f90b5d48de
Merge branch 'token-refresh' of github.com:vmware-tanzu/pinniped into token-exchange-endpoint
2020-12-09 14:46:57 -06:00
51c828382f
Supervisor token endpoint supports refresh grant type
...
- This commit does not include the sad path tests for the refresh
grant type, which will come in a future commit.
2020-12-09 12:12:59 -08:00
f103c02408
Add check for grant type in tokenexchangehandler,
...
- also started writing a test for the tokenexchangehandler, skipping for
now
Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-08 17:33:08 -08:00
a852baac75
Merge remote-tracking branch 'origin/token-refresh' into token-exchange-endpoint
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-08 12:55:44 -08:00
c090eb6a62
Supervisor token endpoint returns refresh tokens when requested
2020-12-08 11:47:39 -08:00
afbef23a51
WIP implementing TokenExchangeHandler methods
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-08 10:17:03 -08:00
e5ecaf01a0
WIP stubbing out tokenexchangehandler
2020-12-08 09:28:19 -08:00
d91baba240
authorize and callback endpoints now handle the offline_access scope
...
- This is in preparation for the token endpoint to support the refresh
grant
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-07 17:22:34 -08:00
8d5f4a93ed
Get rid of an unnecessary comment from 58237d0e7d
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-04 11:16:32 -05:00
37631b41ea
Don't set our TokenURL - we don't need it right now
...
TokenURL is used by Fosite to validate clients authenticating with the
private_key_jwt method. We don't have any use for this right now, so just leave
this blank until we need it.
See when Ryan brought this up in
https://github.com/vmware-tanzu/pinniped/pull/239#discussion_r528022162 .
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-04 10:18:45 -05:00
03806629b8
Cleanup code via TODOs accumulated during token endpoint work
...
We opened https://github.com/vmware-tanzu/pinniped/issues/254 for the TODO in
dynamicOpenIDConnectECDSAStrategy.GenerateToken().
This commit also ensures that linting and unit tests are passing again.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-04 10:09:42 -05:00
0bb2b10b3b
Passing signing key through to the token endpoint
2020-12-03 17:16:08 -08:00
58237d0e7d
WIP: start to wire signing key into token handler
...
This commit includes a failing test (amongst other compiler failures) for the
dynamic signing key fetcher that we will inject into fosite. We are checking it
in so that we can pass the WIP off.
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-03 15:37:25 -05:00
2f1a67ef0d
Merge remote-tracking branch 'upstream/callback-endpoint' into token-endpoint
2020-12-03 11:14:37 -05:00
970be58847
token_handler.go: first draft of token handler, with a bunch of TODOs
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-02 11:14:45 -05:00
f38c150f6a
Finished tests for pkce storage and added it to kubestorage
...
- Also fixed some lint errors with v1.33.0 of the linter
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-01 14:53:22 -08:00
e6b6c0e3ab
Merge branch 'main' into callback-endpoint
2020-11-20 15:50:26 -08:00
ccddeb4cda
Merge branch 'main' into callback-endpoint
2020-11-20 15:13:25 -08:00
d39cc08b66
Set defaults for fosite config
...
Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-20 17:18:52 -05:00
72321fc106
Use /callback (without IDP name) path for callback endpoint (part 1)
...
This is much nicer UX for an administrator installing a UpstreamOIDCProvider
CRD. They don't have to guess as hard at what the callback endpoint path should
be for their UpstreamOIDCProvider.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-20 16:14:45 -05:00
541019eb98
callback_handler.go: simplify stored ID token claims
...
Fosite is gonna set these fields for us.
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-20 15:36:51 -05:00
488d1b663a
internal/oidc/provider/manager: route to callback endpoint
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-20 10:44:56 -05:00
227fbd63aa
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider
...
Because we want it to implement an AuthcodeExchanger interface and
do it in a way that will be more unit test-friendly than the underlying
library that we intend to use inside its implementation.
2020-11-18 13:38:13 -08:00
052cdc40dc
callback_handler.go: add CSRF and version state validations
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-16 14:41:00 -05:00
4138c9244f
callback_handler.go: write 2 invalid cookie tests
...
Also common-ize some more constants shared between the auth and callback
endpoints.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-16 11:47:49 -05:00
3ef1171667
Tiny bit more code for Supervisor's callback_handler.go
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-13 15:59:51 -08:00
246471bc91
Also run OIDC validations in supervisor authorize endpoint
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-06 14:44:58 -08:00
33ce79f89d
Expose the Supervisor OIDC authorization endpoint to the public
2020-11-04 17:06:47 -08:00
a36f7c6c07
Test that the port of localhost redirect URI is ignored during validation
...
Also move definition of our oauth client and the general fosite
configuration to a helper so we can use the same config to construct
the handler for both test and production code.
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-04 15:04:50 -08:00
8b7d96f42c
Several small refactors related to OIDC providers
2020-10-08 11:28:21 -07:00
fd6a7f5892
supervisor-oidc: hoist OIDC discovery handler for testing
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-06 11:16:57 -04:00
Matt Moyer