From 843171845f0a677a2ff6e269062950aa9e040ebe Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Sat, 6 Jan 2024 03:58:53 +0100
Subject: [PATCH] feat(oauth2-proxy): Configure usage of PKCE code challenges

This patch should help to make sure, that nothing uses plaintext signatures.
---
 shared/applications/oauth2-proxy.yaml | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/shared/applications/oauth2-proxy.yaml b/shared/applications/oauth2-proxy.yaml
index 76d1578d8..3d49a5e32 100644
--- a/shared/applications/oauth2-proxy.yaml
+++ b/shared/applications/oauth2-proxy.yaml
@@ -11,8 +11,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2023-12-31T03:55:59Z"
- mac: ENC[AES256_GCM,data:OFMMZUW51e+Ql/6l7R7tnmhf7Bzec1UnYP1QIzm189eJqTeAI79XZgrAisuBgQ8ulyP3dHHxeOwPdoj8VPCwLa4hcDqiNtOHbKGd5DD2Z9YILOc2GmXWwBy86nNSyY8EvV3hYBHXCIxcM+CYbMVJkiCAK0X6sOJQtr4xDUUhClY=,iv:cTVO7JItFLWhdoM+IbHC5oOH7QFoFZ/YxTZd54VEsrQ=,tag:DTpeq4ozgyDgQU+2GYyEjQ==,type:str]
+ lastmodified: "2024-01-06T02:58:46Z"
+ mac: ENC[AES256_GCM,data:Uqimu0kwTEE3tpJqcW12BJVwAU9+xGHBdK4XiLOGyfaT99JWkTBccsEONJFhhW8Jk1BaWDK8ZzIUjDVenCbtaGMDLkQSRJ8b3Uv2gYjU/hVLOOQ0n1UYoTod3l9Kfs1PMHU9HKIRTpkat9ArwVt59cs4npVBN2QfIsbc+/6E0Lg=,iv:B9MewnTYtZ/pgOtbnzDlgbOGWlj3YUiEe1rYyo5yRvw=,tag:fMwmg+LCxb6Z/h29HYVdeQ==,type:str]
 pgp:
 - created_at: "2023-09-15T23:29:01Z"
 enc: |-
@@ -96,8 +96,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2023-12-31T03:55:59Z"
- mac: ENC[AES256_GCM,data:OFMMZUW51e+Ql/6l7R7tnmhf7Bzec1UnYP1QIzm189eJqTeAI79XZgrAisuBgQ8ulyP3dHHxeOwPdoj8VPCwLa4hcDqiNtOHbKGd5DD2Z9YILOc2GmXWwBy86nNSyY8EvV3hYBHXCIxcM+CYbMVJkiCAK0X6sOJQtr4xDUUhClY=,iv:cTVO7JItFLWhdoM+IbHC5oOH7QFoFZ/YxTZd54VEsrQ=,tag:DTpeq4ozgyDgQU+2GYyEjQ==,type:str]
+ lastmodified: "2024-01-06T02:58:46Z"
+ mac: ENC[AES256_GCM,data:Uqimu0kwTEE3tpJqcW12BJVwAU9+xGHBdK4XiLOGyfaT99JWkTBccsEONJFhhW8Jk1BaWDK8ZzIUjDVenCbtaGMDLkQSRJ8b3Uv2gYjU/hVLOOQ0n1UYoTod3l9Kfs1PMHU9HKIRTpkat9ArwVt59cs4npVBN2QfIsbc+/6E0Lg=,iv:B9MewnTYtZ/pgOtbnzDlgbOGWlj3YUiEe1rYyo5yRvw=,tag:fMwmg+LCxb6Z/h29HYVdeQ==,type:str]
 pgp:
 - created_at: "2023-09-15T23:29:01Z"
 enc: |-
@@ -153,6 +153,7 @@ data:
 silence-ping-logging: "true"
 scope: openid email profile
 oidc-groups-claim: memberof
+ code-challenge-method: 'S256'
 replicaCount: 2
 securityContext:
 enabled: true
@@ -178,8 +179,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2023-12-31T03:55:59Z"
- mac: ENC[AES256_GCM,data:OFMMZUW51e+Ql/6l7R7tnmhf7Bzec1UnYP1QIzm189eJqTeAI79XZgrAisuBgQ8ulyP3dHHxeOwPdoj8VPCwLa4hcDqiNtOHbKGd5DD2Z9YILOc2GmXWwBy86nNSyY8EvV3hYBHXCIxcM+CYbMVJkiCAK0X6sOJQtr4xDUUhClY=,iv:cTVO7JItFLWhdoM+IbHC5oOH7QFoFZ/YxTZd54VEsrQ=,tag:DTpeq4ozgyDgQU+2GYyEjQ==,type:str]
+ lastmodified: "2024-01-06T02:58:46Z"
+ mac: ENC[AES256_GCM,data:Uqimu0kwTEE3tpJqcW12BJVwAU9+xGHBdK4XiLOGyfaT99JWkTBccsEONJFhhW8Jk1BaWDK8ZzIUjDVenCbtaGMDLkQSRJ8b3Uv2gYjU/hVLOOQ0n1UYoTod3l9Kfs1PMHU9HKIRTpkat9ArwVt59cs4npVBN2QfIsbc+/6E0Lg=,iv:B9MewnTYtZ/pgOtbnzDlgbOGWlj3YUiEe1rYyo5yRvw=,tag:fMwmg+LCxb6Z/h29HYVdeQ==,type:str]
 pgp:
 - created_at: "2023-09-15T23:29:01Z"
 enc: |-
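Review bot: The added `code-challenge-method: 'S256'` in the `@@ -153,6 +153,7 @@` hunk only makes oauth2-proxy send an S256 challenge; nothing visible here makes the identity provider refuse authorization requests that carry no challenge or use `plain`, so the goal in the commit message also depends on the OIDC client being set to require PKCE with S256 on the provider side (that configuration is outside this patch and may already be in place). A short comment above the key would record the dependency, for example `# PKCE: the IdP client must also require S256, otherwise PKCE stays optional`. The neighbouring string values use double quotes (`"true"`), so `"S256"` would match the surrounding style. The mapping this key belongs to starts above the hunk, so its exact nesting cannot be confirmed from here.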
@@ -244,8 +245,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2023-12-31T03:55:59Z"
- mac: ENC[AES256_GCM,data:OFMMZUW51e+Ql/6l7R7tnmhf7Bzec1UnYP1QIzm189eJqTeAI79XZgrAisuBgQ8ulyP3dHHxeOwPdoj8VPCwLa4hcDqiNtOHbKGd5DD2Z9YILOc2GmXWwBy86nNSyY8EvV3hYBHXCIxcM+CYbMVJkiCAK0X6sOJQtr4xDUUhClY=,iv:cTVO7JItFLWhdoM+IbHC5oOH7QFoFZ/YxTZd54VEsrQ=,tag:DTpeq4ozgyDgQU+2GYyEjQ==,type:str]
+ lastmodified: "2024-01-06T02:58:46Z"
+ mac: ENC[AES256_GCM,data:Uqimu0kwTEE3tpJqcW12BJVwAU9+xGHBdK4XiLOGyfaT99JWkTBccsEONJFhhW8Jk1BaWDK8ZzIUjDVenCbtaGMDLkQSRJ8b3Uv2gYjU/hVLOOQ0n1UYoTod3l9Kfs1PMHU9HKIRTpkat9ArwVt59cs4npVBN2QfIsbc+/6E0Lg=,iv:B9MewnTYtZ/pgOtbnzDlgbOGWlj3YUiEe1rYyo5yRvw=,tag:fMwmg+LCxb6Z/h29HYVdeQ==,type:str]
 pgp:
 - created_at: "2023-09-15T23:29:01Z"
 enc: |-
@@ -303,8 +304,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2023-12-31T03:55:59Z"
- mac: ENC[AES256_GCM,data:OFMMZUW51e+Ql/6l7R7tnmhf7Bzec1UnYP1QIzm189eJqTeAI79XZgrAisuBgQ8ulyP3dHHxeOwPdoj8VPCwLa4hcDqiNtOHbKGd5DD2Z9YILOc2GmXWwBy86nNSyY8EvV3hYBHXCIxcM+CYbMVJkiCAK0X6sOJQtr4xDUUhClY=,iv:cTVO7JItFLWhdoM+IbHC5oOH7QFoFZ/YxTZd54VEsrQ=,tag:DTpeq4ozgyDgQU+2GYyEjQ==,type:str]
+ lastmodified: "2024-01-06T02:58:46Z"
+ mac: ENC[AES256_GCM,data:Uqimu0kwTEE3tpJqcW12BJVwAU9+xGHBdK4XiLOGyfaT99JWkTBccsEONJFhhW8Jk1BaWDK8ZzIUjDVenCbtaGMDLkQSRJ8b3Uv2gYjU/hVLOOQ0n1UYoTod3l9Kfs1PMHU9HKIRTpkat9ArwVt59cs4npVBN2QfIsbc+/6E0Lg=,iv:B9MewnTYtZ/pgOtbnzDlgbOGWlj3YUiEe1rYyo5yRvw=,tag:fMwmg+LCxb6Z/h29HYVdeQ==,type:str]
 pgp:
 - created_at: "2023-09-15T23:29:01Z"
 enc: |-
-- GitLab