From 644cb687b97a9dd0192502c5f4951c3795c8b799 Mon Sep 17 00:00:00 2001
From: Matt Moyer
Date: Wed, 9 Dec 2020 09:36:45 -0600
Subject: [PATCH] Grant the Pinniped STS scope in authorize/callback handlers.

Signed-off-by: Matt Moyer
---
 internal/oidc/auth/auth_handler.go | 3 +++
 internal/oidc/callback/callback_handler.go | 3 ++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/internal/oidc/auth/auth_handler.go b/internal/oidc/auth/auth_handler.go
index 1998b72a..61ab7529 100644
--- a/internal/oidc/auth/auth_handler.go
+++ b/internal/oidc/auth/auth_handler.go
@@ -63,6 +63,9 @@ func NewHandler(
 // at this time, however we will temporarily grant the scope just in case that changes in a future release of fosite.
 oidc.GrantScopeIfRequested(authorizeRequester, coreosoidc.ScopeOfflineAccess)
 
+ // Grant the Pinniped STS scope if requested.
+ oidc.GrantScopeIfRequested(authorizeRequester, "pinniped.sts.unrestricted")
+
 now := time.Now()
 _, err = oauthHelper.NewAuthorizeResponse(r.Context(), authorizeRequester, &openid.DefaultSession{
 Claims: &jwt.IDTokenClaims{
diff --git a/internal/oidc/callback/callback_handler.go b/internal/oidc/callback/callback_handler.go
index 3c85ee4c..2cea6c2e 100644
--- a/internal/oidc/callback/callback_handler.go
+++ b/internal/oidc/callback/callback_handler.go
@@ -71,9 +71,10 @@ func NewHandler(
 return httperr.New(http.StatusBadRequest, "error using state downstream auth params")
 }
 
- // Automatically grant the openid and offline_access scopes, but only if they were requested.
+ // Automatically grant the openid, offline_access, and Pinniped STS scopes, but only if they were requested.
 oidc.GrantScopeIfRequested(authorizeRequester, coreosoidc.ScopeOpenID)
 oidc.GrantScopeIfRequested(authorizeRequester, coreosoidc.ScopeOfflineAccess)
+ oidc.GrantScopeIfRequested(authorizeRequester, "pinniped.sts.unrestricted")
 
 token, err := upstreamIDPConfig.ExchangeAuthcodeAndValidateTokens(
 r.Context(),
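Review bot: The scope name `"pinniped.sts.unrestricted"` is introduced as a bare string literal in the new `GrantScopeIfRequested` call here and again in internal/oidc/callback/callback_handler.go, whereas the neighbouring grants use named constants (`coreosoidc.ScopeOpenID`, `coreosoidc.ScopeOfflineAccess`). Because this scope gates access to whatever the STS flow later checks, a typo in one copy would silently make the two handlers disagree about what was granted; defining it once in the shared `oidc` package and referencing it from both handlers, e.g. `oidc.GrantScopeIfRequested(authorizeRequester, oidc.ScopePinnipedSTSUnrestricted)` with `ScopePinnipedSTSUnrestricted = "pinniped.sts.unrestricted"` (constructed name), keeps the value in one place for both grant sites and for the consumer that enforces it. The added comment could also say what the scope authorizes and why granting it on request is safe, e.g. `// Grant the Pinniped STS scope if requested; presumably fosite's client scope validation already limits which clients may ask for it — confirm.` The enclosing NewHandler starts and ends outside this hunk.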
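Review bot: The rewritten comment in callback_handler.go names a "Pinniped STS scope" but nothing in this file explains what STS refers to or which component later relies on the grant, so a reader of this handler cannot tell whether granting it here has any effect on its own. A short pointer would help, e.g. `// "pinniped.sts.unrestricted" is the scope the Pinniped token-exchange (STS) path checks for; granting it here only records that the client asked for and is allowed it — confirm where it is enforced.` Note that the grant happens before ExchangeAuthcodeAndValidateTokens, which is fine since a failed upstream exchange issues no downstream response, but that ordering is worth stating in the comment. NewHandler begins before this hunk and the ExchangeAuthcodeAndValidateTokens call continues past it.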