feat: support custom IDP origin in CF UAA password grant#206
Open
Conversation
The go-cfclient/v3 library already supports config.Origin() to pass the
login_hint parameter to the CF UAA token endpoint, but the provider never
used it. This prevents authentication when a custom identity provider is
configured (e.g., SAP IAS with a non-default origin).
This commit adds an optional "origin" field to the credentials JSON and
passes it via config.Origin() when set. The change is fully backwards
compatible — omitting the origin field preserves existing behavior.
Credentials JSON with origin:
{"email":"...","password":"...","origin":"custom-idp-origin"}
Signed-off-by: Simon Jarke <simon.jarke@abs-gmbh.de>
BREAKING CHANGE: All 16 CRDs (14 managed resources + ProviderConfig + ProviderConfigUsage) are now namespace-scoped instead of cluster-scoped. Existing cluster-scoped CRs must be recreated as namespaced resources.
- Upgrade crossplane-runtime to v2.1.0, controller-runtime to v0.22.0
- Update all import paths to crossplane-runtime/v2
- Use ManagedResourceSpec (v2) replacing ResourceSpec (v1)
- Use NamespacedReference/NamespacedSelector for cross-resource refs
- Use TypedProviderConfigUsage with Kind field
- Use ModernManaged interface for ProviderConfig lookup with namespace
- Remove External Secret Store (ESS) support (removed in v2)
- Remove Management Policies feature flag (always enabled in v2)
- Remove StoreConfig CRD and apis/v1alpha1 package
- Regenerate all CRDs, deepcopy, managed, and resolver code
- Add namespace to example YAMLs
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary
Adds support for custom identity provider (IDP) authentication in the CF UAA password grant flow.
The go-cfclient/v3 library already supports config.Origin() to pass the login_hint parameter to the CF UAA token endpoint, but the provider never used it. This prevents authentication when a custom IDP is configured (e.g., SAP Identity Authentication Service with a non-default origin).
Changes (2 lines of logic):
- Origin field to CfCredentials struct (json:"origin,omitempty")
- config.Origin(cred.Origin) when the field is non-empty
Fully backwards compatible — omitting the origin field preserves existing behavior.
Credentials JSON:
{"email":"user@example.com","password":"...","origin":"custom-idp-origin"}
Closes #204
Test plan
- go build ./internal/clients/ compiles successfully
- arrevqqkn-platform)
- omitting the origin field works identically to current behavior
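The two pieces of logic the PR describes, shown end to end as an added example (not the provider's or go-cfclient's own code): the credentials JSON is decoded into a struct with an optional origin, and the origin, when present, is turned into the login_hint parameter of the UAA password grant. The {"origin":"..."} shape of login_hint follows the UAA token endpoint documentation; the function names and the validation are assumptions of this example, and go-cfclient's config.Origin() is not called here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// CfCredentials mirrors the credentials JSON described in the PR: email and
// password are required, origin is optional and omitted when empty.
type CfCredentials struct {
	Email    string `json:"email"`
	Password string `json:"password"`
	Origin   string `json:"origin,omitempty"`
}

// ParseCredentials decodes the credentials JSON and rejects missing
// required fields (this validation is an assumption of the example).
func ParseCredentials(raw []byte) (CfCredentials, error) {
	var c CfCredentials
	if err := json.Unmarshal(raw, &c); err != nil {
		return c, err
	}
	if c.Email == "" || c.Password == "" {
		return c, fmt.Errorf("credentials: email and password are required")
	}
	return c, nil
}

// PasswordGrantForm builds the form body of a UAA password grant.
// A non-empty origin becomes the login_hint parameter in the
// {"origin":"..."} JSON shape UAA documents; when origin is empty the
// parameter is left out, so the default identity provider is used and
// existing credentials keep working unchanged.
func PasswordGrantForm(c CfCredentials) url.Values {
	form := url.Values{}
	form.Set("grant_type", "password")
	form.Set("username", c.Email)
	form.Set("password", c.Password)
	if c.Origin != "" {
		hint, _ := json.Marshal(map[string]string{"origin": c.Origin})
		form.Set("login_hint", string(hint))
	}
	return form
}
```

Calling PasswordGrantForm on a constructed credential `{"email":"user@example.com","password":"pw","origin":"custom-idp-origin"}` yields a form whose login_hint is `{"origin":"custom-idp-origin"}`; dropping the origin field yields a form with no login_hint at all.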