fix: support client customized scopes for OpenID (#9880)

Fixes #9238
2025-11-09 05:34:56 -05:00 · 2020-06-22 12:08:50 -07:00
parent cae09d8b84
commit e92434c2e7
7 changed files with 72 additions and 22 deletions
--- a/cmd/config/identity/openid/help.go
+++ b/cmd/config/identity/openid/help.go
@@ -44,6 +44,12 @@ var (
 			Optional:    true,
 			Type:        "string",
 		},
+		config.HelpKV{
+			Key:         Scopes,
+			Description: `Comma separated list of OpenID scopes for server, defaults to advertised scopes from discovery document e.g. "email,admin"`,
+			Optional:    true,
+			Type:        "csv",
+		},
 		config.HelpKV{
 			Key:         config.Comment,
 			Description: config.DefaultComment,
--- a/cmd/config/identity/openid/jwt.go
+++ b/cmd/config/identity/openid/jwt.go
@@ -24,6 +24,7 @@ import (
 	"io"
 	"net/http"
 	"strconv"
+	"strings"
 	"time"

 	jwtgo "github.com/dgrijalva/jwt-go"
@@ -217,12 +218,14 @@ const (
 	ClaimName   = "claim_name"
 	ClaimPrefix = "claim_prefix"
 	ClientID    = "client_id"
+	Scopes      = "scopes"

 	EnvIdentityOpenIDClientID    = "MINIO_IDENTITY_OPENID_CLIENT_ID"
 	EnvIdentityOpenIDJWKSURL     = "MINIO_IDENTITY_OPENID_JWKS_URL"
 	EnvIdentityOpenIDURL         = "MINIO_IDENTITY_OPENID_CONFIG_URL"
 	EnvIdentityOpenIDClaimName   = "MINIO_IDENTITY_OPENID_CLAIM_NAME"
 	EnvIdentityOpenIDClaimPrefix = "MINIO_IDENTITY_OPENID_CLAIM_PREFIX"
+	EnvIdentityOpenIDScopes      = "MINIO_IDENTITY_OPENID_SCOPES"
 )

 // DiscoveryDoc - parses the output from openid-configuration
@@ -287,6 +290,10 @@ var (
 			Key:   ClaimPrefix,
 			Value: "",
 		},
+		config.KV{
+			Key:   Scopes,
+			Value: "",
+		},
 		config.KV{
 			Key:   JwksURL,
 			Value: "",
@@ -331,6 +338,19 @@ func LookupConfig(kvs config.KVS, transport *http.Transport, closeRespFn func(io
 		}
 	}

+	if scopeList := env.Get(EnvIdentityOpenIDScopes, kvs.Get(Scopes)); scopeList != "" {
+		var scopes []string
+		for _, scope := range strings.Split(scopeList, ",") {
+			scope = strings.TrimSpace(scope)
+			if scope == "" {
+				return c, config.Errorf("empty scope value is not allowed '%s', please refer to our documentation", scopeList)
+			}
+			scopes = append(scopes, scope)
+		}
+		// Replace the discovery document scopes by client customized scopes.
+		c.DiscoveryDoc.ScopesSupported = scopes
+	}
+
 	if c.ClaimName == "" {
 		c.ClaimName = iampolicy.PolicyName
 	}