Matt Moyer f0ebd808d7 Switch CSRF cookie from Same-Site=Strict to Same-Site=Lax. ... This CSRF cookie needs to be included on the request to the callback endpoint triggered by the redirect from the OIDC upstream provider. This is not allowed by `Same-Site=Strict` but is allowed by `Same-Site=Lax` because it is a "cross-site top-level navigation" [1]. We didn't catch this earlier with our Dex-based tests because the upstream and downstream issuers were on the same parent domain `*.svc.cluster.local` so the cookie was allowed even with `Strict` mode. [1]: https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00#section-3.2 Signed-off-by: Matt Moyer <moyerm@vmware.com>		2020-12-03 21:30:00 -06:00
..
auth	Switch CSRF cookie from Same-Site=Strict to Same-Site=Lax.	2020-12-03 21:30:00 -06:00
callback	Add a redirectURI parameter to ExchangeAuthcodeAndValidateTokens() method.	2020-12-02 15:55:33 -06:00
csrftoken	WIP for saving authorize endpoint state into upstream state param	2020-11-10 17:58:00 -08:00
discovery	Implement per-issuer OIDC JWKS endpoint	2020-10-16 17:51:40 -07:00
jwks	Implement per-issuer OIDC JWKS endpoint	2020-10-16 17:51:40 -07:00
oidctestutil	Add a redirectURI parameter to ExchangeAuthcodeAndValidateTokens() method.	2020-12-02 15:55:33 -06:00
provider	Use kube storage for the supervisor callback endpoint's fosite sessions	2020-12-02 17:40:01 -08:00
kube_storage.go	Add pkce and openidconnect storage	2020-12-01 17:18:32 -08:00
nullstorage_test.go	Add NullStorage for the authorize endpoint to use	2020-11-11 14:49:24 -08:00
nullstorage.go	WIP towards using k8s fosite storage in the supervisor's callback endpoint	2020-12-01 11:01:42 -08:00
oidc.go	Finished tests for pkce storage and added it to kubestorage	2020-12-01 14:53:22 -08:00