fix: Change OIDC flag for generated MCP kubeconfigs

Kukkerem · web-flow · commit fe8d1a1cca3d · 2025-08-11T16:06:51.000+02:00
diff --git a/api/core/v1alpha1/authentication_types.go b/api/core/v1alpha1/authentication_types.go
@@ -9,10 +9,11 @@ const (
 	OIDCParameterClientID     = "oidc-client-id"
 	OIDCParameterClientSecret = "oidc-client-secret"
 	OIDCParameterExtraScope   = "oidc-extra-scope"
-	OIDCParameterUsePKCE      = "oidc-use-pkce"
+	OIDCParameterPKCEMethod   = "oidc-pkce-method"
 	OIDCParameterGrantType    = "grant-type"
 
 	OIDCDefaultExtraScopes = "offline_access,email,profile"
+	OIDCDefaultPKCEMethod  = "auto"
 	OIDCDefaultGrantType   = "auto"
 )
 
diff --git a/internal/controller/core/apiserver/utils/access.go b/internal/controller/core/apiserver/utils/access.go
@@ -283,7 +283,7 @@ func CreateOIDCKubeconfig(ctx context.Context, crateClient client.Client, cluste
 	contexts := make(map[string]*clientcmdapi.Context)
 
 	flags := map[string]openmcpv1alpha1.SingleOrMultiStringValue{
-		openmcpv1alpha1.OIDCParameterUsePKCE:    {},
+		openmcpv1alpha1.OIDCParameterPKCEMethod: {Value: openmcpv1alpha1.OIDCDefaultPKCEMethod},
 		openmcpv1alpha1.OIDCParameterGrantType:  {Value: openmcpv1alpha1.OIDCDefaultGrantType},
 		openmcpv1alpha1.OIDCParameterExtraScope: {Values: strings.Split(openmcpv1alpha1.OIDCDefaultExtraScopes, ",")},
 	}
diff --git a/internal/controller/core/authentication/controller_test.go b/internal/controller/core/authentication/controller_test.go
@@ -268,7 +268,7 @@ var _ = Describe("CO-1153 Authentication Controller", func() {
 		Expect(systemIdP.Exec.Args).To(ContainElements("--oidc-extra-scope=email"))
 		Expect(systemIdP.Exec.Args).To(ContainElements("--oidc-extra-scope=profile"))
 		Expect(systemIdP.Exec.Args).To(ContainElements("--oidc-extra-scope=offline_access"))
-		Expect(systemIdP.Exec.Args).To(ContainElements("--oidc-use-pkce"))
+		Expect(systemIdP.Exec.Args).To(ContainElements("--oidc-pkce-method=auto"))
 		Expect(systemIdP.Exec.Args).To(ContainElements("--grant-type=auto"))
 
 		openIdConnect := getOpenIDConnect()
@@ -550,7 +550,7 @@ var _ = Describe("CO-1153 Authentication Controller", func() {
 		Expect(systemIdP.Exec.Args).To(ContainElements("--oidc-client-secret=myclientsecret"))
 		Expect(systemIdP.Exec.Args).To(ContainElements("--oidc-extra-scope=scope1"))
 		Expect(systemIdP.Exec.Args).To(ContainElements("--oidc-extra-scope=scope2"))
-		Expect(systemIdP.Exec.Args).To(ContainElements("--oidc-use-pkce"))
+		Expect(systemIdP.Exec.Args).To(ContainElements("--oidc-pkce-method=auto"))
 		Expect(systemIdP.Exec.Args).To(ContainElements("--grant-type=auto"))
 		Expect(systemIdP.Exec.Args).To(ContainElements("--extra-param=foo"))
 		Expect(systemIdP.Exec.Args).To(ContainElements("--extra-repeatable=bar1"))

Original file line number	Diff line number	Diff line change
`@@ -283,7 +283,7 @@ func CreateOIDCKubeconfig(ctx context.Context, crateClient client.Client, cluste`
`283`	`283`	`contexts := make(map[string]*clientcmdapi.Context)`
`284`	`284`
`285`	`285`	`flags := map[string]openmcpv1alpha1.SingleOrMultiStringValue{`
`286`		`- openmcpv1alpha1.OIDCParameterUsePKCE: {},`
	`286`	`+ openmcpv1alpha1.OIDCParameterPKCEMethod: {Value: openmcpv1alpha1.OIDCDefaultPKCEMethod},`
`287`	`287`	`openmcpv1alpha1.OIDCParameterGrantType: {Value: openmcpv1alpha1.OIDCDefaultGrantType},`
`288`	`288`	`openmcpv1alpha1.OIDCParameterExtraScope: {Values: strings.Split(openmcpv1alpha1.OIDCDefaultExtraScopes, ",")},`
`289`	`289`	`}`