From e16b905bcacf19e4961528ba358bdba30384efdd Mon Sep 17 00:00:00 2001
From: William Petit
Date: Mon, 6 Nov 2023 15:57:27 +0100
Subject: [PATCH] feat: configurable scopes and issuer check skipping

---
 client.go | 3 ++-
 cmd/server/container.go | 3 ++-
 internal/config/config.go | 29 ++++++++++++++++-------------
 option.go | 19 +++++++++++++------
 4 files changed, 33 insertions(+), 21 deletions(-)

diff --git a/client.go b/client.go
index ad15c5f..9ddfa6a 100644
--- a/client.go
+++ b/client.go
@@ -189,7 +189,8 @@ func NewClient(opts ...OptionFunc) *Client {
 	}
 
 	verifier := opt.Provider.Verifier(&oidc.Config{
-		ClientID: opt.ClientID,
+		ClientID: opt.ClientID,
+		SkipIssuerCheck: opt.SkipIssuerCheck,
 	})
 
 	return &Client{oauth2, opt.Provider, verifier, opt.AcrValues}
diff --git a/cmd/server/container.go b/cmd/server/container.go
index f300345..3a2d227 100644
--- a/cmd/server/container.go
+++ b/cmd/server/container.go
@@ -92,8 +92,9 @@ func getServiceContainer(ctx context.Context, conf *config.Config) (*service.Con
 	ctn.Provide(oidc.ServiceName, oidc.ServiceProvider(
 		oidc.WithCredentials(conf.OIDC.ClientID, conf.OIDC.ClientSecret),
 		oidc.WithProvider(provider),
-		oidc.WithScopes("email", "openid"),
+		oidc.WithScopes(conf.OIDC.Scopes...),
 		oidc.WithAcrValues(conf.OIDC.AcrValues),
+		oidc.WithSkipIssuerCheck(conf.OIDC.SkipIssuerVerification),
 	))
 
 	return ctn, nil
diff --git a/internal/config/config.go b/internal/config/config.go
index e8a8f71..86f6b05 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
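Review bot: The new `SkipIssuerCheck: opt.SkipIssuerCheck` line forwards a security downgrade into the verifier with nothing at this site marking it as such: in go-oidc that flag turns off the check of the ID token `iss` claim, so a token signed by a key in the provider's key set but issued under a different issuer value (for example another tenant of a multi-tenant IdP sharing a JWKS) can verify. Add a comment above the `verifier :=` line, e.g. `// SkipIssuerCheck disables the iss-claim check on ID tokens; insecure, only for providers whose token issuer differs from the discovery issuer.`, and consider emitting a warning log when the flag is true so the downgrade is visible at startup. NewClient starts outside the hunk.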
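Review bot: `oidc.WithScopes(conf.OIDC.Scopes...)` hands the configured list to the client unvalidated, so a configuration that omits `openid` (or sets an empty scope list) turns the flow into plain OAuth2 with no ID token to verify, whereas the removed hard-coded list always contained it. Guard before the `ctn.Provide` call, for instance `if !slices.Contains(conf.OIDC.Scopes, "openid") { return nil, fmt.Errorf("oidc: scopes must include \"openid\"") }` (the file's imports are not visible here, so the exact helper may need adjusting). The same hunk also wires `conf.OIDC.SkipIssuerVerification` into `WithSkipIssuerCheck`, so one config value now bypasses both the discovery issuer match and the token `iss` check; a warning log when it is true would make that explicit. getServiceContainer starts and ends outside the hunk.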
@@ -48,14 +48,15 @@ type HTTPConfig struct {
 }
 
 type OIDCConfig struct {
-	ClientID string `yaml:"clientId" env:"OIDC_CLIENT_ID"`
-	ClientSecret string `yaml:"clientSecret" env:"OIDC_CLIENT_SECRET"`
-	IssuerURL string `yaml:"issuerUrl" env:"OIDC_ISSUER_URL"`
-	RedirectURL string `yaml:"redirectUrl" env:"OIDC_REDIRECT_URL"`
-	PostLogoutRedirectURL string `yaml:"postLogoutRedirectURL" env:"OIDC_POST_LOGOUT_REDIRECT_URL"`
-	InsecureSkipVerify bool `yaml:"insecureSkipVerify" env:"OIDC_INSECURE_SKIP_VERIFY"`
-	AcrValues string `yaml:"acrValues" env:"OIDC_ACR_VALUES"`
-	SkipIssuerVerification bool `yaml:"skipIssuerVerification" env:"OIDC_SKIP_ISSUER_VERIFICATION"`
+	ClientID string `yaml:"clientId" env:"OIDC_CLIENT_ID"`
+	ClientSecret string `yaml:"clientSecret" env:"OIDC_CLIENT_SECRET"`
+	IssuerURL string `yaml:"issuerUrl" env:"OIDC_ISSUER_URL"`
+	RedirectURL string `yaml:"redirectUrl" env:"OIDC_REDIRECT_URL"`
+	PostLogoutRedirectURL string `yaml:"postLogoutRedirectURL" env:"OIDC_POST_LOGOUT_REDIRECT_URL"`
+	InsecureSkipVerify bool `yaml:"insecureSkipVerify" env:"OIDC_INSECURE_SKIP_VERIFY"`
+	AcrValues string `yaml:"acrValues" env:"OIDC_ACR_VALUES"`
+	SkipIssuerVerification bool `yaml:"skipIssuerVerification" env:"OIDC_SKIP_ISSUER_VERIFICATION"`
+	Scopes []string `yaml:"scopes" env:"OIDC_SCOPES"`
 }
 
 type LogConfig struct {
@@ -86,11 +87,13 @@ func NewDefault() *Config {
 			PublicDir: "public",
 		},
 		OIDC: OIDCConfig{
-			IssuerURL: "http://localhost:4444/",
-			RedirectURL: "http://localhost:3002/oauth2/callback",
-			PostLogoutRedirectURL: "http://localhost:3002",
-			InsecureSkipVerify: false,
-			AcrValues: "",
+			IssuerURL: "http://localhost:4444/",
+			RedirectURL: "http://localhost:3002/oauth2/callback",
+			PostLogoutRedirectURL: "http://localhost:3002",
+			InsecureSkipVerify: false,
+			SkipIssuerVerification: false,
+			AcrValues: "",
+			Scopes: []string{"openid", "email"},
 		},
 	}
 }
diff --git a/option.go b/option.go
index d959ede..7835000 100644
--- a/option.go
+++ b/option.go
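Review bot: The new `Scopes` field and the now doubly-used `SkipIssuerVerification` field carry no doc comments, and the `env:"OIDC_SCOPES"` tag gives no hint how a `[]string` is split from a single variable — that depends on the env loader, which is not visible here, so the expected separator should be stated explicitly. Suggested comments: `// Scopes requested at the authorization endpoint; must include "openid" for an ID token to be issued. Separator for OIDC_SCOPES: <confirm against the env loader>.` and `// SkipIssuerVerification disables issuer matching during discovery AND the iss-claim check on ID tokens (see container.go); insecure, for non-conforming providers only.` Given it now has the same character as `InsecureSkipVerify`, an `Insecure`-prefixed name would be consistent with that sibling field, with the old yaml/env tags kept for compatibility.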
@@ -9,12 +9,13 @@ import (
 type OptionFunc func(*Option)
 
 type Option struct {
-	Provider *oidc.Provider
-	ClientID string
-	ClientSecret string
-	RedirectURL string
-	Scopes []string
-	AcrValues string
+	Provider *oidc.Provider
+	ClientID string
+	ClientSecret string
+	RedirectURL string
+	Scopes []string
+	AcrValues string
+	SkipIssuerCheck bool
 }
 
 func WithRedirectURL(url string) OptionFunc {
@@ -42,6 +43,12 @@ func WithAcrValues(acrValues string) OptionFunc {
 	}
 }
 
+func WithSkipIssuerCheck(skip bool) OptionFunc {
+	return func(opt *Option) {
+		opt.SkipIssuerCheck = skip
+	}
+}
+
 func NewProvider(ctx context.Context, issuer string, skipIssuerVerification bool) (*oidc.Provider, error) {
 	if skipIssuerVerification {
 		ctx = oidc.InsecureIssuerURLContext(ctx, issuer)
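Review bot: The new `SkipIssuerCheck bool` field on `Option` has no comment although it is the one option in this struct that weakens verification — client.go forwards it to `oidc.Config.SkipIssuerCheck`, which in go-oidc disables the check of the ID token `iss` claim. Add `// SkipIssuerCheck disables the iss-claim check on verified ID tokens. Insecure; only for providers whose token issuer differs from the discovery issuer.` above the field so readers of the options struct see the downgrade without tracing the call chain.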
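Review bot: `WithSkipIssuerCheck` is an exported function added without a doc comment, and its name does not flag it as an insecure switch the way `oidc.InsecureIssuerURLContext` in the context lines just below does. Add `// WithSkipIssuerCheck disables verification of the iss claim on ID tokens. Insecure: enable only for providers whose token issuer differs from the discovery issuer.` above the function; an `Insecure`-prefixed name would match the go-oidc naming used in `NewProvider`. The `NewProvider` body continues past the end of the hunk.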