diff --git a/api/v1alpha1/oauth2client_types.go b/api/v1alpha1/oauth2client_types.go index 36d468e..702ef91 100644 --- a/api/v1alpha1/oauth2client_types.go +++ b/api/v1alpha1/oauth2client_types.go @@ -84,6 +84,9 @@ type OAuth2ClientSpec struct { // RedirectURIs is an array of the redirect URIs allowed for the application RedirectURIs []RedirectURI `json:"redirectUris,omitempty"` + // PostLogoutRedirectURIs is an array of the post logout redirect URIs allowed for the application + PostLogoutRedirectURIs []RedirectURI `json:"postLogoutRedirectUris,omitempty"` + // Audience is a whitelist defining the audiences this client is allowed to request tokens for Audience []string `json:"audience,omitempty"` @@ -105,7 +108,7 @@ type OAuth2ClientSpec struct { // this client HydraAdmin HydraAdmin `json:"hydraAdmin,omitempty"` - // +kubebuilder:validation:Enum=;client_secret_basic;client_secret_post;private_key_jwt;none + // +kubebuilder:validation:Enum=client_secret_basic;client_secret_post;private_key_jwt;none // // Indication which authentication method shoud be used for the token endpoint TokenEndpointAuthMethod TokenEndpointAuthMethod `json:"tokenEndpointAuthMethod,omitempty"` @@ -126,7 +129,7 @@ type ResponseType string // RedirectURI represents a redirect URI for the client type RedirectURI string -// +kubebuilder:validation:Enum=;client_secret_basic;client_secret_post;private_key_jwt;none +// +kubebuilder:validation:Enum=client_secret_basic;client_secret_post;private_key_jwt;none // TokenEndpointAuthMethod represents an authentication method for token endpoint type TokenEndpointAuthMethod string 
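Review bot: PostLogoutRedirectURIs is typed as []RedirectURI, so each entry is checked at admission only by the `\w+:/?/?[^\s]+` pattern the regenerated CRD shows for redirectUris, and the new field comment should say so, because readers will otherwise assume the CRD is the allowlist boundary. That pattern only demands a scheme and a non-blank remainder; it restricts neither scheme nor host, so any exact matching that protects the post-logout redirect is left to Hydra, which is consistent with RedirectURIs but worth stating next to the field. Suggested comment: `// PostLogoutRedirectURIs lists the post-logout redirect URIs allowed for the application.` followed by `// Entries get the same pattern check as RedirectURIs; any stricter matching is Hydra's, not the CRD's.`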
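Review bot: The corrected `+kubebuilder:validation:Enum=client_secret_basic;client_secret_post;private_key_jwt;none` marker now exists twice, on the TokenEndpointAuthMethod field in this hunk and on the type in the hunk at -126, and having to fix the stray empty value in both places is exactly the drift a single type-level marker avoids; I would drop the field-level copy. Removing the empty enum value is right for a field tagged `omitempty` (an unset value is absent from the object, not ""), but it does mean a manifest that explicitly sets `tokenEndpointAuthMethod: ""` is now rejected at admission, which deserves a line in the release notes. The context line `// Indication which authentication method shoud be used for the token endpoint` also carries the typo that the regenerated CRD description repeats in the -478 hunk of the CRD file; changing `shoud` to `should` here fixes both on the next regeneration.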
@@ -176,6 +179,7 @@ func (c *OAuth2Client) ToOAuth2ClientJSON() *hydra.OAuth2ClientJSON { GrantTypes: grantToStringSlice(c.Spec.GrantTypes), ResponseTypes: responseToStringSlice(c.Spec.ResponseTypes), RedirectURIs: redirectToStringSlice(c.Spec.RedirectURIs), + PostLogoutRedirectURIs: redirectToStringSlice(c.Spec.PostLogoutRedirectURIs), Audience: c.Spec.Audience, Scope: c.Spec.Scope, Owner: fmt.Sprintf("%s/%s", c.Name, c.Namespace), diff --git a/api/v1alpha1/oauth2client_types_test.go b/api/v1alpha1/oauth2client_types_test.go index fa61e04..b8a36cc 100644 --- a/api/v1alpha1/oauth2client_types_test.go +++ b/api/v1alpha1/oauth2client_types_test.go @@ -106,6 +106,7 @@ func TestCreateAPI(t *testing.T) { "invalid scope": func() { created.Spec.Scope = "" }, "missing secret name": func() { created.Spec.SecretName = "" }, "invalid redirect URI": func() { created.Spec.RedirectURIs = []RedirectURI{"invalid"} }, + "invalid logout redirect URI": func() { created.Spec.PostLogoutRedirectURIs = []RedirectURI{"invalid"} }, "invalid hydra url": func() { created.Spec.HydraAdmin.URL = "invalid" }, "invalid hydra port high": func() { created.Spec.HydraAdmin.Port = 65536 }, "invalid hydra endpoint": func() { created.Spec.HydraAdmin.Endpoint = "invalid" }, diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 9e8f1c7..164291a 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -20,6 +20,7 @@ limitations under the License. package v1alpha1 import ( + "encoding/json" runtime "k8s.io/apimachinery/pkg/runtime" ) 
@@ -115,7 +116,22 @@ func (in *OAuth2ClientSpec) DeepCopyInto(out *OAuth2ClientSpec) { *out = make([]RedirectURI, len(*in)) copy(*out, *in) } + if in.PostLogoutRedirectURIs != nil { + in, out := &in.PostLogoutRedirectURIs, &out.PostLogoutRedirectURIs + *out = make([]RedirectURI, len(*in)) + copy(*out, *in) + } + if in.Audience != nil { + in, out := &in.Audience, &out.Audience + *out = make([]string, len(*in)) + copy(*out, *in) + } out.HydraAdmin = in.HydraAdmin + if in.Metadata != nil { + in, out := &in.Metadata, &out.Metadata + *out = make(json.RawMessage, len(*in)) + copy(*out, *in) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OAuth2ClientSpec. diff --git a/config/crd/bases/hydra.ory.sh_oauth2clients.yaml b/config/crd/bases/hydra.ory.sh_oauth2clients.yaml index 697c623..e95b7e7 100644 --- a/config/crd/bases/hydra.ory.sh_oauth2clients.yaml +++ b/config/crd/bases/hydra.ory.sh_oauth2clients.yaml @@ -387,6 +387,12 @@ spec: type: object spec: properties: + audience: + description: Audience is a whitelist defining the audiences this client + is allowed to request tokens for + items: + type: string + type: array grantTypes: description: GrantTypes is an array of grant types the client is allowed to use. 
@@ -430,16 +436,22 @@ spec: pattern: (^$|^https?://.*) type: string type: object - redirectUris: - description: RedirectURIs is an array of the redirect URIs allowed for - the application + metadata: + description: Metadata is abritrary data + format: byte + type: string + postLogoutRedirectUris: + description: PostLogoutRedirectURIs is an array of the post logout redirect + URIs allowed for the application items: pattern: \w+:/?/?[^\s]+ type: string type: array - audience: - description: Audience is a whitelist defining the audiences this client is allowed to request tokens for + redirectUris: + description: RedirectURIs is an array of the redirect URIs allowed for + the application items: + pattern: \w+:/?/?[^\s]+ type: string type: array responseTypes: @@ -454,17 +466,6 @@ spec: maxItems: 3 minItems: 1 type: array - tokenEndpointAuthMethod: - description: Indication which authentication method shoud be used for the token endpoint. - type: string - enum: - - client_secret_basic - - client_secret_post - - private_key_jwt - - none - metadata: - description: Metadata is arbitrary data. This JSON will be stored into client and can be used to hold custom properties - type: object scope: description: Scope is a string containing a space-separated list of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749]) @@ -478,6 +479,15 @@ spec: minLength: 1 pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*' type: string + tokenEndpointAuthMethod: + description: Indication which authentication method shoud be used for + the token endpoint + enum: + - client_secret_basic + - client_secret_post + - private_key_jwt + - none + type: string required: - grantTypes - scope diff --git a/config/samples/hydra_v1alpha1_oauth2client.yaml b/config/samples/hydra_v1alpha1_oauth2client.yaml index 750eade..19acdfd 100644 --- a/config/samples/hydra_v1alpha1_oauth2client.yaml +++ b/config/samples/hydra_v1alpha1_oauth2client.yaml 
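Review bot: The regenerated `metadata` property changes from `type: object` to `format: byte` / `type: string`, which is what controller-gen emits for a `[]byte`-backed Go field (the deepcopy hunk copies Metadata as a `json.RawMessage`), so the apiserver will now reject the JSON object the old description promised users could store, and existing manifests with `metadata: {...}` would fail admission. If arbitrary JSON is still the intent, annotate the Go field with `// +kubebuilder:validation:Type=object` and `// +kubebuilder:pruning:PreserveUnknownFields` (or switch it to `apiextensionsv1.JSON`) and regenerate; the `abritrary` typo in the new description presumably comes from that same Go comment. More broadly, this hunk and the deepcopy hunk show the checked-in generated files had drifted from the Go types (Audience and Metadata had no deep copy at all), which a CI step that fails on a non-empty diff after regeneration would catch before a schema change like this lands unnoticed.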
@@ -19,6 +19,8 @@ spec:
 redirectUris:
 - https://client/account
 - http://localhost:8080
+ postLogoutRedirectUris:
+ - https://client/logout
 audience:
 - audience-a
 - audience-b
diff --git a/config/samples/hydra_v1alpha1_oauth2client_user_credentials.yaml b/config/samples/hydra_v1alpha1_oauth2client_user_credentials.yaml
index 008e364..20f9c04 100644
--- a/config/samples/hydra_v1alpha1_oauth2client_user_credentials.yaml
+++ b/config/samples/hydra_v1alpha1_oauth2client_user_credentials.yaml
@@ -29,6 +29,8 @@ spec:
 redirectUris:
 - https://client/account
 - http://localhost:8080
+ postLogoutRedirectUris:
+ - https://client/logout
 audience:
 - audience-a
 - audience-b
diff --git a/controllers/oauth2client_controller_integration_test.go b/controllers/oauth2client_controller_integration_test.go
index 0798ec9..acd43a9 100644
--- a/controllers/oauth2client_controller_integration_test.go
+++ b/controllers/oauth2client_controller_integration_test.go
@@ -484,12 +484,13 @@ func testInstance(name, secretName string) *hydrav1alpha1.OAuth2Client {
 Namespace: tstNamespace,
 },
 Spec: hydrav1alpha1.OAuth2ClientSpec{
- GrantTypes: []hydrav1alpha1.GrantType{"client_credentials"},
- ResponseTypes: []hydrav1alpha1.ResponseType{"token"},
- Scope: "a b c",
- RedirectURIs: []hydrav1alpha1.RedirectURI{"https://example.com"},
- Audience: []string{"audience-a"},
- SecretName: secretName,
+ GrantTypes: []hydrav1alpha1.GrantType{"client_credentials"},
+ ResponseTypes: []hydrav1alpha1.ResponseType{"token"},
+ Scope: "a b c",
+ RedirectURIs: []hydrav1alpha1.RedirectURI{"https://example.com"},
+ PostLogoutRedirectURIs: []hydrav1alpha1.RedirectURI{"https://example.com/logout"},
+ Audience: []string{"audience-a"},
+ SecretName: secretName,
 HydraAdmin: hydrav1alpha1.HydraAdmin{
 URL: "http://hydra-admin",
 Port: 4445,
diff --git a/hydra/types.go b/hydra/types.go
index 6b0aeb2..faff395 100644
--- a/hydra/types.go
+++ b/hydra/types.go
@@ -12,6 +12,7 @@ type OAuth2ClientJSON struct {
 Secret *string `json:"client_secret,omitempty"`
 GrantTypes []string `json:"grant_types"`
 RedirectURIs []string `json:"redirect_uris,omitempty"`
+ PostLogoutRedirectURIs []string `json:"post_logout_redirect_uris,omitempty"`
 ResponseTypes []string `json:"response_types,omitempty"`
 Audience []string `json:"audience,omitempty"`
 Scope string `json:"scope"`
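Review bot: `post_logout_redirect_uris` is tagged `omitempty`, mirroring `redirect_uris`, so a CR whose post-logout list has been emptied produces a request body with no key at all rather than `[]`. Whether that clears the list in Hydra or leaves the previously registered URIs in place depends on the update call's replace-versus-merge semantics, which this page does not show; if it is a merge, a URI an operator deliberately removed would stay registered on the Hydra side. Worth an update-path test that removes an entry and then checks the client as Hydra reports it, plus a one-line comment on the field recording which behaviour is relied on, e.g. `// omitted (not []) when empty; removals only take effect if the update path sends a full replacement` — adjusted to whatever the update call actually does.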