From 1ed6229e78754232c80a7515a294636bb73f08dc Mon Sep 17 00:00:00 2001 From: William Petit Date: Fri, 7 Mar 2025 15:09:16 +0100 Subject: [PATCH] feat: add 'UserinfoSignedResponseAlg' attribute to hydra.ory.sh_oauth2clients CRD --- api/v1alpha1/oauth2client_types.go | 5 + .../crd/bases/hydra.ory.sh_oauth2clients.yaml | 665 +++++++++--------- config/default/manager_image_patch.yaml | 2 +- config/rbac/role.yaml | 64 +- hydra/types.go | 2 + 5 files changed, 362 insertions(+), 376 deletions(-) diff --git a/api/v1alpha1/oauth2client_types.go b/api/v1alpha1/oauth2client_types.go index 720d6f3..4c75760 100644 --- a/api/v1alpha1/oauth2client_types.go +++ b/api/v1alpha1/oauth2client_types.go @@ -225,6 +225,11 @@ type OAuth2ClientSpec struct { // Indicates if a deleted OAuth2Client custom resource should delete the database row or not. // Value 1 means deletion of the OAuth2 client, value 2 means keep an orphan oauth2 client. DeletionPolicy OAuth2ClientDeletionPolicy `json:"deletionPolicy,omitempty"` + + // +kubebuilder:validation:type=string + // + // UserInfoSignedResponseAlg value specifying the JWS alg algorithm for signing UserInfo Responses + UserInfoSignedResponseAlg string `json:"userInfoSignedResponseAlg,omitempty"` } // GrantType represents an OAuth 2.0 grant type diff --git a/config/crd/bases/hydra.ory.sh_oauth2clients.yaml b/config/crd/bases/hydra.ory.sh_oauth2clients.yaml index 1d29392..54fe2df 100644 --- a/config/crd/bases/hydra.ory.sh_oauth2clients.yaml +++ b/config/crd/bases/hydra.ory.sh_oauth2clients.yaml @@ -14,358 +14,337 @@ spec: singular: oauth2client scope: Namespaced versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: OAuth2Client is the Schema for the oauth2clients API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: - OAuth2ClientSpec defines the desired state of OAuth2Client - properties: - allowedCorsOrigins: - description: - AllowedCorsOrigins is an array of allowed CORS origins - items: - description: - RedirectURI represents a redirect URI for the client - pattern: \w+:/?/?[^\s]+ - type: string - type: array - audience: - description: - Audience is a whitelist defining the audiences this client - is allowed to request tokens for - items: - type: string - type: array - backChannelLogoutSessionRequired: - default: false - description: - BackChannelLogoutSessionRequired Boolean value specifying - whether the RP requires that a sid (session ID) Claim be - included in the Logout Token to identify the RP session with - the OP when the backchannel_logout_uri is used. If omitted, - the default value is false. - type: boolean - backChannelLogoutURI: - description: - BackChannelLogoutURI RP URL that will cause the RP to log - itself out when sent a Logout Token by the OP - pattern: (^$|^https?://.*) + - name: v1alpha1 + schema: + openAPIV3Schema: + description: OAuth2Client is the Schema for the oauth2clients API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: OAuth2ClientSpec defines the desired state of OAuth2Client + properties: + allowedCorsOrigins: + description: AllowedCorsOrigins is an array of allowed CORS origins + items: + description: RedirectURI represents a redirect URI for the client + pattern: \w+:/?/?[^\s]+ type: string - clientName: - description: - ClientName is the human-readable string name of the client - to be presented to the end-user during authorization. + type: array + audience: + description: Audience is a whitelist defining the audiences this client + is allowed to request tokens for + items: type: string - deletionPolicy: - description: |- - Indicates if a deleted OAuth2Client custom resource should delete the database row or not. - Value 0 means deletion of the OAuth2 client, value 1 means keep an orphan oauth2 client. + type: array + backChannelLogoutSessionRequired: + default: false + description: BackChannelLogoutSessionRequired Boolean value specifying + whether the RP requires that a sid (session ID) Claim be included + in the Logout Token to identify the RP session with the OP when + the backchannel_logout_uri is used. If omitted, the default value + is false. + type: boolean + backChannelLogoutURI: + description: BackChannelLogoutURI RP URL that will cause the RP to + log itself out when sent a Logout Token by the OP + pattern: (^$|^https?://.*) + type: string + clientName: + description: ClientName is the human-readable string name of the client + to be presented to the end-user during authorization. + type: string + deletionPolicy: + description: |- + Indicates if a deleted OAuth2Client custom resource should delete the database row or not. + Value 1 means deletion of the OAuth2 client, value 2 means keep an orphan oauth2 client. + enum: + - 1 + - 2 + type: integer + frontChannelLogoutSessionRequired: + default: false + description: FrontChannelLogoutSessionRequired Boolean value specifying + whether the RP requires that iss (issuer) and sid (session ID) query + parameters be included to identify the RP session with the OP when + the frontchannel_logout_uri is used + type: boolean + frontChannelLogoutURI: + description: FrontChannelLogoutURI RP URL that will cause the RP to + log itself out when rendered in an iframe by the OP. An iss (issuer) + query parameter and a sid (session ID) query parameter MAY be included + by the OP to enable the RP to validate the request and to determine + which of the potentially multiple sessions is to be logged out; + if either is included, both MUST be + pattern: (^$|^https?://.*) + type: string + grantTypes: + description: GrantTypes is an array of grant types the client is allowed + to use. + items: + description: GrantType represents an OAuth 2.0 grant type enum: - - 0 - - 1 - type: integer - frontChannelLogoutSessionRequired: - default: false - description: - FrontChannelLogoutSessionRequired Boolean value specifying - whether the RP requires that iss (issuer) and sid (session - ID) query parameters be included to identify the RP session - with the OP when the frontchannel_logout_uri is used - type: boolean - frontChannelLogoutURI: - description: - FrontChannelLogoutURI RP URL that will cause the RP to log - itself out when rendered in an iframe by the OP. An iss - (issuer) query parameter and a sid (session ID) query - parameter MAY be included by the OP to enable the RP to - validate the request and to determine which of the - potentially multiple sessions is to be logged out; if either - is included, both MUST be - pattern: (^$|^https?://.*) + - client_credentials + - authorization_code + - implicit + - refresh_token type: string - grantTypes: - description: - GrantTypes is an array of grant types the client is allowed - to use. - items: - description: GrantType represents an OAuth 2.0 grant type - enum: - - client_credentials - - authorization_code - - implicit - - refresh_token + maxItems: 4 + minItems: 1 + type: array + hydraAdmin: + description: |- + HydraAdmin is the optional configuration to use for managing + this client + properties: + endpoint: + description: |- + Endpoint is the endpoint for the hydra instance on which + to set up the client. This value will override the value + provided to `--endpoint` (defaults to `"/clients"` in the + application) + pattern: (^$|^/.*) type: string - maxItems: 4 - minItems: 1 - type: array - hydraAdmin: - description: |- - HydraAdmin is the optional configuration to use for managing - this client + forwardedProto: + description: |- + ForwardedProto overrides the `--forwarded-proto` flag. The + value "off" will force this to be off even if + `--forwarded-proto` is specified + pattern: (^$|https?|off) + type: string + port: + description: |- + Port is the port for the hydra instance on + which to set up the client. This value will override the value + provided to `--hydra-port` + maximum: 65535 + type: integer + url: + description: |- + URL is the URL for the hydra instance on + which to set up the client. This value will override the value + provided to `--hydra-url` + maxLength: 64 + pattern: (^$|^https?://.*) + type: string + type: object + jwksUri: + description: JwksUri Define the URL where the JSON Web Key Set should + be fetched from when performing the private_key_jwt client authentication + method. + pattern: (^$|^https?://.*) + type: string + metadata: + description: Metadata is arbitrary data + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + postLogoutRedirectUris: + description: PostLogoutRedirectURIs is an array of the post logout + redirect URIs allowed for the application + items: + description: RedirectURI represents a redirect URI for the client + pattern: \w+:/?/?[^\s]+ + type: string + type: array + redirectUris: + description: RedirectURIs is an array of the redirect URIs allowed + for the application + items: + description: RedirectURI represents a redirect URI for the client + pattern: \w+:/?/?