Compare commits
10 Commits
996cd767b7
...
1ed6229e78
| Author | SHA1 | Date | |
|---|---|---|---|
| 1ed6229e78 | |||
| e9be45f0b4 | |||
| 7ae57adaa1 | |||
| b04e0a4ab2 | |||
| 80bb30395b | |||
| e61e2e6041 | |||
| 7f165b64cc | |||
| 0cc8ddf593 | |||
| d25e97d335 | |||
| 050546c301 |
14
.github/workflows/licenses.yml
vendored
14
.github/workflows/licenses.yml
vendored
@ -8,10 +8,12 @@ on:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
- v3
|
||||
- master
|
||||
|
||||
jobs:
|
||||
check:
|
||||
licenses:
|
||||
name: License compliance
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Install script
|
||||
@ -20,8 +22,14 @@ jobs:
|
||||
token: ${{ secrets.ORY_BOT_PAT || secrets.GITHUB_TOKEN }}
|
||||
- name: Check licenses
|
||||
uses: ory/ci/licenses/check@master
|
||||
- name: Write licenses
|
||||
- name: Write, commit, push licenses
|
||||
uses: ory/ci/licenses/write@master
|
||||
if:
|
||||
${{ github.ref == 'refs/heads/main' || github.ref ==
|
||||
'refs/heads/master' }}
|
||||
'refs/heads/master' || github.ref == 'refs/heads/v3' }}
|
||||
with:
|
||||
author-email:
|
||||
${{ secrets.ORY_BOT_PAT &&
|
||||
'60093411+ory-bot@users.noreply.github.com' ||
|
||||
format('{0}@users.noreply.github.com', github.actor) }}
|
||||
author-name: ${{ secrets.ORY_BOT_PAT && 'ory-bot' || github.actor }}
|
||||
|
||||
176
.reports/dep-licenses.csv
Normal file
176
.reports/dep-licenses.csv
Normal file
@ -0,0 +1,176 @@
|
||||
|
||||
"github.com/go-logr/logr","Apache-2.0"
|
||||
"github.com/asaskevich/govalidator","MIT"
|
||||
"github.com/go-openapi/errors","Apache-2.0"
|
||||
"github.com/go-openapi/runtime","Apache-2.0"
|
||||
"github.com/go-openapi/strfmt","Apache-2.0"
|
||||
"github.com/go-openapi/swag","Apache-2.0"
|
||||
"github.com/google/uuid","BSD-3-Clause"
|
||||
"github.com/josharian/intern","MIT"
|
||||
"github.com/mailru/easyjson","MIT"
|
||||
"github.com/mitchellh/mapstructure","MIT"
|
||||
"github.com/oklog/ulid","Apache-2.0"
|
||||
"go.mongodb.org/mongo-driver","Apache-2.0"
|
||||
"golang.org/x/sync/errgroup","BSD-3-Clause"
|
||||
"gopkg.in/yaml.v3","MIT"
|
||||
"github.com/fsnotify/fsnotify","BSD-3-Clause"
|
||||
"github.com/nxadm/tail","MIT"
|
||||
"github.com/nxadm/tail/ratelimiter","MIT"
|
||||
"github.com/onsi/ginkgo","MIT"
|
||||
"github.com/onsi/ginkgo/reporters/stenographer/support/go-colorable","MIT"
|
||||
"golang.org/x/sys/unix","BSD-3-Clause"
|
||||
"gopkg.in/tomb.v1","BSD-3-Clause"
|
||||
"github.com/google/go-cmp/cmp","BSD-3-Clause"
|
||||
"github.com/onsi/gomega","MIT"
|
||||
"golang.org/x/net/html","BSD-3-Clause"
|
||||
"golang.org/x/text","BSD-3-Clause"
|
||||
"gopkg.in/yaml.v3","MIT"
|
||||
"github.com/asaskevich/govalidator","MIT"
|
||||
"github.com/beorn7/perks/quantile","MIT"
|
||||
"github.com/cespare/xxhash/v2","MIT"
|
||||
"github.com/davecgh/go-spew/spew","ISC"
|
||||
"github.com/emicklei/go-restful/v3","MIT"
|
||||
"github.com/evanphx/json-patch/v5","BSD-3-Clause"
|
||||
"github.com/fsnotify/fsnotify","BSD-3-Clause"
|
||||
"github.com/go-logr/logr","Apache-2.0"
|
||||
"github.com/go-logr/stdr","Apache-2.0"
|
||||
"github.com/go-logr/zapr","Apache-2.0"
|
||||
"github.com/go-openapi/analysis","Apache-2.0"
|
||||
"github.com/go-openapi/errors","Apache-2.0"
|
||||
"github.com/go-openapi/jsonpointer","Apache-2.0"
|
||||
"github.com/go-openapi/jsonreference","Apache-2.0"
|
||||
"github.com/go-openapi/loads","Apache-2.0"
|
||||
"github.com/go-openapi/runtime","Apache-2.0"
|
||||
"github.com/go-openapi/runtime/middleware/denco","MIT"
|
||||
"github.com/go-openapi/spec","Apache-2.0"
|
||||
"github.com/go-openapi/strfmt","Apache-2.0"
|
||||
"github.com/go-openapi/swag","Apache-2.0"
|
||||
"github.com/go-openapi/validate","Apache-2.0"
|
||||
"github.com/gogo/protobuf","BSD-3-Clause"
|
||||
"github.com/golang/groupcache/lru","Apache-2.0"
|
||||
"github.com/golang/protobuf","BSD-3-Clause"
|
||||
"github.com/google/gnostic-models","Apache-2.0"
|
||||
"github.com/google/go-cmp/cmp","BSD-3-Clause"
|
||||
"github.com/google/gofuzz","Apache-2.0"
|
||||
"github.com/google/uuid","BSD-3-Clause"
|
||||
"github.com/imdario/mergo","BSD-3-Clause"
|
||||
"github.com/josharian/intern","MIT"
|
||||
"github.com/json-iterator/go","MIT"
|
||||
"github.com/mailru/easyjson","MIT"
|
||||
"github.com/matttproud/golang_protobuf_extensions/pbutil","Apache-2.0"
|
||||
"github.com/mitchellh/mapstructure","MIT"
|
||||
"github.com/modern-go/concurrent","Apache-2.0"
|
||||
"github.com/modern-go/reflect2","Apache-2.0"
|
||||
"github.com/munnerz/goautoneg","BSD-3-Clause"
|
||||
"github.com/oklog/ulid","Apache-2.0"
|
||||
"github.com/opentracing/opentracing-go","Apache-2.0"
|
||||
"github.com/ory/hydra-maester","Apache-2.0"
|
||||
"github.com/pkg/errors","BSD-2-Clause"
|
||||
"github.com/prometheus/client_golang/prometheus","Apache-2.0"
|
||||
"github.com/prometheus/client_model/go","Apache-2.0"
|
||||
"github.com/prometheus/common","Apache-2.0"
|
||||
"github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg","BSD-3-Clause"
|
||||
"github.com/prometheus/procfs","Apache-2.0"
|
||||
"github.com/spf13/pflag","BSD-3-Clause"
|
||||
"go.mongodb.org/mongo-driver","Apache-2.0"
|
||||
"go.opentelemetry.io/otel","Apache-2.0"
|
||||
"go.opentelemetry.io/otel/metric","Apache-2.0"
|
||||
"go.opentelemetry.io/otel/trace","Apache-2.0"
|
||||
"go.uber.org/multierr","MIT"
|
||||
"go.uber.org/zap","MIT"
|
||||
"golang.org/x/exp/maps","BSD-3-Clause"
|
||||
"golang.org/x/net","BSD-3-Clause"
|
||||
"golang.org/x/oauth2","BSD-3-Clause"
|
||||
"golang.org/x/sync/errgroup","BSD-3-Clause"
|
||||
"golang.org/x/sys/unix","BSD-3-Clause"
|
||||
"golang.org/x/term","BSD-3-Clause"
|
||||
"golang.org/x/text","BSD-3-Clause"
|
||||
"golang.org/x/time/rate","BSD-3-Clause"
|
||||
"gomodules.xyz/jsonpatch/v2","Apache-2.0"
|
||||
"google.golang.org/protobuf","BSD-3-Clause"
|
||||
"gopkg.in/inf.v0","BSD-3-Clause"
|
||||
"gopkg.in/yaml.v2","Apache-2.0"
|
||||
"gopkg.in/yaml.v3","MIT"
|
||||
"k8s.io/api","Apache-2.0"
|
||||
"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions","Apache-2.0"
|
||||
"k8s.io/apimachinery/pkg","Apache-2.0"
|
||||
"k8s.io/apimachinery/third_party/forked/golang","BSD-3-Clause"
|
||||
"k8s.io/client-go","Apache-2.0"
|
||||
"k8s.io/klog/v2","Apache-2.0"
|
||||
"k8s.io/kube-openapi/pkg","Apache-2.0"
|
||||
"k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json","BSD-3-Clause"
|
||||
"k8s.io/kube-openapi/pkg/validation/spec","Apache-2.0"
|
||||
"k8s.io/utils","Apache-2.0"
|
||||
"k8s.io/utils/internal/third_party/forked/golang/net","BSD-3-Clause"
|
||||
"sigs.k8s.io/controller-runtime","Apache-2.0"
|
||||
"sigs.k8s.io/json","Apache-2.0"
|
||||
"sigs.k8s.io/json","BSD-3-Clause"
|
||||
"sigs.k8s.io/structured-merge-diff/v4","Apache-2.0"
|
||||
"sigs.k8s.io/yaml","MIT"
|
||||
"sigs.k8s.io/yaml","BSD-3-Clause"
|
||||
"github.com/stretchr/testify","MIT"
|
||||
"k8s.io/api","Apache-2.0"
|
||||
"k8s.io/apimachinery","Apache-2.0"
|
||||
"k8s.io/client-go","Apache-2.0"
|
||||
"github.com/beorn7/perks/quantile","MIT"
|
||||
"github.com/cespare/xxhash/v2","MIT"
|
||||
"github.com/davecgh/go-spew/spew","ISC"
|
||||
"github.com/emicklei/go-restful/v3","MIT"
|
||||
"github.com/evanphx/json-patch/v5","BSD-3-Clause"
|
||||
"github.com/fsnotify/fsnotify","BSD-3-Clause"
|
||||
"github.com/go-logr/logr","Apache-2.0"
|
||||
"github.com/go-openapi/jsonpointer","Apache-2.0"
|
||||
"github.com/go-openapi/jsonreference","Apache-2.0"
|
||||
"github.com/go-openapi/swag","Apache-2.0"
|
||||
"github.com/gogo/protobuf","BSD-3-Clause"
|
||||
"github.com/golang/groupcache/lru","Apache-2.0"
|
||||
"github.com/golang/protobuf","BSD-3-Clause"
|
||||
"github.com/google/gnostic-models","Apache-2.0"
|
||||
"github.com/google/go-cmp/cmp","BSD-3-Clause"
|
||||
"github.com/google/gofuzz","Apache-2.0"
|
||||
"github.com/google/uuid","BSD-3-Clause"
|
||||
"github.com/imdario/mergo","BSD-3-Clause"
|
||||
"github.com/josharian/intern","MIT"
|
||||
"github.com/json-iterator/go","MIT"
|
||||
"github.com/mailru/easyjson","MIT"
|
||||
"github.com/matttproud/golang_protobuf_extensions/pbutil","Apache-2.0"
|
||||
"github.com/modern-go/concurrent","Apache-2.0"
|
||||
"github.com/modern-go/reflect2","Apache-2.0"
|
||||
"github.com/munnerz/goautoneg","BSD-3-Clause"
|
||||
"github.com/pkg/errors","BSD-2-Clause"
|
||||
"github.com/prometheus/client_golang/prometheus","Apache-2.0"
|
||||
"github.com/prometheus/client_model/go","Apache-2.0"
|
||||
