CadolesKube/hydra-maester
7
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Implement handling OAuth2 client token lifespans. (#145)

Browse Source
This commit is contained in:
David Wobrock 2024-06-24 13:52:50 +02:00 committed by GitHub
parent 8029e019dd
commit 8f679ba89a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
6 changed files with 215 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
api/v1alpha1/oauth2client_types.go
View File

@ -51,6 +51,69 @@ type HydraAdmin struct {
ForwardedProto string `json:"forwardedProto,omitempty"` ForwardedProto string `json:"forwardedProto,omitempty"`
} }
// TokenLifespans defines the desired token durations by grant type for OAuth2Client
type TokenLifespans struct {
// +kubebuilder:validation:Pattern=[0-9]+(ns|us|ms|s|m|h)
//
// AuthorizationCodeGrantAccessTokenLifespan is the access token lifespan
// issued on an authorization_code grant.
AuthorizationCodeGrantAccessTokenLifespan string `json:"authorization_code_grant_access_token_lifespan,omitempty"`
// +kubebuilder:validation:Pattern=[0-9]+(ns|us|ms|s|m|h)
//
// AuthorizationCodeGrantIdTokenLifespan is the id token lifespan
// issued on an authorization_code grant.
AuthorizationCodeGrantIdTokenLifespan string `json:"authorization_code_grant_id_token_lifespan,omitempty"`
// +kubebuilder:validation:Pattern=[0-9]+(ns|us|ms|s|m|h)
//
// AuthorizationCodeGrantRefreshTokenLifespan is the refresh token lifespan
// issued on an authorization_code grant.
AuthorizationCodeGrantRefreshTokenLifespan string `json:"authorization_code_grant_refresh_token_lifespan,omitempty"`
// +kubebuilder:validation:Pattern=[0-9]+(ns|us|ms|s|m|h)
//
// AuthorizationCodeGrantRefreshTokenLifespan is the access token lifespan
// issued on a client_credentials grant.
ClientCredentialsGrantAccessTokenLifespan string `json:"client_credentials_grant_access_token_lifespan,omitempty"`
// +kubebuilder:validation:Pattern=[0-9]+(ns|us|ms|s|m|h)
//
// ImplicitGrantAccessTokenLifespan is the access token lifespan
// issued on an implicit grant.
ImplicitGrantAccessTokenLifespan string `json:"implicit_grant_access_token_lifespan,omitempty"`
// +kubebuilder:validation:Pattern=[0-9]+(ns|us|ms|s|m|h)
//
// ImplicitGrantIdTokenLifespan is the id token lifespan
// issued on an implicit grant.
ImplicitGrantIdTokenLifespan string `json:"implicit_grant_id_token_lifespan,omitempty"`
// +kubebuilder:validation:Pattern=[0-9]+(ns|us|ms|s|m|h)
//
// JwtBearerGrantAccessTokenLifespan is the access token lifespan
// issued on a jwt_bearer grant.
JwtBearerGrantAccessTokenLifespan string `json:"jwt_bearer_grant_access_token_lifespan,omitempty"`
// +kubebuilder:validation:Pattern=[0-9]+(ns|us|ms|s|m|h)
//
// RefreshTokenGrantAccessTokenLifespan is the access token lifespan
// issued on a refresh_token grant.
RefreshTokenGrantAccessTokenLifespan string `json:"refresh_token_grant_access_token_lifespan,omitempty"`
// +kubebuilder:validation:Pattern=[0-9]+(ns|us|ms|s|m|h)
//
// RefreshTokenGrantIdTokenLifespan is the id token lifespan
// issued on a refresh_token grant.
RefreshTokenGrantIdTokenLifespan string `json:"refresh_token_grant_id_token_lifespan,omitempty"`
// +kubebuilder:validation:Pattern=[0-9]+(ns|us|ms|s|m|h)
//
// RefreshTokenGrantRefreshTokenLifespan is the refresh token lifespan
// issued on a refresh_token grant.
RefreshTokenGrantRefreshTokenLifespan string `json:"refresh_token_grant_refresh_token_lifespan,omitempty"`
}
// OAuth2ClientSpec defines the desired state of OAuth2Client // OAuth2ClientSpec defines the desired state of OAuth2Client
type OAuth2ClientSpec struct { type OAuth2ClientSpec struct {
@ -110,6 +173,10 @@ type OAuth2ClientSpec struct {
// Indication which authentication method shoud be used for the token endpoint // Indication which authentication method shoud be used for the token endpoint
TokenEndpointAuthMethod TokenEndpointAuthMethod `json:"tokenEndpointAuthMethod,omitempty"` TokenEndpointAuthMethod TokenEndpointAuthMethod `json:"tokenEndpointAuthMethod,omitempty"`
// TokenLifespans is the configuration to use for managing different token lifespans
// depending on the used grant type.
TokenLifespans TokenLifespans `json:"tokenLifespans,omitempty"`
// +kubebuilder:validation:Type=object // +kubebuilder:validation:Type=object
// +nullable // +nullable
// +optional // +optional

41
api/v1alpha1/oauth2client_types_test.go
View File

@ -89,17 +89,27 @@ func TestCreateAPI(t *testing.T) {
t.Run("by failing if the requested object doesn't meet CRD requirements", func(t *testing.T) { t.Run("by failing if the requested object doesn't meet CRD requirements", func(t *testing.T) {
for desc, modifyClient := range map[string]func(){ for desc, modifyClient := range map[string]func(){
"invalid grant type": func() { created.Spec.GrantTypes = []GrantType{"invalid"} }, "invalid grant type": func() { created.Spec.GrantTypes = []GrantType{"invalid"} },
"invalid response type": func() { created.Spec.ResponseTypes = []ResponseType{"invalid", "code"} }, "invalid response type": func() { created.Spec.ResponseTypes = []ResponseType{"invalid", "code"} },
"invalid composite response type": func() { created.Spec.ResponseTypes = []ResponseType{"invalid code", "code id_token"} }, "invalid composite response type": func() { created.Spec.ResponseTypes = []ResponseType{"invalid code", "code id_token"} },
"invalid scope": func() { created.Spec.Scope = "" }, "invalid scope": func() { created.Spec.Scope = "" },
"missing secret name": func() { created.Spec.SecretName = "" }, "missing secret name": func() { created.Spec.SecretName = "" },
"invalid redirect URI": func() { created.Spec.RedirectURIs = []RedirectURI{"invalid"} }, "invalid redirect URI": func() { created.Spec.RedirectURIs = []RedirectURI{"invalid"} },
"invalid logout redirect URI": func() { created.Spec.PostLogoutRedirectURIs = []RedirectURI{"invalid"} }, "invalid logout redirect URI": func() { created.Spec.PostLogoutRedirectURIs = []RedirectURI{"invalid"} },
"invalid hydra url": func() { created.Spec.HydraAdmin.URL = "invalid" }, "invalid hydra url": func() { created.Spec.HydraAdmin.URL = "invalid" },
"invalid hydra port high": func() { created.Spec.HydraAdmin.Port = 65536 }, "invalid hydra port high": func() { created.Spec.HydraAdmin.Port = 65536 },
"invalid hydra endpoint": func() { created.Spec.HydraAdmin.Endpoint = "invalid" }, "invalid hydra endpoint": func() { created.Spec.HydraAdmin.Endpoint = "invalid" },
"invalid hydra forwarded proto": func() { created.Spec.HydraAdmin.Endpoint = "invalid" }, "invalid hydra forwarded proto": func() { created.Spec.HydraAdmin.ForwardedProto = "invalid" },
"invalid lifespan authorization code access token": func() { created.Spec.TokenLifespans.AuthorizationCodeGrantAccessTokenLifespan = "invalid" },
"invalid lifespan authorization code id token": func() { created.Spec.TokenLifespans.AuthorizationCodeGrantIdTokenLifespan = "invalid" },
"invalid lifespan authorization code refresh token": func() { created.Spec.TokenLifespans.AuthorizationCodeGrantRefreshTokenLifespan = "invalid" },
"invalid lifespan client credentials access token": func() { created.Spec.TokenLifespans.ClientCredentialsGrantAccessTokenLifespan = "invalid" },
"invalid lifespan implicit access token": func() { created.Spec.TokenLifespans.ImplicitGrantAccessTokenLifespan = "invalid" },
"invalid lifespan implicit id token": func() { created.Spec.TokenLifespans.ImplicitGrantIdTokenLifespan = "invalid" },
"invalid lifespan jwt bearer access token": func() { created.Spec.TokenLifespans.JwtBearerGrantAccessTokenLifespan = "invalid" },
"invalid lifespan refresh token access token": func() { created.Spec.TokenLifespans.RefreshTokenGrantAccessTokenLifespan = "invalid" },
"invalid lifespan refresh token id token": func() { created.Spec.TokenLifespans.RefreshTokenGrantIdTokenLifespan = "invalid" },
"invalid lifespan refresh token refresh token": func() { created.Spec.TokenLifespans.RefreshTokenGrantRefreshTokenLifespan = "invalid" },
} { } {
t.Run(fmt.Sprintf("case=%s", desc), func(t *testing.T) { t.Run(fmt.Sprintf("case=%s", desc), func(t *testing.T) {
resetTestClient() resetTestClient()
@ -158,10 +168,11 @@ func resetTestClient() {
Namespace: "default", Namespace: "default",
}, },
Spec: OAuth2ClientSpec{ Spec: OAuth2ClientSpec{
GrantTypes: []GrantType{"implicit", "client_credentials", "authorization_code", "refresh_token"}, GrantTypes: []GrantType{"implicit", "client_credentials", "authorization_code", "refresh_token"},
ResponseTypes: []ResponseType{"id_token", "code", "token"}, ResponseTypes: []ResponseType{"id_token", "code", "token"},
Scope: "read,write", Scope: "read,write",
SecretName: "secret-name", SecretName: "secret-name",
TokenLifespans: TokenLifespans{},
}, },
} }
} }

16
api/v1alpha1/zz_generated.deepcopy.go
View File

@ -148,6 +148,7 @@ func (in *OAuth2ClientSpec) DeepCopyInto(out *OAuth2ClientSpec) {
copy(*out, *in) copy(*out, *in)
} }
out.HydraAdmin = in.HydraAdmin out.HydraAdmin = in.HydraAdmin
out.TokenLifespans = in.TokenLifespans
in.Metadata.DeepCopyInto(&out.Metadata) in.Metadata.DeepCopyInto(&out.Metadata)
} }
@ -196,3 +197,18 @@ func (in *ReconciliationError) DeepCopy() *ReconciliationError {
in.DeepCopyInto(out) in.DeepCopyInto(out)
return out return out
} }
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TokenLifespans) DeepCopyInto(out *TokenLifespans) {
*out = *in
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenLifespans.
func (in *TokenLifespans) DeepCopy() *TokenLifespans {
if in == nil {
return nil
}
out := new(TokenLifespans)
in.DeepCopyInto(out)
return out
}

66
config/crd/bases/hydra.ory.sh_oauth2clients.yaml
View File

@ -233,6 +233,72 @@ spec:
Indication which authentication method shoud be used for the Indication which authentication method shoud be used for the
token endpoint token endpoint
type: string type: string
tokenLifespans:
description: |-
TokenLifespans is the configuration to use for managing different token lifespans
depending on the used grant type.
properties:
authorization_code_grant_access_token_lifespan:
description: |-
AuthorizationCodeGrantAccessTokenLifespan is the access token lifespan
issued on an authorization_code grant.
pattern: "[0-9]+(ns|us|ms|s|m|h)"
type: string
authorization_code_grant_id_token_lifespan:
description: |-
AuthorizationCodeGrantIdTokenLifespan is the id token lifespan
issued on an authorization_code grant.
pattern: "[0-9]+(ns|us|ms|s|m|h)"
type: string
authorization_code_grant_refresh_token_lifespan:
description: |-
AuthorizationCodeGrantRefreshTokenLifespan is the refresh token lifespan
issued on an authorization_code grant.
pattern: "[0-9]+(ns|us|ms|s|m|h)"
type: string
client_credentials_grant_access_token_lifespan:
description: |-
AuthorizationCodeGrantRefreshTokenLifespan is the access token lifespan
issued on a client_credentials grant.
pattern: "[0-9]+(ns|us|ms|s|m|h)"
type: string
implicit_grant_access_token_lifespan:
description: |-
ImplicitGrantAccessTokenLifespan is the access token lifespan
issued on an implicit grant.
pattern: "[0-9]+(ns|us|ms|s|m|h)"
type: string
implicit_grant_id_token_lifespan:
description: |-
ImplicitGrantIdTokenLifespan is the id token lifespan
issued on an implicit grant.
pattern: "[0-9]+(ns|us|ms|s|m|h)"
type: string
jwt_bearer_grant_access_token_lifespan:
description: |-
JwtBearerGrantAccessTokenLifespan is the access token lifespan
issued on a jwt_bearer grant.
pattern: "[0-9]+(ns|us|ms|s|m|h)"
type: string
refresh_token_grant_access_token_lifespan:
description: |-
RefreshTokenGrantAccessTokenLifespan is the access token lifespan
issued on a refresh_token grant.
pattern: "[0-9]+(ns|us|ms|s|m|h)"
type: string
refresh_token_grant_id_token_lifespan:
description: |-
RefreshTokenGrantIdTokenLifespan is the id token lifespan
issued on a refresh_token grant.
pattern: "[0-9]+(ns|us|ms|s|m|h)"
type: string
refresh_token_grant_refresh_token_lifespan:
description: |-
RefreshTokenGrantRefreshTokenLifespan is the refresh token lifespan
issued on a refresh_token grant.
pattern: "[0-9]+(ns|us|ms|s|m|h)"
type: string
type: object
required: required:
- grantTypes - grantTypes
- scope - scope

1
hydra/client_test.go
View File

@ -53,6 +53,7 @@ var testOAuthJSONPost = &hydra.OAuth2ClientJSON{
FrontChannelLogoutSessionRequired: false, FrontChannelLogoutSessionRequired: false,
BackChannelLogoutURI: "https://localhost/backchannel-logout", BackChannelLogoutURI: "https://localhost/backchannel-logout",
BackChannelLogoutSessionRequired: false, BackChannelLogoutSessionRequired: false,
AuthorizationCodeGrantAccessTokenLifespan: "6h",
} }
var testOAuthJSONPut = &hydra.OAuth2ClientJSON{ var testOAuthJSONPut = &hydra.OAuth2ClientJSON{

58
hydra/types.go
View File

@ -14,25 +14,35 @@ import (
// OAuth2ClientJSON represents an OAuth2 client digestible by ORY Hydra // OAuth2ClientJSON represents an OAuth2 client digestible by ORY Hydra
type OAuth2ClientJSON struct { type OAuth2ClientJSON struct {
ClientName string `json:"client_name,omitempty"` ClientName string `json:"client_name,omitempty"`
ClientID *string `json:"client_id,omitempty"` ClientID *string `json:"client_id,omitempty"`
Secret *string `json:"client_secret,omitempty"` Secret *string `json:"client_secret,omitempty"`
GrantTypes []string `json:"grant_types"` GrantTypes []string `json:"grant_types"`
RedirectURIs []string `json:"redirect_uris,omitempty"` RedirectURIs []string `json:"redirect_uris,omitempty"`
PostLogoutRedirectURIs []string `json:"post_logout_redirect_uris,omitempty"` PostLogoutRedirectURIs []string `json:"post_logout_redirect_uris,omitempty"`
AllowedCorsOrigins []string `json:"allowed_cors_origins,omitempty"` AllowedCorsOrigins []string `json:"allowed_cors_origins,omitempty"`
ResponseTypes []string `json:"response_types,omitempty"` ResponseTypes []string `json:"response_types,omitempty"`
Audience []string `json:"audience,omitempty"` Audience []string `json:"audience,omitempty"`
Scope string `json:"scope"` Scope string `json:"scope"`
SkipConsent bool `json:"skip_consent,omitempty"` SkipConsent bool `json:"skip_consent,omitempty"`
Owner string `json:"owner"` Owner string `json:"owner"`
TokenEndpointAuthMethod string `json:"token_endpoint_auth_method,omitempty"` TokenEndpointAuthMethod string `json:"token_endpoint_auth_method,omitempty"`
Metadata json.RawMessage `json:"metadata,omitempty"` Metadata json.RawMessage `json:"metadata,omitempty"`
JwksUri string `json:"jwks_uri,omitempty"` JwksUri string `json:"jwks_uri,omitempty"`
FrontChannelLogoutSessionRequired bool `json:"frontchannel_logout_session_required"` FrontChannelLogoutSessionRequired bool `json:"frontchannel_logout_session_required"`
FrontChannelLogoutURI string `json:"frontchannel_logout_uri"` FrontChannelLogoutURI string `json:"frontchannel_logout_uri"`
BackChannelLogoutSessionRequired bool `json:"backchannel_logout_session_required"` BackChannelLogoutSessionRequired bool `json:"backchannel_logout_session_required"`
BackChannelLogoutURI string `json:"backchannel_logout_uri"` BackChannelLogoutURI string `json:"backchannel_logout_uri"`
AuthorizationCodeGrantAccessTokenLifespan string `json:"authorization_code_grant_access_token_lifespan,omitempty"`
AuthorizationCodeGrantIdTokenLifespan string `json:"authorization_code_grant_id_token_lifespan,omitempty"`
AuthorizationCodeGrantRefreshTokenLifespan string `json:"authorization_code_grant_refresh_token_lifespan,omitempty"`
ClientCredentialsGrantAccessTokenLifespan string `json:"client_credentials_grant_access_token_lifespan,omitempty"`
ImplicitGrantAccessTokenLifespan string `json:"implicit_grant_access_token_lifespan,omitempty"`
ImplicitGrantIdTokenLifespan string `json:"implicit_grant_id_token_lifespan,omitempty"`
JwtBearerGrantAccessTokenLifespan string `json:"jwt_bearer_grant_access_token_lifespan,omitempty"`
RefreshTokenGrantAccessTokenLifespan string `json:"refresh_token_grant_access_token_lifespan,omitempty"`
RefreshTokenGrantIdTokenLifespan string `json:"refresh_token_grant_id_token_lifespan,omitempty"`
RefreshTokenGrantRefreshTokenLifespan string `json:"refresh_token_grant_refresh_token_lifespan,omitempty"`
} }
// Oauth2ClientCredentials represents client ID and password fetched from a // Oauth2ClientCredentials represents client ID and password fetched from a
@ -74,6 +84,16 @@ func FromOAuth2Client(c *hydrav1alpha1.OAuth2Client) (*OAuth2ClientJSON, error)
FrontChannelLogoutSessionRequired: c.Spec.BackChannelLogoutSessionRequired, FrontChannelLogoutSessionRequired: c.Spec.BackChannelLogoutSessionRequired,
BackChannelLogoutSessionRequired: c.Spec.BackChannelLogoutSessionRequired, BackChannelLogoutSessionRequired: c.Spec.BackChannelLogoutSessionRequired,
BackChannelLogoutURI: c.Spec.BackChannelLogoutURI, BackChannelLogoutURI: c.Spec.BackChannelLogoutURI,
AuthorizationCodeGrantAccessTokenLifespan: c.Spec.TokenLifespans.AuthorizationCodeGrantAccessTokenLifespan,
AuthorizationCodeGrantIdTokenLifespan: c.Spec.TokenLifespans.AuthorizationCodeGrantIdTokenLifespan,
AuthorizationCodeGrantRefreshTokenLifespan: c.Spec.TokenLifespans.AuthorizationCodeGrantRefreshTokenLifespan,
ClientCredentialsGrantAccessTokenLifespan: c.Spec.TokenLifespans.ClientCredentialsGrantAccessTokenLifespan,
ImplicitGrantAccessTokenLifespan: c.Spec.TokenLifespans.ImplicitGrantAccessTokenLifespan,
ImplicitGrantIdTokenLifespan: c.Spec.TokenLifespans.ImplicitGrantIdTokenLifespan,
JwtBearerGrantAccessTokenLifespan: c.Spec.TokenLifespans.JwtBearerGrantAccessTokenLifespan,
RefreshTokenGrantAccessTokenLifespan: c.Spec.TokenLifespans.RefreshTokenGrantAccessTokenLifespan,
RefreshTokenGrantIdTokenLifespan: c.Spec.TokenLifespans.RefreshTokenGrantIdTokenLifespan,
RefreshTokenGrantRefreshTokenLifespan: c.Spec.TokenLifespans.RefreshTokenGrantRefreshTokenLifespan,
}, nil }, nil
} }