Add upstream refresh related config to OIDCIdentityProvider CRD

Also update related docs.
This commit is contained in:
Ryan Richard 2021-10-14 15:49:44 -07:00
parent 9e05d175a7
commit ddb23bd2ed
26 changed files with 1364 additions and 248 deletions

View File

@ -20,7 +20,7 @@ const (
PhaseError OIDCIdentityProviderPhase = "Error" PhaseError OIDCIdentityProviderPhase = "Error"
) )
// Status of an OIDC identity provider. // OIDCIdentityProviderStatus is the status of an OIDC identity provider.
type OIDCIdentityProviderStatus struct { type OIDCIdentityProviderStatus struct {
// Phase summarizes the overall status of the OIDCIdentityProvider. // Phase summarizes the overall status of the OIDCIdentityProvider.
// +kubebuilder:default=Pending // +kubebuilder:default=Pending
@ -38,14 +38,59 @@ type OIDCIdentityProviderStatus struct {
// OIDCAuthorizationConfig provides information about how to form the OAuth2 authorization // OIDCAuthorizationConfig provides information about how to form the OAuth2 authorization
// request parameters. // request parameters.
type OIDCAuthorizationConfig struct { type OIDCAuthorizationConfig struct {
// AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization // DoNotRequestOfflineAccess determines if the "offline_access" scope will be requested from your OIDC provider in
// request flow with an OIDC identity provider. // the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner
// In the case of a Resource Owner Password Credentials Grant flow, AdditionalScopes are the scopes // Password Credentials Grant in order to ask to receive a refresh token in the response. Starting in v0.13.0, the
// in addition to "openid" that will be requested as part of the token request (see also the allowPasswordGrant field). // Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from these
// By default, only the "openid" scope will be requested. // authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be "offline_access".
// See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the "offline_access"
// scope. See the documentation of your OIDC provider's authorization and token endpoints for its requirements for what
// to include in the request in order to receive a refresh token in the response, if anything. By default,
// DoNotRequestOfflineAccess is false, which means that "offline_access" will be sent in the authorization request,
// since that is what is suggested by the OIDC specification. Note that it may be safe to send "offline_access" even to
// providers which do not require it, since the provider may ignore scopes that it does not understand or require (see
// https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the
// "offline_access" scope, set DoNotRequestOfflineAccess to true. This is required if your OIDC provider will reject
// the request when it includes "offline_access" (e.g. GitLab's OIDC provider). If you need to send some other scope
// to request a refresh token, include the scope name in the additionalScopes setting. Also note that some OIDC
// providers may require that the "prompt" param be set to a specific value for the authorization request during an
// OIDC Authorization Code Flow in order to receive a refresh token in the response. To adjust the prompt param, see
// the additionalAuthorizeParameters setting.
// +optional
DoNotRequestOfflineAccess bool `json:"doNotRequestOfflineAccess,omitempty"`
// AdditionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization
// request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials
// Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is
// always required according to the OIDC spec. The "offline_access" scope may also be included according to the value
// of the DoNotRequestOfflineAccess setting. Any other scopes required should be included here in the AdditionalScopes
// list. For example, you might like to include scopes like "profile", "email", or "groups" in order to receive the
// related claims in the returned ID token or userinfo endpoint results if you would like to make use of those
// claims in the OIDCClaims settings to determine the usernames and group memberships of your Kubernetes users. See
// your OIDC provider's documentation for more information about what scopes are available to request claims.
// +optional // +optional
AdditionalScopes []string `json:"additionalScopes,omitempty"` AdditionalScopes []string `json:"additionalScopes,omitempty"`
// AdditionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your
// OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra
// parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id",
// "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be
// included in this setting. This setting does not influence the parameters sent to the token endpoint in the
// Resource Owner Password Credentials Grant. Starting in v0.13.0, the Pinniped Supervisor requires that your OIDC
// provider returns refresh tokens to the Supervisor from the authorization flows. Some OIDC providers may require
// a certain value for the "prompt" parameter in order to properly request refresh tokens. See the documentation of
// your OIDC provider's authorization endpoint for its requirements for what to include in the request in
// order to receive a refresh token in the response, if anything. If your provider requires the prompt parameter to
// request a refresh token, then include it here. Also note that most providers also require a certain scope to be
// requested in order to receive refresh tokens. See the doNotRequestOfflineAccess setting for more information about
// using scopes to request refresh tokens.
// +optional
// +patchMergeKey=name
// +patchStrategy=merge
// +listType=map
// +listMapKey=name
AdditionalAuthorizeParameters []Parameter `json:"extraAuthorizeParameters,omitempty"`
// AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant // AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant
// (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a // (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a
// username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. // username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow.
@ -66,15 +111,29 @@ type OIDCAuthorizationConfig struct {
AllowPasswordGrant bool `json:"allowPasswordGrant,omitempty"` AllowPasswordGrant bool `json:"allowPasswordGrant,omitempty"`
} }
// Parameter is a key/value pair which represents a parameter in an HTTP request.
type Parameter struct {
// The name of the parameter. Required.
// +kubebuilder:validation:MinLength=1
Name string `json:"name"`
// The value of the parameter.
// +optional
Value string `json:"value,omitempty"`
}
// OIDCClaims provides a mapping from upstream claims into identities. // OIDCClaims provides a mapping from upstream claims into identities.
type OIDCClaims struct { type OIDCClaims struct {
// Groups provides the name of the token claim that will be used to ascertain the groups to which // Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain
// an identity belongs. // the groups to which an identity belongs. By default, the identities will not include any group memberships when
// this setting is not configured.
// +optional // +optional
Groups string `json:"groups"` Groups string `json:"groups"`
// Username provides the name of the token claim that will be used to ascertain an identity's // Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to
// username. // ascertain an identity's username. When not set, the username will be an automatically constructed unique string
// which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from
// the ID token.
// +optional // +optional
Username string `json:"username"` Username string `json:"username"`
} }
@ -89,7 +148,7 @@ type OIDCClient struct {
SecretName string `json:"secretName"` SecretName string `json:"secretName"`
} }
// Spec for configuring an OIDC identity provider. // OIDCIdentityProviderSpec is the spec for configuring an OIDC identity provider.
type OIDCIdentityProviderSpec struct { type OIDCIdentityProviderSpec struct {
// Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch // Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch
// /.well-known/openid-configuration. // /.well-known/openid-configuration.
@ -135,7 +194,7 @@ type OIDCIdentityProvider struct {
Status OIDCIdentityProviderStatus `json:"status,omitempty"` Status OIDCIdentityProviderStatus `json:"status,omitempty"`
} }
// List of OIDCIdentityProvider objects. // OIDCIdentityProviderList lists OIDCIdentityProvider objects.
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type OIDCIdentityProviderList struct { type OIDCIdentityProviderList struct {
metav1.TypeMeta `json:",inline"` metav1.TypeMeta `json:",inline"`

View File

@ -57,13 +57,22 @@ spec:
OIDC identity provider. OIDC identity provider.
properties: properties:
additionalScopes: additionalScopes:
description: AdditionalScopes are the scopes in addition to "openid" description: AdditionalScopes are the additional scopes that will
that will be requested as part of the authorization request be requested from your OIDC provider in the authorization request
flow with an OIDC identity provider. In the case of a Resource during an OIDC Authorization Code Flow and in the token request
Owner Password Credentials Grant flow, AdditionalScopes are during a Resource Owner Password Credentials Grant. Note that
the scopes in addition to "openid" that will be requested as the "openid" scope will always be requested regardless of the
part of the token request (see also the allowPasswordGrant field). value in this setting, since it is always required according
By default, only the "openid" scope will be requested. to the OIDC spec. The "offline_access" scope may also be included
according to the value of the DoNotRequestOfflineAccess setting.
Any other scopes required should be included here in the AdditionalScopes
list. For example, you might like to include scopes like "profile",
"email", or "groups" in order to receive the related claims
in the returned ID token or userinfo endpoint results if you
would like to make use of those claims in the OIDCClaims settings
to determine the usernames and group memberships of your Kubernetes
users. See your OIDC provider's documentation for more information
about what scopes are available to request claims.
items: items:
type: string type: string
type: array type: array
@ -97,18 +106,98 @@ spec:
during Resource Owner Password Credentials Grant logins. AllowPasswordGrant during Resource Owner Password Credentials Grant logins. AllowPasswordGrant
defaults to false. defaults to false.
type: boolean type: boolean
doNotRequestOfflineAccess:
description: DoNotRequestOfflineAccess determines if the "offline_access"
scope will be requested from your OIDC provider in the authorization
request during an OIDC Authorization Code Flow and in the token
request during a Resource Owner Password Credentials Grant in
order to ask to receive a refresh token in the response. Starting
in v0.13.0, the Pinniped Supervisor requires that your OIDC
provider returns refresh tokens to the Supervisor from these
authorization flows. For most OIDC providers, the scope required
to receive refresh tokens will be "offline_access". See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
for a description of the "offline_access" scope. See the documentation
of your OIDC provider's authorization and token endpoints for
its requirements for what to include in the request in order
to receive a refresh token in the response, if anything. By
default, DoNotRequestOfflineAccess is false, which means that
"offline_access" will be sent in the authorization request,
since that is what is suggested by the OIDC specification. Note
that it may be safe to send "offline_access" even to providers
which do not require it, since the provider may ignore scopes
that it does not understand or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3).
In the unusual case that you must avoid sending the "offline_access"
scope, set DoNotRequestOfflineAccess to true. This is required
if your OIDC provider will reject the request when it includes
"offline_access" (e.g. GitLab's OIDC provider). If you need
to send some other scope to request a refresh token, include
the scope name in the additionalScopes setting. Also note that
some OIDC providers may require that the "prompt" param be set
to a specific value for the authorization request during an
OIDC Authorization Code Flow in order to receive a refresh token
in the response. To adjust the prompt param, see the additionalAuthorizeParameters
setting.
type: boolean
extraAuthorizeParameters:
description: AdditionalAuthorizeParameters are extra query parameters
that should be included in the authorize request to your OIDC
provider in the authorization request during an OIDC Authorization
Code Flow. By default, no extra parameters are sent. The standard
parameters that will be sent are "response_type", "scope", "client_id",
"state", "nonce", "code_challenge", "code_challenge_method",
and "redirect_uri". These parameters cannot be included in this
setting. This setting does not influence the parameters sent
to the token endpoint in the Resource Owner Password Credentials
Grant. Starting in v0.13.0, the Pinniped Supervisor requires
that your OIDC provider returns refresh tokens to the Supervisor
from the authorization flows. Some OIDC providers may require
a certain value for the "prompt" parameter in order to properly
request refresh tokens. See the documentation of your OIDC provider's
authorization endpoint for its requirements for what to include
in the request in order to receive a refresh token in the response,
if anything. If your provider requires the prompt parameter
to request a refresh token, then include it here. Also note
that most providers also require a certain scope to be requested
in order to receive refresh tokens. See the doNotRequestOfflineAccess
setting for more information about using scopes to request refresh
tokens.
items:
description: Parameter is a key/value pair which represents
a parameter in an HTTP request.
properties:
name:
description: The name of the parameter. Required.
minLength: 1
type: string
value:
description: The value of the parameter.
type: string
required:
- name
type: object
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object type: object
claims: claims:
description: Claims provides the names of token claims that will be description: Claims provides the names of token claims that will be
used when inspecting an identity from this OIDC identity provider. used when inspecting an identity from this OIDC identity provider.
properties: properties:
groups: groups:
description: Groups provides the name of the token claim that description: Groups provides the name of the ID token claim or
will be used to ascertain the groups to which an identity belongs. userinfo endpoint response claim that will be used to ascertain
the groups to which an identity belongs. By default, the identities
will not include any group memberships when this setting is
not configured.
type: string type: string
username: username:
description: Username provides the name of the token claim that description: Username provides the name of the ID token claim
will be used to ascertain an identity's username. or userinfo endpoint response claim that will be used to ascertain
an identity's username. When not set, the username will be an
automatically constructed unique string which will include the
issuer URL of your OIDC provider along with the value of the
"sub" (subject) claim from the ID token.
type: string type: string
type: object type: object
client: client:

View File

@ -1099,7 +1099,9 @@ OIDCAuthorizationConfig provides information about how to form the OAuth2 author
[cols="25a,75a", options="header"] [cols="25a,75a", options="header"]
|=== |===
| Field | Description | Field | Description
| *`additionalScopes`* __string array__ | AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization request flow with an OIDC identity provider. In the case of a Resource Owner Password Credentials Grant flow, AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the token request (see also the allowPasswordGrant field). By default, only the "openid" scope will be requested. | *`doNotRequestOfflineAccess`* __boolean__ | DoNotRequestOfflineAccess determines if the "offline_access" scope will be requested from your OIDC provider in the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials Grant in order to ask to receive a refresh token in the response. Starting in v0.13.0, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from these authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be "offline_access". See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the "offline_access" scope. See the documentation of your OIDC provider's authorization and token endpoints for its requirements for what to include in the request in order to receive a refresh token in the response, if anything. By default, DoNotRequestOfflineAccess is false, which means that "offline_access" will be sent in the authorization request, since that is what is suggested by the OIDC specification. Note that it may be safe to send "offline_access" even to providers which do not require it, since the provider may ignore scopes that it does not understand or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the "offline_access" scope, set DoNotRequestOfflineAccess to true. This is required if your OIDC provider will reject the request when it includes "offline_access" (e.g. GitLab's OIDC provider). If you need to send some other scope to request a refresh token, include the scope name in the additionalScopes setting. Also note that some OIDC providers may require that the "prompt" param be set to a specific value for the authorization request during an OIDC Authorization Code Flow in order to receive a refresh token in the response. To adjust the prompt param, see the additionalAuthorizeParameters setting.
| *`additionalScopes`* __string array__ | AdditionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is always required according to the OIDC spec. The "offline_access" scope may also be included according to the value of the DoNotRequestOfflineAccess setting. Any other scopes required should be included here in the AdditionalScopes list. For example, you might like to include scopes like "profile", "email", or "groups" in order to receive the related claims in the returned ID token or userinfo endpoint results if you would like to make use of those claims in the OIDCClaims settings to determine the usernames and group memberships of your Kubernetes users. See your OIDC provider's documentation for more information about what scopes are available to request claims.
| *`extraAuthorizeParameters`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-parameter[$$Parameter$$] array__ | AdditionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id", "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be included in this setting. This setting does not influence the parameters sent to the token endpoint in the Resource Owner Password Credentials Grant. Starting in v0.13.0, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from the authorization flows. Some OIDC providers may require a certain value for the "prompt" parameter in order to properly request refresh tokens. See the documentation of your OIDC provider's authorization endpoint for its requirements for what to include in the request in order to receive a refresh token in the response, if anything. If your provider requires the prompt parameter to request a refresh token, then include it here. Also note that most providers also require a certain scope to be requested in order to receive refresh tokens. See the doNotRequestOfflineAccess setting for more information about using scopes to request refresh tokens.
| *`allowPasswordGrant`* __boolean__ | AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be convenient for users, especially for identities from your OIDC provider which are not intended to represent a human actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it, you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins. AllowPasswordGrant defaults to false. | *`allowPasswordGrant`* __boolean__ | AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be convenient for users, especially for identities from your OIDC provider which are not intended to represent a human actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it, you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins. AllowPasswordGrant defaults to false.
|=== |===
@ -1117,8 +1119,8 @@ OIDCClaims provides a mapping from upstream claims into identities.
[cols="25a,75a", options="header"] [cols="25a,75a", options="header"]
|=== |===
| Field | Description | Field | Description
| *`groups`* __string__ | Groups provides the name of the token claim that will be used to ascertain the groups to which an identity belongs. | *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
| *`username`* __string__ | Username provides the name of the token claim that will be used to ascertain an identity's username. | *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
|=== |===
@ -1164,7 +1166,7 @@ OIDCIdentityProvider describes the configuration of an upstream OpenID Connect i
[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec"] [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec"]
==== OIDCIdentityProviderSpec ==== OIDCIdentityProviderSpec
Spec for configuring an OIDC identity provider. OIDCIdentityProviderSpec is the spec for configuring an OIDC identity provider.
.Appears In: .Appears In:
**** ****
@ -1185,7 +1187,7 @@ Spec for configuring an OIDC identity provider.
[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-oidcidentityproviderstatus"] [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-oidcidentityproviderstatus"]
==== OIDCIdentityProviderStatus ==== OIDCIdentityProviderStatus
Status of an OIDC identity provider. OIDCIdentityProviderStatus is the status of an OIDC identity provider.
.Appears In: .Appears In:
**** ****
@ -1200,6 +1202,24 @@ Status of an OIDC identity provider.
|=== |===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-parameter"]
==== Parameter
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-oidcauthorizationconfig[$$OIDCAuthorizationConfig$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`name`* __string__ | The name of the parameter. Required.
| *`value`* __string__ | The value of the parameter.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-tlsspec"] [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-tlsspec"]
==== TLSSpec ==== TLSSpec

