-
Notifications
You must be signed in to change notification settings - Fork 21
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: add support for public clients and disabling standard auth flow #630
Conversation
(note - though not directly required this also makes |
This allows disabling
Ideally using a public client is like a policy violation that somehow has to actually be marked as allowed. I don't think uds-operator's own policies really map well to this though. If Lula(?) was ready, I guess we could use it to detect all Packages with public clients. For the device flow, I think |
Enabling the device flow is an attribute you add to the client: https://github.com/defenseunicorns/uds-package-sigstore/pull/19/files#diff-84cee30d5e16b64372e9b71dc11e8d2643001f0fdd881c71f76768372ed18edeR13 The redirectUris, post logout redirectUris, and webOrigins are disabled when standard flow is disabled. |
We could disallow a public client for anything but device flow attributed standardAuthFlow disabled clients |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is fine I guess, the allowed configurations are limited enough that it should never be possible to use with a web client.
🤖 I have created a release *beep* *boop* --- ## [0.25.1](v0.25.0...v0.25.1) (2024-08-06) ### Bug Fixes * switch metrics-server to optional everywhere ([#641](#641)) ([43c5bd5](43c5bd5)) ### Miscellaneous * add debug logs for istio injection logic ([#602](#602)) ([9075436](9075436)) * add support for public clients and disabling standard auth flow ([#630](#630)) ([38151d7](38151d7)) * **deps:** update dependency defenseunicorns/uds-common to v0.11.0 ([#617](#617)) ([997cf37](997cf37)) * **deps:** update dependency weaveworks/eksctl to v0.188.0 ([#623](#623)) ([3081044](3081044)) * **deps:** update uds to v0.14.0 ([#612](#612)) ([7fe927e](7fe927e)) * update codeowners ([#637](#637)) ([eec5017](eec5017)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Description
This enables support for public clients and allows disabling the standard flow in a client to fully support the OAuth device flow.
You can see an example of how this would be implemented here: https://github.com/defenseunicorns/uds-package-sigstore/pull/19/files#diff-84cee30d5e16b64372e9b71dc11e8d2643001f0fdd881c71f76768372ed18edeR10
Related Issue
Fixes #509
Type of change
Checklist before merging