Make ID token lifetimes configurable on OIDCClient resources

generated/latest/README.adoc

@@ -937,6 +937,7 @@ Must only contain the following values: - authorization_code: allows the client
 | *`allowedScopes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-config-v1alpha1-scope[$$Scope$$] array__ | allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. +
 
 Must only contain the following values: - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). This scope must always be listed. - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. This scope must be listed if allowedGrantTypes lists refresh_token. - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, which is a step in the process to be able to get a cluster credential for the user. openid, username and groups scopes must be listed when this scope is present. This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. - username: The client is allowed to request that ID tokens contain the user's username. Without the username scope being requested and allowed, the ID token will not contain the user's username. - groups: The client is allowed to request that ID tokens contain the user's group membership, if their group membership is discoverable by the Supervisor. Without the groups scope being requested and allowed, the ID token will not contain groups.
+| *`tokenLifetimes`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-config-v1alpha1-oidcclienttokenlifetimes[$$OIDCClientTokenLifetimes$$]__ | tokenLifetimes are the optional overrides of token lifetimes for an OIDCClient.
 |===
 
 
@@ -959,6 +960,23 @@ OIDCClientStatus is a struct that describes the actual state of an OIDCClient.
 |===
 
 
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-config-v1alpha1-oidcclienttokenlifetimes"]
+==== OIDCClientTokenLifetimes 
+
+OIDCClientTokenLifetimes describes the optional overrides of token lifetimes for an OIDCClient.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-config-v1alpha1-oidcclientspec[$$OIDCClientSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`idTokenSeconds`* __integer__ | idTokenSeconds is the lifetime of ID tokens issued to this client, in seconds. This will choose the lifetime of ID tokens returned by the authorization flow and the refresh grant. It will not influence the lifetime of the ID tokens returned by RFC8693 token exchange. When null, a short-lived default value will be used. This value must be between 120 and 1,800 seconds (30 minutes), inclusive. It is recommended to make these tokens short-lived to force the client to perform the refresh grant often, because the refresh grant will check with the external identity provider to decide if it is acceptable for the end user to continue their session, and will update the end user's group memberships from the external identity provider. Giving these tokens a long life is will allow the end user to continue to use a token while avoiding these updates from the external identity provider. However, some web applications may have reasons specific to the design of that application to prefer longer lifetimes.
+|===
+
+
 [id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-config-v1alpha1-redirecturi"]
 ==== RedirectURI (string) 
 

generated/latest/apis/supervisor/config/v1alpha1/types_oidcclient.go

@@ -1,4 +1,4 @@
-// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -71,6 +71,28 @@ type OIDCClientSpec struct {
 	// +listType=set
 	// +kubebuilder:validation:MinItems=1
 	AllowedScopes []Scope `json:"allowedScopes"`
+
+	// tokenLifetimes are the optional overrides of token lifetimes for an OIDCClient.
+	// +optional
+	TokenLifetimes OIDCClientTokenLifetimes `json:"tokenLifetimes,omitempty"`
+}
+
+// OIDCClientTokenLifetimes describes the optional overrides of token lifetimes for an OIDCClient.
+type OIDCClientTokenLifetimes struct {
+	// idTokenSeconds is the lifetime of ID tokens issued to this client, in seconds. This will choose the lifetime of
+	// ID tokens returned by the authorization flow and the refresh grant. It will not influence the lifetime of the ID
+	// tokens returned by RFC8693 token exchange. When null, a short-lived default value will be used.
+	// This value must be between 120 and 1,800 seconds (30 minutes), inclusive. It is recommended to make these tokens
+	// short-lived to force the client to perform the refresh grant often, because the refresh grant will check with the
+	// external identity provider to decide if it is acceptable for the end user to continue their session, and will
+	// update the end user's group memberships from the external identity provider. Giving these tokens a long life is
+	// will allow the end user to continue to use a token while avoiding these updates from the external identity
+	// provider. However, some web applications may have reasons specific to the design of that application to prefer
+	// longer lifetimes.
+	// +kubebuilder:validation:Minimum=120
+	// +kubebuilder:validation:Maximum=1800
+	// +optional
+	IDTokenSeconds *int32 `json:"idTokenSeconds,omitempty"`
 }
 
 // OIDCClientStatus is a struct that describes the actual state of an OIDCClient.

generated/latest/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go

@@ -374,6 +374,7 @@ func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec) {
 		*out = make([]Scope, len(*in))
 		copy(*out, *in)
 	}
+	in.TokenLifetimes.DeepCopyInto(&out.TokenLifetimes)
 	return
 }
 
@@ -409,3 +410,24 @@ func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus {
 	in.DeepCopyInto(out)
 	return out
 }
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCClientTokenLifetimes) DeepCopyInto(out *OIDCClientTokenLifetimes) {
+	*out = *in
+	if in.IDTokenSeconds != nil {
+		in, out := &in.IDTokenSeconds, &out.IDTokenSeconds
+		*out = new(int32)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientTokenLifetimes.
+func (in *OIDCClientTokenLifetimes) DeepCopy() *OIDCClientTokenLifetimes {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCClientTokenLifetimes)
+	in.DeepCopyInto(out)
+	return out
+}