fix(openid-client): pass provided scope in auth request (#539)

* fix(openid-client): pass provided scope in auth request * test: should generate auth request with all configured scope
GluuFederation · May 31, 2023 · 68342bd · 68342bd
1 parent 9c9e274
commit 68342bd
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 0 deletions.
diff --git a/config/test.js b/config/test.js
@@ -228,6 +228,25 @@ const passportConfigAuthorizedResponse = {
       usePKCE: 'true',
       params: '{"preselectedExternalProvider": "tEmp", "acr_values": "duo"}'
     }
+  }, {
+    id: 'oidccedev6_scope_test',
+    displayName: 'openid-client-ce-dev6-pkce-flow',
+    type: 'openid-client',
+    mapping: 'openid-client',
+    passportStrategyId: 'openid-client',
+    enabled: true,
+    callbackUrl: 'https://gluu.test.ce6.local.org/passport/auth/oidccedev6_pkce/callback',
+    requestForEmail: false,
+    emailLinkingSafe: false,
+    options: {
+      client_id: 'b4e0f241-a8c1-4c75-8fc8-4ae7163e9795',
+      client_secret: 'nmGIw7bAIKjrACXODzjPJyfYDaECAWSzzE1Temqz',
+      scope: '["openid", "email", "profile", "custom_scope"]',
+      issuer: 'https://gluu.test.ce6.local.org',
+      token_endpoint_auth_method: 'client_secret_post',
+      usePKCE: 'true',
+      params: '{"preselectedExternalProvider": "tEmp", "acr_values": "duo"}'
+    }
   }]
 }
 

diff --git a/server/routes.js b/server/routes.js
@@ -99,6 +99,10 @@ function validateProvider (req, res, next) {
 
   if (providerConfData) {
     // Attach some info for later use
+    if (providerConfData.type === 'openid-client') {
+      const scope = providerConfData.options.scope
+      providerConfData.passportAuthnParams.scope = scope && scope.length > 1 && scope.join(' ')
+    }
     req.passportAuthenticateParams = providerConfData.passportAuthnParams
     next()
   } else {

diff --git a/test/providers.spec.js b/test/providers.spec.js
@@ -58,5 +58,20 @@ describe('provider.js', () => {
       assert.match(response.headers.location, /preselectedExternalProvider=tEmp/)
       assert.match(response.headers.location, /acr_values=duo/)
     })
+
+    it('should generate auth request with all configured scope in openid-client', async () => {
+      const tokenResponse = await got(
+        'http://127.0.0.1:8090/passport/token',
+        { responseType: 'json' }
+      )
+      const token = tokenResponse.body.token_
+      const oidcProviderId = 'oidccedev6_scope_test'
+      const response = await got(
+          `http://127.0.0.1:8090/passport/auth/${oidcProviderId}/${token}`,
+          { throwHttpErrors: false, followRedirect: false }
+      )
+      assertResponse(response)
+      assert.match(response.headers.location, /scope=openid%20email%20profile%20custom_scope/)
+    })
   })
 })