Update the fosite settings
- AudienceMatchingStrategy: we want to use the default matcher from fosite, so remove that line - AllowedPromptValues: We can use the default if we add a small change to the auth_handler.go to account for it (in a future commit) - MinParameterEntropy: Use the fosite default to make it more likely that off the shelf OIDC clients can work with the supervisor Signed-off-by: Ryan Richard <richardry@vmware.com>
This commit is contained in:
parent
c001bb876e
commit
ded28dff15
@ -199,12 +199,20 @@ func FositeOauth2Helper(
|
||||
AccessTokenLifespan: timeoutsConfiguration.AccessTokenLifespan,
|
||||
RefreshTokenLifespan: timeoutsConfiguration.RefreshTokenLifespan,
|
||||
|
||||
ScopeStrategy: fosite.ExactScopeStrategy,
|
||||
AudienceMatchingStrategy: nil,
|
||||
EnforcePKCE: true,
|
||||
AllowedPromptValues: []string{"none"}, // TODO unclear what we should set here
|
||||
RefreshTokenScopes: []string{coreosoidc.ScopeOfflineAccess}, // as per https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
|
||||
MinParameterEntropy: 32, // TODO is 256 bits too high?
|
||||
ScopeStrategy: fosite.ExactScopeStrategy,
|
||||
EnforcePKCE: true,
|
||||
|
||||
// "offline_access" as per https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
|
||||
RefreshTokenScopes: []string{coreosoidc.ScopeOfflineAccess},
|
||||
|
||||
// The default is to support all prompt values from the spec.
|
||||
// See https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
|
||||
// We'll make a best effort to support these by passing the value of this prompt param to the upstream IDP
|
||||
// and rely on its implementation of this param.
|
||||
AllowedPromptValues: nil,
|
||||
|
||||
// Use the fosite default to make it more likely that off the shelf OIDC clients can work with the supervisor.
|
||||
MinParameterEntropy: fosite.MinParameterEntropy,
|
||||
}
|
||||
|
||||
return compose.Compose(
|
||||
|
Loading…
Reference in New Issue
Block a user