nomad

kemko/nomad

Fork 0

mirror of https://github.com/kemko/nomad.git synced 2026-01-01 16:05:42 +03:00

Commit Graph

Author	SHA1	Message	Date
Daniel Bennett	5c8e436de9	auth: oidc: disable pkce by default (#25600 ) our goal of "enable by default, only for new auth methods" proved to be unwieldy, so instead make it a simple bool, disabled by default.	2025-04-07 12:36:09 -05:00
Daniel Bennett	6a0c4f5a3d	auth: oidc: enable pkce only on new auth methods (#25593 ) trying not to violate the principle of least astonishment. we want to only auto-enable PKCE on new auth methods, rather than new or updated auth methods, to avoid a scenario where a Nomad admin updates an auth method sometime in the future -- something innocent like a new client secret -- and their OIDC provider doesn't like PKCE. the main concern is that the provider won't like PKCE in a totally confusing way. error messages rarely say PKCE directly, so why the user's auth method suddenly broke would be a big mystery. this means that to enable it on existing auth methods, you would set `OIDCDisablePKCE = false`, and the double- negative doesn't feel right, so instead, swap the language, so enabling it on existing methods reads sensibly, and to disable it on new methods reads ok-enough: `OIDCEnablePKCE = false`	2025-04-03 10:56:17 -05:00
Daniel Bennett	8c609ad762	docs: oidc client assertions and pkce (#25375 )	2025-03-20 09:14:17 -05:00

Author

SHA1

Message

Date

Daniel Bennett

5c8e436de9

auth: oidc: disable pkce by default (#25600 )

our goal of "enable by default, only for new auth methods"
proved to be unwieldy, so instead make it a simple bool,
disabled by default.

2025-04-07 12:36:09 -05:00

Daniel Bennett

6a0c4f5a3d

auth: oidc: enable pkce only on new auth methods (#25593 )

trying not to violate the principle of least astonishment.

we want to only auto-enable PKCE on *new* auth methods,
rather than *new or updated* auth methods, to avoid a
scenario where a Nomad admin updates an auth method
sometime in the future -- something innocent like a new
client secret -- and their OIDC provider doesn't like PKCE.

the main concern is that the provider won't like PKCE
in a totally confusing way. error messages rarely
say PKCE directly, so why the user's auth method
suddenly broke would be a big mystery.

this means that to enable it on existing auth methods,
you would set `OIDCDisablePKCE = false`, and the double-
negative doesn't feel right, so instead, swap the language,
so enabling it on *existing* methods reads sensibly, and to
disable it on *new* methods reads ok-enough:
`OIDCEnablePKCE = false`

2025-04-03 10:56:17 -05:00

Daniel Bennett

8c609ad762

docs: oidc client assertions and pkce (#25375 )

2025-03-20 09:14:17 -05:00

3 Commits