"github.com/prometheus/common","Apache-2.0"
|
||||
"github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg","BSD-3-Clause"
|
||||
"github.com/prometheus/procfs","Apache-2.0"
|
||||
"github.com/spf13/pflag","BSD-3-Clause"
|
||||
"golang.org/x/exp/maps","BSD-3-Clause"
|
||||
"golang.org/x/net","BSD-3-Clause"
|
||||
"golang.org/x/oauth2","BSD-3-Clause"
|
||||
"golang.org/x/sys/unix","BSD-3-Clause"
|
||||
"golang.org/x/term","BSD-3-Clause"
|
||||
"golang.org/x/text","BSD-3-Clause"
|
||||
"golang.org/x/time/rate","BSD-3-Clause"
|
||||
"gomodules.xyz/jsonpatch/v2","Apache-2.0"
|
||||
"google.golang.org/protobuf","BSD-3-Clause"
|
||||
"gopkg.in/inf.v0","BSD-3-Clause"
|
||||
"gopkg.in/yaml.v2","Apache-2.0"
|
||||
"gopkg.in/yaml.v3","MIT"
|
||||
"k8s.io/api","Apache-2.0"
|
||||
"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions","Apache-2.0"
|
||||
"k8s.io/apimachinery/pkg","Apache-2.0"
|
||||
"k8s.io/apimachinery/third_party/forked/golang","BSD-3-Clause"
|
||||
"k8s.io/client-go","Apache-2.0"
|
||||
"k8s.io/klog/v2","Apache-2.0"
|
||||
"k8s.io/kube-openapi/pkg","Apache-2.0"
|
||||
"k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json","BSD-3-Clause"
|
||||
"k8s.io/kube-openapi/pkg/validation/spec","Apache-2.0"
|
||||
"k8s.io/utils","Apache-2.0"
|
||||
"k8s.io/utils/internal/third_party/forked/golang/net","BSD-3-Clause"
|
||||
"sigs.k8s.io/controller-runtime","Apache-2.0"
|
||||
"sigs.k8s.io/json","Apache-2.0"
|
||||
"sigs.k8s.io/json","BSD-3-Clause"
|
||||
"sigs.k8s.io/structured-merge-diff/v4","Apache-2.0"
|
||||
"sigs.k8s.io/yaml","MIT"
|
||||
"sigs.k8s.io/yaml","BSD-3-Clause"
|
||||
|
||||
|
@ -225,6 +225,11 @@ type OAuth2ClientSpec struct {
|
||||
// Indicates if a deleted OAuth2Client custom resource should delete the database row or not.
|
||||
// Value 1 means deletion of the OAuth2 client, value 2 means keep an orphan oauth2 client.
|
||||
DeletionPolicy OAuth2ClientDeletionPolicy `json:"deletionPolicy,omitempty"`
|
||||
|
||||
// +kubebuilder:validation:type=string
|
||||
//
|
||||
// UserInfoSignedResponseAlg value specifying the JWS alg algorithm for signing UserInfo Responses
|
||||
UserInfoSignedResponseAlg string `json:"userInfoSignedResponseAlg,omitempty"`
|
||||
}
|
||||
|
||||
// GrantType represents an OAuth 2.0 grant type
|
||||
|
||||
@ -14,358 +14,337 @@ spec:
|
||||
singular: oauth2client
|
||||
scope: Namespaced
|
||||
versions:
|
||||
- name: v1alpha1
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
description: OAuth2Client is the Schema for the oauth2clients API
|
||||
properties:
|
||||
apiVersion:
|
||||
description: |-
|
||||
APIVersion defines the versioned schema of this representation of an object.
|
||||
Servers should convert recognized schemas to the latest internal value, and
|
||||
may reject unrecognized values.
|
||||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
||||
type: string
|
||||
kind:
|
||||
description: |-
|
||||
Kind is a string value representing the REST resource this object represents.
|
||||
Servers may infer this from the endpoint the client submits requests to.
|
||||
Cannot be updated.
|
||||
In CamelCase.
|
||||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||||
type: string
|
||||
metadata:
|
||||
type: object
|
||||
spec:
|
||||
description:
|
||||
OAuth2ClientSpec defines the desired state of OAuth2Client
|
||||
properties:
|
||||
allowedCorsOrigins:
|
||||
description:
|
||||
AllowedCorsOrigins is an array of allowed CORS origins
|
||||
items:
|
||||
description:
|
||||
RedirectURI represents a redirect URI for the client
|
||||
pattern: \w+:/?/?[^\s]+
|
||||
type: string
|
||||
type: array
|
||||
audience:
|
||||
description:
|
||||
Audience is a whitelist defining the audiences this client
|
||||
is allowed to request tokens for
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
backChannelLogoutSessionRequired:
|
||||
default: false
|
||||
description:
|
||||
BackChannelLogoutSessionRequired Boolean value specifying
|
||||
whether the RP requires that a sid (session ID) Claim be
|
||||
included in the Logout Token to identify the RP session with
|
||||
the OP when the backchannel_logout_uri is used. If omitted,
|
||||
the default value is false.
