Custom scopes (#58)

* make docker image prefix and name configurable in the docker build script * customizable scopes to request for OidcConfig instead of default "openid profile email" * update crd Co-authored-by: Mario Hros <[email protected]>
ibm-cloud-security · Mar 10, 2020 · 299839c · 299839c
1 parent 179fda2
commit 299839c
Show file tree

Hide file tree

Showing 7 changed files with 37 additions and 14 deletions.
diff --git a/README.md b/README.md
@@ -137,6 +137,7 @@ Depending on whether you're protecting frontend or backend applications, create
     | `clientSecretRef` | object | no | A reference secret that is used to authenticate the client. This can be used in place of the `clientSecret`. |
     | `clientSecretRef.name` | string |yes | The name of the Kubernetes Secret that contains the `clientSecret`. |
     | `clientSecretRef.key` | string | yes | The field within the Kubernetes Secret that contains the `clientSecret`. |
+    | `scopes` | array[string] | no | The scopes to request (`openid profile email` by default). |
 
 
 * For backend applications: The OAuth 2.0 Bearer token spec defines a pattern for protecting APIs by using [JSON Web Tokens (JWTs)](https://tools.ietf.org/html/rfc7519.html). Using the following configuration as an example, define a `JwtConfig` CRD that contains the public key resource, which is used to validate token signatures.

diff --git a/adapter/client/client.go b/adapter/client/client.go
@@ -2,18 +2,20 @@ package client
 
 import (
 	"errors"
+	"strings"
 
 	"go.uber.org/zap"
 
 	"github.com/ibm-cloud-security/app-identity-and-access-adapter/adapter/authserver"
-	"github.com/ibm-cloud-security/app-identity-and-access-adapter/adapter/pkg/apis/policies/v1"
+	v1 "github.com/ibm-cloud-security/app-identity-and-access-adapter/adapter/pkg/apis/policies/v1"
 )
 
 // Client encapsulates an authn/z client object
 type Client interface {
 	Name() string
 	ID() string
 	Secret() string
+	Scope() string
 	AuthorizationServer() authserver.AuthorizationServerService
 	ExchangeGrantCode(code string, redirectURI string) (*authserver.TokenResponse, error)
 	RefreshToken(refreshToken string) (*authserver.TokenResponse, error)
@@ -36,6 +38,13 @@ func (c *remoteClient) Secret() string {
 	return c.ClientSecret
 }
 
+func (c *remoteClient) Scope() string {
+	if len(c.Scopes) == 0 {
+		return "openid profile email"
+	}
+	return strings.Join(c.Scopes, " ")
+}
+
 func (c *remoteClient) AuthorizationServer() authserver.AuthorizationServerService {
 	return c.authServer
 }

diff --git a/adapter/pkg/apis/policies/v1/oidc_config.go b/adapter/pkg/apis/policies/v1/oidc_config.go
@@ -17,17 +17,18 @@ type OidcConfig struct {
 
 // OidcConfigSpec is the spec for a OidcConfig resource
 type OidcConfigSpec struct {
-	ClientName       string
-	AuthMethod       string `json:"authMethod"`
-	ClientID         string `json:"clientId"`
-	DiscoveryURL     string `json:"discoveryUrl"`
-	ClientSecret     string `json:"clientSecret"`
+	ClientName      string
+	AuthMethod      string          `json:"authMethod"`
+	ClientID        string          `json:"clientId"`
+	DiscoveryURL    string          `json:"discoveryUrl"`
+	ClientSecret    string          `json:"clientSecret"`
 	ClientSecretRef ClientSecretRef `json:"clientSecretRef"`
+	Scopes          []string        `json:"scopes"`
 }
 
 type ClientSecretRef struct {
-	Name	string `json:"name"`
-	Key		string `json:"key"`
+	Name string `json:"name"`
+	Key  string `json:"key"`
 }
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

diff --git a/adapter/strategy/web/utils.go b/adapter/strategy/web/utils.go
@@ -11,7 +11,7 @@ import (
 	"go.uber.org/zap"
 
 	"github.com/ibm-cloud-security/app-identity-and-access-adapter/adapter/client"
-	"github.com/ibm-cloud-security/app-identity-and-access-adapter/config/template"
+	authnz "github.com/ibm-cloud-security/app-identity-and-access-adapter/config/template"
 )
 
 const (
@@ -60,7 +60,7 @@ func generateAuthorizationURL(c client.Client, redirectURI string, state string)
 		"client_id":     {c.ID()},
 		"response_type": {"code"},
 		"redirect_uri":  {redirectURI},
-		"scope":         {"openid profile email"},
+		"scope":         {c.Scope()},
 		"state":         {state},
 	}
 

diff --git a/bin/docker_build_tag_push.sh b/bin/docker_build_tag_push.sh
@@ -58,13 +58,13 @@ function buildAndDeploy() {
 }
 
 
-IMAGE_REGISTRY_NAMESPACE=ibmcloudsecurity
-APP_NAME=app-identity-and-access-adapter
+IMAGE_REGISTRY_NAMESPACE=${IMAGE_REGISTRY_NAMESPACE:-ibmcloudsecurity}
+APP_NAME=${APP_NAME:-app-identity-and-access-adapter}
 TAG=$(buildTag $1)
 IMAGE_TAG=${IMAGE_REGISTRY_NAMESPACE}/${APP_NAME}:${TAG}
 sourceDir="$(dirname "${BASH_SOURCE[0]}")"
 
 # Execute
 checkTools
 buildAndDeploy
-export IMAGE_TEST_TAG=${TAG}
+export IMAGE_TEST_TAG=${TAG}
diff --git a/helm/appidentityandaccessadapter/templates/oidc-config.yaml b/helm/appidentityandaccessadapter/templates/oidc-config.yaml
@@ -47,3 +47,8 @@ spec:
                             required:
                             - name
                             - key
+                        scopes:
+                            type: array
+                            items:
+                                type: string
+                            minItems: 1
diff --git a/tests/fake/client.go b/tests/fake/client.go
@@ -1,6 +1,8 @@
 package fake
 
-import "github.com/ibm-cloud-security/app-identity-and-access-adapter/adapter/authserver"
+import (
+	"github.com/ibm-cloud-security/app-identity-and-access-adapter/adapter/authserver"
+)
 
 type TokenResponse struct {
 	Res *authserver.TokenResponse
@@ -13,6 +15,7 @@ type Client struct {
 	ClientName    string
 	ClientID      string
 	ClientSecret  string
+	Scopes        []string
 }
 
 func NewClient(tokenResponse *TokenResponse) *Client {
@@ -37,6 +40,10 @@ func (m *Client) Secret() string {
 	return m.ClientSecret
 }
 
+func (m *Client) Scope() string {
+	return "openid profile email"
+}
+
 func (m *Client) AuthorizationServer() authserver.AuthorizationServerService {
 	return m.Server
 }