Dynamic Scopes support #2960
Signed-off-by: Andy Lo-A-Foe <[email protected]>
loafoe committed Aug 15, 2023
1 parent a9d1fd3 commit 3505983
Showing 5 changed files with 32 additions and 3 deletions.
2 changes: 2 additions & 0 deletions cmd/dex/config.go
Expand Up @@ -141,6 +141,8 @@ type OAuth2 struct {
AlwaysShowLoginScreen bool `json:"alwaysShowLoginScreen"`
// This is the connector that can be used for password grant
PasswordConnector string `json:"passwordConnector"`
// List of additional scope prefixes to allow
AllowedScopePrefixes []string `json:"allowedScopePrefixes"`
}

// Web is the config format for the HTTP server.
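Review bot: The comment on the new AllowedScopePrefixes field does not say what "allow" means for a prefix, which is the security-relevant part of this option. I would expand it to `// AllowedScopePrefixes lists additional scope prefixes to accept: a requested scope the server does not otherwise recognize is no longer rejected as unrecognized when it starts with one of these prefixes (literal, case-sensitive match).` The OAuth2 struct begins above this hunk.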
4 changes: 4 additions & 0 deletions cmd/dex/serve.go
Expand Up @@ -252,6 +252,9 @@ func runServe(options serveOptions) error {
if len(c.Web.AllowedOrigins) > 0 {
logger.Infof("config allowed origins: %s", c.Web.AllowedOrigins)
}
if len(c.OAuth2.AllowedScopePrefixes) > 0 {
logger.Infof("config allowed scope prefixes: %s", strings.Join(c.OAuth2.AllowedScopePrefixes, ","))
}

// explicitly convert to UTC.
now := func() time.Time { return time.Now().UTC() }
Expand All @@ -265,6 +268,7 @@ func runServe(options serveOptions) error {
AlwaysShowLoginScreen: c.OAuth2.AlwaysShowLoginScreen,
PasswordConnector: c.OAuth2.PasswordConnector,
AllowedOrigins: c.Web.AllowedOrigins,
AllowedScopePrefixes: c.OAuth2.AllowedScopePrefixes,
Issuer: c.Issuer,
Storage: s,
Web: c.Frontend,
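Review bot: The prefixes are logged and handed to the server without any validation, so an empty string in allowedScopePrefixes is accepted; because the matching code uses strings.HasPrefix, an empty prefix matches every requested scope and turns off unrecognized-scope rejection entirely. I would reject that case in runServe before the server config is built, next to the existing AllowedOrigins logging, so the misconfiguration fails at startup instead of silently widening what clients may request. runServe starts and ends outside this hunk, and whether fmt is already imported in serve.go is not visible here.
```go
if len(c.OAuth2.AllowedScopePrefixes) > 0 {
	for _, p := range c.OAuth2.AllowedScopePrefixes {
		if p == "" {
			return fmt.Errorf("config: allowedScopePrefixes must not contain an empty prefix")
		}
	}
	logger.Infof("config allowed scope prefixes: %s", strings.Join(c.OAuth2.AllowedScopePrefixes, ","))
}
```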
11 changes: 10 additions & 1 deletion server/handlers.go
Expand Up @@ -1122,7 +1122,16 @@ func (s *Server) handlePasswordGrant(w http.ResponseWriter, r *http.Request, cli
default:
peerID, ok := parseCrossClientScope(scope)
if !ok {
unrecognized = append(unrecognized, scope)
var recognized bool
for _, prefix := range s.allowedScopePrefixes {
if strings.HasPrefix(scope, prefix) {
recognized = true
break
}
}
if !recognized {
unrecognized = append(unrecognized, scope)
}
continue
}

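Review bot: The prefix-matching loop added inside the `if !ok` branch is duplicated verbatim in parseAuthorizationRequest in server/oauth2.go, and both copies treat an empty configured prefix as matching every scope, since strings.HasPrefix(scope, "") is always true. I would move the loop into one Server method that skips empty prefixes and call it from both places, so the two token-issuing paths cannot drift apart. Whether a prefix-matched scope is then carried into the issued token depends on code outside this hunk and is worth confirming; handlePasswordGrant starts and ends outside the hunk.
```go
// allowedByPrefix reports whether scope starts with one of the configured
// allowedScopePrefixes. Empty prefixes are ignored so that a misconfigured
// "" entry cannot make every scope match.
func (s *Server) allowedByPrefix(scope string) bool {
	for _, prefix := range s.allowedScopePrefixes {
		if prefix != "" && strings.HasPrefix(scope, prefix) {
			return true
		}
	}
	return false
}

// … in handlePasswordGrant (and likewise in parseAuthorizationRequest), replacing the inline loop:
if !ok {
	if !s.allowedByPrefix(scope) {
		unrecognized = append(unrecognized, scope)
	}
	continue
}
```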
12 changes: 11 additions & 1 deletion server/oauth2.go
Expand Up @@ -93,6 +93,7 @@ func tokenErr(w http.ResponseWriter, typ, description string, statusCode int) er
return nil
}

// nolint
const (
errInvalidRequest = "invalid_request"
errUnauthorizedClient = "unauthorized_client"
Expand Down Expand Up @@ -504,7 +505,16 @@ func (s *Server) parseAuthorizationRequest(r *http.Request) (*storage.AuthReques
default:
peerID, ok := parseCrossClientScope(scope)
if !ok {
unrecognized = append(unrecognized, scope)
var recognized bool
for _, prefix := range s.allowedScopePrefixes {
if strings.HasPrefix(scope, prefix) {
recognized = true
break
}
}
if !recognized {
unrecognized = append(unrecognized, scope)
}
continue
}

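Review bot: The bare `// nolint` added above the const block silences every linter for the whole block without naming which one or why, and depending on the golangci-lint version in use the form with a space after `//` may not be recognized as a directive at all. I would replace it with the targeted form `//nolint:LINTER_NAME // reason` (LINTER_NAME standing in for the linter it is meant to quiet), so the suppression is scoped and self-explaining. The const block continues past the first hunk; the prefix loop in parseAuthorizationRequest in the second hunk is covered by the note on server/handlers.go.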
6 changes: 5 additions & 1 deletion server/server.go
Expand Up @@ -106,7 +106,8 @@ type Config struct {

PrometheusRegistry *prometheus.Registry

HealthChecker gosundheit.Health
HealthChecker gosundheit.Health
AllowedScopePrefixes []string
}

// WebConfig holds the server's frontend templates and asset configuration.
Expand Down Expand Up @@ -175,6 +176,8 @@ type Server struct {

supportedGrantTypes []string

allowedScopePrefixes []string

now func() time.Time

idTokensValidFor time.Duration
Expand Down Expand Up @@ -287,6 +290,7 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
storage: newKeyCacher(c.Storage, now),
supportedResponseTypes: supportedRes,
supportedGrantTypes: supportedGrants,
allowedScopePrefixes: c.AllowedScopePrefixes,
idTokensValidFor: value(c.IDTokensValidFor, 24*time.Hour),
authRequestsValidFor: value(c.AuthRequestsValidFor, 24*time.Hour),
deviceRequestsValidFor: value(c.DeviceRequestsValidFor, 5*time.Minute),
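Review bot: The exported Config.AllowedScopePrefixes field has no doc comment, and it is the public surface through which an operator widens which scopes the server accepts, so its effect should be stated on the field. I would add `// AllowedScopePrefixes lists scope prefixes that are accepted in addition to the scopes the server recognizes; a requested scope starting with any of them is not rejected as unrecognized.` and a matching one-line comment on the unexported Server.allowedScopePrefixes field. newServer stores the caller's slice as-is; if isolation from later mutation by the caller matters, clone it, though how the rest of the config is handled is not visible in these hunks. The Config and Server structs and newServer all extend beyond the hunks shown.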