Documentation

Overview
Package oidcserver implements the minimal local OIDC provider used by local clusters.
Constants
const LocalSub = "test-user"
LocalSub is the `sub` claim baked into every token the local fake OIDC issues. Exported so callers (e.g. `podplane local start` configuring kubectl) can build deterministic user names without performing a login first.
Variables
This section is empty.
Functions

func Handler
func Handler(issuerURL string, key *rsa.PrivateKey, validateClientID func(clientID string) error) (http.Handler, error)
Handler returns an http.Handler implementing a minimal local OIDC provider.
The handler is intended to be mounted at the root of issuerURL (the caller is responsible for stripping any path prefix). It serves:
GET /.well-known/openid-configuration
GET /.well-known/jwks.json
GET /authorize — auto-approves and 302-redirects with `code`
POST /token — handles authorization_code and refresh_token grants
Tokens are signed with the supplied RSA private key and contain hard-coded "test-user" identity claims; this is strictly for local development. validateClientID is called with client_id before a token is issued.
func IssueLocalToken
func IssueLocalToken(key *rsa.PrivateKey, issuerURL, clusterID string) (string, error)
IssueLocalToken signs and returns a fresh id_token suitable for the local fake OIDC. Identity claims are hard-coded to LocalSub / "test@localhost" with the system:masters group — this is a local development fixture only. clusterID becomes the audience and must match the apiserver's configured --oidc-client-id; issuerURL must match its --oidc-issuer-url.
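The page documents the claim contract of the tokens Handler and IssueLocalToken produce (sub test-user, test@localhost, group system:masters, aud = cluster ID, iss = issuer URL, RSA-signed) but shows neither the minting nor the checks the apiserver applies to them. The following is an added Go example, not the oidcserver package's own code: it mints such an RS256 id_token with only the standard library and then verifies it the way an OIDC-configured apiserver does (pinned algorithm, signature against the issuer's public key, issuer, audience, expiry), so the "must match --oidc-client-id / --oidc-issuer-url" requirement is visible as a concrete rejection. The names mintIDToken, verifyIDToken and decodeSegment, the claim names email and groups, and the one-hour lifetime are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// localSub mirrors oidcserver.LocalSub; the remaining identity values follow the documented fixture.
const localSub = "test-user"
var b64 = base64.RawURLEncoding

type claims struct {
	Iss    string   `json:"iss"`
	Sub    string   `json:"sub"`
	Aud    string   `json:"aud"`
	Email  string   `json:"email"`
	Groups []string `json:"groups"`
	Exp    int64    `json:"exp"`
}

// mintIDToken (assumed name) signs an RS256 compact JWS over the fixed local
// identity; aud is the cluster ID and iss the issuer URL, as the docs require.
func mintIDToken(key *rsa.PrivateKey, issuerURL, clusterID string, now time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, err := json.Marshal(claims{
		Iss: issuerURL, Sub: localSub, Aud: clusterID, Email: "test@localhost",
		Groups: []string{"system:masters"}, Exp: now.Add(time.Hour).Unix(), // assumed 1h lifetime
	})
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// decodeSegment base64url-decodes one JWS segment and unmarshals it into v.
func decodeSegment(seg string, v any) error {
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// verifyIDToken (assumed name) applies the checks an OIDC-configured apiserver
// applies: pinned algorithm, signature, issuer, audience and expiry.
func verifyIDToken(tok string, pub *rsa.PublicKey, issuerURL, clusterID string, now time.Time) (*claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	// Pin the algorithm rather than trusting whatever the header claims.
	var hdr struct{ Alg string `json:"alg"` }
	if err := decodeSegment(parts[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected or unreadable alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("bad signature: %w", err)
	}
	var c claims
	if err := decodeSegment(parts[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != issuerURL:
		return nil, fmt.Errorf("issuer %q does not match --oidc-issuer-url %q", c.Iss, issuerURL)
	case c.Aud != clusterID:
		return nil, fmt.Errorf("audience %q does not match --oidc-client-id %q", c.Aud, clusterID)
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tok, _ := mintIDToken(key, "http://127.0.0.1:5556", "local-cluster", time.Now())
	c, err := verifyIDToken(tok, &key.PublicKey, "http://127.0.0.1:5556", "local-cluster", time.Now())
	fmt.Printf("claims=%+v err=%v\n", c, err)
}
```

The verifier never picks the algorithm from the token header and never accepts a token whose aud or iss differs from the values the apiserver was started with; those two mismatches are the usual reason a locally issued token is rejected, and the error messages name the flag to check.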
func LoadOrCreateKeypair
func LoadOrCreateKeypair(path string) (*rsa.PrivateKey, error)
LoadOrCreateKeypair returns an RSA private key persisted at path, generating and writing a fresh 2048-bit key if the file does not exist.
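The on-disk format and file permissions of the persisted key are not stated on this page. The following is an added Go example, not the package's own implementation, of the documented load-or-generate behaviour: reuse the key at path if it exists, otherwise generate a 2048-bit key and write it. It assumes PKCS#1 PEM encoding and owner-only 0600 permissions, and it refuses to silently regenerate over a file that is not a parsable RSA key. The name loadOrCreateKeypair and the example path are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// loadOrCreateKeypair (assumed name) illustrates the documented contract:
// return the key persisted at path, generating and writing a fresh 2048-bit
// key if the file does not exist. PKCS#1 PEM and 0600 permissions are assumptions.
func loadOrCreateKeypair(path string) (*rsa.PrivateKey, error) {
	data, err := os.ReadFile(path)
	switch {
	case err == nil:
		// An existing file is parsed, never silently overwritten: a corrupt
		// or foreign key file is an error the operator should see.
		block, _ := pem.Decode(data)
		if block == nil || block.Type != "RSA PRIVATE KEY" {
			return nil, fmt.Errorf("%s: not a PEM-encoded RSA private key", path)
		}
		return x509.ParsePKCS1PrivateKey(block.Bytes)
	case errors.Is(err, os.ErrNotExist):
		key, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			return nil, err
		}
		if err := os.MkdirAll(filepath.Dir(path), 0o700); err != nil {
			return nil, err
		}
		pemBytes := pem.EncodeToMemory(&pem.Block{
			Type:  "RSA PRIVATE KEY",
			Bytes: x509.MarshalPKCS1PrivateKey(key),
		})
		// Owner-only: anyone who can read this file can sign tokens that the
		// local apiserver accepts as system:masters.
		if err := os.WriteFile(path, pemBytes, 0o600); err != nil {
			return nil, err
		}
		return key, nil
	default:
		return nil, err
	}
}

func main() {
	key, err := loadOrCreateKeypair(filepath.Join(os.TempDir(), "podplane-local-oidc-example.key"))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("RSA modulus bits:", key.N.BitLen())
}
```

Because this key is the signing key for every token the local cluster trusts, its file is the trust root of the local setup: keep it under a user-private directory and treat a changed key as a reason to re-run `podplane local start` so kubectl and the apiserver agree on the JWKS.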
Types
This section is empty.