[^\s]+ + type: string + type: array + responseTypes: + description: |- + ResponseTypes is an array of the OAuth 2.0 response type strings that the client can + use at the authorization endpoint. + items: + description: ResponseType represents an OAuth 2.0 response type + strings + enum: + - id_token + - code + - token + - code token + - code id_token + - id_token token + - code id_token token + type: string + maxItems: 3 + minItems: 1 + type: array + scope: + description: |- + Scope is a string containing a space-separated list of scope values (as + described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client + can use when requesting access tokens. + Use scopeArray instead. + pattern: ([a-zA-Z0-9\.\*]+\s?)* + type: string + scopeArray: + description: |- + Scope is an array of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749]) + that the client can use when requesting access tokens. + items: + type: string + type: array + secretName: + description: SecretName points to the K8s secret that contains this + client's ID and password + maxLength: 253 + minLength: 1 + pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*' + type: string + skipConsent: + default: false + description: SkipConsent skips the consent screen for this client. + type: boolean + tokenEndpointAuthMethod: + allOf: + - enum: + - client_secret_basic + - client_secret_post + - private_key_jwt + - none + - enum: + - client_secret_basic + - client_secret_post + - private_key_jwt + - none + description: Indication which authentication method should be used + for the token endpoint + type: string + tokenLifespans: + description: |- + TokenLifespans is the configuration to use for managing different token lifespans + depending on the used grant type. + properties: + authorization_code_grant_access_token_lifespan: + description: |- + AuthorizationCodeGrantAccessTokenLifespan is the access token lifespan + issued on an authorization_code grant. + pattern: '[0-9]+(ns|us|ms|s|m|h)' + type: string + authorization_code_grant_id_token_lifespan: + description: |- + AuthorizationCodeGrantIdTokenLifespan is the id token lifespan + issued on an authorization_code grant. + pattern: '[0-9]+(ns|us|ms|s|m|h)' + type: string + authorization_code_grant_refresh_token_lifespan: + description: |- + AuthorizationCodeGrantRefreshTokenLifespan is the refresh token lifespan + issued on an authorization_code grant. + pattern: '[0-9]+(ns|us|ms|s|m|h)' + type: string + client_credentials_grant_access_token_lifespan: + description: |- + AuthorizationCodeGrantRefreshTokenLifespan is the access token lifespan + issued on a client_credentials grant. + pattern: '[0-9]+(ns|us|ms|s|m|h)' + type: string + implicit_grant_access_token_lifespan: + description: |- + ImplicitGrantAccessTokenLifespan is the access token lifespan + issued on an implicit grant. + pattern: '[0-9]+(ns|us|ms|s|m|h)' + type: string + implicit_grant_id_token_lifespan: + description: |- + ImplicitGrantIdTokenLifespan is the id token lifespan + issued on an implicit grant. + pattern: '[0-9]+(ns|us|ms|s|m|h)' + type: string + jwt_bearer_grant_access_token_lifespan: + description: |- + JwtBearerGrantAccessTokenLifespan is the access token lifespan + issued on a jwt_bearer grant. + pattern: '[0-9]+(ns|us|ms|s|m|h)' + type: string + refresh_token_grant_access_token_lifespan: + description: |- + RefreshTokenGrantAccessTokenLifespan is the access token lifespan + issued on a refresh_token grant. + pattern: '[0-9]+(ns|us|ms|s|m|h)' + type: string + refresh_token_grant_id_token_lifespan: + description: |- + RefreshTokenGrantIdTokenLifespan is the id token lifespan + issued on a refresh_token grant. + pattern: '[0-9]+(ns|us|ms|s|m|h)' + type: string + refresh_token_grant_refresh_token_lifespan: + description: |- + RefreshTokenGrantRefreshTokenLifespan is the refresh token lifespan + issued on a refresh_token grant. + pattern: '[0-9]+(ns|us|ms|s|m|h)' + type: string + type: object + userInfoSignedResponseAlg: + description: UserInfoSignedResponseAlg value specifying the JWS alg + algorithm for signing UserInfo Responses + type: string + required: + - grantTypes + - secretName + type: object + status: + description: OAuth2ClientStatus defines the observed state of OAuth2Client + properties: + conditions: + items: + description: OAuth2ClientCondition contains condition information + for an OAuth2Client properties: - endpoint: - description: |- - Endpoint is the endpoint for the hydra instance on which - to set up the client. This value will override the value - provided to `--endpoint` (defaults to `"/clients"` in the - application) - pattern: (^$|^/.*) + status: + enum: + - "True" + - "False" + - Unknown type: string - forwardedProto: - description: |- - ForwardedProto overrides the `--forwarded-proto` flag. The - value "off" will force this to be off even if - `--forwarded-proto` is specified - pattern: (^$|https?