public_git
/
oauth2-proxy
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #2229 from tuunit/bugfix/default-scopes-for-oidc-based-providers 

bugfix: default scopes for OIDCProvider based providers
This commit is contained in:
Joel Speed 2023-09-11 10:11:26 +01:00 committed by GitHub
parent 3c2d67d367 7683902a42
commit 854401ec00
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 37 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@ -11,6 +11,7 @@
- [#2221](https://github.com/oauth2-proxy/oauth2-proxy/pull/2221) Backwards compatible fix for wrong environment variable name (OAUTH2_PROXY_GOOGLE_GROUPS) (@kvanzuijlen)
- [#1989](https://github.com/oauth2-proxy/oauth2-proxy/pull/1989) Fix default scope for keycloak-oidc provider
- [#2217](https://github.com/oauth2-proxy/oauth2-proxy/pull/2217) Upgrade alpine to version 3.18 (@polarctos)
- [#2229](https://github.com/oauth2-proxy/oauth2-proxy/pull/2229) bugfix: default scopes for OIDCProvider based providers
# V7.5.0

5
providers/adfs.go
View File

@ -46,10 +46,7 @@ func NewADFSProvider(p *ProviderData, opts options.ADFSOptions) *ADFSProvider {
}
}
oidcProvider := &OIDCProvider{
ProviderData: p,
SkipNonce: false,
}
oidcProvider := NewOIDCProvider(p, options.OIDCOptions{InsecureSkipNonce: false})
return &ADFSProvider{
OIDCProvider: oidcProvider,

8
providers/adfs_test.go
View File

@ -136,7 +136,13 @@ var _ = Describe("ADFS Provider Tests", func() {
It("uses defaults", func() {
providerData := NewADFSProvider(&ProviderData{}, options.ADFSOptions{}).Data()
Expect(providerData.ProviderName).To(Equal("ADFS"))
Expect(providerData.Scope).To(Equal("openid email profile"))
Expect(providerData.Scope).To(Equal(oidcDefaultScope))
})
It("uses custom scope", func() {
providerData := NewADFSProvider(&ProviderData{Scope: "openid email"}, options.ADFSOptions{}).Data()
Expect(providerData.ProviderName).To(Equal("ADFS"))
Expect(providerData.Scope).To(Equal("openid email"))
Expect(providerData.Scope).NotTo(Equal(oidcDefaultScope))
})
})

5
providers/gitlab.go
View File

@ -40,10 +40,7 @@ func NewGitLabProvider(p *ProviderData, opts options.GitLabOptions) (*GitLabProv
p.Scope = gitlabDefaultScope
}
oidcProvider := &OIDCProvider{
ProviderData: p,
SkipNonce: false,
}
oidcProvider := NewOIDCProvider(p, options.OIDCOptions{InsecureSkipNonce: false})
provider := &GitLabProvider{
OIDCProvider: oidcProvider,

9
providers/gitlab_test.go
View File

@ -170,6 +170,15 @@ var _ = Describe("Gitlab Provider Tests", func() {
b.Close()
})
Context("New Provider Init", func() {
It("creates new keycloak oidc provider with expected defaults", func() {
providerData := p.Data()
Expect(providerData.ProviderName).To(Equal(gitlabProviderName))
Expect(providerData.Scope).To(Equal(gitlabDefaultScope))
Expect(providerData.ProviderName).NotTo(Equal(oidcDefaultScope))
})
})
Context("with bad token", func() {
It("should trigger an error", func() {
p.AllowUnverifiedEmail = false

4
providers/keycloak_oidc.go
View File

@ -22,9 +22,7 @@ func NewKeycloakOIDCProvider(p *ProviderData, opts options.KeycloakOptions) *Key
})
provider := &KeycloakOIDCProvider{
OIDCProvider: &OIDCProvider{
ProviderData: p,
},
OIDCProvider: NewOIDCProvider(p, options.OIDCOptions{InsecureSkipNonce: false}),
}
provider.addAllowedRoles(opts.Roles)

12
providers/keycloak_oidc_test.go
View File

@ -67,7 +67,7 @@ func newKeycloakOIDCProvider(serverURL *url.URL, opts options.KeycloakOptions) *
Scheme: "https",
Host: "keycloak-oidc.com",
Path: "/api/v3/user"},
Scope: "openid email profile"},
},
opts)
if serverURL != nil {
@ -97,7 +97,15 @@ var _ = Describe("Keycloak OIDC Provider Tests", func() {
Expect(providerData.RedeemURL.String()).To(Equal("https://keycloak-oidc.com/oauth/token"))
Expect(providerData.ProfileURL.String()).To(Equal("https://keycloak-oidc.com/api/v3/user"))
Expect(providerData.ValidateURL.String()).To(Equal("https://keycloak-oidc.com/api/v3/user"))
Expect(providerData.Scope).To(Equal("openid email profile"))
Expect(providerData.Scope).To(Equal(oidcDefaultScope))
})
It("creates new keycloak oidc provider with custom scope", func() {
p := NewKeycloakOIDCProvider(&ProviderData{Scope: "openid email"}, options.KeycloakOptions{})
providerData := p.Data()
Expect(providerData.ProviderName).To(Equal(keycloakOIDCProviderName))
Expect(providerData.Scope).To(Equal("openid email"))
Expect(providerData.Scope).NotTo(Equal(oidcDefaultScope))
})
})

8
providers/oidc.go
View File

@ -24,8 +24,14 @@ const oidcDefaultScope = "openid email profile"
// NewOIDCProvider initiates a new OIDCProvider
func NewOIDCProvider(p *ProviderData, opts options.OIDCOptions) *OIDCProvider {
name := "OpenID Connect"
if p.ProviderName != "" {
name = p.ProviderName
}
oidcProviderDefaults := providerDefaults{
name: "OpenID Connect",
name: name,
loginURL: nil,
redeemURL: nil,
profileURL: nil,