feat: Support OIDC scope parameter (#3192)

2022-12-08 22:46:34 -05:00 · 2022-12-08 22:46:34 -05:00 · 649df8827c
parent da51adc276
commit 649df8827c
1 changed files with 12 additions and 1 deletions
--- a/pkg/auth/oidc.go
+++ b/pkg/auth/oidc.go
@ -36,6 +36,9 @@ type OidcClientConfig struct {
 	// OidcAudience specifies the audience of the token in OIDC authentication
 	// if AuthenticationMethod == "oidc". By default, this value is "".
 	OidcAudience string `ini:"oidc_audience" json:"oidc_audience"`
+	// OidcScope specifies the scope of the token in OIDC authentication
+	// if AuthenticationMethod == "oidc". By default, this value is "".
+	OidcScope string `ini:"oidc_scope" json:"oidc_scope"`
 	// OidcTokenEndpointURL specifies the URL which implements OIDC Token Endpoint.
 	// It will be used to get an OIDC token if AuthenticationMethod == "oidc".
 	// By default, this value is "".
@ -52,6 +55,7 @@ func getDefaultOidcClientConf() OidcClientConfig {
 		OidcClientID:                 "",
 		OidcClientSecret:             "",
 		OidcAudience:                 "",
+		OidcScope:                    "",
 		OidcTokenEndpointURL:         "",
 		OidcAdditionalEndpointParams: make(map[string]string),
 	}
@ -99,10 +103,17 @@ func NewOidcAuthSetter(baseCfg BaseConfig, cfg OidcClientConfig) *OidcAuthProvid
 		eps[k] = []string{v}
 	}

+	// Previous versions hardcoded the scope to audience,
+	// so for backwards compatibility, use that if no scope is set
+	scope := cfg.OidcAudience
+	if cfg.OidcScope != "" {
+		scope = cfg.OidcScope
+	}
+
 	tokenGenerator := &clientcredentials.Config{
 		ClientID:       cfg.OidcClientID,
 		ClientSecret:   cfg.OidcClientSecret,
-		Scopes:         []string{cfg.OidcAudience},
+		Scopes:         []string{scope},
 		TokenURL:       cfg.OidcTokenEndpointURL,
 		EndpointParams: eps,
 	}