From ded28dff158707c743afdde0d96a2cdf3139a7d0 Mon Sep 17 00:00:00 2001
From: Margo Crawford
Date: Fri, 11 Dec 2020 16:15:50 -0800
Subject: [PATCH] Update the fosite settings

- AudienceMatchingStrategy: we want to use the default matcher from fosite, so remove that line
- AllowedPromptValues: We can use the default if we add a small change to the auth_handler.go to account for it (in a future commit)
- MinParameterEntropy: Use the fosite default to make it more likely that off the shelf OIDC clients can work with the supervisor

Signed-off-by: Ryan Richard
---
 internal/oidc/oidc.go | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/internal/oidc/oidc.go b/internal/oidc/oidc.go
index 76600470..69ee1dfa 100644
--- a/internal/oidc/oidc.go
+++ b/internal/oidc/oidc.go
@@ -199,12 +199,20 @@ func FositeOauth2Helper(
 		AccessTokenLifespan:  timeoutsConfiguration.AccessTokenLifespan,
 		RefreshTokenLifespan: timeoutsConfiguration.RefreshTokenLifespan,
-		ScopeStrategy:            fosite.ExactScopeStrategy,
-		AudienceMatchingStrategy: nil,
-		EnforcePKCE:              true,
-		AllowedPromptValues:      []string{"none"}, // TODO unclear what we should set here
-		RefreshTokenScopes:       []string{coreosoidc.ScopeOfflineAccess}, // as per https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
-		MinParameterEntropy:      32, // TODO is 256 bits too high?
+		ScopeStrategy: fosite.ExactScopeStrategy,
+		EnforcePKCE:   true,
+
+		// "offline_access" as per https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
+		RefreshTokenScopes: []string{coreosoidc.ScopeOfflineAccess},
+
+		// The default is to support all prompt values from the spec.
+		// See https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
+		// We'll make a best effort to support these by passing the value of this prompt param to the upstream IDP
+		// and rely on its implementation of this param.
+		AllowedPromptValues: nil,
+
+		// Use the fosite default to make it more likely that off the shelf OIDC clients can work with the supervisor.
+		MinParameterEntropy: fosite.MinParameterEntropy,
 	}
 	return compose.Compose(
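Review bot: The new comment on `MinParameterEntropy` explains why the minimum is being lowered but not what it governs or what compensates for it; this setting is the minimum length fosite accepts for a downstream client's `state` and `nonce` parameters, so moving from 32 to the fosite default (8 characters in current fosite, if I recall the constant correctly) lowers the bar for the CSRF token and replay nonce that clients supply. That is probably acceptable here because `EnforcePKCE: true` a few lines up binds the authorization code to the client's `code_verifier`, which covers much of what `state` defends against, but the comment should record that reasoning: `// Lowering this from 32 relaxes the minimum length of the client-supplied state and nonce; acceptable because PKCE is enforced above, which independently ties the issued code to the requesting client.` Separately, `AllowedPromptValues: nil` makes fosite accept every spec prompt value (including `none` and `login`, as I read fosite's default) immediately, while the auth_handler change that forwards the value upstream is deferred to a future commit, so in the interim a `prompt=none` request would presumably be sent through the normal interactive upstream redirect instead of failing with `login_required`; worth noting that window in the comment or landing both changes together. The `compose.Config` literal these fields belong to opens before this hunk and `FositeOauth2Helper` continues after it.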