feat: configurable scopes and issuer check skipping

client.go

@@ -189,7 +189,8 @@ func NewClient(opts ...OptionFunc) *Client {
 	}
 
 	verifier := opt.Provider.Verifier(&oidc.Config{
-		ClientID: opt.ClientID,
+		ClientID:        opt.ClientID,
+		SkipIssuerCheck: opt.SkipIssuerCheck,
 	})
 
 	return &Client{oauth2, opt.Provider, verifier, opt.AcrValues}

cmd/server/container.go

@@ -92,8 +92,9 @@ func getServiceContainer(ctx context.Context, conf *config.Config) (*service.Con
 	ctn.Provide(oidc.ServiceName, oidc.ServiceProvider(
 		oidc.WithCredentials(conf.OIDC.ClientID, conf.OIDC.ClientSecret),
 		oidc.WithProvider(provider),
-		oidc.WithScopes("email", "openid"),
+		oidc.WithScopes(conf.OIDC.Scopes...),
 		oidc.WithAcrValues(conf.OIDC.AcrValues),
+		oidc.WithSkipIssuerCheck(conf.OIDC.SkipIssuerVerification),
 	))
 
 	return ctn, nil

internal/config/config.go

@@ -48,14 +48,15 @@ type HTTPConfig struct {
 }
 
 type OIDCConfig struct {
-	ClientID               string `yaml:"clientId"  env:"OIDC_CLIENT_ID"`
+	ClientID               string   `yaml:"clientId"  env:"OIDC_CLIENT_ID"`
-	ClientSecret           string `yaml:"clientSecret"  env:"OIDC_CLIENT_SECRET"`
+	ClientSecret           string   `yaml:"clientSecret"  env:"OIDC_CLIENT_SECRET"`
-	IssuerURL              string `yaml:"issuerUrl"  env:"OIDC_ISSUER_URL"`
+	IssuerURL              string   `yaml:"issuerUrl"  env:"OIDC_ISSUER_URL"`
-	RedirectURL            string `yaml:"redirectUrl"  env:"OIDC_REDIRECT_URL"`
+	RedirectURL            string   `yaml:"redirectUrl"  env:"OIDC_REDIRECT_URL"`
-	PostLogoutRedirectURL  string `yaml:"postLogoutRedirectURL"  env:"OIDC_POST_LOGOUT_REDIRECT_URL"`
+	PostLogoutRedirectURL  string   `yaml:"postLogoutRedirectURL"  env:"OIDC_POST_LOGOUT_REDIRECT_URL"`
-	InsecureSkipVerify     bool   `yaml:"insecureSkipVerify" env:"OIDC_INSECURE_SKIP_VERIFY"`
+	InsecureSkipVerify     bool     `yaml:"insecureSkipVerify" env:"OIDC_INSECURE_SKIP_VERIFY"`
-	AcrValues              string `yaml:"acrValues" env:"OIDC_ACR_VALUES"`
+	AcrValues              string   `yaml:"acrValues" env:"OIDC_ACR_VALUES"`
-	SkipIssuerVerification bool   `yaml:"skipIssuerVerification" env:"OIDC_SKIP_ISSUER_VERIFICATION"`
+	SkipIssuerVerification bool     `yaml:"skipIssuerVerification" env:"OIDC_SKIP_ISSUER_VERIFICATION"`
+	Scopes                 []string `yaml:"scopes" env:"OIDC_SCOPES"`
 }
 
 type LogConfig struct {
@@ -86,11 +87,13 @@ func NewDefault() *Config {
 			PublicDir:               "public",
 		},
 		OIDC: OIDCConfig{
-			IssuerURL:             "http://localhost:4444/",
+			IssuerURL:              "http://localhost:4444/",
-			RedirectURL:           "http://localhost:3002/oauth2/callback",
+			RedirectURL:            "http://localhost:3002/oauth2/callback",
-			PostLogoutRedirectURL: "http://localhost:3002",
+			PostLogoutRedirectURL:  "http://localhost:3002",
-			InsecureSkipVerify:    false,
+			InsecureSkipVerify:     false,
-			AcrValues:             "",
+			SkipIssuerVerification: false,
+			AcrValues:              "",
+			Scopes:                 []string{"openid", "email"},
 		},
 	}
 }

option.go

@@ -9,12 +9,13 @@ import (
 type OptionFunc func(*Option)
 
 type Option struct {
-	Provider     *oidc.Provider
+	Provider        *oidc.Provider
-	ClientID     string
+	ClientID        string
-	ClientSecret string
+	ClientSecret    string
-	RedirectURL  string
+	RedirectURL     string
-	Scopes       []string
+	Scopes          []string
-	AcrValues    string
+	AcrValues       string
+	SkipIssuerCheck bool
 }
 
 func WithRedirectURL(url string) OptionFunc {
@@ -42,6 +43,12 @@ func WithAcrValues(acrValues string) OptionFunc {
 	}
 }
 
+func WithSkipIssuerCheck(skip bool) OptionFunc {
+	return func(opt *Option) {
+		opt.SkipIssuerCheck = skip
+	}
+}
+
 func NewProvider(ctx context.Context, issuer string, skipIssuerVerification bool) (*oidc.Provider, error) {
 	if skipIssuerVerification {
 		ctx = oidc.InsecureIssuerURLContext(ctx, issuer)