Update '.drone.yml'

.drone.yml

@@ -0,0 +1,19 @@
+kind: pipeline
+type: kubernetes
+name: Container
+
+steps:
+- name: build & publish
+  image: spritsail/docker-build
+  context: .
+  settings:
+    repo: bv11-cr01.bessems.eu/library/pinniped-server
+    registry: bv11-cr01.bessems.eu
+    tags: latest
+    build_args:
+      - BUILDPLATFORM=linux/amd64
+    mtu: 1450
+    username:
+      from_secret: harbor_username
+    password:
+      from_secret: harbor_password

Dockerfile

@@ -4,7 +4,7 @@
 # SPDX-License-Identifier: Apache-2.0
 
 # Prepare to cross-compile by always running the build stage in the build platform, not the target platform.
-FROM --platform=$BUILDPLATFORM golang:1.21.3 as build-env
+FROM --platform=linux/amd64 golang:1.21.3 as build-env
 
 WORKDIR /work
 

go.mod

@@ -38,7 +38,7 @@ require (
 	github.com/spf13/cobra v1.7.0
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.8.4
-	github.com/tdewolff/minify/v2 v2.20.4
+	github.com/tdewolff/minify/v2 v2.20.1
 	go.uber.org/zap v1.26.0
 	golang.org/x/crypto v0.14.0
 	golang.org/x/net v0.17.0
@@ -132,7 +132,7 @@ require (
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/stoewer/go-strcase v1.2.0 // indirect
 	github.com/subosito/gotenv v1.4.0 // indirect
-	github.com/tdewolff/parse/v2 v2.7.2 // indirect
+	github.com/tdewolff/parse/v2 v2.7.1 // indirect
 	go.etcd.io/etcd/api/v3 v3.5.9 // indirect
 	go.etcd.io/etcd/client/pkg/v3 v3.5.9 // indirect
 	go.etcd.io/etcd/client/v3 v3.5.9 // indirect

go.sum

@@ -482,10 +482,10 @@ github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXl
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
 github.com/subosito/gotenv v1.4.0 h1:yAzM1+SmVcz5R4tXGsNMu1jUl2aOJXoiWUCEwwnGrvs=
 github.com/subosito/gotenv v1.4.0/go.mod h1:mZd6rFysKEcUhUHXJk0C/08wAgyDBFuwEYL7vWWGaGo=
-github.com/tdewolff/minify/v2 v2.20.4 h1:rN2rooMxvJKDXdwpNsdHrCduSyBG+vMBs7wbAVpF/SM=
-github.com/tdewolff/minify/v2 v2.20.4/go.mod h1:AMF0J/eNujZLDbfMZvWweg5TSG/KuK+/UGKc+k1N8/w=
-github.com/tdewolff/parse/v2 v2.7.2 h1:9NdxF0nk/+lPI0YADDonSlpiY15hGcVUhXRj9hnK8sM=
-github.com/tdewolff/parse/v2 v2.7.2/go.mod h1:9p2qMIHpjRSTr1qnFxQr+igogyTUTlwvf9awHSm84h8=
+github.com/tdewolff/minify/v2 v2.20.1 h1:ARmlyj4gJYXNrPtdatTR9gMusp3AciwZA5o/qYtFbow=
+github.com/tdewolff/minify/v2 v2.20.1/go.mod h1:spLa6hfzR2CXXPV92kcHpziPsOobxB7IFov+8k5l5NY=
+github.com/tdewolff/parse/v2 v2.7.1 h1:gdImkv0sIupYr/cXAu5s+CxfVpxMdYZX2Qr+5Q+RdF8=
+github.com/tdewolff/parse/v2 v2.7.1/go.mod h1:9p2qMIHpjRSTr1qnFxQr+igogyTUTlwvf9awHSm84h8=
 github.com/tdewolff/test v1.0.10 h1:uWiheaLgLcNFqHcdWveum7PQfMnIUTf9Kl3bFxrIoew=
 github.com/tdewolff/test v1.0.10/go.mod h1:6DAvZliBAAnD7rhVgwaM7DE5/d9NMOAJ09SqYqeK4QE=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=

internal/federationdomain/oidc/oidc.go

@@ -144,7 +144,10 @@ func FositeOauth2Helper(
 		RefreshTokenLifespan:  timeoutsConfiguration.RefreshTokenLifespan,
 
 		ScopeStrategy: fosite.ExactScopeStrategy,
-		EnforcePKCE:   true,
+		// The only public client is pinniped-cli, so this combination of PKCE settings requires PKCE for the
+		// pinniped-cli client and does not require PKCE for any dynamically configured OIDCClients.
+		EnforcePKCE:                 false,
+		EnforcePKCEForPublicClients: true,
 
 		// "offline_access" as per https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
 		RefreshTokenScopes: []string{oidcapi.ScopeOfflineAccess},