|
||||
type: boolean
|
||||
backChannelLogoutURI:
|
||||
description:
|
||||
BackChannelLogoutURI RP URL that will cause the RP to log
|
||||
itself out when sent a Logout Token by the OP
|
||||
pattern: (^$|^https?://.*)
|
||||
- name: v1alpha1
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
description: OAuth2Client is the Schema for the oauth2clients API
|
||||
properties:
|
||||
apiVersion:
|
||||
description: |-
|
||||
APIVersion defines the versioned schema of this representation of an object.
|
||||
Servers should convert recognized schemas to the latest internal value, and
|
||||
may reject unrecognized values.
|
||||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
||||
type: string
|
||||
kind:
|
||||
description: |-
|
||||
Kind is a string value representing the REST resource this object represents.
|
||||
Servers may infer this from the endpoint the client submits requests to.
|
||||
Cannot be updated.
|
||||
In CamelCase.
|
||||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||||
type: string
|
||||
metadata:
|
||||
type: object
|
||||
spec:
|
||||
description: OAuth2ClientSpec defines the desired state of OAuth2Client
|
||||
properties:
|
||||
allowedCorsOrigins:
|
||||
description: AllowedCorsOrigins is an array of allowed CORS origins
|
||||
items:
|
||||
description: RedirectURI represents a redirect URI for the client
|
||||
pattern: \w+:/?/?[^\s]+
|
||||
type: string
|
||||
clientName:
|
||||
description:
|
||||
ClientName is the human-readable string name of the client
|
||||
to be presented to the end-user during authorization.
|
||||
type: array
|
||||
audience:
|
||||
description: Audience is a whitelist defining the audiences this client
|
||||
is allowed to request tokens for
|
||||
items:
|
||||
type: string
|
||||
deletionPolicy:
|
||||
description: |-
|
||||
Indicates if a deleted OAuth2Client custom resource should delete the database row or not.
|
||||
Value 0 means deletion of the OAuth2 client, value 1 means keep an orphan oauth2 client.
|
||||
type: array
|
||||
backChannelLogoutSessionRequired:
|
||||
default: false
|
||||
description: BackChannelLogoutSessionRequired Boolean value specifying
|
||||
whether the RP requires that a sid (session ID) Claim be included
|
||||
in the Logout Token to identify the RP session with the OP when
|
||||
the backchannel_logout_uri is used. If omitted, the default value
|
||||
is false.
|
||||
type: boolean
|
||||
backChannelLogoutURI:
|
||||
description: BackChannelLogoutURI RP URL that will cause the RP to
|
||||
log itself out when sent a Logout Token by the OP
|
||||
pattern: (^$|^https?://.*)
|
||||
type: string
|
||||
clientName:
|
||||
description: ClientName is the human-readable string name of the client
|
||||
to be presented to the end-user during authorization.
|
||||
type: string
|
||||
deletionPolicy:
|
||||
description: |-
|
||||
Indicates if a deleted OAuth2Client custom resource should delete the database row or not.
|
||||
Value 1 means deletion of the OAuth2 client, value 2 means keep an orphan oauth2 client.
|
||||
enum:
|
||||
- 1
|
||||
- 2
|
||||
type: integer
|
||||
frontChannelLogoutSessionRequired:
|
||||
default: false
|
||||
description: FrontChannelLogoutSessionRequired Boolean value specifying
|
||||
whether the RP requires that iss (issuer) and sid (session ID) query
|
||||
parameters be included to identify the RP session with the OP when
|
||||
the frontchannel_logout_uri is used
|
||||
type: boolean
|
||||
frontChannelLogoutURI:
|
||||
description: FrontChannelLogoutURI RP URL that will cause the RP to
|
||||
log itself out when rendered in an iframe by the OP. An iss (issuer)
|
||||
query parameter and a sid (session ID) query parameter MAY be included
|
||||
by the OP to enable the RP to validate the request and to determine
|
||||
which of the potentially multiple sessions is to be logged out;
|
||||
if either is included, both MUST be
|
||||
pattern: (^$|^https?://.*)
|
||||
type: string
|
||||
grantTypes:
|
||||
description: GrantTypes is an array of grant types the client is allowed
|
||||
to use.
|
||||
items:
|
||||
description: GrantType represents an OAuth 2.0 grant type
|
||||
enum:
|
||||
- 0
|
||||
- 1
|
||||
type: integer
|
||||
frontChannelLogoutSessionRequired:
|
||||
default: false
|
||||
description:
|
||||
FrontChannelLogoutSessionRequired Boolean value specifying
|
||||
whether the RP requires that iss (issuer) and sid (session
|
||||
ID) query parameters be included to identify the RP session
|
||||
with the OP when the frontchannel_logout_uri is used
|
||||
type: boolean
|
||||
frontChannelLogoutURI:
|
||||
description:
|
||||
FrontChannelLogoutURI RP URL that will cause the RP to log
|
||||
itself out when rendered in an iframe by the OP. An iss
|
||||
(issuer) query parameter and a sid (session ID) query
|
||||
parameter MAY be included by the OP to enable the RP to
|
||||
validate the request and to determine which of the
|
||||
potentially multiple sessions is to be logged out; if either
|
||||
is included, both MUST be
|
||||
pattern: (^$|^https?://.*)
|
||||
- client_credentials
|
||||
- authorization_code
|
||||
- implicit
|
||||
- refresh_token
|
||||
type: string
|
||||
grantTypes:
|
||||
description:
|
||||
GrantTypes is an array of grant types the client is allowed
|
||||
to use.
