feat: map Scope from membership in stack token (#994)

Co-authored-by: David Ragot <[email protected]>
formancehq · Dec 11, 2023 · 69d29d0 · 69d29d0
1 parent 5bf1d06
commit 69d29d0
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/pkg/oidc/grant_type_bearer.go b/pkg/oidc/grant_type_bearer.go
@@ -106,6 +106,15 @@ func grantTypeBearer(issuer string, p JWTAuthorizationGrantExchanger) http.Handl
 			op.RequestError(w, r, err)
 			return
 		}
+
+		tokens, err := ParseAssertion(profileRequest.Assertion)
+		if err != nil {
+			op.RequestError(w, r, err)
+			return
+		}
+
+		tokenRequest.Scopes = tokens.Scopes
+
 		resp, err := CreateJWTTokenResponse(r.Context(), issuer, tokenRequest, p, client)
 		if err != nil {
 			op.RequestError(w, r, err)
@@ -116,6 +125,17 @@ func grantTypeBearer(issuer string, p JWTAuthorizationGrantExchanger) http.Handl
 	}
 }
 
+func ParseAssertion(assertion string) (*oidc.AccessTokenClaims, error) {
+	var claims = new(oidc.AccessTokenClaims)
+
+	_, err := oidc.ParseToken(assertion, claims)
+	if err != nil {
+		return nil, err
+	}
+
+	return claims, nil
+}
+
 func CreateJWTTokenResponse(ctx context.Context, issuer string, tokenRequest *oidc.JWTTokenRequest, creator op.TokenCreator, client op.Client) (*oidc.AccessTokenResponse, error) {
 	id, exp, err := creator.Storage().CreateAccessToken(ctx, tokenRequest)
 	if err != nil {