2019-08-21 12:10:25 +02:00
|
|
|
---
|
2021-05-10 10:35:08 +02:00
|
|
|
apiVersion: apiextensions.k8s.io/v1
|
2019-08-21 12:10:25 +02:00
|
|
|
kind: CustomResourceDefinition
|
|
|
|
|
metadata:
|
2021-05-10 10:35:08 +02:00
|
|
|
annotations:
|
2023-08-08 10:30:24 +02:00
|
|
|
controller-gen.kubebuilder.io/version: v0.11.3
|
2019-08-21 12:10:25 +02:00
|
|
|
creationTimestamp: null
|
|
|
|
|
name: oauth2clients.hydra.ory.sh
|
|
|
|
|
spec:
|
|
|
|
|
group: hydra.ory.sh
|
|
|
|
|
names:
|
|
|
|
|
kind: OAuth2Client
|
2021-05-10 10:35:08 +02:00
|
|
|
listKind: OAuth2ClientList
|
2019-08-21 12:10:25 +02:00
|
|
|
plural: oauth2clients
|
2021-05-10 10:35:08 +02:00
|
|
|
singular: oauth2client
|
|
|
|
|
scope: Namespaced
|
|
|
|
|
versions:
|
2022-09-22 07:52:52 -05:00
|
|
|
- name: v1alpha1
|
|
|
|
|
schema:
|
|
|
|
|
openAPIV3Schema:
|
|
|
|
|
description: OAuth2Client is the Schema for the oauth2clients API
|
|
|
|
|
properties:
|
|
|
|
|
apiVersion:
|
|
|
|
|
description:
|
|
|
|
|
"APIVersion defines the versioned schema of this representation
|
|
|
|
|
of an object. Servers should convert recognized schemas to the
|
|
|
|
|
latest internal value, and may reject unrecognized values. More
|
|
|
|
|
info:
|
|
|
|
|
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources"
|
|
|
|
|
type: string
|
|
|
|
|
kind:
|
|
|
|
|
description:
|
|
|
|
|
"Kind is a string value representing the REST resource this
|
|
|
|
|
object represents. Servers may infer this from the endpoint the
|
|
|
|
|
client submits requests to. Cannot be updated. In CamelCase.
|
|
|
|
|
More info:
|
|
|
|
|
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
|
|
|
|
|
type: string
|
|
|
|
|
metadata:
|
|
|
|
|
type: object
|
|
|
|
|
spec:
|
|
|
|
|
description:
|
|
|
|
|
OAuth2ClientSpec defines the desired state of OAuth2Client
|
|
|
|
|
properties:
|
|
|
|
|
allowedCorsOrigins:
|
|
|
|
|
description:
|
|
|
|
|
AllowedCorsOrigins is an array of allowed CORS origins
|
|
|
|
|
items:
|
|
|
|
|
description:
|
|
|
|
|
RedirectURI represents a redirect URI for the client
|
|
|
|
|
pattern: \w+:/?/?[^\s]+
|
|
|
|
|
type: string
|
|
|
|
|
type: array
|
|
|
|
|
audience:
|
|
|
|
|
description:
|
|
|
|
|
Audience is a whitelist defining the audiences this client
|
|
|
|
|
is allowed to request tokens for
|
|
|
|
|
items:
|
|
|
|
|
type: string
|
|
|
|
|
type: array
|
2023-10-10 13:22:06 +02:00
|
|
|
backChannelLogoutSessionRequired:
|
|
|
|
|
default: false
|
|
|
|
|
description:
|
|
|
|
|
BackChannelLogoutSessionRequired Boolean value specifying
|
|
|
|
|
whether the RP requires that a sid (session ID) Claim be
|
|
|
|
|
included in the Logout Token to identify the RP session with
|
|
|
|
|
the OP when the backchannel_logout_uri is used. If omitted,
|
|
|
|
|
the default value is false.
|
|
|
|
|
type: boolean
|
|
|
|
|
backChannelLogoutURI:
|
|
|
|
|
description:
|
|
|
|
|
BackChannelLogoutURI RP URL that will cause the RP to log
|
|
|
|
|
itself out when sent a Logout Token by the OP
|
|
|
|
|
pattern: (^$|^https?://.*)
|
|
|
|
|
type: string
|
2022-09-22 07:52:52 -05:00
|
|
|
clientName:
|
|
|
|
|
description:
|
|
|
|
|
ClientName is the human-readable string name of the client
|
|
|
|
|
to be presented to the end-user during authorization.
|
2021-05-10 10:35:08 +02:00
|
|
|
type: string
|
2023-10-10 13:22:06 +02:00
|
|
|
frontChannelLogoutSessionRequired:
|
|
|
|
|
default: false
|
|
|
|
|
description:
|
|
|
|
|
FrontChannelLogoutSessionRequired Boolean value specifying
|
|
|
|
|
whether the RP requires that iss (issuer) and sid (session
|
|
|
|
|
ID) query parameters be included to identify the RP session
|
|
|
|
|
with the OP when the frontchannel_logout_uri is used
|
|
|
|
|
type: boolean
|
|
|
|
|
frontChannelLogoutURI:
|
|
|
|
|
description:
|
|
|
|
|
FrontChannelLogoutURI RP URL that will cause the RP to log
|
|
|
|
|
itself out when rendered in an iframe by the OP. An iss
|
|
|
|
|
(issuer) query parameter and a sid (session ID) query
|
|
|
|
|
parameter MAY be included by the OP to enable the RP to
|
|
|
|
|
validate the request and to determine which of the
|
|
|
|
|
potentially multiple sessions is to be logged out; if either
|
|
|
|
|
is included, both MUST be
|
|
|
|
|
pattern: (^$|^https?://.*)
|
|
|
|
|
type: string
|
2022-09-22 07:52:52 -05:00
|
|
|
grantTypes:
|
|
|
|
|
description:
|
|
|
|
|
GrantTypes is an array of grant types the client is allowed
|
|
|
|
|
to use.
|
|
|
|
|
items:
|
|
|
|
|
description: GrantType represents an OAuth 2.0 grant type
|
|
|
|
|
enum:
|
|
|
|
|
- client_credentials
|
|
|
|
|
- authorization_code
|
|
|
|
|
- implicit
|
|
|
|
|
- refresh_token
|
2019-08-21 12:10:25 +02:00
|
|
|
type: string
|
2022-09-22 07:52:52 -05:00
|
|
|
maxItems: 4
|
|
|
|
|
minItems: 1
|
|
|
|
|
type: array
|
|
|
|
|
hydraAdmin:
|
|
|
|
|
description:
|
|
|
|
|
HydraAdmin is the optional configuration to use for managing
|
|
|
|
|
this client
|
|
|
|
|
properties:
|
|
|
|
|
endpoint:
|
|
|
|
|
description:
|
|
|
|
|
Endpoint is the endpoint for the hydra instance on which
|
|
|
|
|
to set up the client. This value will override the value
|
|
|
|
|
provided to `--endpoint` (defaults to `"/clients"` in
|
|
|
|
|
the application)
|
|
|
|
|
pattern: (^$|^/.*)
|
|
|
|
|
type: string
|
|
|
|
|
forwardedProto:
|
|
|
|
|
description:
|
|
|
|
|
ForwardedProto overrides the `--forwarded-proto` flag.
|
|
|
|
|
The value "off" will force this to be off even if
|
|
|
|
|
`--forwarded-proto` is specified
|
|
|
|
|
pattern: (^$|https?|off)
|
|
|
|
|
type: string
|
|
|
|
|
port:
|
|
|
|
|
description:
|
|
|
|
|
Port is the port for the hydra instance on which to set
|
|
|
|
|
up the client. This value will override the value
|
|
|
|
|
provided to `--hydra-port`
|
|
|
|
|
maximum: 65535
|
|
|
|
|
type: integer
|
|
|
|
|
url:
|
|
|
|
|
description:
|
|
|
|
|
URL is the URL for the hydra instance on which to set up
|
|
|
|
|
the client. This value will override the value provided
|
|
|
|
|
to `--hydra-url`
|
|
|
|
|
maxLength: 64
|
|
|
|
|
pattern: (^$|^https?://.*)
|
|
|
|
|
type: string
|
|
|
|
|
type: object
|
2023-08-10 07:49:28 +02:00
|
|
|
jwksUri:
|
|
|
|
|
description:
|
2023-08-15 11:07:35 +02:00
|
|
|
JwksUri Define the URL where the JSON Web Key Set should be
|
|
|
|
|
fetched from when performing the private_key_jwt client
|
2023-08-10 07:49:28 +02:00
|
|
|
authentication method.
|
|
|
|
|
pattern: (^$|^https?://.*)
|
|
|
|
|
type: string
|
2022-09-22 07:52:52 -05:00
|
|
|
metadata:
|
2023-10-10 13:22:06 +02:00
|
|
|
description: Metadata is arbitrary data
|
2022-09-22 07:52:52 -05:00
|
|
|
nullable: true
|
|
|
|
|
type: object
|
|
|
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
|
|
|
postLogoutRedirectUris:
|
|
|
|
|
description:
|
|
|
|
|
PostLogoutRedirectURIs is an array of the post logout
|
|
|
|
|
redirect URIs allowed for the application
|
|
|
|
|
items:
|
|
|
|
|
description:
|
|
|
|
|
RedirectURI represents a redirect URI for the client
|
|
|
|
|
pattern: \w+:/?/?[^\s]+
|
2019-08-21 12:10:25 +02:00
|
|
|
type: string
|
2022-09-22 07:52:52 -05:00
|
|
|
type: array
|
|
|
|
|
redirectUris:
|
|
|
|
|
description:
|
|
|
|
|
RedirectURIs is an array of the redirect URIs allowed for
|
|
|
|
|
the application
|
|
|
|
|
items:
|
|
|
|
|
description:
|
|
|
|
|
RedirectURI represents a redirect URI for the client
|
|
|
|
|
pattern: \w+:/?/?[^\s]+
|
|
|
|
|
type: string
|
|
|
|
|
type: array
|
|
|
|
|
responseTypes:
|
|
|
|
|
description:
|
|
|
|
|
ResponseTypes is an array of the OAuth 2.0 response type
|
|
|
|
|
strings that the client can use at the authorization
|
|
|
|
|
endpoint.
|
|
|
|
|
items:
|
|
|
|
|
description:
|
|
|
|
|
ResponseType represents an OAuth 2.0 response type strings
|
|
|
|
|
enum:
|
|
|
|
|
- id_token
|
|
|
|
|
- code
|
|
|
|
|
- token
|
|
|
|
|
- code token
|
|
|
|
|
- code id_token
|
|
|
|
|
- id_token token
|
|
|
|
|
- code id_token token
|
2019-08-21 12:10:25 +02:00
|
|
|
type: string
|
2022-09-22 07:52:52 -05:00
|
|
|
maxItems: 3
|
|
|
|
|
minItems: 1
|
|
|
|
|
type: array
|
|
|
|
|
scope:
|
|
|
|
|
description:
|
|
|
|
|
Scope is a string containing a space-separated list of scope
|
|
|
|
|
values (as described in Section 3.3 of OAuth 2.0 [RFC6749])
|
|
|
|
|
that the client can use when requesting access tokens.
|
|
|
|
|
pattern: ([a-zA-Z0-9\.\*]+\s?)+
|
2019-11-14 01:11:13 -07:00
|
|
|
type: string
|
2022-09-22 07:52:52 -05:00
|
|
|
secretName:
|
|
|
|
|
description:
|
|
|
|
|
SecretName points to the K8s secret that contains this
|
|
|
|
|
client's ID and password
|
|
|
|
|
maxLength: 253
|
|
|
|
|
minLength: 1
|
|
|
|
|
pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*'
|
2019-11-14 01:11:13 -07:00
|
|
|
type: string
|
2023-06-28 13:56:22 +02:00
|
|
|
skipConsent:
|
2023-08-08 10:30:24 +02:00
|
|
|
default: false
|
2023-06-28 13:56:22 +02:00
|
|
|
description:
|
|
|
|
|
SkipConsent skips the consent screen for this client.
|
|
|
|
|
type: boolean
|
2022-09-22 07:52:52 -05:00
|
|
|
tokenEndpointAuthMethod:
|
|
|
|
|
allOf:
|
|
|
|
|
- enum:
|
|
|
|
|
- client_secret_basic
|
|
|
|
|
- client_secret_post
|
|
|
|
|
- private_key_jwt
|
|
|
|
|
- none
|
|
|
|
|
- enum:
|
|
|
|
|
- client_secret_basic
|
|
|
|
|
- client_secret_post
|
|
|
|
|
- private_key_jwt
|
|
|
|
|
- none
|
|
|
|
|
description:
|
|
|
|
|
Indication which authentication method shoud be used for the
|
|
|
|
|
token endpoint
|
2019-11-14 01:11:13 -07:00
|
|
|
type: string
|
2022-09-22 07:52:52 -05:00
|
|
|
required:
|
|
|
|
|
- grantTypes
|
|
|
|
|
- scope
|
|
|
|
|
- secretName
|
|
|
|
|
type: object
|
|
|
|
|
status:
|
|
|
|
|
description:
|
|
|
|
|
OAuth2ClientStatus defines the observed state of OAuth2Client
|
|
|
|
|
properties:
|
2023-03-27 11:34:35 -04:00
|
|
|
conditions:
|
|
|
|
|
items:
|
|
|
|
|
description:
|
|
|
|
|
OAuth2ClientCondition contains condition information for
|
|
|
|
|
an OAuth2Client
|
|
|
|
|
properties:
|
|
|
|
|
status:
|
|
|
|
|
enum:
|
|
|
|
|
- "True"
|
|
|
|
|
- "False"
|
|
|
|
|
- Unknown
|
|
|
|
|
type: string
|
|
|
|
|
type:
|
|
|
|
|
type: string
|
|
|
|
|
required:
|
|
|
|
|
- status
|
|
|
|
|
- type
|
|
|
|
|
type: object
|
|
|
|
|
type: array
|
2022-09-22 07:52:52 -05:00
|
|
|
observedGeneration:
|
2021-05-10 10:35:08 +02:00
|
|
|
description:
|
2022-09-22 07:52:52 -05:00
|
|
|
ObservedGeneration represents the most recent generation
|
|
|
|
|
observed by the daemon set controller.
|
|
|
|
|
format: int64
|
|
|
|
|
type: integer
|
|
|
|
|
reconciliationError:
|
|
|
|
|
description:
|
|
|
|
|
ReconciliationError represents an error that occurred during
|
|
|
|
|
the reconciliation process
|
|
|
|
|
properties:
|
|
|
|
|
description:
|
|
|
|
|
description:
|
|
|
|
|
Description is the description of the reconciliation
|
|
|
|
|
error
|
|
|
|
|
type: string
|
|
|
|
|
statusCode:
|
|
|
|
|
description:
|
|
|
|
|
Code is the status code of the reconciliation error
|
|
|
|
|
type: string
|
|
|
|
|
type: object
|
|
|
|
|
type: object
|
|
|
|
|
type: object
|
|
|
|
|
served: true
|
|
|
|
|
storage: true
|
|
|
|
|
subresources:
|
|
|
|
|
status: {}
|
