From ddb23bd2edc17d79f657759b3057d76a61a0915c Mon Sep 17 00:00:00 2001 From: Ryan Richard Date: Thu, 14 Oct 2021 15:49:44 -0700 Subject: [PATCH] Add upstream refresh related config to OIDCIdentityProvider CRD Also update related docs. --- .../types_oidcidentityprovider.go.tmpl | 83 ++++++-- ...or.pinniped.dev_oidcidentityproviders.yaml | 111 +++++++++- generated/1.17/README.adoc | 30 ++- .../v1alpha1/types_oidcidentityprovider.go | 83 ++++++-- .../idp/v1alpha1/zz_generated.deepcopy.go | 21 ++ ...or.pinniped.dev_oidcidentityproviders.yaml | 111 +++++++++- generated/1.18/README.adoc | 30 ++- .../v1alpha1/types_oidcidentityprovider.go | 83 ++++++-- .../idp/v1alpha1/zz_generated.deepcopy.go | 21 ++ ...or.pinniped.dev_oidcidentityproviders.yaml | 111 +++++++++- generated/1.19/README.adoc | 30 ++- .../v1alpha1/types_oidcidentityprovider.go | 83 ++++++-- .../idp/v1alpha1/zz_generated.deepcopy.go | 21 ++ ...or.pinniped.dev_oidcidentityproviders.yaml | 111 +++++++++- generated/1.20/README.adoc | 30 ++- .../v1alpha1/types_oidcidentityprovider.go | 83 ++++++-- .../idp/v1alpha1/zz_generated.deepcopy.go | 21 ++ ...or.pinniped.dev_oidcidentityproviders.yaml | 111 +++++++++- .../v1alpha1/types_oidcidentityprovider.go | 83 ++++++-- .../idp/v1alpha1/zz_generated.deepcopy.go | 21 ++ go.mod | 4 +- .../oidc_upstream_watcher.go | 64 +++++- .../oidc_upstream_watcher_test.go | 196 +++++++++++------- .../howto/configure-supervisor-with-dex.md | 14 +- .../howto/configure-supervisor-with-gitlab.md | 23 +- .../howto/configure-supervisor-with-okta.md | 33 ++- 26 files changed, 1364 insertions(+), 248 deletions(-) diff --git a/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go.tmpl b/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go.tmpl index 5d7277bf..9e0624a0 100644 --- a/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go.tmpl +++ b/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go.tmpl @@ -20,7 +20,7 @@ const ( PhaseError OIDCIdentityProviderPhase = "Error" ) -// Status of an OIDC identity provider. +// OIDCIdentityProviderStatus is the status of an OIDC identity provider. type OIDCIdentityProviderStatus struct { // Phase summarizes the overall status of the OIDCIdentityProvider. // +kubebuilder:default=Pending @@ -38,14 +38,59 @@ type OIDCIdentityProviderStatus struct { // OIDCAuthorizationConfig provides information about how to form the OAuth2 authorization // request parameters. type OIDCAuthorizationConfig struct { - // AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization - // request flow with an OIDC identity provider. - // In the case of a Resource Owner Password Credentials Grant flow, AdditionalScopes are the scopes - // in addition to "openid" that will be requested as part of the token request (see also the allowPasswordGrant field). - // By default, only the "openid" scope will be requested. + // DoNotRequestOfflineAccess determines if the "offline_access" scope will be requested from your OIDC provider in + // the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner + // Password Credentials Grant in order to ask to receive a refresh token in the response. Starting in v0.13.0, the + // Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from these + // authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be "offline_access". + // See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the "offline_access" + // scope. See the documentation of your OIDC provider's authorization and token endpoints for its requirements for what + // to include in the request in order to receive a refresh token in the response, if anything. By default, + // DoNotRequestOfflineAccess is false, which means that "offline_access" will be sent in the authorization request, + // since that is what is suggested by the OIDC specification. Note that it may be safe to send "offline_access" even to + // providers which do not require it, since the provider may ignore scopes that it does not understand or require (see + // https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the + // "offline_access" scope, set DoNotRequestOfflineAccess to true. This is required if your OIDC provider will reject + // the request when it includes "offline_access" (e.g. GitLab's OIDC provider). If you need to send some other scope + // to request a refresh token, include the scope name in the additionalScopes setting. Also note that some OIDC + // providers may require that the "prompt" param be set to a specific value for the authorization request during an + // OIDC Authorization Code Flow in order to receive a refresh token in the response. To adjust the prompt param, see + // the additionalAuthorizeParameters setting. + // +optional + DoNotRequestOfflineAccess bool `json:"doNotRequestOfflineAccess,omitempty"` + + // AdditionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization + // request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials + // Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is + // always required according to the OIDC spec. The "offline_access" scope may also be included according to the value + // of the DoNotRequestOfflineAccess setting. Any other scopes required should be included here in the AdditionalScopes + // list. For example, you might like to include scopes like "profile", "email", or "groups" in order to receive the + // related claims in the returned ID token or userinfo endpoint results if you would like to make use of those + // claims in the OIDCClaims settings to determine the usernames and group memberships of your Kubernetes users. See + // your OIDC provider's documentation for more information about what scopes are available to request claims. // +optional AdditionalScopes []string `json:"additionalScopes,omitempty"` + // AdditionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your + // OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra + // parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id", + // "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be + // included in this setting. This setting does not influence the parameters sent to the token endpoint in the + // Resource Owner Password Credentials Grant. Starting in v0.13.0, the Pinniped Supervisor requires that your OIDC + // provider returns refresh tokens to the Supervisor from the authorization flows. Some OIDC providers may require + // a certain value for the "prompt" parameter in order to properly request refresh tokens. See the documentation of + // your OIDC provider's authorization endpoint for its requirements for what to include in the request in + // order to receive a refresh token in the response, if anything. If your provider requires the prompt parameter to + // request a refresh token, then include it here. Also note that most providers also require a certain scope to be + // requested in order to receive refresh tokens. See the doNotRequestOfflineAccess setting for more information about + // using scopes to request refresh tokens. + // +optional + // +patchMergeKey=name + // +patchStrategy=merge + // +listType=map + // +listMapKey=name + AdditionalAuthorizeParameters []Parameter `json:"extraAuthorizeParameters,omitempty"` + // AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant // (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a // username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. @@ -66,15 +111,29 @@ type OIDCAuthorizationConfig struct { AllowPasswordGrant bool `json:"allowPasswordGrant,omitempty"` } +// Parameter is a key/value pair which represents a parameter in an HTTP request. +type Parameter struct { + // The name of the parameter. Required. + // +kubebuilder:validation:MinLength=1 + Name string `json:"name"` + + // The value of the parameter. + // +optional + Value string `json:"value,omitempty"` +} + // OIDCClaims provides a mapping from upstream claims into identities. type OIDCClaims struct { - // Groups provides the name of the token claim that will be used to ascertain the groups to which - // an identity belongs. + // Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain + // the groups to which an identity belongs. By default, the identities will not include any group memberships when + // this setting is not configured. // +optional Groups string `json:"groups"` - // Username provides the name of the token claim that will be used to ascertain an identity's - // username. + // Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to + // ascertain an identity's username. When not set, the username will be an automatically constructed unique string + // which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from + // the ID token. // +optional Username string `json:"username"` } @@ -89,7 +148,7 @@ type OIDCClient struct { SecretName string `json:"secretName"` } -// Spec for configuring an OIDC identity provider. +// OIDCIdentityProviderSpec is the spec for configuring an OIDC identity provider. type OIDCIdentityProviderSpec struct { // Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch // /.well-known/openid-configuration. @@ -135,7 +194,7 @@ type OIDCIdentityProvider struct { Status OIDCIdentityProviderStatus `json:"status,omitempty"` } -// List of OIDCIdentityProvider objects. +// OIDCIdentityProviderList lists OIDCIdentityProvider objects. // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object type OIDCIdentityProviderList struct { metav1.TypeMeta `json:",inline"` diff --git a/deploy/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml b/deploy/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml index 70d3865d..390f4848 100644 --- a/deploy/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml +++ b/deploy/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml @@ -57,13 +57,22 @@ spec: OIDC identity provider. properties: additionalScopes: - description: AdditionalScopes are the scopes in addition to "openid" - that will be requested as part of the authorization request - flow with an OIDC identity provider. In the case of a Resource - Owner Password Credentials Grant flow, AdditionalScopes are - the scopes in addition to "openid" that will be requested as - part of the token request (see also the allowPasswordGrant field). - By default, only the "openid" scope will be requested. + description: AdditionalScopes are the additional scopes that will + be requested from your OIDC provider in the authorization request + during an OIDC Authorization Code Flow and in the token request + during a Resource Owner Password Credentials Grant. Note that + the "openid" scope will always be requested regardless of the + value in this setting, since it is always required according + to the OIDC spec. The "offline_access" scope may also be included + according to the value of the DoNotRequestOfflineAccess setting. + Any other scopes required should be included here in the AdditionalScopes + list. For example, you might like to include scopes like "profile", + "email", or "groups" in order to receive the related claims + in the returned ID token or userinfo endpoint results if you + would like to make use of those claims in the OIDCClaims settings + to determine the usernames and group memberships of your Kubernetes + users. See your OIDC provider's documentation for more information + about what scopes are available to request claims. items: type: string type: array @@ -97,18 +106,98 @@ spec: during Resource Owner Password Credentials Grant logins. AllowPasswordGrant defaults to false. type: boolean + doNotRequestOfflineAccess: + description: DoNotRequestOfflineAccess determines if the "offline_access" + scope will be requested from your OIDC provider in the authorization + request during an OIDC Authorization Code Flow and in the token + request during a Resource Owner Password Credentials Grant in + order to ask to receive a refresh token in the response. Starting + in v0.13.0, the Pinniped Supervisor requires that your OIDC + provider returns refresh tokens to the Supervisor from these + authorization flows. For most OIDC providers, the scope required + to receive refresh tokens will be "offline_access". See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess + for a description of the "offline_access" scope. See the documentation + of your OIDC provider's authorization and token endpoints for + its requirements for what to include in the request in order + to receive a refresh token in the response, if anything. By + default, DoNotRequestOfflineAccess is false, which means that + "offline_access" will be sent in the authorization request, + since that is what is suggested by the OIDC specification. Note + that it may be safe to send "offline_access" even to providers + which do not require it, since the provider may ignore scopes + that it does not understand or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). + In the unusual case that you must avoid sending the "offline_access" + scope, set DoNotRequestOfflineAccess to true. This is required + if your OIDC provider will reject the request when it includes + "offline_access" (e.g. GitLab's OIDC provider). If you need + to send some other scope to request a refresh token, include + the scope name in the additionalScopes setting. Also note that + some OIDC providers may require that the "prompt" param be set + to a specific value for the authorization request during an + OIDC Authorization Code Flow in order to receive a refresh token + in the response. To adjust the prompt param, see the additionalAuthorizeParameters + setting. + type: boolean + extraAuthorizeParameters: + description: AdditionalAuthorizeParameters are extra query parameters + that should be included in the authorize request to your OIDC + provider in the authorization request during an OIDC Authorization + Code Flow. By default, no extra parameters are sent. The standard + parameters that will be sent are "response_type", "scope", "client_id", + "state", "nonce", "code_challenge", "code_challenge_method", + and "redirect_uri". These parameters cannot be included in this + setting. This setting does not influence the parameters sent + to the token endpoint in the Resource Owner Password Credentials + Grant. Starting in v0.13.0, the Pinniped Supervisor requires + that your OIDC provider returns refresh tokens to the Supervisor + from the authorization flows. Some OIDC providers may require + a certain value for the "prompt" parameter in order to properly + request refresh tokens. See the documentation of your OIDC provider's + authorization endpoint for its requirements for what to include + in the request in order to receive a refresh token in the response, + if anything. If your provider requires the prompt parameter + to request a refresh token, then include it here. Also note + that most providers also require a certain scope to be requested + in order to receive refresh tokens. See the doNotRequestOfflineAccess + setting for more information about using scopes to request refresh + tokens. + items: + description: Parameter is a key/value pair which represents + a parameter in an HTTP request. + properties: + name: + description: The name of the parameter. Required. + minLength: 1 + type: string + value: + description: The value of the parameter. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map type: object claims: description: Claims provides the names of token claims that will be used when inspecting an identity from this OIDC identity provider. properties: groups: - description: Groups provides the name of the token claim that - will be used to ascertain the groups to which an identity belongs. + description: Groups provides the name of the ID token claim or + userinfo endpoint response claim that will be used to ascertain + the groups to which an identity belongs. By default, the identities + will not include any group memberships when this setting is + not configured. type: string username: - description: Username provides the name of the token claim that - will be used to ascertain an identity's username. + description: Username provides the name of the ID token claim + or userinfo endpoint response claim that will be used to ascertain + an identity's username. When not set, the username will be an + automatically constructed unique string which will include the + issuer URL of your OIDC provider along with the value of the + "sub" (subject) claim from the ID token. type: string type: object client: diff --git a/generated/1.17/README.adoc b/generated/1.17/README.adoc index 479b7026..e3c28fbf 100644 --- a/generated/1.17/README.adoc +++ b/generated/1.17/README.adoc @@ -1099,7 +1099,9 @@ OIDCAuthorizationConfig provides information about how to form the OAuth2 author [cols="25a,75a", options="header"] |=== | Field | Description -| *`additionalScopes`* __string array__ | AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization request flow with an OIDC identity provider. In the case of a Resource Owner Password Credentials Grant flow, AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the token request (see also the allowPasswordGrant field). By default, only the "openid" scope will be requested. +| *`doNotRequestOfflineAccess`* __boolean__ | DoNotRequestOfflineAccess determines if the "offline_access" scope will be requested from your OIDC provider in the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials Grant in order to ask to receive a refresh token in the response. Starting in v0.13.0, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from these authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be "offline_access". See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the "offline_access" scope. See the documentation of your OIDC provider's authorization and token endpoints for its requirements for what to include in the request in order to receive a refresh token in the response, if anything. By default, DoNotRequestOfflineAccess is false, which means that "offline_access" will be sent in the authorization request, since that is what is suggested by the OIDC specification. Note