Dynamic Scopes support #2960

Signed-off-by: Andy Lo-A-Foe <andy.loafoe@gmail.com>

Author: loafoe

cmd/dex/config.go

@@ -245,6 +245,8 @@ type OAuth2 struct {
 	PasswordConnector string `json:"passwordConnector"`
 	// PKCE configuration
 	PKCE PKCE `json:"pkce"`
+	// List of additional scope prefixes to allow
+	AllowedScopePrefixes []string `json:"allowedScopePrefixes"`
 }
 
 // PKCE holds the PKCE (Proof Key for Code Exchange) configuration.

cmd/dex/serve.go

@@ -297,6 +297,9 @@ func runServe(options serveOptions) error {
 	if featureflags.ContinueOnConnectorFailure.Enabled() {
 		logger.Info("continue on connector failure feature flag enabled")
 	}
+	if len(c.OAuth2.AllowedScopePrefixes) > 0 {
+		logger.Info("config allowed scope prefixes", "prefixes", strings.Join(c.OAuth2.AllowedScopePrefixes, ","))
+	}
 
 	// explicitly convert to UTC.
 	now := func() time.Time { return time.Now().UTC() }

server/handlers.go

@@ -1548,7 +1548,16 @@ func (s *Server) handlePasswordGrant(w http.ResponseWriter, r *http.Request, cli
 		default:
 			peerID, ok := parseCrossClientScope(scope)
 			if !ok {
-				unrecognized = append(unrecognized, scope)
+				var recognized bool
+				for _, prefix := range s.allowedScopePrefixes {
+					if strings.HasPrefix(scope, prefix) {
+						recognized = true
+						break
+					}
+				}
+				if !recognized {
+					unrecognized = append(unrecognized, scope)
+				}
 				continue
 			}
 

server/oauth2.go

@@ -118,6 +118,7 @@ func tokenErr(w http.ResponseWriter, typ, description string, statusCode int) er
 	return nil
 }
 
+//nolint
 const (
 	errInvalidRequest          = "invalid_request"
 	errUnauthorizedClient      = "unauthorized_client"
@@ -566,7 +567,16 @@ func (s *Server) parseAuthorizationRequest(r *http.Request) (*storage.AuthReques
 		default:
 			peerID, ok := parseCrossClientScope(scope)
 			if !ok {
-				unrecognized = append(unrecognized, scope)
+				var recognized bool
+				for _, prefix := range s.allowedScopePrefixes {
+					if strings.HasPrefix(scope, prefix) {
+						recognized = true
+						break
+					}
+				}
+				if !recognized {
+					unrecognized = append(unrecognized, scope)
+				}
 				continue
 			}
 

server/server.go

@@ -147,6 +147,8 @@ type Config struct {
 
 	// DefaultMFAChain is applied to clients that don't specify their own mfaChain.
 	DefaultMFAChain []string
+
+	AllowedScopePrefixes []string
 }
 
 // SessionConfig holds resolved session configuration.
@@ -237,6 +239,8 @@ type Server struct {
 
 	pkce PKCEConfig
 
+	allowedScopePrefixes []string
+
 	now func() time.Time
 
 	idTokensValidFor       time.Duration
@@ -365,6 +369,7 @@ func newServer(ctx context.Context, c Config) (*Server, error) {
 		supportedResponseTypes: supportedRes,
 		supportedGrantTypes:    supportedGrants,
 		pkce:                   c.PKCE,
+		allowedScopePrefixes:   c.AllowedScopePrefixes,
 		idTokensValidFor:       value(c.IDTokensValidFor, 24*time.Hour),
 		authRequestsValidFor:   value(c.AuthRequestsValidFor, 24*time.Hour),
 		deviceRequestsValidFor: value(c.DeviceRequestsValidFor, 5*time.Minute),