Add support for addition oauth scopes

zeroflucs-given · Dec 21, 2023 · a7fd24c · a7fd24c
1 parent df2119c
commit a7fd24c
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -176,6 +176,7 @@ OIDC Provider:
   --providers.oidc.issuer-url=                          Issuer URL [$PROVIDERS_OIDC_ISSUER_URL]
   --providers.oidc.client-id=                           Client ID [$PROVIDERS_OIDC_CLIENT_ID]
   --providers.oidc.client-secret=                       Client Secret [$PROVIDERS_OIDC_CLIENT_SECRET]
+  --providers.oidc.scopes=                              Optional additional scopes to request [$PROVIDERS_OIDC_SCOPES]
   --providers.oidc.resource=                            Optional resource indicator [$PROVIDERS_OIDC_RESOURCE]
 
 Generic OAuth2 Provider:

diff --git a/internal/provider/oidc.go b/internal/provider/oidc.go
@@ -3,16 +3,18 @@ package provider
 import (
 	"context"
 	"errors"
+	"strings"
 
 	"github.com/coreos/go-oidc"
 	"golang.org/x/oauth2"
 )
 
 // OIDC provider
 type OIDC struct {
-	IssuerURL    string `long:"issuer-url" env:"ISSUER_URL" description:"Issuer URL"`
-	ClientID     string `long:"client-id" env:"CLIENT_ID" description:"Client ID"`
-	ClientSecret string `long:"client-secret" env:"CLIENT_SECRET" description:"Client Secret" json:"-"`
+	IssuerURL        string `long:"issuer-url" env:"ISSUER_URL" description:"Issuer URL"`
+	ClientID         string `long:"client-id" env:"CLIENT_ID" description:"Client ID"`
+	ClientSecret     string `long:"client-secret" env:"CLIENT_SECRET" description:"Client Secret" json:"-"`
+	AdditionalScopes string `long:"additional-scopes" env:"ADDITIONAL_SCOPES" description:"Additional Scopes"`
 
 	OAuthProvider
 
@@ -51,6 +53,9 @@ func (o *OIDC) Setup() error {
 		Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
 	}
 
+	additionalScopes := strings.Split(o.AdditionalScopes, ",")
+	o.Config.Scopes = append(o.Config.Scopes, additionalScopes...)
+
 	// Create OIDC verifier
 	o.verifier = o.provider.Verifier(&oidc.Config{
 		ClientID: o.ClientID,

diff --git a/internal/provider/oidc_test.go b/internal/provider/oidc_test.go
@@ -52,7 +52,7 @@ func TestOIDCGetLoginURL(t *testing.T) {
 		"client_id":     []string{"idtest"},
 		"redirect_uri":  []string{"http://example.com/_oauth"},
 		"response_type": []string{"code"},
-		"scope":         []string{"openid profile email"},
+		"scope":         []string{"openid profile email groups"},
 		"state":         []string{"state"},
 	}
 	assert.Equal(expectedQs, qs)
@@ -78,7 +78,7 @@ func TestOIDCGetLoginURL(t *testing.T) {
 		"client_id":     []string{"idtest"},
 		"redirect_uri":  []string{"http://example.com/_oauth"},
 		"response_type": []string{"code"},
-		"scope":         []string{"openid profile email"},
+		"scope":         []string{"openid profile email groups"},
 		"state":         []string{"state"},
 		"resource":      []string{"resourcetest"},
 	}
@@ -152,9 +152,10 @@ func setupOIDCTest(t *testing.T, bodyValues map[string]map[string]string) (*OIDC
 
 	// Setup provider
 	p := OIDC{
-		ClientID:     "idtest",
-		ClientSecret: "sectest",
-		IssuerURL:    serverURL.String(),
+		ClientID:         "idtest",
+		ClientSecret:     "sectest",
+		IssuerURL:        serverURL.String(),
+		AdditionalScopes: "groups",
 	}
 
 	// Initialise config/verifier