Add upstream refresh related config to OIDCIdentityProvider CRD

Also update related docs.

apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go.tmpl

@@ -20,7 +20,7 @@ const (
 	PhaseError OIDCIdentityProviderPhase = "Error"
 )
 
-// Status of an OIDC identity provider.
+// OIDCIdentityProviderStatus is the status of an OIDC identity provider.
 type OIDCIdentityProviderStatus struct {
 	// Phase summarizes the overall status of the OIDCIdentityProvider.
 	// +kubebuilder:default=Pending
@@ -38,14 +38,59 @@ type OIDCIdentityProviderStatus struct {
 // OIDCAuthorizationConfig provides information about how to form the OAuth2 authorization
 // request parameters.
 type OIDCAuthorizationConfig struct {
-	// AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization
+	// DoNotRequestOfflineAccess determines if the "offline_access" scope will be requested from your OIDC provider in
-	// request flow with an OIDC identity provider.
+	// the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner
-	// In the case of a Resource Owner Password Credentials Grant flow, AdditionalScopes are the scopes
+	// Password Credentials Grant in order to ask to receive a refresh token in the response. Starting in v0.13.0, the
-	// in addition to "openid" that will be requested as part of the token request (see also the allowPasswordGrant field).
+	// Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from these
-	// By default, only the "openid" scope will be requested.
+	// authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be "offline_access".
+	// See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the "offline_access"
+	// scope. See the documentation of your OIDC provider's authorization and token endpoints for its requirements for what
+	// to include in the request in order to receive a refresh token in the response, if anything. By default,
+	// DoNotRequestOfflineAccess is false, which means that "offline_access" will be sent in the authorization request,
+	// since that is what is suggested by the OIDC specification. Note that it may be safe to send "offline_access" even to
+	// providers which do not require it, since the provider may ignore scopes that it does not understand or require (see
+	// https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the
+	// "offline_access" scope, set DoNotRequestOfflineAccess to true. This is required if your OIDC provider will reject
+	// the request when it includes "offline_access" (e.g. GitLab's OIDC provider). If you need to send some other scope
+	// to request a refresh token, include the scope name in the additionalScopes setting. Also note that some OIDC
+	// providers may require that the "prompt" param be set to a specific value for the authorization request during an
+	// OIDC Authorization Code Flow in order to receive a refresh token in the response. To adjust the prompt param, see
+	// the additionalAuthorizeParameters setting.
+	// +optional
+	DoNotRequestOfflineAccess bool `json:"doNotRequestOfflineAccess,omitempty"`
+
+	// AdditionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization
+	// request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials
+	// Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is
+	// always required according to the OIDC spec. The "offline_access" scope may also be included according to the value
+	// of the DoNotRequestOfflineAccess setting. Any other scopes required should be included here in the AdditionalScopes
+	// list. For example, you might like to include scopes like "profile", "email", or "groups" in order to receive the
+	// related claims in the returned ID token or userinfo endpoint results if you would like to make use of those
+	// claims in the OIDCClaims settings to determine the usernames and group memberships of your Kubernetes users. See
+	// your OIDC provider's documentation for more information about what scopes are available to request claims.
 	// +optional
 	AdditionalScopes []string `json:"additionalScopes,omitempty"`
 
+	// AdditionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your
+	// OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra
+	// parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id",
+	// "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be
+	// included in this setting. This setting does not influence the parameters sent to the token endpoint in the
+	// Resource Owner Password Credentials Grant. Starting in v0.13.0, the Pinniped Supervisor requires that your OIDC
+	// provider returns refresh tokens to the Supervisor from the authorization flows. Some OIDC providers may require
+	// a certain value for the "prompt" parameter in order to properly request refresh tokens. See the documentation of
+	// your OIDC provider's authorization endpoint for its requirements for what to include in the request in
+	// order to receive a refresh token in the response, if anything. If your provider requires the prompt parameter to
+	// request a refresh token, then include it here. Also note that most providers also require a certain scope to be
+	// requested in order to receive refresh tokens. See the doNotRequestOfflineAccess setting for more information about
+	// using scopes to request refresh tokens.
+	// +optional
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=name
+	AdditionalAuthorizeParameters []Parameter `json:"extraAuthorizeParameters,omitempty"`
+
 	// AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant
 	// (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a
 	// username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow.
@@ -66,15 +111,29 @@ type OIDCAuthorizationConfig struct {
 	AllowPasswordGrant bool `json:"allowPasswordGrant,omitempty"`
 }
 
+// Parameter is a key/value pair which represents a parameter in an HTTP request.
+type Parameter struct {
+	// The name of the parameter. Required.
+	// +kubebuilder:validation:MinLength=1
+	Name string `json:"name"`
+
+	// The value of the parameter.
+	// +optional
+	Value string `json:"value,omitempty"`
+}
+
 // OIDCClaims provides a mapping from upstream claims into identities.
 type OIDCClaims struct {
-	// Groups provides the name of the token claim that will be used to ascertain the groups to which
+	// Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain
-	// an identity belongs.
+	// the groups to which an identity belongs. By default, the identities will not include any group memberships when
+	// this setting is not configured.
 	// +optional
 	Groups string `json:"groups"`
 
-	// Username provides the name of the token claim that will be used to ascertain an identity's
+	// Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to
-	// username.
+	// ascertain an identity's username. When not set, the username will be an automatically constructed unique string
+	// which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from
+	// the ID token.
 	// +optional
 	Username string `json:"username"`
 }
@@ -89,7 +148,7 @@ type OIDCClient struct {
 	SecretName string `json:"secretName"`
 }
 
-// Spec for configuring an OIDC identity provider.
+// OIDCIdentityProviderSpec is the spec for configuring an OIDC identity provider.
 type OIDCIdentityProviderSpec struct {
 	// Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch
 	// /.well-known/openid-configuration.
@@ -135,7 +194,7 @@ type OIDCIdentityProvider struct {
 	Status OIDCIdentityProviderStatus `json:"status,omitempty"`
 }
 
-// List of OIDCIdentityProvider objects.
+// OIDCIdentityProviderList lists OIDCIdentityProvider objects.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 type OIDCIdentityProviderList struct {
 	metav1.TypeMeta `json:",inline"`

deploy/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml

@@ -57,13 +57,22 @@ spec:
                   OIDC identity provider.
                 properties:
                   additionalScopes:
-                    description: AdditionalScopes are the scopes in addition to "openid"
+                    description: AdditionalScopes are the additional scopes that will
-                      that will be requested as part of the authorization request
+                      be requested from your OIDC provider in the authorization request
-                      flow with an OIDC identity provider. In the case of a Resource
+                      during an OIDC Authorization Code Flow and in the token request
-                      Owner Password Credentials Grant flow, AdditionalScopes are
+                      during a Resource Owner Password Credentials Grant. Note that
-                      the scopes in addition to "openid" that will be requested as
+                      the "openid" scope will always be requested regardless of the
-                      part of the token request (see also the allowPasswordGrant field).
+                      value in this setting, since it is always required according
-                      By default, only the "openid" scope will be requested.
+                      to the OIDC spec. The "offline_access" scope may also be included
+                      according to the value of the DoNotRequestOfflineAccess setting.
+                      Any other scopes required should be included here in the AdditionalScopes
+                      list. For example, you might like to include scopes like "profile",
+                      "email", or "groups" in order to receive the related claims
+                      in the returned ID token or userinfo endpoint results if you
+                      would like to make use of those claims in the OIDCClaims settings
+                      to determine the usernames and group memberships of your Kubernetes
+                      users. See your OIDC provider's documentation for more information
+                      about what scopes are available to request claims.
                     items:
                       type: string
                     type: array
@@ -97,18 +106,98 @@ spec:
                       during Resource Owner Password Credentials Grant logins. AllowPasswordGrant
                       defaults to false.
                     type: boolean
+                  doNotRequestOfflineAccess:
+                    description: DoNotRequestOfflineAccess determines if the "offline_access"
+                      scope will be requested from your OIDC provider in the authorization
+                      request during an OIDC Authorization Code Flow and in the token
+                      request during a Resource Owner Password Credentials Grant in
+                      order to ask to receive a refresh token in the response. Starting
+                      in v0.13.0, the Pinniped Supervisor requires that your OIDC
+                      provider returns refresh tokens to the Supervisor from these
+                      authorization flows. For most OIDC providers, the scope required
+                      to receive refresh tokens will be "offline_access". See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
+                      for a description of the "offline_access" scope. See the documentation
+                      of your OIDC provider's authorization and token endpoints for
+                      its requirements for what to include in the request in order
+                      to receive a refresh token in the response, if anything. By
+                      default, DoNotRequestOfflineAccess is false, which means that
+                      "offline_access" will be sent in the authorization request,
+                      since that is what is suggested by the OIDC specification. Note
+                      that it may be safe to send "offline_access" even to providers
+                      which do not require it, since the provider may ignore scopes
+                      that it does not understand or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3).
+                      In the unusual case that you must avoid sending the "offline_access"
+                      scope, set DoNotRequestOfflineAccess to true. This is required
+                      if your OIDC provider will reject the request when it includes
+                      "offline_access" (e.g. GitLab's OIDC provider). If you need
+                      to send some other scope to request a refresh token, include
+                      the scope name in the additionalScopes setting. Also note that
+                      some OIDC providers may require that the "prompt" param be set
+                      to a specific value for the authorization request during an
+                      OIDC Authorization Code Flow in order to receive a refresh token
+                      in the response. To adjust the prompt param, see the additionalAuthorizeParameters
+                      setting.
+                    type: boolean
+                  extraAuthorizeParameters:
+                    description: AdditionalAuthorizeParameters are extra query parameters
+                      that should be included in the authorize request to your OIDC
+                      provider in the authorization request during an OIDC Authorization
+                      Code Flow. By default, no extra parameters are sent. The standard
+                      parameters that will be sent are "response_type", "scope", "client_id",
+                      "state", "nonce", "code_challenge", "code_challenge_method",
+                      and "redirect_uri". These parameters cannot be included in this
+                      setting. This setting does not influence the parameters sent
+                      to the token endpoint in the Resource Owner Password Credentials
+                      Grant. Starting in v0.13.0, the Pinniped Supervisor requires
+                      that your OIDC provider returns refresh tokens to the Supervisor
+                      from the authorization flows. Some OIDC providers may require
+                      a certain value for the "prompt" parameter in order to properly
+                      request refresh tokens. See the documentation of your OIDC provider's
+                      authorization endpoint for its requirements for what to include
+                      in the request in order to receive a refresh token in the response,
+                      if anything. If your provider requires the prompt parameter
+                      to request a refresh token, then include it here. Also note
+                      that most providers also require a certain scope to be requested
+                      in order to receive refresh tokens. See the doNotRequestOfflineAccess
+                      setting for more information about using scopes to request refresh
+                      tokens.
+                    items:
+                      description: Parameter is a key/value pair which represents
+                        a parameter in an HTTP request.
+                      properties:
+                        name:
+                          description: The name of the parameter. Required.
+                          minLength: 1
+                          type: string
+                        value:
+                          description: The value of the parameter.
+                          type: string
+                      required:
+                      - name
+                      type: object
+                    type: array
+                    x-kubernetes-list-map-keys:
+                    - name
+                    x-kubernetes-list-type: map
                 type: object
               claims:
                 description: Claims provides the names of token claims that will be
                   used when inspecting an identity from this OIDC identity provider.
                 properties:
                   groups:
-                    description: Groups provides the name of the token claim that
+                    description: Groups provides the name of the ID token claim or
-                      will be used to ascertain the groups to which an identity belongs.
+                      userinfo endpoint response claim that will be used to ascertain
+                      the groups to which an identity belongs. By default, the identities
+                      will not include any group memberships when this setting is
+                      not configured.
                     type: string
                   username:
-                    description: Username provides the name of the token claim that
+                    description: Username provides the name of the ID token claim
-                      will be used to ascertain an identity's username.
+                      or userinfo endpoint response claim that will be used to ascertain
+                      an identity's username. When not set, the username will be an
+                      automatically constructed unique string which will include the
+                      issuer URL of your OIDC provider along with the value of the
+                      "sub" (subject) claim from the ID token.
                     type: string
                 type: object
               client:

generated/1.17/README.adoc

@@ -1099,7 +1099,9 @@ OIDCAuthorizationConfig provides information about how to form the OAuth2 author
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`additionalScopes`* __string array__ | AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization request flow with an OIDC identity provider. In the case of a Resource Owner Password Credentials Grant flow, AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the token request (see also the allowPasswordGrant field). By default, only the "openid" scope will be requested.
+| *`doNotRequestOfflineAccess`* __boolean__ | DoNotRequestOfflineAccess determines if the "offline_access" scope will be requested from your OIDC provider in the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials Grant in order to ask to receive a refresh token in the response. Starting in v0.13.0, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from these authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be "offline_access". See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the "offline_access" scope. See the documentation of your OIDC provider's authorization and token endpoints for its requirements for what to include in the request in order to receive a refresh token in the response, if anything. By default, DoNotRequestOfflineAccess is false, which means that "offline_access" will be sent in the authorization request, since that is what is suggested by the OIDC specification. Note that it may be safe to send "offline_access" even to providers which do not require it, since the provider may ignore scopes that it does not understand or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the "offline_access" scope, set DoNotRequestOfflineAccess to true. This is required if your OIDC provider will reject the request when it includes "offline_access" (e.g. GitLab's OIDC provider). If you need to send some other scope to request a refresh token, include the scope name in the additionalScopes setting. Also note that some OIDC providers may require that the "prompt" param be set to a specific value for the authorization request during an OIDC Authorization Code Flow in order to receive a refresh token in the response. To adjust the prompt param, see the additionalAuthorizeParameters setting.
+| *`additionalScopes`* __string array__ | AdditionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is always required according to the OIDC spec. The "offline_access" scope may also be included according to the value of the DoNotRequestOfflineAccess setting. Any other scopes required should be included here in the AdditionalScopes list. For example, you might like to include scopes like "profile", "email", or "groups" in order to receive the related claims in the returned ID token or userinfo endpoint results if you would like to make use of those claims in the OIDCClaims settings to determine the usernames and group memberships of your Kubernetes users. See your OIDC provider's documentation for more information about what scopes are available to request claims.
+| *`extraAuthorizeParameters`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-parameter[$$Parameter$$] array__ | AdditionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id", "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be included in this setting. This setting does not influence the parameters sent to the token endpoint in the Resource Owner Password Credentials Grant. Starting in v0.13.0, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from the authorization flows. Some OIDC providers may require a certain value for the "prompt" parameter in order to properly request refresh tokens. See the documentation of your OIDC provider's authorization endpoint for its requirements for what to include in the request in order to receive a refresh token in the response, if anything. If your provider requires the prompt parameter to request a refresh token, then include it here. Also note that most providers also require a certain scope to be requested in order to receive refresh tokens. See the doNotRequestOfflineAccess setting for more information about using scopes to request refresh tokens.
 | *`allowPasswordGrant`* __boolean__ | AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be convenient for users, especially for identities from your OIDC provider which are not intended to represent a human actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it, you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins. AllowPasswordGrant defaults to false.
 |===
 
@@ -1117,8 +1119,8 @@ OIDCClaims provides a mapping from upstream claims into identities.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`groups`* __string__ | Groups provides the name of the token claim that will be used to ascertain the groups to which an identity belongs.
+| *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
-| *`username`* __string__ | Username provides the name of the token claim that will be used to ascertain an identity's username.
+| *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
 |===
 
 
@@ -1164,7 +1166,7 @@ OIDCIdentityProvider describes the configuration of an upstream OpenID Connect i
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec"]
 ==== OIDCIdentityProviderSpec 
 
-Spec for configuring an OIDC identity provider.
+OIDCIdentityProviderSpec is the spec for configuring an OIDC identity provider.
 