|off) - type: string - port: - description: |- - Port is the port for the hydra instance on - which to set up the client. This value will override the value - provided to `--hydra-port` - maximum: 65535 - type: integer - url: - description: |- - URL is the URL for the hydra instance on - which to set up the client. This value will override the value - provided to `--hydra-url` - maxLength: 64 - pattern: (^$|^https?://.*) + type: type: string + required: + - status + - type type: object - jwksUri: + type: array + observedGeneration: + description: ObservedGeneration represents the most recent generation + observed by the daemon set controller. + format: int64 + type: integer + reconciliationError: + description: ReconciliationError represents an error that occurred + during the reconciliation process + properties: description: - JwksUri Define the URL where the JSON Web Key Set should be - fetched from when performing the private_key_jwt client - authentication method. - pattern: (^$|^https?://.*) - type: string - metadata: - description: Metadata is arbitrary data - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - postLogoutRedirectUris: - description: - PostLogoutRedirectURIs is an array of the post logout - redirect URIs allowed for the application - items: - description: - RedirectURI represents a redirect URI for the client - pattern: \w+:/?/?[^\s]+ + description: Description is the description of the reconciliation + error type: string - type: array - redirectUris: - description: - RedirectURIs is an array of the redirect URIs allowed for - the application - items: - description: - RedirectURI represents a redirect URI for the client - pattern: \w+:/?/?[^\s]+ + statusCode: + description: Code is the status code of the reconciliation error type: string - type: array - responseTypes: - description: |- - ResponseTypes is an array of the OAuth 2.0 response type strings that the client can - use at the authorization endpoint. - items: - description: - ResponseType represents an OAuth 2.0 response type strings - enum: - - id_token - - code - - token - - code token - - code id_token - - id_token token - - code id_token token - type: string - maxItems: 3 - minItems: 1 - type: array - scope: - description: |- - Scope is a string containing a space-separated list of scope values (as - described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client - can use when requesting access tokens. - Use scopeArray instead. - pattern: ([a-zA-Z0-9\.\*]+\s?)* - type: string - scopeArray: - description: |- - Scope is an array of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749]) - that the client can use when requesting access tokens. - items: - type: string - type: array - secretName: - description: - SecretName points to the K8s secret that contains this - client's ID and password - maxLength: 253 - minLength: 1 - pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*' - type: string - skipConsent: - default: false - description: - SkipConsent skips the consent screen for this client. - type: boolean - tokenEndpointAuthMethod: - allOf: - - enum: - - client_secret_basic - - client_secret_post - - private_key_jwt - - none - - enum: - - client_secret_basic - - client_secret_post - - private_key_jwt - - none - description: - Indication which authentication method should be used for - the token endpoint - type: string - tokenLifespans: - description: |- - TokenLifespans is the configuration to use for managing different token lifespans - depending on the used grant type. - properties: - authorization_code_grant_access_token_lifespan: - description: |- - AuthorizationCodeGrantAccessTokenLifespan is the access token lifespan - issued on an authorization_code grant. - pattern: "[0-9]+(ns|us|ms|s|m|h)" - type: string - authorization_code_grant_id_token_lifespan: - description: |- - AuthorizationCodeGrantIdTokenLifespan is the id token lifespan - issued on an authorization_code grant. - pattern: "[0-9]+(ns|us|ms|s|m|h)" - type: string - authorization_code_grant_refresh_token_lifespan: - description: |- - AuthorizationCodeGrantRefreshTokenLifespan is the refresh token lifespan - issued on an authorization_code grant. - pattern: "[0-9]+(ns|us|ms|s|m|h)" - type: string - client_credentials_grant_access_token_lifespan: - description: |- - AuthorizationCodeGrantRefreshTokenLifespan is the access token lifespan - issued on a client_credentials grant. - pattern: "[0-9]+(ns|us|ms|s|m|h)" - type: string - implicit_grant_access_token_lifespan: - description: |- - ImplicitGrantAccessTokenLifespan is the access token lifespan - issued on an implicit grant. - pattern: "[0-9]+(ns|us|ms|s|m|h)" - type: string - implicit_grant_id_token_lifespan: - description: |- - ImplicitGrantIdTokenLifespan is the id token lifespan - issued on an implicit grant. - pattern: "[0-9]+(ns|us|ms|s|m|h)" - type: string - jwt_bearer_grant_access_token_lifespan: - description: |- - JwtBearerGrantAccessTokenLifespan is the access token lifespan - issued on a jwt_bearer grant. - pattern: "[0-9]+(ns|us|ms|s|m|h)" - type: string - refresh_token_grant_access_token_lifespan: - description: |- - RefreshTokenGrantAccessTokenLifespan is the access token lifespan - issued on a refresh_token grant. - pattern: "[0-9]+(ns|us|ms|s|m|h)" - type: string - refresh_token_grant_id_token_lifespan: - description: |- - RefreshTokenGrantIdTokenLifespan is the id token lifespan - issued on a refresh_token grant. - pattern: "[0-9]+(ns|us|ms|s|m|h)" - type: string - refresh_token_grant_refresh_token_lifespan: - description: |- - RefreshTokenGrantRefreshTokenLifespan is the refresh token lifespan - issued on a refresh_token grant. - pattern: "[0-9]+(ns|us|ms|s|m|h)" - type: string - type: object - required: - - grantTypes - - secretName - type: object - status: - description: - OAuth2ClientStatus defines the observed state of OAuth2Client - properties: - conditions: - items: - description: - OAuth2ClientCondition contains condition information for - an OAuth2Client - properties: - status: - enum: - - "True" - - "False" - - Unknown - type: string - type: - type: string - required: - - status - - type - type: object - type: array - observedGeneration: - description: - ObservedGeneration represents the most recent generation - observed by the daemon set controller. - format: int64 - type: integer - reconciliationError: - description: - ReconciliationError represents an error that occurred during - the reconciliation process - properties: - description: - description: - Description is the description of the reconciliation - error - type: string - statusCode: - description: - Code is the status code of the reconciliation error - type: string - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/config/default/manager_image_patch.yaml b/config/default/manager_image_patch.yaml index 8bd5ca7..c7a30f0 100644 --- a/config/default/manager_image_patch.yaml +++ b/config/default/manager_image_patch.yaml @@ -8,6 +8,6 @@ spec: spec: containers: # Change the value of image field below to your controller image URL - - image: controller:latest + - image: reg.cadoles.com/wpetit/hydra-maester name: manager imagePullPolicy: IfNotPresent diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index def103e..08b823d 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -4,35 +4,35 @@ kind: ClusterRole metadata: name: manager-role rules: - - apiGroups: - - "" - resources: - - secrets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - hydra.ory.sh - resources: - - oauth2clients - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - hydra.ory.sh - resources: - - oauth2clients/status - verbs: - - get - - patch - - update +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - hydra.ory.sh + resources: + - oauth2clients + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - hydra.ory.sh + resources: + - oauth2clients/status + verbs: + - get + - patch + - update diff --git a/hydra/types.go b/hydra/types.go index f8aa5ef..64bb832 100644 --- a/hydra/types.go +++ b/hydra/types.go @@ -44,6 +44,7 @@ type OAuth2ClientJSON struct { RefreshTokenGrantAccessTokenLifespan string `json:"refresh_token_grant_access_token_lifespan,omitempty"` RefreshTokenGrantIdTokenLifespan string `json:"refresh_token_grant_id_token_lifespan,omitempty"` RefreshTokenGrantRefreshTokenLifespan string `json:"refresh_token_grant_refresh_token_lifespan,omitempty"` + UserInfoSignedResponseAlg string `json:"userinfo_signed_response_alg,omitempty"` } // Oauth2ClientCredentials represents client ID and password fetched from a @@ -104,6 +105,7 @@ func FromOAuth2Client(c *hydrav1alpha1.OAuth2Client) (*OAuth2ClientJSON, error) RefreshTokenGrantAccessTokenLifespan: c.Spec.TokenLifespans.RefreshTokenGrantAccessTokenLifespan, RefreshTokenGrantIdTokenLifespan: c.Spec.TokenLifespans.RefreshTokenGrantIdTokenLifespan, RefreshTokenGrantRefreshTokenLifespan: c.Spec.TokenLifespans.RefreshTokenGrantRefreshTokenLifespan, + UserInfoSignedResponseAlg: c.Spec.UserInfoSignedResponseAlg, }, nil } -- 2.17.1