feat: map Scope from membership in stack token (#994)

Co-authored-by: David Ragot <[email protected]>
formancehq · Dec 11, 2023 · e5a0197 · e5a0197 · vercel · Dec 11, 2023
1 parent 3ecf1d6
commit e5a0197
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 8 deletions.
diff --git a/ee/auth/pkg/oidc/grant_type_bearer.go b/ee/auth/pkg/oidc/grant_type_bearer.go
@@ -106,6 +106,15 @@ func grantTypeBearer(issuer string, p JWTAuthorizationGrantExchanger) http.Handl
 			op.RequestError(w, r, err)
 			return
 		}
+
+		tokens, err := ParseAssertion(profileRequest.Assertion)
+		if err != nil {
+			op.RequestError(w, r, err)
+			return
+		}
+
+		tokenRequest.Scopes = tokens.Scopes
+
 		resp, err := CreateJWTTokenResponse(r.Context(), issuer, tokenRequest, p, client)
 		if err != nil {
 			op.RequestError(w, r, err)
@@ -116,6 +125,17 @@ func grantTypeBearer(issuer string, p JWTAuthorizationGrantExchanger) http.Handl
 	}
 }
 
+func ParseAssertion(assertion string) (*oidc.AccessTokenClaims, error) {
+	var claims = new(oidc.AccessTokenClaims)
+
+	_, err := oidc.ParseToken(assertion, claims)
+	if err != nil {
+		return nil, err
+	}
+
+	return claims, nil
+}
+
 func CreateJWTTokenResponse(ctx context.Context, issuer string, tokenRequest *oidc.JWTTokenRequest, creator op.TokenCreator, client op.Client) (*oidc.AccessTokenResponse, error) {
 	id, exp, err := creator.Storage().CreateAccessToken(ctx, tokenRequest)
 	if err != nil {

diff --git a/tests/integration/suite/auth-jwt-bearer.go b/tests/integration/suite/auth-jwt-bearer.go
@@ -3,6 +3,11 @@ package suite
 import (
 	"bytes"
 	"encoding/json"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+
 	"github.com/formancehq/stack/libs/go-libs/collectionutils"
 	. "github.com/formancehq/stack/tests/integration/internal"
 	"github.com/formancehq/stack/tests/integration/internal/modules"
@@ -11,10 +16,6 @@ import (
 	. "github.com/onsi/gomega"
 	"github.com/zitadel/oidc/v2/pkg/oidc"
 	"golang.org/x/oauth2"
-	"net/http"
-	"net/url"
-	"strings"
-	"time"
 )
 
 type claims struct {
@@ -38,7 +39,7 @@ func forgeSecurityToken(scopes ...string) string {
 }
 
 func exchangeSecurityToken(securityToken string, scopes ...string) *oauth2.Token {
-	scopes = append(scopes, "openid", "email")
+	scopes = append(scopes, "email")
 	form := url.Values{
 		"grant_type": []string{"urn:ietf:params:oauth:grant-type:jwt-bearer"},
 		"assertion":  []string{securityToken},
@@ -65,22 +66,23 @@ var _ = WithModules([]*Module{modules.Auth}, func() {
 		securityToken string
 	)
 	BeforeEach(func() {
-		securityToken = forgeSecurityToken("scope1")
+		securityToken = forgeSecurityToken("openid scope1")
 	})
 	When("exchanging security token against an access token", func() {
 		var (
 			token *oauth2.Token
 		)
 		BeforeEach(func() {
-			token = exchangeSecurityToken(securityToken, "scope1")
+			token = exchangeSecurityToken(securityToken, "other_scope1 other_scope2")
 		})
-		It("should be ok", func() {
+		It("should be ok, even if wrong scope are asked", func() {
 			accessTokenClaims := &oidc.AccessTokenClaims{}
 			_, err := oidc.ParseToken(token.AccessToken, accessTokenClaims)
 			Expect(err).To(Succeed())
 
 			Expect(accessTokenClaims.Scopes).To(HaveLen(2))
 			Expect(collectionutils.Contains(accessTokenClaims.Scopes, "scope1")).To(BeTrue())
+			Expect(collectionutils.Contains(accessTokenClaims.Scopes, "openid")).To(BeTrue())
 		})
 	})
 })