Skip to content

Commit

Permalink
AUTH-6071 Add Refresh token, custom claim, and pkce without client se…
Browse files Browse the repository at this point in the history
…cret support to Access OIDC SaaS applications
  • Loading branch information
ajholland committed May 9, 2024
1 parent afb0b0f commit ded3670
Show file tree
Hide file tree
Showing 3 changed files with 79 additions and 24 deletions.
3 changes: 3 additions & 0 deletions .changelog/1981.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
```release-note:enhancement
Add Refresh Token, Custom Claims, and PKCE Without Client Secret support to Access OIDC SaaS Applications
```
28 changes: 21 additions & 7 deletions access_application.go
Original file line number Diff line number Diff line change
Expand Up @@ -199,6 +199,17 @@ type SAMLAttributeConfig struct {
Source SourceConfig `json:"source"`
}

type OIDCClaimConfig struct {
Name string `json:"name,omitempty"`
Source SourceConfig `json:"source"`
Required *bool `json:"required,omitempty"`
Scope string `json:"scope,omitempty"`
}

type RefreshTokenOptions struct {
Lifetime string `json:"lifetime,omitempty"`
}

type SaasApplication struct {
// Items common to both SAML and OIDC
AppID string `json:"app_id,omitempty"`
Expand All @@ -219,13 +230,16 @@ type SaasApplication struct {
SamlAttributeTransformJsonata string `json:"saml_attribute_transform_jsonata"`

// OIDC saas app
ClientID string `json:"client_id,omitempty"`
ClientSecret string `json:"client_secret,omitempty"`
RedirectURIs []string `json:"redirect_uris,omitempty"`
GrantTypes []string `json:"grant_types,omitempty"`
Scopes []string `json:"scopes,omitempty"`
AppLauncherURL string `json:"app_launcher_url,omitempty"`
GroupFilterRegex string `json:"group_filter_regex,omitempty"`
ClientID string `json:"client_id,omitempty"`
ClientSecret string `json:"client_secret,omitempty"`
RedirectURIs []string `json:"redirect_uris,omitempty"`
GrantTypes []string `json:"grant_types,omitempty"`
Scopes []string `json:"scopes,omitempty"`
AppLauncherURL string `json:"app_launcher_url,omitempty"`
GroupFilterRegex string `json:"group_filter_regex,omitempty"`
CustomClaims []OIDCClaimConfig `json:"custom_claims,omitempty"`
AllowPKCEWithoutClientSecret *bool `json:"allow_pkce_without_client_secret,omitempty"`
RefreshTokenOptions *RefreshTokenOptions `json:"refresh_token_options,omitempty"`
}

type AccessAppLauncherCustomization struct {
Expand Down
72 changes: 55 additions & 17 deletions access_application_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -1115,7 +1115,18 @@ func TestCreateOIDCSaasAccessApplications(t *testing.T) {
"grant_types": ["authorization_code"],
"scopes": ["openid", "email", "profile", "groups"],
"app_launcher_url": "https://saas.example.com",
"group_filter_regex": ".*"
"group_filter_regex": ".*",
"allow_pkce_without_client_secret": false,
"custom_claims": [
{
"name": "test1",
"source": {
"name": "test1"
},
"required": true,
"scope": "profile"
}
]
}
}
}
Expand All @@ -1141,14 +1152,23 @@ func TestCreateOIDCSaasAccessApplications(t *testing.T) {
LogoURL: "https://www.example.com/example.png",
SkipInterstitial: BoolPtr(true),
SaasApplication: &SaasApplication{
AuthType: "oidc",
ClientID: "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
ClientSecret: "secret",
RedirectURIs: []string{"https://saas.example.com"},
GrantTypes: []string{"authorization_code"},
Scopes: []string{"openid", "email", "profile", "groups"},
AppLauncherURL: "https://saas.example.com",
GroupFilterRegex: ".*",
AuthType: "oidc",
ClientID: "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
ClientSecret: "secret",
RedirectURIs: []string{"https://saas.example.com"},
GrantTypes: []string{"authorization_code"},
Scopes: []string{"openid", "email", "profile", "groups"},
AppLauncherURL: "https://saas.example.com",
GroupFilterRegex: ".*",
AllowPKCEWithoutClientSecret: BoolPtr(false),
CustomClaims: []OIDCClaimConfig{
{
Name: "test1",
Source: SourceConfig{Name: "test1"},
Required: BoolPtr(true),
Scope: "profile",
},
},
},
CreatedAt: &createdAt,
UpdatedAt: &updatedAt,
Expand All @@ -1161,10 +1181,19 @@ func TestCreateOIDCSaasAccessApplications(t *testing.T) {
actual, err := client.CreateAccessApplication(context.Background(), AccountIdentifier(testAccountID), CreateAccessApplicationParams{
Name: "Admin Saas Site",
SaasApplication: &SaasApplication{
AuthType: "oidc",
RedirectURIs: []string{"https://saas.example.com"},
AppLauncherURL: "https://saas.example.com",
GroupFilterRegex: ".*",
AuthType: "oidc",
RedirectURIs: []string{"https://saas.example.com"},
AppLauncherURL: "https://saas.example.com",
GroupFilterRegex: ".*",
AllowPKCEWithoutClientSecret: BoolPtr(false),
CustomClaims: []OIDCClaimConfig{
{
Name: "test1",
Source: SourceConfig{Name: "test1"},
Required: BoolPtr(true),
Scope: "profile",
},
},
},
SessionDuration: "24h",
})
Expand All @@ -1178,10 +1207,19 @@ func TestCreateOIDCSaasAccessApplications(t *testing.T) {
actual, err = client.CreateAccessApplication(context.Background(), ZoneIdentifier(testZoneID), CreateAccessApplicationParams{
Name: "Admin Saas Site",
SaasApplication: &SaasApplication{
AuthType: "oidc",
RedirectURIs: []string{"https://saas.example.com"},
AppLauncherURL: "https://saas.example.com",
GroupFilterRegex: ".*",
AuthType: "oidc",
RedirectURIs: []string{"https://saas.example.com"},
AppLauncherURL: "https://saas.example.com",
GroupFilterRegex: ".*",
AllowPKCEWithoutClientSecret: BoolPtr(false),
CustomClaims: []OIDCClaimConfig{
{
Name: "test1",
Source: SourceConfig{Name: "test1"},
Required: BoolPtr(true),
Scope: "profile",
},
},
},
SessionDuration: "24h",
})
Expand Down

0 comments on commit ded3670

Please sign in to comment.