feat: make oidc scopes configurable
Why: enable service accounts without offline_access scope
RaphaelBut committed Jun 2, 2023
1 parent 8ffcdb0 commit 3bf3be7
Showing 2 changed files with 8 additions and 6 deletions.
1 change: 1 addition & 0 deletions pkg/cmd/login.go
Expand Up @@ -51,6 +51,7 @@ func NewLoginCmd(ctx context.Context) *cobra.Command {
cmd.Flags().StringVar(&tenantCfg.OIDC.ClientSecret, "oidc.client-secret", "", "The OIDC client secret, see https://tools.ietf.org/html/rfc6749#section-2.3.")
cmd.Flags().StringVar(&tenantCfg.OIDC.ClientID, "oidc.client-id", "", "The OIDC client ID, see https://tools.ietf.org/html/rfc6749#section-2.3.")
cmd.Flags().StringVar(&tenantCfg.OIDC.Audience, "oidc.audience", "", "The audience for whom the access token is intended, see https://openid.net/specs/openid-connect-core-1_0.html#IDToken.")
cmd.Flags().StringSliceVar(&tenantCfg.OIDC.Scopes, "oidc.scopes", []string{"openid", "offline_access"}, "Optional scopes, must contain 'openid', see https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest")

cmd.Flags().BoolVar(&disableOIDCCheck, "disable.oidc-check", false, "If set to true, OIDC flags will not be checked while saving tenant details locally.")

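Review bot: The help text of the new `--oidc.scopes` flag says the list "must contain 'openid'", but nothing in this hunk enforces that, and the neighbouring `--disable.oidc-check` flag suggests the validation lives in code outside the hunk; that check should reject a scope list without `openid` instead of leaving the help string as the only guard, e.g. `if !containsScope(tenantCfg.OIDC.Scopes, "openid") { return errors.New("oidc.scopes must contain \"openid\"") }` (a `--oidc.scopes=""` invocation yields an empty list and should fail the same way). The help text should also spell out the trade-off the commit message motivates: per OIDC Core, `offline_access` is what requests a refresh token, so dropping it means the saved token cannot be renewed once it expires — presumably acceptable for a service account, surprising for an interactive login; something like `"Optional scopes, must contain 'openid'; omit 'offline_access' only for clients that do not need a refresh token, see ..."`. NewLoginCmd begins before this hunk and continues past it.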
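--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -78,10 +78,11 @@ type TenantConfig struct {
 type OIDCConfig struct {
 Token *oauth2.Token `json:"token"`
 
-Audience string `json:"audience"`
-ClientID string `json:"clientID"`
-ClientSecret string `json:"clientSecret"`
-IssuerURL string `json:"issuerURL"`
+Audience string `json:"audience"`
+ClientID string `json:"clientID"`
+ClientSecret string `json:"clientSecret"`
+IssuerURL string `json:"issuerURL"`
+Scopes []string `json:"scopes"`
 }
 
 // Client returns a OAuth2 HTTP client based on the configuration for a tenant.
@@ -96,7 +97,7 @@ func (t *TenantConfig) Client(ctx context.Context, logger log.Logger) (*http.Cli
 ClientID: t.OIDC.ClientID,
 ClientSecret: t.OIDC.ClientSecret,
 TokenURL: provider.Endpoint().TokenURL,
-Scopes: []string{"openid", "offline_access"},
+Scopes: t.OIDC.Scopes,
 }
 
 if t.OIDC.Audience != "" {
@@ -142,7 +143,7 @@ func (t *TenantConfig) Transport(ctx context.Context, logger log.Logger) (http.R
 ClientID: t.OIDC.ClientID,
 ClientSecret: t.OIDC.ClientSecret,
 TokenURL: provider.Endpoint().TokenURL,
-Scopes: []string{"openid", "offline_access"},
+Scopes: t.OIDC.Scopes,
 }
 
 if t.OIDC.Audience != "" {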
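Review bot: Tenant config files written before this commit have no `"scopes"` key, so after the change `t.OIDC.Scopes` decodes as nil and the `Scopes: t.OIDC.Scopes` lines in Client and Transport send a token request with no scope at all, where the old code always sent `openid offline_access`; the flag default in login.go only helps tenants that are logged in again. The field also has no doc comment explaining that `openid` is required and what dropping `offline_access` costs. I would keep the previous behaviour for empty or missing lists through one helper used by both call sites, so the fallback lives in a single place (`// Scopes are the OAuth2 scopes requested for this tenant; must contain "openid". Empty means the default "openid offline_access".` on the field). Client and Transport both start before their hunks and continue past them.
```go
// scopesOrDefault returns the configured scopes, falling back to the
// pre-existing default so tenant files saved without a "scopes" key
// keep requesting the same scopes they did before.
func (c *OIDCConfig) scopesOrDefault() []string {
	if len(c.Scopes) == 0 {
		return []string{"openid", "offline_access"}
	}
	return c.Scopes
}

// … unchanged: provider discovery in Client / Transport …
		Scopes: t.OIDC.scopesOrDefault(),
```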
