Make ID token lifetimes configurable on OIDCClient resources

2026-01-06 21:47:45 +00:00 · 2024-02-02 10:57:57 -08:00
parent 5fe94c4e2b
commit def2b35e6e
55 changed files with 1238 additions and 78 deletions
--- a/test/integration/supervisor_oidc_client_test.go
+++ b/test/integration/supervisor_oidc_client_test.go
@@ -1,4 +1,4 @@
-// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package integration
@@ -6,6 +6,7 @@ package integration
 import (
 	"context"
 	"fmt"
+	"k8s.io/utils/ptr"
 	"sort"
 	"strings"
 	"testing"
@@ -155,6 +156,54 @@ func TestOIDCClientStaticValidation_Parallel(t *testing.T) {
 			},
 			wantErr: `OIDCClient.config.supervisor.pinniped.dev "client.oauth.pinniped.dev-hello" is invalid: spec.allowedRedirectURIs[1]: Invalid value: "oob": spec.allowedRedirectURIs[1] in body should match '^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/'`,
 		},
+		{
+			name: "ID token lifetime too small",
+			client: &supervisorconfigv1alpha1.OIDCClient{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "client.oauth.pinniped.dev-hello",
+				},
+				Spec: supervisorconfigv1alpha1.OIDCClientSpec{
+					AllowedRedirectURIs: []supervisorconfigv1alpha1.RedirectURI{
+						"http://127.0.0.1/callback",
+					},
+					AllowedGrantTypes: []supervisorconfigv1alpha1.GrantType{
+						"refresh_token",
+					},
+					AllowedScopes: []supervisorconfigv1alpha1.Scope{
+						"username",
+					},
+					TokenLifetimes: supervisorconfigv1alpha1.OIDCClientTokenLifetimes{
+						IDTokenSeconds: ptr.To[int32](119),
+					},
+				},
+			},
+			wantErr: `OIDCClient.config.supervisor.pinniped.dev "client.oauth.pinniped.dev-hello" is invalid: ` +
+				`spec.tokenLifetimes.idTokenSeconds: Invalid value: 119: spec.tokenLifetimes.idTokenSeconds in body should be greater than or equal to 120`,
+		},
+		{
+			name: "ID token lifetime too large",
+			client: &supervisorconfigv1alpha1.OIDCClient{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "client.oauth.pinniped.dev-hello",
+				},
+				Spec: supervisorconfigv1alpha1.OIDCClientSpec{
+					AllowedRedirectURIs: []supervisorconfigv1alpha1.RedirectURI{
+						"http://127.0.0.1/callback",
+					},
+					AllowedGrantTypes: []supervisorconfigv1alpha1.GrantType{
+						"refresh_token",
+					},
+					AllowedScopes: []supervisorconfigv1alpha1.Scope{
+						"username",
+					},
+					TokenLifetimes: supervisorconfigv1alpha1.OIDCClientTokenLifetimes{
+						IDTokenSeconds: ptr.To[int32](1801),
+					},
+				},
+			},
+			wantErr: `OIDCClient.config.supervisor.pinniped.dev "client.oauth.pinniped.dev-hello" is invalid: ` +
+				`spec.tokenLifetimes.idTokenSeconds: Invalid value: 1801: spec.tokenLifetimes.idTokenSeconds in body should be less than or equal to 1800`,
+		},
 		{
 			name: "bad grant type",
 			client: &supervisorconfigv1alpha1.OIDCClient{