feat: Support to configure oidc scope in provider config

Signed-off-by: Rolson Quadras <rolson.quadras@securekey.com>
trustbloc · Jan 12, 2022 · dbfc41d · dbfc41d
1 parent ecb6b60
commit dbfc41d
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 11 deletions.
diff --git a/cmd/auth-rest/startcmd/parameters.go b/cmd/auth-rest/startcmd/parameters.go
@@ -52,14 +52,15 @@ type oidcProvidersConfig struct {
 }
 
 type oidcProviderConfig struct {
-	URL             string `yaml:"url"`
-	ClientID        string `yaml:"clientID"`
-	ClientSecret    string `yaml:"clientSecret"`
-	Name            string `yaml:"name"`
-	SignUpLogoURL   string `yaml:"signUpLogoURL"`
-	SignInLogoURL   string `yaml:"signInLogoURL"`
-	Order           int    `yaml:"order"`
-	SkipIssuerCheck bool   `yaml:"skipIssuerCheck"`
+	URL             string   `yaml:"url"`
+	ClientID        string   `yaml:"clientID"`
+	ClientSecret    string   `yaml:"clientSecret"`
+	Name            string   `yaml:"name"`
+	SignUpLogoURL   string   `yaml:"signUpLogoURL"`
+	SignInLogoURL   string   `yaml:"signInLogoURL"`
+	Order           int      `yaml:"order"`
+	SkipIssuerCheck bool     `yaml:"skipIssuerCheck"`
+	Scopes          []string `yaml:"scopes"`
 }
 
 type bootstrapParams struct {

diff --git a/cmd/auth-rest/startcmd/start.go b/cmd/auth-rest/startcmd/start.go
@@ -555,6 +555,7 @@ func getOIDCParams(cmd *cobra.Command) (*oidcParams, error) {
 			SignInLogoURL:   v.SignInLogoURL,
 			Order:           v.Order,
 			SkipIssuerCheck: v.SkipIssuerCheck,
+			Scopes:          v.Scopes,
 		}
 	}
 

diff --git a/pkg/restapi/operation/operations.go b/pkg/restapi/operation/operations.go
@@ -117,6 +117,7 @@ type OIDCProviderConfig struct {
 	SignInLogoURL   string
 	Order           int
 	SkipIssuerCheck bool
+	Scopes          []string
 }
 
 // CookieConfig holds cookie configuration.
@@ -327,11 +328,23 @@ func (o *Operation) oidcLoginHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	provConfig, ok := o.oidcProvidersConfig[providerID]
+	if !ok {
+		o.writeErrorResponse(w, http.StatusInternalServerError, "provider not supported: %s", providerID)
+
+		return
+	}
+
+	scopes := []string{oidc.ScopeOpenID}
+	if len(provConfig.Scopes) != 0 {
+		scopes = append(scopes, provConfig.Scopes...)
+	} else {
+		scopes = append(scopes, "profile", "email")
+	}
+
 	authOption := oauth2.SetAuthURLParam(providerQueryParam, providerID)
 	redirectURL := provider.OAuth2Config(
-		oidc.ScopeOpenID,
-		"profile",
-		"email",
+		scopes...,
 	).AuthCodeURL(state, oauth2.AccessTypeOnline, authOption)
 
 	http.Redirect(w, r, redirectURL, http.StatusFound)

diff --git a/pkg/restapi/operation/operations_test.go b/pkg/restapi/operation/operations_test.go
@@ -104,12 +104,27 @@ func TestOIDCLoginHandler(t *testing.T) {
 		svc.cachedOIDCProviders = map[string]oidcProvider{
 			provider: &mockOIDCProvider{},
 		}
+		svc.oidcProvidersConfig = map[string]OIDCProviderConfig{provider: {}}
 		w := httptest.NewRecorder()
 		svc.oidcLoginHandler(w, newOIDCLoginRequest(provider))
 		require.Equal(t, http.StatusFound, w.Code)
 		require.NotEmpty(t, w.Header().Get("location"))
 	})
 
+	t.Run("provider not supported", func(t *testing.T) {
+		provider := uuid.New().String()
+		config := config(t)
+		svc, err := New(config)
+		require.NoError(t, err)
+		svc.cookies = mockCookies()
+		svc.cachedOIDCProviders = map[string]oidcProvider{
+			provider: &mockOIDCProvider{},
+		}
+		w := httptest.NewRecorder()
+		svc.oidcLoginHandler(w, newOIDCLoginRequest(provider))
+		require.Equal(t, http.StatusInternalServerError, w.Code)
+	})
+
 	t.Run("internal server error if cannot open cookie store", func(t *testing.T) {
 		svc, err := New(config(t))
 		require.NoError(t, err)