From ed075bc9b9b23472cf8ec1c160e9a6e71effd0ee Mon Sep 17 00:00:00 2001
From: Maycon Santos
Date: Sun, 25 Jun 2023 13:59:45 +0200
Subject: [PATCH] Refactor: Configurable supported scopes (#985)
* Refactor: Configurable supported scopes
Previously, supported scopes were hardcoded and limited to Auth0 and Keycloak. This update removes the default set of values, providing flexibility. The value to be set for each Identity Provider (IDP) is specified in their respective documentation.
* correct var
* correct var
* skip fetching scopes from openid-configuration
---
 .github/workflows/test-docker-compose-linux.yml | 1 +
 infrastructure_files/configure.sh | 7 -------
 infrastructure_files/setup.env.example | 5 ++++-
 infrastructure_files/tests/setup.env | 1 +
 4 files changed, 6 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/test-docker-compose-linux.yml b/.github/workflows/test-docker-compose-linux.yml
index ef57dbe60..274edcb6b 100644
--- a/.github/workflows/test-docker-compose-linux.yml
+++ b/.github/workflows/test-docker-compose-linux.yml
@@ -53,6 +53,7 @@ jobs:
 CI_NETBIRD_MGMT_IDP: "none"
 CI_NETBIRD_IDP_MGMT_CLIENT_ID: testing.client.id
 CI_NETBIRD_IDP_MGMT_CLIENT_SECRET: testing.client.secret
+ CI_NETBIRD_AUTH_SUPPORTED_SCOPES: "openid profile email offline_access api email_verified"
 - name: check values
 working-directory: infrastructure_files
diff --git a/infrastructure_files/configure.sh b/infrastructure_files/configure.sh
index 663baa7da..6b083e29a 100755
--- a/infrastructure_files/configure.sh
+++ b/infrastructure_files/configure.sh
@@ -97,16 +97,9 @@ curl "${NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT}" -q -o openid-configuration.js
 export NETBIRD_AUTH_AUTHORITY=$(jq -r '.issuer' openid-configuration.json)
 export NETBIRD_AUTH_JWT_CERTS=$(jq -r '.jwks_uri' openid-configuration.json)
-export NETBIRD_AUTH_SUPPORTED_SCOPES=$(jq -r '.scopes_supported | join(" ")' openid-configuration.json)
 export NETBIRD_AUTH_TOKEN_ENDPOINT=$(jq -r '.token_endpoint' openid-configuration.json)
 export NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT=$(jq -r '.device_authorization_endpoint' openid-configuration.json)
-if [ "$NETBIRD_USE_AUTH0" == "true" ]; then
- export NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api email_verified"
-else
- export NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api"
-fi
-
 if [[ ! -z "${NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID}" ]]; then
 # user enabled Device Authorization Grant feature
 export NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="hosted"
diff --git a/infrastructure_files/setup.env.example b/infrastructure_files/setup.env.example
index ca3725537..32523e8d0 100644
--- a/infrastructure_files/setup.env.example
+++ b/infrastructure_files/setup.env.example
@@ -11,7 +11,10 @@ NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT=""
 NETBIRD_AUTH_AUDIENCE=""
 # e.g. netbird-client
 NETBIRD_AUTH_CLIENT_ID=""
-NETBIRD_AUTH_CLIENT_SECRET=""
+# indicates the scopes that will be requested to the IDP
+NETBIRD_AUTH_SUPPORTED_SCOPES=""
+# NETBIRD_AUTH_CLIENT_SECRET is required only by Google workspace.
+# NETBIRD_AUTH_CLIENT_SECRET=""
 # if you want to use a custom claim for the user ID instead of 'sub', set it here
 # NETBIRD_AUTH_USER_ID_CLAIM=""
 # indicates whether to use Auth0 or not: true or false
diff --git a/infrastructure_files/tests/setup.env b/infrastructure_files/tests/setup.env
index f28386eea..6cf1acdf4 100644
--- a/infrastructure_files/tests/setup.env
+++ b/infrastructure_files/tests/setup.env
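Review bot: With both the `.scopes_supported` lookup and the Auth0/Keycloak defaults removed, nothing in this hunk checks that NETBIRD_AUTH_SUPPORTED_SCOPES is actually set, so a setup.env that omits it (or keeps the example's empty string) presumably yields a generated config with an empty scope list, and the failure surfaces only when a client tries to log in. A guard next to the remaining jq exports would make the misconfiguration fail at setup time instead: `: "${NETBIRD_AUTH_SUPPORTED_SCOPES:?must be set in setup.env (space-separated list; see your IDP's documentation)}"`. Whether the script already runs under `set -u` or validates required variables elsewhere is not visible here; the script body continues outside the hunk on both sides.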
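Review bot: The new `NETBIRD_AUTH_SUPPORTED_SCOPES=""` entry in setup.env.example reads as optional, sitting right above the now-commented-out client secret, yet configure.sh no longer derives a value for it, so the comment should state that it is mandatory and give the expected format. Something like `# required: space-separated list of scopes requested from the IDP, e.g. "openid profile email" — see your IDP's documentation` would match the wording in the commit description. The "required only by Google workspace" remark on NETBIRD_AUTH_CLIENT_SECRET is not something this diff can confirm; if other providers also need it, that comment will mislead operators into leaving it unset.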
@@ -6,6 +6,7 @@ NETBIRD_DOMAIN=$CI_NETBIRD_DOMAIN
 NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://example.eu.auth0.com/.well-known/openid-configuration"
 # e.g. netbird-client
 NETBIRD_AUTH_CLIENT_ID=$CI_NETBIRD_AUTH_CLIENT_ID
+NETBIRD_AUTH_SUPPORTED_SCOPES=$CI_NETBIRD_AUTH_SUPPORTED_SCOPES
 NETBIRD_AUTH_CLIENT_SECRET=$CI_NETBIRD_AUTH_CLIENT_SECRET
 # indicates whether to use Auth0 or not: true or false
 NETBIRD_USE_AUTH0=$CI_NETBIRD_USE_AUTH0