that it may be safe to send "offline_access" even to providers which do not require it, since the provider may ignore scopes that it does not understand or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the "offline_access" scope, set DoNotRequestOfflineAccess to true. This is required if your OIDC provider will reject the request when it includes "offline_access" (e.g. GitLab's OIDC provider). If you need to send some other scope to request a refresh token, include the scope name in the additionalScopes setting. Also note that some OIDC providers may require that the "prompt" param be set to a specific value for the authorization request during an OIDC Authorization Code Flow in order to receive a refresh token in the response. To adjust the prompt param, see the additionalAuthorizeParameters setting. +| *`additionalScopes`* __string array__ | AdditionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is always required according to the OIDC spec. The "offline_access" scope may also be included according to the value of the DoNotRequestOfflineAccess setting. Any other scopes required should be included here in the AdditionalScopes list. For example, you might like to include scopes like "profile", "email", or "groups" in order to receive the related claims in the returned ID token or userinfo endpoint results if you would like to make use of those claims in the OIDCClaims settings to determine the usernames and group memberships of your Kubernetes users. See your OIDC provider's documentation for more information about what scopes are available to request claims. +| *`extraAuthorizeParameters`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-parameter[$$Parameter$$] array__ | AdditionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id", "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be included in this setting. This setting does not influence the parameters sent to the token endpoint in the Resource Owner Password Credentials Grant. Starting in v0.13.0, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from the authorization flows. Some OIDC providers may require a certain value for the "prompt" parameter in order to properly request refresh tokens. See the documentation of your OIDC provider's authorization endpoint for its requirements for what to include in the request in order to receive a refresh token in the response, if anything. If your provider requires the prompt parameter to request a refresh token, then include it here. Also note that most providers also require a certain scope to be requested in order to receive refresh tokens. See the doNotRequestOfflineAccess setting for more information about using scopes to request refresh tokens. | *`allowPasswordGrant`* __boolean__ | AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be convenient for users, especially for identities from your OIDC provider which are not intended to represent a human actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it, you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins. AllowPasswordGrant defaults to false. |=== @@ -1117,8 +1119,8 @@ OIDCClaims provides a mapping from upstream claims into identities. [cols="25a,75a", options="header"] |=== | Field | Description -| *`groups`* __string__ | Groups provides the name of the token claim that will be used to ascertain the groups to which an identity belongs. -| *`username`* __string__ | Username provides the name of the token claim that will be used to ascertain an identity's username. +| *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured. +| *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token. |=== @@ -1164,7 +1166,7 @@ OIDCIdentityProvider describes the configuration of an upstream OpenID Connect i [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec"] ==== OIDCIdentityProviderSpec -Spec for configuring an OIDC identity provider. +OIDCIdentityProviderSpec is the spec for configuring an OIDC identity provider. .Appears In: **** @@ -1185,7 +1187,7 @@ Spec for configuring an OIDC identity provider. [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-oidcidentityproviderstatus"] ==== OIDCIdentityProviderStatus -Status of an OIDC identity provider. +OIDCIdentityProviderStatus is the status of an OIDC identity provider. .Appears In: **** @@ -1200,6 +1202,24 @@ Status of an OIDC identity provider. |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-parameter"] +==== Parameter + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-oidcauthorizationconfig[$$OIDCAuthorizationConfig$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`name`* __string__ | The name of the parameter. Required. +| *`value`* __string__ | The value of the parameter. +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-tlsspec"] ==== TLSSpec diff --git a/generated/1.17/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go b/generated/1.17/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go index 5d7277bf..9e0624a0 100644 --- a/generated/1.17/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go +++ b/generated/1.17/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go @@ -20,7 +20,7 @@ const ( PhaseError OIDCIdentityProviderPhase = "Error" ) -// Status of an OIDC identity provider. +// OIDCIdentityProviderStatus is the status of an OIDC identity provider. type OIDCIdentityProviderStatus struct { // Phase summarizes the overall status of the OIDCIdentityProvider. // +kubebuilder:default=Pending @@ -38,14 +38,59 @@ type OIDCIdentityProviderStatus struct { // OIDCAuthorizationConfig provides information about how to form the OAuth2 authorization // request parameters. type OIDCAuthorizationConfig struct { - // AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization - // request flow with an OIDC identity provider. - // In the case of a Resource Owner Password Credentials Grant flow, AdditionalScopes are the scopes - // in addition to "openid" that will be requested as part of the token request (see also the allowPasswordGrant field). - // By default, only the "openid" scope will be requested. + // DoNotRequestOfflineAccess determines if the "offline_access" scope will be requested from your OIDC provider in + // the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner + // Password Credentials Grant in order to ask to receive a refresh token in the response. Starting in v0.13.0, the + // Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from these + // authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be "offline_access". + // See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the "offline_access" + // scope. See the documentation of your OIDC provider's authorization and token endpoints for its requirements for what + // to include in the request in order to receive a refresh token in the response, if anything. By default, + // DoNotRequestOfflineAccess is false, which means that "offline_access" will be sent in the authorization request, + // since that is what is suggested by the OIDC specification. Note that it may be safe to send "offline_access" even to + // providers which do not require it, since the provider may ignore scopes that it does not understand or require (see + // https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the + // "offline_access" scope, set DoNotRequestOfflineAccess to true. This is required if your OIDC provider will reject + // the request when it includes "offline_access" (e.g. GitLab's OIDC provider). If you need to send some other scope + // to request a refresh token, include the scope name in the additionalScopes setting. Also note that some OIDC + // providers may require that the "prompt" param be set to a specific value for the authorization request during an + // OIDC Authorization Code Flow in order to receive a refresh token in the response. To adjust the prompt param, see + // the additionalAuthorizeParameters setting. + // +optional + DoNotRequestOfflineAccess bool `json:"doNotRequestOfflineAccess,omitempty"` + + // AdditionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization + // request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials + // Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is + // always required according to the OIDC spec. The "offline_access" scope may also be included according to the value + // of the DoNotRequestOfflineAccess setting. Any other scopes required should be included here in the AdditionalScopes + // list. For example, you might like to include scopes like "profile", "email", or "groups" in order to receive the + // related claims in the returned ID token or userinfo endpoint results if you would like to make use of those + // claims in the OIDCClaims settings to determine the usernames and group memberships of your Kubernetes users. See + // your OIDC provider's documentation for more information about what scopes are available to request claims. // +optional AdditionalScopes []string `json:"additionalScopes,omitempty"` + // AdditionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your + // OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra + // parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id", + // "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be + // included in this setting. This setting does not influence the parameters sent to the token endpoint in the + // Resource Owner Password Credentials Grant. Starting in v0.13.0, the Pinniped Supervisor requires that your OIDC + // provider returns refresh tokens to the Supervisor from the authorization flows. Some OIDC providers may require + // a certain value for the "prompt" parameter in order to properly request refresh tokens. See the documentation of + // your OIDC provider's authorization endpoint for its requirements for what to include in the request in + // order to receive a refresh token in the response, if anything. If your provider requires the prompt parameter to + // request a refresh token, then include it here. Also note that most providers also require a certain scope to be + // requested in order to receive refresh tokens. See the doNotRequestOfflineAccess setting for more information about + // using scopes to request refresh tokens. + // +optional + // +patchMergeKey=name + // +patchStrategy=merge + // +listType=map + // +listMapKey=name + AdditionalAuthorizeParameters []Parameter `json:"extraAuthorizeParameters,omitempty"` + // AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant // (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a // username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. @@ -66,15 +111,29 @@ type OIDCAuthorizationConfig struct { AllowPasswordGrant bool `json:"allowPasswordGrant,omitempty"` } +// Parameter is a key/value pair which represents a parameter in an HTTP request. +type Parameter struct { + // The name of the parameter. Required. + // +kubebuilder:validation:MinLength=1 + Name string `json:"name"` + + // The value of the parameter. + // +optional + Value string `json:"value,omitempty"` +} + // OIDCClaims provides a mapping from upstream claims into identities. type OIDCClaims struct { - // Groups provides the name of the token claim that will be used to ascertain the groups to which - // an identity belongs. + // Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain + // the groups to which an identity belongs. By default, the identities will not include any group memberships when + // this setting is not configured. // +optional Groups string `json:"groups"` - // Username provides the name of the token claim that will be used to ascertain an identity's - // username. + // Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to + // ascertain an identity's username. When not set, the username will be an automatically constructed unique string + // which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from + // the ID token. // +optional Username string `json:"username"` } @@ -89,7 +148,7 @@ type OIDCClient struct { SecretName string `json:"secretName"` } -// Spec for configuring an OIDC identity provider. +// OIDCIdentityProviderSpec is the spec for configuring an OIDC identity provider. type OIDCIdentityProviderSpec struct { // Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch // /.well-known/openid-configuration. @@ -135,7 +194,7 @@ type OIDCIdentityProvider struct { Status OIDCIdentityProviderStatus `json:"status,omitempty"` } -// List of OIDCIdentityProvider objects. +// OIDCIdentityProviderList lists OIDCIdentityProvider objects. // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object type OIDCIdentityProviderList struct { metav1.TypeMeta `json:",inline"` diff --git a/generated/1.17/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.17/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go index 9895a76e..12e67583 100644 --- a/generated/1.17/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.17/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go @@ -416,6 +416,11 @@ func (in *OIDCAuthorizationConfig) DeepCopyInto(out *OIDCAuthorizationConfig) { *out = make([]string, len(*in)) copy(*out, *in) } + if in.AdditionalAuthorizeParameters != nil { + in, out := &in.AdditionalAuthorizeParameters, &out.AdditionalAuthorizeParameters + *out = make([]Parameter, len(*in)) + copy(*out, *in) + } return } @@ -569,6 +574,22 @@ func (in *OIDCIdentityProviderStatus) DeepCopy() *OIDCIdentityProviderStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Parameter) DeepCopyInto(out *Parameter) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Parameter. +func (in *Parameter) DeepCopy() *Parameter { + if in == nil { + return nil + } + out := new(Parameter) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TLSSpec) DeepCopyInto(out *TLSSpec) { *out = *in diff --git a/generated/1.17/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml b/generated/1.17/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml index 70d3865d..390f4848 100644 --- a/generated/1.17/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml +++ b/generated/1.17/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml @@ -57,13 +57,22 @@ spec: OIDC identity provider. properties: additionalScopes: - description: AdditionalScopes are the scopes in addition to "openid" - that will be requested as part of the authorization request - flow with an OIDC identity provider. In the case of a Resource - Owner Password Credentials Grant flow, AdditionalScopes are - the scopes in addition to "openid" that will be requested as - part of the token request (see also the allowPasswordGrant field). - By default, only the "openid" scope will be requested. + description: AdditionalScopes are the additional scopes that will + be requested from your OIDC provider in the authorization request + during an OIDC Authorization Code Flow and in the token request + during a Resource Owner Password Credentials Grant. Note that + the "openid" scope will always be requested regardless of the + value in this setting, since it is always required according + to the OIDC spec. The "offline_access" scope may also be included + according to the value of the DoNotRequestOfflineAccess setting. + Any other scopes required should be included here in the AdditionalScopes + list. For example, you might like to include scopes like "profile", + "email", or "groups" in order to receive the related claims + in the returned ID token or userinfo endpoint results if you + would like to make use of those claims in the OIDCClaims settings + to determine the usernames and group memberships of your Kubernetes + users. See your OIDC provider's documentation for more information + about what scopes are available to request claims. items: type: string type: array @@ -97,18 +106,98 @@ spec: during Resource Owner Password Credentials Grant logins. AllowPasswordGrant defaults to false. type: boolean + doNotRequestOfflineAccess: + description: DoNotRequestOfflineAccess determines if the "offline_access" + scope will be requested from your OIDC provider in the authorization + request during an OIDC Authorization Code Flow and in the token + request during a Resource Owner Password Credentials Grant in + order to ask to receive a refresh token in the response. Starting + in v0.13.0, the Pinniped Supervisor requires that your OIDC + provider returns refresh tokens to the Supervisor from these + authorization flows. For most OIDC providers, the scope required + to receive refresh tokens will be "offline_access". See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess + for a description of the "offline_access" scope. See the documentation + of your OIDC provider's authorization and token endpoints for + its requirements for what to include in the request in order + to receive a refresh token in the response, if anything. By + default, DoNotRequestOfflineAccess is false, which means that + "offline_access" will be sent in the authorization request, + since that is what is suggested by the OIDC specification. Note + that it may be safe to send "offline_access" even to providers + which do not require it, since the provider may ignore scopes + that it does not understand or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). + In the unusual case that you must avoid sending the "offline_access" + scope, set DoNotRequestOfflineAccess to true. This is required + if your OIDC provider will reject the request when it includes + "offline_access" (e.g. GitLab's OIDC provider). If you need + to send some other scope to request a refresh token, include + the scope name in the additionalScopes setting. Also note that + some OIDC providers may require that the "prompt" param be set + to a specific value for the authorization request during an + OIDC Authorization Code Flow in order to receive a refresh token + in the response. To adjust the prompt param, see the additionalAuthorizeParameters + setting. + type: boolean + extraAuthorizeParameters: + description: AdditionalAuthorizeParameters are extra query parameters + that should be included in the authorize request to your OIDC + provider in the authorization request during an OIDC Authorization + Code Flow. By default, no extra parameters are sent. The standard + parameters that will be sent are "response_type", "scope", "client_id", + "state", "nonce", "code_challenge", "code_challenge_method", + and "redirect_uri". These parameters cannot be included in this + setting. This setting does not influence the parameters sent + to the token endpoint in the Resource Owner Password Credentials + Grant. Starting in v0.13.0, the Pinniped Supervisor requires + that your OIDC provider returns refresh tokens to the Supervisor + from the authorization flows. Some OIDC providers may require + a certain value for the "prompt" parameter in order to properly + request refresh tokens. See the documentation of your OIDC provider's + authorization endpoint for its requirements for what to include + in the request in order to receive a refresh token in the response, + if anything. If your provider requires the prompt parameter + to request a refresh token, then include it here. Also note + that most providers also require a certain scope to be requested + in order to receive refresh tokens. See the doNotRequestOfflineAccess + setting for more information about using scopes to request refresh + tokens. + items: + description: Parameter is a key/value pair which represents + a parameter in an HTTP request. + properties: + name: + description: The name of the parameter. Required. + minLength: 1 + type: string + value: + description: The value of the parameter. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map type: object claims: description: Claims provides the names of token claims that will be used when inspecting an identity from this OIDC identity provider. properties: groups: - description: Groups provides the name of the token claim that - will be used to ascertain the groups to which an identity belongs. + description: Groups provides the name of the ID token claim or + userinfo endpoint response claim that will be used to ascertain + the groups to which an identity belongs. By default, the identities + will not include any group memberships when this setting is + not configured. type: string username: - description: Username provides the name of the token claim that - will be used to ascertain an identity's username. + description: Username provides the name of the ID token claim + or userinfo endpoint response claim that will be used to ascertain + an identity's username. When not set, the username will be an + automatically constructed unique string which will include the + issuer URL of your OIDC provider along with the value of the + "sub" (subject) claim from the ID token. type: string type: object client: diff --git a/generated/1.18/README.adoc b/generated/1.18/README.adoc index 1e0f5b16..c08b2d5e 100644 --- a/generated/1.18/README.adoc +++ b/generated/1.18/README.adoc @@ -1099,7 +1099,9 @@ OIDCAuthorizationConfig provides information about how to form the OAuth2 author [cols="25a,75a", options="header"] |=== | Field | Description -| *`additionalScopes`* __string array__ | AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization request flow with an OIDC identity provider. In the case of a Resource Owner Password Credentials Grant flow, AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the token request (see also the allowPasswordGrant field). By default, only the "openid" scope will be requested. +| *`doNotRequestOfflineAccess`* __boolean__ | DoNotRequestOfflineAccess determines if the "offline_access" scope will be requested from your OIDC provider in the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials Grant in order to ask to receive a refresh token in the response. Starting in v0.13.0, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from these authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be "offline_access". See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the "offline_access" scope. See the documentation of your OIDC provider's authorization and token endpoints for its requirements for what to include in the request in order to receive a refresh token in the response, if anything. By default, DoNotRequestOfflineAccess is false, which means that "offline_access" will be sent in the authorization request, since that is what is suggested by the OIDC specification. Note that it may be safe to send "offline_access" even to providers which do not require it, since the provider may ignore scopes that it does not understand or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the "offline_access" scope, set DoNotRequestOfflineAccess to true. This is required if your OIDC provider will reject the request when it includes "offline_access" (e.g. GitLab's OIDC provider). If you need to send some other scope to request a refresh token, include the scope name in the additionalScopes setting. Also note that some OIDC providers may require that the "prompt" param be set to a specific value for the authorization request during an OIDC Authorization Code Flow in order to receive a refresh token in the response. To adjust the prompt param, see the additionalAuthorizeParameters setting. +| *`additionalScopes`* __string array__ | AdditionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is always required according to the OIDC spec. The "offline_access" scope may also be included according to the value of the DoNotRequestOfflineAccess setting. Any other scopes required should be included here in the AdditionalScopes list. For example, you might like to include scopes like "profile", "email", or "groups" in order to receive the related claims in the returned ID token or userinfo endpoint results if you would like to make use of those claims in the OIDCClaims settings to determine the usernames and group memberships of your Kubernetes users. See your OIDC provider's documentation for more information about what scopes are available to request claims. +| *`extraAuthorizeParameters`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-parameter[$$Parameter$$] array__ | AdditionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id", "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be included in this setting. This setting does not influence the parameters sent to the token endpoint in the Resource Owner Password Credentials Grant. Starting in v0.13.0, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from the authorization flows. Some OIDC providers may require a certain value for the "prompt" parameter in order to properly request refresh tokens. See the documentation of your OIDC provider's authorization endpoint for its requirements for what to include in the request in order to receive a refresh token in the response, if anything. If your provider requires the prompt parameter to request a refresh token, then include it here. Also note that most providers also require a certain scope to be requested in order to receive refresh tokens. See the doNotRequestOfflineAccess setting for more information about using scopes to request refresh tokens. | *`allowPasswordGrant`* __boolean__ | AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be convenient for users, especially for identities from your OIDC provider which are not intended to represent a human actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it, you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins. AllowPasswordGrant defaults to false. |=== @@ -1117,8 +1119,8 @@ OIDCClaims provides a mapping from upstream claims into identities. [cols="25a,75a", options="header"] |=== | Field | Description -| *`groups`* __string__ | Groups provides the name of the token claim that will be used to ascertain the groups to which an identity belongs. -| *`username`* __string__ | Username provides the name of the token claim that will be used to ascertain an identity's username. +| *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured. +| *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token. |=== @@ -1164,7 +1166,7 @@ OIDCIdentityProvider describes the configuration of an upstream OpenID Connect i [id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec"] ==== OIDCIdentityProviderSpec -Spec for configuring an OIDC identity provider. +OIDCIdentityProviderSpec is the spec for configuring an OIDC identity provider. .Appears In: **** @@ -1185,7 +1187,7 @@ Spec for configuring an OIDC identity provider. [id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-oidcidentityproviderstatus"] ==== OIDCIdentityProviderStatus -Status of an OIDC identity provider. +OIDCIdentityProviderStatus is the status of an OIDC identity provider. .Appears In: **** @@ -1200,6 +1202,24 @@ Status of an OIDC identity provider. |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-parameter"] +==== Parameter + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-oidcauthorizationconfig[$$OIDCAuthorizationConfig$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`name`* __string__ | The name of the parameter. Required. +| *`value`* __string__ | The value of the parameter. +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-tlsspec"] ==== TLSSpec diff --git a/generated/1.18/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go b/generated/1.18/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go index 5d7277bf..9e0624a0 100644 --- a/generated/1.18/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go +++ b/generated/1.18/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go @@ -20,7 +20,7 @@ const ( PhaseError OIDCIdentityProviderPhase = "Error" ) -// Status of an OIDC identity provider. +// OIDCIdentityProviderStatus is the status of an OIDC identity provider. type OIDCIdentityProviderStatus struct { // Phase summarizes the overall status of the OIDCIdentityProvider. // +kubebuilder:default=Pending @@ -38,14 +38,59 @@ type OIDCIdentityProviderStatus struct { // OIDCAuthorizationConfig provides information about how to form the OAuth2 authorization // request parameters. type OIDCAuthorizationConfig struct { - // AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization - // request flow with an OIDC identity provider. - // In the case of a Resource Owner Password Credentials Grant flow, AdditionalScopes are the scopes - // in addition to "openid" that will be requested as part of the token request (see also the allowPasswordGrant field). - // By default, only the "openid" scope will be requested. + // DoNotRequestOfflineAccess determines if the "offline_access" scope will be requested from your OIDC provider in + // the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner + // Password Credentials Grant in order to ask to receive a refresh token in the response. Starting in v0.13.0, the + // Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from these + // authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be "offline_access". + // See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the "offline_access" + // scope. See the documentation of your OIDC provider's authorization and token endpoints for its requirements for what + // to include in the request in order to receive a refresh token in the response, if anything. By default, + // DoNotRequestOfflineAccess is false, which means that "offline_access" will be sent in the authorization request, + // since that is what is suggested by the OIDC specification. Note that it may be safe to send "offline_access" even to + // providers which do not require it, since the provider may ignore scopes that it does not understand or require (see + // https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the + // "offline_access" scope, set DoNotRequestOfflineAccess to true. This is required if your OIDC provider will reject + // the request when it includes "offline_access" (e.g. GitLab's OIDC provider). If you need to send some other scope + // to request a refresh token, include the scope name in the additionalScopes setting. Also note that some OIDC + // providers may require that the "prompt" param be set to a specific value for the authorization request during an + // OIDC Authorization Code Flow in order to receive a refresh token in the response. To adjust the prompt param, see + // the additionalAuthorizeParameters setting. + // +optional + DoNotRequestOfflineAccess bool `json:"doNotRequestOfflineAccess,omitempty"` + + // AdditionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization + // request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials + // Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is + // always required according to the OIDC spec. The "offline_access" scope may also be included according to the value + // of the DoNotRequestOfflineAccess setting. Any other scopes required should be included here in the AdditionalScopes + // list. For example, you might like to include scopes like "profile", "email", or "groups" in order to receive the + // related claims in the returned ID token or userinfo endpoint results if you would like to make use of those + // claims in the OIDCClaims settings to determine the usernames and group memberships of your Kubernetes users. See + // your OIDC provider's documentation for more information about what scopes are available to request claims. // +optional AdditionalScopes []string `json:"additionalScopes,omitempty"` + // AdditionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your + // OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra + // parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id", + // "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be + // included in this setting. This setting does not influence the parameters sent to the token endpoint in the + // Resource Owner Password Credentials Grant. Starting in v0.13.0, the Pinniped Supervisor requires that your OIDC + // provider returns refresh tokens to the Supervisor from the authorization flows. Some OIDC providers may require + // a certain value for the "prompt" parameter in order to properly request refresh tokens. See the documentation of + // your OIDC provider's authorization endpoint for its requirements for what to include in the request in + // order to receive a refresh token in the response, if anything. If your provider requires the prompt parameter to + // request a refresh token, then include it here. Also note that most providers also require a certain scope to be + // requested in order to receive refresh tokens. See the doNotRequestOfflineAccess setting for more information about + // using scopes to request refresh tokens. + // +optional + // +patchMergeKey=name + // +patchStrategy=merge + // +listType=map + // +listMapKey=name + AdditionalAuthorizeParameters []Parameter `json:"extraAuthorizeParameters,omitempty"` + // AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant // (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a // username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. @@ -66,15 +111,29 @@ type OIDCAuthorizationConfig struct { AllowPasswordGrant bool `json:"allowPasswordGrant,omitempty"` } +// Parameter is a key/value pair which represents a parameter in an HTTP request. +type Parameter struct { + // The name of the parameter. Required. + // +kubebuilder:validation:MinLength=1 + Name string `json:"name"` + + // The value of the parameter. + // +optional + Value string `json:"value,omitempty"` +} + // OIDCClaims provides a mapping from upstream claims into identities. type OIDCClaims struct { - // Groups provides the name of the token claim that will be used to ascertain the groups to which - // an identity belongs. + // Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain + // the groups to which an identity belongs. By default, the identities will not include any group memberships when + // this setting is not configured. // +optional Groups string `json:"groups"` - // Username provides the name of the token claim that will be used to ascertain an identity's - // username. + // Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to + // ascertain an identity's username. When not set, the username will be an automatically constructed unique string + // which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from + // the ID token. // +optional Username string `json:"username"` } @@ -89,7 +148,7 @@ type OIDCClient struct { SecretName string `json:"secretName"` } -// Spec for configuring an OIDC identity provider. +// OIDCIdentityProviderSpec is the spec for configuring an OIDC identity provider. type OIDCIdentityProviderSpec struct { // Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch // /.well-known/openid-configuration. @@ -135,7 +194,7 @@ type OIDCIdentityProvider struct { Status OIDCIdentityProviderStatus `json:"status,omitempty"` } -// List of OIDCIdentityProvider objects. +// OIDCIdentityProviderList lists OIDCIdentityProvider objects. // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object type OIDCIdentityProviderList struct { metav1.TypeMeta `json:",inline"` diff --git a/generated/1.18/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.18/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go index 9895a76e..12e67583 100644 --- a/generated/1.18/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.18/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go @@ -416,6 +416,11 @@ func (in *OIDCAuthorizationConfig) DeepCopyInto(out *OIDCAuthorizationConfig) { *out = make([]string, len(*in)) copy(*out, *in) } + if in.AdditionalAuthorizeParameters != nil { + in, out := &in.AdditionalAuthorizeParameters, &out.AdditionalAuthorizeParameters + *out = make([]Parameter, len(*in)) + copy(*out, *in) + } return } @@ -569,6 +574,22 @@ func (in *OIDCIdentityProviderStatus) DeepCopy() *OIDCIdentityProviderStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Parameter) DeepCopyInto(out *Parameter) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Parameter. +func (in *Parameter) DeepCopy() *Parameter { + if in == nil { + return nil + } + out := new(Parameter) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TLSSpec) DeepCopyInto(out *TLSSpec) { *out = *in diff --git a/generated/1.18/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml b/generated/1.18/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml index 70d3865d..390f4848 100644 --- a/generated/1.18/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml +++ b/generated/1.18/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml @@ -57,13 +57,22 @@ spec: OIDC identity provider. properties: additionalScopes: - description: AdditionalScopes are the scopes in addition to "openid" - that will be requested as part of the authorization request - flow with an OIDC identity provider. In the case of a Resource - Owner Password Credentials Grant flow, AdditionalScopes are - the scopes in addition to "openid" that will be requested as - part of the token request (see also the allowPasswordGrant field). - By default, only the "openid" scope will be requested. + description: AdditionalScopes are the additional scopes that will + be requested from your OIDC provider in the authorization request + during an OIDC Authorization Code Flow and in the token request + during a Resource Owner Password Credentials Grant. Note that + the "openid" scope will always be requested regardless of the + value in this setting, since it is always required according + to the OIDC spec. The "offline_access" scope may also be included + according to the value of the DoNotRequestOfflineAccess setting. + Any other scopes required should be included here in the AdditionalScopes + list. For example, you might like to include scopes like "profile", + "email", or "groups" in order to receive the related claims + in the returned ID token or userinfo endpoint results if you + would like to make use of those claims in the OIDCClaims settings + to determine the usernames and group memberships of your Kubernetes + users. See your OIDC provider's documentation for more information + about what scopes are available to request claims. items: type: string type: array @@ -97,18 +106,98 @@ spec: during Resource Owner Password Credentials Grant logins. AllowPasswordGrant defaults to false. type: boolean + doNotRequestOfflineAccess: + description: DoNotRequestOfflineAccess determines if the "offline_access" + scope will be requested from your OIDC provider in the authorization + request during an OIDC Authorization Code Flow and in the token + request during a Resource Owner Password Credentials Grant in + order to ask to receive a refresh token in the response. Starting + in v0.13.0, the Pinniped Supervisor requires that your OIDC + provider returns refresh tokens to the Supervisor from these + authorization flows. For most OIDC providers, the scope required + to receive refresh tokens will be "offline_access". See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess + for a description of the "offline_access" scope. See the documentation + of your OIDC provider's authorization and token endpoints for + its requirements for what to include in the request in order + to receive a refresh token in the response, if anything. By + default, DoNotRequestOfflineAccess is false, which means that + "offline_access" will be sent in the authorization request, + since that is what is suggested by the OIDC specification. Note + that it may be safe to send "offline_access" even to providers + which do not require it, since the provider may ignore scopes + that it does not understand or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). + In the unusual case that you must avoid sending the "offline_access" + scope, set DoNotRequestOfflineAccess to true. This is required + if your OIDC provider will reject the request when it includes + "offline_access" (e.g. GitLab's OIDC provider). If you need + to send some other scope to request a refresh token, include + the scope name in the additionalScopes setting. Also note that + some OIDC providers may require that the "prompt" param be set + to a specific value for the authorization request during an + OIDC Authorization Code Flow in order to receive a refresh token + in the response. To adjust the prompt param, see the additionalAuthorizeParameters + setting. + type: boolean + extraAuthorizeParameters: + description: AdditionalAuthorizeParameters are extra query parameters + that should be included in the authorize request to your OIDC + provider in the authorization request during an OIDC Authorization + Code Flow. By default, no extra parameters are sent. The standard + parameters that will be sent are "response_type", "scope", "client_id", + "state", "nonce", "code_challenge", "code_challenge_method", + and "redirect_uri". These parameters cannot be included in this + setting. This setting does not influence the parameters sent + to the token endpoint in the Resource Owner Password Credentials + Grant. Starting in v0.13.0, the Pinniped Supervisor requires + that your OIDC provider returns refresh tokens to the Supervisor + from the authorization flows. Some OIDC providers may require + a certain value for the "prompt" parameter in order to properly + request refresh tokens. See the documentation of your OIDC provider's + authorization endpoint for its requirements for what to include + in the request in order to receive a refresh token in the response, + if anything. If your provider requires the prompt parameter + to request a refresh token, then include it here. Also note + that most providers also require a certain scope to be requested + in order to receive refresh tokens. See the doNotRequestOfflineAccess + setting for more information about using scopes to request refresh + tokens. + items: + description: Parameter is a key/value pair which represents + a parameter in an HTTP request. + properties: + name: + description: The name of the parameter. Required. + minLength: 1 + type: string + value: + description: The value of the parameter. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map type: object claims: description: Claims provides the names of token claims that will be used when inspecting an identity from this OIDC identity provider. properties: groups: - description: Groups provides the name of the token claim that - will be used to ascertain the groups to which an identity belongs. + description: Groups provides the name of the ID token claim or + userinfo endpoint response claim that will be used to ascertain + the groups to which an identity belongs. By default, the identities + will not include any group memberships when this setting is + not configured. type: string username: - description: Username provides the name of the token claim that - will be used to ascertain an identity's username. + description: Username provides the name of the ID token claim + or userinfo endpoint response claim that will be used to ascertain + an identity's username. When not set, the username will be an + automatically constructed unique string which will include the + issuer URL of your OIDC provider along with the value of the + "sub" (subject) claim from the ID token. type: string type: object client: diff --git a/generated/1.19/README.adoc b/generated/1.19/README.adoc index f1bae9ef..f3d0aa51 100644 --- a/generated/1.19/README.adoc +++ b/generated/1.19/README.adoc @@ -1099,7 +1099,9 @@ OIDCAuthorizationConfig provides information about how to form the OAuth2 author [cols="25a,75a", options="header"] |=== | Field | Description -| *`additionalScopes`* __string array__ | AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization request flow with an OIDC identity provider. In the case of a Resource Owner Password Credentials Grant flow, AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the token request (see also the allowPasswordGrant field). By default, only the "openid" scope will be requested. +| *`doNotRequestOfflineAccess`* __boolean__ | DoNotRequestOfflineAccess determines if the "offline_access" scope will be requested from your OIDC provider in the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials Grant in order to ask to receive a refresh token in the response. Starting in v0.13.0, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from these authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be "offline_access". See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the "offline_access" scope. See the documentation of your OIDC provider's authorization and token endpoints for its requirements for what to include in the request in order to receive a refresh token in the response, if anything. By default, DoNotRequestOfflineAccess is false, which means that "offline_access" will be sent in the authorization request, since that is what is suggested by the OIDC specification. Note that it may be safe to send "offline_access" even to providers which do not require it, since the provider may ignore scopes that it does not understand or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the "offline_access" scope, set DoNotRequestOfflineAccess to true. This is required if your OIDC provider will reject the request when it includes "offline_access" (e.g. GitLab's OIDC provider). If you need to send some other scope to request a refresh token, include the scope name in the additionalScopes setting. Also note that some OIDC providers may require that the "prompt" param be set to a specific value for the authorization request during an OIDC Authorization Code Flow in order to receive a refresh token in the response. To adjust the prompt param, see the additionalAuthorizeParameters setting. +| *`additionalScopes`* __string array__ | AdditionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is always required according to the OIDC spec. The "offline_access" scope may also be included according to the value of the DoNotRequestOfflineAccess setting. Any other scopes required should be included here in the AdditionalScopes list. For example, you might like to include scopes like "profile", "email", or "groups" in order to receive the related claims in the returned ID token or userinfo endpoint results if you would like to make use of those claims in the OIDCClaims settings to determine the usernames and group memberships of your Kubernetes users. See your OIDC provider's documentation for more information about what scopes are available to request claims. +| *`extraAuthorizeParameters`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-parameter[$$Parameter$$] array__ | AdditionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id", "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be included in this setting. This setting does not influence the parameters sent to the token endpoint in the Resource Owner Password Credentials Grant. Starting in v0.13.0, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from the authorization flows. Some OIDC providers may require a certain value for the "prompt" parameter in order to properly request refresh tokens. See the documentation of your OIDC provider's authorization endpoint for its requirements for what to include in the request in order to receive a refresh token in the response, if anything. If your provider requires the prompt parameter to request a refresh token, then include it here. Also note that most providers also require a certain scope to be requested in order to receive refresh tokens. See the doNotRequestOfflineAccess setting for more information about using scopes to request refresh tokens. | *`allowPasswordGrant`* __boolean__ | AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be convenient for users, especially for identities from your OIDC provider which are not intended to represent a human actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it, you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins. AllowPasswordGrant defaults to false. |=== @@ -1117,8 +1119,8 @@ OIDCClaims provides a mapping from upstream claims into identities. [cols="25a,75a", options="header"] |=== | Field | Description -| *`groups`* __string__ | Groups provides the name of the token claim that will be used to ascertain the groups to which an identity belongs. -| *`username`* __string__ | Username provides the name of the token claim that will be used to ascertain an identity's username. +| *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured. +| *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token. |=== @@ -1164,7 +1166,7 @@ OIDCIdentityProvider describes the configuration of an upstream OpenID Connect i [id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec"] ==== OIDCIdentityProviderSpec -Spec for configuring an OIDC identity provider. +OIDCIdentityProviderSpec is the spec for configuring an OIDC identity provider. .Appears In: **** @@ -1185,7 +1187,7 @@ Spec for configuring an OIDC identity provider. [id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-oidcidentityproviderstatus"] ==== OIDCIdentityProviderStatus -Status of an OIDC identity provider. +OIDCIdentityProviderStatus is the status of an OIDC identity provider. .Appears In: **** @@ -1200,6 +1202,24 @@ Status of an OIDC identity provider. |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-parameter"] +==== Parameter + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-oidcauthorizationconfig[$$OIDCAuthorizationConfig$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`name`* __string__ | The name of the parameter. Required. +| *`value`* __string__ | The value of the parameter. +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-tlsspec"] ==== TLSSpec diff --git a/generated/1.19/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go b/generated/1.19/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go index 5d7277bf..9e0624a0 100644 --- a/generated/1.19/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go +++ b/generated/1.19/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go @@ -20,7 +20,7 @@ const ( PhaseError OIDCIdentityProviderPhase = "Error" ) -// Status of an OIDC identity provider. +// OIDCIdentityProviderStatus is the status of an OIDC identity provider. type OIDCIdentityProviderStatus struct { // Phase summarizes the overall status of the OIDCIdentityProvider. // +kubebuilder:default=Pending @@ -38,14 +38,59 @@ type OIDCIdentityProviderStatus struct { // OIDCAuthorizationConfig provides information about how to form the OAuth2 authorization // request parameters. type OIDCAuthorizationConfig struct { - // AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization - // request flow with an OIDC identity provider. - // In the case of a Resource Owner Password Credentials Grant flow, AdditionalScopes are the scopes - // in addition to "openid" that will be requested as part of the token request (see also the allowPasswordGrant field). - // By default, only the "openid" scope will be requested. + // DoNotRequestOfflineAccess determines if the "offline_access" scope will be requested from your OIDC provider in + // the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner + // Password Credentials Grant in order to ask to receive a refresh token in the response. Starting in v0.13.0, the + // Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from these + // authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be "offline_access". + // See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the "offline_access" + // scope. See the documentation of your OIDC provider's authorization and token endpoints for its requirements for what + // to include in the request in order to receive a refresh token in the response, if anything. By default, + // DoNotRequestOfflineAccess is false, which means that "offline_access" will be sent in the authorization request, + // since that is what is suggested by the OIDC specification. Note that it may be safe to send "offline_access" even to + // providers which do not require it, since the provider may ignore scopes that it does not understand or require (see + // https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the + // "offline_access" scope, set DoNotRequestOfflineAccess to true. This is required if your OIDC provider will reject + // the request when it includes "offline_access" (e.g. GitLab's OIDC provider). If you need to send some other scope + // to request a refresh token, include the scope name in the additionalScopes setting. Also note that some OIDC + // providers may require that the "prompt" param be set to a specific value for the authorization request during an + // OIDC Authorization Code Flow in order to receive a refresh token in the response. To adjust the prompt param, see + // the additionalAuthorizeParameters setting. + // +optional + DoNotRequestOfflineAccess bool `json:"doNotRequestOfflineAccess,omitempty"` + + // AdditionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization + // request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials + // Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is + // always required according to the OIDC spec. The "offline_access" scope may also be included according to the value + // of the DoNotRequestOfflineAccess setting. Any other scopes required should be included here in the AdditionalScopes + // list. For example, you might like to include scopes like "profile", "email", or "groups" in order to receive the + // related claims in the returned ID token or userinfo endpoint results if you would like to make use of those + // claims in the OIDCClaims settings to determine the usernames and group memberships of your Kubernetes users. See + // your OIDC provider's documentation for more information about what scopes are available to request claims. // +optional AdditionalScopes []string `json:"additionalScopes,omitempty"` + // AdditionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your + // OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra + // parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id", + // "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be + // included in this setting. This setting does not influence