feat: allow adding additional scopes based on OIDC client config

trustification · Aug 25, 2023 · 3e60f0f · 3e60f0f
1 parent b265897
commit 3e60f0f
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 2 deletions.
diff --git a/auth/schema/auth.json b/auth/schema/auth.json
@@ -23,12 +23,20 @@
   },
   "definitions": {
     "AuthenticatorClientConfig": {
+      "description": "Configuration for OIDC client used to authenticate on the server side",
       "type": "object",
       "required": [
         "clientId",
         "issuerUrl"
       ],
       "properties": {
+        "additionalScopes": {
+          "description": "Additional scopes which get added for client\n\nThis can be useful if a client is considered to only provide identities which are supposed to have certain scopes, but don't provide them.",
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
         "clientId": {
           "description": "The ID of the client",
           "type": "string"
@@ -38,14 +46,15 @@
           "type": "string"
         },
         "requiredAudience": {
-          "description": "Enforce an audience claim (`aud`) for tokens.\n\nIf present, the token must have one `aud` claim that matches.",
+          "description": "Enforce an audience claim (`aud`) for tokens.\n\nIf present, the token must have one matching `aud` claim.",
           "default": null,
           "type": [
             "string",
             "null"
           ]
         },
         "scopeMappings": {
+          "description": "Mapping table for scopes returned by the issuer to scopes which are expected by us.",
           "type": "object",
           "additionalProperties": {
             "type": "array",

diff --git a/auth/src/authenticator/config.rs b/auth/src/authenticator/config.rs
@@ -36,6 +36,7 @@ impl AuthenticatorConfig {
                     client_id: client_id.to_string(),
                     issuer_url: devmode::issuer_url(),
                     scope_mappings: default_scope_mappings(),
+                    additional_scopes: Default::default(),
                     required_audience: None,
                     tls_insecure: false,
                     tls_ca_certificates: Default::default(),
@@ -93,6 +94,7 @@ pub struct SingleAuthenticatorClientConfig {
     pub tls_ca_certificates: Vec<PathBuf>,
 }
 
+/// Configuration for OIDC client used to authenticate on the server side
 #[derive(Clone, Debug, Serialize, Deserialize, Eq, PartialEq, schemars::JsonSchema)]
 #[serde(rename_all = "camelCase")]
 pub struct AuthenticatorClientConfig {
@@ -105,6 +107,13 @@ pub struct AuthenticatorClientConfig {
     #[serde(default, skip_serializing_if = "HashMap::is_empty")]
     pub scope_mappings: HashMap<String, Vec<String>>,
 
+    /// Additional scopes which get added for client
+    ///
+    /// This can be useful if a client is considered to only provide identities which are supposed
+    /// to have certain scopes, but don't provide them.
+    #[serde(default, skip_serializing_if = "Vec::is_empty")]
+    pub additional_scopes: Vec<String>,
+
     /// Enforce an audience claim (`aud`) for tokens.
     ///
     /// If present, the token must have one matching `aud` claim.
@@ -130,6 +139,7 @@ impl SingleAuthenticatorClientConfig {
                 tls_insecure: self.tls_insecure,
                 required_audience: self.required_audience.clone(),
                 scope_mappings: default_scope_mappings(),
+                additional_scopes: Default::default(),
             })
     }
 }
diff --git a/auth/src/authenticator/mod.rs b/auth/src/authenticator/mod.rs
@@ -149,6 +149,7 @@ async fn create_client(config: AuthenticatorClientConfig) -> anyhow::Result<Auth
         client,
         audience: config.required_audience,
         scope_mappings: config.scope_mappings,
+        additional_scopes: config.additional_scopes,
     })
 }
 
@@ -157,12 +158,14 @@ pub struct AuthenticatorClient {
     client: Client<Discovered>,
     audience: Option<String>,
     scope_mappings: HashMap<String, Vec<String>>,
+    additional_scopes: Vec<String>,
 }
 
 impl AuthenticatorClient {
     /// Convert from a set of (verified!) access token claims into a [`ValidatedAccessToken`] struct.
     pub fn convert_token(&self, access_token: AccessTokenClaims) -> ValidatedAccessToken {
-        let mapped_scopes = Self::map_scopes(&access_token.scope, &self.scope_mappings);
+        let mut mapped_scopes = Self::map_scopes(&access_token.scope, &self.scope_mappings);
+        mapped_scopes.extend(self.additional_scopes.clone());
         ValidatedAccessToken {
             access_token,
             mapped_scopes,