Allow "scope" to be set in the token #32
Conversation
main.go
Outdated
| @@ -82,6 +83,7 @@ func parseFlags() (*config, error) { | |||
| flag.StringVar(&cfg.oidc.audience, "oidc.audience", "", "The audience for whom the access token is intended, see https://openid.net/specs/openid-connect-core-1_0.html#IDToken.") | |||
| flag.StringVar(&cfg.oidc.username, "oidc.username", "", "The username to use for OIDC authentication. If both username and password are set then grant_type is set to password.") | |||
| flag.StringVar(&cfg.oidc.password, "oidc.password", "", "The password to use for OIDC authentication. If both username and password are set then grant_type is set to password.") | |||
| flag.StringVar(&cfg.scope, "scope", "", "The scope to be included in the payload data of the token.") | |||
There was a problem hiding this comment.
Probably a good idea to use flag.StringSliceVar here, as there might be multiple scopes to include?
There was a problem hiding this comment.
Multiple scopes are supported by a single "scope" key, and the value being a string with each scope separated by spaces. If you simply change to StringSliceVar and the corresponding data types to []string, it tries to send multiple scope parameters, you get the following error:
level=error name=token-refresher ts=2023-09-18T15:08:05.355519306Z caller=main.go:244 msg="failed to get token" err="oauth2: cannot fetch token: 400 Bad Request\nResponse: {\"error\":\"invalid_request\",\"error_description\":\"duplicated parameter\"}"
My latest change now supports multiple scopes in the following ways:
--scope="openid offline_access"
--scope="openid,offline_access"
--scope="openid" --scope="offline_access"
main.go
Outdated
| @@ -82,6 +83,7 @@ func parseFlags() (*config, error) { | |||
| flag.StringVar(&cfg.oidc.audience, "oidc.audience", "", "The audience for whom the access token is intended, see https://openid.net/specs/openid-connect-core-1_0.html#IDToken.") | |||
| flag.StringVar(&cfg.oidc.username, "oidc.username", "", "The username to use for OIDC authentication. If both username and password are set then grant_type is set to password.") | |||
| flag.StringVar(&cfg.oidc.password, "oidc.password", "", "The password to use for OIDC authentication. If both username and password are set then grant_type is set to password.") | |||
| flag.StringSliceVar(&cfg.scope, "scope", []string{""}, "The scope to be included in the payload data of the token. Scopes can either be comma-separated or space-separated.") | |||
There was a problem hiding this comment.
| flag.StringSliceVar(&cfg.scope, "scope", []string{""}, "The scope to be included in the payload data of the token. Scopes can either be comma-separated or space-separated.") | |
| flag.StringSliceVar(&cfg.scope, "scope", []string{""}, "The scope to be included in the payload data of the token. Scopes can either be comma-separated or space-separated.") |
There was a problem hiding this comment.
@lindseyburnett I don't think that the values to the flag can be space-separated. The shell will interpret the second or third scopes as separate arguments to the program and Go will parse them as additional arguments that are not associated to the flag. Perhaps they can be space-separated if the scopes are wrapped in quotes to indicate that it's one single value. pflag definitely allows for comma-separation and specifying the flag multiple times, e.g. --scope X --scope Y --scope Z
There was a problem hiding this comment.
You're absolutely right. Space-separated will need to be wrapped in quotes. All three of these variations worked for me:
--scope="openid offline_access"
--scope=openid,offline_access
--scope=openid --scope=offline_access
Personally, my first choice would be to use the first variation because it's so similar to how I would manually get a token via the command line.
TOKEN=$(curl --request POST \
--url https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token \
--header 'content-type: application/x-www-form-urlencoded' \
--data scope='openid offline_access' \
--data grant_type=client_credentials \
--data client_id=REDACTED \
--data client_secret=REDACTED | jq .access_token | tr -d '"')There was a problem hiding this comment.
Yup, as per StringSliceVar goDoc comment all of these are valid. :)
Ignore jetbrains IDE generated subdir
Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
lindseyburnett
force-pushed
the
lburnett/include_scope
branch
from
5718e44
to
18ce5c5
Compare
We've come across an observatorium instance that needs to have a token including
scopein the payload, or else it fails to authenticate.Verified change by including
--scope="openid offline_access --file="token.out"and verifying the "token.out" file contains a jwt. When decoded, the payload data includes: