--- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.15.0 name: oauth2clients.hydra.ory.sh spec: group: hydra.ory.sh names: kind: OAuth2Client listKind: OAuth2ClientList plural: oauth2clients singular: oauth2client scope: Namespaced versions: - name: v1alpha1 schema: openAPIV3Schema: description: OAuth2Client is the Schema for the oauth2clients API properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: description: OAuth2ClientSpec defines the desired state of OAuth2Client properties: allowedCorsOrigins: description: AllowedCorsOrigins is an array of allowed CORS origins items: description: RedirectURI represents a redirect URI for the client pattern: \w+:/?/?[^\s]+ type: string type: array audience: description: Audience is a whitelist defining the audiences this client is allowed to request tokens for items: type: string type: array backChannelLogoutSessionRequired: default: false description: BackChannelLogoutSessionRequired Boolean value specifying whether the RP requires that a sid (session ID) Claim be included in the Logout Token to identify the RP session with the OP when the backchannel_logout_uri is used. If omitted, the default value is false. type: boolean backChannelLogoutURI: description: BackChannelLogoutURI RP URL that will cause the RP to log itself out when sent a Logout Token by the OP pattern: (^$|^https?://.*) type: string clientName: description: ClientName is the human-readable string name of the client to be presented to the end-user during authorization. type: string deletionPolicy: description: |- Indicates if a deleted OAuth2Client custom resource should delete the database row or not. Value 1 means deletion of the OAuth2 client, value 2 means keep an orphan oauth2 client. enum: - 1 - 2 type: integer frontChannelLogoutSessionRequired: default: false description: FrontChannelLogoutSessionRequired Boolean value specifying whether the RP requires that iss (issuer) and sid (session ID) query parameters be included to identify the RP session with the OP when the frontchannel_logout_uri is used type: boolean frontChannelLogoutURI: description: FrontChannelLogoutURI RP URL that will cause the RP to log itself out when rendered in an iframe by the OP. An iss (issuer) query parameter and a sid (session ID) query parameter MAY be included by the OP to enable the RP to validate the request and to determine which of the potentially multiple sessions is to be logged out; if either is included, both MUST be pattern: (^$|^https?://.*) type: string grantTypes: description: GrantTypes is an array of grant types the client is allowed to use. items: description: GrantType represents an OAuth 2.0 grant type enum: - client_credentials - authorization_code - implicit - refresh_token type: string maxItems: 4 minItems: 1 type: array hydraAdmin: description: |- HydraAdmin is the optional configuration to use for managing this client properties: endpoint: description: |- Endpoint is the endpoint for the hydra instance on which to set up the client. This value will override the value provided to `--endpoint` (defaults to `"/clients"` in the application) pattern: (^$|^/.*) type: string forwardedProto: description: |- ForwardedProto overrides the `--forwarded-proto` flag. The value "off" will force this to be off even if `--forwarded-proto` is specified pattern: (^$|https?|off) type: string port: description: |- Port is the port for the hydra instance on which to set up the client. This value will override the value provided to `--hydra-port` maximum: 65535 type: integer url: description: |- URL is the URL for the hydra instance on which to set up the client. This value will override the value provided to `--hydra-url` maxLength: 64 pattern: (^$|^https?://.*) type: string type: object jwksUri: description: JwksUri Define the URL where the JSON Web Key Set should be fetched from when performing the private_key_jwt client authentication method. pattern: (^$|^https?://.*) type: string metadata: description: Metadata is arbitrary data nullable: true type: object x-kubernetes-preserve-unknown-fields: true postLogoutRedirectUris: description: PostLogoutRedirectURIs is an array of the post logout redirect URIs allowed for the application items: description: RedirectURI represents a redirect URI for the client pattern: \w+:/?/?[^\s]+ type: string type: array redirectUris: description: RedirectURIs is an array of the redirect URIs allowed for the application items: description: RedirectURI represents a redirect URI for the client pattern: \w+:/?/?[^\s]+ type: string type: array responseTypes: description: |- ResponseTypes is an array of the OAuth 2.0 response type strings that the client can use at the authorization endpoint. items: description: ResponseType represents an OAuth 2.0 response type strings enum: - id_token - code - token - code token - code id_token - id_token token - code id_token token type: string maxItems: 3 minItems: 1 type: array scope: description: |- Scope is a string containing a space-separated list of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client can use when requesting access tokens. Use scopeArray instead. pattern: ([a-zA-Z0-9\.\*]+\s?)* type: string scopeArray: description: |- Scope is an array of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client can use when requesting access tokens. items: type: string type: array secretName: description: SecretName points to the K8s secret that contains this client's ID and password maxLength: 253 minLength: 1 pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*' type: string skipConsent: default: false description: SkipConsent skips the consent screen for this client. type: boolean tokenEndpointAuthMethod: allOf: - enum: - client_secret_basic - client_secret_post - private_key_jwt - none - enum: - client_secret_basic - client_secret_post - private_key_jwt - none description: Indication which authentication method should be used for the token endpoint type: string tokenLifespans: description: |- TokenLifespans is the configuration to use for managing different token lifespans depending on the used grant type. properties: authorization_code_grant_access_token_lifespan: description: |- AuthorizationCodeGrantAccessTokenLifespan is the access token lifespan issued on an authorization_code grant. pattern: '[0-9]+(ns|us|ms|s|m|h)' type: string authorization_code_grant_id_token_lifespan: description: |- AuthorizationCodeGrantIdTokenLifespan is the id token lifespan issued on an authorization_code grant. pattern: '[0-9]+(ns|us|ms|s|m|h)' type: string authorization_code_grant_refresh_token_lifespan: description: |- AuthorizationCodeGrantRefreshTokenLifespan is the refresh token lifespan issued on an authorization_code grant. pattern: '[0-9]+(ns|us|ms|s|m|h)' type: string client_credentials_grant_access_token_lifespan: description: |- AuthorizationCodeGrantRefreshTokenLifespan is the access token lifespan issued on a client_credentials grant. pattern: '[0-9]+(ns|us|ms|s|m|h)' type: string implicit_grant_access_token_lifespan: description: |- ImplicitGrantAccessTokenLifespan is the access token lifespan issued on an implicit grant. pattern: '[0-9]+(ns|us|ms|s|m|h)' type: string implicit_grant_id_token_lifespan: description: |- ImplicitGrantIdTokenLifespan is the id token lifespan issued on an implicit grant. pattern: '[0-9]+(ns|us|ms|s|m|h)' type: string jwt_bearer_grant_access_token_lifespan: description: |- JwtBearerGrantAccessTokenLifespan is the access token lifespan issued on a jwt_bearer grant. pattern: '[0-9]+(ns|us|ms|s|m|h)' type: string refresh_token_grant_access_token_lifespan: description: |- RefreshTokenGrantAccessTokenLifespan is the access token lifespan issued on a refresh_token grant. pattern: '[0-9]+(ns|us|ms|s|m|h)' type: string refresh_token_grant_id_token_lifespan: description: |- RefreshTokenGrantIdTokenLifespan is the id token lifespan issued on a refresh_token grant. pattern: '[0-9]+(ns|us|ms|s|m|h)' type: string refresh_token_grant_refresh_token_lifespan: description: |- RefreshTokenGrantRefreshTokenLifespan is the refresh token lifespan issued on a refresh_token grant. pattern: '[0-9]+(ns|us|ms|s|m|h)' type: string type: object userInfoSignedResponseAlg: description: UserInfoSignedResponseAlg value specifying the JWS alg algorithm for signing UserInfo Responses type: string required: - grantTypes - secretName type: object status: description: OAuth2ClientStatus defines the observed state of OAuth2Client properties: conditions: items: description: OAuth2ClientCondition contains condition information for an OAuth2Client properties: status: enum: - "True" - "False" - Unknown type: string type: type: string required: - status - type type: object type: array observedGeneration: description: ObservedGeneration represents the most recent generation observed by the daemon set controller. format: int64 type: integer reconciliationError: description: ReconciliationError represents an error that occurred during the reconciliation process properties: description: description: Description is the description of the reconciliation error type: string statusCode: description: Code is the status code of the reconciliation error type: string type: object type: object type: object served: true storage: true subresources: status: {}