 .Appears In:
 ****
@@ -1185,7 +1187,7 @@ Spec for configuring an OIDC identity provider.
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-oidcidentityproviderstatus"]
 ==== OIDCIdentityProviderStatus 
 
-Status of an OIDC identity provider.
+OIDCIdentityProviderStatus is the status of an OIDC identity provider.
 
 .Appears In:
 ****
@@ -1200,6 +1202,24 @@ Status of an OIDC identity provider.
 |===
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-parameter"]
+==== Parameter 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-oidcauthorizationconfig[$$OIDCAuthorizationConfig$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`name`* __string__ | The name of the parameter. Required.
+| *`value`* __string__ | The value of the parameter.
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-tlsspec"]
 ==== TLSSpec 
 

generated/1.17/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go

@@ -20,7 +20,7 @@ const (
 	PhaseError OIDCIdentityProviderPhase = "Error"
 )
 
-// Status of an OIDC identity provider.
+// OIDCIdentityProviderStatus is the status of an OIDC identity provider.
 type OIDCIdentityProviderStatus struct {
 	// Phase summarizes the overall status of the OIDCIdentityProvider.
 	// +kubebuilder:default=Pending
@@ -38,14 +38,59 @@ type OIDCIdentityProviderStatus struct {
 // OIDCAuthorizationConfig provides information about how to form the OAuth2 authorization
 // request parameters.
 type OIDCAuthorizationConfig struct {
-	// AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization
+	// DoNotRequestOfflineAccess determines if the "offline_access" scope will be requested from your OIDC provider in
-	// request flow with an OIDC identity provider.
+	// the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner
-	// In the case of a Resource Owner Password Credentials Grant flow, AdditionalScopes are the scopes
+	// Password Credentials Grant in order to ask to receive a refresh token in the response. Starting in v0.13.0, the
-	// in addition to "openid" that will be requested as part of the token request (see also the allowPasswordGrant field).
+	// Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from these
-	// By default, only the "openid" scope will be requested.
+	// authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be "offline_access".
+	// See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the "offline_access"
+	// scope. See the documentation of your OIDC provider's authorization and token endpoints for its requirements for what
+	// to include in the request in order to receive a refresh token in the response, if anything. By default,
+	// DoNotRequestOfflineAccess is false, which means that "offline_access" will be sent in the authorization request,
+	// since that is what is suggested by the OIDC specification. Note that it may be safe to send "offline_access" even to
+	// providers which do not require it, since the provider may ignore scopes that it does not understand or require (see
+	// https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the
+	// "offline_access" scope, set DoNotRequestOfflineAccess to true. This is required if your OIDC provider will reject
+	// the request when it includes "offline_access" (e.g. GitLab's OIDC provider). If you need to send some other scope
+	// to request a refresh token, include the scope name in the additionalScopes setting. Also note that some OIDC
+	// providers may require that the "prompt" param be set to a specific value for the authorization request during an
+	// OIDC Authorization Code Flow in order to receive a refresh token in the response. To adjust the prompt param, see
+	// the additionalAuthorizeParameters setting.
+	// +optional
+	DoNotRequestOfflineAccess bool `json:"doNotRequestOfflineAccess,omitempty"`
+
+	// AdditionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization
+	// request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials
+	// Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is
+	// always required according to the OIDC spec. The "offline_access" scope may also be included according to the value
+	// of the DoNotRequestOfflineAccess setting. Any other scopes required should be included here in the AdditionalScopes
+	// list. For example, you might like to include scopes like "profile", "email", or "groups" in order to receive the
+	// related claims in the returned ID token or userinfo endpoint results if you would like to make use of those
+	// claims in the OIDCClaims settings to determine the usernames and group memberships of your Kubernetes users. See
+	// your OIDC provider's documentation for more information about what scopes are available to request claims.
 	// +optional
 	AdditionalScopes []string `json:"additionalScopes,omitempty"`
 
+	// AdditionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your
+	// OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra
+	// parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id",
+	// "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be
+	// included in this setting. This setting does not influence the parameters sent to the token endpoint in the
+	// Resource Owner Password Credentials Grant. Starting in v0.13.0, the Pinniped Supervisor requires that your OIDC
+	// provider returns refresh tokens to the Supervisor from the authorization flows. Some OIDC providers may require
+	// a certain value for the "prompt" parameter in order to properly request refresh tokens. See the documentation of
+	// your OIDC provider's authorization endpoint for its requirements for what to include in the request in
+	// order to receive a refresh token in the response, if anything. If your provider requires the prompt parameter to
+	// request a refresh token, then include it here. Also note that most providers also require a certain scope to be
+	// requested in order to receive refresh tokens. See the doNotRequestOfflineAccess setting for more information about
+	// using scopes to request refresh tokens.
+	// +optional
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=name
+	AdditionalAuthorizeParameters []Parameter `json:"extraAuthorizeParameters,omitempty"`
+
 	// AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant
 	// (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a
 	// username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow.
@@ -66,15 +111,29 @@ type OIDCAuthorizationConfig struct {
 	AllowPasswordGrant bool `json:"allowPasswordGrant,omitempty"`
 }
 
+// Parameter is a key/value pair which represents a parameter in an HTTP request.
+type Parameter struct {
+	// The name of the parameter. Required.
+	// +kubebuilder:validation:MinLength=1
+	Name string `json:"name"`
+
+	// The value of the parameter.
+	// +optional
+	Value string `json:"value,omitempty"`
+}
+
 // OIDCClaims provides a mapping from upstream claims into identities.
 type OIDCClaims struct {
-	// Groups provides the name of the token claim that will be used to ascertain the groups to which
+	// Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain
-	// an identity belongs.
+	// the groups to which an identity belongs. By default, the identities will not include any group memberships when
+	// this setting is not configured.
 	// +optional
 	Groups string `json:"groups"`
 
-	// Username provides the name of the token claim that will be used to ascertain an identity's
+	// Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to
-	// username.
+	// ascertain an identity's username. When not set, the username will be an automatically constructed unique string
+	// which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from
+	// the ID token.
 	// +optional
 	Username string `json:"username"`
 }
@@ -89,7 +148,7 @@ type OIDCClient struct {
 	SecretName string `json:"secretName"`
 }
 
-// Spec for configuring an OIDC identity provider.
+// OIDCIdentityProviderSpec is the spec for configuring an OIDC identity provider.
 type OIDCIdentityProviderSpec struct {
 	// Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch
 	// /.well-known/openid-configuration.
@@ -135,7 +194,7 @@ type OIDCIdentityProvider struct {
 	Status OIDCIdentityProviderStatus `json:"status,omitempty"`
 }
 
-// List of OIDCIdentityProvider objects.
+// OIDCIdentityProviderList lists OIDCIdentityProvider objects.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 type OIDCIdentityProviderList struct {
 	metav1.TypeMeta `json:",inline"`

generated/1.17/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go

@@ -416,6 +416,11 @@ func (in *OIDCAuthorizationConfig) DeepCopyInto(out *OIDCAuthorizationConfig) {
 		*out = make([]string, len(*in))
 		copy(*out, *in)
 	}
+	if in.AdditionalAuthorizeParameters != nil {
+		in, out := &in.AdditionalAuthorizeParameters, &out.AdditionalAuthorizeParameters
+		*out = make([]Parameter, len(*in))
+		copy(*out, *in)
+	}
 	return
 }
 
@@ -569,6 +574,22 @@ func (in *OIDCIdentityProviderStatus) DeepCopy() *OIDCIdentityProviderStatus {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Parameter) DeepCopyInto(out *Parameter) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Parameter.
+func (in *Parameter) DeepCopy() *Parameter {
+	if in == nil {
+		return nil
+	}
+	out := new(Parameter)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
 	*out = *in

generated/1.17/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml

@@ -57,13 +57,22 @@ spec:
                   OIDC identity provider.
                 properties:
                   additionalScopes:
-                    description: AdditionalScopes are the scopes in addition to "openid"
+                    description: AdditionalScopes are the additional scopes that will
-                      that will be requested as part of the authorization request
+                      be requested from your OIDC provider in the authorization request
-                      flow with an OIDC identity provider. In the case of a Resource
+                      during an OIDC Authorization Code Flow and in the token request
-                      Owner Password Credentials Grant flow, AdditionalScopes are
+                      during a Resource Owner Password Credentials Grant. Note that
-                      the scopes in addition to "openid" that will be requested as
+                      the "openid" scope will always be requested regardless of the
-                      part of the token request (see also the allowPasswordGrant field).
+                      value in this setting, since it is always required according
-                      By default, only the "openid" scope will be requested.
+                      to the OIDC spec. The "offline_access" scope may also be included
+                      according to the value of the DoNotRequestOfflineAccess setting.
+                      Any other scopes required should be included here in the AdditionalScopes
+                      list. For example, you might like to include scopes like "profile",
+                      "email", or "groups" in order to receive the related claims
+                      in the returned ID token or userinfo endpoint results if you
+                      would like to make use of those claims in the OIDCClaims settings
+                      to determine the usernames and group memberships of your Kubernetes
+                      users. See your OIDC provider's documentation for more information
+                      about what scopes are available to request claims.
                     items:
                       type: string
                     type: array
@@ -97,18 +106,98 @@ spec:
                       during Resource Owner Password Credentials Grant logins. AllowPasswordGrant
                       defaults to false.
                     type: boolean
+                  doNotRequestOfflineAccess:
+                    description: DoNotRequestOfflineAccess determines if the "offline_access"
+                      scope will be requested from your OIDC provider in the authorization
+                      request during an OIDC Authorization Code Flow and in the token
+                      request during a Resource Owner Password Credentials Grant in
+                      order to ask to receive a refresh token in the response. Starting
+                      in v0.13.0, the Pinniped Supervisor requires that your OIDC
+                      provider returns refresh tokens to the Supervisor from these
+                      authorization flows. For most OIDC providers, the scope required
+                      to receive refresh tokens will be "offline_access". See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
+                      for a description of the "offline_access" scope. See the documentation
+                      of your OIDC provider's authorization and token endpoints for
+                      its requirements for what to include in the request in order
+                      to receive a refresh token in the response, if anything. By
+                      default, DoNotRequestOfflineAccess is false, which means that
+                      "offline_access" will be sent in the authorization request,
+                      since that is what is suggested by the OIDC specification. Note
+                      that it may be safe to send "offline_access" even to providers
+                      which do not require it, since the provider may ignore scopes
+                      that it does not understand or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3).
+                      In the unusual case that you must avoid sending the "offline_access"
+                      scope, set DoNotRequestOfflineAccess to true. This is required
+                      if your OIDC provider will reject the request when it includes
+                      "offline_access" (e.g. GitLab's OIDC provider). If you need
+                      to send some other scope to request a refresh token, include
+                      the scope name in the additionalScopes setting. Also note that
+                      some OIDC providers may require that the "prompt" param be set
+                      to a specific value for the authorization request during an
+                      OIDC Authorization Code Flow in order to receive a refresh token
+                      in the response. To adjust the prompt param, see the additionalAuthorizeParameters
+                      setting.
+                    type: boolean
+                  extraAuthorizeParameters:
+                    description: AdditionalAuthorizeParameters are extra query parameters
+                      that should be included in the authorize request to your OIDC
+                      provider in the authorization request during an OIDC Authorization
+                      Code Flow. By default, no extra parameters are sent. The standard
+                      parameters that will be sent are "response_type", "scope", "client_id",
+                      "state", "nonce", "code_challenge", "code_challenge_method",
+                      and "redirect_uri". These parameters cannot be included in this
+                      setting. This setting does not influence the parameters sent
+                      to the token endpoint in the Resource Owner Password Credentials
+                      Grant. Starting in v0.13.0, the Pinniped Supervisor requires
+                      that your OIDC provider returns refresh tokens to the Supervisor
+                      from the authorization flows. Some OIDC providers may require
+                      a certain value for the "prompt" parameter in order to properly
+                      request refresh tokens. See the documentation of your OIDC provider's
+                      authorization endpoint for its requirements for what to include
+                      in the request in order to receive a refresh token in the response,
+                      if anything. If your provider requires the prompt parameter
+                      to request a refresh token, then include it here. Also note
+                      that most providers also require a certain scope to be requested
+                      in order to receive refresh tokens. See the doNotRequestOfflineAccess
+                      setting for more information about using scopes to request refresh
+                      tokens.
+                    items:
+                      description: Parameter is a key/value pair which represents
+                        a parameter in an HTTP request.
+                      properties:
+                        name:
+                          description: The name of the parameter. Required.
+                          minLength: 1
+                          type: string
+                        value:
+                          description: The value of the parameter.
+                          type: string
+                      required:
+                      - name
+                      type: object
+                    type: array
+                    x-kubernetes-list-map-keys:
+                    - name
+                    x-kubernetes-list-type: map
                 type: object
               claims:
                 description: Claims provides the names of token claims that will be
                   used when inspecting an identity from this OIDC identity provider.
                 properties:
                   groups:
-                    description: Groups provides the name of the token claim that
+                    description: Groups provides the name of the ID token claim or
-                      will be used to ascertain the groups to which an identity belongs.
+                      userinfo endpoint response claim that will be used to ascertain
+                      the groups to which an identity belongs. By default, the identities
+                      will not include any group memberships when this setting is
+                      not configured.
                     type: string
                   username:
-                    description: Username provides the name of the token claim that
+                    description: Username provides the name of the ID token claim
-                      will be used to ascertain an identity's username.
+                      or userinfo endpoint response claim that will be used to ascertain
+                      an identity's username. When not set, the username will be an
+                      automatically constructed unique string which will include the
+                      issuer URL of your OIDC provider along with the value of the
+                      "sub" (subject) claim from the ID token.
                     type: string
                 type: object
               client:

generated/1.18/README.adoc

@@ -1099,7 +1099,9 @@ OIDCAuthorizationConfig provides information about how to form the OAuth2 author
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`additionalScopes`* __string array__ | AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization request flow with an OIDC identity provider. In the case of a Resource Owner Password Credentials Grant flow, AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the token request (see also the allowPasswordGrant field). By default, only the "openid" scope will be requested.
+| *`doNotRequestOfflineAccess`* __boolean__ | DoNotRequestOfflineAccess determines if the "offline_access" scope will be requested from your OIDC provider in the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials Grant in order to ask to receive a refresh token in the response. Starting in v0.13.0, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from these authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be "offline_access". See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the "offline_access" scope. See the documentation of your OIDC provider's authorization and token endpoints for its requirements for what to include in the request in order to receive a refresh token in the response, if anything. By default, DoNotRequestOfflineAccess is false, which means that "offline_access" will be sent in the authorization request, since that is what is suggested by the OIDC specification. Note that it may be safe to send "offline_access" even to providers which do not require it, since the provider may ignore scopes that it does not understand or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the "offline_access" scope, set DoNotRequestOfflineAccess to true. This is required if your OIDC provider will reject the request when it includes "offline_access" (e.g. GitLab's OIDC provider). If you need to send some other scope to request a refresh token, include the scope name in the additionalScopes setting. Also note that some OIDC providers may require that the "prompt" param be set to a specific value for the authorization request during an OIDC Authorization Code Flow in order to receive a refresh token in the response. To adjust the prompt param, see the additionalAuthorizeParameters setting.
+| *`additionalScopes`* __string array__ | AdditionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is always required according to the OIDC spec. The "offline_access" scope may also be included according to the value of the DoNotRequestOfflineAccess setting. Any other scopes required should be included here in the AdditionalScopes list. For example, you might like to include scopes like "profile", "email", or "groups" in order to receive the related claims in the returned ID token or userinfo endpoint results if you would like to make use of those claims in the OIDCClaims settings to determine the usernames and group memberships of your Kubernetes users. See your OIDC provider's documentation for more information about what scopes are available to request claims.
+| *`extraAuthorizeParameters`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-parameter[$$Parameter$$] array__ | AdditionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id", "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be included in this setting. This setting does not influence the parameters sent to the token endpoint in the Resource Owner Password Credentials Grant. Starting in v0.13.0, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from the authorization flows. Some OIDC providers may require a certain value for the "prompt" parameter in order to properly request refresh tokens. See the documentation of your OIDC provider's authorization endpoint for its requirements for what to include in the request in order to receive a refresh token in the response, if anything. If your provider requires the prompt parameter to request a refresh token, then include it here. Also note that most providers also require a certain scope to be requested in order to receive refresh tokens. See the doNotRequestOfflineAccess setting for more information about using scopes to request refresh tokens.
 | *`allowPasswordGrant`* __boolean__ | AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be convenient for users, especially for identities from your OIDC provider which are not intended to represent a human actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it, you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins. AllowPasswordGrant defaults to false.
 |===
 
@@ -1117,8 +1119,8 @@ OIDCClaims provides a mapping from upstream claims into identities.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`groups`* __string__ | Groups provides the name of the token claim that will be used to ascertain the groups to which an identity belongs.
+| *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
-| *`username`* __string__ | Username provides the name of the token claim that will be used to ascertain an identity's username.
+| *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
 |===
 
 
@@ -1164,7 +1166,7 @@ OIDCIdentityProvider describes the configuration of an upstream OpenID Connect i
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec"]
 ==== OIDCIdentityProviderSpec 
 
-Spec for configuring an OIDC identity provider.
+OIDCIdentityProviderSpec is the spec for configuring an OIDC identity provider.
 
 .Appears In:
 ****
@@ -1185,7 +1187,7 @@ Spec for configuring an OIDC identity provider.
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-oidcidentityproviderstatus"]
 ==== OIDCIdentityProviderStatus 
 
-Status of an OIDC identity provider.
+OIDCIdentityProviderStatus is the status of an OIDC identity provider.
 
 .Appears In:
 ****
@@ -1200,6 +1202,24 @@ Status of an OIDC identity provider.
 |===
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-parameter"]
+==== Parameter 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-oidcauthorizationconfig[$$OIDCAuthorizationConfig$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`name`* __string__ | The name of the parameter. Required.
+| *`value`* __string__ | The value of the parameter.
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-tlsspec"]
 ==== TLSSpec 
 

generated/1.18/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go

@@ -20,7 +20,7 @@ const (
 	PhaseError OIDCIdentityProviderPhase = "Error"
 )
 
-// Status of an OIDC identity provider.
+// OIDCIdentityProviderStatus is the status of an OIDC identity provider.
 type OIDCIdentityProviderStatus struct {
 	// Phase summarizes the overall status of the OIDCIdentityProvider.
 	// +kubebuilder:default=Pending
@@ -38,14 +38,59 @@ type OIDCIdentityProviderStatus struct {
 // OIDCAuthorizationConfig provides information about how to form the OAuth2 authorization
 // request parameters.
 type OIDCAuthorizationConfig struct {
-	// AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization
+	// DoNotRequestOfflineAccess determines if the "offline_access" scope will be requested from your OIDC provider in
-	// request flow with an OIDC identity provider.
+	// the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner
-	// In the case of a Resource Owner Password Credentials Grant flow, AdditionalScopes are the scopes
+	// Password Credentials Grant in order to ask to receive a refresh token in the response. Starting in v0.13.0, the
-	// in addition to "openid" that will be requested as part of the token request (see also the allowPasswordGrant field).
+	// Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from these
-	// By default, only the "openid" scope will be requested.
+	// authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be "offline_access".
+	// See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the "offline_access"
+	// scope. See the documentation of your OIDC provider's authorization and token endpoints for its requirements for what
+	// to include in the request in order to receive a refresh token in the response, if anything. By default,
+	// DoNotRequestOfflineAccess is false, which means that "offline_access" will be sent in the authorization request,
+	// since that is what is suggested by the OIDC specification. Note that it may be safe to send "offline_access" even to
+	// providers which do not require it, since the provider may ignore scopes that it does not understand or require (see
+	// https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the
+	// "offline_access" scope, set DoNotRequestOfflineAccess to true. This is required if your OIDC provider will reject
+	// the request when it includes "offline_access" (e.g. GitLab's OIDC provider). If you need to send some other scope
+	// to request a refresh token, include the scope name in the additionalScopes setting. Also note that some OIDC
+	// providers may require that the "prompt" param be set to a specific value for the authorization request during an
+	// OIDC Authorization Code Flow in order to receive a refresh token in the response. To adjust the prompt param, see
+	// the additionalAuthorizeParameters setting.
+	// +optional
+	DoNotRequestOfflineAccess bool `json:"doNotRequestOfflineAccess,omitempty"`
+
+	// AdditionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization
+	// request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials
+	// Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is
+	// always required according to the OIDC spec. The "offline_access" scope may also be included according to the value
+	// of the DoNotRequestOfflineAccess setting. Any other scopes required should be included here in the AdditionalScopes
+	// list. For example, you might like to include scopes like "profile", "email", or "groups" in order to receive the
+	// related claims in the returned ID token or userinfo endpoint results if you would like to make use of those
+	// claims in the OIDCClaims settings to determine the usernames and group memberships of your Kubernetes users. See
+	// your OIDC provider's documentation for more information about what scopes are available to request claims.
 	// +optional
 	AdditionalScopes []string `json:"additionalScopes,omitempty"`
 
+	// AdditionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your
+	// OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra
+	// parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id",
+	// "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be
+	// included in this setting. This setting does not influence the parameters sent to the token endpoint in the
+	// Resource Owner Password Credentials Grant. Starting in v0.13.0, the Pinniped Supervisor requires that your OIDC
+	// provider returns refresh tokens to the Supervisor from the authorization flows. Some OIDC providers may require
+	// a certain value for the "prompt" parameter in order to properly request refresh tokens. See the documentation of
+	// your OIDC provider's authorization endpoint for its requirements for what to include in the request in
+	// order to receive a refresh token in the response, if anything. If your provider requires the prompt parameter to
+	// request a refresh token, then include it here. Also note that most providers also require a certain scope to be
+	// requested in order to receive refresh tokens. See the doNotRequestOfflineAccess setting for more information about
+	// using scopes to request refresh tokens.
+	// +optional
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=name
+	AdditionalAuthorizeParameters []Parameter `json:"extraAuthorizeParameters,omitempty"`
+
 	// AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant
 	// (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a
 	// username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow.
@@ -66,15 +111,29 @@ type OIDCAuthorizationConfig struct {
 	AllowPasswordGrant bool `json:"allowPasswordGrant,omitempty"`
 }
 
+// Parameter is a key/value pair which represents a parameter in an HTTP request.
+type Parameter struct {
+	// The name of the parameter. Required.
+	// +kubebuilder:validation:MinLength=1
+	Name string `json:"name"`
+
+	// The value of the parameter.
+	// +optional
+	Value string `json:"value,omitempty"`
+}
+
 // OIDCClaims provides a mapping from upstream claims into identities.
 type OIDCClaims struct {
-	// Groups provides the name of the token claim that will be used to ascertain the groups to which
+	// Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain
-	// an identity belongs.
+	// the groups to which an identity belongs. By default, the identities will not include any group memberships when
+	// this setting is not configured.
 	// +optional
 	Groups string `json:"groups"`
 
-	// Username provides the name of the token claim that will be used to ascertain an identity's
+	// Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to
-	// username.
+	// ascertain an identity's username. When not set, the username will be an automatically constructed unique string
+	// which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from
+	// the ID token.
 	// +optional
 	Username string `json:"username"`
 }
@@ -89,7 +148,7 @@ type OIDCClient struct {
 	SecretName string `json:"secretName"`
 }
 
-// Spec for configuring an OIDC identity provider.
+// OIDCIdentityProviderSpec is the spec for configuring an OIDC identity provider.
 type OIDCIdentityProviderSpec struct {
 	// Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch
 	// /.well-known/openid-configuration.
@@ -135,7 +194,7 @@ type OIDCIdentityProvider struct {
 	Status OIDCIdentityProviderStatus `json:"status,omitempty"`
 }
 
-// List of OIDCIdentityProvider objects.
+// OIDCIdentityProviderList lists OIDCIdentityProvider objects.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 type OIDCIdentityProviderList struct {
 	metav1.TypeMeta `json:",inline"`

generated/1.18/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go

@@ -416,6 +416,11 @@ func (in *OIDCAuthorizationConfig) DeepCopyInto(out *OIDCAuthorizationConfig) {
 		*out = make([]string, len(*in))
 		copy(*out, *in)
 	}
+	if in.AdditionalAuthorizeParameters != nil {
+		in, out := &in.AdditionalAuthorizeParameters, &out.AdditionalAuthorizeParameters
+		*out = make([]Parameter, len(*in))
+		copy(*out, *in)
+	}
 	return
 }
 
@@ -569,6 +574,22 @@ func (in *OIDCIdentityProviderStatus) DeepCopy() *OIDCIdentityProviderStatus {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Parameter) DeepCopyInto(out *Parameter) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Parameter.
+func (in *Parameter) DeepCopy() *Parameter {
+	if in == nil {
+		return nil
+	}
+	out := new(Parameter)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
 	*out = *in

