Dynamic Scopes support dexidp#2960

Signed-off-by: Andy Lo-A-Foe <[email protected]>
philips-forks · Jan 27, 2024 · b4bdf7b · b4bdf7b
1 parent 62c2c2f
commit b4bdf7b
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 3 deletions.
diff --git a/cmd/dex/config.go b/cmd/dex/config.go
@@ -147,6 +147,8 @@ type OAuth2 struct {
 	AlwaysShowLoginScreen bool `json:"alwaysShowLoginScreen"`
 	// This is the connector that can be used for password grant
 	PasswordConnector string `json:"passwordConnector"`
+	// List of additional scope prefixes to allow
+	AllowedScopePrefixes []string `json:"allowedScopePrefixes"`
 }
 
 // Web is the config format for the HTTP server.

diff --git a/cmd/dex/serve.go b/cmd/dex/serve.go
@@ -266,6 +266,9 @@ func runServe(options serveOptions) error {
 	if len(c.Web.AllowedOrigins) > 0 {
 		logger.Infof("config allowed origins: %s", c.Web.AllowedOrigins)
 	}
+	if len(c.OAuth2.AllowedScopePrefixes) > 0 {
+		logger.Infof("config allowed scope prefixes: %s", strings.Join(c.OAuth2.AllowedScopePrefixes, ","))
+	}
 
 	// explicitly convert to UTC.
 	now := func() time.Time { return time.Now().UTC() }
@@ -280,6 +283,7 @@ func runServe(options serveOptions) error {
 		PasswordConnector:      c.OAuth2.PasswordConnector,
 		AllowedOrigins:         c.Web.AllowedOrigins,
 		AllowedHeaders:         c.Web.AllowedHeaders,
+		AllowedScopePrefixes:   c.OAuth2.AllowedScopePrefixes,
 		Issuer:                 c.Issuer,
 		Storage:                s,
 		Web:                    c.Frontend,

diff --git a/server/handlers.go b/server/handlers.go
@@ -1141,7 +1141,16 @@ func (s *Server) handlePasswordGrant(w http.ResponseWriter, r *http.Request, cli
 		default:
 			peerID, ok := parseCrossClientScope(scope)
 			if !ok {
-				unrecognized = append(unrecognized, scope)
+				var recognized bool
+				for _, prefix := range s.allowedScopePrefixes {
+					if strings.HasPrefix(scope, prefix) {
+						recognized = true
+						break
+					}
+				}
+				if !recognized {
+					unrecognized = append(unrecognized, scope)
+				}
 				continue
 			}
 

diff --git a/server/oauth2.go b/server/oauth2.go
@@ -93,6 +93,7 @@ func tokenErr(w http.ResponseWriter, typ, description string, statusCode int) er
 	return nil
 }
 
+//nolint
 const (
 	errInvalidRequest          = "invalid_request"
 	errUnauthorizedClient      = "unauthorized_client"
@@ -521,7 +522,16 @@ func (s *Server) parseAuthorizationRequest(r *http.Request) (*storage.AuthReques
 		default:
 			peerID, ok := parseCrossClientScope(scope)
 			if !ok {
-				unrecognized = append(unrecognized, scope)
+				var recognized bool
+				for _, prefix := range s.allowedScopePrefixes {
+					if strings.HasPrefix(scope, prefix) {
+						recognized = true
+						break
+					}
+				}
+				if !recognized {
+					unrecognized = append(unrecognized, scope)
+				}
 				continue
 			}
 

diff --git a/server/server.go b/server/server.go
@@ -109,7 +109,8 @@ type Config struct {
 
 	PrometheusRegistry *prometheus.Registry
 
-	HealthChecker gosundheit.Health
+	HealthChecker        gosundheit.Health
+	AllowedScopePrefixes []string
 }
 
 // WebConfig holds the server's frontend templates and asset configuration.
@@ -178,6 +179,8 @@ type Server struct {
 
 	supportedGrantTypes []string
 
+	allowedScopePrefixes []string
+
 	now func() time.Time
 
 	idTokensValidFor       time.Duration
@@ -293,6 +296,7 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
 		storage:                newKeyCacher(c.Storage, now),
 		supportedResponseTypes: supportedRes,
 		supportedGrantTypes:    supportedGrants,
+		allowedScopePrefixes:   c.AllowedScopePrefixes,
 		idTokensValidFor:       value(c.IDTokensValidFor, 24*time.Hour),
 		authRequestsValidFor:   value(c.AuthRequestsValidFor, 24*time.Hour),
 		deviceRequestsValidFor: value(c.DeviceRequestsValidFor, 5*time.Minute),