Merge pull request #606 from liouk/pkce-oauth-client

AUTH-356: Add openshift-cli-client OAuth Client
openshift · Jul 3, 2023 · 39a1e26 · 39a1e26
2 parents 0a9ebf8 + e623f2f
commit 39a1e26
Show file tree

Hide file tree

Showing 13 changed files with 1,367 additions and 20 deletions.
diff --git a/pkg/controllers/oauthclientscontroller/oauthclientscontroller.go b/pkg/controllers/oauthclientscontroller/oauthclientscontroller.go
@@ -117,26 +117,30 @@ func (c *oauthsClientsController) getCanonicalRouteHost(expectedHost string) (st
 }
 
 func (c *oauthsClientsController) ensureBootstrappedOAuthClients(ctx context.Context, masterPublicURL string) error {
-	browserClient := oauthv1.OAuthClient{
-		ObjectMeta:            metav1.ObjectMeta{Name: "openshift-browser-client"},
-		Secret:                base64.RawURLEncoding.EncodeToString(randomBits(256)),
-		RespondWithChallenges: false,
-		RedirectURIs:          []string{oauthdiscovery.OpenShiftOAuthTokenDisplayURL(masterPublicURL)},
-		GrantMethod:           oauthv1.GrantHandlerAuto,
-	}
-	if err := ensureOAuthClient(ctx, c.oauthClientClient, browserClient); err != nil {
-		return fmt.Errorf("unable to get %q bootstrapped OAuth client: %v", browserClient.Name, err)
-	}
-
-	cliClient := oauthv1.OAuthClient{
-		ObjectMeta:            metav1.ObjectMeta{Name: "openshift-challenging-client"},
-		Secret:                "",
-		RespondWithChallenges: true,
-		RedirectURIs:          []string{oauthdiscovery.OpenShiftOAuthTokenImplicitURL(masterPublicURL)},
-		GrantMethod:           oauthv1.GrantHandlerAuto,
-	}
-	if err := ensureOAuthClient(ctx, c.oauthClientClient, cliClient); err != nil {
-		return fmt.Errorf("unable to get %q bootstrapped CLI OAuth client: %v", browserClient.Name, err)
+	for _, client := range []oauthv1.OAuthClient{
+		{
+			ObjectMeta:            metav1.ObjectMeta{Name: "openshift-browser-client"},
+			Secret:                base64.RawURLEncoding.EncodeToString(randomBits(256)),
+			RespondWithChallenges: false,
+			RedirectURIs:          []string{oauthdiscovery.OpenShiftOAuthTokenDisplayURL(masterPublicURL)},
+			GrantMethod:           oauthv1.GrantHandlerAuto,
+		},
+		{
+			ObjectMeta:            metav1.ObjectMeta{Name: "openshift-challenging-client"},
+			Secret:                "",
+			RespondWithChallenges: true,
+			RedirectURIs:          []string{oauthdiscovery.OpenShiftOAuthTokenImplicitURL(masterPublicURL)},
+			GrantMethod:           oauthv1.GrantHandlerAuto,
+		},
+		{
+			ObjectMeta:   metav1.ObjectMeta{Name: "openshift-cli-client"},
+			RedirectURIs: []string{"http://127.0.0.1/callback", "http://[::1]/callback"},
+			GrantMethod:  oauthv1.GrantHandlerAuto,
+		},
+	} {
+		if err := ensureOAuthClient(ctx, c.oauthClientClient, client); err != nil {
+			return fmt.Errorf("unable to ensure existence of a bootstrapped OAuth client %q: %w", client.Name, err)
+		}
 	}
 
 	return nil