ory · aeneasr · Jun 8, 2020 · Jun 4, 2020
@@ -84,6 +84,9 @@ type OAuth2ClientSpec struct {
 	// RedirectURIs is an array of the redirect URIs allowed for the application
 	RedirectURIs []RedirectURI `json:"redirectUris,omitempty"`
 
+	// PostLogoutRedirectURIs is an array of the post logout redirect URIs allowed for the application
+	PostLogoutRedirectURIs []RedirectURI `json:"postLogoutRedirectUris,omitempty"`
+
 	// Audience is a whitelist defining the audiences this client is allowed to request tokens for
 	Audience []string `json:"audience,omitempty"`
 
@@ -105,7 +108,7 @@ type OAuth2ClientSpec struct {
 	// this client
 	HydraAdmin HydraAdmin `json:"hydraAdmin,omitempty"`
 
-	// +kubebuilder:validation:Enum=;client_secret_basic;client_secret_post;private_key_jwt;none
+	// +kubebuilder:validation:Enum=client_secret_basic;client_secret_post;private_key_jwt;none
 	//
 	// Indication which authentication method shoud be used for the token endpoint
 	TokenEndpointAuthMethod TokenEndpointAuthMethod `json:"tokenEndpointAuthMethod,omitempty"`
@@ -126,7 +129,7 @@ type ResponseType string
 // RedirectURI represents a redirect URI for the client
 type RedirectURI string
 
-// +kubebuilder:validation:Enum=;client_secret_basic;client_secret_post;private_key_jwt;none
+// +kubebuilder:validation:Enum=client_secret_basic;client_secret_post;private_key_jwt;none
 // TokenEndpointAuthMethod represents an authentication method for token endpoint
 type TokenEndpointAuthMethod string
 
@@ -176,6 +179,7 @@ func (c *OAuth2Client) ToOAuth2ClientJSON() *hydra.OAuth2ClientJSON {
 		GrantTypes:              grantToStringSlice(c.Spec.GrantTypes),
 		ResponseTypes:           responseToStringSlice(c.Spec.ResponseTypes),
 		RedirectURIs:            redirectToStringSlice(c.Spec.RedirectURIs),
+		PostLogoutRedirectURIs:  redirectToStringSlice(c.Spec.PostLogoutRedirectURIs),
 		Audience:                c.Spec.Audience,
 		Scope:                   c.Spec.Scope,
 		Owner:                   fmt.Sprintf("%s/%s", c.Name, c.Namespace),

@@ -106,6 +106,7 @@ func TestCreateAPI(t *testing.T) {
 				"invalid scope":                 func() { created.Spec.Scope = "" },
 				"missing secret name":           func() { created.Spec.SecretName = "" },
 				"invalid redirect URI":          func() { created.Spec.RedirectURIs = []RedirectURI{"invalid"} },
+				"invalid logout redirect URI":   func() { created.Spec.PostLogoutRedirectURIs = []RedirectURI{"invalid"} },
 				"invalid hydra url":             func() { created.Spec.HydraAdmin.URL = "invalid" },
 				"invalid hydra port high":       func() { created.Spec.HydraAdmin.Port = 65536 },
 				"invalid hydra endpoint":        func() { created.Spec.HydraAdmin.Endpoint = "invalid" },

@@ -20,6 +20,7 @@ limitations under the License.
 package v1alpha1
 
 import (
+	"encoding/json"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
@@ -115,7 +116,22 @@ func (in *OAuth2ClientSpec) DeepCopyInto(out *OAuth2ClientSpec) {
 		*out = make([]RedirectURI, len(*in))
 		copy(*out, *in)
 	}
+	if in.PostLogoutRedirectURIs != nil {
+		in, out := &in.PostLogoutRedirectURIs, &out.PostLogoutRedirectURIs
+		*out = make([]RedirectURI, len(*in))
+		copy(*out, *in)
+	}
+	if in.Audience != nil {
+		in, out := &in.Audience, &out.Audience
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
 	out.HydraAdmin = in.HydraAdmin
+	if in.Metadata != nil {
+		in, out := &in.Metadata, &out.Metadata
+		*out = make(json.RawMessage, len(*in))
+		copy(*out, *in)
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OAuth2ClientSpec.

@@ -387,6 +387,12 @@ spec:
           type: object
         spec:
           properties:
+            audience:
+              description: Audience is a whitelist defining the audiences this client
+                is allowed to request tokens for
+              items:
+                type: string
+              type: array
             grantTypes:
               description: GrantTypes is an array of grant types the client is allowed
                 to use.
@@ -430,16 +436,22 @@ spec:
                   pattern: (^$|^https?://.*)
                   type: string
               type: object
-            redirectUris:
-              description: RedirectURIs is an array of the redirect URIs allowed for
-                the application
+            metadata:
+              description: Metadata is abritrary data
+              format: byte
+              type: string
+            postLogoutRedirectUris:
+              description: PostLogoutRedirectURIs is an array of the post logout redirect
+                URIs allowed for the application
               items:
                 pattern: \w+:/?/?[^\s]+
                 type: string
               type: array
-            audience:
-              description: Audience is a whitelist defining the audiences this client is allowed to request tokens for
+            redirectUris:
+              description: RedirectURIs is an array of the redirect URIs allowed for
+                the application
               items:
+                pattern: \w+:/?/?[^\s]+
                 type: string
               type: array
             responseTypes:
@@ -454,17 +466,6 @@ spec:
               maxItems: 3
               minItems: 1
               type: array
-            tokenEndpointAuthMethod:
-              description: Indication which authentication method shoud be used for the token endpoint.
-              type: string
-              enum:
-              - client_secret_basic
-              - client_secret_post
-              - private_key_jwt
-              - none
-            metadata:
-              description: Metadata is arbitrary data. This JSON will be stored into client and can be used to hold custom properties
-              type: object
             scope:
               description: Scope is a string containing a space-separated list of
                 scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749])
@@ -478,6 +479,15 @@ spec:
               minLength: 1
               pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*'
               type: string
+            tokenEndpointAuthMethod:
+              description: Indication which authentication method shoud be used for
+                the token endpoint
+              enum:
+              - client_secret_basic
+              - client_secret_post
+              - private_key_jwt
+              - none
+              type: string
           required:
           - grantTypes
           - scope

@@ -19,6 +19,8 @@ spec:
   redirectUris:
     - https://client/account
     - http://localhost:8080
+  postLogoutRedirectUris:
+    - https://client/logout
   audience:
     - audience-a
     - audience-b

@@ -29,6 +29,8 @@ spec:
   redirectUris:
     - https://client/account
     - http://localhost:8080
+  postLogoutRedirectUris:
+    - https://client/logout
   audience:
     - audience-a
     - audience-b

@@ -484,12 +484,13 @@ func testInstance(name, secretName string) *hydrav1alpha1.OAuth2Client {
 			Namespace: tstNamespace,
 		},
 		Spec: hydrav1alpha1.OAuth2ClientSpec{
-			GrantTypes:    []hydrav1alpha1.GrantType{"client_credentials"},
-			ResponseTypes: []hydrav1alpha1.ResponseType{"token"},
-			Scope:         "a b c",
-			RedirectURIs:  []hydrav1alpha1.RedirectURI{"https://example.com"},
-			Audience:      []string{"audience-a"},
-			SecretName:    secretName,
+			GrantTypes:             []hydrav1alpha1.GrantType{"client_credentials"},
+			ResponseTypes:          []hydrav1alpha1.ResponseType{"token"},
+			Scope:                  "a b c",
+			RedirectURIs:           []hydrav1alpha1.RedirectURI{"https://example.com"},
+			PostLogoutRedirectURIs: []hydrav1alpha1.RedirectURI{"https://example.com/logout"},
+			Audience:               []string{"audience-a"},
+			SecretName:             secretName,
 			HydraAdmin: hydrav1alpha1.HydraAdmin{
 				URL:            "http://hydra-admin",
 				Port:           4445,

@@ -12,6 +12,7 @@ type OAuth2ClientJSON struct {
 	Secret                  *string         `json:"client_secret,omitempty"`
 	GrantTypes              []string        `json:"grant_types"`
 	RedirectURIs            []string        `json:"redirect_uris,omitempty"`
+	PostLogoutRedirectURIs  []string        `json:"post_logout_redirect_uris,omitempty"`
 	ResponseTypes           []string        `json:"response_types,omitempty"`
 	Audience                []string        `json:"audience,omitempty"`
 	Scope                   string          `json:"scope"`