84c3c3aa9c
- Add `AllowPasswordGrant` boolean field to OIDCIdentityProvider's spec - The oidc upstream watcher controller copies the value of `AllowPasswordGrant` into the configuration of the cached provider - Add password grant to the UpstreamOIDCIdentityProviderI interface which is implemented by the cached provider instance for use in the authorization endpoint - Enhance the IDP discovery endpoint to return the supported "flows" for each IDP ("cli_password" and/or "browser_authcode") - Enhance `pinniped get kubeconfig` to help the user choose the desired flow for the selected IDP, and to write the flow into the resulting kubeconfg - Enhance `pinniped login oidc` to have a flow flag to tell it which client-side flow it should use for auth (CLI-based or browser-based) - In the Dex config, allow the resource owner password grant, which Dex implements to also return ID tokens, for use in integration tests - Enhance the authorize endpoint to perform password grant when requested by the incoming headers. This commit does not include unit tests for the enhancements to the authorize endpoint, which will come in the next commit - Extract some shared helpers from the callback endpoint to share the code with the authorize endpoint - Add new integration tests
239 lines
12 KiB
YAML
239 lines
12 KiB
YAML
|
|
---
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.4.0
|
|
creationTimestamp: null
|
|
name: oidcidentityproviders.idp.supervisor.pinniped.dev
|
|
spec:
|
|
group: idp.supervisor.pinniped.dev
|
|
names:
|
|
categories:
|
|
- pinniped
|
|
- pinniped-idp
|
|
- pinniped-idps
|
|
kind: OIDCIdentityProvider
|
|
listKind: OIDCIdentityProviderList
|
|
plural: oidcidentityproviders
|
|
singular: oidcidentityprovider
|
|
scope: Namespaced
|
|
versions:
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .spec.issuer
|
|
name: Issuer
|
|
type: string
|
|
- jsonPath: .status.phase
|
|
name: Status
|
|
type: string
|
|
- jsonPath: .metadata.creationTimestamp
|
|
name: Age
|
|
type: date
|
|
name: v1alpha1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: OIDCIdentityProvider describes the configuration of an upstream
|
|
OpenID Connect identity provider.
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: Spec for configuring the identity provider.
|
|
properties:
|
|
authorizationConfig:
|
|
description: AuthorizationConfig holds information about how to form
|
|
the OAuth2 authorization request parameters to be used with this
|
|
OIDC identity provider.
|
|
properties:
|
|
additionalScopes:
|
|
description: AdditionalScopes are the scopes in addition to "openid"
|
|
that will be requested as part of the authorization request
|
|
flow with an OIDC identity provider. In the case of a Resource
|
|
Owner Password Credentials Grant flow, AdditionalScopes are
|
|
the scopes in addition to "openid" that will be requested as
|
|
part of the token request (see also the AllowPasswordGrant field).
|
|
By default, only the "openid" scope will be requested.
|
|
items:
|
|
type: string
|
|
type: array
|
|
allowPasswordGrant:
|
|
description: AllowPasswordGrant, when true, will allow the use
|
|
of OAuth 2.0's Resource Owner Password Credentials Grant (see
|
|
https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to
|
|
authenticate to the OIDC provider using a username and password
|
|
without a web browser, in addition to the usual browser-based
|
|
OIDC Authorization Code Flow. The Resource Owner Password Credentials
|
|
Grant is not officially part of the OIDC specification, so it
|
|
may not be supported by your OIDC provider. If your OIDC provider
|
|
supports returning ID tokens from a Resource Owner Password
|
|
Credentials Grant token request, then you can choose to set
|
|
this field to true. This will allow end users to choose to present
|
|
their username and password to the kubectl CLI (using the Pinniped
|
|
plugin) to authenticate to the cluster, without using a web
|
|
browser to log in as is customary in OIDC Authorization Code
|
|
Flow. This may be convenient for users, especially for identities
|
|
from your OIDC provider which are not intended to represent
|
|
a human actor, such as service accounts performing actions in
|
|
a CI/CD environment. Even if your OIDC provider supports it,
|
|
you may wish to disable this behavior by setting this field
|
|
to false when you prefer to only allow users of this OIDCIdentityProvider
|
|
to log in via the browser-based OIDC Authorization Code Flow.
|
|
Using the Resource Owner Password Credentials Grant means that
|
|
the Pinniped CLI and Pinniped Supervisor will directly handle
|
|
your end users' passwords (similar to LDAPIdentityProvider),
|
|
and you will not be able to require multi-factor authentication
|
|
or use the other web-based login features of your OIDC provider
|
|
during Resource Owner Password Credentials Grant logins. AllowPasswordGrant
|
|
defaults to false.
|
|
type: boolean
|
|
type: object
|
|
claims:
|
|
description: Claims provides the names of token claims that will be
|
|
used when inspecting an identity from this OIDC identity provider.
|
|
properties:
|
|
groups:
|
|
description: Groups provides the name of the token claim that
|
|
will be used to ascertain the groups to which an identity belongs.
|
|
type: string
|
|
username:
|
|
description: Username provides the name of the token claim that
|
|
will be used to ascertain an identity's username.
|
|
type: string
|
|
type: object
|
|
client:
|
|
description: OIDCClient contains OIDC client information to be used
|
|
used with this OIDC identity provider.
|
|
properties:
|
|
secretName:
|
|
description: SecretName contains the name of a namespace-local
|
|
Secret object that provides the clientID and clientSecret for
|
|
an OIDC client. If only the SecretName is specified in an OIDCClient
|
|
struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client"
|
|
with keys "clientID" and "clientSecret".
|
|
type: string
|
|
required:
|
|
- secretName
|
|
type: object
|
|
issuer:
|
|
description: Issuer is the issuer URL of this OIDC identity provider,
|
|
i.e., where to fetch /.well-known/openid-configuration.
|
|
minLength: 1
|
|
pattern: ^https://
|
|
type: string
|
|
tls:
|
|
description: TLS configuration for discovery/JWKS requests to the
|
|
issuer.
|
|
properties:
|
|
certificateAuthorityData:
|
|
description: X.509 Certificate Authority (base64-encoded PEM bundle).
|
|
If omitted, a default set of system roots will be trusted.
|
|
type: string
|
|
type: object
|
|
required:
|
|
- client
|
|
- issuer
|
|
type: object
|
|
status:
|
|
description: Status of the identity provider.
|
|
properties:
|
|
conditions:
|
|
description: Represents the observations of an identity provider's
|
|
current state.
|
|
items:
|
|
description: Condition status of a resource (mirrored from the metav1.Condition
|
|
type added in Kubernetes 1.19). In a future API version we can
|
|
switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
|
|
properties:
|
|
lastTransitionTime:
|
|
description: lastTransitionTime is the last time the condition
|
|
transitioned from one status to another. This should be when
|
|
the underlying condition changed. If that is not known, then
|
|
using the time when the API field changed is acceptable.
|
|
format: date-time
|
|
type: string
|
|
message:
|
|
description: message is a human readable message indicating
|
|
details about the transition. This may be an empty string.
|
|
maxLength: 32768
|
|
type: string
|
|
observedGeneration:
|
|
description: observedGeneration represents the .metadata.generation
|
|
that the condition was set based upon. For instance, if .metadata.generation
|
|
is currently 12, but the .status.conditions[x].observedGeneration
|
|
is 9, the condition is out of date with respect to the current
|
|
state of the instance.
|
|
format: int64
|
|
minimum: 0
|
|
type: integer
|
|
reason:
|
|
description: reason contains a programmatic identifier indicating
|
|
the reason for the condition's last transition. Producers
|
|
of specific condition types may define expected values and
|
|
meanings for this field, and whether the values are considered
|
|
a guaranteed API. The value should be a CamelCase string.
|
|
This field may not be empty.
|
|
maxLength: 1024
|
|
minLength: 1
|
|
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
|
type: string
|
|
status:
|
|
description: status of the condition, one of True, False, Unknown.
|
|
enum:
|
|
- "True"
|
|
- "False"
|
|
- Unknown
|
|
type: string
|
|
type:
|
|
description: type of condition in CamelCase or in foo.example.com/CamelCase.
|
|
--- Many .condition.type values are consistent across resources
|
|
like Available, but because arbitrary conditions can be useful
|
|
(see .node.status.conditions), the ability to deconflict is
|
|
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
|
|
maxLength: 316
|
|
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
|
type: string
|
|
required:
|
|
- lastTransitionTime
|
|
- message
|
|
- reason
|
|
- status
|
|
- type
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-map-keys:
|
|
- type
|
|
x-kubernetes-list-type: map
|
|
phase:
|
|
default: Pending
|
|
description: Phase summarizes the overall status of the OIDCIdentityProvider.
|
|
enum:
|
|
- Pending
|
|
- Ready
|
|
- Error
|
|
type: string
|
|
type: object
|
|
required:
|
|
- spec
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources:
|
|
status: {}
|
|
status:
|
|
acceptedNames:
|
|
kind: ""
|
|
plural: ""
|
|
conditions: []
|
|
storedVersions: []
|