From 539853a69542a0f83e23820077ff99b1d4d8645d Mon Sep 17 00:00:00 2001 From: Nikos Date: Fri, 29 Mar 2024 12:25:23 +0200 Subject: [PATCH] fix: Specify client authn method This is needed because if the method is not specified, the go client will try to hit the token endpoint again, but with a different client authn method if the first one fails. The problem is that the go client does not try to parse the error it got from the provider, which in the device flow most of the time will be authorization_pending. --- hack/flow-test/main.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/hack/flow-test/main.go b/hack/flow-test/main.go index 2dbcc0f0..bc9b857e 100644 --- a/hack/flow-test/main.go +++ b/hack/flow-test/main.go @@ -202,6 +202,7 @@ func deviceFlow(specs *EnvSpec, logger *zap.SugaredLogger) { AuthURL: specs.AuthURL, TokenURL: specs.TokenURL, DeviceAuthURL: specs.DeviceAuthURL, + AuthStyle: oauth2.AuthStyleInHeader, } } @@ -238,7 +239,7 @@ run the following command: $(KUBECTL) get secret -o yaml iam-tls | yq '.data' copy the ca.crt and tls.crt into /usr/local/share/ca-certificates/ and run update-ca-certificates to get those certs added to the system pool (and trust them), you might need to do the same (trust) in your chrome/firefox/safari browser -after that you should be able to point openssl or certigo to the forwarded ingress on your localhost (port 8443) and +after that you should be able to point openssl or certigo to the forwarded ingress on your localhost (port 8443) and verify that the cert is valid ############################################################ use the hydra cli to create a client: