From 4913df229741f7179d3d834425db2a5546b5e561 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Tue, 1 Oct 2024 08:54:14 -0400
Subject: [PATCH] adjustments for support of PKCE OIDC
---
 salt/kratos/defaults.yaml | 1 +
 salt/kratos/soc_kratos.yaml | 5 +++++
 salt/nginx/etc/nginx.conf | 2 +-
 3 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/salt/kratos/defaults.yaml b/salt/kratos/defaults.yaml
index 1e2eef5ed..b62e4d2ce 100644
--- a/salt/kratos/defaults.yaml
+++ b/salt/kratos/defaults.yaml
@@ -6,6 +6,7 @@ kratos:
 id: SSO
 mapper_url: file:///kratos-conf/oidc.jsonnet
 subject_source: userinfo
+ pkce: auto
 scope:
 - email
 - profile
diff --git a/salt/kratos/soc_kratos.yaml b/salt/kratos/soc_kratos.yaml
index a362bb299..86227aa37 100644
--- a/salt/kratos/soc_kratos.yaml
+++ b/salt/kratos/soc_kratos.yaml
@@ -70,6 +70,11 @@ kratos:
 global: True
 forcedType: "[]string"
 helpLink: oidc.html
+ pkce:
+ description: Set to 'force' if the OIDC provider does not support auto-detection of PKCE, but does support PKCE. Set to `never` to disable PKCE. The default setting automatically attempts to detect if PKCE is supported. The provider's `well-known/openid-configuration` JSON response must contain the `S256` algorithm within the `code_challenge_methods_supported` list in order for the auto-detection to correctly detect PKCE is supported.
+ global: True
+ forcedType: string
+ helpLink: oidc.html
 requested_claims:
 id_token:
 email:
diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf
index 1c77426ef..1e45f0db5 100644
--- a/salt/nginx/etc/nginx.conf
+++ b/salt/nginx/etc/nginx.conf
@@ -193,7 +193,7 @@ http {
 proxy_set_header X-Forwarded-Proto $scheme;
 }
- location ~ ^/auth/.*?(login|oidc/callback/) {
+ location ~ ^/auth/.*?(login|oidc/callback) {
 rewrite /auth/(.*) /$1 break;
 limit_req zone=auth_throttle burst={{ NGINXMERGED.config.throttle_login_burst }} nodelay;
 limit_req_status 429;
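Review bot: The new `pkce: auto` line in defaults.yaml has no comment explaining that auto-detection quietly falls back to a plain authorization-code flow when the provider's discovery document does not list `S256` under `code_challenge_methods_supported`, so an operator whose provider supports PKCE but does not advertise it ends up without PKCE and without any warning in this file. A short comment above the key would make the trade-off visible where the value is set: `# auto = use PKCE (S256) only if the provider advertises it in .well-known/openid-configuration; 'force' for providers that support PKCE but do not advertise it; 'never' disables PKCE and should be a last resort`. The description added in soc_kratos.yaml covers the same options, but nothing in defaults.yaml points a reader to it. Whether Kratos logs the outcome of the detection is not visible here, so the comment is the only in-place hint the operator gets.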
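Review bot: The `description` for the new `pkce` setting quotes `'force'` in single quotes but `` `never` `` in backticks and never names the default value `auto` literally, so a reader cannot tell from the text which three strings are accepted or what they would type to restore the default; nothing in the hunk constrains the value either, so a typo such as `forced` is presumably passed through to Kratos as-is (not verifiable from this diff). It also presents `never` as a neutral option, although it removes the authorization-code interception protection PKCE exists for. A tighter wording would be: `description: Controls PKCE for the OIDC provider. The default, auto, uses PKCE only when the provider's .well-known/openid-configuration lists S256 in code_challenge_methods_supported. Set to force if the provider supports PKCE but does not advertise it. Set to never only if the provider rejects PKCE requests, since this disables authorization-code interception protection.` If the settings schema supports an allowed-values list alongside `forcedType`, adding `auto`, `force` and `never` there would catch typos at save time.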
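Review bot: The regex `^/auth/.*?(login|oidc/callback)` on the changed `location` line is unanchored at the end, so once the trailing slash is dropped it throttles any `/auth/` path that merely contains `oidc/callback` or `login` as a substring — both `.../oidc/callback` and `.../oidc/callback/<provider>` now fall into `auth_throttle`. Over-matching is the safe direction for a rate limit, but nothing in the file records why the slash was removed, and a future cleanup could reintroduce it and leave the slash-less callback form unthrottled. A comment above the line would pin the intent: `# match the OIDC callback with or without a trailing provider segment so both forms are rate-limited`. The PKCE motivation is inferred from the commit subject only and should be confirmed before it is written down. This `location` block and the enclosing `http {}` continue outside the hunk.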