Add the ability to configure the scopes passed to the authorization request

matthewdevenny · matthewdevenny · commit 1ee68ad4c84a · 2023-12-07T11:30:49.000-07:00
Signed-off-by: Matthew DeVenny &lt;matt@boxboat.com&gt;
diff --git a/README.md b/README.md
@@ -19,6 +19,7 @@ This repository builds a Docker Image that protects an upstream server using [Ok
 
 ### Optional
 
+- `AUTH_SCOPE` - Defaults to `openid profile`. Okta token auth scopes - note if you override this `openid` is necessary for authentication requests.
 - `APP_POST_LOGIN_URL` - After authentication is complete, redirect to an application-specific URL.  The `state` query parameter will hold the original URL.
 - `COOKIE_DOMAIN` - Defaults to current domain only.  Set in order to allow use on subdomains.
 - `COOKIE_NAME` - Defaults to `okta-jwt`. The name of the cookie that holds the Identity Token
diff --git a/server.go b/server.go
@@ -33,6 +33,7 @@ type config struct {
 	httpClient        *http.Client
 	issuer            string //ISSUER
 	ssoPath           string //SSO_PATH
+	authScope         string //AUTH_SCOPE
 	verifier          *jwtverifier.JwtVerifier
 }
 
@@ -90,6 +91,15 @@ func getConfig() *config {
 		}
 	}
 
+	authScope := os.Getenv("AUTH_SCOPE")
+	if authScope == "" {
+		authScope = "openid profile"
+	} else {
+		if !strings.Contains(authScope, "openid") {
+			log.Fatalln("AUTH_SCOPE must contain openid")
+		}
+	}
+
 	httpClient := &http.Client{
 		Timeout: requestTimeOutSeconds,
 	}
@@ -153,6 +163,7 @@ func getConfig() *config {
 		httpClient:        httpClient,
 		issuer:            issuer,
 		ssoPath:           ssoPath,
+		authScope:         authScope,
 		verifier:          verifier,
 	}
 }
@@ -555,7 +566,7 @@ func getJWT(r *http.Request, code string, conf *config) (string, error) {
 		"&client_secret=" + url.QueryEscape(conf.clientSecret) +
 		"&redirect_uri=" + url.QueryEscape(loginRedirect) +
 		"&grant_type=authorization_code" +
-		"&scope=openid profile")
+		"&scope=" + url.QueryEscape(conf.authScope))
 
 	req, err := http.NewRequest("POST", conf.endpointToken, bytes.NewBuffer(reqBody))
 	if err != nil {
@@ -662,7 +673,7 @@ func redirectURL(r *http.Request, conf *config, requestURI string) string {
 	return conf.endpointAuthorize +
 		"?client_id=" + url.QueryEscape(conf.clientID) +
 		"&response_type=code" +
-		"&scope=openid profile" +
+		"&scope=" + url.QueryEscape(conf.authScope) +
 		"&nonce=123" +
 		"&redirect_uri=" + url.QueryEscape(loginRedirect) +
 		"&state=" + url.QueryEscape(requestURLStr)
