Add default scopes based on provider
Signed-off-by: Jan-Otto Kröpke <mail@jkroepke.de>
jkroepke committed Oct 29, 2023
1 parent 9385d1d commit e0da7a7
Showing 8 changed files with 28 additions and 17 deletions.
1 change: 0 additions & 1 deletion docs/Providers.md
Expand Up @@ -55,6 +55,5 @@ After registering the app, you will receive an OAuth2 client ID and secret. Thes
- `CONFIG_OAUTH2_CLIENT_SECRET=$CLIENT_SECRET`
- `CONFIG_OAUTH2_ENDPOINT_AUTH=https://github.com/login/oauth/authorize`
- `CONFIG_OAUTH2_ENDPOINT_TOKEN=https://github.com/login/oauth/access_token`
- `CONFIG_OAUTH2_SCOPES=user:email read:org`
- `CONFIG_OAUTH2_VALIDATE_GROUPS=org`
- `CONFIG_OAUTH2_VALIDATE_ROLES=org:team`
2 changes: 1 addition & 1 deletion internal/config/config.go
Expand Up @@ -179,7 +179,7 @@ func FlagSet() *flag.FlagSet {
flagSet.StringSlice(
"oauth2.scopes",
Defaults.OAuth2.Scopes,
"oauth2 token scopes. (env: CONFIG_OAUTH2_SCOPES)",
"oauth2 token scopes. Defaults depends on oauth2.provider (env: CONFIG_OAUTH2_SCOPES)",
)
flagSet.Bool(
"version",
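Review bot: The new usage string `"oauth2 token scopes. Defaults depends on oauth2.provider (env: CONFIG_OAUTH2_SCOPES)"` is ungrammatical and does not tell the operator what actually happens when the flag is left empty. Suggest `"oauth2 token scopes. If empty, the defaults of the selected oauth2.provider are used. (env: CONFIG_OAUTH2_SCOPES)"`, which matches the fallback NewProvider now performs. FlagSet continues outside the hunk.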
2 changes: 1 addition & 1 deletion internal/config/defaults.go
Expand Up @@ -49,6 +49,6 @@ var Defaults = Config{
IPAddr: false,
Issuer: true,
},
Scopes: []string{"openid", "profile"},
Scopes: []string{},
},
}
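Review bot: `Scopes: []string{}` allocates an empty slice where the zero value would do; the consumer in internal/oauth2/provider.go tests `len(scopes) == 0`, so leaving the field out of the literal (nil) behaves identically and is the idiomatic form. Keep the explicit literal only if Defaults is serialized somewhere not visible here, since nil encodes as `null` while `[]string{}` encodes as `[]`.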
19 changes: 13 additions & 6 deletions internal/oauth2/provider.go
Expand Up @@ -65,6 +65,11 @@ func NewProvider(logger *slog.Logger, conf config.Config) (Provider, error) {
return Provider{}, fmt.Errorf("error getting endpoints: %w", err)
}

scopes := conf.OAuth2.Scopes
if len(scopes) == 0 {
scopes = provider.GetDefaultScopes()
}

if endpoints == (oauth2.Endpoint{}) {
if !utils.IsURLEmpty(conf.OAuth2.Endpoints.Discovery) {
logger.Info(utils.StringConcat(
Expand All @@ -81,25 +86,25 @@ func NewProvider(logger *slog.Logger, conf config.Config) (Provider, error) {
))
}

return newProviderWithDiscovery(conf, logger, provider, options, redirectURI)
return newProviderWithDiscovery(conf, logger, provider, options, redirectURI, scopes)
}

logger.Info(utils.StringConcat(
"manually configure oauth2 provider with provider ",
provider.GetName(), " and endpoints ", endpoints.AuthURL, " and ", endpoints.TokenURL,
))

return newProviderWithEndpoints(conf, provider, options, redirectURI, endpoints)
return newProviderWithEndpoints(conf, provider, options, redirectURI, endpoints, scopes)
}

func newProviderWithEndpoints(
conf config.Config, provider oidcProvider, options []rp.Option, redirectURI string, endpoints oauth2.Endpoint,
conf config.Config, provider oidcProvider, options []rp.Option, redirectURI string, endpoints oauth2.Endpoint, scopes []string,
) (Provider, error) {
rpConfig := &oauth2.Config{
ClientID: conf.OAuth2.Client.ID,
ClientSecret: conf.OAuth2.Client.Secret,
RedirectURL: redirectURI,
Scopes: conf.OAuth2.Scopes,
Scopes: scopes,
Endpoint: endpoints,
}

Expand All @@ -114,15 +119,17 @@ func newProviderWithEndpoints(
}, nil
}

func newProviderWithDiscovery(conf config.Config, _ *slog.Logger, provider oidcProvider, options []rp.Option, redirectURI string) (Provider, error) {
func newProviderWithDiscovery(conf config.Config, _ *slog.Logger, provider oidcProvider,
options []rp.Option, redirectURI string, scopes []string) (Provider, error) {

Check failure on line 123 in internal/oauth2/provider.go


GitHub Actions / lint

File is not `gofumpt`-ed (gofumpt)

// expLogger := logging.ToContext(context.Background(), logger)s
relayingParty, err := rp.NewRelyingPartyOIDC(
context.Background(),
conf.OAuth2.Issuer.String(),
conf.OAuth2.Client.ID,
conf.OAuth2.Client.Secret,
redirectURI,
conf.OAuth2.Scopes,
scopes,
options...,
)
if err != nil {
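Review bot: The two-line signature `func newProviderWithDiscovery(conf config.Config, _ *slog.Logger, provider oidcProvider,` / `options []rp.Option, redirectURI string, scopes []string) (Provider, error) {` is what the gofumpt lint annotation on this page flags, and it also differs from how newProviderWithEndpoints a few lines above is laid out. Formatting it the same way — `func newProviderWithDiscovery(` / `conf config.Config, _ *slog.Logger, provider oidcProvider, options []rp.Option, redirectURI string, scopes []string,` / `) (Provider, error) {` — and dropping the blank line that appears after the opening brace (if it is in the source rather than an artifact of the annotation) resolves both. Since the effective scope list is now provider-dependent instead of being visible in the configuration, consider appending it to the existing `logger.Info` messages in NewProvider (e.g. `" with scopes ", strings.Join(scopes, " ")`, adding the import if needed) so operators can see what was actually requested from the identity provider. The bodies of NewProvider and both constructors continue outside the hunks.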
8 changes: 5 additions & 3 deletions internal/oauth2/providers/generic/main.go
Expand Up @@ -4,8 +4,6 @@ import (
"github.com/jkroepke/openvpn-auth-oauth2/internal/config"
)

const Name = "generic"

type Provider struct {
Conf config.Config
}
Expand All @@ -17,5 +15,9 @@ func NewProvider(conf config.Config) *Provider {
}

func (p *Provider) GetName() string {
return Name
return "generic"
}

func (p *Provider) GetDefaultScopes() []string {
return []string{"openid", "profile"}
}
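Review bot: `GetDefaultScopes` is undocumented; a one-line comment such as `// GetDefaultScopes returns the scopes requested when oauth2.scopes is not configured; a fresh slice is returned on every call so callers cannot mutate the defaults.` states the contract, and the same applies to the override in internal/oauth2/providers/github/main.go. Dropping the exported `Name` constant in favour of the inlined `"generic"` (and `"github"` in the github provider) is an API change for any package that referenced `generic.Name` or `github.Name`; the diff shows no such caller, so this may be intentional, but it is worth confirming with a build of the whole module.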
8 changes: 5 additions & 3 deletions internal/oauth2/providers/github/main.go
Expand Up @@ -5,8 +5,6 @@ import (
"github.com/jkroepke/openvpn-auth-oauth2/internal/oauth2/providers/generic"
)

const Name = "github"

type Provider struct {
*generic.Provider
}
Expand All @@ -18,5 +16,9 @@ func NewProvider(conf config.Config) *Provider {
}

func (p *Provider) GetName() string {
return Name
return "github"
}

func (p *Provider) GetDefaultScopes() []string {
return []string{"user:email", "read:org"}
}
1 change: 1 addition & 0 deletions internal/oauth2/types.go
Expand Up @@ -18,6 +18,7 @@ type Provider struct {

type oidcProvider interface {
CheckUser(ctx context.Context, session state.State, user types.UserData, tokens *oidc.Tokens[*oidc.IDTokenClaims]) error
GetDefaultScopes() []string
GetEndpoints(conf config.Config) (oauth2.Endpoint, error)
GetName() string
GetUser(ctx context.Context, tokens *oidc.Tokens[*oidc.IDTokenClaims]) (types.UserData, error)
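Review bot: The new interface method `GetDefaultScopes() []string` carries no comment saying when it is consulted; NewProvider in internal/oauth2/provider.go only calls it when `conf.OAuth2.Scopes` is empty, so a comment like `// GetDefaultScopes returns the scopes to request when oauth2.scopes is not configured.` would make that contract clear to implementers. The interface definition continues outside the hunk.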
4 changes: 2 additions & 2 deletions tests/docker-compose.yaml
Expand Up @@ -72,14 +72,14 @@ services:
user nobody
group nogroup
#auth-gen-token 240 120
#auth-gen-token
management 0.0.0.0 8081 /etc/openvpn/password.txt
management-hold
management-client-auth
#plugin /plugin/openvpn-auth-oauth2.so /plugin/config.yaml
reneg-sec 30
reneg-sec 120
auth-user-pass-optional
EOF
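Review bot: The change to the test OpenVPN server config (`reneg-sec 30` to `reneg-sec 120`, and `#auth-gen-token 240 120` to the bare `#auth-gen-token`, if that is the direction of the change) is unrelated to provider default scopes and is not mentioned in the commit message. A short comment next to the lines (e.g. `# reneg-sec raised so renegotiation does not interrupt manual testing`) or a separate commit would keep the intent traceable, especially since `auth-gen-token` and `reneg-sec` together decide how a client is re-authenticated on renegotiation. The heredoc continues outside the hunk.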
