Grant the Pinniped STS scope in authorize/callback handlers.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 09:36:45 -06:00 · 2020-12-09 09:36:45 -06:00 · 644cb687b9
commit 644cb687b9
parent bebe25c32e
2 changed files with 5 additions and 1 deletions
--- a/internal/oidc/auth/auth_handler.go
+++ b/internal/oidc/auth/auth_handler.go
@ -63,6 +63,9 @@ func NewHandler(
 		// at this time, however we will temporarily grant the scope just in case that changes in a future release of fosite.
 		oidc.GrantScopeIfRequested(authorizeRequester, coreosoidc.ScopeOfflineAccess)

+		// Grant the Pinniped STS scope if requested.
+		oidc.GrantScopeIfRequested(authorizeRequester, "pinniped.sts.unrestricted")
+
 		now := time.Now()
 		_, err = oauthHelper.NewAuthorizeResponse(r.Context(), authorizeRequester, &openid.DefaultSession{
 			Claims: &jwt.IDTokenClaims{
--- a/internal/oidc/callback/callback_handler.go
+++ b/internal/oidc/callback/callback_handler.go
@ -71,9 +71,10 @@ func NewHandler(
 			return httperr.New(http.StatusBadRequest, "error using state downstream auth params")
 		}

-		// Automatically grant the openid and offline_access scopes, but only if they were requested.
+		// Automatically grant the openid, offline_access, and Pinniped STS scopes, but only if they were requested.
 		oidc.GrantScopeIfRequested(authorizeRequester, coreosoidc.ScopeOpenID)
 		oidc.GrantScopeIfRequested(authorizeRequester, coreosoidc.ScopeOfflineAccess)
+		oidc.GrantScopeIfRequested(authorizeRequester, "pinniped.sts.unrestricted")

 		token, err := upstreamIDPConfig.ExchangeAuthcodeAndValidateTokens(
 			r.Context(),