DEP: Dynamic Scopes support #2960 #2961
72 changes: 72 additions & 0 deletions docs/enhancements/dynamic-scopes-2023-05-19-#2960.md
@@ -0,0 +1,72 @@
# Dex Enhancement Proposal (DEP) 2960 - 2023-05-19 - Dynamic Scopes

## Table of Contents

- [Summary](#summary)
- [Motivation](#motivation)
- [Goals/Pain](#goals)
- [Non-Goals](#non-goals)
- [Proposal](#proposal)
- [User Experience](#user-experience)
- [Implementation Details/Notes/Constraints](#implementation-detailsnotesconstraints)
- [Risks and Mitigations](#risks-and-mitigations)
- [Alternatives](#alternatives)
- [Future Improvements](#future-improvements)

## Summary

Support Dynamic Scopes in Dex

## Context

Dex has an exhaustive list of scopes it supports. These scopes
are all defined in the OIDC spec. Many IDPs support additional scopes.
In some cases this include dynamic scopes to provide more fine grained
control on the claims. It would be great if Dex can support
these additional scopes using an opt-in configuration mechanism.

An example of another IDP providing implementing dynamic scopes is [available here](https://cloudentity.com/developers/howtos/access-control/creating-and-configuring-dynamic-scopes/#dynamic-scope-purpose)

This enhancement would provide the same capability but naturally delegate the handling
to the connectors. Combined with [DEP-2876](https://github.com/dexidp/dex/pull/2954) this
would provide a full end-to-end approach to support "Middleware" type capabilities with the
ability to drive this fully from the integrating clients.

## Motivation

Use Dex in an environment where dynamic and fine grained scope driven claims are useful.

### Goals/Pain

- Update Dex core OAuth2 config section to accept `allowedScopePrefixes`
- During runtime ensure scopes match the configured prefixes
- Ensure full backwards compatiblity in case this feature is not used

### Non-goals

## Proposal

### User Experience

- Optional configuration changes to enable dynamic scopes (prefix)
- Connectors should be updated to take advantage of these additional scopes

### Implementation Details/Notes/Constraints


- Modify the Dex OAuth2 global config to accept a list of `allowedScopePrefixes`
- Propagate this list to the handler code
- Validate passed scopes against this prefix list
- Modify select connectors to take advantage of these new scopes

### Risks and Mitigations

- Operators should ensure additional scopes to not allow unwanted claims

### Alternatives

- Similar functionality exist in non-Dex providers but changing to these is prohibitive if already invested in Dex

## Future Improvements

- Combine this functionality with core "Middleware" solution
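Review bot: the "Validate passed scopes against this prefix list" bullet under Implementation Details is the security-relevant step and needs more precision before this DEP is merged: a prefix match accepts any scope string that begins with a configured prefix, so the document should state whether matching is against the full prefix including a separator (so a prefix such as `foo:` cannot be satisfied by an unrelated `foobar` scope), what Dex does with a prefix-matched scope that no connector consumes (reject the request or silently pass it through), and whether such scopes are surfaced to clients. The Risks and Mitigations bullet ("Operators should ensure additional scopes to not allow unwanted claims") currently places all of that burden on operators without saying what Dex itself enforces; it should read "do not allow" and should name the concrete mitigation (for example, connectors only honour scopes they explicitly recognize). Structural issues in the same hunk: the `### Non-goals` section is empty and should either list the non-goals or be dropped together with its Table of Contents entry; the Table of Contents omits the `## Context` section and its `[Goals/Pain](#goals)` anchor does not match the `### Goals/Pain` heading, while `Non-Goals` and `Non-goals` differ in case. Please also check that the `[DEP-2876]` link, which points at pull request 2954, references the intended proposal. Minor wording fixes: "this include dynamic scopes" should be "this includes dynamic scopes", "providing implementing dynamic scopes" should be "implementing dynamic scopes", "compatiblity" should be "compatibility", and "Similar functionality exist" should be "Similar functionality exists".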