feat: make oidc scopes configurable (#49)

* feat: make oidc scopes configurable Why: enable service accounts without offline_access scope * Make docs * Force openid scope * Change scope flag to a toggle for offline_access
observatorium · Jun 16, 2023 · 751b92b · 751b92b
1 parent 8ffcdb0
commit 751b92b
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -119,6 +119,7 @@ Flags:
       --oidc.client-id string       The OIDC client ID, see https://tools.ietf.org/html/rfc6749#section-2.3.
       --oidc.client-secret string   The OIDC client secret, see https://tools.ietf.org/html/rfc6749#section-2.3.
       --oidc.issuer-url string      The OIDC issuer URL, see https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery.
+      --oidc.offline-access         If set to false, oidc scope offline_access will not be requested, see https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest (default true)
       --tenant string               The name of the tenant.
 
 Global Flags:

diff --git a/pkg/cmd/login.go b/pkg/cmd/login.go
@@ -51,6 +51,7 @@ func NewLoginCmd(ctx context.Context) *cobra.Command {
 	cmd.Flags().StringVar(&tenantCfg.OIDC.ClientSecret, "oidc.client-secret", "", "The OIDC client secret, see https://tools.ietf.org/html/rfc6749#section-2.3.")
 	cmd.Flags().StringVar(&tenantCfg.OIDC.ClientID, "oidc.client-id", "", "The OIDC client ID, see https://tools.ietf.org/html/rfc6749#section-2.3.")
 	cmd.Flags().StringVar(&tenantCfg.OIDC.Audience, "oidc.audience", "", "The audience for whom the access token is intended, see https://openid.net/specs/openid-connect-core-1_0.html#IDToken.")
+	cmd.Flags().BoolVar(&tenantCfg.OIDC.OfflineAccess, "oidc.offline-access", true, "If set to false, oidc scope offline_access will not be requested, see https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest")
 
 	cmd.Flags().BoolVar(&disableOIDCCheck, "disable.oidc-check", false, "If set to true, OIDC flags will not be checked while saving tenant details locally.")
 

diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -78,10 +78,11 @@ type TenantConfig struct {
 type OIDCConfig struct {
 	Token *oauth2.Token `json:"token"`
 
-	Audience     string `json:"audience"`
-	ClientID     string `json:"clientID"`
-	ClientSecret string `json:"clientSecret"`
-	IssuerURL    string `json:"issuerURL"`
+	Audience      string `json:"audience"`
+	ClientID      string `json:"clientID"`
+	ClientSecret  string `json:"clientSecret"`
+	IssuerURL     string `json:"issuerURL"`
+	OfflineAccess bool   `json:"offlineAccess"`
 }
 
 // Client returns a OAuth2 HTTP client based on the configuration for a tenant.
@@ -92,11 +93,17 @@ func (t *TenantConfig) Client(ctx context.Context, logger log.Logger) (*http.Cli
 			return nil, fmt.Errorf("constructing oidc provider: %w", err)
 		}
 
+		scopes := []string{"openid"}
+
+		if t.OIDC.OfflineAccess {
+			scopes = append(scopes, "offline_access")
+		}
+
 		ccc := clientcredentials.Config{
 			ClientID:     t.OIDC.ClientID,
 			ClientSecret: t.OIDC.ClientSecret,
 			TokenURL:     provider.Endpoint().TokenURL,
-			Scopes:       []string{"openid", "offline_access"},
+			Scopes:       scopes,
 		}
 
 		if t.OIDC.Audience != "" {
@@ -138,11 +145,17 @@ func (t *TenantConfig) Transport(ctx context.Context, logger log.Logger) (http.R
 			return nil, fmt.Errorf("constructing oidc provider: %w", err)
 		}
 
+		scopes := []string{"openid"}
+
+		if t.OIDC.OfflineAccess {
+			scopes = append(scopes, "offline_access")
+		}
+
 		ccc := clientcredentials.Config{
 			ClientID:     t.OIDC.ClientID,
 			ClientSecret: t.OIDC.ClientSecret,
 			TokenURL:     provider.Endpoint().TokenURL,
-			Scopes:       []string{"openid", "offline_access"},
+			Scopes:       scopes,
 		}
 
 		if t.OIDC.Audience != "" {