From bc35216fa4df6570590deac5aad3a2639f6ba9e2 Mon Sep 17 00:00:00 2001 From: Allison Doami Date: Thu, 12 Dec 2024 14:31:19 -0800 Subject: [PATCH 1/7] feat: Add scopes option to client --- oidc_cli/oidc_impl/client/client.go | 18 +++++++++++------- oidc_cli/oidc_impl/token_getter.go | 4 ++-- 2 files changed, 13 insertions(+), 9 deletions(-) diff --git a/oidc_cli/oidc_impl/client/client.go b/oidc_cli/oidc_impl/client/client.go index 1d7e4688..15743108 100644 --- a/oidc_cli/oidc_impl/client/client.go +++ b/oidc_cli/oidc_impl/client/client.go @@ -36,7 +36,7 @@ type Config struct { } // NewClient returns a new client -func NewClient(ctx context.Context, config *Config, clientOptions ...Option) (*Client, error) { +func NewClient(ctx context.Context, config *Config, scopes []string, clientOptions ...Option) (*Client, error) { provider, err := oidc.NewProvider(ctx, config.IssuerURL) if err != nil { return nil, errors.Wrap(err, "could not create oidc provider") @@ -47,16 +47,20 @@ func NewClient(ctx context.Context, config *Config, clientOptions ...Option) (*C return nil, err } - oauthConfig := &oauth2.Config{ - ClientID: config.ClientID, - RedirectURL: fmt.Sprintf("http://localhost:%d", server.GetBoundPort()), - Endpoint: provider.Endpoint(), - Scopes: []string{ + if len(scopes) == 0 { + scopes = []string{ oidc.ScopeOpenID, oidc.ScopeOfflineAccess, "email", "groups", - }, + } + } + + oauthConfig := &oauth2.Config{ + ClientID: config.ClientID, + RedirectURL: fmt.Sprintf("http://localhost:%d", server.GetBoundPort()), + Endpoint: provider.Endpoint(), + Scopes: scopes, } oidcConfig := &oidc.Config{ diff --git a/oidc_cli/oidc_impl/token_getter.go b/oidc_cli/oidc_impl/token_getter.go index a6bda730..20e0d369 100644 --- a/oidc_cli/oidc_impl/token_getter.go +++ b/oidc_cli/oidc_impl/token_getter.go @@ -17,7 +17,7 @@ const ( // GetToken gets an oidc token. // It handles caching with a default cache and keyring storage. -func GetToken(ctx context.Context, clientID string, issuerURL string, clientOptions ...client.Option) (*client.Token, error) { +func GetToken(ctx context.Context, clientID string, issuerURL string, scopes []string, clientOptions ...client.Option) (*client.Token, error) { fileLock, err := pidlock.NewLock(lockFilePath) if err != nil { return nil, errors.Wrap(err, "unable to create lock") @@ -34,7 +34,7 @@ func GetToken(ctx context.Context, clientID string, issuerURL string, clientOpti }, } - c, err := client.NewClient(ctx, conf, clientOptions...) + c, err := client.NewClient(ctx, conf, scopes, clientOptions...) if err != nil { return nil, errors.Wrap(err, "Unable to create client") } From c7c147c8e6511a72dc502d89127c0028a447e7a7 Mon Sep 17 00:00:00 2001 From: Allison Doami Date: Thu, 12 Dec 2024 14:37:27 -0800 Subject: [PATCH 2/7] empty --- oidc_cli/aws_sts.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/oidc_cli/aws_sts.go b/oidc_cli/aws_sts.go index 3fa2fdb6..0d2698e1 100644 --- a/oidc_cli/aws_sts.go +++ b/oidc_cli/aws_sts.go @@ -71,7 +71,7 @@ func (tf *tokenFetcher) fetchFullToken(ctx context.Context) (*client.Token, erro tf.mu.Lock() defer tf.mu.Unlock() - return oidc_impl.GetToken(ctx, tf.conf.OIDCClientID, tf.conf.OIDCIssuerURL) + return oidc_impl.GetToken(ctx, tf.conf.OIDCClientID, tf.conf.OIDCIssuerURL, []string{}) } func (tf *tokenFetcher) FetchToken(ctx context.Context) ([]byte, error) { From b4901ba6bef8648755f126a7558a50ca440196b7 Mon Sep 17 00:00:00 2001 From: Allison Doami Date: Mon, 16 Dec 2024 14:45:47 -0800 Subject: [PATCH 3/7] feedback --- oidc_cli/oidc_impl/client/client.go | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/oidc_cli/oidc_impl/client/client.go b/oidc_cli/oidc_impl/client/client.go index 15743108..4d5df33a 100644 --- a/oidc_cli/oidc_impl/client/client.go +++ b/oidc_cli/oidc_impl/client/client.go @@ -47,20 +47,22 @@ func NewClient(ctx context.Context, config *Config, scopes []string, clientOptio return nil, err } - if len(scopes) == 0 { - scopes = []string{ - oidc.ScopeOpenID, - oidc.ScopeOfflineAccess, - "email", - "groups", - } + oauth_scopes := []string{ + oidc.ScopeOpenID, + oidc.ScopeOfflineAccess, + "email", + "groups", + } + + if len(scopes) > 0 { + oauth_scopes = scopes } oauthConfig := &oauth2.Config{ ClientID: config.ClientID, RedirectURL: fmt.Sprintf("http://localhost:%d", server.GetBoundPort()), Endpoint: provider.Endpoint(), - Scopes: scopes, + Scopes: oauth_scopes, } oidcConfig := &oidc.Config{ From 867c81c7c9a34974ea5390265c7ed55549a22c45 Mon Sep 17 00:00:00 2001 From: Allison Doami Date: Tue, 17 Dec 2024 10:02:14 -0800 Subject: [PATCH 4/7] updates --- oidc_cli/aws_sts.go | 2 +- oidc_cli/oidc_impl/client/client.go | 19 ++++--------------- oidc_cli/oidc_impl/token_getter.go | 4 ++-- 3 files changed, 7 insertions(+), 18 deletions(-) diff --git a/oidc_cli/aws_sts.go b/oidc_cli/aws_sts.go index 0d2698e1..3fa2fdb6 100644 --- a/oidc_cli/aws_sts.go +++ b/oidc_cli/aws_sts.go @@ -71,7 +71,7 @@ func (tf *tokenFetcher) fetchFullToken(ctx context.Context) (*client.Token, erro tf.mu.Lock() defer tf.mu.Unlock() - return oidc_impl.GetToken(ctx, tf.conf.OIDCClientID, tf.conf.OIDCIssuerURL, []string{}) + return oidc_impl.GetToken(ctx, tf.conf.OIDCClientID, tf.conf.OIDCIssuerURL) } func (tf *tokenFetcher) FetchToken(ctx context.Context) ([]byte, error) { diff --git a/oidc_cli/oidc_impl/client/client.go b/oidc_cli/oidc_impl/client/client.go index 4d5df33a..5126759f 100644 --- a/oidc_cli/oidc_impl/client/client.go +++ b/oidc_cli/oidc_impl/client/client.go @@ -19,7 +19,7 @@ import ( // Client is an oauth client type Client struct { provider *oidc.Provider - oauthConfig *oauth2.Config + OauthConfig *oauth2.Config verifier *oidc.IDTokenVerifier server *server @@ -36,7 +36,7 @@ type Config struct { } // NewClient returns a new client -func NewClient(ctx context.Context, config *Config, scopes []string, clientOptions ...Option) (*Client, error) { +func NewClient(ctx context.Context, config *Config, clientOptions ...Option) (*Client, error) { provider, err := oidc.NewProvider(ctx, config.IssuerURL) if err != nil { return nil, errors.Wrap(err, "could not create oidc provider") @@ -47,22 +47,11 @@ func NewClient(ctx context.Context, config *Config, scopes []string, clientOptio return nil, err } - oauth_scopes := []string{ - oidc.ScopeOpenID, - oidc.ScopeOfflineAccess, - "email", - "groups", - } - - if len(scopes) > 0 { - oauth_scopes = scopes - } - oauthConfig := &oauth2.Config{ ClientID: config.ClientID, RedirectURL: fmt.Sprintf("http://localhost:%d", server.GetBoundPort()), Endpoint: provider.Endpoint(), - Scopes: oauth_scopes, + Scopes: []string{oidc.ScopeOpenID, oidc.ScopeOfflineAccess, "email", "groups"}, } oidcConfig := &oidc.Config{ @@ -74,7 +63,7 @@ func NewClient(ctx context.Context, config *Config, scopes []string, clientOptio clientConfig := &Client{ provider: provider, verifier: verifier, - oauthConfig: oauthConfig, + OauthConfig: oauthConfig, server: server, customMessages: map[oidcStatus]string{ diff --git a/oidc_cli/oidc_impl/token_getter.go b/oidc_cli/oidc_impl/token_getter.go index 20e0d369..a6bda730 100644 --- a/oidc_cli/oidc_impl/token_getter.go +++ b/oidc_cli/oidc_impl/token_getter.go @@ -17,7 +17,7 @@ const ( // GetToken gets an oidc token. // It handles caching with a default cache and keyring storage. -func GetToken(ctx context.Context, clientID string, issuerURL string, scopes []string, clientOptions ...client.Option) (*client.Token, error) { +func GetToken(ctx context.Context, clientID string, issuerURL string, clientOptions ...client.Option) (*client.Token, error) { fileLock, err := pidlock.NewLock(lockFilePath) if err != nil { return nil, errors.Wrap(err, "unable to create lock") @@ -34,7 +34,7 @@ func GetToken(ctx context.Context, clientID string, issuerURL string, scopes []s }, } - c, err := client.NewClient(ctx, conf, scopes, clientOptions...) + c, err := client.NewClient(ctx, conf, clientOptions...) if err != nil { return nil, errors.Wrap(err, "Unable to create client") } From 7ae2a993ee56e52dd991cabe5ef9899175e78d10 Mon Sep 17 00:00:00 2001 From: Allison Doami Date: Tue, 17 Dec 2024 10:04:39 -0800 Subject: [PATCH 5/7] uppercase --- oidc_cli/oidc_impl/client/client.go | 10 +++++----- oidc_cli/oidc_impl/client/config_options.go | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/oidc_cli/oidc_impl/client/client.go b/oidc_cli/oidc_impl/client/client.go index 5126759f..68f8732c 100644 --- a/oidc_cli/oidc_impl/client/client.go +++ b/oidc_cli/oidc_impl/client/client.go @@ -105,7 +105,7 @@ func (c *Client) idTokenFromOauth2Token( // RefreshToken will fetch a new token func (c *Client) RefreshToken(ctx context.Context, oldToken *Token) (*Token, error) { - logrus.Debugf("refresh scopes: %#v", c.oauthConfig.Scopes) + logrus.Debugf("refresh scopes: %#v", c.OauthConfig.Scopes) newToken, err := c.refreshToken(ctx, oldToken) // if we could refresh successfully, do so. @@ -130,7 +130,7 @@ func (c *Client) refreshToken(ctx context.Context, token *Token) (*Token, error) Expiry: token.Expiry, } - tokenSource := c.oauthConfig.TokenSource(ctx, oauthToken) + tokenSource := c.OauthConfig.TokenSource(ctx, oauthToken) newOauth2Token, err := tokenSource.Token() if err != nil { @@ -163,7 +163,7 @@ func (c *Client) refreshToken(ctx context.Context, token *Token) (*Token, error) // GetAuthCodeURL gets the url to the oauth2 consent page func (c *Client) GetAuthCodeURL(oauthMaterial *oauthMaterial) string { - return c.oauthConfig.AuthCodeURL( + return c.OauthConfig.AuthCodeURL( oauthMaterial.State, oauth2.SetAuthURLParam("grant_type", "refresh_token"), oauth2.SetAuthURLParam("code_challenge", oauthMaterial.CodeChallenge), @@ -182,12 +182,12 @@ func (c *Client) ValidateState(ourState []byte, otherState []byte) error { // Exchange will exchange a token func (c *Client) Exchange(ctx context.Context, code string, codeVerifier string) (*oauth2.Token, error) { - token, err := c.oauthConfig.Exchange( + token, err := c.OauthConfig.Exchange( ctx, code, oauth2.SetAuthURLParam("grant_type", "authorization_code"), oauth2.SetAuthURLParam("code_verifier", codeVerifier), - oauth2.SetAuthURLParam("client_id", c.oauthConfig.ClientID), + oauth2.SetAuthURLParam("client_id", c.OauthConfig.ClientID), ) return token, errors.Wrap(err, "failed to exchange oauth token") } diff --git a/oidc_cli/oidc_impl/client/config_options.go b/oidc_cli/oidc_impl/client/config_options.go index b0f89506..cb1719dd 100644 --- a/oidc_cli/oidc_impl/client/config_options.go +++ b/oidc_cli/oidc_impl/client/config_options.go @@ -20,6 +20,6 @@ var SetSuccessMessage = func(successMessage string) Option { var SetOauth2AuthStyle = func(authStyle oauth2.AuthStyle) Option { return func(c *Client) { - c.oauthConfig.Endpoint.AuthStyle = authStyle + c.OauthConfig.Endpoint.AuthStyle = authStyle } } From 7de7eb0965da82dc15058ce0e472675abb2a5866 Mon Sep 17 00:00:00 2001 From: Allison Doami Date: Tue, 17 Dec 2024 10:06:05 -0800 Subject: [PATCH 6/7] spacing --- oidc_cli/oidc_impl/client/client.go | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/oidc_cli/oidc_impl/client/client.go b/oidc_cli/oidc_impl/client/client.go index 68f8732c..bdd9b87c 100644 --- a/oidc_cli/oidc_impl/client/client.go +++ b/oidc_cli/oidc_impl/client/client.go @@ -51,7 +51,12 @@ func NewClient(ctx context.Context, config *Config, clientOptions ...Option) (*C ClientID: config.ClientID, RedirectURL: fmt.Sprintf("http://localhost:%d", server.GetBoundPort()), Endpoint: provider.Endpoint(), - Scopes: []string{oidc.ScopeOpenID, oidc.ScopeOfflineAccess, "email", "groups"}, + Scopes: []string{ + oidc.ScopeOpenID, + oidc.ScopeOfflineAccess, + "email", + "groups", + }, } oidcConfig := &oidc.Config{ From bb7f3b45329ccf9fb3bf6bd238dca3f695f3ee3c Mon Sep 17 00:00:00 2001 From: Allison Doami Date: Tue, 17 Dec 2024 16:48:30 -0800 Subject: [PATCH 7/7] setscopeoptions --- oidc_cli/oidc_impl/client/config_options.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/oidc_cli/oidc_impl/client/config_options.go b/oidc_cli/oidc_impl/client/config_options.go index cb1719dd..813f2604 100644 --- a/oidc_cli/oidc_impl/client/config_options.go +++ b/oidc_cli/oidc_impl/client/config_options.go @@ -23,3 +23,9 @@ var SetOauth2AuthStyle = func(authStyle oauth2.AuthStyle) Option { c.OauthConfig.Endpoint.AuthStyle = authStyle } } + +var SetScopeOptions = func(scopes []string) Option { + return func(c *Client) { + c.OauthConfig.Scopes = scopes + } +}