View File

@ -20,7 +20,7 @@ const (
PhaseError OIDCIdentityProviderPhase = "Error" PhaseError OIDCIdentityProviderPhase = "Error"
) )
// Status of an OIDC identity provider. // OIDCIdentityProviderStatus is the status of an OIDC identity provider.
type OIDCIdentityProviderStatus struct { type OIDCIdentityProviderStatus struct {
// Phase summarizes the overall status of the OIDCIdentityProvider. // Phase summarizes the overall status of the OIDCIdentityProvider.
// +kubebuilder:default=Pending // +kubebuilder:default=Pending
@ -38,14 +38,59 @@ type OIDCIdentityProviderStatus struct {
// OIDCAuthorizationConfig provides information about how to form the OAuth2 authorization // OIDCAuthorizationConfig provides information about how to form the OAuth2 authorization
// request parameters. // request parameters.
type OIDCAuthorizationConfig struct { type OIDCAuthorizationConfig struct {
// AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization // DoNotRequestOfflineAccess determines if the "offline_access" scope will be requested from your OIDC provider in
// request flow with an OIDC identity provider. // the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner
// In the case of a Resource Owner Password Credentials Grant flow, AdditionalScopes are the scopes // Password Credentials Grant in order to ask to receive a refresh token in the response. Starting in v0.13.0, the
// in addition to "openid" that will be requested as part of the token request (see also the allowPasswordGrant field). // Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from these
// By default, only the "openid" scope will be requested. // authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be "offline_access".
// See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the "offline_access"
// scope. See the documentation of your OIDC provider's authorization and token endpoints for its requirements for what
// to include in the request in order to receive a refresh token in the response, if anything. By default,
// DoNotRequestOfflineAccess is false, which means that "offline_access" will be sent in the authorization request,
// since that is what is suggested by the OIDC specification. Note that it may be safe to send "offline_access" even to
// providers which do not require it, since the provider may ignore scopes that it does not understand or require (see
// https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the
// "offline_access" scope, set DoNotRequestOfflineAccess to true. This is required if your OIDC provider will reject
// the request when it includes "offline_access" (e.g. GitLab's OIDC provider). If you need to send some other scope
// to request a refresh token, include the scope name in the additionalScopes setting. Also note that some OIDC
// providers may require that the "prompt" param be set to a specific value for the authorization request during an
// OIDC Authorization Code Flow in order to receive a refresh token in the response. To adjust the prompt param, see
// the additionalAuthorizeParameters setting.
// +optional
DoNotRequestOfflineAccess bool `json:"doNotRequestOfflineAccess,omitempty"`
// AdditionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization
// request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials
// Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is
// always required according to the OIDC spec. The "offline_access" scope may also be included according to the value
// of the DoNotRequestOfflineAccess setting. Any other scopes required should be included here in the AdditionalScopes
// list. For example, you might like to include scopes like "profile", "email", or "groups" in order to receive the
// related claims in the returned ID token or userinfo endpoint results if you would like to make use of those
// claims in the OIDCClaims settings to determine the usernames and group memberships of your Kubernetes users. See
// your OIDC provider's documentation for more information about what scopes are available to request claims.
// +optional // +optional
AdditionalScopes []string `json:"additionalScopes,omitempty"` AdditionalScopes []string `json:"additionalScopes,omitempty"`
// AdditionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your
// OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra
// parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id",
// "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be
// included in this setting. This setting does not influence the parameters sent to the token endpoint in the
// Resource Owner Password Credentials Grant. Starting in v0.13.0, the Pinniped Supervisor requires that your OIDC
// provider returns refresh tokens to the Supervisor from the authorization flows. Some OIDC providers may require
// a certain value for the "prompt" parameter in order to properly request refresh tokens. See the documentation of
// your OIDC provider's authorization endpoint for its requirements for what to include in the request in
// order to receive a refresh token in the response, if anything. If your provider requires the prompt parameter to
// request a refresh token, then include it here. Also note that most providers also require a certain scope to be
// requested in order to receive refresh tokens. See the doNotRequestOfflineAccess setting for more information about
// using scopes to request refresh tokens.
// +optional
// +patchMergeKey=name
// +patchStrategy=merge
// +listType=map
// +listMapKey=name
AdditionalAuthorizeParameters []Parameter `json:"extraAuthorizeParameters,omitempty"`
// AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant // AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant
// (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a // (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a
// username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. // username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow.
@ -66,15 +111,29 @@ type OIDCAuthorizationConfig struct {
AllowPasswordGrant bool `json:"allowPasswordGrant,omitempty"` AllowPasswordGrant bool `json:"allowPasswordGrant,omitempty"`
} }
// Parameter is a key/value pair which represents a parameter in an HTTP request.
type Parameter struct {
// The name of the parameter. Required.
// +kubebuilder:validation:MinLength=1
Name string `json:"name"`
// The value of the parameter.
// +optional
Value string `json:"value,omitempty"`
}
// OIDCClaims provides a mapping from upstream claims into identities. // OIDCClaims provides a mapping from upstream claims into identities.
type OIDCClaims struct { type OIDCClaims struct {
// Groups provides the name of the token claim that will be used to ascertain the groups to which // Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain
// an identity belongs. // the groups to which an identity belongs. By default, the identities will not include any group memberships when
// this setting is not configured.
// +optional // +optional
Groups string `json:"groups"` Groups string `json:"groups"`
// Username provides the name of the token claim that will be used to ascertain an identity's // Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to
// username. // ascertain an identity's username. When not set, the username will be an automatically constructed unique string
// which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from
// the ID token.
// +optional // +optional
Username string `json:"username"` Username string `json:"username"`
} }
@ -89,7 +148,7 @@ type OIDCClient struct {
SecretName string `json:"secretName"` SecretName string `json:"secretName"`
} }
// Spec for configuring an OIDC identity provider. // OIDCIdentityProviderSpec is the spec for configuring an OIDC identity provider.
type OIDCIdentityProviderSpec struct { type OIDCIdentityProviderSpec struct {
// Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch // Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch
// /.well-known/openid-configuration. // /.well-known/openid-configuration.
@ -135,7 +194,7 @@ type OIDCIdentityProvider struct {
Status OIDCIdentityProviderStatus `json:"status,omitempty"` Status OIDCIdentityProviderStatus `json:"status,omitempty"`
} }
// List of OIDCIdentityProvider objects. // OIDCIdentityProviderList lists OIDCIdentityProvider objects.
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type OIDCIdentityProviderList struct { type OIDCIdentityProviderList struct {
metav1.TypeMeta `json:",inline"` metav1.TypeMeta `json:",inline"`

View File

@ -416,6 +416,11 @@ func (in *OIDCAuthorizationConfig) DeepCopyInto(out *OIDCAuthorizationConfig) {
*out = make([]string, len(*in)) *out = make([]string, len(*in))
copy(*out, *in) copy(*out, *in)
} }
if in.AdditionalAuthorizeParameters != nil {
in, out := &in.AdditionalAuthorizeParameters, &out.AdditionalAuthorizeParameters
*out = make([]Parameter, len(*in))
copy(*out, *in)
}
return return
} }
@ -569,6 +574,22 @@ func (in *OIDCIdentityProviderStatus) DeepCopy() *OIDCIdentityProviderStatus {
return out return out
} }
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Parameter) DeepCopyInto(out *Parameter) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Parameter.
func (in *Parameter) DeepCopy() *Parameter {
if in == nil {
return nil
}
out := new(Parameter)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TLSSpec) DeepCopyInto(out *TLSSpec) { func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
*out = *in *out = *in

View File

@ -57,13 +57,22 @@ spec:
OIDC identity provider. OIDC identity provider.
properties: properties:
additionalScopes: additionalScopes:
description: AdditionalScopes are the scopes in addition to "openid" description: AdditionalScopes are the additional scopes that will
that will be requested as part of the authorization request be requested from your OIDC provider in the authorization request
flow with an OIDC identity provider. In the case of a Resource during an OIDC Authorization Code Flow and in the token request
Owner Password Credentials Grant flow, AdditionalScopes are during a Resource Owner Password Credentials Grant. Note that
the scopes in addition to "openid" that will be requested as the "openid" scope will always be requested regardless of the
part of the token request (see also the allowPasswordGrant field). value in this setting, since it is always required according
By default, only the "openid" scope will be requested. to the OIDC spec. The "offline_access" scope may also be included
according to the value of the DoNotRequestOfflineAccess setting.
Any other scopes required should be included here in the AdditionalScopes
list. For example, you might like to include scopes like "profile",
"email", or "groups" in order to receive the related claims
in the returned ID token or userinfo endpoint results if you
would like to make use of those claims in the OIDCClaims settings
to determine the usernames and group memberships of your Kubernetes
users. See your OIDC provider's documentation for more information
about what scopes are available to request claims.
items: items:
type: string type: string
type: array type: array
@ -97,18 +106,98 @@ spec:
during Resource Owner Password Credentials Grant logins. AllowPasswordGrant during Resource Owner Password Credentials Grant logins. AllowPasswordGrant
defaults to false. defaults to false.
type: boolean type: boolean
doNotRequestOfflineAccess:
description: DoNotRequestOfflineAccess determines if the "offline_access"
scope will be requested from your OIDC provider in the authorization
request during an OIDC Authorization Code Flow and in the token
request during a Resource Owner Password Credentials Grant in
order to ask to receive a refresh token in the response. Starting
in v0.13.0, the Pinniped Supervisor requires that your OIDC
provider returns refresh tokens to the Supervisor from these
authorization flows. For most OIDC providers, the scope required
to receive refresh tokens will be "offline_access". See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
for a description of the "offline_access" scope. See the documentation
of your OIDC provider's authorization and token endpoints for
its requirements for what to include in the request in order
to receive a refresh token in the response, if anything. By
default, DoNotRequestOfflineAccess is false, which means that
"offline_access" will be sent in the authorization request,
since that is what is suggested by the OIDC specification. Note
that it may be safe to send "offline_access" even to providers
which do not require it, since the provider may ignore scopes
that it does not understand or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3).
In the unusual case that you must avoid sending the "offline_access"
scope, set DoNotRequestOfflineAccess to true. This is required
if your OIDC provider will reject the request when it includes
"offline_access" (e.g. GitLab's OIDC provider). If you need
to send some other scope to request a refresh token, include
the scope name in the additionalScopes setting. Also note that
some OIDC providers may require that the "prompt" param be set
to a specific value for the authorization request during an
OIDC Authorization Code Flow in order to receive a refresh token
in the response. To adjust the prompt param, see the additionalAuthorizeParameters
setting.
type: boolean
extraAuthorizeParameters:
description: AdditionalAuthorizeParameters are extra query parameters
that should be included in the authorize request to your OIDC
provider in the authorization request during an OIDC Authorization
Code Flow. By default, no extra parameters are sent. The standard
parameters that will be sent are "response_type", "scope", "client_id",
"state", "nonce", "code_challenge", "code_challenge_method",
and "redirect_uri". These parameters cannot be included in this
setting. This setting does not influence the parameters sent
to the token endpoint in the Resource Owner Password Credentials
Grant. Starting in v0.13.0, the Pinniped Supervisor requires
that your OIDC provider returns refresh tokens to the Supervisor
from the authorization flows. Some OIDC providers may require
a certain value for the "prompt" parameter in order to properly
request refresh tokens. See the documentation of your OIDC provider's
authorization endpoint for its requirements for what to include
in the request in order to receive a refresh token in the response,
if anything. If your provider requires the prompt parameter
to request a refresh token, then include it here. Also note
that most providers also require a certain scope to be requested
in order to receive refresh tokens. See the doNotRequestOfflineAccess
setting for more information about using scopes to request refresh
tokens.
items:
description: Parameter is a key/value pair which represents
a parameter in an HTTP request.
properties:
name:
description: The name of the parameter. Required.
minLength: 1
type: string
value:
description: The value of the parameter.
type: string
required:
- name
type: object
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object type: object
claims: claims:
description: Claims provides the names of token claims that will be description: Claims provides the names of token claims that will be
used when inspecting an identity from this OIDC identity provider. used when inspecting an identity from this OIDC identity provider.
properties: properties:
groups: groups:
description: Groups provides the name of the token claim that description: Groups provides the name of the ID token claim or
will be used to ascertain the groups to which an identity belongs. userinfo endpoint response claim that will be used to ascertain
the groups to which an identity belongs. By default, the identities
will not include any group memberships when this setting is
not configured.
type: string type: string
username: username:
description: Username provides the name of the token claim that description: Username provides the name of the ID token claim
will be used to ascertain an identity's username. or userinfo endpoint response claim that will be used to ascertain
an identity's username. When not set, the username will be an
automatically constructed unique string which will include the
issuer URL of your OIDC provider along with the value of the
"sub" (subject) claim from the ID token.
type: string type: string
type: object type: object
client: client:

View File

@ -1099,7 +1099,9 @@ OIDCAuthorizationConfig provides information about how to form the OAuth2 author
[cols="25a,75a", options="header"] [cols="25a,75a", options="header"]
|=== |===
| Field | Description | Field | Description
| *`additionalScopes`* __string array__ | AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization request flow with an OIDC identity provider. In the case of a Resource Owner Password Credentials Grant flow, AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the token request (see also the allowPasswordGrant field). By default, only the "openid" scope will be requested. | *`doNotRequestOfflineAccess`* __boolean__ | DoNotRequestOfflineAccess determines if the "offline_access" scope will be requested from your OIDC provider in the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials Grant in order to ask to receive a refresh token in the response. Starting in v0.13.0, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from these authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be "offline_access". See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the "offline_access" scope. See the documentation of your OIDC provider's authorization and token endpoints for its requirements for what to include in the request in order to receive a refresh token in the response, if anything. By default, DoNotRequestOfflineAccess is false, which means that "offline_access" will be sent in the authorization request, since that is what is suggested by the OIDC specification. Note that it may be safe to send "offline_access" even to providers which do not require it, since the provider may ignore scopes that it does not understand or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the "offline_access" scope, set DoNotRequestOfflineAccess to true. This is required if your OIDC provider will reject the request when it includes "offline_access" (e.g. GitLab's OIDC provider). If you need to send some other scope to request a refresh token, include the scope name in the additionalScopes setting. Also note that some OIDC providers may require that the "prompt" param be set to a specific value for the authorization request during an OIDC Authorization Code Flow in order to receive a refresh token in the response. To adjust the prompt param, see the additionalAuthorizeParameters setting.
| *`additionalScopes`* __string array__ | AdditionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is always required according to the OIDC spec. The "offline_access" scope may also be included according to the value of the DoNotRequestOfflineAccess setting. Any other scopes required should be included here in the AdditionalScopes list. For example, you might like to include scopes like "profile", "email", or "groups" in order to receive the related claims in the returned ID token or userinfo endpoint results if you would like to make use of those claims in the OIDCClaims settings to determine the usernames and group memberships of your Kubernetes users. See your OIDC provider's documentation for more information about what scopes are available to request claims.
| *`extraAuthorizeParameters`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-parameter[$$Parameter$$] array__ | AdditionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id", "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be included in this setting. This setting does not influence the parameters sent to the token endpoint in the Resource Owner Password Credentials Grant. Starting in v0.13.0, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from the authorization flows. Some OIDC providers may require a certain value for the "prompt" parameter in order to properly request refresh tokens. See the documentation of your OIDC provider's authorization endpoint for its requirements for what to include in the request in order to receive a refresh token in the response, if anything. If your provider requires the prompt parameter to request a refresh token, then include it here. Also note that most providers also require a certain scope to be requested in order to receive refresh tokens. See the doNotRequestOfflineAccess setting for more information about using scopes to request refresh tokens.
| *`allowPasswordGrant`* __boolean__ | AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be convenient for users, especially for identities from your OIDC provider which are not intended to represent a human actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it, you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins. AllowPasswordGrant defaults to false. | *`allowPasswordGrant`* __boolean__ | AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be convenient for users, especially for identities from your OIDC provider which are not intended to represent a human actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it, you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins. AllowPasswordGrant defaults to false.
|=== |===
@ -1117,8 +1119,8 @@ OIDCClaims provides a mapping from upstream claims into identities.
[cols="25a,75a", options="header"] [cols="25a,75a", options="header"]
|=== |===
| Field | Description | Field | Description
| *`groups`* __string__ | Groups provides the name of the token claim that will be used to ascertain the groups to which an identity belongs. | *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
| *`username`* __string__ | Username provides the name of the token claim that will be used to ascertain an identity's username. | *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
|=== |===
@ -1164,7 +1166,7 @@ OIDCIdentityProvider describes the configuration of an upstream OpenID Connect i
[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec"] [id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec"]
==== OIDCIdentityProviderSpec ==== OIDCIdentityProviderSpec
Spec for configuring an OIDC identity provider. OIDCIdentityProviderSpec is the spec for configuring an OIDC identity provider.
.Appears In: .Appears In:
**** ****
@ -1185,7 +1187,7 @@ Spec for configuring an OIDC identity provider.
[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-oidcidentityproviderstatus"] [id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-oidcidentityproviderstatus"]
==== OIDCIdentityProviderStatus ==== OIDCIdentityProviderStatus
Status of an OIDC identity provider. OIDCIdentityProviderStatus is the status of an OIDC identity provider.
.Appears In: .Appears In:
**** ****
@ -1200,6 +1202,24 @@ Status of an OIDC identity provider.
|=== |===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-parameter"]
==== Parameter
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-oidcauthorizationconfig[$$OIDCAuthorizationConfig$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`name`* __string__ | The name of the parameter. Required.
| *`value`* __string__ | The value of the parameter.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-tlsspec"] [id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-tlsspec"]
==== TLSSpec ==== TLSSpec

View File

@ -20,7 +20,7 @@ const (
PhaseError OIDCIdentityProviderPhase = "Error" PhaseError OIDCIdentityProviderPhase = "Error"
) )
// Status of an OIDC identity provider. // OIDCIdentityProviderStatus is the status of an OIDC identity provider.
type OIDCIdentityProviderStatus struct { type OIDCIdentityProviderStatus struct {
// Phase summarizes the overall status of the OIDCIdentityProvider. // Phase summarizes the overall status of the OIDCIdentityProvider.
// +kubebuilder:default=Pending // +kubebuilder:default=Pending
@ -38,14 +38,59 @@ type OIDCIdentityProviderStatus struct {
// OIDCAuthorizationConfig provides information about how to form the OAuth2 authorization // OIDCAuthorizationConfig provides information about how to form the OAuth2 authorization
// request parameters. // request parameters.
type OIDCAuthorizationConfig struct { type OIDCAuthorizationConfig struct {
// AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization // DoNotRequestOfflineAccess determines if the "offline_access" scope will be requested from your OIDC provider in
// request flow with an OIDC identity provider. // the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner
// In the case of a Resource Owner Password Credentials Grant flow, AdditionalScopes are the scopes // Password Credentials Grant in order to ask to receive a refresh token in the response. Starting in v0.13.0, the
// in addition to "openid" that will be requested as part of the token request (see also the allowPasswordGrant field). // Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from these
// By default, only the "openid" scope will be requested. // authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be "offline_access".
// See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the "offline_access"
// scope. See the documentation of your OIDC provider's authorization and token endpoints for its requirements for what
// to include in the request in order to receive a refresh token in the response, if anything. By default,
// DoNotRequestOfflineAccess is false, which means that "offline_access" will be sent in the authorization request,
// since that is what is suggested by the OIDC specification. Note that it may be safe to send "offline_access" even to
// providers which do not require it, since the provider may ignore scopes that it does not understand or require (see
// https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the
// "offline_access" scope, set DoNotRequestOfflineAccess to true. This is required if your OIDC provider will reject
// the request when it includes "offline_access" (e.g. GitLab's OIDC provider). If you need to send some other scope
// to request a refresh token, include the scope name in the additionalScopes setting. Also note that some OIDC
// providers may require that the "prompt" param be set to a specific value for the authorization request during an
// OIDC Authorization Code Flow in order to receive a refresh token in the response. To adjust the prompt param, see
// the additionalAuthorizeParameters setting.
// +optional
DoNotRequestOfflineAccess bool `json:"doNotRequestOfflineAccess,omitempty"`
// AdditionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization
// request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials
// Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is
// always required according to the OIDC spec. The "offline_access" scope may also be included according to the value
// of the DoNotRequestOfflineAccess setting. Any other scopes required should be included here in the AdditionalScopes
// list. For example, you might like to include scopes like "profile", "email", or "groups" in order to receive the
// related claims in the returned ID token or userinfo endpoint results if you would like to make use of those
// claims in the OIDCClaims settings to determine the usernames and group memberships of your Kubernetes users. See
// your OIDC provider's documentation for more information about what scopes are available to request claims.
// +optional // +optional
AdditionalScopes []string `json:"additionalScopes,omitempty"` AdditionalScopes []string `json:"additionalScopes,omitempty"`
// AdditionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your
// OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra
// parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id",
// "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be
// included in this setting. This setting does not influence the parameters sent to the token endpoint in the
// Resource Owner Password Credentials Grant. Starting in v0.13.0, the Pinniped Supervisor requires that your OIDC
// provider returns refresh tokens to the Supervisor from the authorization flows. Some OIDC providers may require
// a certain value for the "prompt" parameter in order to properly request refresh tokens. See the documentation of
// your OIDC provider's authorization endpoint for its requirements for what to include in the request in
// order to receive a refresh token in the response, if anything. If your provider requires the prompt parameter to
// request a refresh token, then include it here. Also note that most providers also require a certain scope to be
// requested in order to receive refresh tokens. See the doNotRequestOfflineAccess setting for more information about
// using scopes to request refresh tokens.
// +optional
// +patchMergeKey=name
// +patchStrategy=merge
// +listType=map
// +listMapKey=name
AdditionalAuthorizeParameters []Parameter `json:"extraAuthorizeParameters,omitempty"`
// AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant // AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant
// (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a // (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a
// username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. // username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow.
@ -66,15 +111,29 @@ type OIDCAuthorizationConfig struct {
AllowPasswordGrant bool `json:"allowPasswordGrant,omitempty"` AllowPasswordGrant bool `json:"allowPasswordGrant,omitempty"`
} }
// Parameter is a key/value pair which represents a parameter in an HTTP request.
type Parameter struct {
// The name of the parameter. Required.
// +kubebuilder:validation:MinLength=1
Name string `json:"name"`
// The value of the parameter.
// +optional
Value string `json:"value,omitempty"`
}
// OIDCClaims provides a mapping from upstream claims into identities. // OIDCClaims provides a mapping from upstream claims into identities.
type OIDCClaims struct { type OIDCClaims struct {
// Groups provides the name of the token claim that will be used to ascertain the groups to which // Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain
// an identity belongs. // the groups to which an identity belongs. By default, the identities will not include any group memberships when
// this setting is not configured.
// +optional // +optional
Groups string `json:"groups"` Groups string `json:"groups"`
// Username provides the name of the token claim that will be used to ascertain an identity's // Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to
// username. // ascertain an identity's username. When not set, the username will be an automatically constructed unique string
// which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from
// the ID token.
// +optional // +optional
Username string `json:"username"` Username string `json:"username"`
} }
@ -89,7 +148,7 @@ type OIDCClient struct {
SecretName string `json:"secretName"` SecretName string `json:"secretName"`
} }
// Spec for configuring an OIDC identity provider. // OIDCIdentityProviderSpec is the spec for configuring an OIDC identity provider.
type OIDCIdentityProviderSpec struct { type OIDCIdentityProviderSpec struct {
// Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch // Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch
// /.well-known/openid-configuration. // /.well-known/openid-configuration.
@ -135,7 +194,7 @@ type OIDCIdentityProvider struct {
Status OIDCIdentityProviderStatus `json:"status,omitempty"` Status OIDCIdentityProviderStatus `json:"status,omitempty"`
} }
// List of OIDCIdentityProvider objects. // OIDCIdentityProviderList lists OIDCIdentityProvider objects.
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type OIDCIdentityProviderList struct { type OIDCIdentityProviderList struct {
metav1.TypeMeta `json:",inline"` metav1.TypeMeta `json:",inline"`

View File

@ -416,6 +416,11 @@ func (in *OIDCAuthorizationConfig) DeepCopyInto(out *OIDCAuthorizationConfig) {
*out = make([]string, len(*in)) *out = make([]string, len(*in))
copy(*out, *in) copy(*out, *in)
} }
if in.AdditionalAuthorizeParameters != nil {
in, out := &in.AdditionalAuthorizeParameters, &out.AdditionalAuthorizeParameters
*out = make([]Parameter, len(*in))
copy(*out, *in)
}
return return
} }
@ -569,6 +574,22 @@ func (in *OIDCIdentityProviderStatus) DeepCopy() *OIDCIdentityProviderStatus {
return out return out
} }
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Parameter) DeepCopyInto(out *Parameter) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Parameter.
func (in *Parameter) DeepCopy() *Parameter {
if in == nil {
return nil
}
out := new(Parameter)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TLSSpec) DeepCopyInto(out *TLSSpec) { func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
*out = *in *out = *in

View File

@ -57,13 +57,22 @@ spec:
OIDC identity provider. OIDC identity provider.
properties: properties:
additionalScopes: additionalScopes:
description: AdditionalScopes are the scopes in addition to "openid" description: AdditionalScopes are the additional scopes that will
that will be requested as part of the authorization request be requested from your OIDC provider in the authorization request
flow with an OIDC identity provider. In the case of a Resource during an OIDC Authorization Code Flow and in the token request
Owner Password Credentials Grant flow, AdditionalScopes are during a Resource Owner Password Credentials Grant. Note that
the scopes in addition to "openid" that will be requested as the "openid" scope will always be requested regardless of the
part of the token request (see also the allowPasswordGrant field). value in this setting, since it is always required according
By default, only the "openid" scope will be requested. to the OIDC spec. The "offline_access" scope may also be included
according to the value of the DoNotRequestOfflineAccess setting.
Any other scopes required should be included here in the AdditionalScopes
list. For example, you might like to include scopes like "profile",
"email", or "groups" in order to receive the related claims
in the returned ID token or userinfo endpoint results if you
would like to make use of those claims in the OIDCClaims settings
to determine the usernames and group memberships of your Kubernetes
users. See your OIDC provider's documentation for more information
about what scopes are available to request claims.
items: items:
type: string type: string
type: array type: array
@ -97,18 +106,98 @@ spec:
during Resource Owner Password Credentials Grant logins. AllowPasswordGrant during Resource Owner Password Credentials Grant logins. AllowPasswordGrant
defaults to false. defaults to false.
type: boolean type: boolean
doNotRequestOfflineAccess:
description: DoNotRequestOfflineAccess determines if the "offline_access"
scope will be requested from your OIDC provider in the authorization
request during an OIDC Authorization Code Flow and in the token
request during a Resource Owner Password Credentials Grant in
order to ask to receive a refresh token in the response. Starting
in v0.13.0, the Pinniped Supervisor requires that your OIDC
provider returns refresh tokens to the Supervisor from these
authorization flows. For most OIDC providers, the scope required
to receive refresh tokens will be "offline_access". See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
for a description of the "offline_access" scope. See the documentation
of your OIDC provider's authorization and token endpoints for
its requirements for what to include in the request in order
to receive a refresh token in the response, if anything. By
default, DoNotRequestOfflineAccess is false, which means that
"offline_access" will be sent in the authorization request,
since that is what is suggested by the OIDC specification. Note
that it may be safe to send "offline_access" even to providers
which do not require it, since the provider may ignore scopes
that it does not understand or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3).
In the unusual case that you must avoid sending the "offline_access"
scope, set DoNotRequestOfflineAccess to true. This is required
if your OIDC provider will reject the request when it includes
"offline_access" (e.g. GitLab's OIDC provider). If you need
to send some other scope to request a refresh token, include
the scope name in the additionalScopes setting. Also note that
some OIDC providers may require that the "prompt" param be set
to a specific value for the authorization request during an
OIDC Authorization Code Flow in order to receive a refresh token
in the response. To adjust the prompt param, see the additionalAuthorizeParameters
setting.
type: boolean
extraAuthorizeParameters:
description: AdditionalAuthorizeParameters are extra query parameters
that should be included in the authorize request to your OIDC
provider in the authorization request during an OIDC Authorization
Code Flow. By default, no extra parameters are sent. The standard
parameters that will be sent are "response_type", "scope", "client_id",
"state", "nonce", "code_challenge", "code_challenge_method",
and "redirect_uri". These parameters cannot be included in this
setting. This setting does not influence the parameters sent
to the token endpoint in the Resource Owner Password Credentials
Grant. Starting in v0.13.0, the Pinniped Supervisor requires
that your OIDC provider returns refresh tokens to the Supervisor
from the authorization flows. Some OIDC providers may require
a certain value for the "prompt" parameter in order to properly
request refresh tokens. See the documentation of your OIDC provider's
authorization endpoint for its requirements for what to include
in the request in order to receive a refresh token in the response,
if anything. If your provider requires the prompt parameter
to request a refresh token, then include it here. Also note
that most providers also require a certain scope to be requested
in order to receive refresh tokens. See the doNotRequestOfflineAccess
setting for more information about using scopes to request refresh
tokens.
items:
description: Parameter is a key/value pair which represents
a parameter in an HTTP request.
properties:
name:
description: The name of the parameter. Required.
minLength: 1
type: string
value:
description: The value of the parameter.
type: string
required:
- name
type: object
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object type: object
claims: claims:
description: Claims provides the names of token claims that will be description: Claims provides the names of token claims that will be
used when inspecting an identity from this OIDC identity provider. used when inspecting an identity from this OIDC identity provider.
properties: properties:
groups: groups:
description: Groups provides the name of the token claim that description: Groups provides the name of the ID token claim or
will be used to ascertain the groups to which an identity belongs. userinfo endpoint response claim that will be used to ascertain
the groups to which an identity belongs. By default, the identities
will not include any group memberships when this setting is
not configured.
type: string type: string
username: username:
description: Username provides the name of the token claim that description: Username provides the name of the ID token claim
will be used to ascertain an identity's username. or userinfo endpoint response claim that will be used to ascertain
an identity's username. When not set, the username will be an
automatically constructed unique string which will include the
issuer URL of your OIDC provider along with the value of the
"sub" (subject) claim from the ID token.
type: string type: string
type: object type: object
client: client:

View File

@ -1099,7 +1099,9 @@ OIDCAuthorizationConfig provides information about how to form the OAuth2 author
[cols="25a,75a", options="header"] [cols="25a,75a", options="header"]
|=== |===
| Field | Description | Field | Description
| *`additionalScopes`* __string array__ | AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization request flow with an OIDC identity provider. In the case of a Resource Owner Password Credentials Grant flow, AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the token request (see also the allowPasswordGrant field). By default, only the "openid" scope will be requested. | *`doNotRequestOfflineAccess`* __boolean__ | DoNotRequestOfflineAccess determines if the "offline_access" scope will be requested from your OIDC provider in the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials Grant in order to ask to receive a refresh token in the response. Starting in v0.13.0, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from these authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be "offline_access". See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the "offline_access" scope. See the documentation of your OIDC provider's authorization and token endpoints for its requirements for what to include in the request in order to receive a refresh token in the response, if anything. By default, DoNotRequestOfflineAccess is false, which means that "offline_access" will be sent in the authorization request, since that is what is suggested by the OIDC specification. Note that it may be safe to send "offline_access" even to providers which do not require it, since the provider may ignore scopes that it does not understand or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the "offline_access" scope, set DoNotRequestOfflineAccess to true. This is required if your OIDC provider will reject the request when it includes "offline_access" (e.g. GitLab's OIDC provider). If you need to send some other scope to request a refresh token, include the scope name in the additionalScopes setting. Also note that some OIDC providers may require that the "prompt" param be set to a specific value for the authorization request during an OIDC Authorization Code Flow in order to receive a refresh token in the response. To adjust the prompt param, see the additionalAuthorizeParameters setting.
| *`additionalScopes`* __string array__ | AdditionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is always required according to the OIDC spec. The "offline_access" scope may also be included according to the value of the DoNotRequestOfflineAccess setting. Any other scopes required should be included here in the AdditionalScopes list. For example, you might like to include scopes like "profile", "email", or "groups" in order to receive the related claims in the returned ID token or userinfo endpoint results if you would like to make use of those claims in the OIDCClaims settings to determine the usernames and group memberships of your Kubernetes users. See your OIDC provider's documentation for more information about what scopes are available to request claims.
| *`extraAuthorizeParameters`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-parameter[$$Parameter$$] array__ | AdditionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id", "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be included in this setting. This setting does not influence the parameters sent to the token endpoint in the Resource Owner Password Credentials Grant. Starting in v0.13.0, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from the authorization flows. Some OIDC providers may require a certain value for the "prompt" parameter in order to properly request refresh tokens. See the documentation of your OIDC provider's authorization endpoint for its requirements for what to include in the request in order to receive a refresh token in the response, if anything. If your provider requires the prompt parameter to request a refresh token, then include it here. Also note that most providers also require a certain scope to be requested in order to receive refresh tokens. See the doNotRequestOfflineAccess setting for more information about using scopes to request refresh tokens.
| *`allowPasswordGrant`* __boolean__ | AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be convenient for users, especially for identities from your OIDC provider which are not intended to represent a human actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it, you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins. AllowPasswordGrant defaults to false. | *`allowPasswordGrant`* __boolean__ | AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be convenient for users, especially for identities from your OIDC provider which are not intended to represent a human actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it, you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins. AllowPasswordGrant defaults to false.
|=== |===
@ -1117,8 +1119,8 @@ OIDCClaims provides a mapping from upstream claims into identities.
[cols="25a,75a", options="header"] [cols="25a,75a", options="header"]
|=== |===
| Field | Description | Field | Description
| *`groups`* __string__ | Groups provides the name of the token claim that will be used to ascertain the groups to which an identity belongs. | *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
| *`username`* __string__ | Username provides the name of the token claim that will be used to ascertain an identity's username. | *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
|=== |===
@ -1164,7 +1166,7 @@ OIDCIdentityProvider describes the configuration of an upstream OpenID Connect i
[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec"] [id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec"]
==== OIDCIdentityProviderSpec ==== OIDCIdentityProviderSpec
Spec for configuring an OIDC identity provider. OIDCIdentityProviderSpec is the spec for configuring an OIDC identity provider.
.Appears In: .Appears In:
**** ****
@ -1185,7 +1187,7 @@ Spec for configuring an OIDC identity provider.
[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-oidcidentityproviderstatus"] [id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-oidcidentityproviderstatus"]
==== OIDCIdentityProviderStatus ==== OIDCIdentityProviderStatus
Status of an OIDC identity provider. OIDCIdentityProviderStatus is the status of an OIDC identity provider.
.Appears In: .Appears In:
**** ****
@ -1200,6 +1202,24 @@ Status of an OIDC identity provider.
|=== |===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-parameter"]
==== Parameter
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-oidcauthorizationconfig[$$OIDCAuthorizationConfig$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`name`* __string__ | The name of the parameter. Required.
| *`value`* __string__ | The value of the parameter.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-tlsspec"] [id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-tlsspec"]
==== TLSSpec ==== TLSSpec

View File

@ -20,7 +20,7 @@ const (
PhaseError OIDCIdentityProviderPhase = "Error" PhaseError OIDCIdentityProviderPhase = "Error"
) )
// Status of an OIDC identity provider. // OIDCIdentityProviderStatus is the status of an OIDC identity provider.
type OIDCIdentityProviderStatus struct { type OIDCIdentityProviderStatus struct {
// Phase summarizes the overall status of the OIDCIdentityProvider. // Phase summarizes the overall status of the OIDCIdentityProvider.
// +kubebuilder:default=Pending // +kubebuilder:default=Pending
@ -38,14 +38,59 @@ type OIDCIdentityProviderStatus struct {
// OIDCAuthorizationConfig provides information about how to form the OAuth2 authorization // OIDCAuthorizationConfig provides information about how to form the OAuth2 authorization
// request parameters. // request parameters.
type OIDCAuthorizationConfig struct { type OIDCAuthorizationConfig struct {
// AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization // DoNotRequestOfflineAccess determines if the "offline_access" scope will be requested from your OIDC provider in
// request flow with an OIDC identity provider. // the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner
// In the case of a Resource Owner Password Credentials Grant flow, AdditionalScopes are the scopes // Password Credentials Grant in order to ask to receive a refresh token in the response. Starting in v0.13.0, the
// in addition to "openid" that will be requested as part of the token request (see also the allowPasswordGrant field). // Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from these
// By default, only the "openid" scope will be requested. // authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be "offline_access".
// See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the "offline_access"
// scope. See the documentation of your OIDC provider's authorization and token endpoints for its requirements for what
// to include in the request in order to receive a refresh token in the response, if anything. By default,
// DoNotRequestOfflineAccess is false, which means that "offline_access" will be sent in the authorization request,
// since that is what is suggested by the OIDC specification. Note that it may be safe to send "offline_access" even to
// providers which do not require it, since the provider may ignore scopes that it does not understand or require (see
// https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the
// "offline_access" scope, set DoNotRequestOfflineAccess to true. This is required if your OIDC provider will reject
// the request when it includes "offline_access" (e.g. GitLab's OIDC provider). If you need to send some other scope
// to request a refresh token, include the scope name in the additionalScopes setting. Also note that some OIDC
// providers may require that the "prompt" param be set to a specific value for the authorization request during an
// OIDC Authorization Code Flow in order to receive a refresh token in the response. To adjust the prompt param, see
// the additionalAuthorizeParameters setting.
// +optional
DoNotRequestOfflineAccess bool `json:"doNotRequestOfflineAccess,omitempty"`
// AdditionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization
// request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials
// Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is
// always required according to the OIDC spec. The "offline_access" scope may also be included according to the value
// of the DoNotRequestOfflineAccess setting. Any other scopes required should be included here in the AdditionalScopes
// list. For example, you might like to include scopes like "profile", "email", or "groups" in order to receive the
// related claims in the returned ID token or userinfo endpoint results if you would like to make use of those
// claims in the OIDCClaims settings to determine the usernames and group memberships of your Kubernetes users. See
// your OIDC provider's documentation for more information about what scopes are available to request claims.
// +optional // +optional
AdditionalScopes []string `json:"additionalScopes,omitempty"` AdditionalScopes []string `json:"additionalScopes,omitempty"`
// AdditionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your
// OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra
// parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id",
// "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be
// included in this setting. This setting does not influence the parameters sent to the token endpoint in the
// Resource Owner Password Credentials Grant. Starting in v0.13.0, the Pinniped Supervisor requires that your OIDC
// provider returns refresh tokens to the Supervisor from the authorization flows. Some OIDC providers may require
// a certain value for the "prompt" parameter in order to properly request refresh tokens. See the documentation of
// your OIDC provider's authorization endpoint for its requirements for what to include in the request in
// order to receive a refresh token in the response, if anything. If your provider requires the prompt parameter to
// request a refresh token, then include it here. Also note that most providers also require a certain scope to be
// requested in order to receive refresh tokens. See the doNotRequestOfflineAccess setting for more information about
// using scopes to request refresh tokens.
// +optional
// +patchMergeKey=name
// +patchStrategy=merge
// +listType=map
// +listMapKey=name
AdditionalAuthorizeParameters []Parameter `json:"extraAuthorizeParameters,omitempty"`
// AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant // AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant
// (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a // (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a
// username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. // username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow.
@ -66,15 +111,29 @@ type OIDCAuthorizationConfig struct {
AllowPasswordGrant bool `json:"allowPasswordGrant,omitempty"` AllowPasswordGrant bool `json:"allowPasswordGrant,omitempty"`
} }
// Parameter is a key/value pair which represents a parameter in an HTTP request.
type Parameter struct {
// The name of the parameter. Required.
// +kubebuilder:validation:MinLength=1
Name string `json:"name"`
// The value of the parameter.
// +optional
Value string `json:"value,omitempty"`
}
// OIDCClaims provides a mapping from upstream claims into identities. // OIDCClaims provides a mapping from upstream claims into identities.
type OIDCClaims struct { type OIDCClaims struct {
// Groups provides the name of the token claim that will be used to ascertain the groups to which // Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain
// an identity belongs. // the groups to which an identity belongs. By default, the identities will not include any group memberships when
// this setting is not configured.
// +optional // +optional
Groups string `json:"groups"` Groups string `json:"groups"`
// Username provides the name of the token claim that will be used to ascertain an identity's // Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to
// username. // ascertain an identity's username. When not set, the username will be an automatically constructed unique string
// which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from
// the ID token.
// +optional // +optional
Username string `json:"username"` Username string `json:"username"`
} }
@ -89,7 +148,7 @@ type OIDCClient struct {
SecretName string `json:"secretName"` SecretName string `json:"secretName"`
} }
// Spec for configuring an OIDC identity provider. // OIDCIdentityProviderSpec is the spec for configuring an OIDC identity provider.
type OIDCIdentityProviderSpec struct { type OIDCIdentityProviderSpec struct {
// Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch // Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch
// /.well-known/openid-configuration. // /.well-known/openid-configuration.
@ -135,7 +194,7 @@ type OIDCIdentityProvider struct {
Status OIDCIdentityProviderStatus `json:"status,omitempty"` Status OIDCIdentityProviderStatus `json:"status,omitempty"`
} }
// List of OIDCIdentityProvider objects. // OIDCIdentityProviderList lists OIDCIdentityProvider objects.
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type OIDCIdentityProviderList struct { type OIDCIdentityProviderList struct {
metav1.TypeMeta `json:",inline"` metav1.TypeMeta `json:",inline"`

View File

@ -416,6 +416,11 @@ func (in *OIDCAuthorizationConfig) DeepCopyInto(out *OIDCAuthorizationConfig) {
*out = make([]string, len(*in)) *out = make([]string, len(*in))
copy(*out, *in) copy(*out, *in)
} }
if in.AdditionalAuthorizeParameters != nil {
in, out := &in.AdditionalAuthorizeParameters, &out.AdditionalAuthorizeParameters
*out = make([]Parameter, len(*in))
copy(*out, *in)
}
return return
} }
@ -569,6 +574,22 @@ func (in *OIDCIdentityProviderStatus) DeepCopy() *OIDCIdentityProviderStatus {
return out return out
} }
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Parameter) DeepCopyInto(out *Parameter) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Parameter.
func (in *Parameter) DeepCopy() *Parameter {
if in == nil {
return nil
}
out := new(Parameter)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TLSSpec) DeepCopyInto(out *TLSSpec) { func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
*out = *in *out = *in

View File

@ -57,13 +57,22 @@ spec:
OIDC identity provider. OIDC identity provider.
properties: properties:
additionalScopes: additionalScopes:
description: AdditionalScopes are the scopes in addition to "openid" description: AdditionalScopes are the additional scopes that will
that will be requested as part of the authorization request be requested from your OIDC provider in the authorization request
flow with an OIDC identity provider. In the case of a Resource during an OIDC Authorization Code Flow and in the token request
Owner Password Credentials Grant flow, AdditionalScopes are during a Resource Owner Password Credentials Grant. Note that
the scopes in addition to "openid" that will be requested as the "openid" scope will always be requested regardless of the
part of the token request (see also the allowPasswordGrant field). value in this setting, since it is always required according
By default, only the "openid" scope will be requested. to the OIDC spec. The "offline_access" scope may also be included
according to the value of the DoNotRequestOfflineAccess setting.
Any other scopes required should be included here in the AdditionalScopes
list. For example, you might like to include scopes like "profile",
"email", or "groups" in order to receive the related claims
in the returned ID token or userinfo endpoint results if you
would like to make use of those claims in the OIDCClaims settings
to determine the usernames and group memberships of your Kubernetes
users. See your OIDC provider's documentation for more information
about what scopes are available to request claims.
items: items:
type: string type: string
type: array type: array
@ -97,18 +106,98 @@ spec:
during Resource Owner Password Credentials Grant logins. AllowPasswordGrant during Resource Owner Password Credentials Grant logins. AllowPasswordGrant
defaults to false. defaults to false.
type: boolean type: boolean
doNotRequestOfflineAccess:
description: DoNotRequestOfflineAccess determines if the "offline_access"
scope will be requested from your OIDC provider in the authorization
request during an OIDC Authorization Code Flow and in the token
request during a Resource Owner Password Credentials Grant in
order to ask to receive a refresh token in the response. Starting
in v0.13.0, the Pinniped Supervisor requires that your OIDC
provider returns refresh tokens to the Supervisor from these
authorization flows. For most OIDC providers, the scope required
to receive refresh tokens will be "offline_access". See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
for a description of the "offline_access" scope. See the documentation
of your OIDC provider's authorization and token endpoints for
its requirements for what to include in the request in order
to receive a refresh token in the response, if anything. By
default, DoNotRequestOfflineAccess is false, which means that
"offline_access" will be sent in the authorization request,
since that is what is suggested by the OIDC specification. Note
that it may be safe to send "offline_access" even to providers
which do not require it, since the provider may ignore scopes
that it does not understand or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3).
In the unusual case that you must avoid sending the "offline_access"
scope, set DoNotRequestOfflineAccess to true. This is required
if your OIDC provider will reject the request when it includes
"offline_access" (e.g. GitLab's OIDC provider). If you need
to send some other scope to request a refresh token, include
the scope name in the additionalScopes setting. Also note that
some OIDC providers may require that the "prompt" param be set
to a specific value for the authorization request during an
OIDC Authorization Code Flow in order to receive a refresh token
in the response. To adjust the prompt param, see the additionalAuthorizeParameters
setting.
type: boolean
extraAuthorizeParameters:
description: AdditionalAuthorizeParameters are extra query parameters
that should be included in the authorize request to your OIDC
provider in the authorization request during an OIDC Authorization
Code Flow. By default, no extra parameters are sent. The standard
parameters that will be sent are "response_type", "scope", "client_id",
"state", "nonce", "code_challenge", "code_challenge_method",
and "redirect_uri". These parameters cannot be included in this
setting. This setting does not influence the parameters sent
to the token endpoint in the Resource Owner Password Credentials
Grant. Starting in v0.13.0, the Pinniped Supervisor requires
that your OIDC provider returns refresh tokens to the Supervisor
from the authorization flows. Some OIDC providers may require
a certain value for the "prompt" parameter in order to properly
request refresh tokens. See the documentation of your OIDC provider's
authorization endpoint for its requirements for what to include
in the request in order to receive a refresh token in the response,
if anything. If your provider requires the prompt parameter
to request a refresh token, then include it here. Also note
that most providers also require a certain scope to be requested
in order to receive refresh tokens. See the doNotRequestOfflineAccess
setting for more information about using scopes to request refresh
tokens.
items:
description: Parameter is a key/value pair which represents
a parameter in an HTTP request.
properties:
name:
description: The name of the parameter. Required.
minLength: 1
type: string
value:
description: The value of the parameter.
type: string
required:
- name
type: object
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object type: object
claims: claims:
description: Claims provides the names of token claims that will be description: Claims provides the names of token claims that will be
used when inspecting an identity from this OIDC identity provider. used when inspecting an identity from this OIDC identity provider.
properties: properties:
groups: groups:
description: Groups provides the name of the token claim that description: Groups provides the name of the ID token claim or
will be used to ascertain the groups to which an identity belongs. userinfo endpoint response claim that will be used to ascertain
the groups to which an identity belongs. By default, the identities
will not include any group memberships when this setting is
not configured.
type: string type: string
username: username:
description: Username provides the name of the token claim that description: Username provides the name of the ID token claim
will be used to ascertain an identity's username. or userinfo endpoint response claim that will be used to ascertain
an identity's username. When not set, the username will be an
automatically constructed unique string which will include the
issuer URL of your OIDC provider along with the value of the
"sub" (subject) claim from the ID token.
type: string type: string
type: object type: object
client: client:

View File

@ -1099,7 +1099,9 @@ OIDCAuthorizationConfig provides information about how to form the OAuth2 author
[cols="25a,75a", options="header"] [cols="25a,75a", options="header"]
|=== |===
| Field | Description | Field | Description
| *`additionalScopes`* __string array__ | AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization request flow with an OIDC identity provider. In the case of a Resource Owner Password Credentials Grant flow, AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the token request (see also the allowPasswordGrant field). By default, only the "openid" scope will be requested. | *`doNotRequestOfflineAccess`* __boolean__ | DoNotRequestOfflineAccess determines if the "offline_access" scope will be requested from your OIDC provider in the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials Grant in order to ask to receive a refresh token in the response. Starting in v0.13.0, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from these authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be "offline_access". See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the "offline_access" scope. See the documentation of your OIDC provider's authorization and token endpoints for its requirements for what to include in the request in order to receive a refresh token in the response, if anything. By default, DoNotRequestOfflineAccess is false, which means that "offline_access" will be sent in the authorization request, since that is what is suggested by the OIDC specification. Note that it may be safe to send "offline_access" even to providers which do not require it, since the provider may ignore scopes that it does not understand or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the "offline_access" scope, set DoNotRequestOfflineAccess to true. This is required if your OIDC provider will reject the request when it includes "offline_access" (e.g. GitLab's OIDC provider). If you need to send some other scope to request a refresh token, include the scope name in the additionalScopes setting. Also note that some OIDC providers may require that the "prompt" param be set to a specific value for the authorization request during an OIDC Authorization Code Flow in order to receive a refresh token in the response. To adjust the prompt param, see the additionalAuthorizeParameters setting.
| *`additionalScopes`* __string array__ | AdditionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is always required according to the OIDC spec. The "offline_access" scope may also be included according to the value of the DoNotRequestOfflineAccess setting. Any other scopes required should be included here in the AdditionalScopes list. For example, you might like to include scopes like "profile", "email", or "groups" in order to receive the related claims in the returned ID token or userinfo endpoint results if you would like to make use of those claims in the OIDCClaims settings to determine the usernames and group memberships of your Kubernetes users. See your OIDC provider's documentation for more information about what scopes are available to request claims.
| *`extraAuthorizeParameters`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-parameter[$$Parameter$$] array__ | AdditionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id", "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be included in this setting. This setting does not influence the parameters sent to the token endpoint in the Resource Owner Password Credentials Grant. Starting in v0.13.0, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from the authorization flows. Some OIDC providers may require a certain value for the "prompt" parameter in order to properly request refresh tokens. See the documentation of your OIDC provider's authorization endpoint for its requirements for what to include in the request in order to receive a refresh token in the response, if anything. If your provider requires the prompt parameter to request a refresh token, then include it here. Also note that most providers also require a certain scope to be requested in order to receive refresh tokens. See the doNotRequestOfflineAccess setting for more information about using scopes to request refresh tokens.
| *`allowPasswordGrant`* __boolean__ | AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be convenient for users, especially for identities from your OIDC provider which are not intended to represent a human actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it, you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins. AllowPasswordGrant defaults to false. | *`allowPasswordGrant`* __boolean__ | AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be convenient for users, especially for identities from your OIDC provider which are not intended to represent a human actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it, you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins. AllowPasswordGrant defaults to false.
|=== |===
@ -1117,8 +1119,8 @@ OIDCClaims provides a mapping from upstream claims into identities.
[cols="25a,75a", options="header"] [cols="25a,75a", options="header"]
|=== |===
| Field | Description | Field | Description
| *`groups`* __string__ | Groups provides the name of the token claim that will be used to ascertain the groups to which an identity belongs. | *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
| *`username`* __string__ | Username provides the name of the token claim that will be used to ascertain an identity's username. | *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
|=== |===
@ -1164,7 +1166,7 @@ OIDCIdentityProvider describes the configuration of an upstream OpenID Connect i
[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec"] [id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec"]
==== OIDCIdentityProviderSpec ==== OIDCIdentityProviderSpec
Spec for configuring an OIDC identity provider. OIDCIdentityProviderSpec is the spec for configuring an OIDC identity provider.
.Appears In: .Appears In:
**** ****
@ -1185,7 +1187,7 @@ Spec for configuring an OIDC identity provider.
[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-oidcidentityproviderstatus"] [id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-oidcidentityproviderstatus"]
==== OIDCIdentityProviderStatus ==== OIDCIdentityProviderStatus
Status of an OIDC identity provider. OIDCIdentityProviderStatus is the status of an OIDC identity provider.
.Appears In: .Appears In:
**** ****
@ -1200,6 +1202,24 @@ Status of an OIDC identity provider.
|=== |===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-parameter"]
==== Parameter
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-oidcauthorizationconfig[$$OIDCAuthorizationConfig$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`name`* __string__ | The name of the parameter. Required.
| *`value`* __string__ | The value of the parameter.
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-tlsspec"] [id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-tlsspec"]
==== TLSSpec ==== TLSSpec

View File

@ -20,7 +20,7 @@ const (
PhaseError OIDCIdentityProviderPhase = "Error" PhaseError OIDCIdentityProviderPhase = "Error"
) )
// Status of an OIDC identity provider. // OIDCIdentityProviderStatus is the status of an OIDC identity provider.
type OIDCIdentityProviderStatus struct { type OIDCIdentityProviderStatus struct {
// Phase summarizes the overall status of the OIDCIdentityProvider. // Phase summarizes the overall status of the OIDCIdentityProvider.
// +kubebuilder:default=Pending // +kubebuilder:default=Pending
@ -38,14 +38,59 @@ type OIDCIdentityProviderStatus struct {
// OIDCAuthorizationConfig provides information about how to form the OAuth2 authorization // OIDCAuthorizationConfig provides information about how to form the OAuth2 authorization
// request parameters. // request parameters.
type OIDCAuthorizationConfig struct { type OIDCAuthorizationConfig struct {
// AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization // DoNotRequestOfflineAccess determines if the "offline_access" scope will be requested from your OIDC provider in
// request flow with an OIDC identity provider. // the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner
// In the case of a Resource Owner Password Credentials Grant flow, AdditionalScopes are the scopes // Password Credentials Grant in order to ask to receive a refresh token in the response. Starting in v0.13.0, the
// in addition to "openid" that will be requested as part of the token request (see also the allowPasswordGrant field). // Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from these
// By default, only the "openid" scope will be requested. // authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be "offline_access".
// See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the "offline_access"
// scope. See the documentation of your OIDC provider's authorization and token endpoints for its requirements for what
// to include in the request in order to receive a refresh token in the response, if anything. By default,
// DoNotRequestOfflineAccess is false, which means that "offline_access" will be sent in the authorization request,
// since that is what is suggested by the OIDC specification. Note that it may be safe to send "offline_access" even to
// providers which do not require it, since the provider may ignore scopes that it does not understand or require (see
// https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the
// "offline_access" scope, set DoNotRequestOfflineAccess to true. This is required if your OIDC provider will reject
// the request when it includes "offline_access" (e.g. GitLab's OIDC provider). If you need to send some other scope
// to request a refresh token, include the scope name in the additionalScopes setting. Also note that some OIDC
// providers may require that the "prompt" param be set to a specific value for the authorization request during an
// OIDC Authorization Code Flow in order to receive a refresh token in the response. To adjust the prompt param, see
// the additionalAuthorizeParameters setting.
// +optional
DoNotRequestOfflineAccess bool `json:"doNotRequestOfflineAccess,omitempty"`
// AdditionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization
// request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials
// Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is
// always required according to the OIDC spec. The "offline_access" scope may also be included according to the value
// of the DoNotRequestOfflineAccess setting. Any other scopes required should be included here in the AdditionalScopes
// list. For example, you might like to include scopes like "profile", "email", or "groups" in order to receive the
// related claims in the returned ID token or userinfo endpoint results if you would like to make use of those
// claims in the OIDCClaims settings to determine the usernames and group memberships of your Kubernetes users. See
// your OIDC provider's documentation for more information about what scopes are available to request claims.
// +optional // +optional
AdditionalScopes []string `json:"additionalScopes,omitempty"` AdditionalScopes []string `json:"additionalScopes,omitempty"`
// AdditionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your
// OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra
// parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id",
// "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be
// included in this setting. This setting does not influence the parameters sent to the token endpoint in the
// Resource Owner Password Credentials Grant. Starting in v0.13.0, the Pinniped Supervisor requires that your OIDC
// provider returns refresh tokens to the Supervisor from the authorization flows. Some OIDC providers may require
// a certain value for the "prompt" parameter in order to properly request refresh tokens. See the documentation of
// your OIDC provider's authorization endpoint for its requirements for what to include in the request in
// order to receive a refresh token in the response, if anything. If your provider requires the prompt parameter to
// request a refresh token, then include it here. Also note that most providers also require a certain scope to be
// requested in order to receive refresh tokens. See the doNotRequestOfflineAccess setting for more information about
// using scopes to request refresh tokens.
// +optional
// +patchMergeKey=name
// +patchStrategy=merge
// +listType=map
// +listMapKey=name
AdditionalAuthorizeParameters []Parameter `json:"extraAuthorizeParameters,omitempty"`
// AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant // AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant
// (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a // (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a
// username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. // username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow.
@ -66,15 +111,29 @@ type OIDCAuthorizationConfig struct {
AllowPasswordGrant bool `json:"allowPasswordGrant,omitempty"` AllowPasswordGrant bool `json:"allowPasswordGrant,omitempty"`
} }
// Parameter is a key/value pair which represents a parameter in an HTTP request.
type Parameter struct {
// The name of the parameter. Required.
// +kubebuilder:validation:MinLength=1
Name string `json:"name"`
// The value of the parameter.
// +optional
Value string `json:"value,omitempty"`
}
// OIDCClaims provides a mapping from upstream claims into identities. // OIDCClaims provides a mapping from upstream claims into identities.
type OIDCClaims struct { type OIDCClaims struct {
// Groups provides the name of the token claim that will be used to ascertain the groups to which // Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain
// an identity belongs. // the groups to which an identity belongs. By default, the identities will not include any group memberships when
// this setting is not configured.
// +optional // +optional
Groups string `json:"groups"` Groups string `json:"groups"`
// Username provides the name of the token claim that will be used to ascertain an identity's // Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to
// username. // ascertain an identity's username. When not set, the username will be an automatically constructed unique string
// which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from
// the ID token.
// +optional // +optional
Username string `json:"username"` Username string `json:"username"`
} }
@ -89,7 +148,7 @@ type OIDCClient struct {
SecretName string `json:"secretName"` SecretName string `json:"secretName"`
} }
// Spec for configuring an OIDC identity provider. // OIDCIdentityProviderSpec is the spec for configuring an OIDC identity provider.
type OIDCIdentityProviderSpec struct { type OIDCIdentityProviderSpec struct {
// Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch // Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch
// /.well-known/openid-configuration. // /.well-known/openid-configuration.
@ -135,7 +194,7 @@ type OIDCIdentityProvider struct {
Status OIDCIdentityProviderStatus `json:"status,omitempty"` Status OIDCIdentityProviderStatus `json:"status,omitempty"`
} }
// List of OIDCIdentityProvider objects. // OIDCIdentityProviderList lists OIDCIdentityProvider objects.
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type OIDCIdentityProviderList struct { type OIDCIdentityProviderList struct {
metav1.TypeMeta `json:",inline"` metav1.TypeMeta `json:",inline"`

View File

@ -416,6 +416,11 @@ func (in *OIDCAuthorizationConfig) DeepCopyInto(out *OIDCAuthorizationConfig) {
*out = make([]string, len(*in)) *out = make([]string, len(*in))
copy(*out, *in) copy(*out, *in)
} }
if in.AdditionalAuthorizeParameters != nil {
in, out := &in.AdditionalAuthorizeParameters, &out.AdditionalAuthorizeParameters
*out = make([]Parameter, len(*in))
copy(*out, *in)
}
return return
} }
@ -569,6 +574,22 @@ func (in *OIDCIdentityProviderStatus) DeepCopy() *OIDCIdentityProviderStatus {
return out return out
} }
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Parameter) DeepCopyInto(out *Parameter) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Parameter.
func (in *Parameter) DeepCopy() *Parameter {
if in == nil {
return nil
}
out := new(Parameter)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TLSSpec) DeepCopyInto(out *TLSSpec) { func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
*out = *in *out = *in

View File

@ -57,13 +57,22 @@ spec:
OIDC identity provider. OIDC identity provider.
properties: properties:
additionalScopes: additionalScopes:
description: AdditionalScopes are the scopes in addition to "openid" description: AdditionalScopes are the additional scopes that will
that will be requested as part of the authorization request be requested from your OIDC provider in the authorization request
flow with an OIDC identity provider. In the case of a Resource during an OIDC Authorization Code Flow and in the token request
Owner Password Credentials Grant flow, AdditionalScopes are during a Resource Owner Password Credentials Grant. Note that
the scopes in addition to "openid" that will be requested as the "openid" scope will always be requested regardless of the
part of the token request (see also the allowPasswordGrant field). value in this setting, since it is always required according
By default, only the "openid" scope will be requested. to the OIDC spec. The "offline_access" scope may also be included
according to the value of the DoNotRequestOfflineAccess setting.
Any other scopes required should be included here in the AdditionalScopes
list. For example, you might like to include scopes like "profile",
"email", or "groups" in order to receive the related claims
in the returned ID token or userinfo endpoint results if you
would like to make use of those claims in the OIDCClaims settings
to determine the usernames and group memberships of your Kubernetes
users. See your OIDC provider's documentation for more information
about what scopes are available to request claims.
items: items:
type: string type: string
type: array type: array
@ -97,18 +106,98 @@ spec:
during Resource Owner Password Credentials Grant logins. AllowPasswordGrant during Resource Owner Password Credentials Grant logins. AllowPasswordGrant
defaults to false. defaults to false.
type: boolean type: boolean
doNotRequestOfflineAccess:
description: DoNotRequestOfflineAccess determines if the "offline_access"
scope will be requested from your OIDC provider in the authorization
request during an OIDC Authorization Code Flow and in the token
request during a Resource Owner Password Credentials Grant in
order to ask to receive a refresh token in the response. Starting
in v0.13.0, the Pinniped Supervisor requires that your OIDC
provider returns refresh tokens to the Supervisor from these
authorization flows. For most OIDC providers, the scope required
to receive refresh tokens will be "offline_access". See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
for a description of the "offline_access" scope. See the documentation
of your OIDC provider's authorization and token endpoints for
its requirements for what to include in the request in order
to receive a refresh token in the response, if anything. By
default, DoNotRequestOfflineAccess is false, which means that
"offline_access" will be sent in the authorization request,
since that is what is suggested by the OIDC specification. Note
that it may be safe to send "offline_access" even to providers
which do not require it, since the provider may ignore scopes
that it does not understand or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3).
In the unusual case that you must avoid sending the "offline_access"
scope, set DoNotRequestOfflineAccess to true. This is required
if your OIDC provider will reject the request when it includes
"offline_access" (e.g. GitLab's OIDC provider). If you need
to send some other scope to request a refresh token, include
the scope name in the additionalScopes setting. Also note that
some OIDC providers may require that the "prompt" param be set
to a specific value for the authorization request during an
OIDC Authorization Code Flow in order to receive a refresh token
in the response. To adjust the prompt param, see the additionalAuthorizeParameters
setting.
type: boolean
extraAuthorizeParameters:
description: AdditionalAuthorizeParameters are extra query parameters
that should be included in the authorize request to your OIDC
provider in the authorization request during an OIDC Authorization
Code Flow. By default, no extra parameters are sent. The standard
parameters that will be sent are "response_type", "scope", "client_id",
"state", "nonce", "code_challenge", "code_challenge_method",
and "redirect_uri". These parameters cannot be included in this
setting. This setting does not influence the parameters sent
to the token endpoint in the Resource Owner Password Credentials
Grant. Starting in v0.13.0, the Pinniped Supervisor requires
that your OIDC provider returns refresh tokens to the Supervisor
from the authorization flows. Some OIDC providers may require
a certain value for the "prompt" parameter in order to properly
request refresh tokens. See the documentation of your OIDC provider's
authorization endpoint for its requirements for what to include
in the request in order to receive a refresh token in the response,
if anything. If your provider requires the prompt parameter
to request a refresh token, then include it here. Also note
that most providers also require a certain scope to be requested
in order to receive refresh tokens. See the doNotRequestOfflineAccess
setting for more information about using scopes to request refresh
tokens.
items:
description: Parameter is a key/value pair which represents
a parameter in an HTTP request.
properties:
name:
description: The name of the parameter. Required.
minLength: 1
type: string
value:
description: The value of the parameter.
type: string
required:
- name
type: object
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object type: object
claims: claims:
description: Claims provides the names of token claims that will be description: Claims provides the names of token claims that will be
used when inspecting an identity from this OIDC identity provider. used when inspecting an identity from this OIDC identity provider.
properties: properties:
groups: groups:
description: Groups provides the name of the token claim that description: Groups provides the name of the ID token claim or
will be used to ascertain the groups to which an identity belongs. userinfo endpoint response claim that will be used to ascertain
the groups to which an identity belongs. By default, the identities
will not include any group memberships when this setting is
not configured.
type: string type: string
username: username:
description: Username provides the name of the token claim that description: Username provides the name of the ID token claim
will be used to ascertain an identity's username. or userinfo endpoint response claim that will be used to ascertain
an identity's username. When not set, the username will be an
automatically constructed unique string which will include the
issuer URL of your OIDC provider along with the value of the
"sub" (subject) claim from the ID token.
type: string type: string
type: object type: object
client: client:

View File

@ -20,7 +20,7 @@ const (
PhaseError OIDCIdentityProviderPhase = "Error" PhaseError OIDCIdentityProviderPhase = "Error"
) )
// Status of an OIDC identity provider. // OIDCIdentityProviderStatus is the status of an OIDC identity provider.
type OIDCIdentityProviderStatus struct { type OIDCIdentityProviderStatus struct {
// Phase summarizes the overall status of the OIDCIdentityProvider. // Phase summarizes the overall status of the OIDCIdentityProvider.
// +kubebuilder:default=Pending // +kubebuilder:default=Pending
@ -38,14 +38,59 @@ type OIDCIdentityProviderStatus struct {
// OIDCAuthorizationConfig provides information about how to form the OAuth2 authorization // OIDCAuthorizationConfig provides information about how to form the OAuth2 authorization
// request parameters. // request parameters.
type OIDCAuthorizationConfig struct { type OIDCAuthorizationConfig struct {
// AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization // DoNotRequestOfflineAccess determines if the "offline_access" scope will be requested from your OIDC provider in
// request flow with an OIDC identity provider. // the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner
// In the case of a Resource Owner Password Credentials Grant flow, AdditionalScopes are the scopes // Password Credentials Grant in order to ask to receive a refresh token in the response. Starting in v0.13.0, the
// in addition to "openid" that will be requested as part of the token request (see also the allowPasswordGrant field). // Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from these
// By default, only the "openid" scope will be requested. // authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be "offline_access".
// See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the "offline_access"
// scope. See the documentation of your OIDC provider's authorization and token endpoints for its requirements for what
// to include in the request in order to receive a refresh token in the response, if anything. By default,
// DoNotRequestOfflineAccess is false, which means that "offline_access" will be sent in the authorization request,
// since that is what is suggested by the OIDC specification. Note that it may be safe to send "offline_access" even to
// providers which do not require it, since the provider may ignore scopes that it does not understand or require (see
// https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the
// "offline_access" scope, set DoNotRequestOfflineAccess to true. This is required if your OIDC provider will reject
// the request when it includes "offline_access" (e.g. GitLab's OIDC provider). If you need to send some other scope
// to request a refresh token, include the scope name in the additionalScopes setting. Also note that some OIDC
// providers may require that the "prompt" param be set to a specific value for the authorization request during an
// OIDC Authorization Code Flow in order to receive a refresh token in the response. To adjust the prompt param, see
// the additionalAuthorizeParameters setting.
// +optional
DoNotRequestOfflineAccess bool `json:"doNotRequestOfflineAccess,omitempty"`
// AdditionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization
// request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials
// Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is
// always required according to the OIDC spec. The "offline_access" scope may also be included according to the value
// of the DoNotRequestOfflineAccess setting. Any other scopes required should be included here in the AdditionalScopes
// list. For example, you might like to include scopes like "profile", "email", or "groups" in order to receive the
// related claims in the returned ID token or userinfo endpoint results if you would like to make use of those
// claims in the OIDCClaims settings to determine the usernames and group memberships of your Kubernetes users. See
// your OIDC provider's documentation for more information about what scopes are available to request claims.
// +optional // +optional
AdditionalScopes []string `json:"additionalScopes,omitempty"` AdditionalScopes []string `json:"additionalScopes,omitempty"`
// AdditionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your
// OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra
// parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id",
// "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be
// included in this setting. This setting does not influence the parameters sent to the token endpoint in the
// Resource Owner Password Credentials Grant. Starting in v0.13.0, the Pinniped Supervisor requires that your OIDC
// provider returns refresh tokens to the Supervisor from the authorization flows. Some OIDC providers may require
// a certain value for the "prompt" parameter in order to properly request refresh tokens. See the documentation of
// your OIDC provider's authorization endpoint for its requirements for what to include in the request in
// order to receive a refresh token in the response, if anything. If your provider requires the prompt parameter to
// request a refresh token, then include it here. Also note that most providers also require a certain scope to be
// requested in order to receive refresh tokens. See the doNotRequestOfflineAccess setting for more information about
// using scopes to request refresh tokens.
// +optional
// +patchMergeKey=name
// +patchStrategy=merge
// +listType=map
// +listMapKey=name
AdditionalAuthorizeParameters []Parameter `json:"extraAuthorizeParameters,omitempty"`
// AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant // AllowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant
// (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a // (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a
// username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. // username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow.
@ -66,15 +111,29 @@ type OIDCAuthorizationConfig struct {
AllowPasswordGrant bool `json:"allowPasswordGrant,omitempty"` AllowPasswordGrant bool `json:"allowPasswordGrant,omitempty"`
} }
// Parameter is a key/value pair which represents a parameter in an HTTP request.
type Parameter struct {
// The name of the parameter. Required.
// +kubebuilder:validation:MinLength=1
Name string `json:"name"`
// The value of the parameter.
// +optional
Value string `json:"value,omitempty"`
}
// OIDCClaims provides a mapping from upstream claims into identities. // OIDCClaims provides a mapping from upstream claims into identities.
type OIDCClaims struct { type OIDCClaims struct {
// Groups provides the name of the token claim that will be used to ascertain the groups to which // Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain
// an identity belongs. // the groups to which an identity belongs. By default, the identities will not include any group memberships when
// this setting is not configured.
// +optional // +optional
Groups string `json:"groups"` Groups string `json:"groups"`
// Username provides the name of the token claim that will be used to ascertain an identity's // Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to
// username. // ascertain an identity's username. When not set, the username will be an automatically constructed unique string
// which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from
// the ID token.
// +optional // +optional
Username string `json:"username"` Username string `json:"username"`
} }
@ -89,7 +148,7 @@ type OIDCClient struct {
SecretName string `json:"secretName"` SecretName string `json:"secretName"`
} }
// Spec for configuring an OIDC identity provider. // OIDCIdentityProviderSpec is the spec for configuring an OIDC identity provider.
type OIDCIdentityProviderSpec struct { type OIDCIdentityProviderSpec struct {
// Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch // Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch
// /.well-known/openid-configuration. // /.well-known/openid-configuration.
@ -135,7 +194,7 @@ type OIDCIdentityProvider struct {
Status OIDCIdentityProviderStatus `json:"status,omitempty"` Status OIDCIdentityProviderStatus `json:"status,omitempty"`
} }
// List of OIDCIdentityProvider objects. // OIDCIdentityProviderList lists OIDCIdentityProvider objects.
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type OIDCIdentityProviderList struct { type OIDCIdentityProviderList struct {
metav1.TypeMeta `json:",inline"` metav1.TypeMeta `json:",inline"`

View File

@ -416,6 +416,11 @@ func (in *OIDCAuthorizationConfig) DeepCopyInto(out *OIDCAuthorizationConfig) {
*out = make([]string, len(*in)) *out = make([]string, len(*in))
copy(*out, *in) copy(*out, *in)
} }
if in.AdditionalAuthorizeParameters != nil {
in, out := &in.AdditionalAuthorizeParameters, &out.AdditionalAuthorizeParameters
*out = make([]Parameter, len(*in))
copy(*out, *in)
}
return return
} }
@ -569,6 +574,22 @@ func (in *OIDCIdentityProviderStatus) DeepCopy() *OIDCIdentityProviderStatus {
return out return out
} }
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Parameter) DeepCopyInto(out *Parameter) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Parameter.
func (in *Parameter) DeepCopy() *Parameter {
if in == nil {
return nil
}
out := new(Parameter)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TLSSpec) DeepCopyInto(out *TLSSpec) { func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
*out = *in *out = *in

4
go.mod
View File

@ -17,7 +17,9 @@ require (
github.com/google/uuid v1.1.2 github.com/google/uuid v1.1.2
github.com/gorilla/securecookie v1.1.1 github.com/gorilla/securecookie v1.1.1
github.com/gorilla/websocket v1.4.2 github.com/gorilla/websocket v1.4.2
github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826
github.com/ory/fosite v0.40.2 github.com/ory/fosite v0.40.2
github.com/ory/x v0.0.212
github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4 github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4
github.com/pkg/errors v0.9.1 github.com/pkg/errors v0.9.1
github.com/sclevine/agouti v3.0.0+incompatible github.com/sclevine/agouti v3.0.0+incompatible
@ -96,12 +98,10 @@ require (
github.com/moby/spdystream v0.2.0 // indirect github.com/moby/spdystream v0.2.0 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.1 // indirect github.com/modern-go/reflect2 v1.0.1 // indirect
github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
github.com/ory/go-acc v0.2.6 // indirect github.com/ory/go-acc v0.2.6 // indirect
github.com/ory/go-convenience v0.1.0 // indirect github.com/ory/go-convenience v0.1.0 // indirect
github.com/ory/viper v1.7.5 // indirect github.com/ory/viper v1.7.5 // indirect
github.com/ory/x v0.0.212 // indirect
github.com/pborman/uuid v1.2.0 // indirect github.com/pborman/uuid v1.2.0 // indirect
github.com/pelletier/go-toml v1.9.3 // indirect github.com/pelletier/go-toml v1.9.3 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect

View File

@ -52,16 +52,36 @@ const (
oidcValidatorCacheTTL = 15 * time.Minute oidcValidatorCacheTTL = 15 * time.Minute
// Constants related to conditions. // Constants related to conditions.
typeClientCredentialsValid = "ClientCredentialsValid" typeClientCredentialsValid = "ClientCredentialsValid"
typeOIDCDiscoverySucceeded = "OIDCDiscoverySucceeded" typeAdditionalAuthorizeParametersValid = "AdditionalAuthorizeParametersValid"
typeOIDCDiscoverySucceeded = "OIDCDiscoverySucceeded"
reasonUnreachable = "Unreachable" reasonUnreachable = "Unreachable"
reasonInvalidResponse = "InvalidResponse" reasonInvalidResponse = "InvalidResponse"
reasonDisallowedParameterName = "DisallowedParameterName"
// Errors that are generated by our reconcile process. // Errors that are generated by our reconcile process.
errOIDCFailureStatus = constable.Error("OIDCIdentityProvider has a failing condition") errOIDCFailureStatus = constable.Error("OIDCIdentityProvider has a failing condition")
) )
var (
// Reject these AdditionalAuthorizeParameters to avoid allowing the user's config to overwrite the parameters
// that are always used by Pinniped in authcode authorization requests. The OIDC library used would otherwise
// happily treat the user's config as an override. Users can already set the "client_id" and "scope" params
// using other settings, and the others never make sense to override. This map should be treated as read-only
// since it is a global variable.
disallowedAdditionalAuthorizeParameters = map[string]bool{ //nolint: gochecknoglobals
"response_type": true,
"scope": true,
"client_id": true,
"state": true,
"nonce": true,
"code_challenge": true,
"code_challenge_method": true,
"redirect_uri": true,
}
)
// UpstreamOIDCIdentityProviderICache is a thread safe cache that holds a list of validated upstream OIDC IDP configurations. // UpstreamOIDCIdentityProviderICache is a thread safe cache that holds a list of validated upstream OIDC IDP configurations.
type UpstreamOIDCIdentityProviderICache interface { type UpstreamOIDCIdentityProviderICache interface {
SetOIDCIdentityProviders([]provider.UpstreamOIDCIdentityProviderI) SetOIDCIdentityProviders([]provider.UpstreamOIDCIdentityProviderI)
@ -167,21 +187,45 @@ func (c *oidcWatcherController) Sync(ctx controllerlib.Context) error {
// validateUpstream validates the provided v1alpha1.OIDCIdentityProvider and returns the validated configuration as a // validateUpstream validates the provided v1alpha1.OIDCIdentityProvider and returns the validated configuration as a
// provider.UpstreamOIDCIdentityProvider. As a side effect, it also updates the status of the v1alpha1.OIDCIdentityProvider. // provider.UpstreamOIDCIdentityProvider. As a side effect, it also updates the status of the v1alpha1.OIDCIdentityProvider.
func (c *oidcWatcherController) validateUpstream(ctx controllerlib.Context, upstream *v1alpha1.OIDCIdentityProvider) *upstreamoidc.ProviderConfig { func (c *oidcWatcherController) validateUpstream(ctx controllerlib.Context, upstream *v1alpha1.OIDCIdentityProvider) *upstreamoidc.ProviderConfig {
authorizationConfig := upstream.Spec.AuthorizationConfig
additionalAuthcodeAuthorizeParameters := map[string]string{}
var rejectedAuthcodeAuthorizeParameters []string
for _, p := range authorizationConfig.AdditionalAuthorizeParameters {
if disallowedAdditionalAuthorizeParameters[p.Name] {
rejectedAuthcodeAuthorizeParameters = append(rejectedAuthcodeAuthorizeParameters, p.Name)
} else {
additionalAuthcodeAuthorizeParameters[p.Name] = p.Value
}
}
result := upstreamoidc.ProviderConfig{ result := upstreamoidc.ProviderConfig{
Name: upstream.Name, Name: upstream.Name,
Config: &oauth2.Config{ Config: &oauth2.Config{
Scopes: computeScopes(upstream.Spec.AuthorizationConfig.AdditionalScopes), Scopes: computeScopes(authorizationConfig.AdditionalScopes, !authorizationConfig.DoNotRequestOfflineAccess),
}, },
UsernameClaim: upstream.Spec.Claims.Username, UsernameClaim: upstream.Spec.Claims.Username,
GroupsClaim: upstream.Spec.Claims.Groups, GroupsClaim: upstream.Spec.Claims.Groups,
AllowPasswordGrant: upstream.Spec.AuthorizationConfig.AllowPasswordGrant, AllowPasswordGrant: authorizationConfig.AllowPasswordGrant,
AdditionalAuthcodeParams: map[string]string{"prompt": "consent"}, AdditionalAuthcodeParams: additionalAuthcodeAuthorizeParameters,
ResourceUID: upstream.UID, ResourceUID: upstream.UID,
} }
conditions := []*v1alpha1.Condition{ conditions := []*v1alpha1.Condition{
c.validateSecret(upstream, &result), c.validateSecret(upstream, &result),
c.validateIssuer(ctx.Context, upstream, &result), c.validateIssuer(ctx.Context, upstream, &result),
} }
if len(rejectedAuthcodeAuthorizeParameters) > 0 {
// This condition probably isn't important enough to report when it is successful, so just report errors.
conditions = append(conditions, &v1alpha1.Condition{
Type: typeAdditionalAuthorizeParametersValid,
Status: v1alpha1.ConditionFalse,
Reason: reasonDisallowedParameterName,
Message: fmt.Sprintf("the following additionalAuthorizeParameters are not allowed: %s",
strings.Join(rejectedAuthcodeAuthorizeParameters, ",")),
})
}
c.updateStatus(ctx.Context, upstream, conditions) c.updateStatus(ctx.Context, upstream, conditions)
valid := true valid := true
@ -372,11 +416,13 @@ func getTLSConfig(upstream *v1alpha1.OIDCIdentityProvider) (*tls.Config, error)
return &result, nil return &result, nil
} }
func computeScopes(additionalScopes []string) []string { func computeScopes(additionalScopes []string, includeOfflineAccess bool) []string {
// First compute the unique set of scopes, including "openid" (de-duplicate). // First compute the unique set of scopes, including "openid" (de-duplicate).
set := make(map[string]bool, len(additionalScopes)+1) set := make(map[string]bool, len(additionalScopes)+1)
set["openid"] = true set["openid"] = true
set["offline_access"] = true if includeOfflineAccess {
set["offline_access"] = true
}
for _, s := range additionalScopes { for _, s := range additionalScopes {
set[s] = true set[s] = true
} }

View File

@ -124,8 +124,9 @@ func TestOIDCUpstreamWatcherControllerSync(t *testing.T) {
testName = "test-name" testName = "test-name"
testSecretName = "test-client-secret" testSecretName = "test-client-secret"
testAdditionalScopes = []string{"scope1", "scope2", "scope3"} testAdditionalScopes = []string{"scope1", "scope2", "scope3"}
testExpectedScopes = []string{"offline_access", "openid", "scope1", "scope2", "scope3"} testExpectedScopes = []string{"openid", "scope1", "scope2", "scope3"}
testExpectedAdditionalParams = map[string]string{"prompt": "consent"} testAdditionalParams = []v1alpha1.Parameter{{Name: "prompt", Value: "consent"}, {Name: "foo", Value: "bar"}}
testExpectedAdditionalParams = map[string]string{"prompt": "consent", "foo": "bar"}
testClientID = "test-oidc-client-id" testClientID = "test-oidc-client-id"
testClientSecret = "test-oidc-client-secret" testClientSecret = "test-oidc-client-secret"
testValidSecretData = map[string][]byte{"clientID": []byte(testClientID), "clientSecret": []byte(testClientSecret)} testValidSecretData = map[string][]byte{"clientID": []byte(testClientID), "clientSecret": []byte(testClientSecret)}
@ -150,10 +151,9 @@ func TestOIDCUpstreamWatcherControllerSync(t *testing.T) {
inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{ inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName}, ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Spec: v1alpha1.OIDCIdentityProviderSpec{ Spec: v1alpha1.OIDCIdentityProviderSpec{
Issuer: testIssuerURL, Issuer: testIssuerURL,
TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64}, TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64},
Client: v1alpha1.OIDCClient{SecretName: testSecretName}, Client: v1alpha1.OIDCClient{SecretName: testSecretName},
AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: testAdditionalScopes},
}, },
}}, }},
inputSecrets: []runtime.Object{}, inputSecrets: []runtime.Object{},
@ -192,10 +192,9 @@ func TestOIDCUpstreamWatcherControllerSync(t *testing.T) {
inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{ inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName}, ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Spec: v1alpha1.OIDCIdentityProviderSpec{ Spec: v1alpha1.OIDCIdentityProviderSpec{
Issuer: testIssuerURL, Issuer: testIssuerURL,
TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64}, TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64},
Client: v1alpha1.OIDCClient{SecretName: testSecretName}, Client: v1alpha1.OIDCClient{SecretName: testSecretName},
AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: testAdditionalScopes},
}, },
}}, }},
inputSecrets: []runtime.Object{&corev1.Secret{ inputSecrets: []runtime.Object{&corev1.Secret{
@ -238,10 +237,9 @@ func TestOIDCUpstreamWatcherControllerSync(t *testing.T) {
inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{ inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName}, ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Spec: v1alpha1.OIDCIdentityProviderSpec{ Spec: v1alpha1.OIDCIdentityProviderSpec{
Issuer: testIssuerURL, Issuer: testIssuerURL,
TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64}, TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64},
Client: v1alpha1.OIDCClient{SecretName: testSecretName}, Client: v1alpha1.OIDCClient{SecretName: testSecretName},
AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: testAdditionalScopes},
}, },
}}, }},
inputSecrets: []runtime.Object{&corev1.Secret{ inputSecrets: []runtime.Object{&corev1.Secret{
@ -287,8 +285,7 @@ func TestOIDCUpstreamWatcherControllerSync(t *testing.T) {
TLS: &v1alpha1.TLSSpec{ TLS: &v1alpha1.TLSSpec{
CertificateAuthorityData: "invalid-base64", CertificateAuthorityData: "invalid-base64",
}, },
Client: v1alpha1.OIDCClient{SecretName: testSecretName}, Client: v1alpha1.OIDCClient{SecretName: testSecretName},
AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: append(testAdditionalScopes, "xyz", "openid")},
}, },
}}, }},
inputSecrets: []runtime.Object{&corev1.Secret{ inputSecrets: []runtime.Object{&corev1.Secret{
@ -335,8 +332,7 @@ func TestOIDCUpstreamWatcherControllerSync(t *testing.T) {
TLS: &v1alpha1.TLSSpec{ TLS: &v1alpha1.TLSSpec{
CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte("not-a-pem-ca-bundle")), CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte("not-a-pem-ca-bundle")),
}, },
Client: v1alpha1.OIDCClient{SecretName: testSecretName}, Client: v1alpha1.OIDCClient{SecretName: testSecretName},
AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: append(testAdditionalScopes, "xyz", "openid")},
}, },
}}, }},
inputSecrets: []runtime.Object{&corev1.Secret{ inputSecrets: []runtime.Object{&corev1.Secret{
@ -379,9 +375,8 @@ func TestOIDCUpstreamWatcherControllerSync(t *testing.T) {
inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{ inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName}, ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Spec: v1alpha1.OIDCIdentityProviderSpec{ Spec: v1alpha1.OIDCIdentityProviderSpec{
Issuer: "invalid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee", Issuer: "invalid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee",
Client: v1alpha1.OIDCClient{SecretName: testSecretName}, Client: v1alpha1.OIDCClient{SecretName: testSecretName},
AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: testAdditionalScopes},
}, },
}}, }},
inputSecrets: []runtime.Object{&corev1.Secret{ inputSecrets: []runtime.Object{&corev1.Secret{
@ -426,10 +421,9 @@ Get "invalid-url-that-is-really-really-long-nanananananananannanananan-batman-na
inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{ inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName}, ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Spec: v1alpha1.OIDCIdentityProviderSpec{ Spec: v1alpha1.OIDCIdentityProviderSpec{
Issuer: testIssuerURL + "/valid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee", Issuer: testIssuerURL + "/valid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee",
TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: wrongCABase64}, TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: wrongCABase64},
Client: v1alpha1.OIDCClient{SecretName: testSecretName}, Client: v1alpha1.OIDCClient{SecretName: testSecretName},
AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: testAdditionalScopes},
}, },
}}, }},
inputSecrets: []runtime.Object{&corev1.Secret{ inputSecrets: []runtime.Object{&corev1.Secret{
@ -474,10 +468,9 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana
inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{ inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName}, ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Spec: v1alpha1.OIDCIdentityProviderSpec{ Spec: v1alpha1.OIDCIdentityProviderSpec{
Issuer: testIssuerURL + "/invalid", Issuer: testIssuerURL + "/invalid",
TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64}, TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64},
Client: v1alpha1.OIDCClient{SecretName: testSecretName}, Client: v1alpha1.OIDCClient{SecretName: testSecretName},
AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: testAdditionalScopes},
}, },
}}, }},
inputSecrets: []runtime.Object{&corev1.Secret{ inputSecrets: []runtime.Object{&corev1.Secret{
@ -520,10 +513,9 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana
inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{ inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName}, ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Spec: v1alpha1.OIDCIdentityProviderSpec{ Spec: v1alpha1.OIDCIdentityProviderSpec{
Issuer: testIssuerURL + "/insecure", Issuer: testIssuerURL + "/insecure",
TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64}, TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64},
Client: v1alpha1.OIDCClient{SecretName: testSecretName}, Client: v1alpha1.OIDCClient{SecretName: testSecretName},
AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: testAdditionalScopes},
}, },
}}, }},
inputSecrets: []runtime.Object{&corev1.Secret{ inputSecrets: []runtime.Object{&corev1.Secret{
@ -570,7 +562,7 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana
TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64}, TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64},
Client: v1alpha1.OIDCClient{SecretName: testSecretName}, Client: v1alpha1.OIDCClient{SecretName: testSecretName},
AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{ AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{
AdditionalScopes: append(testAdditionalScopes, "xyz", "openid", "offline_access"), AdditionalScopes: append(testAdditionalScopes, "xyz", "openid", "offline_access"), // adds openid and offline_access unnecessarily
AllowPasswordGrant: true, AllowPasswordGrant: true,
}, },
Claims: v1alpha1.OIDCClaims{Groups: testGroupsClaim, Username: testUsernameClaim}, Claims: v1alpha1.OIDCClaims{Groups: testGroupsClaim, Username: testUsernameClaim},
@ -597,11 +589,11 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana
Name: testName, Name: testName,
ClientID: testClientID, ClientID: testClientID,
AuthorizationURL: *testIssuerAuthorizeURL, AuthorizationURL: *testIssuerAuthorizeURL,
Scopes: append(testExpectedScopes, "xyz"), Scopes: append(testExpectedScopes, "offline_access", "xyz"), // includes offline_access only once
UsernameClaim: testUsernameClaim, UsernameClaim: testUsernameClaim,
GroupsClaim: testGroupsClaim, GroupsClaim: testGroupsClaim,
AllowPasswordGrant: true, AllowPasswordGrant: true,
AdditionalAuthcodeParams: testExpectedAdditionalParams, AdditionalAuthcodeParams: map[string]string{},
ResourceUID: testUID, ResourceUID: testUID,
}, },
}, },
@ -624,9 +616,65 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana
Issuer: testIssuerURL, Issuer: testIssuerURL,
TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64}, TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64},
Client: v1alpha1.OIDCClient{SecretName: testSecretName}, Client: v1alpha1.OIDCClient{SecretName: testSecretName},
Claims: v1alpha1.OIDCClaims{Groups: testGroupsClaim, Username: testUsernameClaim},
AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{ AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{
AdditionalScopes: testAdditionalScopes, AdditionalScopes: testAdditionalScopes, // does not include offline_access
AllowPasswordGrant: false, },
},
Status: v1alpha1.OIDCIdentityProviderStatus{
Phase: "Ready",
Conditions: []v1alpha1.Condition{
{Type: "ClientCredentialsValid", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "loaded client credentials"},
{Type: "OIDCDiscoverySucceeded", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "discovered issuer configuration"},
},
},
}},
inputSecrets: []runtime.Object{&corev1.Secret{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testSecretName},
Type: "secrets.pinniped.dev/oidc-client",
Data: testValidSecretData,
}},
wantLogs: []string{
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid"`,
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="discovered issuer configuration" "reason"="Success" "status"="True" "type"="OIDCDiscoverySucceeded"`,
},
wantResultingCache: []provider.UpstreamOIDCIdentityProviderI{
&oidctestutil.TestUpstreamOIDCIdentityProvider{
Name: testName,
ClientID: testClientID,
AuthorizationURL: *testIssuerAuthorizeURL,
Scopes: append(testExpectedScopes, "offline_access"), // gets offline_access by default
UsernameClaim: testUsernameClaim,
GroupsClaim: testGroupsClaim,
AllowPasswordGrant: false,
AdditionalAuthcodeParams: map[string]string{},
ResourceUID: testUID,
},
},
wantResultingUpstreams: []v1alpha1.OIDCIdentityProvider{{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
Status: v1alpha1.OIDCIdentityProviderStatus{
Phase: "Ready",
Conditions: []v1alpha1.Condition{
{Type: "ClientCredentialsValid", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "loaded client credentials", ObservedGeneration: 1234},
{Type: "OIDCDiscoverySucceeded", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "discovered issuer configuration", ObservedGeneration: 1234},
},
},
}},
},
{
name: "existing valid upstream with trailing slash and more optional settings",
inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
Spec: v1alpha1.OIDCIdentityProviderSpec{
Issuer: testIssuerURL + "/ends-with-slash/",
TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64},
Client: v1alpha1.OIDCClient{SecretName: testSecretName},
AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{
DoNotRequestOfflineAccess: true,
AdditionalScopes: testAdditionalScopes,
AdditionalAuthorizeParameters: testAdditionalParams,
AllowPasswordGrant: true,
}, },
Claims: v1alpha1.OIDCClaims{Groups: testGroupsClaim, Username: testUsernameClaim}, Claims: v1alpha1.OIDCClaims{Groups: testGroupsClaim, Username: testUsernameClaim},
}, },
@ -652,10 +700,10 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana
Name: testName, Name: testName,
ClientID: testClientID, ClientID: testClientID,
AuthorizationURL: *testIssuerAuthorizeURL, AuthorizationURL: *testIssuerAuthorizeURL,
Scopes: testExpectedScopes, Scopes: testExpectedScopes, // does not include offline_access
UsernameClaim: testUsernameClaim, UsernameClaim: testUsernameClaim,
GroupsClaim: testGroupsClaim, GroupsClaim: testGroupsClaim,
AllowPasswordGrant: false, AllowPasswordGrant: true,
AdditionalAuthcodeParams: testExpectedAdditionalParams, AdditionalAuthcodeParams: testExpectedAdditionalParams,
ResourceUID: testUID, ResourceUID: testUID,
}, },
@ -672,21 +720,25 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana
}}, }},
}, },
{ {
name: "existing valid upstream with trailing slash", name: "has disallowed additionalAuthorizeParams keys",
inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{ inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
Spec: v1alpha1.OIDCIdentityProviderSpec{ Spec: v1alpha1.OIDCIdentityProviderSpec{
Issuer: testIssuerURL + "/ends-with-slash/", Issuer: testIssuerURL,
TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64}, TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64},
Client: v1alpha1.OIDCClient{SecretName: testSecretName}, Client: v1alpha1.OIDCClient{SecretName: testSecretName},
AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: testAdditionalScopes}, AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{
Claims: v1alpha1.OIDCClaims{Groups: testGroupsClaim, Username: testUsernameClaim}, AdditionalAuthorizeParameters: []v1alpha1.Parameter{
}, {Name: "response_type", Value: "foo"},
Status: v1alpha1.OIDCIdentityProviderStatus{ {Name: "scope", Value: "foo"},
Phase: "Ready", {Name: "client_id", Value: "foo"},
Conditions: []v1alpha1.Condition{ {Name: "state", Value: "foo"},
{Type: "ClientCredentialsValid", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "loaded client credentials"}, {Name: "nonce", Value: "foo"},
{Type: "OIDCDiscoverySucceeded", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "discovered issuer configuration"}, {Name: "code_challenge", Value: "foo"},
{Name: "code_challenge_method", Value: "foo"},
{Name: "redirect_uri", Value: "foo"},
{Name: "this_one_is_allowed", Value: "foo"},
},
}, },
}, },
}}, }},
@ -695,30 +747,24 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana
Type: "secrets.pinniped.dev/oidc-client", Type: "secrets.pinniped.dev/oidc-client",
Data: testValidSecretData, Data: testValidSecretData,
}}, }},
wantErr: controllerlib.ErrSyntheticRequeue.Error(),
wantLogs: []string{ wantLogs: []string{
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid"`, `oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid"`,
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="discovered issuer configuration" "reason"="Success" "status"="True" "type"="OIDCDiscoverySucceeded"`, `oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="discovered issuer configuration" "reason"="Success" "status"="True" "type"="OIDCDiscoverySucceeded"`,
`oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="the following additionalAuthorizeParameters are not allowed: response_type,scope,client_id,state,nonce,code_challenge,code_challenge_method,redirect_uri" "reason"="DisallowedParameterName" "status"="False" "type"="AdditionalAuthorizeParametersValid"`,
`oidc-upstream-observer "msg"="found failing condition" "error"="OIDCIdentityProvider has a failing condition" "message"="the following additionalAuthorizeParameters are not allowed: response_type,scope,client_id,state,nonce,code_challenge,code_challenge_method,redirect_uri" "name"="test-name" "namespace"="test-namespace" "reason"="DisallowedParameterName" "type"="AdditionalAuthorizeParametersValid"`,
}, },
wantResultingCache: []provider.UpstreamOIDCIdentityProviderI{ wantResultingCache: []provider.UpstreamOIDCIdentityProviderI{},
&oidctestutil.TestUpstreamOIDCIdentityProvider{
Name: testName,
ClientID: testClientID,
AuthorizationURL: *testIssuerAuthorizeURL,
Scopes: testExpectedScopes,
UsernameClaim: testUsernameClaim,
GroupsClaim: testGroupsClaim,
AllowPasswordGrant: false,
AdditionalAuthcodeParams: testExpectedAdditionalParams,
ResourceUID: testUID,
},
},
wantResultingUpstreams: []v1alpha1.OIDCIdentityProvider{{ wantResultingUpstreams: []v1alpha1.OIDCIdentityProvider{{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID}, ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234, UID: testUID},
Status: v1alpha1.OIDCIdentityProviderStatus{ Status: v1alpha1.OIDCIdentityProviderStatus{
Phase: "Ready", Phase: "Error",
Conditions: []v1alpha1.Condition{ Conditions: []v1alpha1.Condition{
{Type: "ClientCredentialsValid", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "loaded client credentials", ObservedGeneration: 1234}, {Type: "AdditionalAuthorizeParametersValid", Status: "False", LastTransitionTime: now, Reason: "DisallowedParameterName",
{Type: "OIDCDiscoverySucceeded", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "discovered issuer configuration", ObservedGeneration: 1234}, Message: "the following additionalAuthorizeParameters are not allowed: " +
"response_type,scope,client_id,state,nonce,code_challenge,code_challenge_method,redirect_uri", ObservedGeneration: 1234},
{Type: "ClientCredentialsValid", Status: "True", LastTransitionTime: now, Reason: "Success", Message: "loaded client credentials", ObservedGeneration: 1234},
{Type: "OIDCDiscoverySucceeded", Status: "True", LastTransitionTime: now, Reason: "Success", Message: "discovered issuer configuration", ObservedGeneration: 1234},
}, },
}, },
}}, }},
@ -728,10 +774,9 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana
inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{ inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName}, ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Spec: v1alpha1.OIDCIdentityProviderSpec{ Spec: v1alpha1.OIDCIdentityProviderSpec{
Issuer: testIssuerURL + "/ends-with-slash", Issuer: testIssuerURL + "/ends-with-slash",
TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64}, TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64},
Client: v1alpha1.OIDCClient{SecretName: testSecretName}, Client: v1alpha1.OIDCClient{SecretName: testSecretName},
AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: testAdditionalScopes},
}, },
}}, }},
inputSecrets: []runtime.Object{&corev1.Secret{ inputSecrets: []runtime.Object{&corev1.Secret{
@ -776,10 +821,9 @@ oidc: issuer did not match the issuer returned by provider, expected "` + testIs
inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{ inputUpstreams: []runtime.Object{&v1alpha1.OIDCIdentityProvider{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName}, ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName},
Spec: v1alpha1.OIDCIdentityProviderSpec{ Spec: v1alpha1.OIDCIdentityProviderSpec{
Issuer: testIssuerURL + "/", Issuer: testIssuerURL + "/",
TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64}, TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64},
Client: v1alpha1.OIDCClient{SecretName: testSecretName}, Client: v1alpha1.OIDCClient{SecretName: testSecretName},
AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: testAdditionalScopes},
}, },
}}, }},
inputSecrets: []runtime.Object{&corev1.Secret{ inputSecrets: []runtime.Object{&corev1.Secret{

View File

@ -85,12 +85,20 @@ spec:
# Specify the upstream issuer URL (no trailing slash). # Specify the upstream issuer URL (no trailing slash).
issuer: https://<dex-dns-record> issuer: https://<dex-dns-record>
# Request any scopes other than "openid" for claims besides # Specify how to form authorization requests to Dex.
# the default claims in your token. The "openid" scope is always
# included.
authorizationConfig: authorizationConfig:
# Request any scopes other than "openid" for claims besides
# the default claims in your token. The "openid" scope is always
# included.
additionalScopes: [groups, email] additionalScopes: [groups, email]
# If you would also like to allow your end users to authenticate using
# a password grant, then change this to true.
# Password grants with Dex will only work in Dex versions that include
# this bug fix: https://github.com/dexidp/dex/pull/2234
allowPasswordGrant: false
# Specify how Dex claims are mapped to Kubernetes identities. # Specify how Dex claims are mapped to Kubernetes identities.
claims: claims:
# Specify the name of the claim in your Dex ID token that will be mapped # Specify the name of the claim in your Dex ID token that will be mapped

View File

@ -30,8 +30,14 @@ For example, to create a user-owned application:
1. Create a new application: 1. Create a new application:
1. Enter a name for your application, such as "My Kubernetes Clusters". 1. Enter a name for your application, such as "My Kubernetes Clusters".
1. Enter the redirect URI. This is the `spec.issuer` you configured in your `FederationDomain` appended with `/callback`. 1. Enter the redirect URI. This is the `spec.issuer` you configured in your `FederationDomain` appended with `/callback`.
1. Check the box saying that the application is _Confidential_. 1. Check the box saying that the application is _Confidential_. This is required and will cause GitLab to autogenerate
1. Select scope `openid`. This provides access to the `nickname` (GitLab username) and `groups` (GitLab groups) claims. a client ID and client secret for your application.
1. Check the box saying to _Expire Access Tokens_ to cause refresh tokens to be returned to the Supervisor. This is
required starting in Pinniped v0.13.0.
1. Select scope `openid`. This is required to get ID tokens. Also, this provides access to the `nickname` (GitLab username)
and `groups` (GitLab groups) claims in the ID tokens.
1. Optionally select other scopes which might provide access to other claims that you might want to use to determine
the usernames of your users, for example `email`.
1. Save the application and make note of the _Application ID_ and _Secret_. 1. Save the application and make note of the _Application ID_ and _Secret_.
## Configure the Supervisor cluster ## Configure the Supervisor cluster
@ -51,6 +57,19 @@ spec:
# Specify the upstream issuer URL. # Specify the upstream issuer URL.
issuer: https://gitlab.com issuer: https://gitlab.com
# Specify how to form authorization requests to GitLab.
authorizationConfig:
# GitLab is unusual among OIDC providers in that it returns an
# error if you request the "offline_access" scope during an
# authorization flow, so ask Pinniped to avoid requesting that
# scope when using GitLab.
doNotRequestOfflineAccess: true
# If you would also like to allow your end users to authenticate using
# a password grant, then change this to true.
allowPasswordGrant: false
# Specify how GitLab claims are mapped to Kubernetes identities. # Specify how GitLab claims are mapped to Kubernetes identities.
claims: claims:

View File

@ -32,11 +32,18 @@ For example, to create an app:
1. Create a new app: 1. Create a new app:
1. Click `Create App Integration`. 1. Click `Create App Integration`.
1. For `Sign-on method`, select `OIDC`. 1. For `Sign-on method`, select `OIDC`.
1. For `Application type`, app `Web Application`, then click next. 1. For `Application type`, app `Web Application`, then click next. Only if you would like to offer the
password grant flow to your end users, then choose `Native Application` instead.
1. Enter a name for your app, such as "My Kubernetes Clusters". 1. Enter a name for your app, such as "My Kubernetes Clusters".
1. If you chose to create a `Web Application` then in the General Settings section, choose Grant Types
`Authorization Code` and `Refresh Token`. Starting in Pinniped v0.13.0, the `Refresh Token` grant is required.
1. If you chose `Native Application` then in the General Settings section, choose Grant Types `Authorization Code`,
`Refresh Token`, and `Resource Owner Password`. Starting in Pinniped v0.13.0, the `Refresh Token` grant is required.
1. Enter the sign-in redirect URI. This is the `spec.issuer` you configured in your `FederationDomain` appended with `/callback`. 1. Enter the sign-in redirect URI. This is the `spec.issuer` you configured in your `FederationDomain` appended with `/callback`.
1. Optionally select `Limit access to selected groups` to restrict which Okta users can log in to Kubernetes using this integration. 1. Optionally select `Limit access to selected groups` to restrict which Okta users can log in to Kubernetes using this integration.
1. Save the app and make note of the _Client ID_ and _Client secret_. 1. Save the app and make note of the _Client ID_ and _Client secret_. If you chose to create a `Native Application`
then there is an extra step required to get a client secret: after saving the app, in the
Client Credentials section click `Edit`, choose `Use Client Authentication`, and click `Save`.
1. Navigate to the _Sign On_ tab > _OpenID Connect ID Token_ and click `Edit`. Fill in the Groups claim filter. 1. Navigate to the _Sign On_ tab > _OpenID Connect ID Token_ and click `Edit`. Fill in the Groups claim filter.
For example, for all groups to be present under the claim name `groups`, fill in "groups" in the first box, then select "Matches regex" and ".*". For example, for all groups to be present under the claim name `groups`, fill in "groups" in the first box, then select "Matches regex" and ".*".
@ -54,18 +61,26 @@ metadata:
name: okta name: okta
spec: spec:
# Specify the upstream issuer URL (no trailing slash). # Specify the upstream issuer URL (no trailing slash). Change this to be the
# actual issuer provided by your Okta account.
issuer: https://my-company.okta.com issuer: https://my-company.okta.com
# Request any scopes other than "openid" for claims besides # Specify how to form authorization requests to Okta.
# the default claims in your token. The "openid" scope is always
# included.
#
# To learn more about how to customize the claims returned, see here:
# https://developer.okta.com/docs/guides/customize-tokens-returned-from-okta/overview/
authorizationConfig: authorizationConfig:
# Request any scopes other than "openid" for claims besides
# the default claims in your token. The "openid" scope is always
# included.
#
# To learn more about how to customize the claims returned, see here:
# https://developer.okta.com/docs/guides/customize-tokens-returned-from-okta/overview/
additionalScopes: [groups, email] additionalScopes: [groups, email]
# If you would also like to allow your end users to authenticate using
# a password grant, then change this to true. Password grants only work
# with applications created in Okta as "Native Applications".
allowPasswordGrant: false
# Specify how Okta claims are mapped to Kubernetes identities. # Specify how Okta claims are mapped to Kubernetes identities.
claims: claims: