- continued refactoring the auth handler to share more code between
the two supported browserless flows: OIDC and LDAP/AD
- the upstreamldap package should not know about the concept of
OIDC granted scopes, so refactored it to be a skipGroups bool
- Simplify the error handling in the authorize endpoint by making the
private helper functions return fosite-style errors, and having
one place that writes those errors to the response.
- Some types of errors were previously returned as regular http-style
errors. Those have all been converted to be returned as oauth-style
errors (which can be redirects to the client), except for http method
not found errors. This is a change in behavior from the client's point
of view, but only when those unexpected errors happen. These types of
errors are more consistent with RFC6749 section 4.1.2.1.
- Avoids using the httperr package for error handling.
- Create a struct for the handler as a first step toward making smaller
functions with fewer parameters.
To make the subject of the downstream ID token more unique when
there are multiple IDPs. It is possible to define two IDPs in a
FederationDomain using the same identity provider CR, in which
case the only thing that would make the subject claim different
is adding the IDP display name into the values of the subject claim.
