ContainerImage.Pinniped/internal/oidc
Ryan Richard 84c3c3aa9c Optionally allow OIDC password grant for CLI-based login experience
- Add `AllowPasswordGrant` boolean field to OIDCIdentityProvider's spec
- The oidc upstream watcher controller copies the value of
  `AllowPasswordGrant` into the configuration of the cached provider
- Add password grant to the UpstreamOIDCIdentityProviderI interface
  which is implemented by the cached provider instance for use in the
  authorization endpoint
- Enhance the IDP discovery endpoint to return the supported "flows"
  for each IDP ("cli_password" and/or "browser_authcode")
- Enhance `pinniped get kubeconfig` to help the user choose the desired
  flow for the selected IDP, and to write the flow into the resulting
  kubeconfg
- Enhance `pinniped login oidc` to have a flow flag to tell it which
  client-side flow it should use for auth (CLI-based or browser-based)
- In the Dex config, allow the resource owner password grant, which Dex
  implements to also return ID tokens, for use in integration tests
- Enhance the authorize endpoint to perform password grant when
  requested by the incoming headers. This commit does not include unit
  tests for the enhancements to the authorize endpoint, which will come
  in the next commit
- Extract some shared helpers from the callback endpoint to share the
  code with the authorize endpoint
- Add new integration tests
2021-08-12 10:45:39 -07:00
..
auth Optionally allow OIDC password grant for CLI-based login experience 2021-08-12 10:45:39 -07:00
callback Optionally allow OIDC password grant for CLI-based login experience 2021-08-12 10:45:39 -07:00
clientregistry Add "response_mode=form_post" to CLI client. 2021-07-09 12:08:42 -05:00
csrftoken Add some trivial unit tests to internal/oidc/csrftoken. 2021-02-02 09:38:17 -06:00
discovery Add "response_modes_supported" to Supervisor discovery response. 2021-07-09 12:08:43 -05:00
downstreamsession Optionally allow OIDC password grant for CLI-based login experience 2021-08-12 10:45:39 -07:00
dynamiccodec internal/oidc/dynamiccodec: loosen test to reduce flakes 2020-12-11 11:49:27 -05:00
idpdiscovery Optionally allow OIDC password grant for CLI-based login experience 2021-08-12 10:45:39 -07:00
jwks WIP: start to wire signing key into token handler 2020-12-03 15:37:25 -05:00
provider Optionally allow OIDC password grant for CLI-based login experience 2021-08-12 10:45:39 -07:00
token Update ID token tests for latest Fosite. 2021-05-28 12:53:37 -05:00
dynamic_oauth2_hmac_strategy.go Rename off of main 2020-12-16 14:27:09 -08:00
dynamic_open_id_connect_ecdsa_strategy_test.go Implement upstream LDAP support in auth_handler.go 2021-04-08 17:28:01 -07:00
dynamic_open_id_connect_ecdsa_strategy.go Implement upstream LDAP support in auth_handler.go 2021-04-08 17:28:01 -07:00
kube_storage.go Use a custom type for our static CLI client (smaller change). 2021-06-15 15:31:48 -05:00
nullstorage.go Use a custom type for our static CLI client (smaller change). 2021-06-15 15:31:48 -05:00
oidc.go Add custom response_mode=form_post HTML template. 2021-07-09 12:08:43 -05:00
token_exchange.go Update internal/oidc/token_exchange.go for latest Fosite version. 2021-03-01 13:08:41 -06:00