Skip to content

Commit

Permalink
Dynamic Scopes support dexidp#2960
Browse files Browse the repository at this point in the history
Signed-off-by: Andy Lo-A-Foe <[email protected]>
  • Loading branch information
loafoe committed Aug 30, 2024
1 parent 65b8ebd commit 1bdd3a6
Show file tree
Hide file tree
Showing 5 changed files with 32 additions and 3 deletions.
2 changes: 2 additions & 0 deletions cmd/dex/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -149,6 +149,8 @@ type OAuth2 struct {
AlwaysShowLoginScreen bool `json:"alwaysShowLoginScreen"`
// This is the connector that can be used for password grant
PasswordConnector string `json:"passwordConnector"`
// List of additional scope prefixes to allow
AllowedScopePrefixes []string `json:"allowedScopePrefixes"`
}

// Web is the config format for the HTTP server.
Expand Down
4 changes: 4 additions & 0 deletions cmd/dex/serve.go
Original file line number Diff line number Diff line change
Expand Up @@ -280,6 +280,9 @@ func runServe(options serveOptions) error {
if len(c.Web.AllowedOrigins) > 0 {
logger.Info("config allowed origins", "origins", c.Web.AllowedOrigins)
}
if len(c.OAuth2.AllowedScopePrefixes) > 0 {
logger.Info("config allowed scope prefixes", "prefixes", strings.Join(c.OAuth2.AllowedScopePrefixes, ","))
}

// explicitly convert to UTC.
now := func() time.Time { return time.Now().UTC() }
Expand All @@ -295,6 +298,7 @@ func runServe(options serveOptions) error {
Headers: c.Web.Headers.ToHTTPHeader(),
AllowedOrigins: c.Web.AllowedOrigins,
AllowedHeaders: c.Web.AllowedHeaders,
AllowedScopePrefixes: c.OAuth2.AllowedScopePrefixes,
Issuer: c.Issuer,
Storage: s,
Web: c.Frontend,
Expand Down
11 changes: 10 additions & 1 deletion server/handlers.go
Original file line number Diff line number Diff line change
Expand Up @@ -1143,7 +1143,16 @@ func (s *Server) handlePasswordGrant(w http.ResponseWriter, r *http.Request, cli
default:
peerID, ok := parseCrossClientScope(scope)
if !ok {
unrecognized = append(unrecognized, scope)
var recognized bool
for _, prefix := range s.allowedScopePrefixes {
if strings.HasPrefix(scope, prefix) {
recognized = true
break
}
}
if !recognized {
unrecognized = append(unrecognized, scope)
}
continue
}

Expand Down
12 changes: 11 additions & 1 deletion server/oauth2.go
Original file line number Diff line number Diff line change
Expand Up @@ -93,6 +93,7 @@ func tokenErr(w http.ResponseWriter, typ, description string, statusCode int) er
return nil
}

// nolint
const (
errInvalidRequest = "invalid_request"
errUnauthorizedClient = "unauthorized_client"
Expand Down Expand Up @@ -551,7 +552,16 @@ func (s *Server) parseAuthorizationRequest(r *http.Request) (*storage.AuthReques
default:
peerID, ok := parseCrossClientScope(scope)
if !ok {
unrecognized = append(unrecognized, scope)
var recognized bool
for _, prefix := range s.allowedScopePrefixes {
if strings.HasPrefix(scope, prefix) {
recognized = true
break
}
}
if !recognized {
unrecognized = append(unrecognized, scope)
}
continue
}

Expand Down
6 changes: 5 additions & 1 deletion server/server.go
Original file line number Diff line number Diff line change
Expand Up @@ -120,7 +120,8 @@ type Config struct {

PrometheusRegistry *prometheus.Registry

HealthChecker gosundheit.Health
HealthChecker gosundheit.Health
AllowedScopePrefixes []string
}

// WebConfig holds the server's frontend templates and asset configuration.
Expand Down Expand Up @@ -189,6 +190,8 @@ type Server struct {

supportedGrantTypes []string

allowedScopePrefixes []string

now func() time.Time

idTokensValidFor time.Duration
Expand Down Expand Up @@ -304,6 +307,7 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
storage: newKeyCacher(c.Storage, now),
supportedResponseTypes: supportedRes,
supportedGrantTypes: supportedGrants,
allowedScopePrefixes: c.AllowedScopePrefixes,
idTokensValidFor: value(c.IDTokensValidFor, 24*time.Hour),
authRequestsValidFor: value(c.AuthRequestsValidFor, 24*time.Hour),
deviceRequestsValidFor: value(c.DeviceRequestsValidFor, 5*time.Minute),
Expand Down

0 comments on commit 1bdd3a6

Please sign in to comment.