the parameters sent to the token endpoint in the + // Resource Owner Password Credentials Grant. Starting in v0.13.0, the Pinniped Supervisor requires that your OIDC + // provider returns refresh tokens to the Supervisor from the authorization flows. Some OIDC providers may require + // a certain value for the "prompt" parameter in order to properly request refresh tokens. See the documentation of + // your OIDC provider's authorization endpoint for its requirements for what to include in the request in + // order to receive a refresh token in the response, if anything. If your provider requires the prompt parameter to + // request a refresh token, then include it here. Also note that most providers also require a certain scope to be + // requested in order to receive refresh tokens. See the doNotRequestOfflineAccess setting for more information about + // using scopes to request refresh tokens. + // +optional + // +patchMergeKey=name + // +patchStrategy=merge + // +listType=map + // +listMapKey=name + AdditionalAuthorizeParameters []Parameter `json:"extraAuthorizeParameters,omitempty"` + // AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant // (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a // username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. @@ -66,15 +111,29 @@ type OIDCAuthorizationConfig struct { AllowPasswordGrant bool `json:"allowPasswordGrant,omitempty"` } +// Parameter is a key/value pair which represents a parameter in an HTTP request. +type Parameter struct { + // The name of the parameter. Required. + // +kubebuilder:validation:MinLength=1 + Name string `json:"name"` + + // The value of the parameter. + // +optional + Value string `json:"value,omitempty"` +} + // OIDCClaims provides a mapping from upstream claims into identities. type OIDCClaims struct { - // Groups provides the name of the token claim that will be used to ascertain the groups to which - // an identity belongs. + // Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain + // the groups to which an identity belongs. By default, the identities will not include any group memberships when + // this setting is not configured. // +optional Groups string `json:"groups"` - // Username provides the name of the token claim that will be used to ascertain an identity's - // username. + // Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to + // ascertain an identity's username. When not set, the username will be an automatically constructed unique string + // which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from + // the ID token. // +optional Username string `json:"username"` } @@ -89,7 +148,7 @@ type OIDCClient struct { SecretName string `json:"secretName"` } -// Spec for configuring an OIDC identity provider. +// OIDCIdentityProviderSpec is the spec for configuring an OIDC identity provider. type OIDCIdentityProviderSpec struct { // Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch // /.well-known/openid-configuration. @@ -135,7 +194,7 @@ type OIDCIdentityProvider struct { Status OIDCIdentityProviderStatus `json:"status,omitempty"` } -// List of OIDCIdentityProvider objects. +// OIDCIdentityProviderList lists OIDCIdentityProvider objects. // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object type OIDCIdentityProviderList struct { metav1.TypeMeta `json:",inline"` diff --git a/generated/1.19/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.19/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go index 9895a76e..12e67583 100644 --- a/generated/1.19/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.19/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go @@ -416,6 +416,11 @@ func (in *OIDCAuthorizationConfig) DeepCopyInto(out *OIDCAuthorizationConfig) { *out = make([]string, len(*in)) copy(*out, *in) } + if in.AdditionalAuthorizeParameters != nil { + in, out := &in.AdditionalAuthorizeParameters, &out.AdditionalAuthorizeParameters + *out = make([]Parameter, len(*in)) + copy(*out, *in) + } return } @@ -569,6 +574,22 @@ func (in *OIDCIdentityProviderStatus) DeepCopy() *OIDCIdentityProviderStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Parameter) DeepCopyInto(out *Parameter) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Parameter. +func (in *Parameter) DeepCopy() *Parameter { + if in == nil { + return nil + } + out := new(Parameter) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TLSSpec) DeepCopyInto(out *TLSSpec) { *out = *in diff --git a/generated/1.19/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml b/generated/1.19/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml index 70d3865d..390f4848 100644 --- a/generated/1.19/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml +++ b/generated/1.19/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml @@ -57,13 +57,22 @@ spec: OIDC identity provider. properties: additionalScopes: - description: AdditionalScopes are the scopes in addition to "openid" - that will be requested as part of the authorization request - flow with an OIDC identity provider. In the case of a Resource - Owner Password Credentials Grant flow, AdditionalScopes are - the scopes in addition to "openid" that will be requested as - part of the token request (see also the allowPasswordGrant field). - By default, only the "openid" scope will be requested. + description: AdditionalScopes are the additional scopes that will + be requested from your OIDC provider in the authorization request + during an OIDC Authorization Code Flow and in the token request + during a Resource Owner Password Credentials Grant. Note that + the "openid" scope will always be requested regardless of the + value in this setting, since it is always required according + to the OIDC spec. The "offline_access" scope may also be included + according to the value of the DoNotRequestOfflineAccess setting. + Any other scopes required should be included here in the AdditionalScopes + list. For example, you might like to include scopes like "profile", + "email", or "groups" in order to receive the related claims + in the returned ID token or userinfo endpoint results if you + would like to make use of those claims in the OIDCClaims settings + to determine the usernames and group memberships of your Kubernetes + users. See your OIDC provider's documentation for more information + about what scopes are available to request claims. items: type: string type: array @@ -97,18 +106,98 @@ spec: during Resource Owner Password Credentials Grant logins. AllowPasswordGrant defaults to false. type: boolean + doNotRequestOfflineAccess: + description: DoNotRequestOfflineAccess determines if the "offline_access" + scope will be requested from your OIDC provider in the authorization + request during an OIDC Authorization Code Flow and in the token + request during a Resource Owner Password Credentials Grant in + order to ask to receive a refresh token in the response. Starting + in v0.13.0, the Pinniped Supervisor requires that your OIDC + provider returns refresh tokens to the Supervisor from these + authorization flows. For most OIDC providers, the scope required + to receive refresh tokens will be "offline_access". See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess + for a description of the "offline_access" scope. See the documentation + of your OIDC provider's authorization and token endpoints for + its requirements for what to include in the request in order + to receive a refresh token in the response, if anything. By + default, DoNotRequestOfflineAccess is false, which means that + "offline_access" will be sent in the authorization request, + since that is what is suggested by the OIDC specification. Note + that it may be safe to send "offline_access" even to providers + which do not require it, since the provider may ignore scopes + that it does not understand or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). + In the unusual case that you must avoid sending the "offline_access" + scope, set DoNotRequestOfflineAccess to true. This is required + if your OIDC provider will reject the request when it includes + "offline_access" (e.g. GitLab's OIDC provider). If you need + to send some other scope to request a refresh token, include + the scope name in the additionalScopes setting. Also note that + some OIDC providers may require that the "prompt" param be set + to a specific value for the authorization request during an + OIDC Authorization Code Flow in order to receive a refresh token + in the response. To adjust the prompt param, see the additionalAuthorizeParameters + setting. + type: boolean + extraAuthorizeParameters: + description: AdditionalAuthorizeParameters are extra query parameters + that should be included in the authorize request to your OIDC + provider in the authorization request during an OIDC Authorization + Code Flow. By default, no extra parameters are sent. The standard + parameters that will be sent are "response_type", "scope", "client_id", + "state", "nonce", "code_challenge", "code_challenge_method", + and "redirect_uri". These parameters cannot be included in this + setting. This setting does not influence the parameters sent + to the token endpoint in the Resource Owner Password Credentials + Grant. Starting in v0.13.0, the Pinniped Supervisor requires + that your OIDC provider returns refresh tokens to the Supervisor + from the authorization flows. Some OIDC providers may require + a certain value for the "prompt" parameter in order to properly + request refresh tokens. See the documentation of your OIDC provider's + authorization endpoint for its requirements for what to include + in the request in order to receive a refresh token in the response, + if anything. If your provider requires the prompt parameter + to request a refresh token, then include it here. Also note + that most providers also require a certain scope to be requested + in order to receive refresh tokens. See the doNotRequestOfflineAccess + setting for more information about using scopes to request refresh + tokens. + items: + description: Parameter is a key/value pair which represents + a parameter in an HTTP request. + properties: + name: + description: The name of the parameter. Required. + minLength: 1 + type: string + value: + description: The value of the parameter. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map type: object claims: description: Claims provides the names of token claims that will be used when inspecting an identity from this OIDC identity provider. properties: groups: - description: Groups provides the name of the token claim that - will be used to ascertain the groups to which an identity belongs. + description: Groups provides the name of the ID token claim or + userinfo endpoint response claim that will be used to ascertain + the groups to which an identity belongs. By default, the identities + will not include any group memberships when this setting is + not configured. type: string username: - description: Username provides the name of the token claim that - will be used to ascertain an identity's username. + description: Username provides the name of the ID token claim + or userinfo endpoint response claim that will be used to ascertain + an identity's username. When not set, the username will be an + automatically constructed unique string which will include the + issuer URL of your OIDC provider along with the value of the + "sub" (subject) claim from the ID token. type: string type: object client: diff --git a/generated/1.20/README.adoc b/generated/1.20/README.adoc index efcde7ab..b78ae013 100644 --- a/generated/1.20/README.adoc +++ b/generated/1.20/README.adoc @@ -1099,7 +1099,9 @@ OIDCAuthorizationConfig provides information about how to form the OAuth2 author [cols="25a,75a", options="header"] |=== | Field | Description -| *`additionalScopes`* __string array__ | AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization request flow with an OIDC identity provider. In the case of a Resource Owner Password Credentials Grant flow, AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the token request (see also the allowPasswordGrant field). By default, only the "openid" scope will be requested. +| *`doNotRequestOfflineAccess`* __boolean__ | DoNotRequestOfflineAccess determines if the "offline_access" scope will be requested from your OIDC provider in the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials Grant in order to ask to receive a refresh token in the response. Starting in v0.13.0, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from these authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be "offline_access". See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the "offline_access" scope. See the documentation of your OIDC provider's authorization and token endpoints for its requirements for what to include in the request in order to receive a refresh token in the response, if anything. By default, DoNotRequestOfflineAccess is false, which means that "offline_access" will be sent in the authorization request, since that is what is suggested by the OIDC specification. Note that it may be safe to send "offline_access" even to providers which do not require it, since the provider may ignore scopes that it does not understand or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the "offline_access" scope, set DoNotRequestOfflineAccess to true. This is required if your OIDC provider will reject the request when it includes "offline_access" (e.g. GitLab's OIDC provider). If you need to send some other scope to request a refresh token, include the scope name in the additionalScopes setting. Also note that some OIDC providers may require that the "prompt" param be set to a specific value for the authorization request during an OIDC Authorization Code Flow in order to receive a refresh token in the response. To adjust the prompt param, see the additionalAuthorizeParameters setting. +| *`additionalScopes`* __string array__ | AdditionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is always required according to the OIDC spec. The "offline_access" scope may also be included according to the value of the DoNotRequestOfflineAccess setting. Any other scopes required should be included here in the AdditionalScopes list. For example, you might like to include scopes like "profile", "email", or "groups" in order to receive the related claims in the returned ID token or userinfo endpoint results if you would like to make use of those claims in the OIDCClaims settings to determine the usernames and group memberships of your Kubernetes users. See your OIDC provider's documentation for more information about what scopes are available to request claims. +| *`extraAuthorizeParameters`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-parameter[$$Parameter$$] array__ | AdditionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id", "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be included in this setting. This setting does not influence the parameters sent to the token endpoint in the Resource Owner Password Credentials Grant. Starting in v0.13.0, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from the authorization flows. Some OIDC providers may require a certain value for the "prompt" parameter in order to properly request refresh tokens. See the documentation of your OIDC provider's authorization endpoint for its requirements for what to include in the request in order to receive a refresh token in the response, if anything. If your provider requires the prompt parameter to request a refresh token, then include it here. Also note that most providers also require a certain scope to be requested in order to receive refresh tokens. See the doNotRequestOfflineAccess setting for more information about using scopes to request refresh tokens. | *`allowPasswordGrant`* __boolean__ | AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be convenient for users, especially for identities from your OIDC provider which are not intended to represent a human actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it, you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins. AllowPasswordGrant defaults to false. |=== @@ -1117,8 +1119,8 @@ OIDCClaims provides a mapping from upstream claims into identities. [cols="25a,75a", options="header"] |=== | Field | Description -| *`groups`* __string__ | Groups provides the name of the token claim that will be used to ascertain the groups to which an identity belongs. -| *`username`* __string__ | Username provides the name of the token claim that will be used to ascertain an identity's username. +| *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured. +| *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token. |=== @@ -1164,7 +1166,7 @@ OIDCIdentityProvider describes the configuration of an upstream OpenID Connect i [id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec"] ==== OIDCIdentityProviderSpec -Spec for configuring an OIDC identity provider. +OIDCIdentityProviderSpec is the spec for configuring an OIDC identity provider. .Appears In: **** @@ -1185,7 +1187,7 @@ Spec for configuring an OIDC identity provider. [id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-oidcidentityproviderstatus"] ==== OIDCIdentityProviderStatus -Status of an OIDC identity provider. +OIDCIdentityProviderStatus is the status of an OIDC identity provider. .Appears In: **** @@ -1200,6 +1202,24 @@ Status of an OIDC identity provider. |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-parameter"] +==== Parameter + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-oidcauthorizationconfig[$$OIDCAuthorizationConfig$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`name`* __string__ | The name of the parameter. Required. +| *`value`* __string__ | The value of the parameter. +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-tlsspec"] ==== TLSSpec diff --git a/generated/1.20/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go b/generated/1.20/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go index 5d7277bf..9e0624a0 100644 --- a/generated/1.20/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go +++ b/generated/1.20/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go @@ -20,7 +20,7 @@ const ( PhaseError OIDCIdentityProviderPhase = "Error" ) -// Status of an OIDC identity provider. +// OIDCIdentityProviderStatus is the status of an OIDC identity provider. type OIDCIdentityProviderStatus struct { // Phase summarizes the overall status of the OIDCIdentityProvider. // +kubebuilder:default=Pending @@ -38,14 +38,59 @@ type OIDCIdentityProviderStatus struct { // OIDCAuthorizationConfig provides information about how to form the OAuth2 authorization // request parameters. type OIDCAuthorizationConfig struct { - // AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization - // request flow with an OIDC identity provider. - // In the case of a Resource Owner Password Credentials Grant flow, AdditionalScopes are the scopes - // in addition to "openid" that will be requested as part of the token request (see also the allowPasswordGrant field). - // By default, only the "openid" scope will be requested. + // DoNotRequestOfflineAccess determines if the "offline_access" scope will be requested from your OIDC provider in + // the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner + // Password Credentials Grant in order to ask to receive a refresh token in the response. Starting in v0.13.0, the + // Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from these + // authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be "offline_access". + // See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the "offline_access" + // scope. See the documentation of your OIDC provider's authorization and token endpoints for its requirements for what + // to include in the request in order to receive a refresh token in the response, if anything. By default, + // DoNotRequestOfflineAccess is false, which means that "offline_access" will be sent in the authorization request, + // since that is what is suggested by the OIDC specification. Note that it may be safe to send "offline_access" even to + // providers which do not require it, since the provider may ignore scopes that it does not understand or require (see + // https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the + // "offline_access" scope, set DoNotRequestOfflineAccess to true. This is required if your OIDC provider will reject + // the request when it includes "offline_access" (e.g. GitLab's OIDC provider). If you need to send some other scope + // to request a refresh token, include the scope name in the additionalScopes setting. Also note that some OIDC + // providers may require that the "prompt" param be set to a specific value for the authorization request during an + // OIDC Authorization Code Flow in order to receive a refresh token in the response. To adjust the prompt param, see + // the additionalAuthorizeParameters setting. + // +optional + DoNotRequestOfflineAccess bool `json:"doNotRequestOfflineAccess,omitempty"` + + // AdditionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization + // request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials + // Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is + // always required according to the OIDC spec. The "offline_access" scope may also be included according to the value + // of the DoNotRequestOfflineAccess setting. Any other scopes required should be included here in the AdditionalScopes + // list. For example, you might like to include scopes like "profile", "email", or "groups" in order to receive the + // related claims in the returned ID token or userinfo endpoint results if you would like to make use of those + // claims in the OIDCClaims settings to determine the usernames and group memberships of your Kubernetes users. See + // your OIDC provider's documentation for more information about what scopes are available to request claims. // +optional AdditionalScopes []string `json:"additionalScopes,omitempty"` + // AdditionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your + // OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra + // parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id", + // "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be + // included in this setting. This setting does not influence the parameters sent to the token endpoint in the + // Resource Owner Password Credentials Grant. Starting in v0.13.0, the Pinniped Supervisor requires that your OIDC + // provider returns refresh tokens to the Supervisor from the authorization flows. Some OIDC providers may require + // a certain value for the "prompt" parameter in order to properly request refresh tokens. See the documentation of + // your OIDC provider's authorization endpoint for its requirements for what to include in the request in + // order to receive a refresh token in the response, if anything. If your provider requires the prompt parameter to + // request a refresh token, then include it here. Also note that most providers also require a certain scope to be + // requested in order to receive refresh tokens. See the doNotRequestOfflineAccess setting for more information about + // using scopes to request refresh tokens. + // +optional + // +patchMergeKey=name + // +patchStrategy=merge + // +listType=map + // +listMapKey=name + AdditionalAuthorizeParameters []Parameter `json:"extraAuthorizeParameters,omitempty"` + // AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant // (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a // username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. @@ -66,15 +111,29 @@ type OIDCAuthorizationConfig struct { AllowPasswordGrant bool `json:"allowPasswordGrant,omitempty"` } +// Parameter is a key/value pair which represents a parameter in an HTTP request. +type Parameter struct { + // The name of the parameter. Required. + // +kubebuilder:validation:MinLength=1 + Name string `json:"name"` + + // The value of the parameter. + // +optional + Value string `json:"value,omitempty"` +} + // OIDCClaims provides a mapping from upstream claims into identities. type OIDCClaims struct { - // Groups provides the name of the token claim that will be used to ascertain the groups to which - // an identity belongs. + // Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain + // the groups to which an identity belongs. By default, the identities will not include any group memberships when + // this setting is not configured. // +optional Groups string `json:"groups"` - // Username provides the name of the token claim that will be used to ascertain an identity's - // username. + // Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to + // ascertain an identity's username. When not set, the username will be an automatically constructed unique string + // which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from + // the ID token. // +optional Username string `json:"username"` } @@ -89,7 +148,7 @@ type OIDCClient struct { SecretName string `json:"secretName"` } -// Spec for configuring an OIDC identity provider. +// OIDCIdentityProviderSpec is the spec for configuring an OIDC identity provider. type OIDCIdentityProviderSpec struct { // Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch // /.well-known/openid-configuration. @@ -135,7 +194,7 @@ type OIDCIdentityProvider struct { Status OIDCIdentityProviderStatus `json:"status,omitempty"` } -// List of OIDCIdentityProvider objects. +// OIDCIdentityProviderList lists OIDCIdentityProvider objects. // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object type OIDCIdentityProviderList struct { metav1.TypeMeta `json:",inline"` diff --git a/generated/1.20/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.20/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go index 9895a76e..12e67583 100644 --- a/generated/1.20/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.20/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go @@ -416,6 +416,11 @@ func (in *OIDCAuthorizationConfig) DeepCopyInto(out *OIDCAuthorizationConfig) { *out = make([]string, len(*in)) copy(*out, *in) } + if in.AdditionalAuthorizeParameters != nil { + in, out := &in.AdditionalAuthorizeParameters, &out.AdditionalAuthorizeParameters + *out = make([]Parameter, len(*in)) + copy(*out, *in) + } return } @@ -569,6 +574,22 @@ func (in *OIDCIdentityProviderStatus) DeepCopy() *OIDCIdentityProviderStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Parameter) DeepCopyInto(out *Parameter) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Parameter. +func (in *Parameter) DeepCopy() *Parameter { + if in == nil { + return nil + } + out := new(Parameter) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TLSSpec) DeepCopyInto(out *TLSSpec) { *out = *in diff --git a/generated/1.20/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml b/generated/1.20/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml index 70d3865d..390f4848 100644 --- a/generated/1.20/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml +++ b/generated/1.20/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml @@ -57,13 +57,22 @@ spec: OIDC identity provider. properties: additionalScopes: - description: AdditionalScopes are the scopes in addition to "openid" - that will be requested as part of the authorization request - flow with an OIDC identity provider. In the case of a Resource - Owner Password Credentials Grant flow, AdditionalScopes are - the scopes in addition to "openid" that will be requested as - part of the token request (see also the allowPasswordGrant field). - By default, only the "openid" scope will be requested. + description: AdditionalScopes are the additional scopes that will + be requested from your OIDC provider in the authorization request + during an OIDC Authorization Code Flow and in the token request + during a Resource Owner Password Credentials Grant. Note that + the "openid" scope will always be requested regardless of the + value in this setting, since it is always required according + to the OIDC spec. The "offline_access" scope may also be included + according to the value of the DoNotRequestOfflineAccess setting. + Any other scopes required should be included here in the AdditionalScopes + list. For example, you might like to include scopes like "profile", + "email", or "groups" in order to receive the related claims + in the returned ID token or userinfo endpoint results if you + would like to make use of those claims in the OIDCClaims settings + to determine the usernames and group memberships of your Kubernetes + users. See your OIDC provider's documentation for more information + about what scopes are available to request claims. items: type: string type: array @@ -97,18 +106,98 @@ spec: during Resource Owner Password Credentials Grant logins. AllowPasswordGrant defaults to false. type: boolean + doNotRequestOfflineAccess: + description: DoNotRequestOfflineAccess determines if the "offline_access" + scope will be requested from your OIDC provider in the authorization + request during an OIDC Authorization Code Flow and in the token + request during a Resource Owner Password Credentials Grant in + order to ask to receive a refresh token in the response. Starting + in v0.13.0, the Pinniped Supervisor requires that your OIDC + provider returns refresh tokens to the Supervisor from these + authorization flows. For most OIDC providers, the scope required + to receive refresh tokens will be "offline_access". See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess + for a description of the "offline_access" scope. See the documentation + of your OIDC provider's authorization and token endpoints for + its requirements for what to include in the request in order + to receive a refresh token in the response, if anything. By + default, DoNotRequestOfflineAccess is false, which means that + "offline_access" will be sent in the authorization request, + since that is what is suggested by the OIDC specification. Note + that it may be safe to send "offline_access" even to providers + which do not require it, since the provider may ignore scopes + that it does not understand or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). + In the unusual case that you must avoid sending the "offline_access" + scope, set DoNotRequestOfflineAccess to true. This is required + if your OIDC provider will reject the request when it includes + "offline_access" (e.g. GitLab's OIDC provider). If you need + to send some other scope to request a refresh token, include + the scope name in the additionalScopes setting. Also note that + some OIDC providers may require that the "prompt" param be set + to a specific value for the authorization request during an + OIDC Authorization Code Flow in order to receive a refresh token + in the response. To adjust the prompt param, see the additionalAuthorizeParameters + setting. + type: boolean + extraAuthorizeParameters: + description: AdditionalAuthorizeParameters are extra query parameters + that should be included in the authorize request to your OIDC + provider in the authorization request during an OIDC Authorization + Code Flow. By default, no extra parameters are sent. The standard + parameters that will be sent are "response_type", "scope", "client_id", + "state", "nonce", "code_challenge", "code_challenge_method", + and "redirect_uri". These parameters cannot be included in this + setting. This setting does not influence the parameters sent + to the token endpoint in the Resource Owner Password Credentials + Grant. Starting in v0.13.0, the Pinniped Supervisor requires + that your OIDC provider returns refresh tokens to the Supervisor + from the authorization flows. Some OIDC providers may require + a certain value for the "prompt" parameter in order to properly + request refresh tokens. See the documentation of your OIDC provider's + authorization endpoint for its requirements for what to include + in the request in order to receive a refresh token in the response, + if anything. If your provider requires the prompt parameter + to request a refresh token, then include it here. Also note + that most providers also require a certain scope to be requested + in order to receive refresh tokens. See the doNotRequestOfflineAccess + setting for more information about using scopes to request refresh + tokens. + items: + description: Parameter is a key/value pair which represents + a parameter in an HTTP request. + properties: + name: + description: The name of the parameter. Required. + minLength: 1 + type: string + value: + description: The value of the parameter. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map type: object claims: description: Claims provides the names of token claims that will be used when inspecting an identity from this OIDC identity provider. properties: groups: - description: Groups provides the name of the token claim that - will be used to ascertain the groups to which an identity belongs. + description: Groups provides the name of the ID token claim or + userinfo endpoint response claim that will be used to ascertain + the groups to which an identity belongs. By default, the identities + will not include any group memberships when this setting is + not configured. type: string username: - description: Username provides the name of the token claim that - will be used to ascertain an identity's username. + description: Username provides the name of the ID token claim + or userinfo endpoint response claim that will be used to ascertain + an identity's username. When not set, the username will be an + automatically constructed unique string which will include the + issuer URL of your OIDC provider along with the value of the + "sub" (subject) claim from the ID token. type: string type: object client: diff --git a/generated/latest/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go b/generated/latest/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go index 5d7277bf..9e0624a0 100644 --- a/generated/latest/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go +++ b/generated/latest/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go @@ -20,7 +20,7 @@ const ( PhaseError OIDCIdentityProviderPhase = "Error" ) -// Status of an OIDC identity provider. +// OIDCIdentityProviderStatus is the status of an OIDC identity provider. type OIDCIdentityProviderStatus struct { // Phase summarizes the overall status of the OIDCIdentityProvider. // +kubebuilder:default=Pending @@ -38,14 +38,59 @@ type OIDCIdentityProviderStatus struct { // OIDCAuthorizationConfig provides information about how to form the OAuth2 authorization // request parameters. type OIDCAuthorizationConfig struct { - // AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization - // request flow with an OIDC identity provider. - // In the case of a Resource Owner Password Credentials Grant flow, AdditionalScopes are the scopes - // in addition to "openid" that will be requested as part of the token request (see also the allowPasswordGrant field). - // By default, only the "openid" scope will be requested. + // DoNotRequestOfflineAccess determines if the "offline_access" scope will be requested from your OIDC provider in + // the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner + // Password Credentials Grant in order to ask to receive a refresh token in the response. Starting in v0.13.0, the + // Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from these + // authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be "offline_access". + // See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the "offline_access" + // scope. See the documentation of your OIDC provider's authorization and token endpoints for its requirements for what + // to include in the request in order to receive a refresh token in the response, if anything. By default, + // DoNotRequestOfflineAccess is false, which means that "offline_access" will be sent in the authorization request, + // since that is what is suggested by the OIDC specification. Note that it may be safe to send "offline_access" even to + // providers which do not require it, since the provider may ignore scopes that it does not understand or require (see + // https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the + // "offline_access" scope, set DoNotRequestOfflineAccess to true. This is required if your OIDC provider will reject + // the request when it includes "offline_access" (e.g. GitLab's OIDC provider). If you need to send some other scope + // to request a refresh token, include the scope name in the additionalScopes setting. Also note that some OIDC + // providers may require that the "prompt" param be set to a specific value for the authorization request during an + // OIDC Authorization Code Flow in order to receive a refresh token in the response. To adjust the prompt param, see + // the additionalAuthorizeParameters setting. + // +optional + DoNotRequestOfflineAccess bool `json:"doNotRequestOfflineAccess,omitempty"` + + // AdditionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization + // request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials + // Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is + // always required according to the OIDC spec. The "offline_access" scope may also be included according to the value + // of the DoNotRequestOfflineAccess setting. Any other scopes required should be included here in the AdditionalScopes + // list. For example, you might like to include scopes like "profile", "email", or "groups" in order to receive the + // related claims in the returned ID token or userinfo endpoint results if you would like to make use of those + // claims in the OIDCClaims settings to determine the usernames and group memberships of your Kubernetes users. See + // your OIDC provider's documentation for more information about what scopes are available to request claims. // +optional AdditionalScopes []string `json:"additionalScopes,omitempty"` + // AdditionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your + // OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra + // parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id", + // "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be + // included in this setting. This setting does not influence the parameters sent to the token endpoint in the + // Resource Owner Password Credentials Grant. Starting in v0.13.0, the Pinniped Supervisor requires that your OIDC + // provider returns refresh tokens to the Supervisor from the authorization flows. Some OIDC providers may require + // a certain value for the "prompt" parameter in order to properly request refresh tokens. See the documentation of + // your OIDC provider's authorization endpoint for its requirements for what to include in the request in + // order to receive a refresh token in the response, if anything. If your provider requires the prompt parameter to + // request a refresh token, then include it here. Also note that most providers also require a certain scope to be + // requested in order to receive refresh tokens. See the doNotRequestOfflineAccess setting for more information about + // using scopes to request refresh tokens. + // +optional + // +patchMergeKey=name + // +patchStrategy=merge + // +listType=map + // +listMapKey=name + AdditionalAuthorizeParameters []Parameter `json:"extraAuthorizeParameters,omitempty"` + // AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant // (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a // username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. @@ -66,15 +111,29 @@ type OIDCAuthorizationConfig struct { AllowPasswordGrant bool `json:"allowPasswordGrant,omitempty"` } +// Parameter is a key/value pair which represents a parameter in an HTTP request. +type Parameter struct { + // The name of the parameter. Required. + // +kubebuilder:validation:MinLength=1 + Name string `json:"name"` + + // The value of the parameter. + // +optional + Value string `json:"value,omitempty"` +} + // OIDCClaims provides a mapping from upstream claims into identities. type OIDCClaims struct { - // Groups provides the name of the token claim that will be used to ascertain the groups to which - // an identity belongs. + // Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain + // the groups to which an identity belongs. By default, the identities will not include any group memberships when + // this setting is not configured. // +optional Groups string `json:"groups"` - // Username provides the name of the token claim that will be used to ascertain an identity's - // username. + // Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to + // ascertain an identity's username. When not set, the username will be an automatically constructed unique string + // which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from + // the ID token. // +optional Username string `json:"username"` } @@ -89,7 +148,7 @@ type OIDCClient struct { SecretName string `json:"secretName"` } -// Spec for configuring an OIDC identity provider. +// OIDCIdentityProviderSpec is the spec for configuring an OIDC identity provider. type OIDCIdentityProviderSpec struct { // Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch // /.well-known/openid-configuration. @@ -135,7 +194,7 @@ type OIDCIdentityProvider struct { Status OIDCIdentityProviderStatus `json:"status,omitempty"` } -// List of OIDCIdentityProvider objects. +// OIDCIdentityProviderList lists OIDCIdentityProvider objects. // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object type OIDCIdentityProviderList struct { metav1.TypeMeta `json:",inline"` diff --git a/generated/latest/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/latest/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go index 9895a76e..12e67583 100644 --- a/generated/latest/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go +++ b/generated/latest/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go @@ -416,6 +416,11 @@ func (in *OIDCAuthorizationConfig) DeepCopyInto(out *OIDCAuthorizationConfig) { *out = make([]string, len(*in)) copy(*out, *in) } + if in.AdditionalAuthorizeParameters != nil { + in, out := &in.AdditionalAuthorizeParameters, &out.AdditionalAuthorizeParameters + *out = make([]Parameter, len(*in)) + copy(*out, *in) + } return } @@ -569,6 +574,22 @@ func (in *OIDCIdentityProviderStatus) DeepCopy() *OIDCIdentityProviderStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Parameter) DeepCopyInto(out *Parameter) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Parameter. +func (in *Parameter) DeepCopy() *Parameter { + if in == nil { + return nil + } + out := new(Parameter) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TLSSpec) DeepCopyInto(out *TLSSpec) { *out = *in diff --git a/go.mod b/go.mod index 1593d1f2..b5f0e8ea 100644 --- a/go.mod +++ b/go.mod @@ -17,7 +17,9 @@ require ( github.com/google/uuid v1.1.2 github.com/gorilla/securecookie v1.1.1 github.com/gorilla/websocket v1.4.2 + github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 github.com/ory/fosite v0.40.2 + github.com/ory/x v0.0.212 github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4 github.com/pkg/errors v0.9.1 github.com/sclevine/agouti v3.0.0+incompatible @@ -96,12 +98,10 @@ require ( github.com/moby/spdystream v0.2.0 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.1 // indirect - github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/ory/go-acc v0.2.6 // indirect github.com/ory/go-convenience v0.1.0 // indirect github.com/ory/viper v1.7.5 // indirect - github.com/ory/x v0.0.212 // indirect github.com/pborman/uuid v1.2.0 // indirect github.com/pelletier/go-toml v1.9.3 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect diff --git a/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher.go b/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher.go index 31293951..6757a3ff 100644 --- a/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher.go +++ b/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher.go @@ -52,16 +52,36 @@ const ( oidcValidatorCacheTTL = 15 * time.Minute // Constants related to conditions. - typeClientCredentialsValid = "ClientCredentialsValid" - typeOIDCDiscoverySucceeded = "OIDCDiscoverySucceeded" + typeClientCredentialsValid = "ClientCredentialsValid" + typeAdditionalAuthorizeParametersValid = "AdditionalAuthorizeParametersValid" + typeOIDCDiscoverySucceeded = "OIDCDiscoverySucceeded" - reasonUnreachable = "Unreachable" - reasonInvalidResponse = "InvalidResponse" + reasonUnreachable = "Unreachable" + reasonInvalidResponse = "InvalidResponse" + reasonDisallowedParameterName = "DisallowedParameterName" // Errors that are generated by our reconcile process. errOIDCFailureStatus = constable.Error("OIDCIdentityProvider has a failing condition") ) +var ( + // Reject these AdditionalAuthorizeParameters to avoid allowing the user's config to overwrite the parameters + // that are always used by Pinniped in authcode authorization requests. The OIDC library used would otherwise + // happily treat the user's config as an override. Users can already set the "client_id" and "scope" params + // using other settings, and the others never make sense to override. This map should be treated as read-only + // since it is a global variable. + disallowedAdditionalAuthorizeParameters = map[string]bool{ //nolint: gochecknoglobals + "response_type": true, + "scope": true, + "client_id": true, + "state": true, + "nonce": true, + "code_challenge": true, + "code_challenge_method": true, + "redirect_uri": true, + } +) + // UpstreamOIDCIdentityProviderICache is a thread safe cache that holds a list of validated upstream OIDC IDP configurations. type UpstreamOIDCIdentityProviderICache interface { SetOIDCIdentityProviders([]provider.UpstreamOIDCIdentityProviderI) @@ -167,21 +187,45 @@ func (c *oidcWatcherController) Sync(ctx controllerlib.Context) error { // validateUpstream validates the provided v1alpha1.OIDCIdentityProvider and returns the validated configuration as a // provider.UpstreamOIDCIdentityProvider. As a side effect, it also updates the status of the v1alpha1.OIDCIdentityProvider. func (c *oidcWatcherController) validateUpstream(ctx controllerlib.Context, upstream *v1alpha1.OIDCIdentityProvider) *upstreamoidc.ProviderConfig { + authorizationConfig := upstream.Spec.AuthorizationConfig + + additionalAuthcodeAuthorizeParameters := map[string]string{} + var rejectedAuthcodeAuthorizeParameters []string + for _, p := range authorizationConfig.AdditionalAuthorizeParameters { + if disallowedAdditionalAuthorizeParameters[p.Name] { + rejectedAuthcodeAuthorizeParameters = append(rejectedAuthcodeAuthorizeParameters, p.Name) + } else { + additionalAuthcodeAuthorizeParameters[p.Name] = p.Value + } + } + result := upstreamoidc.ProviderConfig{ Name: upstream.Name, Config: &oauth2.Config{ - Scopes: computeScopes(upstream.Spec.AuthorizationConfig.AdditionalScopes), + Scopes: computeScopes(authorizationConfig.AdditionalScopes, !authorizationConfig.DoNotRequestOfflineAccess), }, UsernameClaim: upstream.Spec.Claims.Username, GroupsClaim: upstream.Spec.Claims.Groups, - AllowPasswordGrant: upstream.Spec.AuthorizationConfig.AllowPasswordGrant, - AdditionalAuthcodeParams: map[string]string{"prompt": "consent"}, + AllowPasswordGrant: authorizationConfig.AllowPasswordGrant, + AdditionalAuthcodeParams: additionalAuthcodeAuthorizeParameters, ResourceUID: upstream.UID, } + conditions := []*v1alpha1.Condition{ c.validateSecret(upstream, &result), c.validateIssuer(ctx.Context, upstream, &result), } + if len(rejectedAuthcodeAuthorizeParameters) > 0 { + // This condition probably isn't important enough to report when it is successful, so just report errors. + conditions = append(conditions, &v1alpha1.Condition{ + Type: typeAdditionalAuthorizeParametersValid, + Status: v1alpha1.ConditionFalse, + Reason: reasonDisallowedParameterName, + Message: fmt.Sprintf("the following additionalAuthorizeParameters are not allowed: %s", + strings.Join(rejectedAuthcodeAuthorizeParameters, ",")), + }) + } + c.updateStatus(ctx.Context, upstream, conditions) valid := true @@ -372,11 +416,13 @@ func getTLSConfig(upstream *v1alpha1.OIDCIdentityProvider) (*tls.Config, error) return &result, nil } -func computeScopes(additionalScopes []string) []string { +func computeScopes(additionalScopes []string, includeOfflineAccess bool) []string { // First compute the unique set of scopes, including "openid" (de-duplicate). set := make(map[string]bool, len(additionalScopes)+1) set["openid"] = true - set["offline_access"] = true + if includeOfflineAccess { + set["offline_access"] = true + } for _, s := range additionalScopes { set[s] = true } diff --git a/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher_test.go b/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher_test.go index 73b0d2eb..8ac13c2c 100644 --- a/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher_test.go +++ b/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher_test.go @@ -124,8 +124,9 @@ func TestOIDCUpstreamWatcherControllerSync(t *testing.T) { testName = "test-name" testSecretName = "test-client-secret" testAdditionalScopes = []string{"scope1", "scope2", "scope3"} - testExpectedScopes = []string{"offline_access", "openid", "scope1", "scope2", "scope3"} - testExpectedAdditionalParams = map[string]string{"prompt": "consent"} + testExpectedScopes = []string{"openid", "scope1", "scope2", "scope3"} + testAdditionalParams = []v1alpha1.Parameter{{Name: "prompt", Value: "consent"}, {Name: "foo", Value: "bar"}} + testExpectedAdditionalParams = map[string]string{"prompt": "consent", "foo": "bar"} testClientID = "test-oidc-client-id" testClientSecret = "test-oidc-client-secret" testValidSecretData = map[string][]byte{"clientID": []byte(testClientID), "clientSecret": []byte(testClientSecret)} @@ -150,10 +151,9 @@ func TestOIDCUpstreamWatcherControllerSync(t *testing.T) { inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName}, Spec: v1alpha1.OIDCIdentityProviderSpec{ - Issuer: testIssuerURL, - TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64}, - Client: v1alpha1.OIDCClient{SecretName: testSecretName}, - AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: testAdditionalScopes}, + Issuer: testIssuerURL, + TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64}, + Client: v1alpha1.OIDCClient{SecretName: testSecretName}, }, }}, inputSecrets: []runtime.Object{}, @@ -192,10 +192,9 @@ func TestOIDCUpstreamWatcherControllerSync(t *testing.T) { inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName}, Spec: v1alpha1.OIDCIdentityProviderSpec{ - Issuer: testIssuerURL, - TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64}, - Client: v1alpha1.OIDCClient{SecretName: testSecretName}, - AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: testAdditionalScopes}, + Issuer: testIssuerURL, + TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64}, + Client: v1alpha1.OIDCClient{SecretName: testSecretName}, }, }}, inputSecrets: []runtime.Object{&corev1.Secret{ @@ -238,10 +237,9 @@ func TestOIDCUpstreamWatcherControllerSync(t *testing.T) { inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName}, Spec: v1alpha1.OIDCIdentityProviderSpec{ - Issuer: testIssuerURL, - TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64}, - Client: v1alpha1.OIDCClient{SecretName: testSecretName}, - AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: testAdditionalScopes}, + Issuer: testIssuerURL, + TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64}, + Client: v1alpha1.OIDCClient{SecretName: testSecretName}, }, }}, inputSecrets: []runtime.Object{&corev1.Secret{ @@ -287,8 +285,7 @@ func TestOIDCUpstreamWatcherControllerSync(t *testing.T) { TLS: &v1alpha1.TLSSpec{ CertificateAuthorityData: "invalid-base64", }, - Client: v1alpha1.OIDCClient{SecretName: testSecretName}, - AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: append(testAdditionalScopes, "xyz", "openid")}, + Client: v1alpha1.OIDCClient{SecretName: testSecretName}, }, }}, inputSecrets: []runtime.Object{&corev1.Secret{ @@ -335,8 +332,7 @@ func TestOIDCUpstreamWatcherControllerSync(t *testing.T) { TLS: &v1alpha1.TLSSpec{ CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte("not-a-pem-ca-bundle")), }, - Client: v1alpha1.OIDCClient{SecretName: testSecretName}, - AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: append(testAdditionalScopes, "xyz", "openid")}, + Client: v1alpha1.OIDCClient{SecretName: testSecretName}, }, }}, inputSecrets: []runtime.Object{&corev1.Secret{ @@ -379,9 +375,8 @@ func TestOIDCUpstreamWatcherControllerSync(t *testing.T) { inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName}, Spec: v1alpha1.OIDCIdentityProviderSpec{ - Issuer: "invalid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee", - Client: v1alpha1.OIDCClient{SecretName: testSecretName}, - AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: testAdditionalScopes}, + Issuer: "invalid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee", + Client: v1alpha1.OIDCClient{SecretName: testSecretName}, }, }}, inputSecrets: []runtime.Object{&corev1.Secret{ @@ -426,10 +421,9 @@ Get "invalid-url-that-is-really-really-long-nanananananananannanananan-batman-na inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName}, Spec: v1alpha1.OIDCIdentityProviderSpec{ - Issuer: testIssuerURL + "/valid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee", - TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: wrongCABase64}, - Client: v1alpha1.OIDCClient{SecretName: testSecretName}, - AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: testAdditionalScopes}, + Issuer: testIssuerURL + "/valid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee", + TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: wrongCABase64}, + Client: v1alpha1.OIDCClient{SecretName: testSecretName}, }, }}, inputSecrets: []runtime.Object{&corev1.Secret{ @@ -474,10 +468,9 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName}, Spec: v1alpha1.OIDCIdentityProviderSpec{ - Issuer: testIssuerURL + "/invalid", - TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64}, - Client: v1alpha1.OIDCClient{SecretName: testSecretName}, - AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: testAdditionalScopes}, + Issuer: testIssuerURL + "/invalid", + TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64}, + Client: v1alpha1.OIDCClient{SecretName: testSecretName}, }, }}, inputSecrets: []runtime.Object{&corev1.Secret{ @@ -520,10 +513,9 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName}, Spec: v1alpha1.OIDCIdentityProviderSpec{ - Issuer: testIssuerURL + "/insecure", - TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64}, - Client: v1alpha1.OIDCClient{SecretName: testSecretName}, - AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: testAdditionalScopes}, + Issuer: testIssuerURL + "/insecure", + TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64}, + Client: v1alpha1.OIDCClient{SecretName: testSecretName}, }, }}, inputSecrets: []runtime.Object{&corev1.Secret{ @@ -570,7 +562,7 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64}, Client: v1alpha1.OIDCClient{SecretName: testSecretName}, AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{ - AdditionalScopes: append(testAdditionalScopes, "xyz", "openid", "offline_access"), + AdditionalScopes: append(testAdditionalScopes, "xyz", "openid", "offline_access"), // adds openid and offline_access unnecessarily AllowPasswordGrant: true, }, Claims: v1alpha1.OIDCClaims{Groups: testGroupsClaim, Username: testUsernameClaim}, @@ -597,11 +589,11 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana Name: testName, ClientID: testClientID, AuthorizationURL: *testIssuerAuthorizeURL, - Scopes: append(testExpectedScopes, "xyz"), + Scopes: append(testExpectedScopes, "offline_access", "xyz"), // includes offline_access only once UsernameClaim: testUsernameClaim, GroupsClaim: testGroupsClaim, AllowPasswordGrant: true, - AdditionalAuthcodeParams: testExpectedAdditionalParams, + AdditionalAuthcodeParams: map[string]string{}, ResourceUID: testUID, }, }, @@ -624,9 +616,65 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana Issuer: testIssuerURL, TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64}, Client: v1alpha1.OIDCClient{SecretName: testSecretName}, + Claims: v1alpha1.OIDCClaims{Groups: testGroupsClaim, Username: testUsernameClaim}, AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{ - AdditionalScopes: testAdditionalScopes, - AllowPasswordGrant: false, + AdditionalScopes: testAdditionalScopes, // does not include offline_access + }, + }, + Status: v1alpha1.OIDCIdentityProviderStatus{ + Phase: "Ready", + Conditions: []v1alpha1.Condition{ + {Type: "ClientCredentialsValid", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "loaded client credentials"}, + {Type: "OIDCDiscoverySucceeded", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "discovered issuer configuration"}, + }, + }, + }}, + inputSecrets: []runtime.Object{&corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testSecretName}, + Type: "secrets.pinniped.dev/oidc-client", + Data: testValidSecretData, + }}, + wantLogs: []string{ + `oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid"`, + `oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="discovered issuer configuration" "reason"="Success" "status"="True" "type"="OIDCDiscoverySucceeded"`, + }, + wantResultingCache: []provider.UpstreamOIDCIdentityProviderI{ + &oidctestutil.TestUpstreamOIDCIdentityProvider{ + Name: testName, + ClientID: testClientID, + AuthorizationURL: *testIssuerAuthorizeURL, + Scopes: append(testExpectedScopes, "offline_access"), // gets offline_access by default + UsernameClaim: testUsernameClaim, + GroupsClaim: testGroupsClaim, + AllowPasswordGrant: false, + AdditionalAuthcodeParams: map[string]string{}, + ResourceUID: testUID, + }, + }, + wantResultingUpstreams: []v1alpha1.OIDCIdentityProvider{{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Status: v1alpha1.OIDCIdentityProviderStatus{ + Phase: "Ready", + Conditions: []v1alpha1.Condition{ + {Type: "ClientCredentialsValid", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "loaded client credentials", ObservedGeneration: 1234}, + {Type: "OIDCDiscoverySucceeded", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "discovered issuer configuration", ObservedGeneration: 1234}, + }, + }, + }}, + }, + { + name: "existing valid upstream with trailing slash and more optional settings", + inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, + Spec: v1alpha1.OIDCIdentityProviderSpec{ + Issuer: testIssuerURL + "/ends-with-slash/", + TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64}, + Client: v1alpha1.OIDCClient{SecretName: testSecretName}, + AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{ + DoNotRequestOfflineAccess: true, + AdditionalScopes: testAdditionalScopes, + AdditionalAuthorizeParameters: testAdditionalParams, + AllowPasswordGrant: true, }, Claims: v1alpha1.OIDCClaims{Groups: testGroupsClaim, Username: testUsernameClaim}, }, @@ -652,10 +700,10 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana Name: testName, ClientID: testClientID, AuthorizationURL: *testIssuerAuthorizeURL, - Scopes: testExpectedScopes, + Scopes: testExpectedScopes, // does not include offline_access UsernameClaim: testUsernameClaim, GroupsClaim: testGroupsClaim, - AllowPasswordGrant: false, + AllowPasswordGrant: true, AdditionalAuthcodeParams: testExpectedAdditionalParams, ResourceUID: testUID, }, @@ -672,21 +720,25 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana }}, }, { - name: "existing valid upstream with trailing slash", + name: "has disallowed additionalAuthorizeParams keys", inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, Spec: v1alpha1.OIDCIdentityProviderSpec{ - Issuer: testIssuerURL + "/ends-with-slash/", - TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64}, - Client: v1alpha1.OIDCClient{SecretName: testSecretName}, - AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: testAdditionalScopes}, - Claims: v1alpha1.OIDCClaims{Groups: testGroupsClaim, Username: testUsernameClaim}, - }, - Status: v1alpha1.OIDCIdentityProviderStatus{ - Phase: "Ready", - Conditions: []v1alpha1.Condition{ - {Type: "ClientCredentialsValid", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "loaded client credentials"}, - {Type: "OIDCDiscoverySucceeded", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "discovered issuer configuration"}, + Issuer: testIssuerURL, + TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64}, + Client: v1alpha1.OIDCClient{SecretName: testSecretName}, + AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{ + AdditionalAuthorizeParameters: []v1alpha1.Parameter{ + {Name: "response_type", Value: "foo"}, + {Name: "scope", Value: "foo"}, + {Name: "client_id", Value: "foo"}, + {Name: "state", Value: "foo"}, + {Name: "nonce", Value: "foo"}, + {Name: "code_challenge", Value: "foo"}, + {Name: "code_challenge_method", Value: "foo"}, + {Name: "redirect_uri", Value: "foo"}, + {Name: "this_one_is_allowed", Value: "foo"}, + }, }, }, }}, @@ -695,30 +747,24 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana Type: "secrets.pinniped.dev/oidc-client", Data: testValidSecretData, }}, + wantErr: controllerlib.ErrSyntheticRequeue.Error(), wantLogs: []string{ `oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid"`, `oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="discovered issuer configuration" "reason"="Success" "status"="True" "type"="OIDCDiscoverySucceeded"`, + `oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="the following additionalAuthorizeParameters are not allowed: response_type,scope,client_id,state,nonce,code_challenge,code_challenge_method,redirect_uri" "reason"="DisallowedParameterName" "status"="False" "type"="AdditionalAuthorizeParametersValid"`, + `oidc-upstream-observer "msg"="found failing condition" "error"="OIDCIdentityProvider has a failing condition" "message"="the following additionalAuthorizeParameters are not allowed: response_type,scope,client_id,state,nonce,code_challenge,code_challenge_method,redirect_uri" "name"="test-name" "namespace"="test-namespace" "reason"="DisallowedParameterName" "type"="AdditionalAuthorizeParametersValid"`, }, - wantResultingCache: []provider.UpstreamOIDCIdentityProviderI{ - &oidctestutil.TestUpstreamOIDCIdentityProvider{ - Name: testName, - ClientID: testClientID, - AuthorizationURL: *testIssuerAuthorizeURL, - Scopes: testExpectedScopes, - UsernameClaim: testUsernameClaim, - GroupsClaim: testGroupsClaim, - AllowPasswordGrant: false, - AdditionalAuthcodeParams: testExpectedAdditionalParams, - ResourceUID: testUID, - }, - }, + wantResultingCache: []provider.UpstreamOIDCIdentityProviderI{}, wantResultingUpstreams: []v1alpha1.OIDCIdentityProvider{{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, Status: v1alpha1.OIDCIdentityProviderStatus{ - Phase: "Ready", + Phase: "Error", Conditions: []v1alpha1.Condition{ - {Type: "ClientCredentialsValid", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "loaded client credentials", ObservedGeneration: 1234}, - {Type: "OIDCDiscoverySucceeded", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "discovered issuer configuration", ObservedGeneration: 1234}, + {Type: "AdditionalAuthorizeParametersValid", Status: "False", LastTransitionTime: now, Reason: "DisallowedParameterName", + Message: "the following additionalAuthorizeParameters are not allowed: " + + "response_type,scope,client_id,state,nonce,code_challenge,code_challenge_method,redirect_uri", ObservedGeneration: 1234}, + {Type: "ClientCredentialsValid", Status: "True", LastTransitionTime: now, Reason: "Success", Message: "loaded client credentials", ObservedGeneration: 1234}, + {Type: "OIDCDiscoverySucceeded", Status: "True", LastTransitionTime: now, Reason: "Success", Message: "discovered issuer configuration", ObservedGeneration: 1234}, }, }, }}, @@ -728,10 +774,9 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName}, Spec: v1alpha1.OIDCIdentityProviderSpec{ - Issuer: testIssuerURL + "/ends-with-slash", - TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64}, - Client: v1alpha1.OIDCClient{SecretName: testSecretName}, - AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: testAdditionalScopes}, + Issuer: testIssuerURL + "/ends-with-slash", + TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64}, + Client: v1alpha1.OIDCClient{SecretName: testSecretName}, }, }}, inputSecrets: []runtime.Object{&corev1.Secret{ @@ -776,10 +821,9 @@ oidc: issuer did not match the issuer returned by provider, expected "` + testIs inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{ ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName}, Spec: v1alpha1.OIDCIdentityProviderSpec{ - Issuer: testIssuerURL + "/", - TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64}, - Client: v1alpha1.OIDCClient{SecretName: testSecretName}, - AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: testAdditionalScopes}, + Issuer: testIssuerURL + "/", + TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64}, + Client: v1alpha1.OIDCClient{SecretName: testSecretName}, }, }}, inputSecrets: []runtime.Object{&corev1.Secret{ diff --git a/site/content/docs/howto/configure-supervisor-with-dex.md b/site/content/docs/howto/configure-supervisor-with-dex.md index db44d20e..723be7cf 100644 --- a/site/content/docs/howto/configure-supervisor-with-dex.md +++ b/site/content/docs/howto/configure-supervisor-with-dex.md @@ -85,12 +85,20 @@ spec: # Specify the upstream issuer URL (no trailing slash). issuer: https:// - # Request any scopes other than "openid" for claims besides - # the default claims in your token. The "openid" scope is always - # included. + # Specify how to form authorization requests to Dex. authorizationConfig: + + # Request any scopes other than "openid" for claims besides + # the default claims in your token. The "openid" scope is always + # included. additionalScopes: [groups, email] + # If you would also like to allow your end users to authenticate using + # a password grant, then change this to true. + # Password grants with Dex will only work in Dex versions that include + # this bug fix: https://github.com/dexidp/dex/pull/2234 + allowPasswordGrant: false + # Specify how Dex claims are mapped to Kubernetes identities. claims: # Specify the name of the claim in your Dex ID token that will be mapped diff --git a/site/content/docs/howto/configure-supervisor-with-gitlab.md b/site/content/docs/howto/configure-supervisor-with-gitlab.md index fffb0a52..eb372dec 100644 --- a/site/content/docs/howto/configure-supervisor-with-gitlab.md +++ b/site/content/docs/howto/configure-supervisor-with-gitlab.md @@ -30,8 +30,14 @@ For example, to create a user-owned application: 1. Create a new application: 1. Enter a name for your application, such as "My Kubernetes Clusters". 1. Enter the redirect URI. This is the `spec.issuer` you configured in your `FederationDomain` appended with `/callback`. - 1. Check the box saying that the application is _Confidential_. - 1. Select scope `openid`. This provides access to the `nickname` (GitLab username) and `groups` (GitLab groups) claims. + 1. Check the box saying that the application is _Confidential_. This is required and will cause GitLab to autogenerate + a client ID and client secret for your application. + 1. Check the box saying to _Expire Access Tokens_ to cause refresh tokens to be returned to the Supervisor. This is + required starting in Pinniped v0.13.0. + 1. Select scope `openid`. This is required to get ID tokens. Also, this provides access to the `nickname` (GitLab username) + and `groups` (GitLab groups) claims in the ID tokens. + 1. Optionally select other scopes which might provide access to other claims that you might want to use to determine + the usernames of your users, for example `email`. 1. Save the application and make note of the _Application ID_ and _Secret_. ## Configure the Supervisor cluster @@ -51,6 +57,19 @@ spec: # Specify the upstream issuer URL. issuer: https://gitlab.com + # Specify how to form authorization requests to GitLab. + authorizationConfig: + + # GitLab is unusual among OIDC providers in that it returns an + # error if you request the "offline_access" scope during an + # authorization flow, so ask Pinniped to avoid requesting that + # scope when using GitLab. + doNotRequestOfflineAccess: true + + # If you would also like to allow your end users to authenticate using + # a password grant, then change this to true. + allowPasswordGrant: false + # Specify how GitLab claims are mapped to Kubernetes identities. claims: diff --git a/site/content/docs/howto/configure-supervisor-with-okta.md b/site/content/docs/howto/configure-supervisor-with-okta.md index 6c01fb72..0890fa2f 100644 --- a/site/content/docs/howto/configure-supervisor-with-okta.md +++ b/site/content/docs/howto/configure-supervisor-with-okta.md @@ -32,11 +32,18 @@ For example, to create an app: 1. Create a new app: 1. Click `Create App Integration`. 1. For `Sign-on method`, select `OIDC`. - 1. For `Application type`, app `Web Application`, then click next. + 1. For `Application type`, app `Web Application`, then click next. Only if you would like to offer the + password grant flow to your end users, then choose `Native Application` instead. 1. Enter a name for your app, such as "My Kubernetes Clusters". + 1. If you chose to create a `Web Application` then in the General Settings section, choose Grant Types + `Authorization Code` and `Refresh Token`. Starting in Pinniped v0.13.0, the `Refresh Token` grant is required. + 1. If you chose `Native Application` then in the General Settings section, choose Grant Types `Authorization Code`, + `Refresh Token`, and `Resource Owner Password`. Starting in Pinniped v0.13.0, the `Refresh Token` grant is required. 1. Enter the sign-in redirect URI. This is the `spec.issuer` you configured in your `FederationDomain` appended with `/callback`. 1. Optionally select `Limit access to selected groups` to restrict which Okta users can log in to Kubernetes using this integration. - 1. Save the app and make note of the _Client ID_ and _Client secret_. + 1. Save the app and make note of the _Client ID_ and _Client secret_. If you chose to create a `Native Application` + then there is an extra step required to get a client secret: after saving the app, in the + Client Credentials section click `Edit`, choose `Use Client Authentication`, and click `Save`. 1. Navigate to the _Sign On_ tab > _OpenID Connect ID Token_ and click `Edit`. Fill in the Groups claim filter. For example, for all groups to be present under the claim name `groups`, fill in "groups" in the first box, then select "Matches regex" and ".*". @@ -54,18 +61,26 @@ metadata: name: okta spec: - # Specify the upstream issuer URL (no trailing slash). + # Specify the upstream issuer URL (no trailing slash). Change this to be the + # actual issuer provided by your Okta account. issuer: https://my-company.okta.com - # Request any scopes other than "openid" for claims besides - # the default claims in your token. The "openid" scope is always - # included. - # - # To learn more about how to customize the claims returned, see here: - # https://developer.okta.com/docs/guides/customize-tokens-returned-from-okta/overview/ + # Specify how to form authorization requests to Okta. authorizationConfig: + + # Request any scopes other than "openid" for claims besides + # the default claims in your token. The "openid" scope is always + # included. + # + # To learn more about how to customize the claims returned, see here: + # https://developer.okta.com/docs/guides/customize-tokens-returned-from-okta/overview/ additionalScopes: [groups, email] + # If you would also like to allow your end users to authenticate using + # a password grant, then change this to true. Password grants only work + # with applications created in Okta as "Native Applications". + allowPasswordGrant: false + # Specify how Okta claims are mapped to Kubernetes identities. claims: