feat(oidc): seed mokosh-apps + drillmark as public PKCE clients #41

Merged
YousifShkara merged 1 commit from feat/bunyip-op-cutover into main 2026-06-02 23:57:15 +02:00
Owner

Stage-1 of the bunyip-as-OP / mokosh-as-RP cutover (docs/new-auth/mokosh in the docs repo). Adds two oauth_clients rows so bunyip-api's /oauth2/authorize accepts the two browser SPAs that will move off mokosh-server's IdP onto bunyip-api's:

- mokosh-apps (msp.a8n.systems) targets audience https://api.msp.a8n.systems
- drillmark (drillmark.a8n.systems) targets audience https://api.drillmark.a8n.systems

Both are public (no secret, PKCE-required) per §2.2 of the cutover doc. Audience is the Resource Server's URL so the RS-side verifier can pin aud and reject tokens minted for the other service. The older mokosh-server confidential row (20260502000048) is left untouched; it'll be cleaned up in a later migration once mokosh-server's IdP code is deleted.
feat(oidc): seed mokosh-apps + drillmark as public PKCE clients
All checks were successful
Create release / Create release from merged PR (pull_request) Has been skipped
Check / fmt / clippy / build / test (pull_request) Successful in 1m22s
786ec10876
Stage-1 of the bunyip-as-OP / mokosh-as-RP cutover (docs/new-auth/mokosh in the docs repo). Adds two oauth_clients rows so bunyip-api's /oauth2/authorize accepts the two browser SPAs that will move off mokosh-server's IdP onto bunyip-api's:

- mokosh-apps (msp.a8n.systems) targets audience https://api.msp.a8n.systems
- drillmark (drillmark.a8n.systems) targets audience https://api.drillmark.a8n.systems

Both are public (no secret, PKCE-required) per §2.2 of the cutover doc. Audience is the Resource Server's URL so the RS-side verifier can pin aud and reject tokens minted for the other service. The older mokosh-server confidential row (20260502000048) is left untouched; it'll be cleaned up in a later migration once mokosh-server's IdP code is deleted.
YousifShkara deleted branch feat/bunyip-op-cutover 2026-06-02 23:57:15 +02:00
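
The RS-side `aud` pinning that the description relies on, sketched as an added example; this is not code from this PR or from bunyip, and `Aud`, `AudError` and `pin_audience` are hypothetical names. It assumes signature, issuer and expiry validation have already passed, and uses the two audience URLs from the description with constructed claims.

```rust
// Added example: RS-side audience pinning. Type and function names are
// hypothetical; signature, issuer and expiry checks are assumed to have
// already passed before this runs.

/// `aud` per RFC 7519 section 4.1.3: a single string or an array of strings.
#[derive(Debug)]
pub enum Aud {
    One(String),
    Many(Vec<String>),
}

#[derive(Debug, PartialEq)]
pub enum AudError {
    Missing,
    Mismatch,
}

/// Accept only if the token names this Resource Server exactly.
/// A missing claim is a rejection, never a pass, and comparison is
/// whole-string equality (no prefix or normalised-URL matching).
pub fn pin_audience(aud: Option<&Aud>, expected: &str) -> Result<(), AudError> {
    let hit = match aud.ok_or(AudError::Missing)? {
        Aud::One(a) => a == expected,
        Aud::Many(list) => list.iter().any(|a| a == expected),
    };
    if hit { Ok(()) } else { Err(AudError::Mismatch) }
}

// The two audiences named in the PR description.
pub const MOKOSH_RS: &str = "https://api.msp.a8n.systems";
pub const DRILLMARK_RS: &str = "https://api.drillmark.a8n.systems";

fn main() {
    // Constructed claims, evaluated as the mokosh Resource Server would.
    let cases = [
        ("token for mokosh", Some(Aud::One(MOKOSH_RS.to_string()))),
        ("token for drillmark", Some(Aud::One(DRILLMARK_RS.to_string()))),
        ("array form", Some(Aud::Many(vec![DRILLMARK_RS.into(), MOKOSH_RS.into()]))),
        ("trailing slash", Some(Aud::One(format!("{}/", MOKOSH_RS)))),
        ("no aud claim", None),
    ];
    for (label, aud) in &cases {
        println!("{label}: {:?}", pin_audience(aud.as_ref(), MOKOSH_RS));
    }
}
```

Each Resource Server passes its own URL as `expected`, so a token issued to the drillmark SPA fails at the mokosh API and vice versa.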
Reference
psa-systems/bunyip!41