{ "description": "OIDCClient describes the configuration of an OIDC client.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { "type": "object" }, "spec": { "description": "Spec of the OIDC client.", "properties": { "allowedGrantTypes": { "description": "allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this\nclient.\n\n\nMust only contain the following values:\n- authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to\n authenticate users. This grant must always be listed.\n- refresh_token: allows the client to perform refresh grants for the user to extend the user's session.\n This grant must be listed if allowedScopes lists offline_access.\n- urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,\n which is a step in the process to be able to get a cluster credential for the user.\n This grant must be listed if allowedScopes lists pinniped:request-audience.", "items": { "enum": [ "authorization_code", "refresh_token", "urn:ietf:params:oauth:grant-type:token-exchange" ], "type": "string" }, "minItems": 1, "type": "array", "x-kubernetes-list-type": "set" }, "allowedRedirectURIs": { "description": "allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this\nclient. Any other uris will be rejected.\nMust be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme.\nPort numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri.", "items": { "pattern": "^https://.+|^http://(127\\.0\\.0\\.1|\\[::1\\])(:\\d+)?/", "type": "string" }, "minItems": 1, "type": "array", "x-kubernetes-list-type": "set" }, "allowedScopes": { "description": "allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client.\n\n\nMust only contain the following values:\n- openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat).\n This scope must always be listed.\n- offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow.\n This scope must be listed if allowedGrantTypes lists refresh_token.\n- pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange,\n which is a step in the process to be able to get a cluster credential for the user.\n openid, username and groups scopes must be listed when this scope is present.\n This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange.\n- username: The client is allowed to request that ID tokens contain the user's username.\n Without the username scope being requested and allowed, the ID token will not contain the user's username.\n- groups: The client is allowed to request that ID tokens contain the user's group membership,\n if their group membership is discoverable by the Supervisor.\n Without the groups scope being requested and allowed, the ID token will not contain groups.", "items": { "enum": [ "openid", "offline_access", "username", "groups", "pinniped:request-audience" ], "type": "string" }, "minItems": 1, "type": "array", "x-kubernetes-list-type": "set" }, "tokenLifetimes": { "description": "tokenLifetimes are the optional overrides of token lifetimes for an OIDCClient.", "properties": { "idTokenSeconds": { "description": "idTokenSeconds is the lifetime of ID tokens issued to this client, in seconds. This will choose the lifetime of\nID tokens returned by the authorization flow and the refresh grant. It will not influence the lifetime of the ID\ntokens returned by RFC8693 token exchange. When null, a short-lived default value will be used.\nThis value must be between 120 and 1,800 seconds (30 minutes), inclusive. It is recommended to make these tokens\nshort-lived to force the client to perform the refresh grant often, because the refresh grant will check with the\nexternal identity provider to decide if it is acceptable for the end user to continue their session, and will\nupdate the end user's group memberships from the external identity provider. Giving these tokens a long life is\nwill allow the end user to continue to use a token while avoiding these updates from the external identity\nprovider. However, some web applications may have reasons specific to the design of that application to prefer\nlonger lifetimes.", "format": "int32", "maximum": 1800, "minimum": 120, "type": "integer" } }, "type": "object", "additionalProperties": false } }, "required": [ "allowedGrantTypes", "allowedRedirectURIs", "allowedScopes" ], "type": "object", "additionalProperties": false }, "status": { "description": "Status of the OIDC client.", "properties": { "conditions": { "description": "conditions represent the observations of an OIDCClient's current state.", "items": { "description": "Condition contains details for one aspect of the current state of this API Resource.\n---\nThis struct is intended for direct use as an array at the field path .status.conditions. For example,\n\n\n\ttype FooStatus struct{\n\t // Represents the observations of a foo's current state.\n\t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t // other fields\n\t}", "properties": { "lastTransitionTime": { "description": "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.", "format": "date-time", "type": "string" }, "message": { "description": "message is a human readable message indicating details about the transition.\nThis may be an empty string.", "maxLength": 32768, "type": "string" }, "observedGeneration": { "description": "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.", "format": "int64", "minimum": 0, "type": "integer" }, "reason": { "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.", "maxLength": 1024, "minLength": 1, "pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$", "type": "string" }, "status": { "description": "status of the condition, one of True, False, Unknown.", "enum": [ "True", "False", "Unknown" ], "type": "string" }, "type": { "description": "type of condition in CamelCase or in foo.example.com/CamelCase.\n---\nMany .condition.type values are consistent across resources like Available, but because arbitrary conditions can be\nuseful (see .node.status.conditions), the ability to deconflict is important.\nThe regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)", "maxLength": 316, "pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$", "type": "string" } }, "required": [ "lastTransitionTime", "message", "reason", "status", "type" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-map-keys": [ "type" ], "x-kubernetes-list-type": "map" }, "phase": { "default": "Pending", "description": "phase summarizes the overall status of the OIDCClient.", "enum": [ "Pending", "Ready", "Error" ], "type": "string" }, "totalClientSecrets": { "description": "totalClientSecrets is the current number of client secrets that are detected for this OIDCClient.", "format": "int32", "type": "integer" } }, "type": "object", "additionalProperties": false } }, "required": [ "spec" ], "type": "object" }