|
||||
items:
|
||||
description: GrantType represents an OAuth 2.0 grant type
|
||||
enum:
|
||||
- client_credentials
|
||||
- authorization_code
|
||||
- implicit
|
||||
- refresh_token
|
||||
maxItems: 4
|
||||
minItems: 1
|
||||
type: array
|
||||
hydraAdmin:
|
||||
description: |-
|
||||
HydraAdmin is the optional configuration to use for managing
|
||||
this client
|
||||
properties:
|
||||
endpoint:
|
||||
description: |-
|
||||
Endpoint is the endpoint for the hydra instance on which
|
||||
to set up the client. This value will override the value
|
||||
provided to `--endpoint` (defaults to `"/clients"` in the
|
||||
application)
|
||||
pattern: (^$|^/.*)
|
||||
type: string
|
||||
maxItems: 4
|
||||
minItems: 1
|
||||
type: array
|
||||
hydraAdmin:
|
||||
description: |-
|
||||
HydraAdmin is the optional configuration to use for managing
|
||||
this client
|
||||
forwardedProto:
|
||||
description: |-
|
||||
ForwardedProto overrides the `--forwarded-proto` flag. The
|
||||
value "off" will force this to be off even if
|
||||
`--forwarded-proto` is specified
|
||||
pattern: (^$|https?|off)
|
||||
type: string
|
||||
port:
|
||||
description: |-
|
||||
Port is the port for the hydra instance on
|
||||
which to set up the client. This value will override the value
|
||||
provided to `--hydra-port`
|
||||
maximum: 65535
|
||||
type: integer
|
||||
url:
|
||||
description: |-
|
||||
URL is the URL for the hydra instance on
|
||||
which to set up the client. This value will override the value
|
||||
provided to `--hydra-url`
|
||||
maxLength: 64
|
||||
pattern: (^$|^https?://.*)
|
||||
type: string
|
||||
type: object
|
||||
jwksUri:
|
||||
description: JwksUri Define the URL where the JSON Web Key Set should
|
||||
be fetched from when performing the private_key_jwt client authentication
|
||||
method.
|
||||
pattern: (^$|^https?://.*)
|
||||
type: string
|
||||
metadata:
|
||||
description: Metadata is arbitrary data
|
||||
nullable: true
|
||||
type: object
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
postLogoutRedirectUris:
|
||||
description: PostLogoutRedirectURIs is an array of the post logout
|
||||
redirect URIs allowed for the application
|
||||
items:
|
||||
description: RedirectURI represents a redirect URI for the client
|
||||
pattern: \w+:/?/?[^\s]+
|
||||
type: string
|
||||
type: array
|
||||
redirectUris:
|
||||
description: RedirectURIs is an array of the redirect URIs allowed
|
||||
for the application
|
||||
items:
|
||||
description: RedirectURI represents a redirect URI for the client
|
||||
pattern: \w+:/?/?[^\s]+
|
||||
type: string
|
||||
type: array
|
||||
responseTypes:
|
||||
description: |-
|
||||
ResponseTypes is an array of the OAuth 2.0 response type strings that the client can
|
||||
use at the authorization endpoint.
|
||||
items:
|
||||
description: ResponseType represents an OAuth 2.0 response type
|
||||
strings
|
||||
enum:
|
||||
- id_token
|
||||
- code
|
||||
- token
|
||||
- code token
|
||||
- code id_token
|
||||
- id_token token
|
||||
- code id_token token
|
||||
type: string
|
||||
maxItems: 3
|
||||
minItems: 1
|
||||
type: array
|
||||
scope:
|
||||
description: |-
|
||||
Scope is a string containing a space-separated list of scope values (as
|
||||
described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client
|
||||
can use when requesting access tokens.
|
||||
Use scopeArray instead.
|
||||
pattern: ([a-zA-Z0-9\.\*]+\s?)*
|
||||
type: string
|
||||
scopeArray:
|
||||
description: |-
|
||||
Scope is an array of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749])
|
||||
that the client can use when requesting access tokens.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
secretName:
|
||||
description: SecretName points to the K8s secret that contains this
|
||||
client's ID and password
|
||||
maxLength: 253
|
||||
minLength: 1
|
||||
pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*'
|
||||
type: string
|
||||
skipConsent:
|
||||
default: false
|
||||
description: SkipConsent skips the consent screen for this client.
|
||||
type: boolean
|
||||
tokenEndpointAuthMethod:
|
||||
allOf:
|
||||
- enum:
|
||||
- client_secret_basic
|
||||
- client_secret_post
|
||||
- private_key_jwt
|
||||
- none
|
||||
- enum:
|
||||
- client_secret_basic
|
||||
- client_secret_post
|
||||
- private_key_jwt
|
||||
- none
|
||||
description: Indication which authentication method should be used
|
||||
for the token endpoint
|
||||
type: string
|
||||
tokenLifespans:
|
||||
description: |-
|
||||
TokenLifespans is the configuration to use for managing different token lifespans
|
||||
depending on the used grant type.
|
||||
properties:
|
||||
authorization_code_grant_access_token_lifespan:
|
||||
description: |-
|
||||
AuthorizationCodeGrantAccessTokenLifespan is the access token lifespan
|
||||
issued on an authorization_code grant.
|
||||
pattern: '[0-9]+(ns|us|ms|s|m|h)'
|
||||
type: string
|
||||
authorization_code_grant_id_token_lifespan:
|
||||
description: |-
|
||||
AuthorizationCodeGrantIdTokenLifespan is the id token lifespan
|
||||
issued on an authorization_code grant.
|
||||
pattern: '[0-9]+(ns|us|ms|s|m|h)'
|
||||
type: string
|
||||
authorization_code_grant_refresh_token_lifespan:
|
||||
description: |-
|
||||
AuthorizationCodeGrantRefreshTokenLifespan is the refresh token lifespan
|
||||
issued on an authorization_code grant.
|
||||
pattern: '[0-9]+(ns|us|ms|s|m|h)'
|
||||
type: string
|
||||
client_credentials_grant_access_token_lifespan:
|
||||
description: |-
|
||||
AuthorizationCodeGrantRefreshTokenLifespan is the access token lifespan
|
||||
issued on a client_credentials grant.
|
||||
pattern: '[0-9]+(ns|us|ms|s|m|h)'
|
||||
type: string
|
||||
implicit_grant_access_token_lifespan:
|
||||
description: |-
|
||||
ImplicitGrantAccessTokenLifespan is the access token lifespan
|
||||
issued on an implicit grant.
|
||||
pattern: '[0-9]+(ns|us|ms|s|m|h)'
|
||||
type: string
|
||||
implicit_grant_id_token_lifespan:
|
||||
description: |-
|
||||
ImplicitGrantIdTokenLifespan is the id token lifespan
|
||||
issued on an implicit grant.
|
||||
pattern: '[0-9]+(ns|us|ms|s|m|h)'
|
||||
type: string
|
||||
jwt_bearer_grant_access_token_lifespan:
|
||||
description: |-
|
||||
JwtBearerGrantAccessTokenLifespan is the access token lifespan
|
||||
issued on a jwt_bearer grant.
|
||||
pattern: '[0-9]+(ns|us|ms|s|m|h)'
|
||||
type: string
|
||||
refresh_token_grant_access_token_lifespan:
|
||||
description: |-
|
||||
RefreshTokenGrantAccessTokenLifespan is the access token lifespan
|
||||
issued on a refresh_token grant.
|
||||
pattern: '[0-9]+(ns|us|ms|s|m|h)'
|
||||
type: string
|
||||
refresh_token_grant_id_token_lifespan:
|
||||
description: |-
|
||||
RefreshTokenGrantIdTokenLifespan is the id token lifespan
|
||||
issued on a refresh_token grant.
|
||||
pattern: '[0-9]+(ns|us|ms|s|m|h)'
|
||||
type: string
|
||||
refresh_token_grant_refresh_token_lifespan:
|
||||
description: |-
|
||||
RefreshTokenGrantRefreshTokenLifespan is the refresh token lifespan
|
||||
issued on a refresh_token grant.
|
||||
pattern: '[0-9]+(ns|us|ms|s|m|h)'
|
||||
type: string
|
||||
type: object
|
||||
userInfoSignedResponseAlg:
|
||||
description: UserInfoSignedResponseAlg value specifying the JWS alg
|
||||
algorithm for signing UserInfo Responses
|
||||
type: string
|
||||
required:
|
||||
- grantTypes
|
||||
- secretName
|
||||
type: object
|
||||
status:
|
||||
description: OAuth2ClientStatus defines the observed state of OAuth2Client
|
||||
properties:
|
||||
conditions:
|
||||
items:
|
||||
description: OAuth2ClientCondition contains condition information
|
||||
for an OAuth2Client
|
||||
properties:
|
||||
endpoint:
|
||||
description: |-
|
||||
Endpoint is the endpoint for the hydra instance on which
|
||||
to set up the client. This value will override the value
|
||||
provided to `--endpoint` (defaults to `"/clients"` in the
|
||||
application)
|
||||
pattern: (^$|^/.*)
|
||||
status:
|
||||
enum:
|
||||
- "True"
|
||||
- "False"
|
||||
- Unknown
|
||||
type: string
|
||||
forwardedProto:
|
||||
description: |-
|
||||
ForwardedProto overrides the `--forwarded-proto` flag. The
|
||||
value "off" will force this to be off even if
|
||||
`--forwarded-proto` is specified
|
||||
pattern: (^$|https?|off)
|
||||
type: string
|
||||
port:
|
||||
description: |-
|
||||
Port is the port for the hydra instance on
|
||||
which to set up the client. This value will override the value
|
||||
provided to `--hydra-port`
|
||||
maximum: 65535
|
||||
type: integer
|
||||
url:
|
||||
description: |-
|
||||
URL is the URL for the hydra instance on
|
||||
which to set up the client. This value will override the value
|
||||
provided to `--hydra-url`
|
||||
maxLength: 64
|
||||
pattern: (^$|^https?://.*)
|
||||
type:
|
||||
type: string
|
||||
required:
|
||||
- status
|
||||
- type
|
||||
type: object
|
||||
jwksUri:
|
||||
type: array
|
||||
observedGeneration:
|
||||
description: ObservedGeneration represents the most recent generation
|
||||
observed by the daemon set controller.
|
||||
format: int64
|
||||
type: integer
|
||||
reconciliationError:
|
||||
description: ReconciliationError represents an error that occurred
|
||||
during the reconciliation process
|
||||
properties:
|
||||
description:
|
||||
JwksUri Define the URL where the JSON Web Key Set should be
|
||||
fetched from when performing the private_key_jwt client
|
||||
authentication method.
|
||||
pattern: (^$|^https?://.*)
|
||||
type: string
|
||||
metadata:
|
||||
description: Metadata is arbitrary data
|
||||
nullable: true
|
||||
type: object
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
postLogoutRedirectUris:
|
||||
description:
|
||||
PostLogoutRedirectURIs is an array of the post logout
|
||||
redirect URIs allowed for the application
|
||||
items:
|
||||
description:
|
||||
RedirectURI represents a redirect URI for the client
|
||||
pattern: \w+:/?/?[^\s]+
|
||||
description: Description is the description of the reconciliation
|
||||
error
|
||||
type: string
|
||||
type: array
|
||||
redirectUris:
|
||||
description:
|
||||
RedirectURIs is an array of the redirect URIs allowed for
|
||||
the application
|
||||
items:
|
||||
description:
|
||||
RedirectURI represents a redirect URI for the client
|
||||
pattern: \w+:/?/?[^\s]+
|
||||
statusCode:
|
||||
description: Code is the status code of the reconciliation error
|
||||
type: string
|
||||
type: array
|
||||
responseTypes:
|
||||
description: |-
|
||||
ResponseTypes is an array of the OAuth 2.0 response type strings that the client can
|
||||
use at the authorization endpoint.
|
||||
items:
|
||||
description:
|
||||
ResponseType represents an OAuth 2.0 response type strings
|
||||
enum:
|
||||
- id_token
|
||||
- code
|
||||
- token
|
||||
- code token
|
||||
- code id_token
|
||||
- id_token token
|
||||
- code id_token token
|
||||
type: string
|
||||
maxItems: 3
|
||||
minItems: 1
|
||||
type: array
|
||||
scope:
|
||||
description: |-
|
||||
Scope is a string containing a space-separated list of scope values (as
|
||||
described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client
|
||||
can use when requesting access tokens.
|
||||
Use scopeArray instead.
|
||||
pattern: ([a-zA-Z0-9\.\*]+\s?)*
|
||||
type: string
|
||||
scopeArray:
|
||||
description: |-
|
||||
Scope is an array of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749])
|
||||
that the client can use when requesting access tokens.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
secretName:
|
||||
description:
|
||||
SecretName points to the K8s secret that contains this
|
||||
client's ID and password
|
||||
maxLength: 253
|
||||
minLength: 1
|
||||
pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*'
|
||||
type: string
|
||||
skipConsent:
|
||||
default: false
|
||||
description:
|
||||
SkipConsent skips the consent screen for this client.
|
||||
type: boolean
|
||||
tokenEndpointAuthMethod:
|
||||
allOf:
|
||||
- enum:
|
||||
- client_secret_basic
|
||||
- client_secret_post
|
||||
- private_key_jwt
|
||||
- none
|
||||
- enum:
|
||||
- client_secret_basic
|
||||
- client_secret_post
|
||||
- private_key_jwt
|
||||
- none
|
||||
description:
|
||||
Indication which authentication method should be used for
|
||||
the token endpoint
|
||||
type: string
|
||||
tokenLifespans:
|
||||
description: |-
|
||||
TokenLifespans is the configuration to use for managing different token lifespans
|
||||
depending on the used grant type.
|
||||
properties:
|
||||
authorization_code_grant_access_token_lifespan:
|
||||
description: |-
|
||||
AuthorizationCodeGrantAccessTokenLifespan is the access token lifespan
|
||||
issued on an authorization_code grant.
|
||||
pattern: "[0-9]+(ns|us|ms|s|m|h)"
|
||||
type: string
|
||||
authorization_code_grant_id_token_lifespan:
|
||||
description: |-
|
||||
AuthorizationCodeGrantIdTokenLifespan is the id token lifespan
|
||||
issued on an authorization_code grant.
|
||||
pattern: "[0-9]+(ns|us|ms|s|m|h)"
|
||||
type: string
|
||||
authorization_code_grant_refresh_token_lifespan:
|
||||
description: |-
|
||||
AuthorizationCodeGrantRefreshTokenLifespan is the refresh token lifespan
|
||||
issued on an authorization_code grant.
|
||||
pattern: "[0-9]+(ns|us|ms|s|m|h)"
|
||||
type: string
|
||||
client_credentials_grant_access_token_lifespan:
|
||||
description: |-
|
||||
AuthorizationCodeGrantRefreshTokenLifespan is the access token lifespan
|
||||
issued on a client_credentials grant.
|
||||
pattern: "[0-9]+(ns|us|ms|s|m|h)"
|
||||
type: string
|
||||
implicit_grant_access_token_lifespan:
|
||||
description: |-
|
||||
ImplicitGrantAccessTokenLifespan is the access token lifespan
|
||||
issued on an implicit grant.
|
||||
pattern: "[0-9]+(ns|us|ms|s|m|h)"
|
||||
type: string
|
||||
implicit_grant_id_token_lifespan:
|
||||
description: |-
|
||||
ImplicitGrantIdTokenLifespan is the id token lifespan
|
||||
issued on an implicit grant.
|
||||
pattern: "[0-9]+(ns|us|ms|s|m|h)"
|
||||
type: string
|
||||
jwt_bearer_grant_access_token_lifespan:
|
||||
description: |-
|
||||
JwtBearerGrantAccessTokenLifespan is the access token lifespan
|
||||
issued on a jwt_bearer grant.
|
||||
pattern: "[0-9]+(ns|us|ms|s|m|h)"
|
||||
type: string
|
||||
refresh_token_grant_access_token_lifespan:
|
||||
description: |-
|
||||
RefreshTokenGrantAccessTokenLifespan is the access token lifespan
|
||||
issued on a refresh_token grant.
|
||||
pattern: "[0-9]+(ns|us|ms|s|m|h)"
|
||||
type: string
|
||||
refresh_token_grant_id_token_lifespan:
|
||||
description: |-
|
||||
RefreshTokenGrantIdTokenLifespan is the id token lifespan
|
||||
issued on a refresh_token grant.
|
||||
pattern: "[0-9]+(ns|us|ms|s|m|h)"
|
||||
type: string
|
||||
refresh_token_grant_refresh_token_lifespan:
|
||||
description: |-
|
||||
RefreshTokenGrantRefreshTokenLifespan is the refresh token lifespan
|
||||
issued on a refresh_token grant.
|
||||
pattern: "[0-9]+(ns|us|ms|s|m|h)"
|
||||
type: string
|
||||
type: object
|
||||
required:
|
||||
- grantTypes
|
||||
- secretName
|
||||
type: object
|
||||
status:
|
||||
description:
|
||||
OAuth2ClientStatus defines the observed state of OAuth2Client
|
||||
properties:
|
||||
conditions:
|
||||
items:
|
||||
description:
|
||||
OAuth2ClientCondition contains condition information for
|
||||
an OAuth2Client
|
||||
properties:
|
||||
status:
|
||||
enum:
|
||||
- "True"
|
||||
- "False"
|
||||
- Unknown
|
||||
type: string
|
||||
type:
|
||||
type: string
|
||||
required:
|
||||
- status
|
||||
- type
|
||||
type: object
|
||||
type: array
|
||||
observedGeneration:
|
||||
description:
|
||||
ObservedGeneration represents the most recent generation
|
||||
observed by the daemon set controller.
|
||||
format: int64
|
||||
type: integer
|
||||
reconciliationError:
|
||||
description:
|
||||
ReconciliationError represents an error that occurred during
|
||||
the reconciliation process
|
||||
properties:
|
||||
description:
|
||||
description:
|
||||
Description is the description of the reconciliation
|
||||
error
|
||||
type: string
|
||||
statusCode:
|
||||
description:
|
||||
Code is the status code of the reconciliation error
|
||||
type: string
|
||||
type: object
|
||||
type: object
|
||||
type: object
|
||||
served: true
|
||||
storage: true
|
||||
subresources:
|
||||
status: {}
|
||||
type: object
|
||||
type: object
|
||||
type: object
|
||||
served: true
|
||||
storage: true
|
||||
subresources:
|
||||
status: {}
|
||||
|
||||
@ -8,6 +8,6 @@ spec:
|
||||
spec:
|
||||
containers:
|
||||
# Change the value of image field below to your controller image URL
|
||||
- image: controller:latest
|
||||
- image: reg.cadoles.com/wpetit/hydra-maester
|
||||
name: manager
|
||||
imagePullPolicy: IfNotPresent
|
||||
|
||||
@ -4,35 +4,35 @@ kind: ClusterRole
|
||||
metadata:
|
||||
name: manager-role
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- create
|
||||
- delete
|
||||
- get
|
||||
- list
|
||||
- patch
|
||||
- update
|
||||
- watch
|
||||
- apiGroups:
|
||||
- hydra.ory.sh
|
||||
resources:
|
||||
- oauth2clients
|
||||
verbs:
|
||||
- create
|
||||
- delete
|
||||
- get
|
||||
- list
|
||||
- patch
|
||||
- update
|
||||
- watch
|
||||
- apiGroups:
|
||||
- hydra.ory.sh
|
||||
resources:
|
||||
- oauth2clients/status
|
||||
verbs:
|
||||
- get
|
||||
- patch
|
||||
- update
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- create
|
||||
- delete
|
||||
- get
|
||||
- list
|
||||
- patch
|
||||
- update
|
||||
- watch
|
||||
- apiGroups:
|
||||
- hydra.ory.sh
|
||||
resources:
|
||||
- oauth2clients
|
||||
verbs:
|
||||
- create
|
||||
- delete
|
||||
- get
|
||||
- list
|
||||
- patch
|
||||
- update
|
||||
- watch
|
||||
- apiGroups:
|
||||
- hydra.ory.sh
|
||||
resources:
|
||||
- oauth2clients/status
|
||||
verbs:
|
||||
- get
|
||||
- patch
|
||||
- update
|
||||
|
||||
@ -44,6 +44,7 @@ type OAuth2ClientJSON struct {
|
||||
RefreshTokenGrantAccessTokenLifespan string `json:"refresh_token_grant_access_token_lifespan,omitempty"`
|
||||
RefreshTokenGrantIdTokenLifespan string `json:"refresh_token_grant_id_token_lifespan,omitempty"`
|
||||
RefreshTokenGrantRefreshTokenLifespan string `json:"refresh_token_grant_refresh_token_lifespan,omitempty"`
|
||||
UserInfoSignedResponseAlg string `json:"userinfo_signed_response_alg,omitempty"`
|
||||
}
|
||||
|
||||
// Oauth2ClientCredentials represents client ID and password fetched from a
|
||||
@ -104,6 +105,7 @@ func FromOAuth2Client(c *hydrav1alpha1.OAuth2Client) (*OAuth2ClientJSON, error)
|
||||
RefreshTokenGrantAccessTokenLifespan: c.Spec.TokenLifespans.RefreshTokenGrantAccessTokenLifespan,
|
||||
RefreshTokenGrantIdTokenLifespan: c.Spec.TokenLifespans.RefreshTokenGrantIdTokenLifespan,
|
||||
RefreshTokenGrantRefreshTokenLifespan: c.Spec.TokenLifespans.RefreshTokenGrantRefreshTokenLifespan,
|
||||
UserInfoSignedResponseAlg: c.Spec.UserInfoSignedResponseAlg,
|
||||
}, nil
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user