Skip to content

support response_mode=form_post in upstream OIDC IDPs #2254

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
joshuatcasey merged 1 commit into from
Mar 7, 2025
Merged

support response_mode=form_post in upstream OIDC IDPs #2254

joshuatcasey merged 1 commit into from
Mar 7, 2025

Conversation

@cfryanr
Copy link
Contributor

@cfryanr cfryanr commented Mar 6, 2025
edited
Loading

Addresses #2238.

This PR makes it possible to use response_mode=form_post with an OIDCIdentityProvider.

For example:

apiVersion: idp.supervisor.pinniped.dev/v1alpha1
kind: OIDCIdentityProvider
metadata:
  name: my-oidc-idp
  namespace: pinniped-supervisor
spec:
  issuer: https://my-oidc-provider.example.com/path
  authorizationConfig:
    additionalAuthorizeParameters:
      # This is the part that could not work before this PR.
      - name: response_mode
        value: form_post
      # End new part.
  claims:
    username: email
    groups: groups
  client:
    secretName: oidc-client-creds

This is typically not needed. However, see #2238 for a case where it might be needed when using certain versions of ADFS.

I manually tested that this works on my Mac laptop using Okta as the IDP and using the latest Safari, Chrome, Firefox, and Edge browsers (all for MacOS).

Release note:

The Pinniped Supervisor now supports using `response_mode=form_post` with an OIDCIdentityProvider.
Some versions of ADFS might require this in order for Pinniped to receive certain claims in the
ADFS-issued ID token.

@netlify
Copy link

netlify bot commented Mar 6, 2025
edited
Loading

Deploy Preview for pinniped-dev canceled.

Name Link
🔨 Latest commit 749633e
🔍 Latest deploy log https://app.netlify.com/sites/pinniped-dev/deploys/67ca2fb6937c9b0008f0f339

@cfryanr cfryanr force-pushed the rr/callback_handler_form_post branch from 445f7ce to 749633e Compare March 6, 2025 23:28
@codecov
Copy link

codecov bot commented Mar 6, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 83.05085% with 10 lines in your changes missing coverage. Please review.

Project coverage is 24.99%. Comparing base (308c76c) to head (749633e).
Report is 2 commits behind head on main.

Files with missing lines Patch % Lines
...ationdomain/endpoints/callback/callback_handler.go 82.75% 4 Missing and 1 partial ⚠️
internal/testutil/log_lines.go 0.00% 5 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #2254      +/-   ##
==========================================
+ Coverage   24.95%   24.99%   +0.04%     
==========================================
  Files         379      379              
  Lines       62172    62222      +50     
==========================================
+ Hits        15515    15555      +40     
- Misses      46322    46330       +8     
- Partials      335      337       +2

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@cfryanr cfryanr mentioned this pull request Mar 7, 2025
Closed
@joshuatcasey joshuatcasey merged commit f54834c into main Mar 7, 2025
39 checks passed
@joshuatcasey joshuatcasey deleted the rr/callback_handler_form_post branch March 7, 2025 23:40
@cfryanr cfryanr mentioned this pull request Mar 18, 2025
Closed
23 tasks
@cfryanr cfryanr mentioned this pull request Aug 1, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@joshuatcasey joshuatcasey joshuatcasey approved these changes

Assignees

No one assigned

Labels

cla-not-required

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@cfryanr @joshuatcasey @vmwclabot