From fddcc8d6af39a4101765145a510f3e7303aee18a Mon Sep 17 00:00:00 2001
From: "David J. Allen"
Date: Tue, 19 Mar 2024 15:01:47 -0600
Subject: [PATCH] Fixed issue with scope not being added to token
---
 internal/login.go | 8 +++++---
 internal/oauth/trusted.go | 3 +++
 internal/server/server.go | 2 +-
 3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/internal/login.go b/internal/login.go
index 1641e13..caa7427 100644
--- a/internal/login.go
+++ b/internal/login.go
@@ -38,6 +38,8 @@ func Login(config *Config, client *oauth.Client, provider *oidc.IdentityProvider
 )
 var button = MakeButton(authorizationUrl, "Login with "+client.Name)
+ var jwtClient = oauth.NewClient()
+ jwtClient.Scope = config.Authorization.Token.Scope
 // authorize oauth client and listen for callback from provider
 fmt.Printf("Waiting for authorization code redirect @%s/oidc/callback...\n", s.GetListenAddr())
@@ -56,17 +58,17 @@ func Login(config *Config, client *oauth.Client, provider *oidc.IdentityProvider
 Register: config.Authorization.Endpoints.Register,
 },
 JwtBearerParams: flows.JwtBearerFlowParams{
- Client: oauth.NewClient(),
+ Client: jwtClient,
 IdentityProvider: provider,
 TrustedIssuer: &oauth.TrustedIssuer{
 AllowAnySubject: false,
 Issuer: s.Addr,
 Subject: "opaal",
- ExpiresAt: time.Now().Add(config.Authorization.TokenDuration),
+ ExpiresAt: time.Now().Add(config.Authorization.Token.Duration),
 Scope: []string{},
 },
 Verbose: config.Options.Verbose,
- Refresh: config.Authorization.TokenRefresh,
+ Refresh: config.Authorization.Token.Refresh,
 },
 }
 err = s.Login(button, provider, client, params)
diff --git a/internal/oauth/trusted.go b/internal/oauth/trusted.go
index 6c90dfc..936d8a9 100644
--- a/internal/oauth/trusted.go
+++ b/internal/oauth/trusted.go
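Review bot: The purpose of a second client next to `client` is not stated where `jwtClient` is declared, and in the second hunk the trusted issuer still carries `Scope: []string{}`, so a reader of login.go cannot see how the configured scope reaches the token; it only does so because AddTrustedIssuer in trusted.go appends client.Scope to the issuer's scope. A comment on the new lines would make that explicit: `// jwtClient only carries the configured token scope; AddTrustedIssuer merges client.Scope into the trusted issuer's Scope`. Note also that `jwtClient.Scope = config.Authorization.Token.Scope` shares the config's backing array rather than copying it, which is fine only as long as nothing later appends to client.Scope. Login's body starts and ends outside these hunks.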
@@ -66,6 +66,9 @@ func (client *Client) AddTrustedIssuer(url string, ti *TrustedIssuer) ([]byte, e
 return nil, fmt.Errorf("no valid trusted issuer provided")
 }
+ // add the client's scope to trusted issuer
+ ti.Scope = append(ti.Scope, client.Scope...)
+
 quotedScopes := make([]string, len(ti.Scope))
 for i, s := range ti.Scope {
 quotedScopes[i] = fmt.Sprintf("\"%s\"", s)
diff --git a/internal/server/server.go b/internal/server/server.go
index afe3af8..e98f863 100644
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -122,7 +122,7 @@ func (s *Server) Login(buttons string, provider *oidc.IdentityProvider, client *
 http.Redirect(w, r, "/error", http.StatusBadRequest)
 return
 }
- _, err := client.PerformRefreshTokenGrant(provider.Endpoints.Token, refreshToken)
+ _, err := params.JwtBearerParams.Client.PerformRefreshTokenGrant(provider.Endpoints.Token, refreshToken)
 if err != nil {
 fmt.Printf("failed to perform refresh token grant: %v\n", err)
 http.Redirect(w, r, "/error", http.StatusInternalServerError)
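Review bot: The new `ti.Scope = append(ti.Scope, client.Scope...)` mutates the caller's *TrustedIssuer in place, so a second call with the same ti appends the client scope again and nothing here de-duplicates the list that gets sent. If nothing later in the function relies on ti.Scope itself having been updated, build the merged list locally, `scopes := append(append([]string(nil), ti.Scope...), client.Scope...)`, and range over it for quotedScopes. The merged values then go through the existing `fmt.Sprintf("\"%s\"", s)` quoting on the context lines below, which does not escape quotes or backslashes inside a scope string, so a config-supplied scope containing either yields a malformed body; `json.Marshal(scopes)` produces a correct JSON array in one step. AddTrustedIssuer continues outside the hunk.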
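Review bot: The refresh grant now runs through `params.JwtBearerParams.Client`, which per the login.go hunk is a bare `oauth.NewClient()` with only `Scope` assigned, whereas the replaced `client` is the configured *oauth.Client passed into Login; unless NewClient populates client credentials (not visible here), the token endpoint now receives a refresh request with no or different client identification and can reject it or issue the token to the wrong client. If the intent is only to carry the scope, keep `client` for the grant and copy the scope onto it, or document on JwtBearerFlowParams that Client must be fully configured for the refresh grant. The refreshed token set is still discarded with `_, err :=`, which predates this commit. Login's body continues outside the hunk.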