Spelling

.github/SECURITY.md

@@ -11,10 +11,10 @@ to confirm receipt of the issue.
 ## Review Process
 
 Once a maintainer has confirmed the relevance of the report, a draft security
-advisory will be created on Github. The draft advisory will be used to discuss
+advisory will be created on GitHub. The draft advisory will be used to discuss
 the issue with maintainers, the reporter(s).
 If the reporter(s) wishes to participate in this discussion, then provide
-reporter Github username(s) to be invited to the discussion. If the reporter(s)
+reporter GitHub username(s) to be invited to the discussion. If the reporter(s)
 does not wish to participate directly in the discussion, then the reporter(s)
 can request to be updated regularly via email.
 

api/api.proto

@@ -112,7 +112,7 @@ message VersionReq {}
 message VersionResp {
   // Semantic version of the server.
   string server = 1;
-  // Numeric version of the API. It increases everytime a new call is added to the API.
+  // Numeric version of the API. It increases every time a new call is added to the API.
   // Clients should use this info to determine if the server supports specific features.
   int32 api = 2;
 }

api/v2/api.proto

@@ -112,7 +112,7 @@ message VersionReq {}
 message VersionResp {
   // Semantic version of the server.
   string server = 1;
-  // Numeric version of the API. It increases everytime a new call is added to the API.
+  // Numeric version of the API. It increases every time a new call is added to the API.
   // Clients should use this info to determine if the server supports specific features.
   int32 api = 2;
 }

config.yaml.dist

@@ -118,7 +118,7 @@ web:
 #     name: 'Example App'
 #     secret: ZXhhbXBsZS1hcHAtc2VjcmV0
 
-# Connectors are used to authenticate users agains upstream identity providers.
+# Connectors are used to authenticate users against upstream identity providers.
 #
 # See the documentation (https://dexidp.io/docs/connectors/) for further information.
 # connectors: []

connector/gitlab/gitlab.go

@@ -1,4 +1,4 @@
-// Package gitlab provides authentication strategies using Gitlab.
+// Package gitlab provides authentication strategies using GitLab.
 package gitlab
 
 import (

connector/google/google_test.go

@@ -86,7 +86,7 @@ func TestOpen(t *testing.T) {
 		expectedErr string
 
 		// string to set in GOOGLE_APPLICATION_CREDENTIALS. As local development environments can
-		// already contain ADC, test cases will be built uppon this setting this env variable
+		// already contain ADC, test cases will be built upon this setting this env variable
 		adc string
 	}
 

connector/ldap/ldap.go

@@ -619,7 +619,7 @@ func (c *ldapConnector) groups(ctx context.Context, user ldap.Entry) ([]string,
 	for _, group := range groups {
 		name := getAttr(*group, c.GroupSearch.NameAttr)
 		if name == "" {
-			// Be obnoxious about missing missing attributes. If the group entry is
+			// Be obnoxious about missing attributes. If the group entry is
 			// missing its name attribute, that indicates a misconfiguration.
 			//
 			// In the future we can add configuration options to just log these errors.

connector/ldap/ldap_test.go

@@ -523,7 +523,7 @@ func getenv(key, defaultVal string) string {
 
 // runTests runs a set of tests against an LDAP schema.
 //
-// The tests require LDAP to be runnning.
+// The tests require LDAP to be running.
 // You can use the provided docker-compose file to setup an LDAP server.
 func runTests(t *testing.T, connMethod connectionMethod, config *Config, tests []subtest) {
 	ldapHost := os.Getenv("DEX_LDAP_HOST")

connector/oidc/oidc.go

@@ -38,7 +38,7 @@ type Config struct {
 	// Certificates for SSL validation
 	RootCAs []string `json:"rootCAs"`
 
-	// Override the value of email_verifed to true in the returned claims
+	// Override the value of email_verified to true in the returned claims
 	InsecureSkipEmailVerified bool `json:"insecureSkipEmailVerified"`
 
 	// InsecureEnableGroups enables groups claims. This is disabled by default until https://github.com/dexidp/dex/issues/1065 is resolved

docs/enhancements/token-exchange-2023-02-03-#2812.md

@@ -40,18 +40,18 @@ without issuing long lived API tokens.
 
 Examples of downstream issues:
 
-- [argoproj/argo-cd#11632 Argocd SSO login via Azure AD Auth using OIDC not work for cli sso login]
+- [argoproj/argo-cd#11632 ArgoCD SSO login via Azure AD Auth using OIDC not work for cli sso login]
 
 Other related Dex issues:
 
 - [#2450 Non-OIDC JWT Connector] is a functionally similar request, but expanded to arbitrary JWTs
-- [#1225 GitHub Non-Web application flow support] also asks for an exchange, but for an opaque Github PAT
+- [#1225 GitHub Non-Web application flow support] also asks for an exchange, but for an opaque GitHub PAT
 
 More broadly, this fits into recent movements to issue machine identities:
 
 - [GCP Service Identity](https://cloud.google.com/run/docs/securing/service-identity)
 - [AWS Execution Role](https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html)
-- [Github Actions OIDC](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect)
+- [GitHub Actions OIDC](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect)
 - [CircleCI OIDC](https://circleci.com/docs/openid-connect-tokens/)
 - [Kubernetes Service Accounts](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/)
 - [SPIFFE](https://spiffe.io/)
@@ -64,7 +64,7 @@ and granting access to resources based on trusting federated identities:
 [#1484 Token exchange for external tokens]: https://github.com/dexidp/dex/issues/1484
 [#1668 Question: non-web based clients?]: https://github.com/dexidp/dex/issues/1668
 [#2657 Get OIDC token issued by Dex using a token issued by one of the connectors]: https://github.com/dexidp/dex/issues/2657
-[argoproj/argo-cd#11632 Argocd SSO login via Azure AD Auth using OIDC not work for cli sso login]: https://github.com/argoproj/argo-cd/issues/11632
+[argoproj/argo-cd#11632 ArgoCD SSO login via Azure AD Auth using OIDC not work for cli sso login]: https://github.com/argoproj/argo-cd/issues/11632
 [#2450 Non-OIDC JWT Connector]: https://github.com/dexidp/dex/issues/2450
 [#1225 GitHub Non-Web application flow support]: https://github.com/dexidp/dex/issues/1225
 
@@ -166,7 +166,7 @@ Additionally, a new `allowedGrantTypes` would allow for disabling exchanges if t
 - The password connector could be switch to support this new endpoint, submitting passwords as access tokens,
   allowing for multiple password connectors to be configured
 - The `audience` field could be made optional if there is a single connector or the id token is inspected for issuer url
-- The `actor_token` and `actor_token_type` can be checked / validated if a suitable usecase is determined.
+- The `actor_token` and `actor_token_type` can be checked / validated if a suitable use case is determined.
 - A policy language like [cel] or [rego] as mentioned on [#1635 Connector Middleware] 
   would allow for stronger assertions of the provided identity against requested resource access.
 

server/api_test.go

@@ -337,7 +337,7 @@ func TestRefreshToken(t *testing.T) {
 	}
 
 	if resp, _ := client.ListRefresh(ctx, &listReq); len(resp.RefreshTokens) != 0 {
-		t.Fatalf("Refresh token returned inspite of revoking it.")
+		t.Fatalf("Refresh token returned in spite of revoking it.")
 	}
 }
 

server/deviceflowhandlers_test.go

@@ -508,7 +508,7 @@ func TestDeviceTokenResponse(t *testing.T) {
 			expectedResponseCode:   http.StatusBadRequest,
 		},
 		{
-			testName:          "Test Non-existent Device Code",
+			testName:          "Test Nonexistent Device Code",
 			testDeviceRequest: baseDeviceRequest,
 			testDeviceToken: storage.DeviceToken{
 				DeviceCode:          "foo",

server/server.go

@@ -118,7 +118,7 @@ type WebConfig struct {
 	//   * themes/(theme) - Static static served at "( issuer URL )/theme".
 	Dir string
 
-	// Alternative way to programatically configure static web assets.
+	// Alternative way to programmatically configure static web assets.
 	// If Dir is specified, WebFS is ignored.
 	// It's expected to contain the same files and directories as mentioned above.
 	//

server/server_test.go

@@ -879,7 +879,7 @@ func TestOAuth2CodeFlow(t *testing.T) {
 
 			for _, token := range tokens {
 				if /* token was updated */ token.ObsoleteToken != "" && token.ConnectorData != nil {
-					t.Fatalf("token connectorDatawith id %q field is not nil: %s", token.ID, token.ConnectorData)
+					t.Fatalf("token connectorData with id %q field is not nil: %s", token.ID, token.ConnectorData)
 				}
 			}
 		})

storage/conformance/conformance.go

@@ -63,7 +63,7 @@ func mustLoadJWK(b string) *jose.JSONWebKey {
 func mustBeErrNotFound(t *testing.T, kind string, err error) {
 	switch {
 	case err == nil:
-		t.Errorf("deleting non-existent %s should return an error", kind)
+		t.Errorf("deleting nonexistent %s should return an error", kind)
 	case err != storage.ErrNotFound:
 		t.Errorf("deleting %s expected storage.ErrNotFound, got %v", kind, err)
 	}

storage/kubernetes/client.go

@@ -99,7 +99,7 @@ func (cli *client) urlForWithParams(
 	if name != "" && (len(name) > kubeResourceMaxLen || !kubeResourceNameRegex.MatchString(name)) {
 		// The actual name can be found in auth request or auth code objects and equals to the state value
 		return "", fmt.Errorf(
-			"invalid kubernetes resource name: must match the pattern %s and be no longer than %d charactes",
+			"invalid kubernetes resource name: must match the pattern %s and be no longer than %d characters",
 			kubeResourceNameRegex.String(),
 			kubeResourceMaxLen)
 	}

storage/storage.go

@@ -317,7 +317,7 @@ type RefreshTokenRef struct {
 
 // OfflineSessions objects are sessions pertaining to users with refresh tokens.
 type OfflineSessions struct {
-	// UserID of an end user who has logged in to the server.
+	// UserID of an end user who has logged into the server.
 	UserID string
 
 	// The ID of the connector used to login the user.