4395d5a0ca
Add a default --client-id in `pinniped login oidc` command.
...
This default matches the static client we have defined in the supervisor, which will be the correct value in most cases.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-10 09:46:07 -06:00
d83927ae75
Merge pull request #268 from vmware-tanzu/secret-generation-prefactor
...
Secret generation prefactor
2020-12-10 08:39:32 -05:00
86c75b7a80
CSRF cookie is no longer encrypted
2020-12-09 17:34:02 -08:00
f1f8ffa456
Distinct `Encoder`'s use distinct keys
2020-12-09 17:34:02 -08:00
4a5f8e30a8
Use distinct `Encoder` for state and csrf data
2020-12-09 17:34:02 -08:00
e111ca02da
Use the narrowest possible interface
2020-12-09 17:34:02 -08:00
6ec3589112
Use recorder `Cookies()` helper
...
- replaces hand-parsing of cookie strings
2020-12-09 17:34:02 -08:00
2ddba8d825
Merge pull request #267 from vmware-tanzu/token-exchange-endpoint
...
Implement RFC8693 token exchange handler in the supervisor
2020-12-09 17:13:28 -08:00
218f27306c
Integration test for refresh grant
...
Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-09 17:07:37 -08:00
fde2e6fa97
Merge remote-tracking branch 'origin/main' into token-exchange-endpoint
2020-12-09 15:22:54 -08:00
4d82ec1283
Merge pull request #262 from vmware-tanzu/token-refresh
...
Support for the refresh grant in the supervisor's token endpoint
2020-12-09 15:22:02 -08:00
5b7c510577
Fixed error handling for token exchange when openid scope missing
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-09 15:15:50 -08:00
0abadddb1a
token_handler_test.go: modify a test about refresh request scopes param
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-09 15:03:52 -08:00
5f6e7de785
Merge branch 'token-refresh' into token-exchange-endpoint
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-09 14:56:41 -08:00
64631d5780
token_handler_test.go: add even more test cases for refresh grant
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-09 14:53:39 -08:00
0386658d26
token_handler_test.go: add more test cases for refresh grant
2020-12-09 14:12:00 -08:00
167d440b65
Remove this unneccesary go113 `nolint` directives.
...
We disabled this linter across the project.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 14:51:27 -06:00
3e6ebab389
Clean up TestTokenExchange a bit.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 14:49:44 -06:00
f90b5d48de
Merge branch 'token-refresh' of github.com:vmware-tanzu/pinniped into token-exchange-endpoint
2020-12-09 14:46:57 -06:00
016b0e9a8e
Satisfy the pedantic linter config 🙃 .
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 14:41:27 -06:00
51c828382f
Supervisor token endpoint supports refresh grant type
...
- This commit does not include the sad path tests for the refresh
grant type, which will come in a future commit.
2020-12-09 12:12:59 -08:00
02d96d731f
Finish TestTokenExchange unit tests and add missing scope check.
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-09 13:56:53 -06:00
cac3a3520f
Merge branch 'main' into token-refresh
2020-12-09 09:58:21 -08:00
b04db6ad2b
Fix some false positive gosec warnings.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 10:42:37 -06:00
f1aff2faab
Start extending TestSupervisorLogin to test the token exchange flow (WIP).
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 10:23:10 -06:00
b1542be7b1
In oidcclient token exchange request, pass client_id but don't bother with authorization header.
...
I think this should be more correct. In the server we're authenticating the request primarily via the `subject_token` parameter anyway, and Fosite needs the `client_id` to be set.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 10:08:41 -06:00
1db2ae3a45
Add more parameter validations and refactor internal/oidc/token_exchange.go.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 10:04:58 -06:00
e25d090ca9
Merge branch 'main' of github.com:vmware-tanzu/pinniped into token-exchange-endpoint
2020-12-09 10:00:54 -06:00
5f4348c57d
Merge pull request #266 from ankeesler/fix-jwt-auth-ca-bundle
...
Fix `JWTAuthenticator` CA bundle
2020-12-09 10:43:33 -05:00
644cb687b9
Grant the Pinniped STS scope in authorize/callback handlers.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 09:36:45 -06:00
bebe25c32e
Merge branch 'main' of github.com:vmware-tanzu/pinniped into token-exchange-endpoint
2020-12-09 09:25:58 -06:00
4c0fb12cf6
test/integration: only set JWTAuthenticator CA bundle when it exists
...
See comment in code.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-09 10:15:53 -05:00
93cfd8c93a
Fix prepare-for-integration-tests.sh and Tiltfile for kubectl 1.20
...
kubectl 1.20 prints "Kubernetes control plane" instead of "Kubernetes master".
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-09 10:15:34 -05:00
5f1bd5ec31
Update TestNullStorage_GetClient with adjusted pinniped-cli scopes.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 09:12:32 -06:00
8fcc176d8b
Merge pull request #258 from ankeesler/jwt-authenticator
...
Add JWTAuthenticator API and initial controller
2020-12-09 08:21:04 -05:00
6420caca94
Bring back the test that was skipped by the previous commit
...
- This test is still a work in progress. Some TODO comments
have been added to give hints for next steps.
2020-12-08 18:25:01 -08:00
f84dda937b
Merge branch 'token-refresh' into token-exchange-endpoint
2020-12-08 18:12:12 -08:00
ef4ef583dc
token_handler_test.go: Refactor how we specify the expected results
...
- This is to make it easier for the token exchange branch to also edit
this test without causing a lot of merge conflicts with the
refresh token branch, to enable parallel development of closely
related stories.
2020-12-08 18:10:55 -08:00
f103c02408
Add check for grant type in tokenexchangehandler,
...
- also started writing a test for the tokenexchangehandler, skipping for
now
Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-08 17:33:08 -08:00
ef3f837800
Merge remote-tracking branch 'origin/token-refresh' into token-exchange-endpoint
2020-12-08 16:58:35 -08:00
170982a688
refactor token_handler_test.go: easier to make more requests after initial authcode exchange
...
- This refactor will allow us to add new test tables for the
refresh and token exchange requests, which both must come after
an initial successful authcode exchange has already happened
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-08 16:54:58 -08:00
a852baac75
Merge remote-tracking branch 'origin/token-refresh' into token-exchange-endpoint
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-08 12:55:44 -08:00
381a2e749a
impotent -> idempotent
...
These words do not mean the same thing...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-08 15:41:49 -05:00
9ed5dcb031
Only create underlying jwt authenticator when spec has changed
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-08 15:41:49 -05:00
e0ee18a993
Always close JWTAuthenticator underlying authenticator
...
Otherwise we will leak goroutines.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-08 15:41:48 -05:00
0efc19a1b7
Support JWTAuthenticator in pinniped CLI
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-08 15:41:48 -05:00
57103e0a9f
Add JWTAuthenticator controller
...
See https://github.com/vmware-tanzu/pinniped/issues/260 for UX bummer.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-08 15:41:48 -05:00
946b0539d2
Add JWTAuthenticator API type
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-08 15:41:48 -05:00
a9111f39af
Merge branch 'main' into token-refresh
2020-12-08 12:32:41 -08:00
18d90a727e
token_handler_test.go: refresh token gets deleted when authcode reused
2020-12-08 12:12:55 -08:00
Matt Moyer