Allow specifying scopes in OIDC provider

traPtitech · Jan 13, 2024 · 64eb3f4 · 64eb3f4
1 parent 860cdf1
commit 64eb3f4
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 11 deletions.
diff --git a/README.md b/README.md
@@ -203,6 +203,7 @@ OIDC Provider:
       --providers.oidc.issuer-url=                          Issuer URL [$PROVIDERS_OIDC_ISSUER_URL]
       --providers.oidc.client-id=                           Client ID [$PROVIDERS_OIDC_CLIENT_ID]
       --providers.oidc.client-secret=                       Client Secret [$PROVIDERS_OIDC_CLIENT_SECRET]
+      --providers.oidc.scope=                               Scopes (default: profile, email) [$PROVIDERS_OIDC_SCOPE]
       --providers.oidc.prompt=                              Optional prompt query [$PROVIDERS_OIDC_PROMPT]
       --providers.oidc.resource=                            Optional resource indicator [$PROVIDERS_OIDC_RESOURCE]
 
@@ -212,8 +213,8 @@ Generic OAuth2 Provider:
       --providers.generic-oauth.user-url=                   URL used to retrieve user info [$PROVIDERS_GENERIC_OAUTH_USER_URL]
       --providers.generic-oauth.client-id=                  Client ID [$PROVIDERS_GENERIC_OAUTH_CLIENT_ID]
       --providers.generic-oauth.client-secret=              Client Secret [$PROVIDERS_GENERIC_OAUTH_CLIENT_SECRET]
-      --providers.generic-oauth.scope=                      Scopes (default: profile, email) [$PROVIDERS_GENERIC_OAUTH_SCOPE]
       --providers.generic-oauth.token-style=[header|query]  How token is presented when querying the User URL (default: header) [$PROVIDERS_GENERIC_OAUTH_TOKEN_STYLE]
+      --providers.generic-oauth.scope=                      Scopes (default: profile, email) [$PROVIDERS_GENERIC_OAUTH_SCOPE]
       --providers.generic-oauth.prompt=                     Optional prompt query [$PROVIDERS_GENERIC_OAUTH_PROMPT]
       --providers.generic-oauth.resource=                   Optional resource indicator [$PROVIDERS_GENERIC_OAUTH_RESOURCE]
 

diff --git a/internal/provider/generic_oauth.go b/internal/provider/generic_oauth.go
@@ -11,13 +11,12 @@ import (
 
 // GenericOAuth provider
 type GenericOAuth struct {
-	AuthURL      string   `long:"auth-url" env:"AUTH_URL" description:"Auth/Login URL"`
-	TokenURL     string   `long:"token-url" env:"TOKEN_URL" description:"Token URL"`
-	UserURL      string   `long:"user-url" env:"USER_URL" description:"URL used to retrieve user info"`
-	ClientID     string   `long:"client-id" env:"CLIENT_ID" description:"Client ID"`
-	ClientSecret string   `long:"client-secret" env:"CLIENT_SECRET" description:"Client Secret" json:"-"`
-	Scopes       []string `long:"scope" env:"SCOPE" env-delim:"," default:"profile" default:"email" description:"Scopes"`
-	TokenStyle   string   `long:"token-style" env:"TOKEN_STYLE" default:"header" choice:"header" choice:"query" description:"How token is presented when querying the User URL"`
+	AuthURL      string `long:"auth-url" env:"AUTH_URL" description:"Auth/Login URL"`
+	TokenURL     string `long:"token-url" env:"TOKEN_URL" description:"Token URL"`
+	UserURL      string `long:"user-url" env:"USER_URL" description:"URL used to retrieve user info"`
+	ClientID     string `long:"client-id" env:"CLIENT_ID" description:"Client ID"`
+	ClientSecret string `long:"client-secret" env:"CLIENT_SECRET" description:"Client Secret" json:"-"`
+	TokenStyle   string `long:"token-style" env:"TOKEN_STYLE" default:"header" choice:"header" choice:"query" description:"How token is presented when querying the User URL"`
 
 	OAuthProvider
 }

diff --git a/internal/provider/oidc.go b/internal/provider/oidc.go
@@ -50,7 +50,7 @@ func (o *OIDC) Setup() error {
 		Endpoint:     o.provider.Endpoint(),
 
 		// "openid" is a required scope for OpenID Connect flows.
-		Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
+		Scopes: append([]string{oidc.ScopeOpenID}, o.Scopes...),
 	}
 
 	// Create OIDC verifier

diff --git a/internal/provider/providers.go b/internal/provider/providers.go
@@ -45,8 +45,9 @@ func GetUser(r io.Reader, UserPath string) (string, error) {
 
 // OAuthProvider is a provider using the oauth2 library
 type OAuthProvider struct {
-	Prompt   string `long:"prompt" env:"PROMPT" description:"Optional prompt query"`
-	Resource string `long:"resource" env:"RESOURCE" description:"Optional resource indicator"`
+	Scopes   []string `long:"scope" env:"SCOPE" env-delim:"," default:"profile" default:"email" description:"Scopes"`
+	Prompt   string   `long:"prompt" env:"PROMPT" description:"Optional prompt query"`
+	Resource string   `long:"resource" env:"RESOURCE" description:"Optional resource indicator"`
 
 	Config *oauth2.Config
 	ctx    context.Context