ContainerImage.Pinniped/internal/oidc
Monis Khan cd686ffdf3
Force the use of secure TLS config
This change updates the TLS config used by all pinniped components.
There are no configuration knobs associated with this change.  Thus
this change tightens our static defaults.

There are four TLS config levels:

1. Secure (TLS 1.3 only)
2. Default (TLS 1.2+ best ciphers that are well supported)
3. Default LDAP (TLS 1.2+ with less good ciphers)
4. Legacy (currently unused, TLS 1.2+ with all non-broken ciphers)

Highlights per component:

1. pinniped CLI
   - uses "secure" config against KAS
   - uses "default" for all other connections
2. concierge
   - uses "secure" config as an aggregated API server
   - uses "default" config as an impersonation proxy API server
   - uses "secure" config against KAS
   - uses "default" config for JWT authenticator (mostly, see code)
   - no changes to webhook authenticator (see code)
3. supervisor
   - uses "default" config as a server
   - uses "secure" config against KAS
   - uses "default" config against OIDC IDPs
   - uses "default LDAP" config against LDAP IDPs

Signed-off-by: Monis Khan <mok@vmware.com>
2021-11-17 16:55:35 -05:00
auth Addressing code review changes 2021-11-05 14:22:43 -07:00
callback Lots of small updates based on PR feedback 2021-10-20 15:53:25 -07:00
clientregistry Add "response_mode=form_post" to CLI client. 2021-07-09 12:08:42 -05:00
csrftoken Add some trivial unit tests to internal/oidc/csrftoken. 2021-02-02 09:38:17 -06:00
discovery Extract Supervisor authorize endpoint string constants into apis pkg 2021-08-18 10:20:33 -07:00
downstreamsession Force the use of secure TLS config 2021-11-17 16:55:35 -05:00
dynamiccodec internal/oidc/dynamiccodec: loosen test to reduce flakes 2020-12-11 11:49:27 -05:00
idpdiscovery Merge branch 'main' of github.com:vmware-tanzu/pinniped into active-directory-identity-provider 2021-08-24 12:19:29 -07:00
jwks WIP: start to wire signing key into token handler 2020-12-03 15:37:25 -05:00
provider Addressing code review changes 2021-11-05 14:22:43 -07:00
token Refactors: 2021-11-05 14:22:43 -07:00
dynamic_oauth2_hmac_strategy.go Rename off of main 2020-12-16 14:27:09 -08:00
dynamic_open_id_connect_ecdsa_strategy_test.go Implement upstream LDAP support in auth_handler.go 2021-04-08 17:28:01 -07:00
dynamic_open_id_connect_ecdsa_strategy.go Implement upstream LDAP support in auth_handler.go 2021-04-08 17:28:01 -07:00
kube_storage.go Use a custom type for our static CLI client (smaller change). 2021-06-15 15:31:48 -05:00
nullstorage.go Use a custom type for our static CLI client (smaller change). 2021-06-15 15:31:48 -05:00
oidc.go Perform an upstream refresh during downstream refresh for OIDC upstreams 2021-10-13 12:31:20 -07:00
token_exchange.go Update internal/oidc/token_exchange.go for latest Fosite version. 2021-03-01 13:08:41 -06:00