feat: add support for public clients and disabling standard auth flow

docs/configuration/uds-operator.md

@@ -168,6 +168,29 @@ variables:
 
 See [configuring Istio Ingress](https://uds.defenseunicorns.com/core/configuration/istio/ingress/#configure-domain-name-and-tls-for-istio-gateways) for the relevant documentation on configuring ingress certificates.
 
+### Creating a UDS Package with a Device Flow client
+
+Some applications may not have a web UI / server component to login to and may instead grant OAuth tokens to devices.  This flow is known as the [OAuth 2.0 Device Authorization Grant](https://oauth.net/2/device-flow/) and is supported in a UDS Package with the following configuration:
+
+```yaml
+apiVersion: uds.dev/v1alpha1
+kind: Package
+metadata:
+  name: fulcio
+  namespace: fulcio-system
+spec:
+  sso:
+  sso:
+    - name: Sigstore Login
+      clientId: sigstore
+      standardFlowEnabled: false
+      publicClient: true
+      attributes:
+        oauth2.device.authorization.grant.enabled: "true"
+```
+
+This configuration does not create a secret in the cluster and instead tells the UDS Operator to create a public client (one that requires no auth secret) that enables the `oauth2.device.authorization.grant.enabled` flow and disables the standard redirect auth flow.  Because this creates a public client configuration that deviates from this is limited - if your application requires both the Device Authorization Grant and the standard flow this is currently not supported without creating two separate clients.
+
 ## Exemption
 
 - **Exemption Scope:**

src/pepr/operator/controllers/keycloak/client-sync.ts

@@ -158,22 +158,24 @@ async function syncClient(
   }
 
   // Create or update the client secret
-  const generation = (pkg.metadata?.generation ?? 0).toString();
-  await K8s(kind.Secret).Apply({
-    metadata: {
-      namespace: pkg.metadata!.namespace,
-      // Use the CR secret name if provided, otherwise use the client name
-      name: secretName || name,
-      labels: {
-        "uds/package": pkg.metadata!.name,
-        "uds/generation": generation,
+  if (!client.publicClient) {
+    const generation = (pkg.metadata?.generation ?? 0).toString();
+    await K8s(kind.Secret).Apply({
+      metadata: {
+        namespace: pkg.metadata!.namespace,
+        // Use the CR secret name if provided, otherwise use the client name
+        name: secretName || name,
+        labels: {
+          "uds/package": pkg.metadata!.name,
+          "uds/generation": generation,
+        },
+
+        // Use the CR as the owner ref for each VirtualService
+        ownerReferences: getOwnerRef(pkg),
       },
-
-      // Use the CR as the owner ref for each VirtualService
-      ownerReferences: getOwnerRef(pkg),
-    },
-    data: generateSecretData(client, secretTemplate),
-  });
+      data: generateSecretData(client, secretTemplate),
+    });
+  }
 
   return client;
 }

src/pepr/operator/crd/generated/package-v1alpha1.ts

@@ -549,11 +549,15 @@ export interface Sso {
    * Specifies the protocol of the client, either 'openid-connect' or 'saml'
    */
   protocol?: Protocol;
+  /**
+   * Defines whether the client requires a client secret for authentication
+   */
+  publicClient?: boolean;
   /**
    * Valid URI pattern a browser can redirect to after a successful login. Simple wildcards
    * are allowed such as 'https://unicorns.uds.dev/*'
    */
-  redirectUris: string[];
+  redirectUris?: string[];
   /**
    * Root URL appended to relative URLs
    */
@@ -570,6 +574,10 @@ export interface Sso {
    * A template for the generated secret
    */
   secretTemplate?: { [key: string]: string };
+  /**
+   * Enables the standard OpenID Connect redirect based authentication with authorization code.
+   */
+  standardFlowEnabled?: boolean;
   /**
    * Allowed CORS origins. To permit all origins of Valid Redirect URIs, add '+'. This does
    * not include the '*' wildcard though. To permit all origins, explicitly add '*'.

src/pepr/operator/crd/index.ts

@@ -8,6 +8,7 @@ export {
   Status as PkgStatus,
   RemoteGenerated,
   Sso,
+  Protocol,
   Package as UDSPackage,
 } from "./generated/package-v1alpha1";
 

src/pepr/operator/crd/sources/package/v1alpha1.ts

@@ -252,7 +252,7 @@ const sso = {
   type: "array",
   items: {
     type: "object",
-    required: ["clientId", "name", "redirectUris"],
+    required: ["clientId", "name"],
     properties: {
       enableAuthserviceSelector: {
         description:
@@ -335,6 +335,17 @@ const sso = {
         type: "boolean",
         default: false,
       },
+      standardFlowEnabled: {
+        description:
+          "Enables the standard OpenID Connect redirect based authentication with authorization code.",
+        type: "boolean",
+        default: true,
+      },
+      publicClient: {
+        description: "Defines whether the client requires a client secret for authentication",
+        type: "boolean",
+        default: false,
+      },
       clientAuthenticatorType: {
         description: "The client authenticator type",
         type: "string",