Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Empty scope #593

Merged
merged 4 commits into from
Sep 15, 2022
Merged

Empty scope #593

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
90845cb
ignore empty and white-space-only scope
Sep 13, 2022
7713794
enhanced test for oauth2_authorization_url() function
Sep 13, 2022
4165246
changelog entry
Sep 14, 2022
208ca61
Merge branch 'master' into empty-scope
Sep 15, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,8 @@
Unreleased changes are available as `avenga/couper:edge` container.

* **Fixed**
* Aligned the evaluation of `beta_oauth2`/`oidc` `redirect_uri` to `saml` `sp_acs_url` ([#589](https://github.com/avenga/couper/pull/589))
* Aligned the evaluation of [`beta_oauth2`](https://docs.couper.io/configuration/block/oauth2_ac)/[`oidc`](https://docs.couper.io/configuration/block/oidc) `redirect_uri` to `saml` `sp_acs_url` ([#589](https://github.com/avenga/couper/pull/589))
* Proper handling of empty [`beta_oauth2`](https://docs.couper.io/configuration/block/oauth2_ac)/[`oidc`](https://docs.couper.io/configuration/block/oidc) `scope` ([#593](https://github.com/avenga/couper/pull/593))

---

Expand Down
9 changes: 4 additions & 5 deletions config/ac_oauth2.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,8 @@
package config

import (
"strings"

"github.com/hashicorp/hcl/v2"
"github.com/hashicorp/hcl/v2/gohcl"

Expand Down Expand Up @@ -28,7 +30,7 @@ type OAuth2AC struct {
Name string `hcl:"name,label"`
RedirectURI string `hcl:"redirect_uri" docs:"The Couper endpoint for receiving the authorization code. Relative URL references are resolved against the origin of the current request URL. The origin can be changed with the {accept_forwarded_url}([settings](settings)) attribute if Couper is running behind a proxy."`
Remain hcl.Body `hcl:",remain"`
Scope *string `hcl:"scope,optional" docs:"A space separated list of requested scope values for the access token."`
Scope string `hcl:"scope,optional" docs:"A space separated list of requested scope values for the access token."`
TokenEndpoint string `hcl:"token_endpoint" docs:"The authorization server endpoint URL used for requesting the token."`
TokenEndpointAuthMethod *string `hcl:"token_endpoint_auth_method,optional" default:"client_secret_basic" docs:"Defines the method to authenticate the client at the token endpoint. If set to {client_secret_post}, the client credentials are transported in the request body. If set to {client_secret_basic}, the client credentials are transported via Basic Authentication."`
VerifierMethod string `hcl:"verifier_method" docs:"The method to verify the integrity of the authorization code flow. Available values: {ccm_s256} ({code_challenge} parameter with {code_challenge_method} {S256}), {state} ({state} parameter)"`
Expand Down Expand Up @@ -101,10 +103,7 @@ func (oa *OAuth2AC) GetRedirectURI() string {
}

func (oa *OAuth2AC) GetScope() string {
if oa.Scope == nil {
return ""
}
return *oa.Scope
return strings.TrimSpace(oa.Scope)
}

func (oa *OAuth2AC) GetAuthorizationEndpoint() (string, error) {
Expand Down
10 changes: 7 additions & 3 deletions config/ac_oidc.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,8 @@
package config

import (
"strings"

"github.com/hashicorp/hcl/v2"
"github.com/hashicorp/hcl/v2/gohcl"

Expand All @@ -27,7 +29,7 @@ type OIDC struct {
Name string `hcl:"name,label"`
Remain hcl.Body `hcl:",remain"`
RedirectURI string `hcl:"redirect_uri" docs:"The Couper endpoint for receiving the authorization code. Relative URL references are resolved against the origin of the current request URL. The origin can be changed with the {accept_forwarded_url}({settings} block) attribute if Couper is running behind a proxy."`
Scope *string `hcl:"scope,optional" docs:"A space separated list of requested scope values for the access token."`
Scope string `hcl:"scope,optional" docs:"A space separated list of requested scope values for the access token."`
TokenEndpointAuthMethod *string `hcl:"token_endpoint_auth_method,optional" docs:"Defines the method to authenticate the client at the token endpoint. If set to {client_secret_post}, the client credentials are transported in the request body. If set to {client_secret_basic}, the client credentials are transported via Basic Authentication." default:"client_secret_basic"`
ConfigurationTTL string `hcl:"configuration_ttl,optional" docs:"The duration to cache the OpenID configuration located at {configuration_url}." type:"duration" default:"1h"`
ConfigurationMaxStale string `hcl:"configuration_max_stale,optional" docs:"Duration a cached OpenID configuration stays valid after its TTL has passed." type:"duration" default:"1h"`
Expand Down Expand Up @@ -126,10 +128,12 @@ func (o *OIDC) GetRedirectURI() string {
}

func (o *OIDC) GetScope() string {
if o.Scope == nil {
scope := strings.TrimSpace(o.Scope)
if scope == "" {
return "openid"
}
return "openid " + *o.Scope

return "openid " + scope
}

func (o *OIDC) GetTokenEndpointAuthMethod() *string {
Expand Down
Loading