feat(oauth: generate client credentials locally

dsluijk · Dec 11, 2022 · 2538d39 · 2538d39
1 parent 86febea
commit 2538d39
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 0 deletions.
diff --git a/src/akapi/provider/create_oauth.rs b/src/akapi/provider/create_oauth.rs
@@ -44,6 +44,8 @@ pub struct CreateOAuthProviderBody {
     pub authorization_flow: String,
     pub property_mappings: Vec<String>,
     pub client_type: crd::ClientType,
+    pub client_id: String,
+    pub client_secret: String,
     pub access_code_validity: String,
     pub token_validity: String,
     pub include_claims_in_id_token: bool,

diff --git a/src/resources/authentik_provider_oauth/crd.rs b/src/resources/authentik_provider_oauth/crd.rs
@@ -1,4 +1,5 @@
 use kube::CustomResource;
+use rand::{distributions::Alphanumeric, thread_rng, Rng};
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 
@@ -19,6 +20,10 @@ pub struct AuthentikOAuthProviderSpec {
     #[validate(length(min = 1))]
     pub flow: String,
     pub client_type: ClientType,
+    #[serde(default = "default_client_id")]
+    pub client_id: String,
+    #[serde(default = "default_client_secret")]
+    pub client_secret: String,
     pub scopes: Vec<String>,
     #[validate(length(min = 1))]
     pub redirect_uris: Vec<String>,
@@ -60,6 +65,22 @@ pub enum IssuerMode {
 }
 
 // -- Default value functions from here on.
+fn default_client_id() -> String {
+    thread_rng()
+        .sample_iter(&Alphanumeric)
+        .take(255)
+        .map(char::from)
+        .collect()
+}
+
+fn default_client_secret() -> String {
+    thread_rng()
+        .sample_iter(&Alphanumeric)
+        .take(255)
+        .map(char::from)
+        .collect()
+}
+
 fn default_access_code_validity() -> String {
     "minutes=1".to_string()
 }

diff --git a/src/resources/authentik_provider_oauth/provider.rs b/src/resources/authentik_provider_oauth/provider.rs
@@ -97,6 +97,8 @@ pub async fn reconcile(obj: &crd::AuthentikOAuthProvider, client: Client) -> Res
             authorization_flow: flow.pk,
             property_mappings: scopes,
             client_type: obj.spec.client_type.clone(),
+            client_id: obj.spec.client_id.clone(),
+            client_secret: obj.spec.client_secret.clone(),
             include_claims_in_id_token: obj.spec.claims_in_token,
             redirect_uris: obj.spec.redirect_uris.join("\n"),
             access_code_validity: obj.spec.access_code_validity.clone(),