Add configurable scopes to generic oauth2 support

2017-04-07 14:58:35 -05:00 · 2017-04-07 14:58:35 -05:00 · 84f1263357
parent 51fdcdb944
commit 84f1263357
3 changed files with 32 additions and 19 deletions
--- a/docs/auth.md
+++ b/docs/auth.md
@ -132,6 +132,17 @@ The generic OAuth2 provider has many settings that are required.
 * `GENERIC_TOKEN_URL` : OAuth 2.0 provider's token endpoint [endpoint](https://tools.ietf.org/html/rfc6749#section-3.2) is used by the client to obtain an access token
 * `TOKEN_SECRET` : Used to validate OAuth [state](https://tools.ietf.org/html/rfc6749#section-4.1.1) response. (see above)

+#### Optional Scopes
+By default chronograf will ask for the `user:email`
+[scope](https://tools.ietf.org/html/rfc6749#section-3.3)
+of the client.  If your
+provider scopes email access under a different scope or scopes provide them as 
+comma separated values in the `GENERIC_SCOPES` environment variable.
+
+```sh
+export GENERIC_SCOPES="openid,email" # Requests access to openid and email scopes
+```
+
 #### Optional Email domains
 Also, the generic OAuth2 provider has a few optional parameters as well.

--- a/oauth2/generic.go
+++ b/oauth2/generic.go
@ -18,14 +18,15 @@ var _ Provider = &Generic{}
 // cookie.  This cookie's value is a JWT containing the user's primary
 // email address.
 type Generic struct {
-	PageName     string // Name displayed on the login page
-	ClientID     string
-	ClientSecret string
-	Domains      []string // Optional email domain checking
-	AuthURL      string
-	TokenURL     string
-	APIURL       string // APIURL returns OpenID Userinfo
-	Logger       chronograf.Logger
+	PageName       string // Name displayed on the login page
+	ClientID       string
+	ClientSecret   string
+	RequiredScopes []string
+	Domains        []string // Optional email domain checking
+	AuthURL        string
+	TokenURL       string
+	APIURL         string // APIURL returns OpenID Userinfo
+	Logger         chronograf.Logger
 }

 // Name is the name of the provider
@ -46,10 +47,9 @@ func (g *Generic) Secret() string {
 	return g.ClientSecret
 }

-// Scopes for generic is only the email address
+// Scopes for generic provider required of the client.
 func (g *Generic) Scopes() []string {
-	scopes := []string{"user:email"}
-	return scopes
+	return g.RequiredScopes
 }

 // Config is the Generic OAuth2 exchange information and endpoints
--- a/server/server.go
+++ b/server/server.go
@ -70,6 +70,7 @@ type Server struct {
 	GenericName         string   `long:"generic-name" description:"Generic OAuth2 name presented on the login page"  env:"GENERIC_NAME"`
 	GenericClientID     string   `long:"generic-client-id" description:"Generic OAuth2 Client ID. Can be used own OAuth2 service."  env:"GENERIC_CLIENT_ID"`
 	GenericClientSecret string   `long:"generic-client-secret" description:"Generic OAuth2 Client Secret" env:"GENERIC_CLIENT_SECRET"`
+	GenericScopes       []string `long:"generic-scopes" description:"Scopes requested by provider of web client." default:"user:email" env:"GENERIC_SCOPES" env-delim:","`
 	GenericDomains      []string `long:"generic-domains" description:"Email domain users' email address to have (example.com)" env:"GENERIC_DOMAINS" env-delim:","`
 	GenericAuthURL      string   `long:"generic-auth-url" description:"OAuth 2.0 provider's authorization endpoint URL" env:"GENERIC_AUTH_URL"`
 	GenericTokenURL     string   `long:"generic-token-url" description:"OAuth 2.0 provider's token endpoint URL" env:"GENERIC_TOKEN_URL"`
@ -155,14 +156,15 @@ func (s *Server) herokuOAuth(logger chronograf.Logger, auth oauth2.Authenticator

 func (s *Server) genericOAuth(logger chronograf.Logger, auth oauth2.Authenticator) (oauth2.Provider, oauth2.Mux, func() bool) {
 	gen := oauth2.Generic{
-		PageName:     s.GenericName,
-		ClientID:     s.GenericClientID,
-		ClientSecret: s.GenericClientSecret,
-		Domains:      s.GenericDomains,
-		AuthURL:      s.GenericAuthURL,
-		TokenURL:     s.GenericTokenURL,
-		APIURL:       s.GenericAPIURL,
-		Logger:       logger,
+		PageName:       s.GenericName,
+		ClientID:       s.GenericClientID,
+		ClientSecret:   s.GenericClientSecret,
+		RequiredScopes: s.GenericScopes,
+		Domains:        s.GenericDomains,
+		AuthURL:        s.GenericAuthURL,
+		TokenURL:       s.GenericTokenURL,
+		APIURL:         s.GenericAPIURL,
+		Logger:         logger,
 	}
 	jwt := oauth2.NewJWT(s.TokenSecret)
 	genMux := oauth2.NewAuthMux(&gen, auth, jwt, logger)