From 1ee68ad4c84abc8c9e9dd785e0cdf8a4c0fe93a9 Mon Sep 17 00:00:00 2001 From: Matthew DeVenny Date: Thu, 7 Dec 2023 11:30:49 -0700 Subject: [PATCH] Add the ability to configure the scopes passed to the authorization request Signed-off-by: Matthew DeVenny --- README.md | 1 + server.go | 15 +++++++++++++-- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index e5e1828..16a1607 100644 --- a/README.md +++ b/README.md @@ -19,6 +19,7 @@ This repository builds a Docker Image that protects an upstream server using [Ok ### Optional +- `AUTH_SCOPE` - Defaults to `openid profile`. Okta token auth scopes - note if you override this `openid` is necessary for authentication requests. - `APP_POST_LOGIN_URL` - After authentication is complete, redirect to an application-specific URL. The `state` query parameter will hold the original URL. - `COOKIE_DOMAIN` - Defaults to current domain only. Set in order to allow use on subdomains. - `COOKIE_NAME` - Defaults to `okta-jwt`. The name of the cookie that holds the Identity Token diff --git a/server.go b/server.go index 83cc801..1ce4db3 100644 --- a/server.go +++ b/server.go @@ -33,6 +33,7 @@ type config struct { httpClient *http.Client issuer string //ISSUER ssoPath string //SSO_PATH + authScope string //AUTH_SCOPE verifier *jwtverifier.JwtVerifier } @@ -90,6 +91,15 @@ func getConfig() *config { } } + authScope := os.Getenv("AUTH_SCOPE") + if authScope == "" { + authScope = "openid profile" + } else { + if !strings.Contains(authScope, "openid") { + log.Fatalln("AUTH_SCOPE must contain openid") + } + } + httpClient := &http.Client{ Timeout: requestTimeOutSeconds, } @@ -153,6 +163,7 @@ func getConfig() *config { httpClient: httpClient, issuer: issuer, ssoPath: ssoPath, + authScope: authScope, verifier: verifier, } } @@ -555,7 +566,7 @@ func getJWT(r *http.Request, code string, conf *config) (string, error) { "&client_secret=" + url.QueryEscape(conf.clientSecret) + "&redirect_uri=" + url.QueryEscape(loginRedirect) + "&grant_type=authorization_code" + - "&scope=openid profile") + "&scope=" + url.QueryEscape(conf.authScope)) req, err := http.NewRequest("POST", conf.endpointToken, bytes.NewBuffer(reqBody)) if err != nil { @@ -662,7 +673,7 @@ func redirectURL(r *http.Request, conf *config, requestURI string) string { return conf.endpointAuthorize + "?client_id=" + url.QueryEscape(conf.clientID) + "&response_type=code" + - "&scope=openid profile" + + "&scope=" + url.QueryEscape(conf.authScope) + "&nonce=123" + "&redirect_uri=" + url.QueryEscape(loginRedirect) + "&state=" + url.QueryEscape(requestURLStr)