} (94%) diff --git a/connector/cf/cf.go b/connector/cloudfoundry/cloudfoundry.go similarity index 85% rename from connector/cf/cf.go rename to connector/cloudfoundry/cloudfoundry.go index 4cd04275ca..8d3ab7f0ae 100644 --- a/connector/cf/cf.go +++ b/connector/cloudfoundry/cloudfoundry.go @@ -1,4 +1,4 @@ -package cf +package cloudfoundry import ( "context" @@ -20,7 +20,7 @@ import ( "github.com/dexidp/dex/pkg/log" ) -type cfConnector struct { +type cloudfoundryConnector struct { clientID string clientSecret string redirectURI string 
@@ -45,34 +45,34 @@ type Config struct { InsecureSkipVerify bool `json:"insecureSkipVerify"` } -type CCResponse struct { +type ccResponse struct { NextURL string `json:"next_url"` - Resources []Resource `json:"resources"` + Resources []resource `json:"resources"` TotalResults int `json:"total_results"` } -type Resource struct { - Metadata Metadata `json:"metadata"` - Entity Entity `json:"entity"` +type resource struct { + Metadata metadata `json:"metadata"` + Entity entity `json:"entity"` } -type Metadata struct { +type metadata struct { GUID string `json:"guid"` } -type Entity struct { +type entity struct { Name string `json:"name"` OrganizationGUID string `json:"organization_guid"` } -type Space struct { +type space struct { Name string GUID string OrgGUID string Role string } -type Org struct { +type org struct { Name string GUID string } @@ -80,7 +80,7 @@ type Org struct { func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error) { var err error - cfConn := &cfConnector{ + cloudfoundryConn := &cloudfoundryConnector{ clientID: c.ClientID, clientSecret: c.ClientSecret, apiURL: c.APIURL, @@ -88,13 +88,13 @@ func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error) logger: logger, } - cfConn.httpClient, err = newHTTPClient(c.RootCAs, c.InsecureSkipVerify) + cloudfoundryConn.httpClient, err = newHTTPClient(c.RootCAs, c.InsecureSkipVerify) if err != nil { return nil, err } apiURL := strings.TrimRight(c.APIURL, "/") - apiResp, err := cfConn.httpClient.Get(fmt.Sprintf("%s/v2/info", apiURL)) + apiResp, err := cloudfoundryConn.httpClient.Get(fmt.Sprintf("%s/v2/info", apiURL)) if err != nil { logger.Errorf("failed-to-send-request-to-cloud-controller-api", err) return nil, err 
@@ -112,7 +112,7 @@ func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error) json.NewDecoder(apiResp.Body).Decode(&apiResult) uaaURL := strings.TrimRight(apiResult["authorization_endpoint"].(string), "/") - uaaResp, err := cfConn.httpClient.Get(fmt.Sprintf("%s/.well-known/openid-configuration", uaaURL)) + uaaResp, err := cloudfoundryConn.httpClient.Get(fmt.Sprintf("%s/.well-known/openid-configuration", uaaURL)) if err != nil { logger.Errorf("failed-to-send-request-to-uaa-api", err) return nil, err @@ -134,11 +134,11 @@ func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error) return nil, err } - cfConn.tokenURL, _ = uaaResult["token_endpoint"].(string) - cfConn.authorizationURL, _ = uaaResult["authorization_endpoint"].(string) - cfConn.userInfoURL, _ = uaaResult["userinfo_endpoint"].(string) + cloudfoundryConn.tokenURL, _ = uaaResult["token_endpoint"].(string) + cloudfoundryConn.authorizationURL, _ = uaaResult["authorization_endpoint"].(string) + cloudfoundryConn.userInfoURL, _ = uaaResult["userinfo_endpoint"].(string) - return cfConn, err + return cloudfoundryConn, err } func newHTTPClient(rootCAs []string, insecureSkipVerify bool) (*http.Client, error) { @@ -175,7 +175,7 @@ func newHTTPClient(rootCAs []string, insecureSkipVerify bool) (*http.Client, err }, nil } -func (c *cfConnector) LoginURL(scopes connector.Scopes, callbackURL, state string) (string, error) { +func (c *cloudfoundryConnector) LoginURL(scopes connector.Scopes, callbackURL, state string) (string, error) { if c.redirectURI != callbackURL { return "", fmt.Errorf("expected callback URL %q did not match the URL in the config %q", callbackURL, c.redirectURI) } 
@@ -191,15 +191,15 @@ func (c *cfConnector) LoginURL(scopes connector.Scopes, callbackURL, state strin return oauth2Config.AuthCodeURL(state), nil } -func fetchRoleSpaces(baseURL, path, role string, client *http.Client) ([]Space, error) { +func fetchRoleSpaces(baseURL, path, role string, client *http.Client) ([]space, error) { resources, err := fetchResources(baseURL, path, client) if err != nil { return nil, fmt.Errorf("failed to fetch resources: %v", err) } - spaces := make([]Space, len(resources)) + spaces := make([]space, len(resources)) for i, resource := range resources { - spaces[i] = Space{ + spaces[i] = space{ Name: resource.Entity.Name, GUID: resource.Metadata.GUID, OrgGUID: resource.Entity.OrganizationGUID, @@ -210,15 +210,15 @@ func fetchRoleSpaces(baseURL, path, role string, client *http.Client) ([]Space, return spaces, nil } -func fetchOrgs(baseURL, path string, client *http.Client) ([]Org, error) { +func fetchOrgs(baseURL, path string, client *http.Client) ([]org, error) { resources, err := fetchResources(baseURL, path, client) if err != nil { return nil, fmt.Errorf("failed to fetch resources: %v", err) } - orgs := make([]Org, len(resources)) + orgs := make([]org, len(resources)) for i, resource := range resources { - orgs[i] = Org{ + orgs[i] = org{ Name: resource.Entity.Name, GUID: resource.Metadata.GUID, } @@ -227,9 +227,9 @@ func fetchOrgs(baseURL, path string, client *http.Client) ([]Org, error) { return orgs, nil } -func fetchResources(baseURL, path string, client *http.Client) ([]Resource, error) { +func fetchResources(baseURL, path string, client *http.Client) ([]resource, error) { var ( - resources []Resource + resources []resource url string ) 
@@ -246,7 +246,7 @@ func fetchResources(baseURL, path string, client *http.Client) ([]Resource, erro return nil, fmt.Errorf("unsuccessful status code %d", resp.StatusCode) } - response := CCResponse{} + response := ccResponse{} err = json.NewDecoder(resp.Body).Decode(&response) if err != nil { return nil, fmt.Errorf("failed to parse spaces: %v", err) @@ -263,16 +263,16 @@ func fetchResources(baseURL, path string, client *http.Client) ([]Resource, erro return resources, nil } -func getGroupsClaims(orgs []Org, spaces []Space) []string { +func getGroupsClaims(orgs []org, spaces []space) []string { var ( orgMap = map[string]string{} - orgSpaces = map[string][]Space{} + orgSpaces = map[string][]space{} groupsClaims = map[string]bool{} ) for _, org := range orgs { orgMap[org.GUID] = org.Name - orgSpaces[org.Name] = []Space{} + orgSpaces[org.Name] = []space{} groupsClaims[org.GUID] = true groupsClaims[org.Name] = true } @@ -301,7 +301,7 @@ func getGroupsClaims(orgs []Org, spaces []Space) []string { return groups } -func (c *cfConnector) HandleCallback(s connector.Scopes, r *http.Request) (identity connector.Identity, err error) { +func (c *cloudfoundryConnector) HandleCallback(s connector.Scopes, r *http.Request) (identity connector.Identity, err error) { q := r.URL.Query() if errType := q.Get("error"); errType != "" { return identity, errors.New(q.Get("error_description")) diff --git a/connector/cf/cf_test.go b/connector/cloudfoundry/cloudfoundry_test.go similarity index 94% rename from connector/cf/cf_test.go rename to connector/cloudfoundry/cloudfoundry_test.go index b9bf68dbeb..73b521a917 100644 --- a/connector/cf/cf_test.go +++ b/connector/cloudfoundry/cloudfoundry_test.go @@ -1,4 +1,4 @@ -package cf +package cloudfoundry import ( "encoding/json" 
@@ -30,7 +30,7 @@ func TestHandleCallback(t *testing.T) { testServer := testSetup() defer testServer.Close() - cfConn := &cfConnector{ + cloudfoundryConn := &cloudfoundryConnector{ tokenURL: fmt.Sprintf("%s/token", testServer.URL), authorizationURL: fmt.Sprintf("%s/authorize", testServer.URL), userInfoURL: fmt.Sprintf("%s/userinfo", testServer.URL), @@ -45,7 +45,7 @@ func TestHandleCallback(t *testing.T) { expectEqual(t, err, nil) t.Run("CallbackWithGroupsScope", func(t *testing.T) { - identity, err := cfConn.HandleCallback(connector.Scopes{Groups: true}, req) + identity, err := cloudfoundryConn.HandleCallback(connector.Scopes{Groups: true}, req) expectEqual(t, err, nil) expectEqual(t, len(identity.Groups), 24) @@ -76,7 +76,7 @@ func TestHandleCallback(t *testing.T) { }) t.Run("CallbackWithoutGroupsScope", func(t *testing.T) { - identity, err := cfConn.HandleCallback(connector.Scopes{}, req) + identity, err := cloudfoundryConn.HandleCallback(connector.Scopes{}, req) expectEqual(t, err, nil) expectEqual(t, identity.UserID, "12345") @@ -84,7 +84,7 @@ func TestHandleCallback(t *testing.T) { }) t.Run("CallbackWithOfflineAccessScope", func(t *testing.T) { - identity, err := cfConn.HandleCallback(connector.Scopes{OfflineAccess: true}, req) + identity, err := cloudfoundryConn.HandleCallback(connector.Scopes{OfflineAccess: true}, req) expectEqual(t, err, nil) expectNotEqual(t, len(identity.ConnectorData), 0) @@ -220,7 +220,7 @@ func testSetup() *httptest.Server { return httptest.NewServer(mux) } -func newConnector(t *testing.T, serverURL string) *cfConnector { +func newConnector(t *testing.T, serverURL string) *cloudfoundryConnector { callBackURL := fmt.Sprintf("%s/callback", serverURL) testConfig := Config{ 
@@ -238,12 +238,12 @@ func newConnector(t *testing.T, serverURL string) *cfConnector { t.Fatal(err) } - cfConn, ok := conn.(*cfConnector) + cloudfoundryConn, ok := conn.(*cloudfoundryConnector) if !ok { - t.Fatal(errors.New("it is not a cf conn")) + t.Fatal(errors.New("it is not a cloudfoundry conn")) } - return cfConn + return cloudfoundryConn } func expectEqual(t *testing.T, a interface{}, b interface{}) { diff --git a/server/server.go b/server/server.go index 1c3f336c4f..13db0d7b5d 100644 --- a/server/server.go +++ b/server/server.go @@ -33,7 +33,7 @@ import ( "github.com/dexidp/dex/connector/atlassiancrowd" "github.com/dexidp/dex/connector/authproxy" "github.com/dexidp/dex/connector/bitbucketcloud" - "github.com/dexidp/dex/connector/cf" + "github.com/dexidp/dex/connector/cloudfoundry" "github.com/dexidp/dex/connector/gitea" "github.com/dexidp/dex/connector/github" "github.com/dexidp/dex/connector/gitlab" @@ -641,7 +641,7 @@ var ConnectorsConfig = map[string]func() ConnectorConfig{ "bitbucket-cloud": func() ConnectorConfig { return new(bitbucketcloud.Config) }, "openshift": func() ConnectorConfig { return new(openshift.Config) }, "atlassian-crowd": func() ConnectorConfig { return new(atlassiancrowd.Config) }, - "cf": func() ConnectorConfig { return new(cf.Config) }, + "cloudfoundry": func() ConnectorConfig { return new(cloudfoundry.Config) }, // Keep around for backwards compatibility. "samlExperimental": func() ConnectorConfig { return new(saml.Config) }, } From a2099f492fb29b7df3aa5b40c357cd75e91faa79 Mon Sep 17 00:00:00 2001 From: Rui Yang Date: Tue, 4 Oct 2022 23:28:34 -0400 Subject: [PATCH 15/27] add cloudfoundry to connector list in readme Signed-off-by: Rui Yang --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 2894dcdd46..6127d85bba 100644 --- a/README.md +++ b/README.md 
@@ -82,6 +82,7 @@ Dex implements the following connectors: | [Atlassian Crowd](https://dexidp.io/docs/connectors/atlassiancrowd/) | yes | yes | yes * | beta | preferred_username claim must be configured through config | | [Gitea](https://dexidp.io/docs/connectors/gitea/) | yes | no | yes | beta | | | [OpenStack Keystone](https://dexidp.io/docs/connectors/keystone/) | yes | yes | no | alpha | | +| [Cloud Foundry](https://dexidp.io/docs/connectors/cloudfoundry/) | no | yes | no | alpha | This connector is community maintained by [Concourse](https://github.com/concourse) | Stable, beta, and alpha are defined as: From fda2d8cb567f82c7976db25e0bce836febbef405 Mon Sep 17 00:00:00 2001 From: Kump3r Date: Wed, 2 Oct 2024 15:40:33 +0300 Subject: [PATCH 16/27] Switching to CloudFoundry v3 API Signed-off-by: Kump3r --- connector/cloudfoundry/cloudfoundry.go | 8 ++++---- connector/cloudfoundry/cloudfoundry_test.go | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/connector/cloudfoundry/cloudfoundry.go b/connector/cloudfoundry/cloudfoundry.go index 8d3ab7f0ae..3eeaae9881 100644 --- a/connector/cloudfoundry/cloudfoundry.go +++ b/connector/cloudfoundry/cloudfoundry.go @@ -349,10 +349,10 @@ func (c *cloudfoundryConnector) HandleCallback(s connector.Scopes, r *http.Reque identity.EmailVerified, _ = userInfoResult["email_verified"].(bool) var ( - devPath = fmt.Sprintf("/v2/users/%s/spaces", identity.UserID) - auditorPath = fmt.Sprintf("/v2/users/%s/audited_spaces", identity.UserID) - managerPath = fmt.Sprintf("/v2/users/%s/managed_spaces", identity.UserID) - orgsPath = fmt.Sprintf("/v2/users/%s/organizations", identity.UserID) + devPath = fmt.Sprintf("/v3/users/%s/spaces", identity.UserID) + auditorPath = fmt.Sprintf("/v3/users/%s/audited_spaces", identity.UserID) + managerPath = fmt.Sprintf("/v3/users/%s/managed_spaces", identity.UserID) + orgsPath = fmt.Sprintf("/v3/users/%s/organizations", identity.UserID) ) if s.Groups { 
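Review bot: Only the path prefix changes from `/v2` to `/v3` in `HandleCallback` (hunk `@@ -349,10 +349,10 @@`), while `ccResponse` as last defined in this series still decodes the v2 field names `next_url`, `metadata` and `entity`. If the v3 responses have a different shape, as patch 20's switch to `pagination.next.href` and flat `guid`/`name` suggests, the decode yields empty resources and the user silently receives no group claims at this commit. The test server is renamed in the same commit and keeps serving the old shape, so the tests cannot catch this. Separately, `identity.UserID` is interpolated into the request path unescaped; `url.PathEscape(identity.UserID)` would stop an unexpected value from altering the path, though it needs a `net/url` import that the import block shown in this series does not have. The enclosing function starts and ends outside the hunk.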
diff --git a/connector/cloudfoundry/cloudfoundry_test.go b/connector/cloudfoundry/cloudfoundry_test.go index 73b521a917..b7c2e0ba46 100644 --- a/connector/cloudfoundry/cloudfoundry_test.go +++ b/connector/cloudfoundry/cloudfoundry_test.go @@ -109,7 +109,7 @@ func testSpaceHandler(reqURL, spaceAPIEndpoint string) (result map[string]interf }, } } else { - nextURL := fmt.Sprintf("/v2/users/12345/%s?order-direction=asc&page=2&results-per-page=50", spaceAPIEndpoint) + nextURL := fmt.Sprintf("/v3/users/12345/%s?order-direction=asc&page=2&results-per-page=50", spaceAPIEndpoint) result = map[string]interface{}{ "next_url": nextURL, "resources": []map[string]interface{}{ @@ -139,7 +139,7 @@ func testOrgHandler(reqURL string) (result map[string]interface{}) { } } else { result = map[string]interface{}{ - "next_url": "/v2/users/12345/organizations?order-direction=asc&page=2&results-per-page=50", + "next_url": "/v3/users/12345/organizations?order-direction=asc&page=2&results-per-page=50", "resources": []map[string]interface{}{ { "metadata": map[string]string{"guid": "some-org-guid-1"}, @@ -165,7 +165,7 @@ func testSetup() *httptest.Server { }) }) - mux.HandleFunc("/v2/info", func(w http.ResponseWriter, r *http.Request) { + mux.HandleFunc("/v3/info", func(w http.ResponseWriter, r *http.Request) { url := fmt.Sprintf("http://%s", r.Host) json.NewEncoder(w).Encode(map[string]string{ @@ -194,7 +194,7 @@ func testSetup() *httptest.Server { }) }) - mux.HandleFunc("/v2/users/", func(w http.ResponseWriter, r *http.Request) { + mux.HandleFunc("/v3/users/", func(w http.ResponseWriter, r *http.Request) { var result map[string]interface{} reqURL := r.URL.String() From c67eb796115f1e051b920a067a5995f23f945dd3 Mon Sep 17 00:00:00 2001 From: Kump3r Date: Fri, 3 Jan 2025 11:25:51 +0200 Subject: [PATCH 17/27] Add missing endpoint Signed-off-by: Kump3r --- connector/cloudfoundry/cloudfoundry.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/connector/cloudfoundry/cloudfoundry.go b/connector/cloudfoundry/cloudfoundry.go index 3eeaae9881..acfb77fdb3 100644 --- a/connector/cloudfoundry/cloudfoundry.go +++ b/connector/cloudfoundry/cloudfoundry.go @@ -94,7 +94,7 @@ func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error) } apiURL := strings.TrimRight(c.APIURL, "/") - apiResp, err := cloudfoundryConn.httpClient.Get(fmt.Sprintf("%s/v2/info", apiURL)) + apiResp, err := cloudfoundryConn.httpClient.Get(fmt.Sprintf("%s/v3/info", apiURL)) if err != nil { logger.Errorf("failed-to-send-request-to-cloud-controller-api", err) return nil, err From ed2e674dc2e606eea78835f2e847dac7068c32b5 Mon Sep 17 00:00:00 2001 From: Kump3r Date: Tue, 7 Jan 2025 12:28:51 +0200 Subject: [PATCH 18/27] Refactor CloudFoundry API request handling to use updated response structure Signed-off-by: Kump3r --- connector/cloudfoundry/cloudfoundry.go | 13 ++++++++++--- connector/cloudfoundry/cloudfoundry_test.go | 10 +++++++--- 2 files changed, 17 insertions(+), 6 deletions(-) diff --git a/connector/cloudfoundry/cloudfoundry.go b/connector/cloudfoundry/cloudfoundry.go index acfb77fdb3..32ec6a9157 100644 --- a/connector/cloudfoundry/cloudfoundry.go +++ b/connector/cloudfoundry/cloudfoundry.go @@ -94,7 +94,7 @@ func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error) } apiURL := strings.TrimRight(c.APIURL, "/") - apiResp, err := cloudfoundryConn.httpClient.Get(fmt.Sprintf("%s/v3/info", apiURL)) + apiResp, err := cloudfoundryConn.httpClient.Get(apiURL) if err != nil { logger.Errorf("failed-to-send-request-to-cloud-controller-api", err) return nil, err 
@@ -108,10 +108,17 @@ func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error) return nil, err } - var apiResult map[string]interface{} + var apiResult struct { + Links struct { + Login struct { + Href string `json:"href"` + } `json:"login"` + } `json:"links"` + } + json.NewDecoder(apiResp.Body).Decode(&apiResult) - uaaURL := strings.TrimRight(apiResult["authorization_endpoint"].(string), "/") + uaaURL := strings.TrimRight(apiResult.Links.Login.Href, "/") uaaResp, err := cloudfoundryConn.httpClient.Get(fmt.Sprintf("%s/.well-known/openid-configuration", uaaURL)) if err != nil { logger.Errorf("failed-to-send-request-to-uaa-api", err) diff --git a/connector/cloudfoundry/cloudfoundry_test.go b/connector/cloudfoundry/cloudfoundry_test.go index b7c2e0ba46..e90f66a7c9 100644 --- a/connector/cloudfoundry/cloudfoundry_test.go +++ b/connector/cloudfoundry/cloudfoundry_test.go @@ -165,11 +165,15 @@ func testSetup() *httptest.Server { }) }) - mux.HandleFunc("/v3/info", func(w http.ResponseWriter, r *http.Request) { + mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { url := fmt.Sprintf("http://%s", r.Host) - json.NewEncoder(w).Encode(map[string]string{ - "authorization_endpoint": url, + json.NewEncoder(w).Encode(map[string]interface{}{ + "links": map[string]interface{}{ + "login": map[string]string{ + "href": url, + }, + }, }) }) From b4fbac46f8d151a096918255f33be2258b068932 Mon Sep 17 00:00:00 2001 From: Kump3r Date: Thu, 9 Jan 2025 15:35:04 +0200 Subject: [PATCH 19/27] Use simple structures for the apiResult Signed-off-by: Kump3r --- connector/cloudfoundry/cloudfoundry.go | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/connector/cloudfoundry/cloudfoundry.go b/connector/cloudfoundry/cloudfoundry.go index 32ec6a9157..1aad39ce95 100644 --- a/connector/cloudfoundry/cloudfoundry.go +++ b/connector/cloudfoundry/cloudfoundry.go 
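Review bot: The result of `json.NewDecoder(apiResp.Body).Decode(&apiResult)` in `Open` is discarded and `apiResult.Links.Login.Href` is used without checking that it is non-empty, so a malformed root document produces a request to a host-less `/.well-known/openid-configuration` and a misleading error. Handle both cases, e.g. `if err := json.NewDecoder(apiResp.Body).Decode(&apiResult); err != nil { return nil, fmt.Errorf("failed to parse api response: %v", err) }` followed by `if apiResult.Links.Login.Href == "" { return nil, errors.New("login link missing from api response") }`. Because the UAA endpoints are discovered through this link, failing early here is preferable to continuing with an empty value. The same ignored decode remains in the `@@ -108,13 +120,7 @@` hunk of patch 19; `Open` continues outside both hunks.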
@@ -77,6 +77,18 @@ type org struct { GUID string } +type infoResp struct { + Links links `json:"links"` +} + +type links struct { + Login login `json:"login"` +} + +type login struct { + Href string `json:"href"` +} + func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error) { var err error @@ -108,13 +120,7 @@ func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error) return nil, err } - var apiResult struct { - Links struct { - Login struct { - Href string `json:"href"` - } `json:"login"` - } `json:"links"` - } + var apiResult infoResp json.NewDecoder(apiResp.Body).Decode(&apiResult) From 716709b27959b8d56cb71d13462a509bd7081f3b Mon Sep 17 00:00:00 2001 From: IvanChalukov Date: Thu, 9 Jan 2025 16:58:54 +0200 Subject: [PATCH 20/27] Switching to CF API V3 endpoints Signed-off-by: IvanChalukov --- connector/cloudfoundry/cloudfoundry.go | 119 ++++++++++++++----------- 1 file changed, 65 insertions(+), 54 deletions(-) diff --git a/connector/cloudfoundry/cloudfoundry.go b/connector/cloudfoundry/cloudfoundry.go index 1aad39ce95..3ba88df5ee 100644 --- a/connector/cloudfoundry/cloudfoundry.go +++ b/connector/cloudfoundry/cloudfoundry.go 
@@ -46,25 +46,43 @@ type Config struct { } type ccResponse struct { - NextURL string `json:"next_url"` - Resources []resource `json:"resources"` - TotalResults int `json:"total_results"` + Pagination pagination `json:"pagination"` + Resources []resource `json:"resources"` } -type resource struct { - Metadata metadata `json:"metadata"` - Entity entity `json:"entity"` +type pagination struct { + Next href `json:"next"` +} + +type href struct { + Href string `json:"href"` } -type metadata struct { +type resource struct { GUID string `json:"guid"` + Name string `json:"name,omitempty"` + Type string `json:"type,omitempty"` + Relationships relationships `json:"relationships"` } -type entity struct { - Name string `json:"name"` - OrganizationGUID string `json:"organization_guid"` +type relationships struct { + Organization relOrganization `json:"organization"` + Space relSpace `json:"space"` } +type relOrganization struct { + Data data `json:"data"` +} + +type relSpace struct { + Data data `json:"data"` +} + +type data struct { + GUID string `json:"guid"` +} + + type space struct { Name string GUID string 
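Review bot: `relOrganization` and `relSpace` are declared with identical bodies (a single `Data data` field), so one shared type, for example `relationship`, could serve both fields of `relationships`. None of the new types has a comment saying which Cloud Foundry v3 document it mirrors; a line on `resource` such as `// resource decodes one entry of a v3 list response; Name, Type and Relationships are set only for some resource kinds` would help, if that reading is right. The hunk also appears to add two consecutive blank lines before `type space struct`, which gofmt would collapse.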
@@ -204,40 +222,39 @@ func (c *cloudfoundryConnector) LoginURL(scopes connector.Scopes, callbackURL, s return oauth2Config.AuthCodeURL(state), nil } -func fetchRoleSpaces(baseURL, path, role string, client *http.Client) ([]space, error) { - resources, err := fetchResources(baseURL, path, client) - if err != nil { - return nil, fmt.Errorf("failed to fetch resources: %v", err) - } +func filterUserOrgsSpaces(userOrgsSpaces []resource, orgs []resource, spaces []resource) ([]org, []space) { + var filteredOrgs []org + var filteredSpaces []space + + orgMap := make(map[string]org) + spaceMap := make(map[string]space) - spaces := make([]space, len(resources)) - for i, resource := range resources { - spaces[i] = space{ - Name: resource.Entity.Name, - GUID: resource.Metadata.GUID, - OrgGUID: resource.Entity.OrganizationGUID, - Role: role, + for _, org_resource := range orgs { + orgMap[org_resource.GUID] = org{ + Name: org_resource.Name, + GUID: org_resource.GUID, } } - return spaces, nil -} - -func fetchOrgs(baseURL, path string, client *http.Client) ([]org, error) { - resources, err := fetchResources(baseURL, path, client) - if err != nil { - return nil, fmt.Errorf("failed to fetch resources: %v", err) + for _, space_resource := range spaces { + spaceMap[space_resource.GUID] = space{ + Name: space_resource.Name, + GUID: space_resource.GUID, + OrgGUID: space_resource.Relationships.Organization.Data.GUID, + } } - orgs := make([]org, len(resources)) - for i, resource := range resources { - orgs[i] = org{ - Name: resource.Entity.Name, - GUID: resource.Metadata.GUID, + for _, userOrgSpace := range userOrgsSpaces { + if space, ok := spaceMap[userOrgSpace.Relationships.Space.Data.GUID]; ok { + space.Role = strings.TrimPrefix(userOrgSpace.Type, "space_") + filteredSpaces = append(filteredSpaces, space) + } + if org, ok := orgMap[userOrgSpace.Relationships.Organization.Data.GUID]; ok { + filteredOrgs = append(filteredOrgs, org) } } - return orgs, nil + return filteredOrgs, 
filteredSpaces } func fetchResources(baseURL, path string, client *http.Client) ([]resource, error) { @@ -262,12 +279,12 @@ func fetchResources(baseURL, path string, client *http.Client) ([]resource, erro response := ccResponse{} err = json.NewDecoder(resp.Body).Decode(&response) if err != nil { - return nil, fmt.Errorf("failed to parse spaces: %v", err) + return nil, fmt.Errorf("failed to parse response: %v", err) } resources = append(resources, response.Resources...) - path = response.NextURL + path = strings.TrimPrefix(response.Pagination.Next.Href, baseURL) if path == "" { break } 
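Review bot: filterUserOrgsSpaces appends an org for every role row that carries an organization GUID, so a user holding several roles in one org gets that org repeated in `filteredOrgs`. Whether getGroupsClaims removes duplicates is not visible here, so either dedupe in this function (a `seen := make(map[string]struct{})` keyed by org GUID, checked before the append) or add a comment saying the caller handles it. The loop variables `org_resource` and `space_resource` should be MixedCaps (`orgRes`, `spaceRes`), and the locals `space` and `org` in the last loop shadow the types of the same name. A doc comment such as `// filterUserOrgsSpaces returns the orgs and spaces referenced by the user's role resources; a space appears once per role.` would record the intended contract.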
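Review bot: `path = strings.TrimPrefix(response.Pagination.Next.Href, baseURL)` takes the next link from the response body without checking it: when the href does not start with `baseURL` (other host or scheme, or a trailing-slash difference) the full absolute URL stays in `path`. How `path` becomes the next request is outside this hunk, but the result is either a malformed URL or a request that leaves the configured API host with whatever credentials `client` carries. Reject unexpected links before trimming, e.g. `if next := response.Pagination.Next.Href; next != "" && !strings.HasPrefix(next, baseURL) { return nil, fmt.Errorf("unexpected pagination link %q", next) }`; the test mocks would then have to return absolute links. A cap on the number of pages would also bound the loop against a server that never stops returning a next link. fetchResources starts and ends outside the hunk.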
@@ -362,36 +379,30 @@ func (c *cloudfoundryConnector) HandleCallback(s connector.Scopes, r *http.Reque identity.EmailVerified, _ = userInfoResult["email_verified"].(bool) var ( - devPath = fmt.Sprintf("/v3/users/%s/spaces", identity.UserID) - auditorPath = fmt.Sprintf("/v3/users/%s/audited_spaces", identity.UserID) - managerPath = fmt.Sprintf("/v3/users/%s/managed_spaces", identity.UserID) - orgsPath = fmt.Sprintf("/v3/users/%s/organizations", identity.UserID) + orgsPath = fmt.Sprintf("/v3/organizations") + spacesPath = fmt.Sprintf("/v3/spaces") + userOrgsSpacesPath = fmt.Sprintf("/v3/roles?user_guids=%s&types=space_developer,space_manager,space_auditor,organization_user", identity.UserID) ) if s.Groups { - orgs, err := fetchOrgs(c.apiURL, orgsPath, client) - if err != nil { - return identity, fmt.Errorf("failed to fetch organizaitons: %v", err) - } - - developerSpaces, err := fetchRoleSpaces(c.apiURL, devPath, "developer", client) + userOrgsSpaces, err := fetchResources(c.apiURL, userOrgsSpacesPath, client) if err != nil { - return identity, fmt.Errorf("failed to fetch spaces for developer roles: %v", err) + return identity, fmt.Errorf("failed to fetch user organizations: %v", err) } - auditorSpaces, err := fetchRoleSpaces(c.apiURL, auditorPath, "auditor", client) + orgs, err := fetchResources(c.apiURL, orgsPath, client) if err != nil { - return identity, fmt.Errorf("failed to fetch spaces for developer roles: %v", err) + return identity, fmt.Errorf("failed to fetch organizaitons: %v", err) } - managerSpaces, err := fetchRoleSpaces(c.apiURL, managerPath, "manager", client) + spaces, err := fetchResources(c.apiURL, spacesPath, client) if err != nil { - return identity, fmt.Errorf("failed to fetch spaces for developer roles: %v", err) + return identity, fmt.Errorf("failed to fetch spaces: %v", err) } - developerSpaces = append(developerSpaces, append(auditorSpaces, managerSpaces...)...) 
+ developerOrgs, developerSpaces := filterUserOrgsSpaces(userOrgsSpaces, orgs, spaces) - identity.Groups = getGroupsClaims(orgs, developerSpaces) + identity.Groups = getGroupsClaims(developerOrgs, developerSpaces) } if s.OfflineAccess { From b94e636f005f2f7d1a9c2d441fbcff1a8481d527 Mon Sep 17 00:00:00 2001 From: Kump3r Date: Fri, 10 Jan 2025 16:20:58 +0200 Subject: [PATCH 21/27] Addapt cloudfoundry_test.go acceptance tests for CF API v3 Signed-off-by: Kump3r --- connector/cloudfoundry/cloudfoundry.go | 19 +- connector/cloudfoundry/cloudfoundry_test.go | 351 +++++++++++++++++--- 2 files changed, 322 insertions(+), 48 deletions(-) diff --git a/connector/cloudfoundry/cloudfoundry.go b/connector/cloudfoundry/cloudfoundry.go index 3ba88df5ee..472c14e9ad 100644 --- a/connector/cloudfoundry/cloudfoundry.go +++ b/connector/cloudfoundry/cloudfoundry.go @@ -47,27 +47,27 @@ type Config struct { type ccResponse struct { Pagination pagination `json:"pagination"` - Resources []resource `json:"resources"` + Resources []resource `json:"resources"` } type pagination struct { - Next href `json:"next"` + Next href `json:"next"` } type href struct { - Href string `json:"href"` + Href string `json:"href"` } type resource struct { - GUID string `json:"guid"` - Name string `json:"name,omitempty"` - Type string `json:"type,omitempty"` + GUID string `json:"guid"` + Name string `json:"name,omitempty"` + Type string `json:"type,omitempty"` Relationships relationships `json:"relationships"` } type relationships struct { Organization relOrganization `json:"organization"` - Space relSpace `json:"space"` + Space relSpace `json:"space"` } type relOrganization struct { @@ -82,7 +82,6 @@ type data struct { GUID string `json:"guid"` } - type space struct { Name string GUID string 
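Review bot: `identity.UserID` is formatted into the `/v3/roles?user_guids=%s&types=...` query string unescaped, so an ID containing `&`, `#` or `,` would change the filter that decides which roles, and therefore which group claims, are returned. The value presumably comes from the userinfo response parsed above the hunk; escape it anyway with `url.QueryEscape(identity.UserID)` (this needs `net/url`, and the import block is not part of this hunk). Separately, `/v3/organizations` and `/v3/spaces` are now paged through in full on every login and filtered in memory, so login cost grows with everything the token can list; if the API's GUID filters are usable here, requesting only the GUIDs named in the role resources would avoid that. The typo in `"failed to fetch organizaitons: %v"` is carried over onto the new line. HandleCallback starts and ends outside the hunk.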
@@ -379,8 +378,8 @@ func (c *cloudfoundryConnector) HandleCallback(s connector.Scopes, r *http.Reque identity.EmailVerified, _ = userInfoResult["email_verified"].(bool) var ( - orgsPath = fmt.Sprintf("/v3/organizations") - spacesPath = fmt.Sprintf("/v3/spaces") + orgsPath = "/v3/organizations" + spacesPath = "/v3/spaces" userOrgsSpacesPath = fmt.Sprintf("/v3/roles?user_guids=%s&types=space_developer,space_manager,space_auditor,organization_user", identity.UserID) ) diff --git a/connector/cloudfoundry/cloudfoundry_test.go b/connector/cloudfoundry/cloudfoundry_test.go index e90f66a7c9..383ade22f6 100644 --- a/connector/cloudfoundry/cloudfoundry_test.go +++ b/connector/cloudfoundry/cloudfoundry_test.go 
@@ -97,25 +97,51 @@ func TestHandleCallback(t *testing.T) { }) } -func testSpaceHandler(reqURL, spaceAPIEndpoint string) (result map[string]interface{}) { - fullURL := fmt.Sprintf("%s?order-direction=asc&page=2&results-per-page=50", spaceAPIEndpoint) - if strings.Contains(reqURL, fullURL) { +func testSpaceHandler(reqURL string) (result map[string]interface{}) { + if strings.Contains(reqURL, "spaces?page=2&per_page=50") { result = map[string]interface{}{ + "pagination": map[string]interface{}{ + "next": map[string]interface{}{ + "href": nil, + }, + }, "resources": []map[string]interface{}{ { - "metadata": map[string]string{"guid": "some-space-guid-2"}, - "entity": map[string]string{"name": "some-space-name-2", "organization_guid": "some-org-guid-2"}, + "guid": "some-space-guid-2", + "name": "some-space-name-2", + "relationships": map[string]interface{}{ + "user": nil, + "organization": map[string]interface{}{ + "data": map[string]interface{}{ + "guid": "some-org-guid-2", + }, + }, + "space": nil, + }, }, }, } } else { - nextURL := fmt.Sprintf("/v3/users/12345/%s?order-direction=asc&page=2&results-per-page=50", spaceAPIEndpoint) + nextURL := fmt.Sprintf("%s?page=2&per_page=50", reqURL) result = map[string]interface{}{ - "next_url": nextURL, + "pagination": map[string]interface{}{ + "next": map[string]interface{}{ + "href": nextURL, + }, + }, "resources": []map[string]interface{}{ { - "metadata": map[string]string{"guid": "some-space-guid-1"}, - "entity": map[string]string{"name": "some-space-name-1", "organization_guid": "some-org-guid-1"}, + "guid": "some-space-guid-1", + "name": "some-space-name-1", + "relationships": map[string]interface{}{ + "user": nil, + "organization": map[string]interface{}{ + "data": map[string]interface{}{ + "guid": "some-org-guid-1", + }, + }, + "space": nil, + }, }, }, } 
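Review bot: The paginated mock builds its `href` as `fmt.Sprintf("%s?page=2&per_page=50", reqURL)` from `r.URL.String()`, which is a relative path, so the `strings.TrimPrefix(..., baseURL)` added to fetchResources is never exercised with an absolute link. testOrgHandler and testUserOrgsSpacesHandler in the following hunk use the same pattern, and for `/v3/roles` the request already has a query string, so the generated link contains a second `?`. Build the link from the server address instead, e.g. `"http://" + r.Host + r.URL.Path + "?page=2&per_page=50"`, and join with `&` where a query is already present. A case whose next link points at a different host would pin how the connector reacts to an unexpected pagination target.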
@@ -124,30 +150,290 @@ func testSpaceHandler(reqURL, spaceAPIEndpoint string) (result map[string]interf } func testOrgHandler(reqURL string) (result map[string]interface{}) { - if strings.Contains(reqURL, "organizations?order-direction=asc&page=2&results-per-page=50") { + if strings.Contains(reqURL, "organizations?page=2&per_page=50") { + result = map[string]interface{}{ + "pagination": map[string]interface{}{ + "next": map[string]interface{}{ + "href": nil, + }, + }, + "resources": []map[string]interface{}{ + { + "guid": "some-org-guid-3", + "name": "some-org-name-3", + "relationships": map[string]interface{}{ + "user": nil, + "organization": nil, + "space": nil, + }, + }, + { + "guid": "some-org-guid-4", + "name": "some-org-name-4", + "relationships": map[string]interface{}{ + "user": nil, + "organization": nil, + "space": nil, + }, + }, + }, + } + } else { + nextURL := fmt.Sprintf("%s?page=2&per_page=50", reqURL) + result = map[string]interface{}{ + "pagination": map[string]interface{}{ + "next": map[string]interface{}{ + "href": nextURL, + }, + }, + "resources": []map[string]interface{}{ + { + "guid": "some-org-guid-1", + "name": "some-org-name-1", + "relationships": map[string]interface{}{ + "user": nil, + "organization": nil, + "space": map[string]interface{}{ + "data": map[string]interface{}{ + "guid": "some-space-guid-1", + }, + }, + }, + }, + { + "guid": "some-org-guid-2", + "name": "some-org-name-2", + "relationships": map[string]interface{}{ + "user": nil, + "organization": nil, + "space": map[string]interface{}{ + "data": map[string]interface{}{ + "guid": "some-space-guid-2", + }, + }, + }, + }, + }, + } + } + return result +} + +func testUserOrgsSpacesHandler(reqURL string) (result map[string]interface{}) { + if strings.Contains(reqURL, "page=2&per_page=50") { result = map[string]interface{}{ + "pagination": map[string]interface{}{ + "next": map[string]interface{}{ + "href": nil, + }, + }, "resources": []map[string]interface{}{ { - "metadata": 
map[string]string{"guid": "some-org-guid-3"}, - "entity": map[string]string{"name": "some-org-name-3"}, + "guid": "some-type-guid-3", + "type": "organization_user", + "relationships": map[string]interface{}{ + "user": nil, + "organization": map[string]interface{}{ + "data": map[string]interface{}{ + "guid": "some-org-guid-3", + }, + }, + "space": nil, + }, + }, + { + "guid": "some-type-guid-4", + "type": "organization_user", + "relationships": map[string]interface{}{ + "user": nil, + "organization": map[string]interface{}{ + "data": map[string]interface{}{ + "guid": "some-org-guid-4", + }, + }, + "space": nil, + }, + }, + { + "guid": "some-type-guid-1", + "type": "space_manager", + "relationships": map[string]interface{}{ + "user": nil, + "organization": map[string]interface{}{ + "data": map[string]interface{}{ + "guid": "some-org-guid-1", + }, + }, + "space": map[string]interface{}{ + "data": map[string]interface{}{ + "guid": "some-space-guid-1", + }, + }, + }, + }, + { + "guid": "some-type-guid-2", + "type": "space_developer", + "relationships": map[string]interface{}{ + "user": nil, + "organization": map[string]interface{}{ + "data": map[string]interface{}{ + "guid": "some-org-guid-2", + }, + }, + "space": map[string]interface{}{ + "data": map[string]interface{}{ + "guid": "some-space-guid-2", + }, + }, + }, }, { - "metadata": map[string]string{"guid": "some-org-guid-4"}, - "entity": map[string]string{"name": "some-org-name-4"}, + "guid": "some-type-guid-2", + "type": "space_auditor", + "relationships": map[string]interface{}{ + "user": nil, + "organization": map[string]interface{}{ + "data": map[string]interface{}{ + "guid": "some-org-guid-2", + }, + }, + "space": map[string]interface{}{ + "data": map[string]interface{}{ + "guid": "some-space-guid-2", + }, + }, + }, + }, + { + "guid": "some-type-guid-2", + "type": "space_manager", + "relationships": map[string]interface{}{ + "user": nil, + "organization": map[string]interface{}{ + "data": 
map[string]interface{}{ + "guid": "some-org-guid-2", + }, + }, + "space": map[string]interface{}{ + "data": map[string]interface{}{ + "guid": "some-space-guid-2", + }, + }, + }, }, }, } } else { + nextURL := fmt.Sprintf("%s?page=2&per_page=50", reqURL) result = map[string]interface{}{ - "next_url": "/v3/users/12345/organizations?order-direction=asc&page=2&results-per-page=50", + "pagination": map[string]interface{}{ + "next": map[string]interface{}{ + "href": nextURL, + }, + }, "resources": []map[string]interface{}{ { - "metadata": map[string]string{"guid": "some-org-guid-1"}, - "entity": map[string]string{"name": "some-org-name-1"}, + "guid": "some-type-guid-1", + "type": "space_developer", + "relationships": map[string]interface{}{ + "user": nil, + "organization": map[string]interface{}{ + "data": map[string]interface{}{ + "guid": "some-org-guid-1", + }, + }, + "space": map[string]interface{}{ + "data": map[string]interface{}{ + "guid": "some-space-guid-1", + }, + }, + }, }, { - "metadata": map[string]string{"guid": "some-org-guid-2"}, - "entity": map[string]string{"name": "some-org-name-2"}, + "guid": "some-type-guid-1", + "type": "space_auditor", + "relationships": map[string]interface{}{ + "user": nil, + "organization": map[string]interface{}{ + "data": map[string]interface{}{ + "guid": "some-org-guid-1", + }, + }, + "space": map[string]interface{}{ + "data": map[string]interface{}{ + "guid": "some-space-guid-1", + }, + }, + }, + }, + { + "guid": "some-type-guid-1", + "type": "space_manager", + "relationships": map[string]interface{}{ + "user": nil, + "organization": map[string]interface{}{ + "data": map[string]interface{}{ + "guid": "some-org-guid-1", + }, + }, + "space": map[string]interface{}{ + "data": map[string]interface{}{ + "guid": "some-space-guid-1", + }, + }, + }, + }, + { + "guid": "some-type-guid-2", + "type": "space_developer", + "relationships": map[string]interface{}{ + "user": nil, + "organization": map[string]interface{}{ + "data": 
map[string]interface{}{ + "guid": "some-org-guid-2", + }, + }, + "space": map[string]interface{}{ + "data": map[string]interface{}{ + "guid": "some-space-guid-2", + }, + }, + }, + }, + { + "guid": "some-type-guid-2", + "type": "space_auditor", + "relationships": map[string]interface{}{ + "user": nil, + "organization": map[string]interface{}{ + "data": map[string]interface{}{ + "guid": "some-org-guid-2", + }, + }, + "space": map[string]interface{}{ + "data": map[string]interface{}{ + "guid": "some-space-guid-2", + }, + }, + }, + }, + { + "guid": "some-type-guid-2", + "type": "space_manager", + "relationships": map[string]interface{}{ + "user": nil, + "organization": map[string]interface{}{ + "data": map[string]interface{}{ + "guid": "some-org-guid-2", + }, + }, + "space": map[string]interface{}{ + "data": map[string]interface{}{ + "guid": "some-space-guid-2", + }, + }, + }, }, }, } 
@@ -198,27 +484,16 @@ func testSetup() *httptest.Server { }) }) - mux.HandleFunc("/v3/users/", func(w http.ResponseWriter, r *http.Request) { - var result map[string]interface{} - - reqURL := r.URL.String() - if strings.Contains(reqURL, "/spaces") { - result = testSpaceHandler(reqURL, "spaces") - } - - if strings.Contains(reqURL, "/audited_spaces") { - result = testSpaceHandler(reqURL, "audited_spaces") - } - - if strings.Contains(reqURL, "/managed_spaces") { - result = testSpaceHandler(reqURL, "managed_spaces") - } + mux.HandleFunc("/v3/organizations", func(w http.ResponseWriter, r *http.Request) { + json.NewEncoder(w).Encode(testOrgHandler(r.URL.String())) + }) - if strings.Contains(reqURL, "organizations") { - result = testOrgHandler(reqURL) - } + mux.HandleFunc("/v3/spaces", func(w http.ResponseWriter, r *http.Request) { + json.NewEncoder(w).Encode(testSpaceHandler(r.URL.String())) + }) - json.NewEncoder(w).Encode(result) + mux.HandleFunc("/v3/roles", func(w http.ResponseWriter, r *http.Request) { + json.NewEncoder(w).Encode(testUserOrgsSpacesHandler(r.URL.String())) }) return httptest.NewServer(mux) From 00dd862f85a9d2dd97ac581b9dacf539ab65a18a Mon Sep 17 00:00:00 2001 From: Rui Yang Date: Wed, 10 Nov 2021 14:43:22 -0500 Subject: [PATCH 22/27] add client crendential grant type Signed-off-by: Rui Yang --- server/handlers.go | 25 +++++++++++++++++++++++++ server/oauth2.go | 1 + 2 files changed, 26 insertions(+) diff --git a/server/handlers.go b/server/handlers.go index 63cb612295..bb8572697c 100644 --- a/server/handlers.go +++ b/server/handlers.go @@ -859,6 +859,8 @@ func (s *Server) handleToken(w http.ResponseWriter, r *http.Request) { s.withClientFromStorage(w, r, s.handlePasswordGrant) case grantTypeTokenExchange: s.withClientFromStorage(w, r, s.handleTokenExchange) + case grantTypeClientCredentials: + s.withClientFromStorage(w, r, s.handleClientCredentialsGrant) default: s.tokenErrHelper(w, errUnsupportedGrantType, "", http.StatusBadRequest) } 
@@ -1111,6 +1113,29 @@ func (s *Server) handleUserInfo(w http.ResponseWriter, r *http.Request) { w.Write(claims) } +func (s *Server) handleClientCredentialsGrant(w http.ResponseWriter, r *http.Request, client storage.Client) { + if err := r.ParseForm(); err != nil { + s.tokenErrHelper(w, errInvalidRequest, "Couldn't parse data", http.StatusBadRequest) + return + } + q := r.Form + + nonce := q.Get("nonce") + scopes := strings.Fields(q.Get("scope")) + + claims := storage.Claims{UserID: client.ID} + + accessToken := storage.NewID() + idToken, expiry, err := s.newIDToken(r.Context(), client.ID, claims, scopes, nonce, accessToken, "", "client") + if err != nil { + s.tokenErrHelper(w, errServerError, fmt.Sprintf("failed to create ID token: %v", err), http.StatusInternalServerError) + return + } + + resp := s.toAccessTokenResponse(idToken, accessToken, "", expiry) + s.writeAccessToken(w, resp) +} + func (s *Server) handlePasswordGrant(w http.ResponseWriter, r *http.Request, client storage.Client) { ctx := r.Context() // Parse the fields diff --git a/server/oauth2.go b/server/oauth2.go index ec972beab1..f4641695d7 100644 --- a/server/oauth2.go +++ b/server/oauth2.go @@ -133,6 +133,7 @@ const ( grantTypePassword = "password" grantTypeDeviceCode = "urn:ietf:params:oauth:grant-type:device_code" grantTypeTokenExchange = "urn:ietf:params:oauth:grant-type:token-exchange" + grantTypeClientCredentials = "client_credentials" ) const ( From 99ae85c58a715deea627210dd4c4f236a3d5760b Mon Sep 17 00:00:00 2001 From: Michael Kelly Date: Fri, 3 Dec 2021 10:17:21 -0800 Subject: [PATCH 23/27] Fix issues in existing client credentials change This fixes two issues in the existing client credentials change: - client_credentials was not listed as a supported grant type - access tokens are not the storage ID Signed-off-by: Michael Kelly --- server/handlers.go | 8 +++++++- server/server.go | 1 + 2 files changed, 8 insertions(+), 1 deletion(-) 
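Review bot: handleClientCredentialsGrant passes `strings.Fields(q.Get("scope"))` straight into newIDToken without any check, so the caller chooses which scopes end up in the issued tokens. Validation may happen inside newIDToken or withClientFromStorage, which are not visible here, but the handler itself should refuse scopes that make no sense without a user and should return `unauthorized_client` for public clients (`if client.Public { ... }`), since they hold no secret to authenticate with. The subject is set with `storage.Claims{UserID: client.ID}` and the literal connector ID `"client"`; a connector configured under that same ID would produce tokens that cannot be told apart, so a reserved constant with a comment is safer than the bare string. A doc comment stating that this grant issues tokens on behalf of the client itself, with no end user, would help the next reader.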
diff --git a/server/handlers.go b/server/handlers.go index bb8572697c..2f94d8fc14 100644 --- a/server/handlers.go +++ b/server/handlers.go @@ -1125,7 +1125,13 @@ func (s *Server) handleClientCredentialsGrant(w http.ResponseWriter, r *http.Req claims := storage.Claims{UserID: client.ID} - accessToken := storage.NewID() + accessToken, _, err := s.newAccessToken(r.Context(), client.ID, claims, scopes, nonce, "client") + if err != nil { + s.logger.ErrorContext(r.Context(), "failed to create new access token", "err", err) + s.tokenErrHelper(w, errServerError, err.Error(), http.StatusInternalServerError) + return + } + idToken, expiry, err := s.newIDToken(r.Context(), client.ID, claims, scopes, nonce, accessToken, "", "client") if err != nil { s.tokenErrHelper(w, errServerError, fmt.Sprintf("failed to create ID token: %v", err), http.StatusInternalServerError) diff --git a/server/server.go b/server/server.go index 1cf71c5038..7269c5ae9b 100644 --- a/server/server.go +++ b/server/server.go @@ -236,6 +236,7 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy) grantTypeRefreshToken: true, grantTypeDeviceCode: true, grantTypeTokenExchange: true, + grantTypeClientCredentials: true, } supportedRes := make(map[string]bool) From f72d7ebca5d70800a57b8a67aff91c77c8b01bec Mon Sep 17 00:00:00 2001 From: Rui Yang Date: Tue, 2 Aug 2022 13:48:38 -0400 Subject: [PATCH 24/27] Fix tests in TestServerSupportedGrants for client credentials Signed-off-by: Rui Yang --- server/handlers_test.go | 1 + server/server_test.go | 9 +++++---- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/server/handlers_test.go b/server/handlers_test.go index d32101b1cf..58a00d4df4 100644 --- a/server/handlers_test.go +++ b/server/handlers_test.go 
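Review bot: The new error branch sends `err.Error()` to the caller through `s.tokenErrHelper(w, errServerError, err.Error(), http.StatusInternalServerError)`, which exposes internal storage or signing error text in the token response. The error is already logged on the line above, so the response can carry a fixed description: `s.tokenErrHelper(w, errServerError, "", http.StatusInternalServerError)`. The context line below, `fmt.Sprintf("failed to create ID token: %v", err)`, has the same leak and could be changed alongside. The second return value of newAccessToken is dropped with `_`; if it is the expiry, a short comment explaining why the ID token's expiry is used instead would help. handleClientCredentialsGrant starts before this hunk.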
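Review bot: Adding `grantTypeClientCredentials: true` to this map switches the grant on for every deployment with no opt-in; the "Simple" case of TestServerSupportedGrants, with an empty config, expects it in the advertised list after the following commit. Every existing client that holds a secret can then obtain tokens without a user, which is a behaviour change operators would want to enable deliberately. Consider gating it behind a config field or a per-client flag, or at least a comment on this entry and a release note. newServer's body continues outside the hunk.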
@@ -63,6 +63,7 @@ func TestHandleDiscovery(t *testing.T) { Introspect: fmt.Sprintf("%s/token/introspect", httpServer.URL), GrantTypes: []string{ "authorization_code", + "client_credentials", "refresh_token", "urn:ietf:params:oauth:grant-type:device_code", "urn:ietf:params:oauth:grant-type:token-exchange", diff --git a/server/server_test.go b/server/server_test.go index 8936c90a07..bc103371ab 100644 --- a/server/server_test.go +++ b/server/server_test.go @@ -101,6 +101,7 @@ func newTestServer(ctx context.Context, t *testing.T, updateConfig func(c *Confi grantTypeTokenExchange, grantTypeImplicit, grantTypePassword, + grantTypeClientCredentials, }, } if updateConfig != nil { @@ -1760,7 +1761,7 @@ func TestServerSupportedGrants(t *testing.T) { { name: "Simple", config: func(c *Config) {}, - resGrants: []string{grantTypeAuthorizationCode, grantTypeRefreshToken, grantTypeDeviceCode, grantTypeTokenExchange}, + resGrants: []string{grantTypeAuthorizationCode, grantTypeClientCredentials, grantTypeRefreshToken, grantTypeDeviceCode, grantTypeTokenExchange}, }, { name: "Minimal", 
@@ -1770,12 +1771,12 @@ func TestServerSupportedGrants(t *testing.T) { { name: "With password connector", config: func(c *Config) { c.PasswordConnector = "local" }, - resGrants: []string{grantTypeAuthorizationCode, grantTypePassword, grantTypeRefreshToken, grantTypeDeviceCode, grantTypeTokenExchange}, + resGrants: []string{grantTypeAuthorizationCode, grantTypeClientCredentials, grantTypePassword, grantTypeRefreshToken, grantTypeDeviceCode, grantTypeTokenExchange}, }, { name: "With token response", config: func(c *Config) { c.SupportedResponseTypes = append(c.SupportedResponseTypes, responseTypeToken) }, - resGrants: []string{grantTypeAuthorizationCode, grantTypeImplicit, grantTypeRefreshToken, grantTypeDeviceCode, grantTypeTokenExchange}, + resGrants: []string{grantTypeAuthorizationCode, grantTypeClientCredentials, grantTypeImplicit, grantTypeRefreshToken, grantTypeDeviceCode, grantTypeTokenExchange}, }, { name: "All", @@ -1783,7 +1784,7 @@ func TestServerSupportedGrants(t *testing.T) { c.PasswordConnector = "local" c.SupportedResponseTypes = append(c.SupportedResponseTypes, responseTypeToken) }, - resGrants: []string{grantTypeAuthorizationCode, grantTypeImplicit, grantTypePassword, grantTypeRefreshToken, grantTypeDeviceCode, grantTypeTokenExchange}, + resGrants: []string{grantTypeAuthorizationCode, grantTypeClientCredentials, grantTypeImplicit, grantTypePassword, grantTypeRefreshToken, grantTypeDeviceCode, grantTypeTokenExchange}, }, } From c3165b181a64ba704b418bf4a544f6f10159d269 Mon Sep 17 00:00:00 2001 From: Taylor Silva Date: Thu, 16 Jan 2025 18:47:18 +0000 Subject: [PATCH 25/27] update cf connector to use slog instead Signed-off-by: Taylor Silva --- connector/cloudfoundry/cloudfoundry.go | 21 ++++++++------------- connector/cloudfoundry/cloudfoundry_test.go | 6 +++--- 2 files changed, 11 insertions(+), 16 deletions(-) diff --git a/connector/cloudfoundry/cloudfoundry.go b/connector/cloudfoundry/cloudfoundry.go index 472c14e9ad..ff10bccd37 100644 
--- a/connector/cloudfoundry/cloudfoundry.go +++ b/connector/cloudfoundry/cloudfoundry.go @@ -7,6 +7,7 @@ import ( "encoding/json" "errors" "fmt" + "log/slog" "net" "net/http" "os" @@ -17,7 +18,6 @@ import ( "golang.org/x/oauth2" "github.com/dexidp/dex/connector" - "github.com/dexidp/dex/pkg/log" ) type cloudfoundryConnector struct { @@ -29,7 +29,7 @@ type cloudfoundryConnector struct { authorizationURL string userInfoURL string httpClient *http.Client - logger log.Logger + logger *slog.Logger } type connectorData struct { @@ -106,7 +106,7 @@ type login struct { Href string `json:"href"` } -func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error) { +func (c *Config) Open(id string, logger *slog.Logger) (connector.Connector, error) { var err error cloudfoundryConn := &cloudfoundryConnector{ @@ -125,16 +125,14 @@ func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error) apiURL := strings.TrimRight(c.APIURL, "/") apiResp, err := cloudfoundryConn.httpClient.Get(apiURL) if err != nil { - logger.Errorf("failed-to-send-request-to-cloud-controller-api", err) - return nil, err + return nil, fmt.Errorf("failed-to-send-request-to-cloud-controller-api: %w", err) } defer apiResp.Body.Close() if apiResp.StatusCode != http.StatusOK { err = fmt.Errorf("request failed with status %d", apiResp.StatusCode) - logger.Errorf("failed-get-info-response-from-api", err) - return nil, err + return nil, fmt.Errorf("failed-get-info-response-from-api: %w", err) } var apiResult infoResp 
@@ -144,14 +142,12 @@ func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error) uaaURL := strings.TrimRight(apiResult.Links.Login.Href, "/") uaaResp, err := cloudfoundryConn.httpClient.Get(fmt.Sprintf("%s/.well-known/openid-configuration", uaaURL)) if err != nil { - logger.Errorf("failed-to-send-request-to-uaa-api", err) - return nil, err + return nil, fmt.Errorf("failed-to-send-request-to-uaa-api: %w", err) } if apiResp.StatusCode != http.StatusOK { err = fmt.Errorf("request failed with status %d", apiResp.StatusCode) - logger.Errorf("failed-to-get-well-known-config-response-from-api", err) - return nil, err + return nil, fmt.Errorf("failed-to-get-well-known-config-response-from-api: %w", err) } defer uaaResp.Body.Close() @@ -160,8 +156,7 @@ func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error) err = json.NewDecoder(uaaResp.Body).Decode(&uaaResult) if err != nil { - logger.Errorf("failed-to-decode-response-from-uaa-api", err) - return nil, err + return nil, fmt.Errorf("failed-to-decode-response-from-uaa-api: %w", err) } cloudfoundryConn.tokenURL, _ = uaaResult["token_endpoint"].(string) diff --git a/connector/cloudfoundry/cloudfoundry_test.go b/connector/cloudfoundry/cloudfoundry_test.go index 383ade22f6..d15b326104 100644 --- a/connector/cloudfoundry/cloudfoundry_test.go +++ b/connector/cloudfoundry/cloudfoundry_test.go @@ -4,14 +4,14 @@ import ( "encoding/json" "errors" "fmt" + "io" + "log/slog" "net/http" "net/http/httptest" "reflect" "strings" "testing" - "github.com/sirupsen/logrus" - "github.com/dexidp/dex/connector" ) @@ -510,7 +510,7 @@ func newConnector(t *testing.T, serverURL string) *cloudfoundryConnector { InsecureSkipVerify: true, } - log := logrus.New() + log := slog.New(slog.NewTextHandler(io.Discard, &slog.HandlerOptions{})) conn, err := testConfig.Open("id", log) if err != nil { From 0af4ea367c39742258b3a5cb1aa91ab1bb3c561f Mon Sep 17 00:00:00 2001 
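Review bot: The status check after the UAA discovery request still tests `apiResp.StatusCode`, and the rewritten error line repeats it, so a non-200 answer from UAA is never caught and its body is decoded as the OpenID configuration. Both should use the UAA response: `if uaaResp.StatusCode != http.StatusOK {` and `fmt.Errorf("request failed with status %d", uaaResp.StatusCode)`. `defer uaaResp.Body.Close()` sits after that early return, so it should move up to directly follow the error check on `Get`, otherwise the body leaks once the check works. The `token_endpoint` lookup after the last hunk discards the type-assertion result, so a document missing that field is accepted silently. Open's body starts before and continues after these hunks.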
From: CI Bot Date: Thu, 16 Jan 2025 18:56:04 +0000 Subject: [PATCH 26/27] upstream dex release: v2.41.1 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## What's Changed ### Bug Fixes 🐛 * Fix ldap connection error: network unreachable @nabokihms in https://github.com/dexidp/dex/pull/3677 * Fix gomplate fork/exec error for distroless images by @nabokihms in https://github.com/dexidp/dex/pull/3684 **Full Changelog**: https://github.com/dexidp/dex/compare/v2.41.0...v2.41.1 --- .github/workflows/analysis-scorecard.yaml | 47 ---- .github/workflows/artifacts.yaml | 213 ------------------ .github/workflows/checks.yaml | 23 -- .github/workflows/ci.yaml | 178 --------------- .github/workflows/release.yaml | 24 -- cmd/dex/config.go | 16 +- cmd/dex/config_test.go | 10 +- cmd/dex/logger.go | 2 +- cmd/dex/serve.go | 4 +- connector/atlassiancrowd/atlassiancrowd.go | 4 +- connector/authproxy/authproxy.go | 2 +- connector/authproxy/authproxy_test.go | 2 +- connector/bitbucketcloud/bitbucketcloud.go | 4 +- .../bitbucketcloud/bitbucketcloud_test.go | 2 +- connector/cloudfoundry/cloudfoundry.go | 2 +- connector/cloudfoundry/cloudfoundry_test.go | 2 +- connector/gitea/gitea.go | 2 +- connector/gitea/gitea_test.go | 2 +- connector/github/github.go | 6 +- connector/github/github_test.go | 2 +- connector/gitlab/gitlab.go | 4 +- connector/gitlab/gitlab_test.go | 2 +- connector/google/google.go | 4 +- connector/google/google_test.go | 2 +- connector/keystone/keystone.go | 2 +- connector/keystone/keystone_test.go | 2 +- connector/ldap/ldap.go | 2 +- connector/ldap/ldap_test.go | 2 +- connector/linkedin/linkedin.go | 2 +- connector/microsoft/microsoft.go | 4 +- connector/microsoft/microsoft_test.go | 2 +- connector/mock/connectortest.go | 2 +- connector/oauth/oauth.go | 4 +- connector/oauth/oauth_test.go | 2 +- connector/oidc/oidc.go | 6 +- connector/oidc/oidc_test.go | 2 +- connector/openshift/openshift.go | 8 +- 
connector/openshift/openshift_test.go | 6 +- connector/saml/saml.go | 4 +- connector/saml/saml_test.go | 2 +- examples/go.mod | 2 +- go.mod | 2 +- pkg/groups/groups_test.go | 2 +- pkg/httpclient/httpclient_test.go | 2 +- server/api.go | 6 +- server/api_test.go | 6 +- server/deviceflowhandlers.go | 2 +- server/deviceflowhandlers_test.go | 2 +- server/handlers.go | 6 +- server/handlers_test.go | 2 +- server/introspectionhandler.go | 2 +- server/introspectionhandler_test.go | 4 +- server/oauth2.go | 6 +- server/oauth2_test.go | 4 +- server/refreshhandlers.go | 6 +- server/refreshhandlers_test.go | 4 +- server/rotation.go | 2 +- server/rotation_test.go | 4 +- server/server.go | 40 ++-- server/server_test.go | 8 +- storage/conformance/conformance.go | 2 +- storage/conformance/transactions.go | 2 +- storage/ent/client/authcode.go | 2 +- storage/ent/client/authrequest.go | 2 +- storage/ent/client/client.go | 2 +- storage/ent/client/connector.go | 2 +- storage/ent/client/devicerequest.go | 4 +- storage/ent/client/devicetoken.go | 4 +- storage/ent/client/keys.go | 4 +- storage/ent/client/main.go | 14 +- storage/ent/client/offlinesession.go | 2 +- storage/ent/client/password.go | 4 +- storage/ent/client/refreshtoken.go | 2 +- storage/ent/client/types.go | 4 +- storage/ent/client/utils.go | 4 +- storage/ent/db/authcode.go | 2 +- storage/ent/db/authcode/where.go | 2 +- storage/ent/db/authcode_create.go | 2 +- storage/ent/db/authcode_delete.go | 4 +- storage/ent/db/authcode_query.go | 4 +- storage/ent/db/authcode_update.go | 4 +- storage/ent/db/authrequest.go | 2 +- storage/ent/db/authrequest/where.go | 2 +- storage/ent/db/authrequest_create.go | 2 +- storage/ent/db/authrequest_delete.go | 4 +- storage/ent/db/authrequest_query.go | 4 +- storage/ent/db/authrequest_update.go | 4 +- storage/ent/db/client.go | 22 +- storage/ent/db/connector.go | 2 +- storage/ent/db/connector/where.go | 2 +- storage/ent/db/connector_create.go | 2 +- storage/ent/db/connector_delete.go | 4 +- 
storage/ent/db/connector_query.go | 4 +- storage/ent/db/connector_update.go | 4 +- storage/ent/db/devicerequest.go | 2 +- storage/ent/db/devicerequest/where.go | 2 +- storage/ent/db/devicerequest_create.go | 2 +- storage/ent/db/devicerequest_delete.go | 4 +- storage/ent/db/devicerequest_query.go | 4 +- storage/ent/db/devicerequest_update.go | 4 +- storage/ent/db/devicetoken.go | 2 +- storage/ent/db/devicetoken/where.go | 2 +- storage/ent/db/devicetoken_create.go | 2 +- storage/ent/db/devicetoken_delete.go | 4 +- storage/ent/db/devicetoken_query.go | 4 +- storage/ent/db/devicetoken_update.go | 4 +- storage/ent/db/ent.go | 20 +- storage/ent/db/enttest/enttest.go | 6 +- storage/ent/db/hook/hook.go | 2 +- storage/ent/db/keys.go | 4 +- storage/ent/db/keys/where.go | 2 +- storage/ent/db/keys_create.go | 4 +- storage/ent/db/keys_delete.go | 4 +- storage/ent/db/keys_query.go | 4 +- storage/ent/db/keys_update.go | 6 +- storage/ent/db/mutation.go | 24 +- storage/ent/db/oauth2client.go | 2 +- storage/ent/db/oauth2client/where.go | 2 +- storage/ent/db/oauth2client_create.go | 2 +- storage/ent/db/oauth2client_delete.go | 4 +- storage/ent/db/oauth2client_query.go | 4 +- storage/ent/db/oauth2client_update.go | 4 +- storage/ent/db/offlinesession.go | 2 +- storage/ent/db/offlinesession/where.go | 2 +- storage/ent/db/offlinesession_create.go | 2 +- storage/ent/db/offlinesession_delete.go | 4 +- storage/ent/db/offlinesession_query.go | 4 +- storage/ent/db/offlinesession_update.go | 4 +- storage/ent/db/password.go | 2 +- storage/ent/db/password/where.go | 2 +- storage/ent/db/password_create.go | 2 +- storage/ent/db/password_delete.go | 4 +- storage/ent/db/password_query.go | 4 +- storage/ent/db/password_update.go | 4 +- storage/ent/db/refreshtoken.go | 2 +- storage/ent/db/refreshtoken/where.go | 2 +- storage/ent/db/refreshtoken_create.go | 2 +- storage/ent/db/refreshtoken_delete.go | 4 +- storage/ent/db/refreshtoken_query.go | 4 +- storage/ent/db/refreshtoken_update.go | 4 +- 
storage/ent/db/runtime.go | 22 +- storage/ent/mysql.go | 6 +- storage/ent/mysql_test.go | 4 +- storage/ent/postgres.go | 6 +- storage/ent/postgres_test.go | 4 +- storage/ent/schema/keys.go | 2 +- storage/ent/sqlite.go | 6 +- storage/ent/sqlite_test.go | 4 +- storage/etcd/config.go | 2 +- storage/etcd/etcd.go | 2 +- storage/etcd/etcd_test.go | 4 +- storage/etcd/types.go | 2 +- storage/kubernetes/client.go | 4 +- storage/kubernetes/client_test.go | 2 +- storage/kubernetes/storage.go | 4 +- storage/kubernetes/storage_test.go | 4 +- storage/kubernetes/transport.go | 2 +- storage/kubernetes/types.go | 4 +- storage/memory/memory.go | 2 +- storage/memory/memory_test.go | 4 +- storage/memory/static_test.go | 2 +- storage/sql/config.go | 2 +- storage/sql/config_test.go | 4 +- storage/sql/crud.go | 2 +- storage/sql/sqlite.go | 2 +- 165 files changed, 327 insertions(+), 812 deletions(-) delete mode 100644 .github/workflows/analysis-scorecard.yaml delete mode 100644 .github/workflows/artifacts.yaml delete mode 100644 .github/workflows/checks.yaml delete mode 100644 .github/workflows/ci.yaml delete mode 100644 .github/workflows/release.yaml diff --git a/.github/workflows/analysis-scorecard.yaml b/.github/workflows/analysis-scorecard.yaml deleted file mode 100644 index ca67f457eb..0000000000 --- a/.github/workflows/analysis-scorecard.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -name: OpenSSF Scorecard - -on: - branch_protection_rule: - push: - branches: [ main ] - schedule: - - cron: '30 0 * * 5' - -permissions: - contents: read - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-latest - - permissions: - actions: read - contents: read - id-token: write - security-events: write - - steps: - - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - - - name: Run analysis - uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0 - with: - results_file: results.sarif - results_format: sarif - publish_results: true - - - name: Upload results as artifact - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 - with: - name: OpenSSF Scorecard results - path: results.sarif - retention-days: 5 - - - name: Upload results to GitHub Security tab - uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15 - with: - sarif_file: results.sarif diff --git a/.github/workflows/artifacts.yaml b/.github/workflows/artifacts.yaml deleted file mode 100644 index 81bc378654..0000000000 --- a/.github/workflows/artifacts.yaml +++ /dev/null 
@@ -1,213 +0,0 @@ -name: Artifacts - -on: - workflow_call: - inputs: - publish: - description: Publish artifacts to the artifact store - default: false - required: false - type: boolean - secrets: - DOCKER_USERNAME: - required: true - DOCKER_PASSWORD: - required: true - outputs: - container-image-name: - description: Container image name - value: ${{ jobs.container-images.outputs.name }} - container-image-digest: - description: Container image digest - value: ${{ jobs.container-images.outputs.digest }} - container-image-ref: - description: Container image ref - value: ${{ jobs.container-images.outputs.ref }} - -permissions: - contents: read - -jobs: - container-images: - name: Container images - runs-on: ubuntu-latest - strategy: - matrix: - variant: - - alpine - - distroless - - permissions: - attestations: write - contents: read - packages: write - id-token: write - security-events: write - - - outputs: - name: ${{ steps.image-name.outputs.value }} - digest: ${{ steps.build.outputs.digest }} - ref: ${{ steps.image-ref.outputs.value }} - - steps: - - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - - name: Set up QEMU - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 - - - name: Set up Syft - uses: anchore/sbom-action/download-syft@d94f46e13c6c62f59525ac9a1e147a99dc0b9bf5 # v0.17.0 - - - name: Install cosign - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 - - - name: Set image name - id: image-name - run: echo "value=ghcr.io/${{ github.repository }}" >> "$GITHUB_OUTPUT" - - - name: Gather build metadata - id: meta - uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 - with: - images: | - ${{ steps.image-name.outputs.value }} - dexidp/dex - flavor: | - latest = false - tags: | - 
type=ref,event=branch,enable=${{ matrix.variant == 'alpine' }} - type=ref,event=pr,prefix=pr-,enable=${{ matrix.variant == 'alpine' }} - type=semver,pattern={{raw}},enable=${{ matrix.variant == 'alpine' }} - type=raw,value=latest,enable=${{ github.ref_name == github.event.repository.default_branch && matrix.variant == 'alpine' }} - type=ref,event=branch,suffix=-${{ matrix.variant }} - type=ref,event=pr,prefix=pr-,suffix=-${{ matrix.variant }} - type=semver,pattern={{raw}},suffix=-${{ matrix.variant }} - type=raw,value=latest,enable={{is_default_branch}},suffix=-${{ matrix.variant }} - labels: | - org.opencontainers.image.documentation=https://dexidp.io/docs/ - - # Multiple exporters are not supported yet - # See https://github.com/moby/buildkit/pull/2760 - - name: Determine build output - uses: haya14busa/action-cond@94f77f7a80cd666cb3155084e428254fea4281fd # v1.2.1 - id: build-output - with: - cond: ${{ inputs.publish }} - if_true: type=image,push=true - if_false: type=oci,dest=image.tar - - - name: Login to GitHub Container Registry - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ github.token }} - if: inputs.publish - - - name: Login to Docker Hub - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} - if: inputs.publish - - - name: Build and push image - id: build - uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0 - with: - context: . 
- platforms: linux/amd64,linux/arm/v7,linux/arm64,linux/ppc64le,linux/s390x - tags: ${{ steps.meta.outputs.tags }} - build-args: | - BASE_IMAGE=${{ matrix.variant }} - VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }} - COMMIT_HASH=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} - BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} - labels: ${{ steps.meta.outputs.labels }} - # cache-from: type=gha - # cache-to: type=gha,mode=max - outputs: ${{ steps.build-output.outputs.value }} - # push: ${{ inputs.publish }} - - - name: Sign the images with GitHub OIDC Token - run: | - cosign sign --yes ${{ steps.image-name.outputs.value }}@${{ steps.build.outputs.digest }} - if: inputs.publish - - - name: Set image ref - id: image-ref - run: echo "value=${{ steps.image-name.outputs.value }}@${{ steps.build.outputs.digest }}" >> "$GITHUB_OUTPUT" - - - name: Fetch image - run: skopeo --insecure-policy copy docker://${{ steps.image-ref.outputs.value }} oci-archive:image.tar - if: inputs.publish - - # Uncomment the following lines for debugging: - # - name: Upload image as artifact - # uses: actions/upload-artifact@v3 - # with: - # name: "[${{ github.job }}] OCI tarball" - # path: image.tar - - - name: Extract OCI tarball - run: | - mkdir -p image - tar -xf image.tar -C image - - # - name: List tags - # run: skopeo --insecure-policy list-tags oci:image - # - # # See https://github.com/anchore/syft/issues/1545 - # - name: Extract image from multi-arch image - # run: skopeo --override-os linux --override-arch amd64 --insecure-policy copy oci:image:${{ steps.image-name.outputs.value }}:${{ steps.meta.outputs.version }} docker-archive:docker.tar - # - # - name: Generate SBOM - # run: syft -o spdx-json=sbom-spdx.json docker-archive:docker.tar - # - # - name: Upload SBOM as artifact - # uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - 
# with: - # name: "[${{ github.job }}] SBOM" - # path: sbom-spdx.json - # retention-days: 5 - - # TODO: uncomment when the action is working for non ghcr.io pushes. GH Issue: https://github.com/actions/attest-build-provenance/issues/80 - # - name: Generate build provenance attestation - # uses: actions/attest-build-provenance@210c1913531870065f03ce1f9440dd87bc0938cd # v1.4.0 - # with: - # subject-name: dexidp/dex - # subject-digest: ${{ steps.build.outputs.digest }} - # push-to-registry: true - - - name: Generate build provenance attestation - uses: actions/attest-build-provenance@210c1913531870065f03ce1f9440dd87bc0938cd # v1.4.0 - with: - subject-name: ghcr.io/dexidp/dex - subject-digest: ${{ steps.build.outputs.digest }} - push-to-registry: true - if: inputs.publish - - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 - with: - input: image - format: sarif - output: trivy-results.sarif - - - name: Upload Trivy scan results as artifact - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 - with: - name: "[${{ github.job }}] Trivy scan results" - path: trivy-results.sarif - retention-days: 5 - overwrite: true - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15 - with: - sarif_file: trivy-results.sarif diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml deleted file mode 100644 index 558ac08d39..0000000000 --- a/.github/workflows/checks.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -name: PR Checks - -on: - pull_request: - types: [opened, labeled, unlabeled, synchronize] - -permissions: - contents: read - -jobs: - release-label: - name: Release note label - runs-on: ubuntu-latest - - if: github.repository == 'dexidp/dex' - - steps: - - name: Check minimum labels - uses: mheap/github-action-required-labels@5847eef68201219cf0a4643ea7be61e77837bbce # v5.4.1 - with: - mode: minimum - count: 1 - labels: "release-note/ignore, kind/feature, release-note/new-feature, kind/enhancement, release-note/enhancement, kind/bug, release-note/bug-fix, release-note/breaking-change, release-note/deprecation, area/dependencies, release-note/dependency-update" diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml deleted file mode 100644 index 534edea15f..0000000000 --- a/.github/workflows/ci.yaml +++ /dev/null 
@@ -1,178 +0,0 @@ -name: CI - -on: - push: - branches: [ master ] - pull_request: - -permissions: - contents: read - -jobs: - test: - name: Test - runs-on: ubuntu-latest - - services: - postgres: - image: postgres:10.8 - env: - TZ: UTC - ports: - - 5432 - options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5 - - postgres-ent: - image: postgres:10.8 - env: - TZ: UTC - ports: - - 5432 - options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5 - - mysql: - image: mysql:5.7 - env: - MYSQL_ROOT_PASSWORD: root - MYSQL_DATABASE: dex - ports: - - 3306 - options: --health-cmd "mysql -proot -e \"show databases;\"" --health-interval 10s --health-timeout 5s --health-retries 5 - - mysql-ent: - image: mysql:5.7 - env: - MYSQL_ROOT_PASSWORD: root - MYSQL_DATABASE: dex - ports: - - 3306 - options: --health-cmd "mysql -proot -e \"show databases;\"" --health-interval 10s --health-timeout 5s --health-retries 5 - - etcd: - image: gcr.io/etcd-development/etcd:v3.5.0 - ports: - - 2379 - env: - ETCD_LISTEN_CLIENT_URLS: http://0.0.0.0:2379 - ETCD_ADVERTISE_CLIENT_URLS: http://0.0.0.0:2379 - options: --health-cmd "ETCDCTL_API=3 etcdctl --endpoints http://localhost:2379 endpoint health" --health-interval 10s --health-timeout 5s --health-retries 5 - - keystone: - image: openio/openstack-keystone:rocky - ports: - - 5000 - - 35357 - options: --health-cmd "curl --fail http://localhost:5000/v3" --health-interval 10s --health-timeout 5s --health-retries 5 - - steps: - - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - - name: Set up Go - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - go-version: "1.21" - - - name: Download tool dependencies - run: make deps - - # Ensure that generated files were committed. - # It can help us determine, that the code is in the intermediate state, which should not be tested. 
- # Thus, heavy jobs like creating a kind cluster and testing / linting will be skipped. - - name: Verify - run: make verify - - - name: Start services - run: docker compose -f docker-compose.test.yaml up -d - - - name: Create kind cluster - uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 - with: - version: "v0.17.0" - node_image: "kindest/node:v1.25.3@sha256:cd248d1438192f7814fbca8fede13cfe5b9918746dfa12583976158a834fd5c5" - - - name: Test - run: make testall - env: - DEX_MYSQL_DATABASE: dex - DEX_MYSQL_USER: root - DEX_MYSQL_PASSWORD: root - DEX_MYSQL_HOST: 127.0.0.1 - DEX_MYSQL_PORT: ${{ job.services.mysql.ports[3306] }} - - DEX_MYSQL_ENT_DATABASE: dex - DEX_MYSQL_ENT_USER: root - DEX_MYSQL_ENT_PASSWORD: root - DEX_MYSQL_ENT_HOST: 127.0.0.1 - DEX_MYSQL_ENT_PORT: ${{ job.services.mysql-ent.ports[3306] }} - - DEX_POSTGRES_DATABASE: postgres - DEX_POSTGRES_USER: postgres - DEX_POSTGRES_PASSWORD: postgres - DEX_POSTGRES_HOST: localhost - DEX_POSTGRES_PORT: ${{ job.services.postgres.ports[5432] }} - - DEX_POSTGRES_ENT_DATABASE: postgres - DEX_POSTGRES_ENT_USER: postgres - DEX_POSTGRES_ENT_PASSWORD: postgres - DEX_POSTGRES_ENT_HOST: localhost - DEX_POSTGRES_ENT_PORT: ${{ job.services.postgres-ent.ports[5432] }} - - DEX_ETCD_ENDPOINTS: http://localhost:${{ job.services.etcd.ports[2379] }} - - DEX_LDAP_HOST: localhost - DEX_LDAP_PORT: 3890 - DEX_LDAP_TLS_PORT: 6360 - - DEX_KEYSTONE_URL: http://localhost:${{ job.services.keystone.ports[5000] }} - DEX_KEYSTONE_ADMIN_URL: http://localhost:${{ job.services.keystone.ports[35357] }} - DEX_KEYSTONE_ADMIN_USER: demo - DEX_KEYSTONE_ADMIN_PASS: DEMO_PASS - - DEX_KUBERNETES_CONFIG_PATH: ~/.kube/config - - lint: - name: Lint - runs-on: ubuntu-latest - - steps: - - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - - name: Set up Go - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - go-version: "1.21" - - - name: 
Download golangci-lint - run: make bin/golangci-lint - - - name: Lint - run: make lint - - artifacts: - name: Artifacts - uses: ./.github/workflows/artifacts.yaml - with: - publish: ${{ github.event_name == 'push' }} - secrets: - DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} - DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} - permissions: - attestations: write - contents: read - packages: write - id-token: write - security-events: write - - dependency-review: - name: Dependency review - runs-on: ubuntu-latest - if: github.event_name == 'pull_request' - - steps: - - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - - name: Dependency Review - uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4 diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml deleted file mode 100644 index dbf397cbbe..0000000000 --- a/.github/workflows/release.yaml +++ /dev/null @@ -1,24 +0,0 @@ -name: Release - -on: - push: - tags: [ "v[0-9]+.[0-9]+.[0-9]+" ] - -permissions: - contents: read - -jobs: - artifacts: - name: Artifacts - uses: ./.github/workflows/artifacts.yaml - with: - publish: true - secrets: - DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} - DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} - permissions: - attestations: write - contents: read - packages: write - id-token: write - security-events: write diff --git a/cmd/dex/config.go b/cmd/dex/config.go index dd6d2e2ab9..a5c77f11c8 100644 --- a/cmd/dex/config.go +++ b/cmd/dex/config.go 
@@ -12,14 +12,14 @@ import ( "golang.org/x/crypto/bcrypt" - "github.com/dexidp/dex/pkg/featureflags" - "github.com/dexidp/dex/server" - "github.com/dexidp/dex/storage" - "github.com/dexidp/dex/storage/ent" - "github.com/dexidp/dex/storage/etcd" - "github.com/dexidp/dex/storage/kubernetes" - "github.com/dexidp/dex/storage/memory" - "github.com/dexidp/dex/storage/sql" + "github.com/concourse/dex/pkg/featureflags" + "github.com/concourse/dex/server" + "github.com/concourse/dex/storage" + "github.com/concourse/dex/storage/ent" + "github.com/concourse/dex/storage/etcd" + "github.com/concourse/dex/storage/kubernetes" + "github.com/concourse/dex/storage/memory" + "github.com/concourse/dex/storage/sql" ) // Config is the config format for the main application. diff --git a/cmd/dex/config_test.go b/cmd/dex/config_test.go index c6d37cb03e..4cbbc6a877 100644 --- a/cmd/dex/config_test.go +++ b/cmd/dex/config_test.go @@ -8,11 +8,11 @@ import ( "github.com/ghodss/yaml" "github.com/kylelemons/godebug/pretty" - "github.com/dexidp/dex/connector/mock" - "github.com/dexidp/dex/connector/oidc" - "github.com/dexidp/dex/server" - "github.com/dexidp/dex/storage" - "github.com/dexidp/dex/storage/sql" + "github.com/concourse/dex/connector/mock" + "github.com/concourse/dex/connector/oidc" + "github.com/concourse/dex/server" + "github.com/concourse/dex/storage" + "github.com/concourse/dex/storage/sql" ) var _ = yaml.YAMLToJSON diff --git a/cmd/dex/logger.go b/cmd/dex/logger.go index e979011c4f..e06b87f3f6 100644 --- a/cmd/dex/logger.go +++ b/cmd/dex/logger.go @@ -7,7 +7,7 @@ import ( "os" "strings" - "github.com/dexidp/dex/server" + "github.com/concourse/dex/server" ) var logFormats = []string{"json", "text"} diff --git a/cmd/dex/serve.go b/cmd/dex/serve.go index 6fcca04da3..ec3d9d7603 100644 --- a/cmd/dex/serve.go +++ b/cmd/dex/serve.go 
@@ -35,8 +35,8 @@ import ( "google.golang.org/grpc/reflection" "github.com/dexidp/dex/api/v2" - "github.com/dexidp/dex/server" - "github.com/dexidp/dex/storage" + "github.com/concourse/dex/server" + "github.com/concourse/dex/storage" ) type serveOptions struct { diff --git a/connector/atlassiancrowd/atlassiancrowd.go b/connector/atlassiancrowd/atlassiancrowd.go index d36832846e..5d338bf65e 100644 --- a/connector/atlassiancrowd/atlassiancrowd.go +++ b/connector/atlassiancrowd/atlassiancrowd.go @@ -13,8 +13,8 @@ import ( "strings" "time" - "github.com/dexidp/dex/connector" - "github.com/dexidp/dex/pkg/groups" + "github.com/concourse/dex/connector" + "github.com/concourse/dex/pkg/groups" ) // Config holds configuration options for Atlassian Crowd connector. diff --git a/connector/authproxy/authproxy.go b/connector/authproxy/authproxy.go index 61353382f5..1bf806899c 100644 --- a/connector/authproxy/authproxy.go +++ b/connector/authproxy/authproxy.go @@ -10,7 +10,7 @@ import ( "net/url" "strings" - "github.com/dexidp/dex/connector" + "github.com/concourse/dex/connector" ) // Config holds the configuration parameters for a connector which returns an diff --git a/connector/authproxy/authproxy_test.go b/connector/authproxy/authproxy_test.go index fdcf4038cf..5f185697cb 100644 --- a/connector/authproxy/authproxy_test.go +++ b/connector/authproxy/authproxy_test.go @@ -7,7 +7,7 @@ import ( "reflect" "testing" - "github.com/dexidp/dex/connector" + "github.com/concourse/dex/connector" ) const ( diff --git a/connector/bitbucketcloud/bitbucketcloud.go b/connector/bitbucketcloud/bitbucketcloud.go index 5f802e3414..b37f6321da 100644 --- a/connector/bitbucketcloud/bitbucketcloud.go +++ b/connector/bitbucketcloud/bitbucketcloud.go @@ -15,8 +15,8 @@ import ( "golang.org/x/oauth2" "golang.org/x/oauth2/bitbucket" - "github.com/dexidp/dex/connector" - "github.com/dexidp/dex/pkg/groups" + "github.com/concourse/dex/connector" + "github.com/concourse/dex/pkg/groups" ) const ( 
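Review bot: In the cmd/dex/serve.go hunk the context line `"github.com/dexidp/dex/api/v2"` stays on the upstream module path while the two imports after it move to `github.com/concourse/dex`, so the local import group now mixes two module paths; the server/api.go and server/api_test.go hunks have the same mix. If this is intentional because api/v2 is a separate module, say so at the import with a comment such as `// api/v2 is its own module and deliberately stays on the upstream path`. It is also worth confirming that go.mod pins or replaces that module to the copy the fork expects, since the visible go.mod hunk only changes the `module` line. As far as the collapsed hunk shows, the group is also no longer in gofmt order, because `github.com/concourse/...` sorts before `github.com/dexidp/...`; moving the api/v2 import into the third-party group above would fix that. The import block starts outside the hunk.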
diff --git a/connector/bitbucketcloud/bitbucketcloud_test.go b/connector/bitbucketcloud/bitbucketcloud_test.go index 9545ff09c5..035ec1da3e 100644 --- a/connector/bitbucketcloud/bitbucketcloud_test.go +++ b/connector/bitbucketcloud/bitbucketcloud_test.go @@ -10,7 +10,7 @@ import ( "reflect" "testing" - "github.com/dexidp/dex/connector" + "github.com/concourse/dex/connector" ) func TestUserGroups(t *testing.T) { diff --git a/connector/cloudfoundry/cloudfoundry.go b/connector/cloudfoundry/cloudfoundry.go index ff10bccd37..c1353f78da 100644 --- a/connector/cloudfoundry/cloudfoundry.go +++ b/connector/cloudfoundry/cloudfoundry.go @@ -17,7 +17,7 @@ import ( "golang.org/x/oauth2" - "github.com/dexidp/dex/connector" + "github.com/concourse/dex/connector" ) type cloudfoundryConnector struct { diff --git a/connector/cloudfoundry/cloudfoundry_test.go b/connector/cloudfoundry/cloudfoundry_test.go index d15b326104..6bd4609f86 100644 --- a/connector/cloudfoundry/cloudfoundry_test.go +++ b/connector/cloudfoundry/cloudfoundry_test.go @@ -12,7 +12,7 @@ import ( "strings" "testing" - "github.com/dexidp/dex/connector" + "github.com/concourse/dex/connector" ) func TestOpen(t *testing.T) { diff --git a/connector/gitea/gitea.go b/connector/gitea/gitea.go index 62523185d5..15108f71c4 100644 --- a/connector/gitea/gitea.go +++ b/connector/gitea/gitea.go @@ -15,7 +15,7 @@ import ( "golang.org/x/oauth2" - "github.com/dexidp/dex/connector" + "github.com/concourse/dex/connector" ) // Config holds configuration options for gitea logins. diff --git a/connector/gitea/gitea_test.go b/connector/gitea/gitea_test.go index a71d79956e..c4576d0fd2 100644 --- a/connector/gitea/gitea_test.go +++ b/connector/gitea/gitea_test.go @@ -9,7 +9,7 @@ import ( "reflect" "testing" - "github.com/dexidp/dex/connector" + "github.com/concourse/dex/connector" ) // tests that the email is used as their username when they have no username set 
diff --git a/connector/github/github.go b/connector/github/github.go index 18a56628af..09875db0e6 100644 --- a/connector/github/github.go +++ b/connector/github/github.go @@ -16,9 +16,9 @@ import ( "golang.org/x/oauth2" "golang.org/x/oauth2/github" - "github.com/dexidp/dex/connector" - groups_pkg "github.com/dexidp/dex/pkg/groups" - "github.com/dexidp/dex/pkg/httpclient" + "github.com/concourse/dex/connector" + groups_pkg "github.com/concourse/dex/pkg/groups" + "github.com/concourse/dex/pkg/httpclient" ) const ( diff --git a/connector/github/github_test.go b/connector/github/github_test.go index 088cbb238c..e16e7d6239 100644 --- a/connector/github/github_test.go +++ b/connector/github/github_test.go @@ -15,7 +15,7 @@ import ( "strings" "testing" - "github.com/dexidp/dex/connector" + "github.com/concourse/dex/connector" ) type testResponse struct { diff --git a/connector/gitlab/gitlab.go b/connector/gitlab/gitlab.go index fdb2c48204..f4562c600b 100644 --- a/connector/gitlab/gitlab.go +++ b/connector/gitlab/gitlab.go @@ -14,8 +14,8 @@ import ( "golang.org/x/oauth2" - "github.com/dexidp/dex/connector" - "github.com/dexidp/dex/pkg/groups" + "github.com/concourse/dex/connector" + "github.com/concourse/dex/pkg/groups" ) const ( diff --git a/connector/gitlab/gitlab_test.go b/connector/gitlab/gitlab_test.go index d828b8bd16..f5886ca96c 100644 --- a/connector/gitlab/gitlab_test.go +++ b/connector/gitlab/gitlab_test.go @@ -10,7 +10,7 @@ import ( "reflect" "testing" - "github.com/dexidp/dex/connector" + "github.com/concourse/dex/connector" ) func TestUserGroups(t *testing.T) { diff --git a/connector/google/google.go b/connector/google/google.go index e17ec5bd7f..67052e46fd 100644 --- a/connector/google/google.go +++ b/connector/google/google.go 
@@ -20,8 +20,8 @@ import ( "google.golang.org/api/impersonate" "google.golang.org/api/option" - "github.com/dexidp/dex/connector" - pkg_groups "github.com/dexidp/dex/pkg/groups" + "github.com/concourse/dex/connector" + pkg_groups "github.com/concourse/dex/pkg/groups" ) const ( diff --git a/connector/google/google_test.go b/connector/google/google_test.go index bafcadc8ff..f560b894b7 100644 --- a/connector/google/google_test.go +++ b/connector/google/google_test.go @@ -17,7 +17,7 @@ import ( admin "google.golang.org/api/admin/directory/v1" "google.golang.org/api/option" - "github.com/dexidp/dex/connector" + "github.com/concourse/dex/connector" ) var ( diff --git a/connector/keystone/keystone.go b/connector/keystone/keystone.go index cdfdb55894..dedae9f686 100644 --- a/connector/keystone/keystone.go +++ b/connector/keystone/keystone.go @@ -12,7 +12,7 @@ import ( "github.com/google/uuid" - "github.com/dexidp/dex/connector" + "github.com/concourse/dex/connector" ) type conn struct { diff --git a/connector/keystone/keystone_test.go b/connector/keystone/keystone_test.go index 9b0590df12..ad53385cd3 100644 --- a/connector/keystone/keystone_test.go +++ b/connector/keystone/keystone_test.go @@ -11,7 +11,7 @@ import ( "strings" "testing" - "github.com/dexidp/dex/connector" + "github.com/concourse/dex/connector" ) const ( diff --git a/connector/ldap/ldap.go b/connector/ldap/ldap.go index 856949d240..e4ee271233 100644 --- a/connector/ldap/ldap.go +++ b/connector/ldap/ldap.go @@ -15,7 +15,7 @@ import ( "github.com/go-ldap/ldap/v3" - "github.com/dexidp/dex/connector" + "github.com/concourse/dex/connector" ) // Config holds the configuration parameters for the LDAP connector. The LDAP diff --git a/connector/ldap/ldap_test.go b/connector/ldap/ldap_test.go index de85b6a256..c07062cda4 100644 --- a/connector/ldap/ldap_test.go +++ b/connector/ldap/ldap_test.go 
@@ -10,7 +10,7 @@ import ( "github.com/kylelemons/godebug/pretty" - "github.com/dexidp/dex/connector" + "github.com/concourse/dex/connector" ) // connectionMethod indicates how the test should connect to the LDAP server. diff --git a/connector/linkedin/linkedin.go b/connector/linkedin/linkedin.go index f17d17cca1..c455fc1898 100644 --- a/connector/linkedin/linkedin.go +++ b/connector/linkedin/linkedin.go @@ -12,7 +12,7 @@ import ( "golang.org/x/oauth2" - "github.com/dexidp/dex/connector" + "github.com/concourse/dex/connector" ) const ( diff --git a/connector/microsoft/microsoft.go b/connector/microsoft/microsoft.go index 2fcf6a7515..9830894bce 100644 --- a/connector/microsoft/microsoft.go +++ b/connector/microsoft/microsoft.go @@ -16,8 +16,8 @@ import ( "golang.org/x/oauth2" - "github.com/dexidp/dex/connector" - groups_pkg "github.com/dexidp/dex/pkg/groups" + "github.com/concourse/dex/connector" + groups_pkg "github.com/concourse/dex/pkg/groups" ) // GroupNameFormat represents the format of the group identifier diff --git a/connector/microsoft/microsoft_test.go b/connector/microsoft/microsoft_test.go index 67be660fce..34381bc3fb 100644 --- a/connector/microsoft/microsoft_test.go +++ b/connector/microsoft/microsoft_test.go @@ -10,7 +10,7 @@ import ( "reflect" "testing" - "github.com/dexidp/dex/connector" + "github.com/concourse/dex/connector" ) type testResponse struct { diff --git a/connector/mock/connectortest.go b/connector/mock/connectortest.go index 7e5979a992..0bc5106318 100644 --- a/connector/mock/connectortest.go +++ b/connector/mock/connectortest.go @@ -9,7 +9,7 @@ import ( "net/http" "net/url" - "github.com/dexidp/dex/connector" + "github.com/concourse/dex/connector" ) // NewCallbackConnector returns a mock connector which requires no user interaction. It always returns diff --git a/connector/oauth/oauth.go b/connector/oauth/oauth.go index 413a813a08..e188b991e4 100644 --- a/connector/oauth/oauth.go +++ b/connector/oauth/oauth.go 
@@ -12,8 +12,8 @@ import ( "golang.org/x/oauth2" - "github.com/dexidp/dex/connector" - "github.com/dexidp/dex/pkg/httpclient" + "github.com/concourse/dex/connector" + "github.com/concourse/dex/pkg/httpclient" ) type oauthConnector struct { diff --git a/connector/oauth/oauth_test.go b/connector/oauth/oauth_test.go index d06c0c0840..7805e10195 100644 --- a/connector/oauth/oauth_test.go +++ b/connector/oauth/oauth_test.go @@ -17,7 +17,7 @@ import ( "github.com/go-jose/go-jose/v4" "github.com/stretchr/testify/assert" - "github.com/dexidp/dex/connector" + "github.com/concourse/dex/connector" ) func TestOpen(t *testing.T) { diff --git a/connector/oidc/oidc.go b/connector/oidc/oidc.go index 7d0cacb056..d25bcf6155 100644 --- a/connector/oidc/oidc.go +++ b/connector/oidc/oidc.go @@ -16,9 +16,9 @@ import ( "github.com/coreos/go-oidc/v3/oidc" "golang.org/x/oauth2" - "github.com/dexidp/dex/connector" - groups_pkg "github.com/dexidp/dex/pkg/groups" - "github.com/dexidp/dex/pkg/httpclient" + "github.com/concourse/dex/connector" + groups_pkg "github.com/concourse/dex/pkg/groups" + "github.com/concourse/dex/pkg/httpclient" ) // Config holds configuration options for OpenID Connect logins. diff --git a/connector/oidc/oidc_test.go b/connector/oidc/oidc_test.go index 66b35c3fef..c0c4090ffd 100644 --- a/connector/oidc/oidc_test.go +++ b/connector/oidc/oidc_test.go @@ -22,7 +22,7 @@ import ( "github.com/go-jose/go-jose/v4" "github.com/stretchr/testify/require" - "github.com/dexidp/dex/connector" + "github.com/concourse/dex/connector" ) func TestKnownBrokenAuthHeaderProvider(t *testing.T) { diff --git a/connector/openshift/openshift.go b/connector/openshift/openshift.go index 4519a85b6d..28059a9f8b 100644 --- a/connector/openshift/openshift.go +++ b/connector/openshift/openshift.go 
@@ -11,10 +11,10 @@ import ( "golang.org/x/oauth2" - "github.com/dexidp/dex/connector" - "github.com/dexidp/dex/pkg/groups" - "github.com/dexidp/dex/pkg/httpclient" - "github.com/dexidp/dex/storage/kubernetes/k8sapi" + "github.com/concourse/dex/connector" + "github.com/concourse/dex/pkg/groups" + "github.com/concourse/dex/pkg/httpclient" + "github.com/concourse/dex/storage/kubernetes/k8sapi" ) const ( diff --git a/connector/openshift/openshift_test.go b/connector/openshift/openshift_test.go index 89ec0e25a9..fa9eef2e60 100644 --- a/connector/openshift/openshift_test.go +++ b/connector/openshift/openshift_test.go @@ -15,9 +15,9 @@ import ( "golang.org/x/oauth2" - "github.com/dexidp/dex/connector" - "github.com/dexidp/dex/pkg/httpclient" - "github.com/dexidp/dex/storage/kubernetes/k8sapi" + "github.com/concourse/dex/connector" + "github.com/concourse/dex/pkg/httpclient" + "github.com/concourse/dex/storage/kubernetes/k8sapi" ) func TestOpen(t *testing.T) { diff --git a/connector/saml/saml.go b/connector/saml/saml.go index 1ab8e54411..59b055784c 100644 --- a/connector/saml/saml.go +++ b/connector/saml/saml.go @@ -20,8 +20,8 @@ import ( dsig "github.com/russellhaering/goxmldsig" "github.com/russellhaering/goxmldsig/etreeutils" - "github.com/dexidp/dex/connector" - "github.com/dexidp/dex/pkg/groups" + "github.com/concourse/dex/connector" + "github.com/concourse/dex/pkg/groups" ) const ( diff --git a/connector/saml/saml_test.go b/connector/saml/saml_test.go index f67e3e8bc9..44765cd1b0 100644 --- a/connector/saml/saml_test.go +++ b/connector/saml/saml_test.go @@ -15,7 +15,7 @@ import ( "github.com/kylelemons/godebug/pretty" dsig "github.com/russellhaering/goxmldsig" - "github.com/dexidp/dex/connector" + "github.com/concourse/dex/connector" ) // responseTest maps a SAML 2.0 response object to a set of expected values. diff --git a/examples/go.mod b/examples/go.mod index 704d4e8803..a47bd01d6c 100644 --- a/examples/go.mod +++ b/examples/go.mod 
@@ -1,4 +1,4 @@ -module github.com/dexidp/dex/examples +module github.com/concourse/dex/examples go 1.21 diff --git a/go.mod b/go.mod index 890cc8dfe5..f89f2caaf6 100644 --- a/go.mod +++ b/go.mod @@ -1,4 +1,4 @@ -module github.com/dexidp/dex +module github.com/concourse/dex go 1.21 diff --git a/pkg/groups/groups_test.go b/pkg/groups/groups_test.go index 0be62fb430..2ff38a2df8 100644 --- a/pkg/groups/groups_test.go +++ b/pkg/groups/groups_test.go @@ -5,7 +5,7 @@ import ( "github.com/stretchr/testify/assert" - "github.com/dexidp/dex/pkg/groups" + "github.com/concourse/dex/pkg/groups" ) func TestFilter(t *testing.T) { diff --git a/pkg/httpclient/httpclient_test.go b/pkg/httpclient/httpclient_test.go index 07baea04ee..567778e10b 100644 --- a/pkg/httpclient/httpclient_test.go +++ b/pkg/httpclient/httpclient_test.go @@ -10,7 +10,7 @@ import ( "github.com/stretchr/testify/assert" - "github.com/dexidp/dex/pkg/httpclient" + "github.com/concourse/dex/pkg/httpclient" ) func TestRootCAs(t *testing.T) { diff --git a/server/api.go b/server/api.go index f53bc60be5..c57a5ccd42 100644 --- a/server/api.go +++ b/server/api.go @@ -10,9 +10,9 @@ import ( "golang.org/x/crypto/bcrypt" "github.com/dexidp/dex/api/v2" - "github.com/dexidp/dex/pkg/featureflags" - "github.com/dexidp/dex/server/internal" - "github.com/dexidp/dex/storage" + "github.com/concourse/dex/pkg/featureflags" + "github.com/concourse/dex/server/internal" + "github.com/concourse/dex/storage" ) // apiVersion increases every time a new call is added to the API. Clients should use this info diff --git a/server/api_test.go b/server/api_test.go index bcf240c192..ce12310066 100644 --- a/server/api_test.go +++ b/server/api_test.go 
@@ -14,9 +14,9 @@ import ( "google.golang.org/grpc/credentials/insecure" "github.com/dexidp/dex/api/v2" - "github.com/dexidp/dex/server/internal" - "github.com/dexidp/dex/storage" - "github.com/dexidp/dex/storage/memory" + "github.com/concourse/dex/server/internal" + "github.com/concourse/dex/storage" + "github.com/concourse/dex/storage/memory" ) // apiClient is a test gRPC client. When constructed, it runs a server in diff --git a/server/deviceflowhandlers.go b/server/deviceflowhandlers.go index 06f3a7b2d5..31a88d14d5 100644 --- a/server/deviceflowhandlers.go +++ b/server/deviceflowhandlers.go @@ -13,7 +13,7 @@ import ( "golang.org/x/net/html" - "github.com/dexidp/dex/storage" + "github.com/concourse/dex/storage" ) type deviceCodeResponse struct { diff --git a/server/deviceflowhandlers_test.go b/server/deviceflowhandlers_test.go index 151c75082d..610e4e04f5 100644 --- a/server/deviceflowhandlers_test.go +++ b/server/deviceflowhandlers_test.go @@ -13,7 +13,7 @@ import ( "testing" "time" - "github.com/dexidp/dex/storage" + "github.com/concourse/dex/storage" ) func TestDeviceVerificationURI(t *testing.T) { diff --git a/server/handlers.go b/server/handlers.go index 2f94d8fc14..c5bf5b689b 100644 --- a/server/handlers.go +++ b/server/handlers.go @@ -21,9 +21,9 @@ import ( "github.com/go-jose/go-jose/v4" "github.com/gorilla/mux" - "github.com/dexidp/dex/connector" - "github.com/dexidp/dex/server/internal" - "github.com/dexidp/dex/storage" + "github.com/concourse/dex/connector" + "github.com/concourse/dex/server/internal" + "github.com/concourse/dex/storage" ) const ( diff --git a/server/handlers_test.go b/server/handlers_test.go index 58a00d4df4..895bd41377 100644 --- a/server/handlers_test.go +++ b/server/handlers_test.go @@ -20,7 +20,7 @@ import ( "github.com/stretchr/testify/require" "golang.org/x/oauth2" - "github.com/dexidp/dex/storage" + "github.com/concourse/dex/storage" ) func TestHandleHealth(t *testing.T) { 
diff --git a/server/introspectionhandler.go b/server/introspectionhandler.go index ffcbb13679..5a80d82ab0 100644 --- a/server/introspectionhandler.go +++ b/server/introspectionhandler.go @@ -9,7 +9,7 @@ import ( "github.com/coreos/go-oidc/v3/oidc" - "github.com/dexidp/dex/server/internal" + "github.com/concourse/dex/server/internal" ) // Introspection contains an access token's session data as specified by diff --git a/server/introspectionhandler_test.go b/server/introspectionhandler_test.go index 695bbad8e6..9045a677bb 100644 --- a/server/introspectionhandler_test.go +++ b/server/introspectionhandler_test.go @@ -15,8 +15,8 @@ import ( "github.com/stretchr/testify/require" - "github.com/dexidp/dex/server/internal" - "github.com/dexidp/dex/storage" + "github.com/concourse/dex/server/internal" + "github.com/concourse/dex/storage" ) func toJSON(a interface{}) string { diff --git a/server/oauth2.go b/server/oauth2.go index f4641695d7..abed7f462c 100644 --- a/server/oauth2.go +++ b/server/oauth2.go @@ -23,9 +23,9 @@ import ( "github.com/go-jose/go-jose/v4" - "github.com/dexidp/dex/connector" - "github.com/dexidp/dex/server/internal" - "github.com/dexidp/dex/storage" + "github.com/concourse/dex/connector" + "github.com/concourse/dex/server/internal" + "github.com/concourse/dex/storage" ) // TODO(ericchiang): clean this file up and figure out more idiomatic error handling. diff --git a/server/oauth2_test.go b/server/oauth2_test.go index 5f5fc3b663..e92b0c99b9 100644 --- a/server/oauth2_test.go +++ b/server/oauth2_test.go @@ -13,8 +13,8 @@ import ( "github.com/go-jose/go-jose/v4" "github.com/stretchr/testify/require" - "github.com/dexidp/dex/storage" - "github.com/dexidp/dex/storage/memory" + "github.com/concourse/dex/storage" + "github.com/concourse/dex/storage/memory" ) func TestGetClientID(t *testing.T) { diff --git a/server/refreshhandlers.go b/server/refreshhandlers.go index 391d552251..271d94239b 100644 --- a/server/refreshhandlers.go +++ b/server/refreshhandlers.go 
@@ -8,9 +8,9 @@ import ( "strings" "time" - "github.com/dexidp/dex/connector" - "github.com/dexidp/dex/server/internal" - "github.com/dexidp/dex/storage" + "github.com/concourse/dex/connector" + "github.com/concourse/dex/server/internal" + "github.com/concourse/dex/storage" ) func contains(arr []string, item string) bool { diff --git a/server/refreshhandlers_test.go b/server/refreshhandlers_test.go index 6b0925c2bd..71284c93c7 100644 --- a/server/refreshhandlers_test.go +++ b/server/refreshhandlers_test.go @@ -13,8 +13,8 @@ import ( "github.com/stretchr/testify/require" - "github.com/dexidp/dex/server/internal" - "github.com/dexidp/dex/storage" + "github.com/concourse/dex/server/internal" + "github.com/concourse/dex/storage" ) func mockRefreshTokenTestStorage(t *testing.T, s storage.Storage, useObsolete bool) { diff --git a/server/rotation.go b/server/rotation.go index dfd776d677..d58fbb8c64 100644 --- a/server/rotation.go +++ b/server/rotation.go @@ -13,7 +13,7 @@ import ( "github.com/go-jose/go-jose/v4" - "github.com/dexidp/dex/storage" + "github.com/concourse/dex/storage" ) var errAlreadyRotated = errors.New("keys already rotated by another server instance") diff --git a/server/rotation_test.go b/server/rotation_test.go index 1d0d2f100a..b558767614 100644 --- a/server/rotation_test.go +++ b/server/rotation_test.go @@ -9,8 +9,8 @@ import ( "github.com/stretchr/testify/require" - "github.com/dexidp/dex/storage" - "github.com/dexidp/dex/storage/memory" + "github.com/concourse/dex/storage" + "github.com/concourse/dex/storage/memory" ) func signingKeyID(t *testing.T, s storage.Storage) string { diff --git a/server/server.go b/server/server.go index f2d7a433ed..a64865ea40 100644 --- a/server/server.go +++ b/server/server.go 
@@ -29,26 +29,26 @@ import ( "github.com/prometheus/client_golang/prometheus" "golang.org/x/crypto/bcrypt" - "github.com/dexidp/dex/connector" - "github.com/dexidp/dex/connector/atlassiancrowd" - "github.com/dexidp/dex/connector/authproxy" - "github.com/dexidp/dex/connector/bitbucketcloud" - "github.com/dexidp/dex/connector/cloudfoundry" - "github.com/dexidp/dex/connector/gitea" - "github.com/dexidp/dex/connector/github" - "github.com/dexidp/dex/connector/gitlab" - "github.com/dexidp/dex/connector/google" - "github.com/dexidp/dex/connector/keystone" - "github.com/dexidp/dex/connector/ldap" - "github.com/dexidp/dex/connector/linkedin" - "github.com/dexidp/dex/connector/microsoft" - "github.com/dexidp/dex/connector/mock" - "github.com/dexidp/dex/connector/oauth" - "github.com/dexidp/dex/connector/oidc" - "github.com/dexidp/dex/connector/openshift" - "github.com/dexidp/dex/connector/saml" - "github.com/dexidp/dex/storage" - "github.com/dexidp/dex/web" + "github.com/concourse/dex/connector" + "github.com/concourse/dex/connector/atlassiancrowd" + "github.com/concourse/dex/connector/authproxy" + "github.com/concourse/dex/connector/bitbucketcloud" + "github.com/concourse/dex/connector/cloudfoundry" + "github.com/concourse/dex/connector/gitea" + "github.com/concourse/dex/connector/github" + "github.com/concourse/dex/connector/gitlab" + "github.com/concourse/dex/connector/google" + "github.com/concourse/dex/connector/keystone" + "github.com/concourse/dex/connector/ldap" + "github.com/concourse/dex/connector/linkedin" + "github.com/concourse/dex/connector/microsoft" + "github.com/concourse/dex/connector/mock" + "github.com/concourse/dex/connector/oauth" + "github.com/concourse/dex/connector/oidc" + "github.com/concourse/dex/connector/openshift" + "github.com/concourse/dex/connector/saml" + "github.com/concourse/dex/storage" + "github.com/concourse/dex/web" ) // LocalConnector is the local passwordDB connector which is an internal 
diff --git a/server/server_test.go b/server/server_test.go index bc103371ab..b60f052bc5 100644 --- a/server/server_test.go +++ b/server/server_test.go @@ -30,10 +30,10 @@ import ( "golang.org/x/crypto/bcrypt" "golang.org/x/oauth2" - "github.com/dexidp/dex/connector" - "github.com/dexidp/dex/connector/mock" - "github.com/dexidp/dex/storage" - "github.com/dexidp/dex/storage/memory" + "github.com/concourse/dex/connector" + "github.com/concourse/dex/connector/mock" + "github.com/concourse/dex/storage" + "github.com/concourse/dex/storage/memory" ) func mustLoad(s string) *rsa.PrivateKey { diff --git a/storage/conformance/conformance.go b/storage/conformance/conformance.go index 84ad1cba5f..7ed98cbec6 100644 --- a/storage/conformance/conformance.go +++ b/storage/conformance/conformance.go @@ -13,7 +13,7 @@ import ( "github.com/stretchr/testify/require" "golang.org/x/crypto/bcrypt" - "github.com/dexidp/dex/storage" + "github.com/concourse/dex/storage" ) // ensure that values being tested on never expire. diff --git a/storage/conformance/transactions.go b/storage/conformance/transactions.go index 69ed5517ad..c58c6b6169 100644 --- a/storage/conformance/transactions.go +++ b/storage/conformance/transactions.go @@ -7,7 +7,7 @@ import ( "golang.org/x/crypto/bcrypt" - "github.com/dexidp/dex/storage" + "github.com/concourse/dex/storage" ) // RunTransactionTests runs a test suite aimed a verifying the transaction diff --git a/storage/ent/client/authcode.go b/storage/ent/client/authcode.go index 8ac1231484..71f7275942 100644 --- a/storage/ent/client/authcode.go +++ b/storage/ent/client/authcode.go @@ -3,7 +3,7 @@ package client import ( "context" - "github.com/dexidp/dex/storage" + "github.com/concourse/dex/storage" ) // CreateAuthCode saves provided auth code into the database. diff --git a/storage/ent/client/authrequest.go b/storage/ent/client/authrequest.go index 42db702d68..490f15e6f6 100644 --- a/storage/ent/client/authrequest.go +++ b/storage/ent/client/authrequest.go 
@@ -4,7 +4,7 @@ import ( "context" "fmt" - "github.com/dexidp/dex/storage" + "github.com/concourse/dex/storage" ) // CreateAuthRequest saves provided auth request into the database. diff --git a/storage/ent/client/client.go b/storage/ent/client/client.go index 4cb02c0c83..b6e591a9da 100644 --- a/storage/ent/client/client.go +++ b/storage/ent/client/client.go @@ -3,7 +3,7 @@ package client import ( "context" - "github.com/dexidp/dex/storage" + "github.com/concourse/dex/storage" ) // CreateClient saves provided oauth2 client settings into the database. diff --git a/storage/ent/client/connector.go b/storage/ent/client/connector.go index 1534e52241..33e7adff7f 100644 --- a/storage/ent/client/connector.go +++ b/storage/ent/client/connector.go @@ -3,7 +3,7 @@ package client import ( "context" - "github.com/dexidp/dex/storage" + "github.com/concourse/dex/storage" ) // CreateConnector saves a connector into the database. diff --git a/storage/ent/client/devicerequest.go b/storage/ent/client/devicerequest.go index d8d371c9ba..be40a312ba 100644 --- a/storage/ent/client/devicerequest.go +++ b/storage/ent/client/devicerequest.go @@ -3,8 +3,8 @@ package client import ( "context" - "github.com/dexidp/dex/storage" - "github.com/dexidp/dex/storage/ent/db/devicerequest" + "github.com/concourse/dex/storage" + "github.com/concourse/dex/storage/ent/db/devicerequest" ) // CreateDeviceRequest saves provided device request into the database. diff --git a/storage/ent/client/devicetoken.go b/storage/ent/client/devicetoken.go index 18d483b98a..db9f9b7c57 100644 --- a/storage/ent/client/devicetoken.go +++ b/storage/ent/client/devicetoken.go @@ -3,8 +3,8 @@ package client import ( "context" - "github.com/dexidp/dex/storage" - "github.com/dexidp/dex/storage/ent/db/devicetoken" + "github.com/concourse/dex/storage" + "github.com/concourse/dex/storage/ent/db/devicetoken" ) // CreateDeviceToken saves provided token into the database. 
diff --git a/storage/ent/client/keys.go b/storage/ent/client/keys.go index f65d40fc21..3f06032735 100644 --- a/storage/ent/client/keys.go +++ b/storage/ent/client/keys.go @@ -4,8 +4,8 @@ import ( "context" "errors" - "github.com/dexidp/dex/storage" - "github.com/dexidp/dex/storage/ent/db" + "github.com/concourse/dex/storage" + "github.com/concourse/dex/storage/ent/db" ) func getKeys(client *db.KeysClient) (storage.Keys, error) { diff --git a/storage/ent/client/main.go b/storage/ent/client/main.go index bc4c1600ac..cf7abc8ec3 100644 --- a/storage/ent/client/main.go +++ b/storage/ent/client/main.go @@ -6,13 +6,13 @@ import ( "hash" "time" - "github.com/dexidp/dex/storage" - "github.com/dexidp/dex/storage/ent/db" - "github.com/dexidp/dex/storage/ent/db/authcode" - "github.com/dexidp/dex/storage/ent/db/authrequest" - "github.com/dexidp/dex/storage/ent/db/devicerequest" - "github.com/dexidp/dex/storage/ent/db/devicetoken" - "github.com/dexidp/dex/storage/ent/db/migrate" + "github.com/concourse/dex/storage" + "github.com/concourse/dex/storage/ent/db" + "github.com/concourse/dex/storage/ent/db/authcode" + "github.com/concourse/dex/storage/ent/db/authrequest" + "github.com/concourse/dex/storage/ent/db/devicerequest" + "github.com/concourse/dex/storage/ent/db/devicetoken" + "github.com/concourse/dex/storage/ent/db/migrate" ) var _ storage.Storage = (*Database)(nil) diff --git a/storage/ent/client/offlinesession.go b/storage/ent/client/offlinesession.go index 22469eced9..ee99781405 100644 --- a/storage/ent/client/offlinesession.go +++ b/storage/ent/client/offlinesession.go @@ -5,7 +5,7 @@ import ( "encoding/json" "fmt" - "github.com/dexidp/dex/storage" + "github.com/concourse/dex/storage" ) // CreateOfflineSessions saves provided offline session into the database. diff --git a/storage/ent/client/password.go b/storage/ent/client/password.go index 3e4aace8ae..7f0381587e 100644 --- a/storage/ent/client/password.go +++ b/storage/ent/client/password.go 
@@ -4,8 +4,8 @@ import ( "context" "strings" - "github.com/dexidp/dex/storage" - "github.com/dexidp/dex/storage/ent/db/password" + "github.com/concourse/dex/storage" + "github.com/concourse/dex/storage/ent/db/password" ) // CreatePassword saves provided password into the database. diff --git a/storage/ent/client/refreshtoken.go b/storage/ent/client/refreshtoken.go index 6861b07916..fcfa49311a 100644 --- a/storage/ent/client/refreshtoken.go +++ b/storage/ent/client/refreshtoken.go @@ -3,7 +3,7 @@ package client import ( "context" - "github.com/dexidp/dex/storage" + "github.com/concourse/dex/storage" ) // CreateRefresh saves provided refresh token into the database. diff --git a/storage/ent/client/types.go b/storage/ent/client/types.go index 397d4d30a2..3b0eed0a73 100644 --- a/storage/ent/client/types.go +++ b/storage/ent/client/types.go @@ -4,8 +4,8 @@ import ( "encoding/json" "strings" - "github.com/dexidp/dex/storage" - "github.com/dexidp/dex/storage/ent/db" + "github.com/concourse/dex/storage" + "github.com/concourse/dex/storage/ent/db" ) const keysRowID = "keys" diff --git a/storage/ent/client/utils.go b/storage/ent/client/utils.go index 65c037ac3c..daf0f2fa6b 100644 --- a/storage/ent/client/utils.go +++ b/storage/ent/client/utils.go @@ -6,8 +6,8 @@ import ( "github.com/pkg/errors" - "github.com/dexidp/dex/storage" - "github.com/dexidp/dex/storage/ent/db" + "github.com/concourse/dex/storage" + "github.com/concourse/dex/storage/ent/db" ) func rollback(tx *db.Tx, t string, err error) error { diff --git a/storage/ent/db/authcode.go b/storage/ent/db/authcode.go index 841d0b8b3f..36ef9f4530 100644 --- a/storage/ent/db/authcode.go +++ b/storage/ent/db/authcode.go @@ -10,7 +10,7 @@ import ( "entgo.io/ent" "entgo.io/ent/dialect/sql" - "github.com/dexidp/dex/storage/ent/db/authcode" + "github.com/concourse/dex/storage/ent/db/authcode" ) // AuthCode is the model entity for the AuthCode schema. 
diff --git a/storage/ent/db/authcode/where.go b/storage/ent/db/authcode/where.go index f8673fb039..4474f765f9 100644 --- a/storage/ent/db/authcode/where.go +++ b/storage/ent/db/authcode/where.go @@ -6,7 +6,7 @@ import ( "time" "entgo.io/ent/dialect/sql" - "github.com/dexidp/dex/storage/ent/db/predicate" + "github.com/concourse/dex/storage/ent/db/predicate" ) // ID filters vertices based on their ID field. diff --git a/storage/ent/db/authcode_create.go b/storage/ent/db/authcode_create.go index 03b8477dee..fec23ef9b7 100644 --- a/storage/ent/db/authcode_create.go +++ b/storage/ent/db/authcode_create.go @@ -10,7 +10,7 @@ import ( "entgo.io/ent/dialect/sql/sqlgraph" "entgo.io/ent/schema/field" - "github.com/dexidp/dex/storage/ent/db/authcode" + "github.com/concourse/dex/storage/ent/db/authcode" ) // AuthCodeCreate is the builder for creating a AuthCode entity. diff --git a/storage/ent/db/authcode_delete.go b/storage/ent/db/authcode_delete.go index 1f758fccad..e98744ff8b 100644 --- a/storage/ent/db/authcode_delete.go +++ b/storage/ent/db/authcode_delete.go @@ -8,8 +8,8 @@ import ( "entgo.io/ent/dialect/sql" "entgo.io/ent/dialect/sql/sqlgraph" "entgo.io/ent/schema/field" - "github.com/dexidp/dex/storage/ent/db/authcode" - "github.com/dexidp/dex/storage/ent/db/predicate" + "github.com/concourse/dex/storage/ent/db/authcode" + "github.com/concourse/dex/storage/ent/db/predicate" ) // AuthCodeDelete is the builder for deleting a AuthCode entity. diff --git a/storage/ent/db/authcode_query.go b/storage/ent/db/authcode_query.go index e7494ea5e1..5cbe875aa9 100644 --- a/storage/ent/db/authcode_query.go +++ b/storage/ent/db/authcode_query.go 
@@ -11,8 +11,8 @@ import ( "entgo.io/ent/dialect/sql" "entgo.io/ent/dialect/sql/sqlgraph" "entgo.io/ent/schema/field" - "github.com/dexidp/dex/storage/ent/db/authcode" - "github.com/dexidp/dex/storage/ent/db/predicate" + "github.com/concourse/dex/storage/ent/db/authcode" + "github.com/concourse/dex/storage/ent/db/predicate" ) // AuthCodeQuery is the builder for querying AuthCode entities. diff --git a/storage/ent/db/authcode_update.go b/storage/ent/db/authcode_update.go index 5b3fc06220..11861052e7 100644 --- a/storage/ent/db/authcode_update.go +++ b/storage/ent/db/authcode_update.go @@ -12,8 +12,8 @@ import ( "entgo.io/ent/dialect/sql/sqlgraph" "entgo.io/ent/dialect/sql/sqljson" "entgo.io/ent/schema/field" - "github.com/dexidp/dex/storage/ent/db/authcode" - "github.com/dexidp/dex/storage/ent/db/predicate" + "github.com/concourse/dex/storage/ent/db/authcode" + "github.com/concourse/dex/storage/ent/db/predicate" ) // AuthCodeUpdate is the builder for updating AuthCode entities. diff --git a/storage/ent/db/authrequest.go b/storage/ent/db/authrequest.go index b95592e58c..96d3021f48 100644 --- a/storage/ent/db/authrequest.go +++ b/storage/ent/db/authrequest.go @@ -10,7 +10,7 @@ import ( "entgo.io/ent" "entgo.io/ent/dialect/sql" - "github.com/dexidp/dex/storage/ent/db/authrequest" + "github.com/concourse/dex/storage/ent/db/authrequest" ) // AuthRequest is the model entity for the AuthRequest schema. diff --git a/storage/ent/db/authrequest/where.go b/storage/ent/db/authrequest/where.go index 4d3a39bec5..a927ec5642 100644 --- a/storage/ent/db/authrequest/where.go +++ b/storage/ent/db/authrequest/where.go @@ -6,7 +6,7 @@ import ( "time" "entgo.io/ent/dialect/sql" - "github.com/dexidp/dex/storage/ent/db/predicate" + "github.com/concourse/dex/storage/ent/db/predicate" ) // ID filters vertices based on their ID field. diff --git a/storage/ent/db/authrequest_create.go b/storage/ent/db/authrequest_create.go index 3fe0c2b1f7..ef46adb358 100644 
--- a/storage/ent/db/authrequest_create.go +++ b/storage/ent/db/authrequest_create.go @@ -10,7 +10,7 @@ import ( "entgo.io/ent/dialect/sql/sqlgraph" "entgo.io/ent/schema/field" - "github.com/dexidp/dex/storage/ent/db/authrequest" + "github.com/concourse/dex/storage/ent/db/authrequest" ) // AuthRequestCreate is the builder for creating a AuthRequest entity. diff --git a/storage/ent/db/authrequest_delete.go b/storage/ent/db/authrequest_delete.go index 0cef693afa..fd29a76618 100644 --- a/storage/ent/db/authrequest_delete.go +++ b/storage/ent/db/authrequest_delete.go @@ -8,8 +8,8 @@ import ( "entgo.io/ent/dialect/sql" "entgo.io/ent/dialect/sql/sqlgraph" "entgo.io/ent/schema/field" - "github.com/dexidp/dex/storage/ent/db/authrequest" - "github.com/dexidp/dex/storage/ent/db/predicate" + "github.com/concourse/dex/storage/ent/db/authrequest" + "github.com/concourse/dex/storage/ent/db/predicate" ) // AuthRequestDelete is the builder for deleting a AuthRequest entity. diff --git a/storage/ent/db/authrequest_query.go b/storage/ent/db/authrequest_query.go index 35ba24b0c2..5999bda454 100644 --- a/storage/ent/db/authrequest_query.go +++ b/storage/ent/db/authrequest_query.go @@ -11,8 +11,8 @@ import ( "entgo.io/ent/dialect/sql" "entgo.io/ent/dialect/sql/sqlgraph" "entgo.io/ent/schema/field" - "github.com/dexidp/dex/storage/ent/db/authrequest" - "github.com/dexidp/dex/storage/ent/db/predicate" + "github.com/concourse/dex/storage/ent/db/authrequest" + "github.com/concourse/dex/storage/ent/db/predicate" ) // AuthRequestQuery is the builder for querying AuthRequest entities. diff --git a/storage/ent/db/authrequest_update.go b/storage/ent/db/authrequest_update.go index 0f314a4f51..0cd0b44f18 100644 --- a/storage/ent/db/authrequest_update.go +++ b/storage/ent/db/authrequest_update.go 
@@ -12,8 +12,8 @@ import ( "entgo.io/ent/dialect/sql/sqlgraph" "entgo.io/ent/dialect/sql/sqljson" "entgo.io/ent/schema/field" - "github.com/dexidp/dex/storage/ent/db/authrequest" - "github.com/dexidp/dex/storage/ent/db/predicate" + "github.com/concourse/dex/storage/ent/db/authrequest" + "github.com/concourse/dex/storage/ent/db/predicate" ) // AuthRequestUpdate is the builder for updating AuthRequest entities. diff --git a/storage/ent/db/client.go b/storage/ent/db/client.go index 822fc3ed6b..3b2753cda7 100644 --- a/storage/ent/db/client.go +++ b/storage/ent/db/client.go @@ -9,21 +9,21 @@ import ( "log" "reflect" - "github.com/dexidp/dex/storage/ent/db/migrate" + "github.com/concourse/dex/storage/ent/db/migrate" "entgo.io/ent" "entgo.io/ent/dialect" "entgo.io/ent/dialect/sql" - "github.com/dexidp/dex/storage/ent/db/authcode" - "github.com/dexidp/dex/storage/ent/db/authrequest" - "github.com/dexidp/dex/storage/ent/db/connector" - "github.com/dexidp/dex/storage/ent/db/devicerequest" - "github.com/dexidp/dex/storage/ent/db/devicetoken" - "github.com/dexidp/dex/storage/ent/db/keys" - "github.com/dexidp/dex/storage/ent/db/oauth2client" - "github.com/dexidp/dex/storage/ent/db/offlinesession" - "github.com/dexidp/dex/storage/ent/db/password" - "github.com/dexidp/dex/storage/ent/db/refreshtoken" + "github.com/concourse/dex/storage/ent/db/authcode" + "github.com/concourse/dex/storage/ent/db/authrequest" + "github.com/concourse/dex/storage/ent/db/connector" + "github.com/concourse/dex/storage/ent/db/devicerequest" + "github.com/concourse/dex/storage/ent/db/devicetoken" + "github.com/concourse/dex/storage/ent/db/keys" + "github.com/concourse/dex/storage/ent/db/oauth2client" + "github.com/concourse/dex/storage/ent/db/offlinesession" + "github.com/concourse/dex/storage/ent/db/password" + "github.com/concourse/dex/storage/ent/db/refreshtoken" ) // Client is the client that holds all ent builders. 
diff --git a/storage/ent/db/connector.go b/storage/ent/db/connector.go index 34c88e31e6..8716909ea1 100644 --- a/storage/ent/db/connector.go +++ b/storage/ent/db/connector.go @@ -8,7 +8,7 @@ import ( "entgo.io/ent" "entgo.io/ent/dialect/sql" - "github.com/dexidp/dex/storage/ent/db/connector" + "github.com/concourse/dex/storage/ent/db/connector" ) // Connector is the model entity for the Connector schema. diff --git a/storage/ent/db/connector/where.go b/storage/ent/db/connector/where.go index 39cc477fce..841755e89d 100644 --- a/storage/ent/db/connector/where.go +++ b/storage/ent/db/connector/where.go @@ -4,7 +4,7 @@ package connector import ( "entgo.io/ent/dialect/sql" - "github.com/dexidp/dex/storage/ent/db/predicate" + "github.com/concourse/dex/storage/ent/db/predicate" ) // ID filters vertices based on their ID field. diff --git a/storage/ent/db/connector_create.go b/storage/ent/db/connector_create.go index 5bd4a19fc1..00e347e3ef 100644 --- a/storage/ent/db/connector_create.go +++ b/storage/ent/db/connector_create.go @@ -9,7 +9,7 @@ import ( "entgo.io/ent/dialect/sql/sqlgraph" "entgo.io/ent/schema/field" - "github.com/dexidp/dex/storage/ent/db/connector" + "github.com/concourse/dex/storage/ent/db/connector" ) // ConnectorCreate is the builder for creating a Connector entity. diff --git a/storage/ent/db/connector_delete.go b/storage/ent/db/connector_delete.go index f7f3ed1e0f..8604c43502 100644 --- a/storage/ent/db/connector_delete.go +++ b/storage/ent/db/connector_delete.go @@ -8,8 +8,8 @@ import ( "entgo.io/ent/dialect/sql" "entgo.io/ent/dialect/sql/sqlgraph" "entgo.io/ent/schema/field" - "github.com/dexidp/dex/storage/ent/db/connector" - "github.com/dexidp/dex/storage/ent/db/predicate" + "github.com/concourse/dex/storage/ent/db/connector" + "github.com/concourse/dex/storage/ent/db/predicate" ) // ConnectorDelete is the builder for deleting a Connector entity. 
diff --git a/storage/ent/db/connector_query.go b/storage/ent/db/connector_query.go index 35eae22a91..a47deb67b0 100644 --- a/storage/ent/db/connector_query.go +++ b/storage/ent/db/connector_query.go @@ -11,8 +11,8 @@ import ( "entgo.io/ent/dialect/sql" "entgo.io/ent/dialect/sql/sqlgraph" "entgo.io/ent/schema/field" - "github.com/dexidp/dex/storage/ent/db/connector" - "github.com/dexidp/dex/storage/ent/db/predicate" + "github.com/concourse/dex/storage/ent/db/connector" + "github.com/concourse/dex/storage/ent/db/predicate" ) // ConnectorQuery is the builder for querying Connector entities. diff --git a/storage/ent/db/connector_update.go b/storage/ent/db/connector_update.go index 71b5d25d71..79e699f871 100644 --- a/storage/ent/db/connector_update.go +++ b/storage/ent/db/connector_update.go @@ -10,8 +10,8 @@ import ( "entgo.io/ent/dialect/sql" "entgo.io/ent/dialect/sql/sqlgraph" "entgo.io/ent/schema/field" - "github.com/dexidp/dex/storage/ent/db/connector" - "github.com/dexidp/dex/storage/ent/db/predicate" + "github.com/concourse/dex/storage/ent/db/connector" + "github.com/concourse/dex/storage/ent/db/predicate" ) // ConnectorUpdate is the builder for updating Connector entities. diff --git a/storage/ent/db/devicerequest.go b/storage/ent/db/devicerequest.go index df0194bb45..8a3321ebe7 100644 --- a/storage/ent/db/devicerequest.go +++ b/storage/ent/db/devicerequest.go @@ -10,7 +10,7 @@ import ( "entgo.io/ent" "entgo.io/ent/dialect/sql" - "github.com/dexidp/dex/storage/ent/db/devicerequest" + "github.com/concourse/dex/storage/ent/db/devicerequest" ) // DeviceRequest is the model entity for the DeviceRequest schema. diff --git a/storage/ent/db/devicerequest/where.go b/storage/ent/db/devicerequest/where.go index 47a578fc3c..446027e6f6 100644 --- a/storage/ent/db/devicerequest/where.go +++ b/storage/ent/db/devicerequest/where.go 
@@ -6,7 +6,7 @@ import ( "time" "entgo.io/ent/dialect/sql" - "github.com/dexidp/dex/storage/ent/db/predicate" + "github.com/concourse/dex/storage/ent/db/predicate" ) // ID filters vertices based on their ID field. diff --git a/storage/ent/db/devicerequest_create.go b/storage/ent/db/devicerequest_create.go index 70c97875df..9fb32e8a1c 100644 --- a/storage/ent/db/devicerequest_create.go +++ b/storage/ent/db/devicerequest_create.go @@ -10,7 +10,7 @@ import ( "entgo.io/ent/dialect/sql/sqlgraph" "entgo.io/ent/schema/field" - "github.com/dexidp/dex/storage/ent/db/devicerequest" + "github.com/concourse/dex/storage/ent/db/devicerequest" ) // DeviceRequestCreate is the builder for creating a DeviceRequest entity. diff --git a/storage/ent/db/devicerequest_delete.go b/storage/ent/db/devicerequest_delete.go index b92f77984d..13ba30e38b 100644 --- a/storage/ent/db/devicerequest_delete.go +++ b/storage/ent/db/devicerequest_delete.go @@ -8,8 +8,8 @@ import ( "entgo.io/ent/dialect/sql" "entgo.io/ent/dialect/sql/sqlgraph" "entgo.io/ent/schema/field" - "github.com/dexidp/dex/storage/ent/db/devicerequest" - "github.com/dexidp/dex/storage/ent/db/predicate" + "github.com/concourse/dex/storage/ent/db/devicerequest" + "github.com/concourse/dex/storage/ent/db/predicate" ) // DeviceRequestDelete is the builder for deleting a DeviceRequest entity. diff --git a/storage/ent/db/devicerequest_query.go b/storage/ent/db/devicerequest_query.go index 49ed0461ee..6b7573099d 100644 --- a/storage/ent/db/devicerequest_query.go +++ b/storage/ent/db/devicerequest_query.go @@ -11,8 +11,8 @@ import ( "entgo.io/ent/dialect/sql" "entgo.io/ent/dialect/sql/sqlgraph" "entgo.io/ent/schema/field" - "github.com/dexidp/dex/storage/ent/db/devicerequest" - "github.com/dexidp/dex/storage/ent/db/predicate" + "github.com/concourse/dex/storage/ent/db/devicerequest" + "github.com/concourse/dex/storage/ent/db/predicate" ) // DeviceRequestQuery is the builder for querying DeviceRequest entities. 
diff --git a/storage/ent/db/devicerequest_update.go b/storage/ent/db/devicerequest_update.go index b71743c2c1..df63020af8 100644 --- a/storage/ent/db/devicerequest_update.go +++ b/storage/ent/db/devicerequest_update.go @@ -12,8 +12,8 @@ import ( "entgo.io/ent/dialect/sql/sqlgraph" "entgo.io/ent/dialect/sql/sqljson" "entgo.io/ent/schema/field" - "github.com/dexidp/dex/storage/ent/db/devicerequest" - "github.com/dexidp/dex/storage/ent/db/predicate" + "github.com/concourse/dex/storage/ent/db/devicerequest" + "github.com/concourse/dex/storage/ent/db/predicate" ) // DeviceRequestUpdate is the builder for updating DeviceRequest entities. diff --git a/storage/ent/db/devicetoken.go b/storage/ent/db/devicetoken.go index 0eda024e05..0cf54b5497 100644 --- a/storage/ent/db/devicetoken.go +++ b/storage/ent/db/devicetoken.go @@ -9,7 +9,7 @@ import ( "entgo.io/ent" "entgo.io/ent/dialect/sql" - "github.com/dexidp/dex/storage/ent/db/devicetoken" + "github.com/concourse/dex/storage/ent/db/devicetoken" ) // DeviceToken is the model entity for the DeviceToken schema. diff --git a/storage/ent/db/devicetoken/where.go b/storage/ent/db/devicetoken/where.go index 59fa65cb1e..37628cda3e 100644 --- a/storage/ent/db/devicetoken/where.go +++ b/storage/ent/db/devicetoken/where.go @@ -6,7 +6,7 @@ import ( "time" "entgo.io/ent/dialect/sql" - "github.com/dexidp/dex/storage/ent/db/predicate" + "github.com/concourse/dex/storage/ent/db/predicate" ) // ID filters vertices based on their ID field. diff --git a/storage/ent/db/devicetoken_create.go b/storage/ent/db/devicetoken_create.go index 966d208fae..8f4eac2096 100644 --- a/storage/ent/db/devicetoken_create.go +++ b/storage/ent/db/devicetoken_create.go @@ -10,7 +10,7 @@ import ( "entgo.io/ent/dialect/sql/sqlgraph" "entgo.io/ent/schema/field" - "github.com/dexidp/dex/storage/ent/db/devicetoken" + "github.com/concourse/dex/storage/ent/db/devicetoken" ) // DeviceTokenCreate is the builder for creating a DeviceToken entity. 
diff --git a/storage/ent/db/devicetoken_delete.go b/storage/ent/db/devicetoken_delete.go index 9632450b0b..ecb2bdccc6 100644 --- a/storage/ent/db/devicetoken_delete.go +++ b/storage/ent/db/devicetoken_delete.go @@ -8,8 +8,8 @@ import ( "entgo.io/ent/dialect/sql" "entgo.io/ent/dialect/sql/sqlgraph" "entgo.io/ent/schema/field" - "github.com/dexidp/dex/storage/ent/db/devicetoken" - "github.com/dexidp/dex/storage/ent/db/predicate" + "github.com/concourse/dex/storage/ent/db/devicetoken" + "github.com/concourse/dex/storage/ent/db/predicate" ) // DeviceTokenDelete is the builder for deleting a DeviceToken entity. diff --git a/storage/ent/db/devicetoken_query.go b/storage/ent/db/devicetoken_query.go index cbdc9dac7d..bdbd0ca8be 100644 --- a/storage/ent/db/devicetoken_query.go +++ b/storage/ent/db/devicetoken_query.go @@ -11,8 +11,8 @@ import ( "entgo.io/ent/dialect/sql" "entgo.io/ent/dialect/sql/sqlgraph" "entgo.io/ent/schema/field" - "github.com/dexidp/dex/storage/ent/db/devicetoken" - "github.com/dexidp/dex/storage/ent/db/predicate" + "github.com/concourse/dex/storage/ent/db/devicetoken" + "github.com/concourse/dex/storage/ent/db/predicate" ) // DeviceTokenQuery is the builder for querying DeviceToken entities. diff --git a/storage/ent/db/devicetoken_update.go b/storage/ent/db/devicetoken_update.go index 3c6c841463..2dda7d1416 100644 --- a/storage/ent/db/devicetoken_update.go +++ b/storage/ent/db/devicetoken_update.go @@ -11,8 +11,8 @@ import ( "entgo.io/ent/dialect/sql" "entgo.io/ent/dialect/sql/sqlgraph" "entgo.io/ent/schema/field" - "github.com/dexidp/dex/storage/ent/db/devicetoken" - "github.com/dexidp/dex/storage/ent/db/predicate" + "github.com/concourse/dex/storage/ent/db/devicetoken" + "github.com/concourse/dex/storage/ent/db/predicate" ) // DeviceTokenUpdate is the builder for updating DeviceToken entities. diff --git a/storage/ent/db/ent.go b/storage/ent/db/ent.go index dec4be7860..020d3ffd47 100644 --- a/storage/ent/db/ent.go +++ b/storage/ent/db/ent.go 
@@ -12,16 +12,16 @@ import ( "entgo.io/ent" "entgo.io/ent/dialect/sql" "entgo.io/ent/dialect/sql/sqlgraph" - "github.com/dexidp/dex/storage/ent/db/authcode" - "github.com/dexidp/dex/storage/ent/db/authrequest" - "github.com/dexidp/dex/storage/ent/db/connector" - "github.com/dexidp/dex/storage/ent/db/devicerequest" - "github.com/dexidp/dex/storage/ent/db/devicetoken" - "github.com/dexidp/dex/storage/ent/db/keys" - "github.com/dexidp/dex/storage/ent/db/oauth2client" - "github.com/dexidp/dex/storage/ent/db/offlinesession" - "github.com/dexidp/dex/storage/ent/db/password" - "github.com/dexidp/dex/storage/ent/db/refreshtoken" + "github.com/concourse/dex/storage/ent/db/authcode" + "github.com/concourse/dex/storage/ent/db/authrequest" + "github.com/concourse/dex/storage/ent/db/connector" + "github.com/concourse/dex/storage/ent/db/devicerequest" + "github.com/concourse/dex/storage/ent/db/devicetoken" + "github.com/concourse/dex/storage/ent/db/keys" + "github.com/concourse/dex/storage/ent/db/oauth2client" + "github.com/concourse/dex/storage/ent/db/offlinesession" + "github.com/concourse/dex/storage/ent/db/password" + "github.com/concourse/dex/storage/ent/db/refreshtoken" ) // ent aliases to avoid import conflicts in user's code. diff --git a/storage/ent/db/enttest/enttest.go b/storage/ent/db/enttest/enttest.go index 65702d99c9..c7452b44ab 100644 --- a/storage/ent/db/enttest/enttest.go +++ b/storage/ent/db/enttest/enttest.go @@ -5,12 +5,12 @@ package enttest import ( "context" - "github.com/dexidp/dex/storage/ent/db" + "github.com/concourse/dex/storage/ent/db" // required by schema hooks. - _ "github.com/dexidp/dex/storage/ent/db/runtime" + _ "github.com/concourse/dex/storage/ent/db/runtime" "entgo.io/ent/dialect/sql/schema" - "github.com/dexidp/dex/storage/ent/db/migrate" + "github.com/concourse/dex/storage/ent/db/migrate" ) type ( diff --git a/storage/ent/db/hook/hook.go b/storage/ent/db/hook/hook.go index 12cb91c65e..b7e6f2109e 100644 --- a/storage/ent/db/hook/hook.go 
+++ b/storage/ent/db/hook/hook.go @@ -6,7 +6,7 @@ import ( "context" "fmt" - "github.com/dexidp/dex/storage/ent/db" + "github.com/concourse/dex/storage/ent/db" ) // The AuthCodeFunc type is an adapter to allow the use of ordinary diff --git a/storage/ent/db/keys.go b/storage/ent/db/keys.go index 616b1eaee2..70ad90f43c 100644 --- a/storage/ent/db/keys.go +++ b/storage/ent/db/keys.go @@ -10,8 +10,8 @@ import ( "entgo.io/ent" "entgo.io/ent/dialect/sql" - "github.com/dexidp/dex/storage" - "github.com/dexidp/dex/storage/ent/db/keys" + "github.com/concourse/dex/storage" + "github.com/concourse/dex/storage/ent/db/keys" jose "github.com/go-jose/go-jose/v4" ) diff --git a/storage/ent/db/keys/where.go b/storage/ent/db/keys/where.go index 04bec3baec..e7270189c2 100644 --- a/storage/ent/db/keys/where.go +++ b/storage/ent/db/keys/where.go @@ -6,7 +6,7 @@ import ( "time" "entgo.io/ent/dialect/sql" - "github.com/dexidp/dex/storage/ent/db/predicate" + "github.com/concourse/dex/storage/ent/db/predicate" ) // ID filters vertices based on their ID field. diff --git a/storage/ent/db/keys_create.go b/storage/ent/db/keys_create.go index d555448fe2..5208ea76c6 100644 --- a/storage/ent/db/keys_create.go +++ b/storage/ent/db/keys_create.go @@ -10,8 +10,8 @@ import ( "entgo.io/ent/dialect/sql/sqlgraph" "entgo.io/ent/schema/field" - "github.com/dexidp/dex/storage" - "github.com/dexidp/dex/storage/ent/db/keys" + "github.com/concourse/dex/storage" + "github.com/concourse/dex/storage/ent/db/keys" jose "github.com/go-jose/go-jose/v4" ) diff --git a/storage/ent/db/keys_delete.go b/storage/ent/db/keys_delete.go index 7f66119452..2a5fe370f5 100644 --- a/storage/ent/db/keys_delete.go +++ b/storage/ent/db/keys_delete.go 
@@ -8,8 +8,8 @@ import ( "entgo.io/ent/dialect/sql" "entgo.io/ent/dialect/sql/sqlgraph" "entgo.io/ent/schema/field" - "github.com/dexidp/dex/storage/ent/db/keys" - "github.com/dexidp/dex/storage/ent/db/predicate" + "github.com/concourse/dex/storage/ent/db/keys" + "github.com/concourse/dex/storage/ent/db/predicate" ) // KeysDelete is the builder for deleting a Keys entity. diff --git a/storage/ent/db/keys_query.go b/storage/ent/db/keys_query.go index 2b59c67f0f..02a50310a7 100644 --- a/storage/ent/db/keys_query.go +++ b/storage/ent/db/keys_query.go @@ -11,8 +11,8 @@ import ( "entgo.io/ent/dialect/sql" "entgo.io/ent/dialect/sql/sqlgraph" "entgo.io/ent/schema/field" - "github.com/dexidp/dex/storage/ent/db/keys" - "github.com/dexidp/dex/storage/ent/db/predicate" + "github.com/concourse/dex/storage/ent/db/keys" + "github.com/concourse/dex/storage/ent/db/predicate" ) // KeysQuery is the builder for querying Keys entities. diff --git a/storage/ent/db/keys_update.go b/storage/ent/db/keys_update.go index ff9ff97fca..2d768bc43d 100644 --- a/storage/ent/db/keys_update.go +++ b/storage/ent/db/keys_update.go @@ -12,9 +12,9 @@ import ( "entgo.io/ent/dialect/sql/sqlgraph" "entgo.io/ent/dialect/sql/sqljson" "entgo.io/ent/schema/field" - "github.com/dexidp/dex/storage" - "github.com/dexidp/dex/storage/ent/db/keys" - "github.com/dexidp/dex/storage/ent/db/predicate" + "github.com/concourse/dex/storage" + "github.com/concourse/dex/storage/ent/db/keys" + "github.com/concourse/dex/storage/ent/db/predicate" jose "github.com/go-jose/go-jose/v4" ) diff --git a/storage/ent/db/mutation.go b/storage/ent/db/mutation.go index 71203574e6..f47f84a986 100644 --- a/storage/ent/db/mutation.go +++ b/storage/ent/db/mutation.go 
@@ -11,18 +11,18 @@ import ( "entgo.io/ent" "entgo.io/ent/dialect/sql" - "github.com/dexidp/dex/storage" - "github.com/dexidp/dex/storage/ent/db/authcode" - "github.com/dexidp/dex/storage/ent/db/authrequest" - "github.com/dexidp/dex/storage/ent/db/connector" - "github.com/dexidp/dex/storage/ent/db/devicerequest" - "github.com/dexidp/dex/storage/ent/db/devicetoken" - "github.com/dexidp/dex/storage/ent/db/keys" - "github.com/dexidp/dex/storage/ent/db/oauth2client" - "github.com/dexidp/dex/storage/ent/db/offlinesession" - "github.com/dexidp/dex/storage/ent/db/password" - "github.com/dexidp/dex/storage/ent/db/predicate" - "github.com/dexidp/dex/storage/ent/db/refreshtoken" + "github.com/concourse/dex/storage" + "github.com/concourse/dex/storage/ent/db/authcode" + "github.com/concourse/dex/storage/ent/db/authrequest" + "github.com/concourse/dex/storage/ent/db/connector" + "github.com/concourse/dex/storage/ent/db/devicerequest" + "github.com/concourse/dex/storage/ent/db/devicetoken" + "github.com/concourse/dex/storage/ent/db/keys" + "github.com/concourse/dex/storage/ent/db/oauth2client" + "github.com/concourse/dex/storage/ent/db/offlinesession" + "github.com/concourse/dex/storage/ent/db/password" + "github.com/concourse/dex/storage/ent/db/predicate" + "github.com/concourse/dex/storage/ent/db/refreshtoken" jose "github.com/go-jose/go-jose/v4" ) diff --git a/storage/ent/db/oauth2client.go b/storage/ent/db/oauth2client.go index 39a4cf82ab..0a53a454f3 100644 --- a/storage/ent/db/oauth2client.go +++ b/storage/ent/db/oauth2client.go @@ -9,7 +9,7 @@ import ( "entgo.io/ent" "entgo.io/ent/dialect/sql" - "github.com/dexidp/dex/storage/ent/db/oauth2client" + "github.com/concourse/dex/storage/ent/db/oauth2client" ) // OAuth2Client is the model entity for the OAuth2Client schema. diff --git a/storage/ent/db/oauth2client/where.go b/storage/ent/db/oauth2client/where.go index 55aee79b1a..26d9dc65e0 100644 --- a/storage/ent/db/oauth2client/where.go 
+++ b/storage/ent/db/oauth2client/where.go @@ -4,7 +4,7 @@ package oauth2client import ( "entgo.io/ent/dialect/sql" - "github.com/dexidp/dex/storage/ent/db/predicate" + "github.com/concourse/dex/storage/ent/db/predicate" ) // ID filters vertices based on their ID field. diff --git a/storage/ent/db/oauth2client_create.go b/storage/ent/db/oauth2client_create.go index 5b472cd36d..5be2f20612 100644 --- a/storage/ent/db/oauth2client_create.go +++ b/storage/ent/db/oauth2client_create.go @@ -9,7 +9,7 @@ import ( "entgo.io/ent/dialect/sql/sqlgraph" "entgo.io/ent/schema/field" - "github.com/dexidp/dex/storage/ent/db/oauth2client" + "github.com/concourse/dex/storage/ent/db/oauth2client" ) // OAuth2ClientCreate is the builder for creating a OAuth2Client entity. diff --git a/storage/ent/db/oauth2client_delete.go b/storage/ent/db/oauth2client_delete.go index ee88e2800b..fb2b038b65 100644 --- a/storage/ent/db/oauth2client_delete.go +++ b/storage/ent/db/oauth2client_delete.go @@ -8,8 +8,8 @@ import ( "entgo.io/ent/dialect/sql" "entgo.io/ent/dialect/sql/sqlgraph" "entgo.io/ent/schema/field" - "github.com/dexidp/dex/storage/ent/db/oauth2client" - "github.com/dexidp/dex/storage/ent/db/predicate" + "github.com/concourse/dex/storage/ent/db/oauth2client" + "github.com/concourse/dex/storage/ent/db/predicate" ) // OAuth2ClientDelete is the builder for deleting a OAuth2Client entity. diff --git a/storage/ent/db/oauth2client_query.go b/storage/ent/db/oauth2client_query.go index 27597112df..45389002f5 100644 --- a/storage/ent/db/oauth2client_query.go +++ b/storage/ent/db/oauth2client_query.go 
@@ -11,8 +11,8 @@ import ( "entgo.io/ent/dialect/sql" "entgo.io/ent/dialect/sql/sqlgraph" "entgo.io/ent/schema/field" - "github.com/dexidp/dex/storage/ent/db/oauth2client" - "github.com/dexidp/dex/storage/ent/db/predicate" + "github.com/concourse/dex/storage/ent/db/oauth2client" + "github.com/concourse/dex/storage/ent/db/predicate" ) // OAuth2ClientQuery is the builder for querying OAuth2Client entities. diff --git a/storage/ent/db/oauth2client_update.go b/storage/ent/db/oauth2client_update.go index 9d84e0b854..dfa2c1b4d2 100644 --- a/storage/ent/db/oauth2client_update.go +++ b/storage/ent/db/oauth2client_update.go @@ -11,8 +11,8 @@ import ( "entgo.io/ent/dialect/sql/sqlgraph" "entgo.io/ent/dialect/sql/sqljson" "entgo.io/ent/schema/field" - "github.com/dexidp/dex/storage/ent/db/oauth2client" - "github.com/dexidp/dex/storage/ent/db/predicate" + "github.com/concourse/dex/storage/ent/db/oauth2client" + "github.com/concourse/dex/storage/ent/db/predicate" ) // OAuth2ClientUpdate is the builder for updating OAuth2Client entities. diff --git a/storage/ent/db/offlinesession.go b/storage/ent/db/offlinesession.go index 7adc3afca3..2fc2ca4375 100644 --- a/storage/ent/db/offlinesession.go +++ b/storage/ent/db/offlinesession.go @@ -8,7 +8,7 @@ import ( "entgo.io/ent" "entgo.io/ent/dialect/sql" - "github.com/dexidp/dex/storage/ent/db/offlinesession" + "github.com/concourse/dex/storage/ent/db/offlinesession" ) // OfflineSession is the model entity for the OfflineSession schema. diff --git a/storage/ent/db/offlinesession/where.go b/storage/ent/db/offlinesession/where.go index e0f19ab2ce..f9a1a9e2be 100644 --- a/storage/ent/db/offlinesession/where.go +++ b/storage/ent/db/offlinesession/where.go @@ -4,7 +4,7 @@ package offlinesession import ( "entgo.io/ent/dialect/sql" - "github.com/dexidp/dex/storage/ent/db/predicate" + "github.com/concourse/dex/storage/ent/db/predicate" ) // ID filters vertices based on their ID field. 
diff --git a/storage/ent/db/offlinesession_create.go b/storage/ent/db/offlinesession_create.go index b8250aac8d..64012b91bf 100644 --- a/storage/ent/db/offlinesession_create.go +++ b/storage/ent/db/offlinesession_create.go @@ -9,7 +9,7 @@ import ( "entgo.io/ent/dialect/sql/sqlgraph" "entgo.io/ent/schema/field" - "github.com/dexidp/dex/storage/ent/db/offlinesession" + "github.com/concourse/dex/storage/ent/db/offlinesession" ) // OfflineSessionCreate is the builder for creating a OfflineSession entity. diff --git a/storage/ent/db/offlinesession_delete.go b/storage/ent/db/offlinesession_delete.go index 354d0e9197..5481341e1b 100644 --- a/storage/ent/db/offlinesession_delete.go +++ b/storage/ent/db/offlinesession_delete.go @@ -8,8 +8,8 @@ import ( "entgo.io/ent/dialect/sql" "entgo.io/ent/dialect/sql/sqlgraph" "entgo.io/ent/schema/field" - "github.com/dexidp/dex/storage/ent/db/offlinesession" - "github.com/dexidp/dex/storage/ent/db/predicate" + "github.com/concourse/dex/storage/ent/db/offlinesession" + "github.com/concourse/dex/storage/ent/db/predicate" ) // OfflineSessionDelete is the builder for deleting a OfflineSession entity. diff --git a/storage/ent/db/offlinesession_query.go b/storage/ent/db/offlinesession_query.go index 170bcad3ee..23d2e59c90 100644 --- a/storage/ent/db/offlinesession_query.go +++ b/storage/ent/db/offlinesession_query.go @@ -11,8 +11,8 @@ import ( "entgo.io/ent/dialect/sql" "entgo.io/ent/dialect/sql/sqlgraph" "entgo.io/ent/schema/field" - "github.com/dexidp/dex/storage/ent/db/offlinesession" - "github.com/dexidp/dex/storage/ent/db/predicate" + "github.com/concourse/dex/storage/ent/db/offlinesession" + "github.com/concourse/dex/storage/ent/db/predicate" ) // OfflineSessionQuery is the builder for querying OfflineSession entities. diff --git a/storage/ent/db/offlinesession_update.go b/storage/ent/db/offlinesession_update.go index d912acf1a9..3a01622912 100644 --- a/storage/ent/db/offlinesession_update.go 
+++ b/storage/ent/db/offlinesession_update.go @@ -10,8 +10,8 @@ import ( "entgo.io/ent/dialect/sql" "entgo.io/ent/dialect/sql/sqlgraph" "entgo.io/ent/schema/field" - "github.com/dexidp/dex/storage/ent/db/offlinesession" - "github.com/dexidp/dex/storage/ent/db/predicate" + "github.com/concourse/dex/storage/ent/db/offlinesession" + "github.com/concourse/dex/storage/ent/db/predicate" ) // OfflineSessionUpdate is the builder for updating OfflineSession entities. diff --git a/storage/ent/db/password.go b/storage/ent/db/password.go index 70f8ad2b1e..50b5635493 100644 --- a/storage/ent/db/password.go +++ b/storage/ent/db/password.go @@ -8,7 +8,7 @@ import ( "entgo.io/ent" "entgo.io/ent/dialect/sql" - "github.com/dexidp/dex/storage/ent/db/password" + "github.com/concourse/dex/storage/ent/db/password" ) // Password is the model entity for the Password schema. diff --git a/storage/ent/db/password/where.go b/storage/ent/db/password/where.go index 105a8d4fc2..7b93e536a3 100644 --- a/storage/ent/db/password/where.go +++ b/storage/ent/db/password/where.go @@ -4,7 +4,7 @@ package password import ( "entgo.io/ent/dialect/sql" - "github.com/dexidp/dex/storage/ent/db/predicate" + "github.com/concourse/dex/storage/ent/db/predicate" ) // ID filters vertices based on their ID field. diff --git a/storage/ent/db/password_create.go b/storage/ent/db/password_create.go index aba7ddd930..5aed66d028 100644 --- a/storage/ent/db/password_create.go +++ b/storage/ent/db/password_create.go @@ -9,7 +9,7 @@ import ( "entgo.io/ent/dialect/sql/sqlgraph" "entgo.io/ent/schema/field" - "github.com/dexidp/dex/storage/ent/db/password" + "github.com/concourse/dex/storage/ent/db/password" ) // PasswordCreate is the builder for creating a Password entity. diff --git a/storage/ent/db/password_delete.go b/storage/ent/db/password_delete.go index 784d545ee6..49dfcaea12 100644 --- a/storage/ent/db/password_delete.go +++ b/storage/ent/db/password_delete.go 
@@ -8,8 +8,8 @@ import ( "entgo.io/ent/dialect/sql" "entgo.io/ent/dialect/sql/sqlgraph" "entgo.io/ent/schema/field" - "github.com/dexidp/dex/storage/ent/db/password" - "github.com/dexidp/dex/storage/ent/db/predicate" + "github.com/concourse/dex/storage/ent/db/password" + "github.com/concourse/dex/storage/ent/db/predicate" ) // PasswordDelete is the builder for deleting a Password entity. diff --git a/storage/ent/db/password_query.go b/storage/ent/db/password_query.go index b20422f763..e8ef0d5a1f 100644 --- a/storage/ent/db/password_query.go +++ b/storage/ent/db/password_query.go @@ -11,8 +11,8 @@ import ( "entgo.io/ent/dialect/sql" "entgo.io/ent/dialect/sql/sqlgraph" "entgo.io/ent/schema/field" - "github.com/dexidp/dex/storage/ent/db/password" - "github.com/dexidp/dex/storage/ent/db/predicate" + "github.com/concourse/dex/storage/ent/db/password" + "github.com/concourse/dex/storage/ent/db/predicate" ) // PasswordQuery is the builder for querying Password entities. diff --git a/storage/ent/db/password_update.go b/storage/ent/db/password_update.go index 977ad7b42d..bc459ccdf5 100644 --- a/storage/ent/db/password_update.go +++ b/storage/ent/db/password_update.go @@ -10,8 +10,8 @@ import ( "entgo.io/ent/dialect/sql" "entgo.io/ent/dialect/sql/sqlgraph" "entgo.io/ent/schema/field" - "github.com/dexidp/dex/storage/ent/db/password" - "github.com/dexidp/dex/storage/ent/db/predicate" + "github.com/concourse/dex/storage/ent/db/password" + "github.com/concourse/dex/storage/ent/db/predicate" ) // PasswordUpdate is the builder for updating Password entities. diff --git a/storage/ent/db/refreshtoken.go b/storage/ent/db/refreshtoken.go index f116d6846c..78f692b5ae 100644 --- a/storage/ent/db/refreshtoken.go +++ b/storage/ent/db/refreshtoken.go 
@@ -10,7 +10,7 @@ import ( "entgo.io/ent" "entgo.io/ent/dialect/sql" - "github.com/dexidp/dex/storage/ent/db/refreshtoken" + "github.com/concourse/dex/storage/ent/db/refreshtoken" ) // RefreshToken is the model entity for the RefreshToken schema. diff --git a/storage/ent/db/refreshtoken/where.go b/storage/ent/db/refreshtoken/where.go index 9fece40fcc..639676f221 100644 --- a/storage/ent/db/refreshtoken/where.go +++ b/storage/ent/db/refreshtoken/where.go @@ -6,7 +6,7 @@ import ( "time" "entgo.io/ent/dialect/sql" - "github.com/dexidp/dex/storage/ent/db/predicate" + "github.com/concourse/dex/storage/ent/db/predicate" ) // ID filters vertices based on their ID field. diff --git a/storage/ent/db/refreshtoken_create.go b/storage/ent/db/refreshtoken_create.go index 9eb88abe08..c4765cfaa4 100644 --- a/storage/ent/db/refreshtoken_create.go +++ b/storage/ent/db/refreshtoken_create.go @@ -10,7 +10,7 @@ import ( "entgo.io/ent/dialect/sql/sqlgraph" "entgo.io/ent/schema/field" - "github.com/dexidp/dex/storage/ent/db/refreshtoken" + "github.com/concourse/dex/storage/ent/db/refreshtoken" ) // RefreshTokenCreate is the builder for creating a RefreshToken entity. diff --git a/storage/ent/db/refreshtoken_delete.go b/storage/ent/db/refreshtoken_delete.go index 78c8cbc6de..32f426f7f2 100644 --- a/storage/ent/db/refreshtoken_delete.go +++ b/storage/ent/db/refreshtoken_delete.go @@ -8,8 +8,8 @@ import ( "entgo.io/ent/dialect/sql" "entgo.io/ent/dialect/sql/sqlgraph" "entgo.io/ent/schema/field" - "github.com/dexidp/dex/storage/ent/db/predicate" - "github.com/dexidp/dex/storage/ent/db/refreshtoken" + "github.com/concourse/dex/storage/ent/db/predicate" + "github.com/concourse/dex/storage/ent/db/refreshtoken" ) // RefreshTokenDelete is the builder for deleting a RefreshToken entity. diff --git a/storage/ent/db/refreshtoken_query.go b/storage/ent/db/refreshtoken_query.go index 29713182b7..3048b8c067 100644 --- a/storage/ent/db/refreshtoken_query.go +++ b/storage/ent/db/refreshtoken_query.go 
@@ -11,8 +11,8 @@ import ( "entgo.io/ent/dialect/sql" "entgo.io/ent/dialect/sql/sqlgraph" "entgo.io/ent/schema/field" - "github.com/dexidp/dex/storage/ent/db/predicate" - "github.com/dexidp/dex/storage/ent/db/refreshtoken" + "github.com/concourse/dex/storage/ent/db/predicate" + "github.com/concourse/dex/storage/ent/db/refreshtoken" ) // RefreshTokenQuery is the builder for querying RefreshToken entities. diff --git a/storage/ent/db/refreshtoken_update.go b/storage/ent/db/refreshtoken_update.go index 4019868b60..665c9b7699 100644 --- a/storage/ent/db/refreshtoken_update.go +++ b/storage/ent/db/refreshtoken_update.go @@ -12,8 +12,8 @@ import ( "entgo.io/ent/dialect/sql/sqlgraph" "entgo.io/ent/dialect/sql/sqljson" "entgo.io/ent/schema/field" - "github.com/dexidp/dex/storage/ent/db/predicate" - "github.com/dexidp/dex/storage/ent/db/refreshtoken" + "github.com/concourse/dex/storage/ent/db/predicate" + "github.com/concourse/dex/storage/ent/db/refreshtoken" ) // RefreshTokenUpdate is the builder for updating RefreshToken entities. diff --git a/storage/ent/db/runtime.go b/storage/ent/db/runtime.go index 797c97613b..d3c86c6f27 100644 --- a/storage/ent/db/runtime.go +++ b/storage/ent/db/runtime.go 
@@ -5,17 +5,17 @@ package db import ( "time" - "github.com/dexidp/dex/storage/ent/db/authcode" - "github.com/dexidp/dex/storage/ent/db/authrequest" - "github.com/dexidp/dex/storage/ent/db/connector" - "github.com/dexidp/dex/storage/ent/db/devicerequest" - "github.com/dexidp/dex/storage/ent/db/devicetoken" - "github.com/dexidp/dex/storage/ent/db/keys" - "github.com/dexidp/dex/storage/ent/db/oauth2client" - "github.com/dexidp/dex/storage/ent/db/offlinesession" - "github.com/dexidp/dex/storage/ent/db/password" - "github.com/dexidp/dex/storage/ent/db/refreshtoken" - "github.com/dexidp/dex/storage/ent/schema" + "github.com/concourse/dex/storage/ent/db/authcode" + "github.com/concourse/dex/storage/ent/db/authrequest" + "github.com/concourse/dex/storage/ent/db/connector" + "github.com/concourse/dex/storage/ent/db/devicerequest" + "github.com/concourse/dex/storage/ent/db/devicetoken" + "github.com/concourse/dex/storage/ent/db/keys" + "github.com/concourse/dex/storage/ent/db/oauth2client" + "github.com/concourse/dex/storage/ent/db/offlinesession" + "github.com/concourse/dex/storage/ent/db/password" + "github.com/concourse/dex/storage/ent/db/refreshtoken" + "github.com/concourse/dex/storage/ent/schema" ) // The init function reads all schema descriptors with runtime code diff --git a/storage/ent/mysql.go b/storage/ent/mysql.go index 008f7bad33..5abdb55002 100644 --- a/storage/ent/mysql.go +++ b/storage/ent/mysql.go @@ -16,9 +16,9 @@ import ( entSQL "entgo.io/ent/dialect/sql" "github.com/go-sql-driver/mysql" // Register mysql driver. - "github.com/dexidp/dex/storage" - "github.com/dexidp/dex/storage/ent/client" - "github.com/dexidp/dex/storage/ent/db" + "github.com/concourse/dex/storage" + "github.com/concourse/dex/storage/ent/client" + "github.com/concourse/dex/storage/ent/db" ) const ( diff --git a/storage/ent/mysql_test.go b/storage/ent/mysql_test.go index f3e198aa72..ada6c48c21 100644 --- a/storage/ent/mysql_test.go +++ b/storage/ent/mysql_test.go 
@@ -9,8 +9,8 @@ import ( "github.com/stretchr/testify/require" - "github.com/dexidp/dex/storage" - "github.com/dexidp/dex/storage/conformance" + "github.com/concourse/dex/storage" + "github.com/concourse/dex/storage/conformance" ) const ( diff --git a/storage/ent/postgres.go b/storage/ent/postgres.go index dad81df445..6cfe6a3e7f 100644 --- a/storage/ent/postgres.go +++ b/storage/ent/postgres.go @@ -15,9 +15,9 @@ import ( entSQL "entgo.io/ent/dialect/sql" _ "github.com/lib/pq" // Register postgres driver. - "github.com/dexidp/dex/storage" - "github.com/dexidp/dex/storage/ent/client" - "github.com/dexidp/dex/storage/ent/db" + "github.com/concourse/dex/storage" + "github.com/concourse/dex/storage/ent/client" + "github.com/concourse/dex/storage/ent/db" ) const ( diff --git a/storage/ent/postgres_test.go b/storage/ent/postgres_test.go index baf0172bb0..44f358e153 100644 --- a/storage/ent/postgres_test.go +++ b/storage/ent/postgres_test.go @@ -9,8 +9,8 @@ import ( "github.com/stretchr/testify/require" - "github.com/dexidp/dex/storage" - "github.com/dexidp/dex/storage/conformance" + "github.com/concourse/dex/storage" + "github.com/concourse/dex/storage/conformance" ) const ( diff --git a/storage/ent/schema/keys.go b/storage/ent/schema/keys.go index b8e56817b5..ec9f13f56f 100644 --- a/storage/ent/schema/keys.go +++ b/storage/ent/schema/keys.go @@ -5,7 +5,7 @@ import ( "entgo.io/ent/schema/field" "github.com/go-jose/go-jose/v4" - "github.com/dexidp/dex/storage" + "github.com/concourse/dex/storage" ) /* Original SQL table: diff --git a/storage/ent/sqlite.go b/storage/ent/sqlite.go index 8c5287ef50..7b8be5a92b 100644 --- a/storage/ent/sqlite.go +++ b/storage/ent/sqlite.go 
@@ -9,9 +9,9 @@ import ( "entgo.io/ent/dialect/sql" _ "github.com/mattn/go-sqlite3" // Register sqlite driver. - "github.com/dexidp/dex/storage" - "github.com/dexidp/dex/storage/ent/client" - "github.com/dexidp/dex/storage/ent/db" + "github.com/concourse/dex/storage" + "github.com/concourse/dex/storage/ent/client" + "github.com/concourse/dex/storage/ent/db" ) // SQLite3 options for creating an SQL db. diff --git a/storage/ent/sqlite_test.go b/storage/ent/sqlite_test.go index d88097c225..8dbfce12bc 100644 --- a/storage/ent/sqlite_test.go +++ b/storage/ent/sqlite_test.go @@ -5,8 +5,8 @@ import ( "log/slog" "testing" - "github.com/dexidp/dex/storage" - "github.com/dexidp/dex/storage/conformance" + "github.com/concourse/dex/storage" + "github.com/concourse/dex/storage/conformance" ) func newSQLiteStorage() storage.Storage { diff --git a/storage/etcd/config.go b/storage/etcd/config.go index a8aee39aca..17162b1c44 100644 --- a/storage/etcd/config.go +++ b/storage/etcd/config.go @@ -8,7 +8,7 @@ import ( clientv3 "go.etcd.io/etcd/client/v3" "go.etcd.io/etcd/client/v3/namespace" - "github.com/dexidp/dex/storage" + "github.com/concourse/dex/storage" ) var defaultDialTimeout = 2 * time.Second diff --git a/storage/etcd/etcd.go b/storage/etcd/etcd.go index f65701ff1f..7d9b64233f 100644 --- a/storage/etcd/etcd.go +++ b/storage/etcd/etcd.go @@ -10,7 +10,7 @@ import ( clientv3 "go.etcd.io/etcd/client/v3" - "github.com/dexidp/dex/storage" + "github.com/concourse/dex/storage" ) const ( diff --git a/storage/etcd/etcd_test.go b/storage/etcd/etcd_test.go index 5a568e8c3f..10b4761ff0 100644 --- a/storage/etcd/etcd_test.go +++ b/storage/etcd/etcd_test.go @@ -13,8 +13,8 @@ import ( clientv3 "go.etcd.io/etcd/client/v3" - "github.com/dexidp/dex/storage" - "github.com/dexidp/dex/storage/conformance" + "github.com/concourse/dex/storage" + "github.com/concourse/dex/storage/conformance" ) func withTimeout(t time.Duration, f func()) { 
diff --git a/storage/etcd/types.go b/storage/etcd/types.go index b3756604dd..bb3a911400 100644 --- a/storage/etcd/types.go +++ b/storage/etcd/types.go @@ -5,7 +5,7 @@ import ( "github.com/go-jose/go-jose/v4" - "github.com/dexidp/dex/storage" + "github.com/concourse/dex/storage" ) // AuthCode is a mirrored struct from storage with JSON struct tags diff --git a/storage/kubernetes/client.go b/storage/kubernetes/client.go index 1a1653b345..e8b4dacd55 100644 --- a/storage/kubernetes/client.go +++ b/storage/kubernetes/client.go @@ -28,8 +28,8 @@ import ( "github.com/ghodss/yaml" "golang.org/x/net/http2" - "github.com/dexidp/dex/storage" - "github.com/dexidp/dex/storage/kubernetes/k8sapi" + "github.com/concourse/dex/storage" + "github.com/concourse/dex/storage/kubernetes/k8sapi" ) type client struct { diff --git a/storage/kubernetes/client_test.go b/storage/kubernetes/client_test.go index c8fc8db11b..9b1454554d 100644 --- a/storage/kubernetes/client_test.go +++ b/storage/kubernetes/client_test.go @@ -14,7 +14,7 @@ import ( "github.com/stretchr/testify/require" - "github.com/dexidp/dex/storage/kubernetes/k8sapi" + "github.com/concourse/dex/storage/kubernetes/k8sapi" ) // This test does not have an explicit error condition but is used diff --git a/storage/kubernetes/storage.go b/storage/kubernetes/storage.go index 8b6d5c9c2e..2559fbd110 100644 --- a/storage/kubernetes/storage.go +++ b/storage/kubernetes/storage.go @@ -10,8 +10,8 @@ import ( "strings" "time" - "github.com/dexidp/dex/storage" - "github.com/dexidp/dex/storage/kubernetes/k8sapi" + "github.com/concourse/dex/storage" + "github.com/concourse/dex/storage/kubernetes/k8sapi" ) const ( diff --git a/storage/kubernetes/storage_test.go b/storage/kubernetes/storage_test.go index d8bfd1f689..69c1dffc8a 100644 --- a/storage/kubernetes/storage_test.go +++ b/storage/kubernetes/storage_test.go 
@@ -18,8 +18,8 @@ import ( "github.com/stretchr/testify/require" "github.com/stretchr/testify/suite" - "github.com/dexidp/dex/storage" - "github.com/dexidp/dex/storage/conformance" + "github.com/concourse/dex/storage" + "github.com/concourse/dex/storage/conformance" ) const kubeconfigPathVariableName = "DEX_KUBERNETES_CONFIG_PATH" diff --git a/storage/kubernetes/transport.go b/storage/kubernetes/transport.go index 9c3cd2baac..bf0bf333d1 100644 --- a/storage/kubernetes/transport.go +++ b/storage/kubernetes/transport.go @@ -6,7 +6,7 @@ import ( "sync" "time" - "github.com/dexidp/dex/storage/kubernetes/k8sapi" + "github.com/concourse/dex/storage/kubernetes/k8sapi" ) // transport is a simple http.Transport wrapper diff --git a/storage/kubernetes/types.go b/storage/kubernetes/types.go index c126ddc087..a2f6452d35 100644 --- a/storage/kubernetes/types.go +++ b/storage/kubernetes/types.go @@ -6,8 +6,8 @@ import ( "github.com/go-jose/go-jose/v4" - "github.com/dexidp/dex/storage" - "github.com/dexidp/dex/storage/kubernetes/k8sapi" + "github.com/concourse/dex/storage" + "github.com/concourse/dex/storage/kubernetes/k8sapi" ) const ( diff --git a/storage/memory/memory.go b/storage/memory/memory.go index 4399c61df1..e8354acfeb 100644 --- a/storage/memory/memory.go +++ b/storage/memory/memory.go @@ -8,7 +8,7 @@ import ( "sync" "time" - "github.com/dexidp/dex/storage" + "github.com/concourse/dex/storage" ) var _ storage.Storage = (*memStorage)(nil) diff --git a/storage/memory/memory_test.go b/storage/memory/memory_test.go index 75a17ac62c..a4916e2fc5 100644 --- a/storage/memory/memory_test.go +++ b/storage/memory/memory_test.go @@ -5,8 +5,8 @@ import ( "log/slog" "testing" - "github.com/dexidp/dex/storage" - "github.com/dexidp/dex/storage/conformance" + "github.com/concourse/dex/storage" + "github.com/concourse/dex/storage/conformance" ) func TestStorage(t *testing.T) { diff --git a/storage/memory/static_test.go b/storage/memory/static_test.go index b913874231..62fd608ebf 100644 
--- a/storage/memory/static_test.go +++ b/storage/memory/static_test.go @@ -8,7 +8,7 @@ import ( "strings" "testing" - "github.com/dexidp/dex/storage" + "github.com/concourse/dex/storage" ) func TestStaticClients(t *testing.T) { diff --git a/storage/sql/config.go b/storage/sql/config.go index 5379aeb6b2..7d9099bb73 100644 --- a/storage/sql/config.go +++ b/storage/sql/config.go @@ -16,7 +16,7 @@ import ( "github.com/go-sql-driver/mysql" "github.com/lib/pq" - "github.com/dexidp/dex/storage" + "github.com/concourse/dex/storage" ) const ( diff --git a/storage/sql/config_test.go b/storage/sql/config_test.go index b1037e64e9..f3b72fd39d 100644 --- a/storage/sql/config_test.go +++ b/storage/sql/config_test.go @@ -10,8 +10,8 @@ import ( "testing" "time" - "github.com/dexidp/dex/storage" - "github.com/dexidp/dex/storage/conformance" + "github.com/concourse/dex/storage" + "github.com/concourse/dex/storage/conformance" ) func withTimeout(t time.Duration, f func()) { diff --git a/storage/sql/crud.go b/storage/sql/crud.go index 1249243ced..bffcf37af7 100644 --- a/storage/sql/crud.go +++ b/storage/sql/crud.go @@ -10,7 +10,7 @@ import ( "strings" "time" - "github.com/dexidp/dex/storage" + "github.com/concourse/dex/storage" ) // TODO(ericchiang): The update, insert, and select methods queries are all diff --git a/storage/sql/sqlite.go b/storage/sql/sqlite.go index 2d29e607dc..ffb301cf18 100644 --- a/storage/sql/sqlite.go +++ b/storage/sql/sqlite.go @@ -10,7 +10,7 @@ import ( sqlite3 "github.com/mattn/go-sqlite3" - "github.com/dexidp/dex/storage" + "github.com/concourse/dex/storage" ) // SQLite3 options for creating an SQL db. From 649f05954c29a0d89b919731b247b3c6461c5507 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 16 Jan 2025 18:57:19 +0000 Subject: [PATCH 27/27] build(deps): bump github.com/mattn/go-sqlite3 from 1.14.17 to 1.14.24 Bumps [github.com/mattn/go-sqlite3](https://github.com/mattn/go-sqlite3) from 1.14.17 to 1.14.24. - [Release notes](https://github.com/mattn/go-sqlite3/releases) - [Commits](https://github.com/mattn/go-sqlite3/compare/v1.14.17...v1.14.24) --- updated-dependencies: - dependency-name: github.com/mattn/go-sqlite3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index f89f2caaf6..e183294e4e 100644
--- a/go.mod
+++ b/go.mod
@@ -24,7 +24,7 @@ require (
 github.com/kylelemons/godebug v1.1.0
 github.com/lib/pq v1.10.9
 github.com/mattermost/xml-roundtrip-validator v0.1.0
- github.com/mattn/go-sqlite3 v1.14.22
+ github.com/mattn/go-sqlite3 v1.14.24
 github.com/oklog/run v1.1.0
 github.com/pkg/errors v0.9.1
 github.com/prometheus/client_golang v1.19.1
diff --git a/go.sum b/go.sum
index da52911df8..539709af53 100644
--- a/go.sum
+++ b/go.sum
@@ -171,8 +171,8 @@ github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/mattermost/xml-roundtrip-validator v0.1.0 h1:RXbVD2UAl7A7nOTR4u7E3ILa4IbtvKBHw64LDsmu9hU=
 github.com/mattermost/xml-roundtrip-validator v0.1.0/go.mod h1:qccnGMcpgwcNaBnxqpJpWWUiPNr5H3O8eDgGV9gT5To=
-github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=
-github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
+github.com/mattn/go-sqlite3 v1.14.24 h1:tpSp2G2KyMnnQu99ngJ47EIkWVmliIizyZBfPrBWDRM=
+github.com/mattn/go-sqlite3 v1.14.24/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/mitchellh/copystructure v1.0.0 h1:Laisrj+bAB6b/yJwB5Bt3ITZhGJdqmxquMKeZ+mmkFQ=
 github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw=
 github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7 h1:DpOJ2HYzCv8LZP15IdmG+YdwD2luVPHITV96TkirNBM=