generated/1.18/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml

@@ -57,13 +57,22 @@ spec:
                   OIDC identity provider.
                 properties:
                   additionalScopes:
-                    description: AdditionalScopes are the scopes in addition to "openid"
+                    description: AdditionalScopes are the additional scopes that will
-                      that will be requested as part of the authorization request
+                      be requested from your OIDC provider in the authorization request
-                      flow with an OIDC identity provider. In the case of a Resource
+                      during an OIDC Authorization Code Flow and in the token request
-                      Owner Password Credentials Grant flow, AdditionalScopes are
+                      during a Resource Owner Password Credentials Grant. Note that
-                      the scopes in addition to "openid" that will be requested as
+                      the "openid" scope will always be requested regardless of the
-                      part of the token request (see also the allowPasswordGrant field).
+                      value in this setting, since it is always required according
-                      By default, only the "openid" scope will be requested.
+                      to the OIDC spec. The "offline_access" scope may also be included
+                      according to the value of the DoNotRequestOfflineAccess setting.
+                      Any other scopes required should be included here in the AdditionalScopes
+                      list. For example, you might like to include scopes like "profile",
+                      "email", or "groups" in order to receive the related claims
+                      in the returned ID token or userinfo endpoint results if you
+                      would like to make use of those claims in the OIDCClaims settings
+                      to determine the usernames and group memberships of your Kubernetes
+                      users. See your OIDC provider's documentation for more information
+                      about what scopes are available to request claims.
                     items:
                       type: string
                     type: array
@@ -97,18 +106,98 @@ spec:
                       during Resource Owner Password Credentials Grant logins. AllowPasswordGrant
                       defaults to false.
                     type: boolean
+                  doNotRequestOfflineAccess:
+                    description: DoNotRequestOfflineAccess determines if the "offline_access"
+                      scope will be requested from your OIDC provider in the authorization
+                      request during an OIDC Authorization Code Flow and in the token
+                      request during a Resource Owner Password Credentials Grant in
+                      order to ask to receive a refresh token in the response. Starting
+                      in v0.13.0, the Pinniped Supervisor requires that your OIDC
+                      provider returns refresh tokens to the Supervisor from these
+                      authorization flows. For most OIDC providers, the scope required
+                      to receive refresh tokens will be "offline_access". See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
+                      for a description of the "offline_access" scope. See the documentation
+                      of your OIDC provider's authorization and token endpoints for
+                      its requirements for what to include in the request in order
+                      to receive a refresh token in the response, if anything. By
+                      default, DoNotRequestOfflineAccess is false, which means that
+                      "offline_access" will be sent in the authorization request,
+                      since that is what is suggested by the OIDC specification. Note
+                      that it may be safe to send "offline_access" even to providers
+                      which do not require it, since the provider may ignore scopes
+                      that it does not understand or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3).
+                      In the unusual case that you must avoid sending the "offline_access"
+                      scope, set DoNotRequestOfflineAccess to true. This is required
+                      if your OIDC provider will reject the request when it includes
+                      "offline_access" (e.g. GitLab's OIDC provider). If you need
+                      to send some other scope to request a refresh token, include
+                      the scope name in the additionalScopes setting. Also note that
+                      some OIDC providers may require that the "prompt" param be set
+                      to a specific value for the authorization request during an
+                      OIDC Authorization Code Flow in order to receive a refresh token
+                      in the response. To adjust the prompt param, see the additionalAuthorizeParameters
+                      setting.
+                    type: boolean
+                  extraAuthorizeParameters:
+                    description: AdditionalAuthorizeParameters are extra query parameters
+                      that should be included in the authorize request to your OIDC
+                      provider in the authorization request during an OIDC Authorization
+                      Code Flow. By default, no extra parameters are sent. The standard
+                      parameters that will be sent are "response_type", "scope", "client_id",
+                      "state", "nonce", "code_challenge", "code_challenge_method",
+                      and "redirect_uri". These parameters cannot be included in this
+                      setting. This setting does not influence the parameters sent
+                      to the token endpoint in the Resource Owner Password Credentials
+                      Grant. Starting in v0.13.0, the Pinniped Supervisor requires
+                      that your OIDC provider returns refresh tokens to the Supervisor
+                      from the authorization flows. Some OIDC providers may require
+                      a certain value for the "prompt" parameter in order to properly
+                      request refresh tokens. See the documentation of your OIDC provider's
+                      authorization endpoint for its requirements for what to include
+                      in the request in order to receive a refresh token in the response,
+                      if anything. If your provider requires the prompt parameter
+                      to request a refresh token, then include it here. Also note
+                      that most providers also require a certain scope to be requested
+                      in order to receive refresh tokens. See the doNotRequestOfflineAccess
+                      setting for more information about using scopes to request refresh
+                      tokens.
+                    items:
+                      description: Parameter is a key/value pair which represents
+                        a parameter in an HTTP request.
+                      properties:
+                        name:
+                          description: The name of the parameter. Required.
+                          minLength: 1
+                          type: string
+                        value:
+                          description: The value of the parameter.
+                          type: string
+                      required:
+                      - name
+                      type: object
+                    type: array
+                    x-kubernetes-list-map-keys:
+                    - name
+                    x-kubernetes-list-type: map
                 type: object
               claims:
                 description: Claims provides the names of token claims that will be
                   used when inspecting an identity from this OIDC identity provider.
                 properties:
                   groups:
-                    description: Groups provides the name of the token claim that
+                    description: Groups provides the name of the ID token claim or
-                      will be used to ascertain the groups to which an identity belongs.
+                      userinfo endpoint response claim that will be used to ascertain
+                      the groups to which an identity belongs. By default, the identities
+                      will not include any group memberships when this setting is
+                      not configured.
                     type: string
                   username:
-                    description: Username provides the name of the token claim that
+                    description: Username provides the name of the ID token claim
-                      will be used to ascertain an identity's username.
+                      or userinfo endpoint response claim that will be used to ascertain
+                      an identity's username. When not set, the username will be an
+                      automatically constructed unique string which will include the
+                      issuer URL of your OIDC provider along with the value of the
+                      "sub" (subject) claim from the ID token.
                     type: string
                 type: object
               client:

generated/1.19/README.adoc

@@ -1099,7 +1099,9 @@ OIDCAuthorizationConfig provides information about how to form the OAuth2 author
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`additionalScopes`* __string array__ | AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization request flow with an OIDC identity provider. In the case of a Resource Owner Password Credentials Grant flow, AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the token request (see also the allowPasswordGrant field). By default, only the "openid" scope will be requested.
+| *`doNotRequestOfflineAccess`* __boolean__ | DoNotRequestOfflineAccess determines if the "offline_access" scope will be requested from your OIDC provider in the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials Grant in order to ask to receive a refresh token in the response. Starting in v0.13.0, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from these authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be "offline_access". See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the "offline_access" scope. See the documentation of your OIDC provider's authorization and token endpoints for its requirements for what to include in the request in order to receive a refresh token in the response, if anything. By default, DoNotRequestOfflineAccess is false, which means that "offline_access" will be sent in the authorization request, since that is what is suggested by the OIDC specification. Note that it may be safe to send "offline_access" even to providers which do not require it, since the provider may ignore scopes that it does not understand or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the "offline_access" scope, set DoNotRequestOfflineAccess to true. This is required if your OIDC provider will reject the request when it includes "offline_access" (e.g. GitLab's OIDC provider). If you need to send some other scope to request a refresh token, include the scope name in the additionalScopes setting. Also note that some OIDC providers may require that the "prompt" param be set to a specific value for the authorization request during an OIDC Authorization Code Flow in order to receive a refresh token in the response. To adjust the prompt param, see the additionalAuthorizeParameters setting.
+| *`additionalScopes`* __string array__ | AdditionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is always required according to the OIDC spec. The "offline_access" scope may also be included according to the value of the DoNotRequestOfflineAccess setting. Any other scopes required should be included here in the AdditionalScopes list. For example, you might like to include scopes like "profile", "email", or "groups" in order to receive the related claims in the returned ID token or userinfo endpoint results if you would like to make use of those claims in the OIDCClaims settings to determine the usernames and group memberships of your Kubernetes users. See your OIDC provider's documentation for more information about what scopes are available to request claims.
+| *`extraAuthorizeParameters`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-parameter[$$Parameter$$] array__ | AdditionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id", "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be included in this setting. This setting does not influence the parameters sent to the token endpoint in the Resource Owner Password Credentials Grant. Starting in v0.13.0, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from the authorization flows. Some OIDC providers may require a certain value for the "prompt" parameter in order to properly request refresh tokens. See the documentation of your OIDC provider's authorization endpoint for its requirements for what to include in the request in order to receive a refresh token in the response, if anything. If your provider requires the prompt parameter to request a refresh token, then include it here. Also note that most providers also require a certain scope to be requested in order to receive refresh tokens. See the doNotRequestOfflineAccess setting for more information about using scopes to request refresh tokens.
 | *`allowPasswordGrant`* __boolean__ | AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be convenient for users, especially for identities from your OIDC provider which are not intended to represent a human actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it, you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins. AllowPasswordGrant defaults to false.
 |===
 
@@ -1117,8 +1119,8 @@ OIDCClaims provides a mapping from upstream claims into identities.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`groups`* __string__ | Groups provides the name of the token claim that will be used to ascertain the groups to which an identity belongs.
+| *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
-| *`username`* __string__ | Username provides the name of the token claim that will be used to ascertain an identity's username.
+| *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
 |===
 
 
@@ -1164,7 +1166,7 @@ OIDCIdentityProvider describes the configuration of an upstream OpenID Connect i
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec"]
 ==== OIDCIdentityProviderSpec 
 
-Spec for configuring an OIDC identity provider.
+OIDCIdentityProviderSpec is the spec for configuring an OIDC identity provider.
 
 .Appears In:
 ****
@@ -1185,7 +1187,7 @@ Spec for configuring an OIDC identity provider.
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-oidcidentityproviderstatus"]
 ==== OIDCIdentityProviderStatus 
 
-Status of an OIDC identity provider.
+OIDCIdentityProviderStatus is the status of an OIDC identity provider.
 
 .Appears In:
 ****
@@ -1200,6 +1202,24 @@ Status of an OIDC identity provider.
 |===
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-parameter"]
+==== Parameter 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-oidcauthorizationconfig[$$OIDCAuthorizationConfig$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`name`* __string__ | The name of the parameter. Required.
+| *`value`* __string__ | The value of the parameter.
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-tlsspec"]
 ==== TLSSpec 
 

generated/1.19/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go

@@ -20,7 +20,7 @@ const (
 	PhaseError OIDCIdentityProviderPhase = "Error"
 )
 
-// Status of an OIDC identity provider.
+// OIDCIdentityProviderStatus is the status of an OIDC identity provider.
 type OIDCIdentityProviderStatus struct {
 	// Phase summarizes the overall status of the OIDCIdentityProvider.
 	// +kubebuilder:default=Pending
@@ -38,14 +38,59 @@ type OIDCIdentityProviderStatus struct {
 // OIDCAuthorizationConfig provides information about how to form the OAuth2 authorization
 // request parameters.
 type OIDCAuthorizationConfig struct {
-	// AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization
+	// DoNotRequestOfflineAccess determines if the "offline_access" scope will be requested from your OIDC provider in
-	// request flow with an OIDC identity provider.
+	// the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner
-	// In the case of a Resource Owner Password Credentials Grant flow, AdditionalScopes are the scopes
+	// Password Credentials Grant in order to ask to receive a refresh token in the response. Starting in v0.13.0, the
-	// in addition to "openid" that will be requested as part of the token request (see also the allowPasswordGrant field).
+	// Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from these
-	// By default, only the "openid" scope will be requested.
+	// authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be "offline_access".
+	// See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the "offline_access"
+	// scope. See the documentation of your OIDC provider's authorization and token endpoints for its requirements for what
+	// to include in the request in order to receive a refresh token in the response, if anything. By default,
+	// DoNotRequestOfflineAccess is false, which means that "offline_access" will be sent in the authorization request,
+	// since that is what is suggested by the OIDC specification. Note that it may be safe to send "offline_access" even to
+	// providers which do not require it, since the provider may ignore scopes that it does not understand or require (see
+	// https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the
+	// "offline_access" scope, set DoNotRequestOfflineAccess to true. This is required if your OIDC provider will reject
+	// the request when it includes "offline_access" (e.g. GitLab's OIDC provider). If you need to send some other scope
+	// to request a refresh token, include the scope name in the additionalScopes setting. Also note that some OIDC
+	// providers may require that the "prompt" param be set to a specific value for the authorization request during an
+	// OIDC Authorization Code Flow in order to receive a refresh token in the response. To adjust the prompt param, see
+	// the additionalAuthorizeParameters setting.
+	// +optional
+	DoNotRequestOfflineAccess bool `json:"doNotRequestOfflineAccess,omitempty"`
+
+	// AdditionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization
+	// request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials
+	// Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is
+	// always required according to the OIDC spec. The "offline_access" scope may also be included according to the value
+	// of the DoNotRequestOfflineAccess setting. Any other scopes required should be included here in the AdditionalScopes
+	// list. For example, you might like to include scopes like "profile", "email", or "groups" in order to receive the
+	// related claims in the returned ID token or userinfo endpoint results if you would like to make use of those
+	// claims in the OIDCClaims settings to determine the usernames and group memberships of your Kubernetes users. See
+	// your OIDC provider's documentation for more information about what scopes are available to request claims.
 	// +optional
 	AdditionalScopes []string `json:"additionalScopes,omitempty"`
 
+	// AdditionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your
+	// OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra
+	// parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id",
+	// "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be
+	// included in this setting. This setting does not influence the parameters sent to the token endpoint in the
+	// Resource Owner Password Credentials Grant. Starting in v0.13.0, the Pinniped Supervisor requires that your OIDC
+	// provider returns refresh tokens to the Supervisor from the authorization flows. Some OIDC providers may require
+	// a certain value for the "prompt" parameter in order to properly request refresh tokens. See the documentation of
+	// your OIDC provider's authorization endpoint for its requirements for what to include in the request in
+	// order to receive a refresh token in the response, if anything. If your provider requires the prompt parameter to
+	// request a refresh token, then include it here. Also note that most providers also require a certain scope to be
+	// requested in order to receive refresh tokens. See the doNotRequestOfflineAccess setting for more information about
+	// using scopes to request refresh tokens.
+	// +optional
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=name
+	AdditionalAuthorizeParameters []Parameter `json:"extraAuthorizeParameters,omitempty"`
+
 	// AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant
 	// (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a
 	// username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow.
@@ -66,15 +111,29 @@ type OIDCAuthorizationConfig struct {
 	AllowPasswordGrant bool `json:"allowPasswordGrant,omitempty"`
 }
 
+// Parameter is a key/value pair which represents a parameter in an HTTP request.
+type Parameter struct {
+	// The name of the parameter. Required.
+	// +kubebuilder:validation:MinLength=1
+	Name string `json:"name"`
+
+	// The value of the parameter.
+	// +optional
+	Value string `json:"value,omitempty"`
+}
+
 // OIDCClaims provides a mapping from upstream claims into identities.
 type OIDCClaims struct {
-	// Groups provides the name of the token claim that will be used to ascertain the groups to which
+	// Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain
-	// an identity belongs.
+	// the groups to which an identity belongs. By default, the identities will not include any group memberships when
+	// this setting is not configured.
 	// +optional
 	Groups string `json:"groups"`
 
-	// Username provides the name of the token claim that will be used to ascertain an identity's
+	// Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to
-	// username.
+	// ascertain an identity's username. When not set, the username will be an automatically constructed unique string
+	// which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from
+	// the ID token.
 	// +optional
 	Username string `json:"username"`
 }
@@ -89,7 +148,7 @@ type OIDCClient struct {
 	SecretName string `json:"secretName"`
 }
 
-// Spec for configuring an OIDC identity provider.
+// OIDCIdentityProviderSpec is the spec for configuring an OIDC identity provider.
 type OIDCIdentityProviderSpec struct {
 	// Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch
 	// /.well-known/openid-configuration.
@@ -135,7 +194,7 @@ type OIDCIdentityProvider struct {
 	Status OIDCIdentityProviderStatus `json:"status,omitempty"`
 }
 
-// List of OIDCIdentityProvider objects.
+// OIDCIdentityProviderList lists OIDCIdentityProvider objects.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 type OIDCIdentityProviderList struct {
 	metav1.TypeMeta `json:",inline"`

generated/1.19/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go

@@ -416,6 +416,11 @@ func (in *OIDCAuthorizationConfig) DeepCopyInto(out *OIDCAuthorizationConfig) {
 		*out = make([]string, len(*in))
 		copy(*out, *in)
 	}
+	if in.AdditionalAuthorizeParameters != nil {
+		in, out := &in.AdditionalAuthorizeParameters, &out.AdditionalAuthorizeParameters
+		*out = make([]Parameter, len(*in))
+		copy(*out, *in)
+	}
 	return
 }
 
@@ -569,6 +574,22 @@ func (in *OIDCIdentityProviderStatus) DeepCopy() *OIDCIdentityProviderStatus {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Parameter) DeepCopyInto(out *Parameter) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Parameter.
+func (in *Parameter) DeepCopy() *Parameter {
+	if in == nil {
+		return nil
+	}
+	out := new(Parameter)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
 	*out = *in

generated/1.19/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml

@@ -57,13 +57,22 @@ spec:
                   OIDC identity provider.
                 properties:
                   additionalScopes:
-                    description: AdditionalScopes are the scopes in addition to "openid"
+                    description: AdditionalScopes are the additional scopes that will
-                      that will be requested as part of the authorization request
+                      be requested from your OIDC provider in the authorization request
-                      flow with an OIDC identity provider. In the case of a Resource
+                      during an OIDC Authorization Code Flow and in the token request
-                      Owner Password Credentials Grant flow, AdditionalScopes are
+                      during a Resource Owner Password Credentials Grant. Note that
-                      the scopes in addition to "openid" that will be requested as
+                      the "openid" scope will always be requested regardless of the
-                      part of the token request (see also the allowPasswordGrant field).
+                      value in this setting, since it is always required according
-                      By default, only the "openid" scope will be requested.
+                      to the OIDC spec. The "offline_access" scope may also be included
+                      according to the value of the DoNotRequestOfflineAccess setting.
+                      Any other scopes required should be included here in the AdditionalScopes
+                      list. For example, you might like to include scopes like "profile",
+                      "email", or "groups" in order to receive the related claims
+                      in the returned ID token or userinfo endpoint results if you
+                      would like to make use of those claims in the OIDCClaims settings
+                      to determine the usernames and group memberships of your Kubernetes
+                      users. See your OIDC provider's documentation for more information
+                      about what scopes are available to request claims.
                     items:
                       type: string
                     type: array
@@ -97,18 +106,98 @@ spec:
                       during Resource Owner Password Credentials Grant logins. AllowPasswordGrant
                       defaults to false.
                     type: boolean
+                  doNotRequestOfflineAccess:
+                    description: DoNotRequestOfflineAccess determines if the "offline_access"
+                      scope will be requested from your OIDC provider in the authorization
+                      request during an OIDC Authorization Code Flow and in the token
+                      request during a Resource Owner Password Credentials Grant in
+                      order to ask to receive a refresh token in the response. Starting
+                      in v0.13.0, the Pinniped Supervisor requires that your OIDC
+                      provider returns refresh tokens to the Supervisor from these
+                      authorization flows. For most OIDC providers, the scope required
+                      to receive refresh tokens will be "offline_access". See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
+                      for a description of the "offline_access" scope. See the documentation
+                      of your OIDC provider's authorization and token endpoints for
+                      its requirements for what to include in the request in order
+                      to receive a refresh token in the response, if anything. By
+                      default, DoNotRequestOfflineAccess is false, which means that
+                      "offline_access" will be sent in the authorization request,
+                      since that is what is suggested by the OIDC specification. Note
+                      that it may be safe to send "offline_access" even to providers
+                      which do not require it, since the provider may ignore scopes
+                      that it does not understand or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3).
+                      In the unusual case that you must avoid sending the "offline_access"
+                      scope, set DoNotRequestOfflineAccess to true. This is required
+                      if your OIDC provider will reject the request when it includes
+                      "offline_access" (e.g. GitLab's OIDC provider). If you need
+                      to send some other scope to request a refresh token, include
+                      the scope name in the additionalScopes setting. Also note that
+                      some OIDC providers may require that the "prompt" param be set
+                      to a specific value for the authorization request during an
+                      OIDC Authorization Code Flow in order to receive a refresh token
+                      in the response. To adjust the prompt param, see the additionalAuthorizeParameters
+                      setting.
+                    type: boolean
+                  extraAuthorizeParameters:
+                    description: AdditionalAuthorizeParameters are extra query parameters
+                      that should be included in the authorize request to your OIDC
+                      provider in the authorization request during an OIDC Authorization
+                      Code Flow. By default, no extra parameters are sent. The standard
+                      parameters that will be sent are "response_type", "scope", "client_id",
+                      "state", "nonce", "code_challenge", "code_challenge_method",
+                      and "redirect_uri". These parameters cannot be included in this
+                      setting. This setting does not influence the parameters sent
+                      to the token endpoint in the Resource Owner Password Credentials
+                      Grant. Starting in v0.13.0, the Pinniped Supervisor requires
+                      that your OIDC provider returns refresh tokens to the Supervisor
+                      from the authorization flows. Some OIDC providers may require
+                      a certain value for the "prompt" parameter in order to properly
+                      request refresh tokens. See the documentation of your OIDC provider's
+                      authorization endpoint for its requirements for what to include
+                      in the request in order to receive a refresh token in the response,
+                      if anything. If your provider requires the prompt parameter
+                      to request a refresh token, then include it here. Also note
+                      that most providers also require a certain scope to be requested
+                      in order to receive refresh tokens. See the doNotRequestOfflineAccess
+                      setting for more information about using scopes to request refresh
+                      tokens.
+                    items:
+                      description: Parameter is a key/value pair which represents
+                        a parameter in an HTTP request.
+                      properties:
+                        name:
+                          description: The name of the parameter. Required.
+                          minLength: 1
+                          type: string
+                        value:
+                          description: The value of the parameter.
+                          type: string
+                      required:
+                      - name
+                      type: object
+                    type: array
+                    x-kubernetes-list-map-keys:
+                    - name
+                    x-kubernetes-list-type: map
                 type: object
               claims:
                 description: Claims provides the names of token claims that will be
                   used when inspecting an identity from this OIDC identity provider.
                 properties:
                   groups:
-                    description: Groups provides the name of the token claim that
+                    description: Groups provides the name of the ID token claim or
-                      will be used to ascertain the groups to which an identity belongs.
+                      userinfo endpoint response claim that will be used to ascertain
+                      the groups to which an identity belongs. By default, the identities
+                      will not include any group memberships when this setting is
+                      not configured.
                     type: string
                   username:
-                    description: Username provides the name of the token claim that
+                    description: Username provides the name of the ID token claim
-                      will be used to ascertain an identity's username.
+                      or userinfo endpoint response claim that will be used to ascertain
+                      an identity's username. When not set, the username will be an
+                      automatically constructed unique string which will include the
+                      issuer URL of your OIDC provider along with the value of the
+                      "sub" (subject) claim from the ID token.
                     type: string
                 type: object
               client:

generated/1.20/README.adoc

@@ -1099,7 +1099,9 @@ OIDCAuthorizationConfig provides information about how to form the OAuth2 author
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`additionalScopes`* __string array__ | AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization request flow with an OIDC identity provider. In the case of a Resource Owner Password Credentials Grant flow, AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the token request (see also the allowPasswordGrant field). By default, only the "openid" scope will be requested.
+| *`doNotRequestOfflineAccess`* __boolean__ | DoNotRequestOfflineAccess determines if the "offline_access" scope will be requested from your OIDC provider in the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials Grant in order to ask to receive a refresh token in the response. Starting in v0.13.0, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from these authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be "offline_access". See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the "offline_access" scope. See the documentation of your OIDC provider's authorization and token endpoints for its requirements for what to include in the request in order to receive a refresh token in the response, if anything. By default, DoNotRequestOfflineAccess is false, which means that "offline_access" will be sent in the authorization request, since that is what is suggested by the OIDC specification. Note that it may be safe to send "offline_access" even to providers which do not require it, since the provider may ignore scopes that it does not understand or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the "offline_access" scope, set DoNotRequestOfflineAccess to true. This is required if your OIDC provider will reject the request when it includes "offline_access" (e.g. GitLab's OIDC provider). If you need to send some other scope to request a refresh token, include the scope name in the additionalScopes setting. Also note that some OIDC providers may require that the "prompt" param be set to a specific value for the authorization request during an OIDC Authorization Code Flow in order to receive a refresh token in the response. To adjust the prompt param, see the additionalAuthorizeParameters setting.
+| *`additionalScopes`* __string array__ | AdditionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is always required according to the OIDC spec. The "offline_access" scope may also be included according to the value of the DoNotRequestOfflineAccess setting. Any other scopes required should be included here in the AdditionalScopes list. For example, you might like to include scopes like "profile", "email", or "groups" in order to receive the related claims in the returned ID token or userinfo endpoint results if you would like to make use of those claims in the OIDCClaims settings to determine the usernames and group memberships of your Kubernetes users. See your OIDC provider's documentation for more information about what scopes are available to request claims.
+| *`extraAuthorizeParameters`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-parameter[$$Parameter$$] array__ | AdditionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id", "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be included in this setting. This setting does not influence the parameters sent to the token endpoint in the Resource Owner Password Credentials Grant. Starting in v0.13.0, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from the authorization flows. Some OIDC providers may require a certain value for the "prompt" parameter in order to properly request refresh tokens. See the documentation of your OIDC provider's authorization endpoint for its requirements for what to include in the request in order to receive a refresh token in the response, if anything. If your provider requires the prompt parameter to request a refresh token, then include it here. Also note that most providers also require a certain scope to be requested in order to receive refresh tokens. See the doNotRequestOfflineAccess setting for more information about using scopes to request refresh tokens.
 | *`allowPasswordGrant`* __boolean__ | AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be convenient for users, especially for identities from your OIDC provider which are not intended to represent a human actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it, you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins. AllowPasswordGrant defaults to false.
 |===
 
@@ -1117,8 +1119,8 @@ OIDCClaims provides a mapping from upstream claims into identities.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`groups`* __string__ | Groups provides the name of the token claim that will be used to ascertain the groups to which an identity belongs.
+| *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
-| *`username`* __string__ | Username provides the name of the token claim that will be used to ascertain an identity's username.
+| *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
 |===
 
 
@@ -1164,7 +1166,7 @@ OIDCIdentityProvider describes the configuration of an upstream OpenID Connect i
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec"]
 ==== OIDCIdentityProviderSpec 
 
-Spec for configuring an OIDC identity provider.
+OIDCIdentityProviderSpec is the spec for configuring an OIDC identity provider.
 
 .Appears In:
 ****
@@ -1185,7 +1187,7 @@ Spec for configuring an OIDC identity provider.
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-oidcidentityproviderstatus"]
 ==== OIDCIdentityProviderStatus 
 
-Status of an OIDC identity provider.
+OIDCIdentityProviderStatus is the status of an OIDC identity provider.
 
 .Appears In:
 ****
@@ -1200,6 +1202,24 @@ Status of an OIDC identity provider.
 |===
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-parameter"]
+==== Parameter 
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-oidcauthorizationconfig[$$OIDCAuthorizationConfig$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`name`* __string__ | The name of the parameter. Required.
+| *`value`* __string__ | The value of the parameter.
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-tlsspec"]
 ==== TLSSpec 
 

generated/1.20/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go

@@ -20,7 +20,7 @@ const (
 	PhaseError OIDCIdentityProviderPhase = "Error"
 )
 
-// Status of an OIDC identity provider.
+// OIDCIdentityProviderStatus is the status of an OIDC identity provider.
 type OIDCIdentityProviderStatus struct {
 	// Phase summarizes the overall status of the OIDCIdentityProvider.
 	// +kubebuilder:default=Pending
@@ -38,14 +38,59 @@ type OIDCIdentityProviderStatus struct {
 // OIDCAuthorizationConfig provides information about how to form the OAuth2 authorization
 // request parameters.
 type OIDCAuthorizationConfig struct {
-	// AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization
+	// DoNotRequestOfflineAccess determines if the "offline_access" scope will be requested from your OIDC provider in
-	// request flow with an OIDC identity provider.
+	// the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner
-	// In the case of a Resource Owner Password Credentials Grant flow, AdditionalScopes are the scopes
+	// Password Credentials Grant in order to ask to receive a refresh token in the response. Starting in v0.13.0, the
-	// in addition to "openid" that will be requested as part of the token request (see also the allowPasswordGrant field).
+	// Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from these
-	// By default, only the "openid" scope will be requested.
+	// authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be "offline_access".
+	// See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the "offline_access"
+	// scope. See the documentation of your OIDC provider's authorization and token endpoints for its requirements for what
+	// to include in the request in order to receive a refresh token in the response, if anything. By default,
+	// DoNotRequestOfflineAccess is false, which means that "offline_access" will be sent in the authorization request,
+	// since that is what is suggested by the OIDC specification. Note that it may be safe to send "offline_access" even to
+	// providers which do not require it, since the provider may ignore scopes that it does not understand or require (see
+	// https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the
+	// "offline_access" scope, set DoNotRequestOfflineAccess to true. This is required if your OIDC provider will reject
+	// the request when it includes "offline_access" (e.g. GitLab's OIDC provider). If you need to send some other scope
+	// to request a refresh token, include the scope name in the additionalScopes setting. Also note that some OIDC
+	// providers may require that the "prompt" param be set to a specific value for the authorization request during an
+	// OIDC Authorization Code Flow in order to receive a refresh token in the response. To adjust the prompt param, see
+	// the additionalAuthorizeParameters setting.
+	// +optional
+	DoNotRequestOfflineAccess bool `json:"doNotRequestOfflineAccess,omitempty"`
+
+	// AdditionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization
+	// request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials
+	// Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is
+	// always required according to the OIDC spec. The "offline_access" scope may also be included according to the value
+	// of the DoNotRequestOfflineAccess setting. Any other scopes required should be included here in the AdditionalScopes
+	// list. For example, you might like to include scopes like "profile", "email", or "groups" in order to receive the
+	// related claims in the returned ID token or userinfo endpoint results if you would like to make use of those
+	// claims in the OIDCClaims settings to determine the usernames and group memberships of your Kubernetes users. See
+	// your OIDC provider's documentation for more information about what scopes are available to request claims.
 	// +optional
 	AdditionalScopes []string `json:"additionalScopes,omitempty"`
 
+	// AdditionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your
+	// OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra
+	// parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id",
+	// "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be
+	// included in this setting. This setting does not influence the parameters sent to the token endpoint in the
+	// Resource Owner Password Credentials Grant. Starting in v0.13.0, the Pinniped Supervisor requires that your OIDC
+	// provider returns refresh tokens to the Supervisor from the authorization flows. Some OIDC providers may require
+	// a certain value for the "prompt" parameter in order to properly request refresh tokens. See the documentation of
+	// your OIDC provider's authorization endpoint for its requirements for what to include in the request in
+	// order to receive a refresh token in the response, if anything. If your provider requires the prompt parameter to
+	// request a refresh token, then include it here. Also note that most providers also require a certain scope to be
+	// requested in order to receive refresh tokens. See the doNotRequestOfflineAccess setting for more information about
+	// using scopes to request refresh tokens.
+	// +optional
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=name
+	AdditionalAuthorizeParameters []Parameter `json:"extraAuthorizeParameters,omitempty"`
+
 	// AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant
 	// (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a
 	// username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow.
@@ -66,15 +111,29 @@ type OIDCAuthorizationConfig struct {
 	AllowPasswordGrant bool `json:"allowPasswordGrant,omitempty"`
 }
 
+// Parameter is a key/value pair which represents a parameter in an HTTP request.
+type Parameter struct {
+	// The name of the parameter. Required.
+	// +kubebuilder:validation:MinLength=1
+	Name string `json:"name"`
+
+	// The value of the parameter.
+	// +optional
+	Value string `json:"value,omitempty"`
+}
+
 // OIDCClaims provides a mapping from upstream claims into identities.
 type OIDCClaims struct {
-	// Groups provides the name of the token claim that will be used to ascertain the groups to which
+	// Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain
-	// an identity belongs.
+	// the groups to which an identity belongs. By default, the identities will not include any group memberships when
+	// this setting is not configured.
 	// +optional
 	Groups string `json:"groups"`
 
-	// Username provides the name of the token claim that will be used to ascertain an identity's
+	// Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to
-	// username.
+	// ascertain an identity's username. When not set, the username will be an automatically constructed unique string
+	// which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from
+	// the ID token.
 	// +optional
 	Username string `json:"username"`
 }
@@ -89,7 +148,7 @@ type OIDCClient struct {
 	SecretName string `json:"secretName"`
 }
 
-// Spec for configuring an OIDC identity provider.
+// OIDCIdentityProviderSpec is the spec for configuring an OIDC identity provider.
 type OIDCIdentityProviderSpec struct {
 	// Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch
 	// /.well-known/openid-configuration.
@@ -135,7 +194,7 @@ type OIDCIdentityProvider struct {
 	Status OIDCIdentityProviderStatus `json:"status,omitempty"`
 }
 
-// List of OIDCIdentityProvider objects.
+// OIDCIdentityProviderList lists OIDCIdentityProvider objects.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 type OIDCIdentityProviderList struct {
 	metav1.TypeMeta `json:",inline"`

generated/1.20/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go

@@ -416,6 +416,11 @@ func (in *OIDCAuthorizationConfig) DeepCopyInto(out *OIDCAuthorizationConfig) {
 		*out = make([]string, len(*in))
 		copy(*out, *in)
 	}
+	if in.AdditionalAuthorizeParameters != nil {
+		in, out := &in.AdditionalAuthorizeParameters, &out.AdditionalAuthorizeParameters
+		*out = make([]Parameter, len(*in))
+		copy(*out, *in)
+	}
 	return
 }
 
@@ -569,6 +574,22 @@ func (in *OIDCIdentityProviderStatus) DeepCopy() *OIDCIdentityProviderStatus {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Parameter) DeepCopyInto(out *Parameter) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Parameter.
+func (in *Parameter) DeepCopy() *Parameter {
+	if in == nil {
+		return nil
+	}
+	out := new(Parameter)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
 	*out = *in

generated/1.20/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml

@@ -57,13 +57,22 @@ spec:
                   OIDC identity provider.
                 properties:
                   additionalScopes:
-                    description: AdditionalScopes are the scopes in addition to "openid"
+                    description: AdditionalScopes are the additional scopes that will
-                      that will be requested as part of the authorization request
+                      be requested from your OIDC provider in the authorization request
-                      flow with an OIDC identity provider. In the case of a Resource
+                      during an OIDC Authorization Code Flow and in the token request
-                      Owner Password Credentials Grant flow, AdditionalScopes are
+                      during a Resource Owner Password Credentials Grant. Note that
-                      the scopes in addition to "openid" that will be requested as
+                      the "openid" scope will always be requested regardless of the
-                      part of the token request (see also the allowPasswordGrant field).
+                      value in this setting, since it is always required according
-                      By default, only the "openid" scope will be requested.
+                      to the OIDC spec. The "offline_access" scope may also be included
+                      according to the value of the DoNotRequestOfflineAccess setting.
+                      Any other scopes required should be included here in the AdditionalScopes
+                      list. For example, you might like to include scopes like "profile",
+                      "email", or "groups" in order to receive the related claims
+                      in the returned ID token or userinfo endpoint results if you
+                      would like to make use of those claims in the OIDCClaims settings
+                      to determine the usernames and group memberships of your Kubernetes
+                      users. See your OIDC provider's documentation for more information
+                      about what scopes are available to request claims.
                     items:
                       type: string
                     type: array
@@ -97,18 +106,98 @@ spec:
                       during Resource Owner Password Credentials Grant logins. AllowPasswordGrant
                       defaults to false.
                     type: boolean
+                  doNotRequestOfflineAccess:
+                    description: DoNotRequestOfflineAccess determines if the "offline_access"
+                      scope will be requested from your OIDC provider in the authorization
+                      request during an OIDC Authorization Code Flow and in the token
+                      request during a Resource Owner Password Credentials Grant in
+                      order to ask to receive a refresh token in the response. Starting
+                      in v0.13.0, the Pinniped Supervisor requires that your OIDC
+                      provider returns refresh tokens to the Supervisor from these
+                      authorization flows. For most OIDC providers, the scope required
+                      to receive refresh tokens will be "offline_access". See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
+                      for a description of the "offline_access" scope. See the documentation
+                      of your OIDC provider's authorization and token endpoints for
+                      its requirements for what to include in the request in order
+                      to receive a refresh token in the response, if anything. By
+                      default, DoNotRequestOfflineAccess is false, which means that
+                      "offline_access" will be sent in the authorization request,
+                      since that is what is suggested by the OIDC specification. Note
+                      that it may be safe to send "offline_access" even to providers
+                      which do not require it, since the provider may ignore scopes
+                      that it does not understand or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3).
+                      In the unusual case that you must avoid sending the "offline_access"
+                      scope, set DoNotRequestOfflineAccess to true. This is required
+                      if your OIDC provider will reject the request when it includes
+                      "offline_access" (e.g. GitLab's OIDC provider). If you need
+                      to send some other scope to request a refresh token, include
+                      the scope name in the additionalScopes setting. Also note that
+                      some OIDC providers may require that the "prompt" param be set
+                      to a specific value for the authorization request during an
+                      OIDC Authorization Code Flow in order to receive a refresh token
+                      in the response. To adjust the prompt param, see the additionalAuthorizeParameters
+                      setting.
+                    type: boolean
+                  extraAuthorizeParameters:
+                    description: AdditionalAuthorizeParameters are extra query parameters
+                      that should be included in the authorize request to your OIDC
+                      provider in the authorization request during an OIDC Authorization
+                      Code Flow. By default, no extra parameters are sent. The standard
+                      parameters that will be sent are "response_type", "scope", "client_id",
+                      "state", "nonce", "code_challenge", "code_challenge_method",
+                      and "redirect_uri". These parameters cannot be included in this
+                      setting. This setting does not influence the parameters sent
+                      to the token endpoint in the Resource Owner Password Credentials
+                      Grant. Starting in v0.13.0, the Pinniped Supervisor requires
+                      that your OIDC provider returns refresh tokens to the Supervisor
+                      from the authorization flows. Some OIDC providers may require
+                      a certain value for the "prompt" parameter in order to properly
+                      request refresh tokens. See the documentation of your OIDC provider's
+                      authorization endpoint for its requirements for what to include
+                      in the request in order to receive a refresh token in the response,
+                      if anything. If your provider requires the prompt parameter
+                      to request a refresh token, then include it here. Also note
+                      that most providers also require a certain scope to be requested
+                      in order to receive refresh tokens. See the doNotRequestOfflineAccess
+                      setting for more information about using scopes to request refresh
+                      tokens.
+                    items:
+                      description: Parameter is a key/value pair which represents
+                        a parameter in an HTTP request.
+                      properties:
+                        name:
+                          description: The name of the parameter. Required.
+                          minLength: 1
+                          type: string
+                        value:
+                          description: The value of the parameter.
+                          type: string
+                      required:
+                      - name
+                      type: object
+                    type: array
+                    x-kubernetes-list-map-keys:
+                    - name
+                    x-kubernetes-list-type: map
                 type: object
               claims:
                 description: Claims provides the names of token claims that will be
                   used when inspecting an identity from this OIDC identity provider.
                 properties:
                   groups:
-                    description: Groups provides the name of the token claim that
+                    description: Groups provides the name of the ID token claim or
-                      will be used to ascertain the groups to which an identity belongs.
+                      userinfo endpoint response claim that will be used to ascertain
+                      the groups to which an identity belongs. By default, the identities
+                      will not include any group memberships when this setting is
+                      not configured.
                     type: string
                   username:
-                    description: Username provides the name of the token claim that
+                    description: Username provides the name of the ID token claim
-                      will be used to ascertain an identity's username.
+                      or userinfo endpoint response claim that will be used to ascertain
+                      an identity's username. When not set, the username will be an
+                      automatically constructed unique string which will include the
+                      issuer URL of your OIDC provider along with the value of the
+                      "sub" (subject) claim from the ID token.
                     type: string
                 type: object
               client:

generated/latest/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go

@@ -20,7 +20,7 @@ const (
 	PhaseError OIDCIdentityProviderPhase = "Error"
 )
 
-// Status of an OIDC identity provider.
+// OIDCIdentityProviderStatus is the status of an OIDC identity provider.
 type OIDCIdentityProviderStatus struct {
 	// Phase summarizes the overall status of the OIDCIdentityProvider.
 	// +kubebuilder:default=Pending
@@ -38,14 +38,59 @@ type OIDCIdentityProviderStatus struct {
 // OIDCAuthorizationConfig provides information about how to form the OAuth2 authorization
 // request parameters.
 type OIDCAuthorizationConfig struct {
-	// AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization
+	// DoNotRequestOfflineAccess determines if the "offline_access" scope will be requested from your OIDC provider in
-	// request flow with an OIDC identity provider.
+	// the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner
-	// In the case of a Resource Owner Password Credentials Grant flow, AdditionalScopes are the scopes
+	// Password Credentials Grant in order to ask to receive a refresh token in the response. Starting in v0.13.0, the
-	// in addition to "openid" that will be requested as part of the token request (see also the allowPasswordGrant field).
+	// Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from these
-	// By default, only the "openid" scope will be requested.
+	// authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be "offline_access".
+	// See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the "offline_access"
+	// scope. See the documentation of your OIDC provider's authorization and token endpoints for its requirements for what
+	// to include in the request in order to receive a refresh token in the response, if anything. By default,
+	// DoNotRequestOfflineAccess is false, which means that "offline_access" will be sent in the authorization request,
+	// since that is what is suggested by the OIDC specification. Note that it may be safe to send "offline_access" even to
+	// providers which do not require it, since the provider may ignore scopes that it does not understand or require (see
+	// https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the
+	// "offline_access" scope, set DoNotRequestOfflineAccess to true. This is required if your OIDC provider will reject
+	// the request when it includes "offline_access" (e.g. GitLab's OIDC provider). If you need to send some other scope
+	// to request a refresh token, include the scope name in the additionalScopes setting. Also note that some OIDC
+	// providers may require that the "prompt" param be set to a specific value for the authorization request during an
+	// OIDC Authorization Code Flow in order to receive a refresh token in the response. To adjust the prompt param, see
+	// the additionalAuthorizeParameters setting.
+	// +optional
+	DoNotRequestOfflineAccess bool `json:"doNotRequestOfflineAccess,omitempty"`
+
+	// AdditionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization
+	// request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials
+	// Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is
+	// always required according to the OIDC spec. The "offline_access" scope may also be included according to the value
+	// of the DoNotRequestOfflineAccess setting. Any other scopes required should be included here in the AdditionalScopes
+	// list. For example, you might like to include scopes like "profile", "email", or "groups" in order to receive the
+	// related claims in the returned ID token or userinfo endpoint results if you would like to make use of those
+	// claims in the OIDCClaims settings to determine the usernames and group memberships of your Kubernetes users. See
+	// your OIDC provider's documentation for more information about what scopes are available to request claims.
 	// +optional
 	AdditionalScopes []string `json:"additionalScopes,omitempty"`
 
+	// AdditionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your
+	// OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra
+	// parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id",
+	// "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be
+	// included in this setting. This setting does not influence the parameters sent to the token endpoint in the
+	// Resource Owner Password Credentials Grant. Starting in v0.13.0, the Pinniped Supervisor requires that your OIDC
+	// provider returns refresh tokens to the Supervisor from the authorization flows. Some OIDC providers may require
+	// a certain value for the "prompt" parameter in order to properly request refresh tokens. See the documentation of
+	// your OIDC provider's authorization endpoint for its requirements for what to include in the request in
+	// order to receive a refresh token in the response, if anything. If your provider requires the prompt parameter to
+	// request a refresh token, then include it here. Also note that most providers also require a certain scope to be
+	// requested in order to receive refresh tokens. See the doNotRequestOfflineAccess setting for more information about
+	// using scopes to request refresh tokens.
+	// +optional
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=name
+	AdditionalAuthorizeParameters []Parameter `json:"extraAuthorizeParameters,omitempty"`
+
 	// AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant
 	// (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a
 	// username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow.
@@ -66,15 +111,29 @@ type OIDCAuthorizationConfig struct {
 	AllowPasswordGrant bool `json:"allowPasswordGrant,omitempty"`
 }
 
+// Parameter is a key/value pair which represents a parameter in an HTTP request.
+type Parameter struct {
+	// The name of the parameter. Required.
+	// +kubebuilder:validation:MinLength=1
+	Name string `json:"name"`
+
+	// The value of the parameter.
+	// +optional
+	Value string `json:"value,omitempty"`
+}
+
 // OIDCClaims provides a mapping from upstream claims into identities.
 type OIDCClaims struct {
-	// Groups provides the name of the token claim that will be used to ascertain the groups to which
+	// Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain
-	// an identity belongs.
+	// the groups to which an identity belongs. By default, the identities will not include any group memberships when
+	// this setting is not configured.
 	// +optional
 	Groups string `json:"groups"`
 
-	// Username provides the name of the token claim that will be used to ascertain an identity's
+	// Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to
-	// username.
+	// ascertain an identity's username. When not set, the username will be an automatically constructed unique string
+	// which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from
+	// the ID token.
 	// +optional
 	Username string `json:"username"`
 }
@@ -89,7 +148,7 @@ type OIDCClient struct {
 	SecretName string `json:"secretName"`
 }
 
-// Spec for configuring an OIDC identity provider.
+// OIDCIdentityProviderSpec is the spec for configuring an OIDC identity provider.
 type OIDCIdentityProviderSpec struct {
 	// Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch
 	// /.well-known/openid-configuration.
@@ -135,7 +194,7 @@ type OIDCIdentityProvider struct {
 	Status OIDCIdentityProviderStatus `json:"status,omitempty"`
 }
 
-// List of OIDCIdentityProvider objects.
+// OIDCIdentityProviderList lists OIDCIdentityProvider objects.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 type OIDCIdentityProviderList struct {
 	metav1.TypeMeta `json:",inline"`

generated/latest/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go

@@ -416,6 +416,11 @@ func (in *OIDCAuthorizationConfig) DeepCopyInto(out *OIDCAuthorizationConfig) {
 		*out = make([]string, len(*in))
 		copy(*out, *in)
 	}
+	if in.AdditionalAuthorizeParameters != nil {
+		in, out := &in.AdditionalAuthorizeParameters, &out.AdditionalAuthorizeParameters
+		*out = make([]Parameter, len(*in))
+		copy(*out, *in)
+	}
 	return
 }
 
@@ -569,6 +574,22 @@ func (in *OIDCIdentityProviderStatus) DeepCopy() *OIDCIdentityProviderStatus {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Parameter) DeepCopyInto(out *Parameter) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Parameter.
+func (in *Parameter) DeepCopy() *Parameter {
+	if in == nil {
+		return nil
+	}
+	out := new(Parameter)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
 	*out = *in

go.mod

@@ -17,7 +17,9 @@ require (
 	github.com/google/uuid v1.1.2
 	github.com/gorilla/securecookie v1.1.1
 	github.com/gorilla/websocket v1.4.2
+	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826
 	github.com/ory/fosite v0.40.2
+	github.com/ory/x v0.0.212
 	github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4
 	github.com/pkg/errors v0.9.1
 	github.com/sclevine/agouti v3.0.0+incompatible
@@ -96,12 +98,10 @@ require (
 	github.com/moby/spdystream v0.2.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.1 // indirect
-	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/ory/go-acc v0.2.6 // indirect
 	github.com/ory/go-convenience v0.1.0 // indirect
 	github.com/ory/viper v1.7.5 // indirect
-	github.com/ory/x v0.0.212 // indirect
 	github.com/pborman/uuid v1.2.0 // indirect
 	github.com/pelletier/go-toml v1.9.3 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect

internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher.go

@@ -53,15 +53,35 @@ const (
 
 	// Constants related to conditions.
 	typeClientCredentialsValid             = "ClientCredentialsValid"
+	typeAdditionalAuthorizeParametersValid = "AdditionalAuthorizeParametersValid"
 	typeOIDCDiscoverySucceeded             = "OIDCDiscoverySucceeded"
 
 	reasonUnreachable             = "Unreachable"
 	reasonInvalidResponse         = "InvalidResponse"
+	reasonDisallowedParameterName = "DisallowedParameterName"
 
 	// Errors that are generated by our reconcile process.
 	errOIDCFailureStatus = constable.Error("OIDCIdentityProvider has a failing condition")
 )
 
+var (
+	// Reject these AdditionalAuthorizeParameters to avoid allowing the user's config to overwrite the parameters
+	// that are always used by Pinniped in authcode authorization requests. The OIDC library used would otherwise
+	// happily treat the user's config as an override. Users can already set the "client_id" and "scope" params
+	// using other settings, and the others never make sense to override. This map should be treated as read-only
+	// since it is a global variable.
+	disallowedAdditionalAuthorizeParameters = map[string]bool{ //nolint: gochecknoglobals
+		"response_type":         true,
+		"scope":                 true,
+		"client_id":             true,
+		"state":                 true,
+		"nonce":                 true,
+		"code_challenge":        true,
+		"code_challenge_method": true,
+		"redirect_uri":          true,
+	}
+)
+
 // UpstreamOIDCIdentityProviderICache is a thread safe cache that holds a list of validated upstream OIDC IDP configurations.
 type UpstreamOIDCIdentityProviderICache interface {
 	SetOIDCIdentityProviders([]provider.UpstreamOIDCIdentityProviderI)
@@ -167,21 +187,45 @@ func (c *oidcWatcherController) Sync(ctx controllerlib.Context) error {
 // validateUpstream validates the provided v1alpha1.OIDCIdentityProvider and returns the validated configuration as a
 // provider.UpstreamOIDCIdentityProvider. As a side effect, it also updates the status of the v1alpha1.OIDCIdentityProvider.
 func (c *oidcWatcherController) validateUpstream(ctx controllerlib.Context, upstream *v1alpha1.OIDCIdentityProvider) *upstreamoidc.ProviderConfig {
+	authorizationConfig := upstream.Spec.AuthorizationConfig
+
+	additionalAuthcodeAuthorizeParameters := map[string]string{}
+	var rejectedAuthcodeAuthorizeParameters []string
+	for _, p := range authorizationConfig.AdditionalAuthorizeParameters {
+		if disallowedAdditionalAuthorizeParameters[p.Name] {
+			rejectedAuthcodeAuthorizeParameters = append(rejectedAuthcodeAuthorizeParameters, p.Name)
+		} else {
+			additionalAuthcodeAuthorizeParameters[p.Name] = p.Value
+		}
+	}
+
 	result := upstreamoidc.ProviderConfig{
 		Name: upstream.Name,
 		Config: &oauth2.Config{
-			Scopes: computeScopes(upstream.Spec.AuthorizationConfig.AdditionalScopes),
+			Scopes: computeScopes(authorizationConfig.AdditionalScopes, !authorizationConfig.DoNotRequestOfflineAccess),
 		},
 		UsernameClaim:            upstream.Spec.Claims.Username,
 		GroupsClaim:              upstream.Spec.Claims.Groups,
-		AllowPasswordGrant:       upstream.Spec.AuthorizationConfig.AllowPasswordGrant,
+		AllowPasswordGrant:       authorizationConfig.AllowPasswordGrant,
-		AdditionalAuthcodeParams: map[string]string{"prompt": "consent"},
+		AdditionalAuthcodeParams: additionalAuthcodeAuthorizeParameters,
 		ResourceUID:              upstream.UID,
 	}
+
 	conditions := []*v1alpha1.Condition{
 		c.validateSecret(upstream, &result),
 		c.validateIssuer(ctx.Context, upstream, &result),
 	}
+	if len(rejectedAuthcodeAuthorizeParameters) > 0 {
+		// This condition probably isn't important enough to report when it is successful, so just report errors.
+		conditions = append(conditions, &v1alpha1.Condition{
+			Type:   typeAdditionalAuthorizeParametersValid,
+			Status: v1alpha1.ConditionFalse,
+			Reason: reasonDisallowedParameterName,
+			Message: fmt.Sprintf("the following additionalAuthorizeParameters are not allowed: %s",
+				strings.Join(rejectedAuthcodeAuthorizeParameters, ",")),
+		})
+	}
+
 	c.updateStatus(ctx.Context, upstream, conditions)
 
 	valid := true
@@ -372,11 +416,13 @@ func getTLSConfig(upstream *v1alpha1.OIDCIdentityProvider) (*tls.Config, error)
 	return &result, nil
 }
 
-func computeScopes(additionalScopes []string) []string {
+func computeScopes(additionalScopes []string, includeOfflineAccess bool) []string {
 	// First compute the unique set of scopes, including "openid" (de-duplicate).
 	set := make(map[string]bool, len(additionalScopes)+1)
 	set["openid"] = true
+	if includeOfflineAccess {
 		set["offline_access"] = true
+	}
 	for _, s := range additionalScopes {
 		set[s] = true
 	}

internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher_test.go

@@ -124,8 +124,9 @@ func TestOIDCUpstreamWatcherControllerSync(t *testing.T) {
 		testName                     = "test-name"
 		testSecretName               = "test-client-secret"
 		testAdditionalScopes         = []string{"scope1", "scope2", "scope3"}
-		testExpectedScopes           = []string{"offline_access", "openid", "scope1", "scope2", "scope3"}
+		testExpectedScopes           = []string{"openid", "scope1", "scope2", "scope3"}
-		testExpectedAdditionalParams = map[string]string{"prompt": "consent"}
+		testAdditionalParams         = []v1alpha1.Parameter{{Name: "prompt", Value: "consent"}, {Name: "foo", Value: "bar"}}
+		testExpectedAdditionalParams = map[string]string{"prompt": "consent", "foo": "bar"}
 		testClientID                 = "test-oidc-client-id"
 		testClientSecret             = "test-oidc-client-secret"
 		testValidSecretData          = map[string][]byte{"clientID": []byte(testClientID), "clientSecret": []byte(testClientSecret)}
@@ -153,7 +154,6 @@ func TestOIDCUpstreamWatcherControllerSync(t *testing.T) {
 					Issuer: testIssuerURL,
 					TLS:    &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64},
 					Client: v1alpha1.OIDCClient{SecretName: testSecretName},
-					AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: testAdditionalScopes},
 				},
 			}},
 			inputSecrets: []runtime.Object{},
@@ -195,7 +195,6 @@ func TestOIDCUpstreamWatcherControllerSync(t *testing.T) {
 					Issuer: testIssuerURL,
 					TLS:    &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64},
 					Client: v1alpha1.OIDCClient{SecretName: testSecretName},
-					AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: testAdditionalScopes},
 				},
 			}},
 			inputSecrets: []runtime.Object{&corev1.Secret{
@@ -241,7 +240,6 @@ func TestOIDCUpstreamWatcherControllerSync(t *testing.T) {
 					Issuer: testIssuerURL,
 					TLS:    &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64},
 					Client: v1alpha1.OIDCClient{SecretName: testSecretName},
-					AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: testAdditionalScopes},
 				},
 			}},
 			inputSecrets: []runtime.Object{&corev1.Secret{
@@ -288,7 +286,6 @@ func TestOIDCUpstreamWatcherControllerSync(t *testing.T) {
 						CertificateAuthorityData: "invalid-base64",
 					},
 					Client: v1alpha1.OIDCClient{SecretName: testSecretName},
-					AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: append(testAdditionalScopes, "xyz", "openid")},
 				},
 			}},
 			inputSecrets: []runtime.Object{&corev1.Secret{
@@ -336,7 +333,6 @@ func TestOIDCUpstreamWatcherControllerSync(t *testing.T) {
 						CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte("not-a-pem-ca-bundle")),
 					},
 					Client: v1alpha1.OIDCClient{SecretName: testSecretName},
-					AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: append(testAdditionalScopes, "xyz", "openid")},
 				},
 			}},
 			inputSecrets: []runtime.Object{&corev1.Secret{
@@ -381,7 +377,6 @@ func TestOIDCUpstreamWatcherControllerSync(t *testing.T) {
 				Spec: v1alpha1.OIDCIdentityProviderSpec{
 					Issuer: "invalid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee",
 					Client: v1alpha1.OIDCClient{SecretName: testSecretName},
-					AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: testAdditionalScopes},
 				},
 			}},
 			inputSecrets: []runtime.Object{&corev1.Secret{
@@ -429,7 +424,6 @@ Get "invalid-url-that-is-really-really-long-nanananananananannanananan-batman-na
 					Issuer: testIssuerURL + "/valid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee",
 					TLS:    &v1alpha1.TLSSpec{CertificateAuthorityData: wrongCABase64},
 					Client: v1alpha1.OIDCClient{SecretName: testSecretName},
-					AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: testAdditionalScopes},
 				},
 			}},
 			inputSecrets: []runtime.Object{&corev1.Secret{
@@ -477,7 +471,6 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana
 					Issuer: testIssuerURL + "/invalid",
 					TLS:    &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64},
 					Client: v1alpha1.OIDCClient{SecretName: testSecretName},
-					AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: testAdditionalScopes},
 				},
 			}},
 			inputSecrets: []runtime.Object{&corev1.Secret{
@@ -523,7 +516,6 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana
 					Issuer: testIssuerURL + "/insecure",
 					TLS:    &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64},
 					Client: v1alpha1.OIDCClient{SecretName: testSecretName},
-					AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: testAdditionalScopes},
 				},
 			}},
 			inputSecrets: []runtime.Object{&corev1.Secret{
@@ -570,7 +562,7 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana
 					TLS:    &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64},
 					Client: v1alpha1.OIDCClient{SecretName: testSecretName},
 					AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{
-						AdditionalScopes:   append(testAdditionalScopes, "xyz", "openid", "offline_access"),
+						AdditionalScopes:   append(testAdditionalScopes, "xyz", "openid", "offline_access"), // adds openid and offline_access unnecessarily
 						AllowPasswordGrant: true,
 					},
 					Claims: v1alpha1.OIDCClaims{Groups: testGroupsClaim, Username: testUsernameClaim},
@@ -597,11 +589,11 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana
 					Name:                     testName,
 					ClientID:                 testClientID,
 					AuthorizationURL:         *testIssuerAuthorizeURL,
-					Scopes:                   append(testExpectedScopes, "xyz"),
+					Scopes:                   append(testExpectedScopes, "offline_access", "xyz"), // includes offline_access only once
 					UsernameClaim:            testUsernameClaim,
 					GroupsClaim:              testGroupsClaim,
 					AllowPasswordGrant:       true,
-					AdditionalAuthcodeParams: testExpectedAdditionalParams,
+					AdditionalAuthcodeParams: map[string]string{},
 					ResourceUID:              testUID,
 				},
 			},
@@ -624,9 +616,65 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana
 					Issuer: testIssuerURL,
 					TLS:    &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64},
 					Client: v1alpha1.OIDCClient{SecretName: testSecretName},
+					Claims: v1alpha1.OIDCClaims{Groups: testGroupsClaim, Username: testUsernameClaim},
 					AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{
-						AdditionalScopes:   testAdditionalScopes,
+						AdditionalScopes: testAdditionalScopes, // does not include offline_access
+					},
+				},
+				Status: v1alpha1.OIDCIdentityProviderStatus{
+					Phase: "Ready",
+					Conditions: []v1alpha1.Condition{
+						{Type: "ClientCredentialsValid", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "loaded client credentials"},
+						{Type: "OIDCDiscoverySucceeded", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "discovered issuer configuration"},
+					},
+				},
+			}},
+			inputSecrets: []runtime.Object{&corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testSecretName},
+				Type:       "secrets.pinniped.dev/oidc-client",
+				Data:       testValidSecretData,
+			}},
+			wantLogs: []string{
+				`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid"`,
+				`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="discovered issuer configuration" "reason"="Success" "status"="True" "type"="OIDCDiscoverySucceeded"`,
+			},
+			wantResultingCache: []provider.UpstreamOIDCIdentityProviderI{
+				&oidctestutil.TestUpstreamOIDCIdentityProvider{
+					Name:                     testName,
+					ClientID:                 testClientID,
+					AuthorizationURL:         *testIssuerAuthorizeURL,
+					Scopes:                   append(testExpectedScopes, "offline_access"), // gets offline_access by default
+					UsernameClaim:            testUsernameClaim,
+					GroupsClaim:              testGroupsClaim,
 					AllowPasswordGrant:       false,
+					AdditionalAuthcodeParams: map[string]string{},
+					ResourceUID:              testUID,
+				},
+			},
+			wantResultingUpstreams: []v1alpha1.OIDCIdentityProvider{{
+				ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
+				Status: v1alpha1.OIDCIdentityProviderStatus{
+					Phase: "Ready",
+					Conditions: []v1alpha1.Condition{
+						{Type: "ClientCredentialsValid", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "loaded client credentials", ObservedGeneration: 1234},
+						{Type: "OIDCDiscoverySucceeded", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "discovered issuer configuration", ObservedGeneration: 1234},
+					},
+				},
+			}},
+		},
+		{
+			name: "existing valid upstream with trailing slash and more optional settings",
+			inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{
+				ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
+				Spec: v1alpha1.OIDCIdentityProviderSpec{
+					Issuer: testIssuerURL + "/ends-with-slash/",
+					TLS:    &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64},
+					Client: v1alpha1.OIDCClient{SecretName: testSecretName},
+					AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{
+						DoNotRequestOfflineAccess:     true,
+						AdditionalScopes:              testAdditionalScopes,
+						AdditionalAuthorizeParameters: testAdditionalParams,
+						AllowPasswordGrant:            true,
 					},
 					Claims: v1alpha1.OIDCClaims{Groups: testGroupsClaim, Username: testUsernameClaim},
 				},
@@ -652,10 +700,10 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana
 					Name:                     testName,
 					ClientID:                 testClientID,
 					AuthorizationURL:         *testIssuerAuthorizeURL,
-					Scopes:                   testExpectedScopes,
+					Scopes:                   testExpectedScopes, // does not include offline_access
 					UsernameClaim:            testUsernameClaim,
 					GroupsClaim:              testGroupsClaim,
-					AllowPasswordGrant:       false,
+					AllowPasswordGrant:       true,
 					AdditionalAuthcodeParams: testExpectedAdditionalParams,
 					ResourceUID:              testUID,
 				},
@@ -672,21 +720,25 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana
 			}},
 		},
 		{
-			name: "existing valid upstream with trailing slash",
+			name: "has disallowed additionalAuthorizeParams keys",
 			inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{
 				ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
 				Spec: v1alpha1.OIDCIdentityProviderSpec{
-					Issuer:              testIssuerURL + "/ends-with-slash/",
+					Issuer: testIssuerURL,
 					TLS:    &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64},
 					Client: v1alpha1.OIDCClient{SecretName: testSecretName},
-					AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: testAdditionalScopes},
+					AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{
-					Claims:              v1alpha1.OIDCClaims{Groups: testGroupsClaim, Username: testUsernameClaim},
+						AdditionalAuthorizeParameters: []v1alpha1.Parameter{
+							{Name: "response_type", Value: "foo"},
+							{Name: "scope", Value: "foo"},
+							{Name: "client_id", Value: "foo"},
+							{Name: "state", Value: "foo"},
+							{Name: "nonce", Value: "foo"},
+							{Name: "code_challenge", Value: "foo"},
+							{Name: "code_challenge_method", Value: "foo"},
+							{Name: "redirect_uri", Value: "foo"},
+							{Name: "this_one_is_allowed", Value: "foo"},
 						},
-				Status: v1alpha1.OIDCIdentityProviderStatus{
-					Phase: "Ready",
-					Conditions: []v1alpha1.Condition{
-						{Type: "ClientCredentialsValid", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "loaded client credentials"},
-						{Type: "OIDCDiscoverySucceeded", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "discovered issuer configuration"},
 					},
 				},
 			}},
@@ -695,30 +747,24 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana
 				Type:       "secrets.pinniped.dev/oidc-client",
 				Data:       testValidSecretData,
 			}},
+			wantErr: controllerlib.ErrSyntheticRequeue.Error(),
 			wantLogs: []string{
 				`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid"`,
 				`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="discovered issuer configuration" "reason"="Success" "status"="True" "type"="OIDCDiscoverySucceeded"`,
+				`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="the following additionalAuthorizeParameters are not allowed: response_type,scope,client_id,state,nonce,code_challenge,code_challenge_method,redirect_uri" "reason"="DisallowedParameterName" "status"="False" "type"="AdditionalAuthorizeParametersValid"`,
+				`oidc-upstream-observer "msg"="found failing condition" "error"="OIDCIdentityProvider has a failing condition" "message"="the following additionalAuthorizeParameters are not allowed: response_type,scope,client_id,state,nonce,code_challenge,code_challenge_method,redirect_uri" "name"="test-name" "namespace"="test-namespace" "reason"="DisallowedParameterName" "type"="AdditionalAuthorizeParametersValid"`,
 			},
-			wantResultingCache: []provider.UpstreamOIDCIdentityProviderI{
+			wantResultingCache: []provider.UpstreamOIDCIdentityProviderI{},
-				&oidctestutil.TestUpstreamOIDCIdentityProvider{
-					Name:                     testName,
-					ClientID:                 testClientID,
-					AuthorizationURL:         *testIssuerAuthorizeURL,
-					Scopes:                   testExpectedScopes,
-					UsernameClaim:            testUsernameClaim,
-					GroupsClaim:              testGroupsClaim,
-					AllowPasswordGrant:       false,
-					AdditionalAuthcodeParams: testExpectedAdditionalParams,
-					ResourceUID:              testUID,
-				},
-			},
 			wantResultingUpstreams: []v1alpha1.OIDCIdentityProvider{{
 				ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
 				Status: v1alpha1.OIDCIdentityProviderStatus{
-					Phase: "Ready",
+					Phase: "Error",
 					Conditions: []v1alpha1.Condition{
-						{Type: "ClientCredentialsValid", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "loaded client credentials", ObservedGeneration: 1234},
+						{Type: "AdditionalAuthorizeParametersValid", Status: "False", LastTransitionTime: now, Reason: "DisallowedParameterName",
-						{Type: "OIDCDiscoverySucceeded", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "discovered issuer configuration", ObservedGeneration: 1234},
+							Message: "the following additionalAuthorizeParameters are not allowed: " +
+								"response_type,scope,client_id,state,nonce,code_challenge,code_challenge_method,redirect_uri", ObservedGeneration: 1234},
+						{Type: "ClientCredentialsValid", Status: "True", LastTransitionTime: now, Reason: "Success", Message: "loaded client credentials", ObservedGeneration: 1234},
+						{Type: "OIDCDiscoverySucceeded", Status: "True", LastTransitionTime: now, Reason: "Success", Message: "discovered issuer configuration", ObservedGeneration: 1234},
 					},
 				},
 			}},
@@ -731,7 +777,6 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana
 					Issuer: testIssuerURL + "/ends-with-slash",
 					TLS:    &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64},
 					Client: v1alpha1.OIDCClient{SecretName: testSecretName},
-					AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: testAdditionalScopes},
 				},
 			}},
 			inputSecrets: []runtime.Object{&corev1.Secret{
@@ -779,7 +824,6 @@ oidc: issuer did not match the issuer returned by provider, expected "` + testIs
 					Issuer: testIssuerURL + "/",
 					TLS:    &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64},
 					Client: v1alpha1.OIDCClient{SecretName: testSecretName},
-					AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: testAdditionalScopes},
 				},
 			}},
 			inputSecrets: []runtime.Object{&corev1.Secret{

site/content/docs/howto/configure-supervisor-with-dex.md

@@ -85,12 +85,20 @@ spec:
   # Specify the upstream issuer URL (no trailing slash).
   issuer: https://<dex-dns-record>
 
+  # Specify how to form authorization requests to Dex.
+  authorizationConfig:
+
     # Request any scopes other than "openid" for claims besides
     # the default claims in your token. The "openid" scope is always
     # included.
-  authorizationConfig:
     additionalScopes: [groups, email]
 
+    # If you would also like to allow your end users to authenticate using
+    # a password grant, then change this to true.
+    # Password grants with Dex will only work in Dex versions that include
+    # this bug fix: https://github.com/dexidp/dex/pull/2234
+    allowPasswordGrant: false
+
   # Specify how Dex claims are mapped to Kubernetes identities.
   claims:
     # Specify the name of the claim in your Dex ID token that will be mapped

site/content/docs/howto/configure-supervisor-with-gitlab.md

@@ -30,8 +30,14 @@ For example, to create a user-owned application:
 1. Create a new application:
    1. Enter a name for your application, such as "My Kubernetes Clusters".
    1. Enter the redirect URI. This is the `spec.issuer` you configured in your `FederationDomain` appended with `/callback`.
-   1. Check the box saying that the application is _Confidential_.
+   1. Check the box saying that the application is _Confidential_. This is required and will cause GitLab to autogenerate
-   1. Select scope `openid`. This provides access to the `nickname` (GitLab username) and `groups` (GitLab groups) claims.
+      a client ID and client secret for your application.
+   1. Check the box saying to _Expire Access Tokens_ to cause refresh tokens to be returned to the Supervisor. This is
+      required starting in Pinniped v0.13.0.
+   1. Select scope `openid`. This is required to get ID tokens. Also, this provides access to the `nickname` (GitLab username)
+      and `groups` (GitLab groups) claims in the ID tokens.
+   1. Optionally select other scopes which might provide access to other claims that you might want to use to determine
+      the usernames of your users, for example `email`.
    1. Save the application and make note of the _Application ID_ and _Secret_.
 
 ## Configure the Supervisor cluster
@@ -51,6 +57,19 @@ spec:
   # Specify the upstream issuer URL.
   issuer: https://gitlab.com
 
+  # Specify how to form authorization requests to GitLab.
+  authorizationConfig:
+
+    # GitLab is unusual among OIDC providers in that it returns an
+    # error if you request the "offline_access" scope during an
+    # authorization flow, so ask Pinniped to avoid requesting that
+    # scope when using GitLab.
+    doNotRequestOfflineAccess: true
+
+    # If you would also like to allow your end users to authenticate using
+    # a password grant, then change this to true.
+    allowPasswordGrant: false
+
   # Specify how GitLab claims are mapped to Kubernetes identities.
   claims:
 

site/content/docs/howto/configure-supervisor-with-okta.md

@@ -32,11 +32,18 @@ For example, to create an app:
 1. Create a new app:
    1. Click `Create App Integration`.
    1. For `Sign-on method`, select `OIDC`.
-   1. For `Application type`, app `Web Application`, then click next.
+   1. For `Application type`, app `Web Application`, then click next. Only if you would like to offer the
+      password grant flow to your end users, then choose `Native Application` instead.
    1. Enter a name for your app, such as "My Kubernetes Clusters".
+   1. If you chose to create a `Web Application` then in the General Settings section, choose Grant Types
+      `Authorization Code` and `Refresh Token`. Starting in Pinniped v0.13.0, the `Refresh Token` grant is required.
+   1. If you chose `Native Application` then in the General Settings section, choose Grant Types `Authorization Code`,
+      `Refresh Token`, and `Resource Owner Password`. Starting in Pinniped v0.13.0, the `Refresh Token` grant is required.
    1. Enter the sign-in redirect URI. This is the `spec.issuer` you configured in your `FederationDomain` appended with `/callback`.
    1. Optionally select `Limit access to selected groups` to restrict which Okta users can log in to Kubernetes using this integration.
-   1. Save the app and make note of the _Client ID_ and _Client secret_.
+   1. Save the app and make note of the _Client ID_ and _Client secret_. If you chose to create a `Native Application`
+      then there is an extra step required to get a client secret: after saving the app, in the
+      Client Credentials section click `Edit`, choose `Use Client Authentication`, and click `Save`.
    1. Navigate to the _Sign On_ tab > _OpenID Connect ID Token_ and click `Edit`. Fill in the Groups claim filter.
       For example, for all groups to be present under the claim name `groups`, fill in "groups" in the first box, then select "Matches regex" and ".*".
 
@@ -54,18 +61,26 @@ metadata:
   name: okta
 spec:
 
-  # Specify the upstream issuer URL (no trailing slash).
+  # Specify the upstream issuer URL (no trailing slash). Change this to be the
+  # actual issuer provided by your Okta account.
   issuer: https://my-company.okta.com
 
+  # Specify how to form authorization requests to Okta.
+  authorizationConfig:
+
     # Request any scopes other than "openid" for claims besides
     # the default claims in your token. The "openid" scope is always
     # included.
     #
     # To learn more about how to customize the claims returned, see here:
     # https://developer.okta.com/docs/guides/customize-tokens-returned-from-okta/overview/
-  authorizationConfig:
     additionalScopes: [groups, email]
 
+    # If you would also like to allow your end users to authenticate using
+    # a password grant, then change this to true. Password grants only work
+    # with applications created in Okta as "Native Applications".
+    allowPasswordGrant: false
+
   # Specify how Okta claims are mapped to Kubernetes identities.
   claims: