Compare commits
No commits in common. "issue-151" and "master" have entirely different histories.
@ -225,11 +225,6 @@ type OAuth2ClientSpec struct {
|
|||||||
// Indicates if a deleted OAuth2Client custom resource should delete the database row or not.
|
// Indicates if a deleted OAuth2Client custom resource should delete the database row or not.
|
||||||
// Value 1 means deletion of the OAuth2 client, value 2 means keep an orphan oauth2 client.
|
// Value 1 means deletion of the OAuth2 client, value 2 means keep an orphan oauth2 client.
|
||||||
DeletionPolicy OAuth2ClientDeletionPolicy `json:"deletionPolicy,omitempty"`
|
DeletionPolicy OAuth2ClientDeletionPolicy `json:"deletionPolicy,omitempty"`
|
||||||
|
|
||||||
// +kubebuilder:validation:type=string
|
|
||||||
//
|
|
||||||
// UserInfoSignedResponseAlg value specifying the JWS alg algorithm for signing UserInfo Responses
|
|
||||||
UserInfoSignedResponseAlg string `json:"userInfoSignedResponseAlg,omitempty"`
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// GrantType represents an OAuth 2.0 grant type
|
// GrantType represents an OAuth 2.0 grant type
|
||||||
|
|||||||
@ -37,64 +37,75 @@ spec:
|
|||||||
metadata:
|
metadata:
|
||||||
type: object
|
type: object
|
||||||
spec:
|
spec:
|
||||||
description: OAuth2ClientSpec defines the desired state of OAuth2Client
|
description:
|
||||||
|
OAuth2ClientSpec defines the desired state of OAuth2Client
|
||||||
properties:
|
properties:
|
||||||
allowedCorsOrigins:
|
allowedCorsOrigins:
|
||||||
description: AllowedCorsOrigins is an array of allowed CORS origins
|
description:
|
||||||
|
AllowedCorsOrigins is an array of allowed CORS origins
|
||||||
items:
|
items:
|
||||||
description: RedirectURI represents a redirect URI for the client
|
description:
|
||||||
|
RedirectURI represents a redirect URI for the client
|
||||||
pattern: \w+:/?/?[^\s]+
|
pattern: \w+:/?/?[^\s]+
|
||||||
type: string
|
type: string
|
||||||
type: array
|
type: array
|
||||||
audience:
|
audience:
|
||||||
description: Audience is a whitelist defining the audiences this client
|
description:
|
||||||
|
Audience is a whitelist defining the audiences this client
|
||||||
is allowed to request tokens for
|
is allowed to request tokens for
|
||||||
items:
|
items:
|
||||||
type: string
|
type: string
|
||||||
type: array
|
type: array
|
||||||
backChannelLogoutSessionRequired:
|
backChannelLogoutSessionRequired:
|
||||||
default: false
|
default: false
|
||||||
description: BackChannelLogoutSessionRequired Boolean value specifying
|
description:
|
||||||
whether the RP requires that a sid (session ID) Claim be included
|
BackChannelLogoutSessionRequired Boolean value specifying
|
||||||
in the Logout Token to identify the RP session with the OP when
|
whether the RP requires that a sid (session ID) Claim be
|
||||||
the backchannel_logout_uri is used. If omitted, the default value
|
included in the Logout Token to identify the RP session with
|
||||||
is false.
|
the OP when the backchannel_logout_uri is used. If omitted,
|
||||||
|
the default value is false.
|
||||||
type: boolean
|
type: boolean
|
||||||
backChannelLogoutURI:
|
backChannelLogoutURI:
|
||||||
description: BackChannelLogoutURI RP URL that will cause the RP to
|
description:
|
||||||
log itself out when sent a Logout Token by the OP
|
BackChannelLogoutURI RP URL that will cause the RP to log
|
||||||
|
itself out when sent a Logout Token by the OP
|
||||||
pattern: (^$|^https?://.*)
|
pattern: (^$|^https?://.*)
|
||||||
type: string
|
type: string
|
||||||
clientName:
|
clientName:
|
||||||
description: ClientName is the human-readable string name of the client
|
description:
|
||||||
|
ClientName is the human-readable string name of the client
|
||||||
to be presented to the end-user during authorization.
|
to be presented to the end-user during authorization.
|
||||||
type: string
|
type: string
|
||||||
deletionPolicy:
|
deletionPolicy:
|
||||||
description: |-
|
description: |-
|
||||||
Indicates if a deleted OAuth2Client custom resource should delete the database row or not.
|
Indicates if a deleted OAuth2Client custom resource should delete the database row or not.
|
||||||
Value 1 means deletion of the OAuth2 client, value 2 means keep an orphan oauth2 client.
|
Value 0 means deletion of the OAuth2 client, value 1 means keep an orphan oauth2 client.
|
||||||
enum:
|
enum:
|
||||||
|
- 0
|
||||||
- 1
|
- 1
|
||||||
- 2
|
|
||||||
type: integer
|
type: integer
|
||||||
frontChannelLogoutSessionRequired:
|
frontChannelLogoutSessionRequired:
|
||||||
default: false
|
default: false
|
||||||
description: FrontChannelLogoutSessionRequired Boolean value specifying
|
description:
|
||||||
whether the RP requires that iss (issuer) and sid (session ID) query
|
FrontChannelLogoutSessionRequired Boolean value specifying
|
||||||
parameters be included to identify the RP session with the OP when
|
whether the RP requires that iss (issuer) and sid (session
|
||||||
the frontchannel_logout_uri is used
|
ID) query parameters be included to identify the RP session
|
||||||
|
with the OP when the frontchannel_logout_uri is used
|
||||||
type: boolean
|
type: boolean
|
||||||
frontChannelLogoutURI:
|
frontChannelLogoutURI:
|
||||||
description: FrontChannelLogoutURI RP URL that will cause the RP to
|
description:
|
||||||
log itself out when rendered in an iframe by the OP. An iss (issuer)
|
FrontChannelLogoutURI RP URL that will cause the RP to log
|
||||||
query parameter and a sid (session ID) query parameter MAY be included
|
itself out when rendered in an iframe by the OP. An iss
|
||||||
by the OP to enable the RP to validate the request and to determine
|
(issuer) query parameter and a sid (session ID) query
|
||||||
which of the potentially multiple sessions is to be logged out;
|
parameter MAY be included by the OP to enable the RP to
|
||||||
if either is included, both MUST be
|
validate the request and to determine which of the
|
||||||
|
potentially multiple sessions is to be logged out; if either
|
||||||
|
is included, both MUST be
|
||||||
pattern: (^$|^https?://.*)
|
pattern: (^$|^https?://.*)
|
||||||
type: string
|
type: string
|
||||||
grantTypes:
|
grantTypes:
|
||||||
description: GrantTypes is an array of grant types the client is allowed
|
description:
|
||||||
|
GrantTypes is an array of grant types the client is allowed
|
||||||
to use.
|
to use.
|
||||||
items:
|
items:
|
||||||
description: GrantType represents an OAuth 2.0 grant type
|
description: GrantType represents an OAuth 2.0 grant type
|
||||||
@ -144,9 +155,10 @@ spec:
|
|||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
jwksUri:
|
jwksUri:
|
||||||
description: JwksUri Define the URL where the JSON Web Key Set should
|
description:
|
||||||
be fetched from when performing the private_key_jwt client authentication
|
JwksUri Define the URL where the JSON Web Key Set should be
|
||||||
method.
|
fetched from when performing the private_key_jwt client
|
||||||
|
authentication method.
|
||||||
pattern: (^$|^https?://.*)
|
pattern: (^$|^https?://.*)
|
||||||
type: string
|
type: string
|
||||||
metadata:
|
metadata:
|
||||||
@ -155,18 +167,22 @@ spec:
|
|||||||
type: object
|
type: object
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
postLogoutRedirectUris:
|
postLogoutRedirectUris:
|
||||||
description: PostLogoutRedirectURIs is an array of the post logout
|
description:
|
||||||
|
PostLogoutRedirectURIs is an array of the post logout
|
||||||
redirect URIs allowed for the application
|
redirect URIs allowed for the application
|
||||||
items:
|
items:
|
||||||
description: RedirectURI represents a redirect URI for the client
|
description:
|
||||||
|
RedirectURI represents a redirect URI for the client
|
||||||
pattern: \w+:/?/?[^\s]+
|
pattern: \w+:/?/?[^\s]+
|
||||||
type: string
|
type: string
|
||||||
type: array
|
type: array
|
||||||
redirectUris:
|
redirectUris:
|
||||||
description: RedirectURIs is an array of the redirect URIs allowed
|
description:
|
||||||
for the application
|
RedirectURIs is an array of the redirect URIs allowed for
|
||||||
|
the application
|
||||||
items:
|
items:
|
||||||
description: RedirectURI represents a redirect URI for the client
|
description:
|
||||||
|
RedirectURI represents a redirect URI for the client
|
||||||
pattern: \w+:/?/?[^\s]+
|
pattern: \w+:/?/?[^\s]+
|
||||||
type: string
|
type: string
|
||||||
type: array
|
type: array
|
||||||
@ -175,8 +191,8 @@ spec:
|
|||||||
ResponseTypes is an array of the OAuth 2.0 response type strings that the client can
|
ResponseTypes is an array of the OAuth 2.0 response type strings that the client can
|
||||||
use at the authorization endpoint.
|
use at the authorization endpoint.
|
||||||
items:
|
items:
|
||||||
description: ResponseType represents an OAuth 2.0 response type
|
description:
|
||||||
strings
|
ResponseType represents an OAuth 2.0 response type strings
|
||||||
enum:
|
enum:
|
||||||
- id_token
|
- id_token
|
||||||
- code
|
- code
|
||||||
@ -205,7 +221,8 @@ spec:
|
|||||||
type: string
|
type: string
|
||||||
type: array
|
type: array
|
||||||
secretName:
|
secretName:
|
||||||
description: SecretName points to the K8s secret that contains this
|
description:
|
||||||
|
SecretName points to the K8s secret that contains this
|
||||||
client's ID and password
|
client's ID and password
|
||||||
maxLength: 253
|
maxLength: 253
|
||||||
minLength: 1
|
minLength: 1
|
||||||
@ -213,7 +230,8 @@ spec:
|
|||||||
type: string
|
type: string
|
||||||
skipConsent:
|
skipConsent:
|
||||||
default: false
|
default: false
|
||||||
description: SkipConsent skips the consent screen for this client.
|
description:
|
||||||
|
SkipConsent skips the consent screen for this client.
|
||||||
type: boolean
|
type: boolean
|
||||||
tokenEndpointAuthMethod:
|
tokenEndpointAuthMethod:
|
||||||
allOf:
|
allOf:
|
||||||
@ -227,8 +245,9 @@ spec:
|
|||||||
- client_secret_post
|
- client_secret_post
|
||||||
- private_key_jwt
|
- private_key_jwt
|
||||||
- none
|
- none
|
||||||
description: Indication which authentication method should be used
|
description:
|
||||||
for the token endpoint
|
Indication which authentication method should be used for
|
||||||
|
the token endpoint
|
||||||
type: string
|
type: string
|
||||||
tokenLifespans:
|
tokenLifespans:
|
||||||
description: |-
|
description: |-
|
||||||
@ -239,78 +258,76 @@ spec:
|
|||||||
description: |-
|
description: |-
|
||||||
AuthorizationCodeGrantAccessTokenLifespan is the access token lifespan
|
AuthorizationCodeGrantAccessTokenLifespan is the access token lifespan
|
||||||
issued on an authorization_code grant.
|
issued on an authorization_code grant.
|
||||||
pattern: '[0-9]+(ns|us|ms|s|m|h)'
|
pattern: "[0-9]+(ns|us|ms|s|m|h)"
|
||||||
type: string
|
type: string
|
||||||
authorization_code_grant_id_token_lifespan:
|
authorization_code_grant_id_token_lifespan:
|
||||||
description: |-
|
description: |-
|
||||||
AuthorizationCodeGrantIdTokenLifespan is the id token lifespan
|
AuthorizationCodeGrantIdTokenLifespan is the id token lifespan
|
||||||
issued on an authorization_code grant.
|
issued on an authorization_code grant.
|
||||||
pattern: '[0-9]+(ns|us|ms|s|m|h)'
|
pattern: "[0-9]+(ns|us|ms|s|m|h)"
|
||||||
type: string
|
type: string
|
||||||
authorization_code_grant_refresh_token_lifespan:
|
authorization_code_grant_refresh_token_lifespan:
|
||||||
description: |-
|
description: |-
|
||||||
AuthorizationCodeGrantRefreshTokenLifespan is the refresh token lifespan
|
AuthorizationCodeGrantRefreshTokenLifespan is the refresh token lifespan
|
||||||
issued on an authorization_code grant.
|
issued on an authorization_code grant.
|
||||||
pattern: '[0-9]+(ns|us|ms|s|m|h)'
|
pattern: "[0-9]+(ns|us|ms|s|m|h)"
|
||||||
type: string
|
type: string
|
||||||
client_credentials_grant_access_token_lifespan:
|
client_credentials_grant_access_token_lifespan:
|
||||||
description: |-
|
description: |-
|
||||||
AuthorizationCodeGrantRefreshTokenLifespan is the access token lifespan
|
AuthorizationCodeGrantRefreshTokenLifespan is the access token lifespan
|
||||||
issued on a client_credentials grant.
|
issued on a client_credentials grant.
|
||||||
pattern: '[0-9]+(ns|us|ms|s|m|h)'
|
pattern: "[0-9]+(ns|us|ms|s|m|h)"
|
||||||
type: string
|
type: string
|
||||||
implicit_grant_access_token_lifespan:
|
implicit_grant_access_token_lifespan:
|
||||||
description: |-
|
description: |-
|
||||||
ImplicitGrantAccessTokenLifespan is the access token lifespan
|
ImplicitGrantAccessTokenLifespan is the access token lifespan
|
||||||
issued on an implicit grant.
|
issued on an implicit grant.
|
||||||
pattern: '[0-9]+(ns|us|ms|s|m|h)'
|
pattern: "[0-9]+(ns|us|ms|s|m|h)"
|
||||||
type: string
|
type: string
|
||||||
implicit_grant_id_token_lifespan:
|
implicit_grant_id_token_lifespan:
|
||||||
description: |-
|
description: |-
|
||||||
ImplicitGrantIdTokenLifespan is the id token lifespan
|
ImplicitGrantIdTokenLifespan is the id token lifespan
|
||||||
issued on an implicit grant.
|
issued on an implicit grant.
|
||||||
pattern: '[0-9]+(ns|us|ms|s|m|h)'
|
pattern: "[0-9]+(ns|us|ms|s|m|h)"
|
||||||
type: string
|
type: string
|
||||||
jwt_bearer_grant_access_token_lifespan:
|
jwt_bearer_grant_access_token_lifespan:
|
||||||
description: |-
|
description: |-
|
||||||
JwtBearerGrantAccessTokenLifespan is the access token lifespan
|
JwtBearerGrantAccessTokenLifespan is the access token lifespan
|
||||||
issued on a jwt_bearer grant.
|
issued on a jwt_bearer grant.
|
||||||
pattern: '[0-9]+(ns|us|ms|s|m|h)'
|
pattern: "[0-9]+(ns|us|ms|s|m|h)"
|
||||||
type: string
|
type: string
|
||||||
refresh_token_grant_access_token_lifespan:
|
refresh_token_grant_access_token_lifespan:
|
||||||
description: |-
|
description: |-
|
||||||
RefreshTokenGrantAccessTokenLifespan is the access token lifespan
|
RefreshTokenGrantAccessTokenLifespan is the access token lifespan
|
||||||
issued on a refresh_token grant.
|
issued on a refresh_token grant.
|
||||||
pattern: '[0-9]+(ns|us|ms|s|m|h)'
|
pattern: "[0-9]+(ns|us|ms|s|m|h)"
|
||||||
type: string
|
type: string
|
||||||
refresh_token_grant_id_token_lifespan:
|
refresh_token_grant_id_token_lifespan:
|
||||||
description: |-
|
description: |-
|
||||||
RefreshTokenGrantIdTokenLifespan is the id token lifespan
|
RefreshTokenGrantIdTokenLifespan is the id token lifespan
|
||||||
issued on a refresh_token grant.
|
issued on a refresh_token grant.
|
||||||
pattern: '[0-9]+(ns|us|ms|s|m|h)'
|
pattern: "[0-9]+(ns|us|ms|s|m|h)"
|
||||||
type: string
|
type: string
|
||||||
refresh_token_grant_refresh_token_lifespan:
|
refresh_token_grant_refresh_token_lifespan:
|
||||||
description: |-
|
description: |-
|
||||||
RefreshTokenGrantRefreshTokenLifespan is the refresh token lifespan
|
RefreshTokenGrantRefreshTokenLifespan is the refresh token lifespan
|
||||||
issued on a refresh_token grant.
|
issued on a refresh_token grant.
|
||||||
pattern: '[0-9]+(ns|us|ms|s|m|h)'
|
pattern: "[0-9]+(ns|us|ms|s|m|h)"
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
userInfoSignedResponseAlg:
|
|
||||||
description: UserInfoSignedResponseAlg value specifying the JWS alg
|
|
||||||
algorithm for signing UserInfo Responses
|
|
||||||
type: string
|
|
||||||
required:
|
required:
|
||||||
- grantTypes
|
- grantTypes
|
||||||
- secretName
|
- secretName
|
||||||
type: object
|
type: object
|
||||||
status:
|
status:
|
||||||
description: OAuth2ClientStatus defines the observed state of OAuth2Client
|
description:
|
||||||
|
OAuth2ClientStatus defines the observed state of OAuth2Client
|
||||||
properties:
|
properties:
|
||||||
conditions:
|
conditions:
|
||||||
items:
|
items:
|
||||||
description: OAuth2ClientCondition contains condition information
|
description:
|
||||||
for an OAuth2Client
|
OAuth2ClientCondition contains condition information for
|
||||||
|
an OAuth2Client
|
||||||
properties:
|
properties:
|
||||||
status:
|
status:
|
||||||
enum:
|
enum:
|
||||||
@ -326,20 +343,24 @@ spec:
|
|||||||
type: object
|
type: object
|
||||||
type: array
|
type: array
|
||||||
observedGeneration:
|
observedGeneration:
|
||||||
description: ObservedGeneration represents the most recent generation
|
description:
|
||||||
|
ObservedGeneration represents the most recent generation
|
||||||
observed by the daemon set controller.
|
observed by the daemon set controller.
|
||||||
format: int64
|
format: int64
|
||||||
type: integer
|
type: integer
|
||||||
reconciliationError:
|
reconciliationError:
|
||||||
description: ReconciliationError represents an error that occurred
|
description:
|
||||||
during the reconciliation process
|
ReconciliationError represents an error that occurred during
|
||||||
|
the reconciliation process
|
||||||
properties:
|
properties:
|
||||||
description:
|
description:
|
||||||
description: Description is the description of the reconciliation
|
description:
|
||||||
|
Description is the description of the reconciliation
|
||||||
error
|
error
|
||||||
type: string
|
type: string
|
||||||
statusCode:
|
statusCode:
|
||||||
description: Code is the status code of the reconciliation error
|
description:
|
||||||
|
Code is the status code of the reconciliation error
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
type: object
|
type: object
|
||||||
|
|||||||
@ -8,6 +8,6 @@ spec:
|
|||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
# Change the value of image field below to your controller image URL
|
# Change the value of image field below to your controller image URL
|
||||||
- image: reg.cadoles.com/wpetit/hydra-maester
|
- image: controller:latest
|
||||||
name: manager
|
name: manager
|
||||||
imagePullPolicy: IfNotPresent
|
imagePullPolicy: IfNotPresent
|
||||||
|
|||||||
@ -4,7 +4,7 @@ kind: ClusterRole
|
|||||||
metadata:
|
metadata:
|
||||||
name: manager-role
|
name: manager-role
|
||||||
rules:
|
rules:
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
- ""
|
- ""
|
||||||
resources:
|
resources:
|
||||||
- secrets
|
- secrets
|
||||||
@ -16,7 +16,7 @@ rules:
|
|||||||
- patch
|
- patch
|
||||||
- update
|
- update
|
||||||
- watch
|
- watch
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
- hydra.ory.sh
|
- hydra.ory.sh
|
||||||
resources:
|
resources:
|
||||||
- oauth2clients
|
- oauth2clients
|
||||||
@ -28,7 +28,7 @@ rules:
|
|||||||
- patch
|
- patch
|
||||||
- update
|
- update
|
||||||
- watch
|
- watch
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
- hydra.ory.sh
|
- hydra.ory.sh
|
||||||
resources:
|
resources:
|
||||||
- oauth2clients/status
|
- oauth2clients/status
|
||||||
|
|||||||
@ -44,7 +44,6 @@ type OAuth2ClientJSON struct {
|
|||||||
RefreshTokenGrantAccessTokenLifespan string `json:"refresh_token_grant_access_token_lifespan,omitempty"`
|
RefreshTokenGrantAccessTokenLifespan string `json:"refresh_token_grant_access_token_lifespan,omitempty"`
|
||||||
RefreshTokenGrantIdTokenLifespan string `json:"refresh_token_grant_id_token_lifespan,omitempty"`
|
RefreshTokenGrantIdTokenLifespan string `json:"refresh_token_grant_id_token_lifespan,omitempty"`
|
||||||
RefreshTokenGrantRefreshTokenLifespan string `json:"refresh_token_grant_refresh_token_lifespan,omitempty"`
|
RefreshTokenGrantRefreshTokenLifespan string `json:"refresh_token_grant_refresh_token_lifespan,omitempty"`
|
||||||
UserInfoSignedResponseAlg string `json:"userinfo_signed_response_alg,omitempty"`
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Oauth2ClientCredentials represents client ID and password fetched from a
|
// Oauth2ClientCredentials represents client ID and password fetched from a
|
||||||
@ -105,7 +104,6 @@ func FromOAuth2Client(c *hydrav1alpha1.OAuth2Client) (*OAuth2ClientJSON, error)
|
|||||||
RefreshTokenGrantAccessTokenLifespan: c.Spec.TokenLifespans.RefreshTokenGrantAccessTokenLifespan,
|
RefreshTokenGrantAccessTokenLifespan: c.Spec.TokenLifespans.RefreshTokenGrantAccessTokenLifespan,
|
||||||
RefreshTokenGrantIdTokenLifespan: c.Spec.TokenLifespans.RefreshTokenGrantIdTokenLifespan,
|
RefreshTokenGrantIdTokenLifespan: c.Spec.TokenLifespans.RefreshTokenGrantIdTokenLifespan,
|
||||||
RefreshTokenGrantRefreshTokenLifespan: c.Spec.TokenLifespans.RefreshTokenGrantRefreshTokenLifespan,
|
RefreshTokenGrantRefreshTokenLifespan: c.Spec.TokenLifespans.RefreshTokenGrantRefreshTokenLifespan,
|
||||||
UserInfoSignedResponseAlg: c.Spec.UserInfoSignedResponseAlg,
|
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user