Merge pull request #13 from int128/extra-scopes

Add extra-scopes support
2026-04-22 01:06:43 +00:00 · 2018-09-02 14:20:35 +09:00
parent a91c020f46 d4fb49613d
commit 9bf8a89577
8 changed files with 36 additions and 0 deletions
--- a/README.md
+++ b/README.md
@@ -208,6 +208,7 @@ Key | Direction | Value
 `client-secret`                   | IN (Required) | Client Secret of the provider.
 `idp-certificate-authority`       | IN (Optional) | CA certificate path of the provider.
 `idp-certificate-authority-data`  | IN (Optional) | Base64 encoded CA certificate of the provider.
+`extra-scopes`                    | IN (Optional) | Scopes to request to the provider (comma separated).
 `id-token`                        | OUT | ID token got from the provider.
 `refresh-token`                   | OUT | Refresh token got from the provider.

--- a/cli/cli.go
+++ b/cli/cli.go
@@ -70,6 +70,7 @@ func (c *CLI) Run(ctx context.Context) error {
 		Issuer:          authProvider.IDPIssuerURL(),
 		ClientID:        authProvider.ClientID(),
 		ClientSecret:    authProvider.ClientSecret(),
+		ExtraScopes:     authProvider.ExtraScopes(),
 		Client:          &http.Client{Transport: &http.Transport{TLSClientConfig: tlsConfig}},
 		ServerPort:      8000,
 		SkipOpenBrowser: c.SkipOpenBrowser,
--- a/e2e/authserver/authserver.go
+++ b/e2e/authserver/authserver.go
@@ -23,6 +23,7 @@ const ServerKey = "authserver/testdata/server.key"
 // Config represents server configuration.
 type Config struct {
 	Issuer string
+	Scope  string
 	Cert   string
 	Key    string
 }
--- a/e2e/authserver/handler.go
+++ b/e2e/authserver/handler.go
@@ -22,6 +22,7 @@ type handler struct {
 	authCode  string

 	Issuer     string
+	Scope      string // Default to openid
 	IDToken    string
 	PrivateKey struct{ N, E string }
 }
@@ -33,6 +34,10 @@ func newHandler(t *testing.T, c *Config) *handler {
 		jwks:      readTemplate(t, "oidc-jwks.json"),
 		authCode:  "3d24a8bd-35e6-457d-999e-e04bb1dfcec7",
 		Issuer:    c.Issuer,
+		Scope:     c.Scope,
+	}
+	if h.Scope == "" {
+		h.Scope = "openid"
 	}

 	token := jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.StandardClaims{
@@ -83,6 +88,9 @@ func (h *handler) serveHTTP(w http.ResponseWriter, r *http.Request) error {
 		// Authentication Response
 		// http://openid.net/specs/openid-connect-core-1_0.html#AuthResponse
 		q := r.URL.Query()
+		if h.Scope != q.Get("scope") {
+			return fmt.Errorf("scope wants %s but %s", h.Scope, q.Get("scope"))
+		}
 		to := fmt.Sprintf("%s?state=%s&code=%s", q.Get("redirect_uri"), q.Get("state"), h.authCode)
 		http.Redirect(w, r, to, 302)
 	case m == "POST" && p == "/protocol/openid-connect/token":
--- a/e2e/e2e_test.go
+++ b/e2e/e2e_test.go
@@ -37,6 +37,18 @@ func TestE2E(t *testing.T) {
 			authserver.Config{Issuer: "http://localhost:9000"},
 			&tls.Config{},
 		},
+		"ExtraScope": {
+			kubeconfigValues{
+				Issuer:      "http://localhost:9000",
+				ExtraScopes: "profile groups",
+			},
+			cli.CLI{},
+			authserver.Config{
+				Issuer: "http://localhost:9000",
+				Scope:  "profile groups openid",
+			},
+			&tls.Config{},
+		},
 		"SkipTLSVerify": {
 			kubeconfigValues{Issuer: "https://localhost:9000"},
 			cli.CLI{SkipTLSVerify: true},
--- a/e2e/kubeconfig.go
+++ b/e2e/kubeconfig.go
@@ -9,6 +9,7 @@ import (

 type kubeconfigValues struct {
 	Issuer                      string
+	ExtraScopes                 string
 	IDPCertificateAuthority     string
 	IDPCertificateAuthorityData string
 }
--- a/e2e/testdata/kubeconfig.yaml
+++ b/e2e/testdata/kubeconfig.yaml
@@ -19,6 +19,9 @@ users:
        client-id: kubernetes
        client-secret: a3c508c3-73c9-42e2-ab14-487a1bf67c33
        idp-issuer-url: {{ .Issuer }}
+#{{ if .ExtraScopes }}
+        extra-scopes: {{ .ExtraScopes }}
+#{{ end }}
 #{{ if .IDPCertificateAuthority }}
        idp-certificate-authority: {{ .IDPCertificateAuthority }}
 #{{ end }}
--- a/kubeconfig/auth.go
+++ b/kubeconfig/auth.go
@@ -2,6 +2,7 @@ package kubeconfig

 import (
 	"fmt"
+	"strings"

 	"k8s.io/client-go/tools/clientcmd/api"
 )
@@ -55,6 +56,14 @@ func (c *OIDCAuthProvider) IDPCertificateAuthorityData() string {
 	return c.Config["idp-certificate-authority-data"]
 }

+// ExtraScopes returns the extra-scopes.
+func (c *OIDCAuthProvider) ExtraScopes() []string {
+	if c.Config["extra-scopes"] == "" {
+		return []string{}
+	}
+	return strings.Split(c.Config["extra-scopes"], ",")
+}
+
 // SetIDToken replaces the id-token.
 func (c *OIDCAuthProvider) SetIDToken(idToken string) {
 	c.Config["id-token"] = idToken