From b7fda91d0749f30015b0dc12c5cb709adc00f4cc Mon Sep 17 00:00:00 2001
From: Will Vedder
Date: Thu, 1 Dec 2022 16:53:08 -0500
Subject: [PATCH] Add all management API scopes to requiredScopes in auth pkg
---
 internal/auth/auth.go | 59 +++++++++++++++++++++++++++-----------
 internal/auth/auth_test.go | 38 ++++++++++++++++++++----
 2 files changed, 75 insertions(+), 22 deletions(-)
diff --git a/internal/auth/auth.go b/internal/auth/auth.go
index 1168cdb0c..2a61fdc1b 100644
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -26,23 +26,50 @@ const (
 var requiredScopes = []string{
 "openid",
- "offline_access", // <-- to get a refresh token.
- "create:clients", "delete:clients", "read:clients", "update:clients",
- "create:resource_servers", "delete:resource_servers", "read:resource_servers", "update:resource_servers",
- "create:roles", "delete:roles", "read:roles", "update:roles",
- "create:rules", "delete:rules", "read:rules", "update:rules",
- "create:users", "delete:users", "read:users", "update:users",
- "read:branding", "update:branding",
- "read:email_templates", "update:email_templates",
- "read:connections", "update:connections",
- "read:client_keys", "read:logs", "read:tenant_settings",
- "read:custom_domains", "create:custom_domains", "update:custom_domains", "delete:custom_domains",
- "read:anomaly_blocks", "delete:anomaly_blocks",
- "create:log_streams", "delete:log_streams", "read:log_streams", "update:log_streams",
- "create:actions", "delete:actions", "read:actions", "update:actions",
- "create:organizations", "delete:organizations", "read:organizations", "update:organizations", "read:organization_members", "read:organization_member_roles",
- "read:prompts", "update:prompts",
+ "offline_access", // This is used to retrieve a refresh token.
+ "create:clients", "read:clients", "update:clients", "delete:clients",
+ "read:client_keys",
+ "create:client_grants", "read:client_grants", "update:client_grants", "delete:client_grants",
+ "create:resource_servers", "read:resource_servers", "update:resource_servers", "delete:resource_servers",
+ "create:connections", "read:connections", "update:connections", "delete:connections",
+ "create:users", "read:users", "update:users", "delete:users",
+ "create:roles", "read:roles", "update:roles", "delete:roles",
+ "create:actions", "read:actions", "update:actions", "delete:actions",
+ "read:triggers", "update:triggers",
+ "create:rules", "read:rules", "update:rules", "delete:rules",
+ "read:rules_configs", "update:rules_configs", "delete:rules_configs",
+ "create:hooks", "read:hooks", "update:hooks", "delete:hooks", "read:attack_protection", "update:attack_protection",
+ "create:organizations", "read:organizations", "update:organizations", "delete:organizations",
+ "create:organization_members", "read:organization_members", "delete:organization_members",
+ "create:organization_connections", "read:organization_connections", "update:organization_connections", "delete:organization_connections",
+ "create:organization_member_roles", "read:organization_member_roles", "delete:organization_member_roles",
+ "create:organization_invitations", "read:organization_invitations", "delete:organization_invitations",
+ "read:prompts", "update:prompts",
+ "read:branding", "update:branding", "delete:branding",
+ "create:custom_domains", "read:custom_domains", "update:custom_domains", "delete:custom_domains",
+ "create:email_provider", "read:email_provider", "update:email_provider", "delete:email_provider",
+ "create:email_templates", "read:email_templates", "update:email_templates",
+ "read:tenant_settings", "update:tenant_settings",
+ "read:anomaly_blocks", "delete:anomaly_blocks",
+ "create:log_streams", "read:log_streams", "update:log_streams", "delete:log_streams",
+ "read:stats",
+ "read:insights",
+ "read:logs",
+ "create:shields", "read:shields", "update:shields", "delete:shields",
+ "create:users_app_metadata", "read:users_app_metadata", "update:users_app_metadata", "delete:users_app_metadata",
+ "create:user_custom_blocks", "read:user_custom_blocks", "delete:user_custom_blocks",
+ "create:user_tickets",
+ "blacklist:tokens",
+ "read:grants", "delete:grants",
+ "read:mfa_policies", "update:mfa_policies",
+ "read:guardian_factors", "update:guardian_factors",
+ "read:guardian_enrollments", "delete:guardian_enrollments",
+ "create:guardian_enrollment_tickets",
+ "read:user_idp_tokens",
+ "create:passwords_checking_job", "delete:passwords_checking_job",
+ "read:limits", "update:limits",
+ "read:entitlements",
 }
 // Authenticator is used to facilitate the login process.
diff --git a/internal/auth/auth_test.go b/internal/auth/auth_test.go
index 20e675b3a..0d360d326 100644
--- a/internal/auth/auth_test.go
+++ b/internal/auth/auth_test.go
@@ -3,14 +3,24 @@ package auth
 import "testing"
 func TestRequiredScopes(t *testing.T) {
- t.Run("verify CRUD", func(t *testing.T) {
+ t.Run("Verify CRUD scopes", func(t *testing.T) {
 crudResources := []string{
 "clients",
+ "client_grants",
+ "connections",
 "log_streams",
 "resource_servers",
 "roles",
 "rules",
 "users",
+ "actions",
+ "hooks",
+ "organizations",
+ "organization_connections",
+ "custom_domains",
+ "email_provider",
+ "shields",
+ "users_app_metadata",
 }
 crudPrefixes := []string{"create:", "delete:", "read:", "update:"}
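Review bot: `requiredScopes` still carries no doc comment although this hunk makes it the complete management API scope set requested at login, including every `delete:` scope, `blacklist:tokens` and `offline_access`, so a reader of auth.go cannot tell that the breadth is deliberate or what it implies for the tokens the CLI stores. Suggest adding above the `var` line: `// requiredScopes lists every management API scope the login flow requests; the access token, and the refresh token obtained through offline_access, are therefore as privileged as the tenant grants, and trimming this list is the lever for limiting what a leaked token can do.` The tenant-side bound is inferred rather than visible in this hunk, so reword that clause if the CLI constrains scopes elsewhere. As a style point, the `"create:hooks", … "delete:hooks", "read:attack_protection", "update:attack_protection",` line packs two resources onto one line while every other line holds a single resource; splitting it keeps the per-resource layout the rest of the list follows.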
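Review bot: The resources added to crudResources here all have create/read/update/delete entries in auth.go, but the scopes with only a partial set — `rules_configs`, `email_templates`, `organization_members`, `organization_member_roles`, `organization_invitations` and `user_custom_blocks` — are asserted neither in this subtest (crudPrefixes demands all four prefixes) nor in the `list` literal of the following hunk, and `openid` and `offline_access` are not asserted anywhere either. A later edit that drops one of those would pass TestRequiredScopes unchanged. The least intrusive fix is to append them to `list` in the "Verify special scopes" subtest, whose literal lives in the next hunk; the appended lines are below.
```go
		// … unchanged: existing special-scope entries …
		"openid", "offline_access",
		"read:rules_configs", "update:rules_configs", "delete:rules_configs",
		"create:email_templates", "read:email_templates", "update:email_templates",
		"create:organization_members", "read:organization_members", "delete:organization_members",
		"create:organization_member_roles", "read:organization_member_roles", "delete:organization_member_roles",
		"create:organization_invitations", "read:organization_invitations", "delete:organization_invitations",
		"create:user_custom_blocks", "read:user_custom_blocks", "delete:user_custom_blocks",
	}
```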
@@ -25,13 +35,29 @@ func TestRequiredScopes(t *testing.T) {
 }
 })
- t.Run("verify special scopes", func(t *testing.T) {
+ t.Run("Verify special scopes", func(t *testing.T) {
 list := []string{
- "read:branding", "update:branding",
- "read:connections", "update:connections",
- "read:custom_domains", "create:custom_domains", "update:custom_domains", "delete:custom_domains",
- "read:client_keys", "read:logs", "read:tenant_settings",
+ "read:branding", "update:branding", "delete:branding",
+ "read:triggers", "update:triggers",
+ "read:client_keys",
+ "read:logs",
+ "read:tenant_settings", "update:tenant_settings",
 "read:anomaly_blocks", "delete:anomaly_blocks",
+ "read:attack_protection", "update:attack_protection",
+ "read:prompts", "update:prompts",
+ "read:stats",
+ "read:insights",
+ "create:user_tickets",
+ "blacklist:tokens",
+ "read:grants", "delete:grants",
+ "read:mfa_policies", "update:mfa_policies",
+ "read:guardian_factors", "update:guardian_factors",
+ "read:guardian_enrollments", "delete:guardian_enrollments",
+ "create:guardian_enrollment_tickets",
+ "read:user_idp_tokens",
+ "create:passwords_checking_job", "delete:passwords_checking_job",
+ "read:limits", "update:limits",
+ "read:entitlements",
 }
 for _, v := range list {