diff --git a/.changelog/2131.txt b/.changelog/2131.txt
new file mode 100644
index 00000000000..d32928a2d05
--- /dev/null
+++ b/.changelog/2131.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+access_application: Add support for Hybrid/Implicit flows and options
+```
diff --git a/access_application.go b/access_application.go
index 75ef4f31cb4..a1357bc6f82 100644
--- a/access_application.go
+++ b/access_application.go
@@ -210,6 +210,11 @@ type RefreshTokenOptions struct {
 Lifetime string `json:"lifetime,omitempty"`
 }
 
+type HybridAndImplicitOptions struct {
+ ReturnIDTokenFromAuthorizationEndpoint *bool `json:"return_id_token_from_authorization_endpoint,omitempty"`
+ ReturnAccessTokenFromAuthorizationEndpoint *bool `json:"return_access_token_from_authorization_endpoint,omitempty"`
+}
+
 type SaasApplication struct {
 // Items common to both SAML and OIDC
 AppID string `json:"app_id,omitempty"`
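Review bot: The new exported type `HybridAndImplicitOptions` and both of its fields carry no doc comment even though they are public API, and the same gap applies to the `HybridAndImplicitOptions` field added to `SaasApplication` in the next hunk. A comment such as `// HybridAndImplicitOptions controls whether the authorization endpoint returns an ID token and/or an access token directly (OIDC hybrid and implicit flows).` would let callers understand the toggles without reading the API reference. It is also worth a sentence on the type that returning an access token from the authorization endpoint is the implicit-flow behaviour the OAuth 2.0 Security BCP (RFC 9700) recommends against, so a caller enables it deliberately. Whether these fields are only honoured when GrantTypes lists "hybrid"/"implicit" is not visible here (the tests always set both together), so the comment should not assert that without confirming it against the API.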
@@ -230,16 +235,17 @@ type SaasApplication struct {
 SamlAttributeTransformJsonata string `json:"saml_attribute_transform_jsonata"`
 
 // OIDC saas app
- ClientID string `json:"client_id,omitempty"`
- ClientSecret string `json:"client_secret,omitempty"`
- RedirectURIs []string `json:"redirect_uris,omitempty"`
- GrantTypes []string `json:"grant_types,omitempty"`
- Scopes []string `json:"scopes,omitempty"`
- AppLauncherURL string `json:"app_launcher_url,omitempty"`
- GroupFilterRegex string `json:"group_filter_regex,omitempty"`
- CustomClaims []OIDCClaimConfig `json:"custom_claims,omitempty"`
- AllowPKCEWithoutClientSecret *bool `json:"allow_pkce_without_client_secret,omitempty"`
- RefreshTokenOptions *RefreshTokenOptions `json:"refresh_token_options,omitempty"`
+ ClientID string `json:"client_id,omitempty"`
+ ClientSecret string `json:"client_secret,omitempty"`
+ RedirectURIs []string `json:"redirect_uris,omitempty"`
+ GrantTypes []string `json:"grant_types,omitempty"`
+ Scopes []string `json:"scopes,omitempty"`
+ AppLauncherURL string `json:"app_launcher_url,omitempty"`
+ GroupFilterRegex string `json:"group_filter_regex,omitempty"`
+ CustomClaims []OIDCClaimConfig `json:"custom_claims,omitempty"`
+ AllowPKCEWithoutClientSecret *bool `json:"allow_pkce_without_client_secret,omitempty"`
+ RefreshTokenOptions *RefreshTokenOptions `json:"refresh_token_options,omitempty"`
+ HybridAndImplicitOptions *HybridAndImplicitOptions `json:"hybrid_and_implicit_options,omitempty"`
 }
 
 type AccessAppLauncherCustomization struct {
diff --git a/access_application_test.go b/access_application_test.go
index 086479c95ea..bf643c58482 100644
--- a/access_application_test.go
+++ b/access_application_test.go
@@ -1112,7 +1112,7 @@ func TestCreateOIDCSaasAccessApplications(t *testing.T) {
 "client_id": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
 "client_secret": "secret",
 "redirect_uris": ["https://saas.example.com"],
- "grant_types": ["authorization_code"],
+ "grant_types": ["authorization_code", "hybrid", "implicit"],
 "scopes": ["openid", "email", "profile", "groups"],
 "app_launcher_url": "https://saas.example.com",
 "group_filter_regex": ".*",
@@ -1126,7 +1126,11 @@ func TestCreateOIDCSaasAccessApplications(t *testing.T) {
 "required": true,
 "scope": "profile"
 }
- ]
+ ],
+ "hybrid_and_implicit_options": {
+ "return_id_token_from_authorization_endpoint": true,
+ "return_access_token_from_authorization_endpoint": true
+ }
 }
 }
 }
@@ -1156,7 +1160,7 @@ func TestCreateOIDCSaasAccessApplications(t *testing.T) {
 ClientID: "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
 ClientSecret: "secret",
 RedirectURIs: []string{"https://saas.example.com"},
- GrantTypes: []string{"authorization_code"},
+ GrantTypes: []string{"authorization_code", "hybrid", "implicit"},
 Scopes: []string{"openid", "email", "profile", "groups"},
 AppLauncherURL: "https://saas.example.com",
 GroupFilterRegex: ".*",
@@ -1169,6 +1173,10 @@ func TestCreateOIDCSaasAccessApplications(t *testing.T) {
 Scope: "profile",
 },
 },
+ HybridAndImplicitOptions: &HybridAndImplicitOptions{
+ ReturnIDTokenFromAuthorizationEndpoint: BoolPtr(true),
+ ReturnAccessTokenFromAuthorizationEndpoint: BoolPtr(true),
+ },
 },
 CreatedAt: &createdAt,
 UpdatedAt: &updatedAt,
@@ -1182,6 +1190,7 @@ func TestCreateOIDCSaasAccessApplications(t *testing.T) {
 Name: "Admin Saas Site",
 SaasApplication: &SaasApplication{
 AuthType: "oidc",
+ GrantTypes: []string{"authorization_code", "hybrid", "implicit"},
 RedirectURIs: []string{"https://saas.example.com"},
 AppLauncherURL: "https://saas.example.com",
 GroupFilterRegex: ".*",
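Review bot: The updated fixtures in the 1126 and 1169 hunks only exercise the all-true case for `HybridAndImplicitOptions`, so the `*bool` plus `omitempty` choice on the new fields is never checked for an explicit false or for an absent struct. If this test asserts on the request body, a second expectation with `ReturnAccessTokenFromAuthorizationEndpoint: BoolPtr(false)` would confirm that false is sent rather than dropped, and one that leaves the struct nil would confirm `hybrid_and_implicit_options` is not emitted at all. TestCreateOIDCSaasAccessApplications begins before the first hunk and continues past the last one shown here.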
@@ -1194,6 +1203,10 @@ func TestCreateOIDCSaasAccessApplications(t *testing.T) {
 Scope: "profile",
 },
 },
+ HybridAndImplicitOptions: &HybridAndImplicitOptions{
+ ReturnIDTokenFromAuthorizationEndpoint: BoolPtr(true),
+ ReturnAccessTokenFromAuthorizationEndpoint: BoolPtr(true),
+ },
 },
 SessionDuration: "24h",
 })
@@ -1208,6 +1221,7 @@ func TestCreateOIDCSaasAccessApplications(t *testing.T) {
 Name: "Admin Saas Site",
 SaasApplication: &SaasApplication{
 AuthType: "oidc",
+ GrantTypes: []string{"authorization_code", "hybrid", "implicit"},
 RedirectURIs: []string{"https://saas.example.com"},
 AppLauncherURL: "https://saas.example.com",
 GroupFilterRegex: ".*",
@@ -1220,6 +1234,10 @@ func TestCreateOIDCSaasAccessApplications(t *testing.T) {
 Scope: "profile",
 },
 },
+ HybridAndImplicitOptions: &HybridAndImplicitOptions{
+ ReturnIDTokenFromAuthorizationEndpoint: BoolPtr(true),
+ ReturnAccessTokenFromAuthorizationEndpoint: BoolPtr(true),
+ },
 },
 SessionDuration: "24h",
 })