ContainerImage.Pinniped

Author	SHA1	Message	Date
Matt Moyer	e25d090ca9	Merge branch 'main' of github.com:vmware-tanzu/pinniped into token-exchange-endpoint	2020-12-09 10:00:54 -06:00
Andrew Keesler	5f4348c57d	Merge pull request #266 from ankeesler/fix-jwt-auth-ca-bundle Fix `JWTAuthenticator` CA bundle	2020-12-09 10:43:33 -05:00
Matt Moyer	644cb687b9	Grant the Pinniped STS scope in authorize/callback handlers. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-09 09:36:45 -06:00
Matt Moyer	bebe25c32e	Merge branch 'main' of github.com:vmware-tanzu/pinniped into token-exchange-endpoint	2020-12-09 09:25:58 -06:00
Andrew Keesler	4c0fb12cf6	test/integration: only set JWTAuthenticator CA bundle when it exists See comment in code. Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-12-09 10:15:53 -05:00
Andrew Keesler	93cfd8c93a	Fix prepare-for-integration-tests.sh and Tiltfile for kubectl 1.20 kubectl 1.20 prints "Kubernetes control plane" instead of "Kubernetes master". Signed-off-by: Andrew Keesler <akeesler@vmware.com> Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-12-09 10:15:34 -05:00
Matt Moyer	5f1bd5ec31	Update TestNullStorage_GetClient with adjusted pinniped-cli scopes. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-09 09:12:32 -06:00
Andrew Keesler	8fcc176d8b	Merge pull request #258 from ankeesler/jwt-authenticator Add JWTAuthenticator API and initial controller	2020-12-09 08:21:04 -05:00
Ryan Richard	6420caca94	Bring back the test that was skipped by the previous commit - This test is still a work in progress. Some TODO comments have been added to give hints for next steps.	2020-12-08 18:25:01 -08:00
Ryan Richard	f84dda937b	Merge branch 'token-refresh' into token-exchange-endpoint	2020-12-08 18:12:12 -08:00
Ryan Richard	ef4ef583dc	token_handler_test.go: Refactor how we specify the expected results - This is to make it easier for the token exchange branch to also edit this test without causing a lot of merge conflicts with the refresh token branch, to enable parallel development of closely related stories.	2020-12-08 18:10:55 -08:00
Margo Crawford	f103c02408	Add check for grant type in tokenexchangehandler, - also started writing a test for the tokenexchangehandler, skipping for now Signed-off-by: Ryan Richard <rrichard@vmware.com>	2020-12-08 17:33:08 -08:00
Margo Crawford	ef3f837800	Merge remote-tracking branch 'origin/token-refresh' into token-exchange-endpoint	2020-12-08 16:58:35 -08:00
Ryan Richard	170982a688	refactor token_handler_test.go: easier to make more requests after initial authcode exchange - This refactor will allow us to add new test tables for the refresh and token exchange requests, which both must come after an initial successful authcode exchange has already happened Signed-off-by: Margo Crawford <margaretc@vmware.com>	2020-12-08 16:54:58 -08:00
Margo Crawford	a852baac75	Merge remote-tracking branch 'origin/token-refresh' into token-exchange-endpoint Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-08 12:55:44 -08:00
Andrew Keesler	381a2e749a	impotent -> idempotent These words do not mean the same thing... Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-12-08 15:41:49 -05:00
Aram Price	9ed5dcb031	Only create underlying jwt authenticator when spec has changed Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-12-08 15:41:49 -05:00
Andrew Keesler	e0ee18a993	Always close JWTAuthenticator underlying authenticator Otherwise we will leak goroutines. Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-12-08 15:41:48 -05:00
Andrew Keesler	0efc19a1b7	Support JWTAuthenticator in pinniped CLI Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-12-08 15:41:48 -05:00
Andrew Keesler	57103e0a9f	Add JWTAuthenticator controller See https://github.com/vmware-tanzu/pinniped/issues/260 for UX bummer. Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-12-08 15:41:48 -05:00
Andrew Keesler	946b0539d2	Add JWTAuthenticator API type Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-12-08 15:41:48 -05:00
Ryan Richard	a9111f39af	Merge branch 'main' into token-refresh	2020-12-08 12:32:41 -08:00
Ryan Richard	18d90a727e	token_handler_test.go: refresh token gets deleted when authcode reused	2020-12-08 12:12:55 -08:00
Ryan Richard	c090eb6a62	Supervisor token endpoint returns refresh tokens when requested	2020-12-08 11:47:39 -08:00
Andrew Keesler	8f51993db2	Merge pull request #265 from vmware-tanzu/scope-constants Use constants for scope values	2020-12-08 14:32:09 -05:00
aram price	8d2b8ae6b5	Use constants for scope values	2020-12-08 10:46:05 -08:00
Matt Moyer	afbef23a51	WIP implementing TokenExchangeHandler methods Signed-off-by: Margo Crawford <margaretc@vmware.com>	2020-12-08 10:17:03 -08:00
Margo Crawford	e5ecaf01a0	WIP stubbing out tokenexchangehandler	2020-12-08 09:28:19 -08:00
Margo Crawford	b7b6816531	Merge pull request #259 from mattmoyer/add-cli-request-audience Add a `--request-audience` flag to the `pinniped login oidc` CLI command	2020-12-08 09:26:19 -08:00
Matt Moyer	bfcd2569e9	Add a `--request-audience` flag to the `pinniped login oidc` CLI command. Signed-off-by: Matt Moyer <moyerm@vmware.com> Signed-off-by: Margo Crawford <margaretc@vmware.com>	2020-12-08 10:22:20 -06:00
Aram Price	d91baba240	authorize and callback endpoints now handle the offline_access scope - This is in preparation for the token endpoint to support the refresh grant Signed-off-by: Ryan Richard <richardry@vmware.com>	2020-12-07 17:22:34 -08:00
Ryan Richard	6a90a10123	Merge pull request #249 from vmware-tanzu/token-endpoint OIDC token endpoint supports authcode flow	2020-12-07 15:08:07 -08:00
Ryan Richard	12e5f94e75	Merge branch 'main' into token-endpoint	2020-12-07 14:23:40 -08:00
Ryan Richard	e1ae48f2e4	Discovery does not return `token_endpoint_auth_signing_alg_values_supported` `token_endpoint_auth_signing_alg_values_supported` is only related to private_key_jwt and client_secret_jwt client authentication methods at the token endpoint, which we do not support. See https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata for more details. Signed-off-by: Aram Price <pricear@vmware.com>	2020-12-07 14:15:31 -08:00
Matt Moyer	dcaf9166dc	Merge pull request #261 from mattmoyer/remove-goerr113-linter Disable the goerr113 linter.	2020-12-07 16:07:11 -06:00
Matt Moyer	9e945d7547	Disable the goerr113 linter. This linter is nice in principle, but I've found it more annoying than helpful in practice. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-07 15:53:41 -06:00
Aram Price	648fa4b9ba	Backfill test for token endpoint error when JWK is not yet available Signed-off-by: Ryan Richard <richardry@vmware.com>	2020-12-07 11:53:24 -08:00
Ryan Richard	e0b6133bf1	Integration tests call supervisor token endpoint and validate response Signed-off-by: Aram Price <pricear@vmware.com>	2020-12-04 17:07:04 -08:00
Aram Price	ac19782405	Merge branch 'main' into token-endpoint Signed-off-by: Ryan Richard <richardry@vmware.com>	2020-12-04 15:52:49 -08:00
Ryan Richard	858356610c	Make assertions about how many secrets were stored by fosite in tests In both callback_handler_test.go and token_handler_test.go Signed-off-by: Aram Price <pricear@vmware.com>	2020-12-04 15:40:17 -08:00
Matt Moyer	040ad3293a	Merge pull request #255 from mattmoyer/reduce-default-cli-scopes Remove "email" and "profile" from default scopes requested by CLI.	2020-12-04 17:04:03 -06:00
Matt Moyer	66270fded0	Merge pull request #257 from mattmoyer/prefactoring-for-cli-request-audience Prefactor before adding CLI "request audience" functionality.	2020-12-04 17:03:38 -06:00
Aram Price	26a8747509	Use the more specific label name of "storage.pinniped.dev/type" Instead of the less specific "storage.pinniped.dev" Signed-off-by: Ryan Richard <richardry@vmware.com>	2020-12-04 14:39:11 -08:00
Ryan Richard	ac83633888	Add fosite kube storage for access and refresh tokens Also switched the token_handler_test.go to use kube storage. Signed-off-by: Aram Price <pricear@vmware.com>	2020-12-04 14:31:06 -08:00
Matt Moyer	c6ead9d7dd	Remove "email" and "profile" from default scopes requested by CLI. We decided that we don't really need these in every case, since we'll be returning username and groups in a custom claim. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-04 16:02:16 -06:00
Matt Moyer	8c3be3ffb2	Refactor UpstreamOIDCIdentityProviderI claim handling. This refactors the `UpstreamOIDCIdentityProviderI` interface and its implementations to pass ID token claims through a `*oidctypes.Token` return parameter rather than as a third return parameter. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-04 15:35:35 -06:00
Matt Moyer	014d760f3d	Add validated ID token claims to the oidctypes.Token structure. This is just a more convenient copy of these values which are already stored inside the ID token. This will save us from having to pass them around seprately or re-parse them later. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-04 15:18:41 -06:00
Andrew Keesler	8d5f4a93ed	Get rid of an unnecessary comment from `58237d0e7d` Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-12-04 11:16:32 -05:00
Andrew Keesler	37631b41ea	Don't set our TokenURL - we don't need it right now TokenURL is used by Fosite to validate clients authenticating with the private_key_jwt method. We don't have any use for this right now, so just leave this blank until we need it. See when Ryan brought this up in https://github.com/vmware-tanzu/pinniped/pull/239#discussion_r528022162. Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-12-04 10:18:45 -05:00
Andrew Keesler	03806629b8	Cleanup code via TODOs accumulated during token endpoint work We opened https://github.com/vmware-tanzu/pinniped/issues/254 for the TODO in dynamicOpenIDConnectECDSAStrategy.GenerateToken(). This commit also ensures that linting and unit tests are passing again. Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-12-04 10:09:42 -05:00

1 2 3 4 5 ...

1038 Commits