From ded28dff158707c743afdde0d96a2cdf3139a7d0 Mon Sep 17 00:00:00 2001
From: Margo Crawford <margaretc@vmware.com>
Date: Fri, 11 Dec 2020 16:15:50 -0800
Subject: [PATCH] Update the fosite settings

- AudienceMatchingStrategy: we want to use the default matcher from
  fosite, so remove that line
- AllowedPromptValues: We can use the default if we add a small
  change to the auth_handler.go to account for it (in a future commit)
- MinParameterEntropy: Use the fosite default to make it more likely
  that off the shelf OIDC clients can work with the supervisor

Signed-off-by: Ryan Richard <richardry@vmware.com>
---
 internal/oidc/oidc.go | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/internal/oidc/oidc.go b/internal/oidc/oidc.go
index 76600470..69ee1dfa 100644
--- a/internal/oidc/oidc.go
+++ b/internal/oidc/oidc.go
@@ -199,12 +199,20 @@ func FositeOauth2Helper(
 		AccessTokenLifespan:   timeoutsConfiguration.AccessTokenLifespan,
 		RefreshTokenLifespan:  timeoutsConfiguration.RefreshTokenLifespan,
 
-		ScopeStrategy:            fosite.ExactScopeStrategy,
-		AudienceMatchingStrategy: nil,
-		EnforcePKCE:              true,
-		AllowedPromptValues:      []string{"none"},                        // TODO unclear what we should set here
-		RefreshTokenScopes:       []string{coreosoidc.ScopeOfflineAccess}, // as per https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
-		MinParameterEntropy:      32,                                      // TODO is 256 bits too high?
+		ScopeStrategy: fosite.ExactScopeStrategy,
+		EnforcePKCE:   true,
+
+		// "offline_access" as per https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
+		RefreshTokenScopes: []string{coreosoidc.ScopeOfflineAccess},
+
+		// The default is to support all prompt values from the spec.
+		// See https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
+		// We'll make a best effort to support these by passing the value of this prompt param to the upstream IDP
+		// and rely on its implementation of this param.
+		AllowedPromptValues: nil,
+
+		// Use the fosite default to make it more likely that off the shelf OIDC clients can work with the supervisor.
+		MinParameterEntropy: fosite.MinParameterEntropy,
 	}
 
 	return compose.Compose(