From 3601e3f49d573b319bf7b3233cfd0bf44a83eac6 Mon Sep 17 00:00:00 2001
From: Tom Wieczorek
Date: Wed, 24 Jan 2018 08:58:50 +0100
Subject: [PATCH] Add ability to request additional claims, introduce short option names for OIDC stuff.

---
 README.md | 9 +++++----
 pkg/oidc/oidc.go | 13 +++++++++----
 2 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/README.md b/README.md
index 333f2c9..fc15077 100644
--- a/README.md
+++ b/README.md
@@ -15,10 +15,11 @@ solves this problem, but specifically for Google as Identity Provider.
 oidc-token-ferry [OPTIONS]
 OpenID Connect Options:
- --issuer-url= IdP Issuer URL to be contacted (default: https://accounts.google.com)
- --client-id= Client ID to be used
- --client-secret= Client Secret to be used
- --redirect-url= Redirect URL to be communicated to the IdP (needs to indicate "out of band") (default: urn:ietf:wg:oauth:2.0:oob)
+ -u, --issuer-url= IdP Issuer URL to be contacted (default: https://accounts.google.com)
+ -i, --client-id= Client ID to be used
+ -s, --client-secret= Client Secret to be used
+ -r, --redirect-url= Redirect URL to be communicated to the IdP (needs to indicate "out of band") (default: urn:ietf:wg:oauth:2.0:oob)
+ -c, --claim= Additional claims to be requested
 Help Options:
 -h, --help Show this help message
diff --git a/pkg/oidc/oidc.go b/pkg/oidc/oidc.go
index 9dc66c5..331c91d 100644
--- a/pkg/oidc/oidc.go
+++ b/pkg/oidc/oidc.go
@@ -11,10 +11,11 @@ import (
 )
 type Config struct {
- IssuerURL string `long:"issuer-url" description:"IdP Issuer URL to be contacted" default:"https://accounts.google.com"`
- ClientID string `long:"client-id" required:"yes" description:"Client ID to be used"`
- ClientSecret string `long:"client-secret" required:"yes" description:"Client Secret to be used"`
- RedirectURL string `long:"redirect-url" description:"Redirect URL to be communicated to the IdP (needs to indicate \"out of band\")" default:"urn:ietf:wg:oauth:2.0:oob"`
+ IssuerURL string `short:"u" long:"issuer-url" description:"IdP Issuer URL to be contacted" default:"https://accounts.google.com"`
+ ClientID string `short:"i" long:"client-id" required:"yes" description:"Client ID to be used"`
+ ClientSecret string `short:"s" long:"client-secret" required:"yes" description:"Client Secret to be used"`
+ RedirectURL string `short:"r" long:"redirect-url" description:"Redirect URL to be communicated to the IdP (needs to indicate \"out of band\")" default:"urn:ietf:wg:oauth:2.0:oob"`
+ Claims []string `short:"c" long:"claim" description:"Additional claims to be requested"`
 }
 type OIDCFlow struct {
@@ -56,6 +57,10 @@ func NewOpenIDConnectFlow(config *Config) (*OIDCFlow, error) {
 Scopes: []string{oidc.ScopeOpenID},
 }
+ if config.Claims != nil {
+ oauth2Config.Scopes = append(oauth2Config.Scopes, config.Claims...)
+ }
+
+ verifier := provider.Verifier(&oidc.Config{ClientID: config.ClientID})
+ return &OIDCFlow{
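Review bot: The description on the new Claims field (`Additional claims to be requested`) does not match what the value is used for: the second hunk in this file appends these strings to `oauth2Config.Scopes`, so they are sent as OAuth2 scope values (e.g. `email`, `profile`), not as OIDC claim names, and a user who passes a claim such as `given_name` will get an invalid_scope error or a silently ignored value depending on the IdP. Since `--claim` is now part of the CLI surface, at least make the tag honest: `description:"Additional OAuth2 scopes to request (e.g. email, profile); sent as scope values, not as an OIDC claims parameter"`, and mirror that wording in README.md. Separately, the new `short:"s"` makes it even more convenient to pass the client secret on the command line, where it is visible in process listings and shell history; if these are jessevdk/go-flags tags, an `env:` tag on ClientSecret would give callers a safer alternative without changing the flag.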
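Review bot: The values from `--claim` are appended to `oauth2Config.Scopes` without any validation; if this is golang.org/x/oauth2, the scopes are joined with spaces into the `scope` query parameter, so a value containing whitespace reaches the IdP as several scopes and an empty value yields a malformed parameter. The `config.Claims != nil` guard is also redundant, since `append` with an empty variadic is a no-op, so the loop below replaces it. Suggest rejecting anything outside the RFC 6749 scope-token grammar (printable ASCII without space, `"` and `\`) and returning an error, which needs `fmt` and `strings` imported if they are not already. NewOpenIDConnectFlow continues outside the hunk on both sides.
```go
	// … unchanged: oauth2Config literal …

	// Each value becomes one space-delimited scope token in the authorization
	// request; reject anything that cannot be encoded as one (RFC 6749 §3.3).
	for _, s := range config.Claims {
		if s == "" || strings.ContainsAny(s, " \t\r\n\"\\") {
			return nil, fmt.Errorf("invalid scope value %q", s)
		}
		oauth2Config.Scopes = append(oauth2Config.Scopes, s)
	}

	verifier := provider.Verifier(&oidc.Config{ClientID: config.ClientID})
```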