From de12895c484daac3861f90bae4e3dae2be9bdb25 Mon Sep 17 00:00:00 2001
From: Will Vedder
Date: Tue, 21 Nov 2023 15:01:40 -0500
Subject: [PATCH] DXCDT-597: Don't require all scopes for client credentials auth (#917)

* Removing requirement of scopes when authenticating with client credentials

* Moving required scopes into auth file

---------

Co-authored-by: Will Vedder
---
 internal/auth/auth.go | 24 +++++++++++++++++++++++-
 internal/auth/scopes.go | 37 -------------------------------------
 2 files changed, 23 insertions(+), 38 deletions(-)
 delete mode 100644 internal/auth/scopes.go

diff --git a/internal/auth/auth.go b/internal/auth/auth.go
index b42af5af2..ef8786d35 100644
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -116,6 +116,29 @@ func WaitUntilUserLogsIn(ctx context.Context, httpClient *http.Client, state Sta
 }
 }
 
+var RequiredScopes = []string{
+ "openid",
+ "offline_access", // for retrieving refresh token
+ "create:clients", "delete:clients", "read:clients", "update:clients",
+ "read:client_grants",
+ "create:resource_servers", "delete:resource_servers", "read:resource_servers", "update:resource_servers",
+ "create:roles", "delete:roles", "read:roles", "update:roles",
+ "create:rules", "delete:rules", "read:rules", "update:rules",
+ "create:users", "delete:users", "read:users", "update:users",
+ "read:branding", "update:branding",
+ "read:email_templates", "update:email_templates",
+ "read:email_provider",
+ "read:connections", "update:connections",
+ "read:client_keys", "read:logs", "read:tenant_settings",
+ "read:custom_domains", "create:custom_domains", "update:custom_domains", "delete:custom_domains",
+ "read:anomaly_blocks", "delete:anomaly_blocks",
+ "create:log_streams", "delete:log_streams", "read:log_streams", "update:log_streams",
+ "create:actions", "delete:actions", "read:actions", "update:actions",
+ "create:organizations", "delete:organizations", "read:organizations", "update:organizations", "read:organization_members", "read:organization_member_roles", "read:organization_connections",
+ "read:prompts", "update:prompts",
+ "read:attack_protection", "update:attack_protection",
+}
+
 // GetDeviceCode kicks-off the device authentication flow by requesting
 // a device code from Auth0. The returned state contains the
 // URI for the next step of the flow.
@@ -212,7 +235,6 @@ func GetAccessTokenFromClientCreds(ctx context.Context, args ClientCredentials)
 TokenURL: u.String() + "/oauth/token",
 EndpointParams: url.Values{
 "client_id": {args.ClientID},
- "scope": {strings.Join(RequiredScopesForClientCreds(), " ")},
 "audience": {u.String() + "/api/v2/"},
 },
 }
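Review bot: `RequiredScopes` is now an exported package-level variable in auth.go with no doc comment, and nothing in the file states that `openid` and `offline_access` are only meaningful for the device flow, which the deleted helper in scopes.go used to document. Add above the declaration: `// RequiredScopes is the full set of Management API scopes the CLI requests; openid and offline_access apply only to device-flow login.` Because it is a mutable slice, any importer can also alter the list at runtime; if that is not intended, exposing it through a function that returns a copy would keep it fixed, though that is outside this hunk. The declaration is at package level, so no enclosing function is cut by the hunk.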
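Review bot: With the `scope` line removed, the client-credentials token request sends no scope at all, so the issued token carries whatever the authorization server decides for an omitted scope (presumably every scope on the client grant) rather than the fixed minimum the removed helper computed; that is a least-privilege trade-off the function's doc comment should state, e.g. `// No scope is requested; the token carries the scopes the client grant allows, so RequiredScopes is not enforced for client credentials.` Separately, if `strings.Join` here was the only use of the strings package in auth.go, the import is now unused and the file will not build; the import block is outside the hunk. GetAccessTokenFromClientCreds begins and ends outside the hunk.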
diff --git a/internal/auth/scopes.go b/internal/auth/scopes.go
deleted file mode 100644
index a9d31dcfb..000000000
--- a/internal/auth/scopes.go
+++ /dev/null
@@ -1,37 +0,0 @@
-package auth
-
-var RequiredScopes = []string{
- "openid",
- "offline_access", // for retrieving refresh token
- "create:clients", "delete:clients", "read:clients", "update:clients",
- "read:client_grants",
- "create:resource_servers", "delete:resource_servers", "read:resource_servers", "update:resource_servers",
- "create:roles", "delete:roles", "read:roles", "update:roles",
- "create:rules", "delete:rules", "read:rules", "update:rules",
- "create:users", "delete:users", "read:users", "update:users",
- "read:branding", "update:branding",
- "read:email_templates", "update:email_templates",
- "read:email_provider",
- "read:connections", "update:connections",
- "read:client_keys", "read:logs", "read:tenant_settings",
- "read:custom_domains", "create:custom_domains", "update:custom_domains", "delete:custom_domains",
- "read:anomaly_blocks", "delete:anomaly_blocks",
- "create:log_streams", "delete:log_streams", "read:log_streams", "update:log_streams",
- "create:actions", "delete:actions", "read:actions", "update:actions",
- "create:organizations", "delete:organizations", "read:organizations", "update:organizations", "read:organization_members", "read:organization_member_roles", "read:organization_connections",
- "read:prompts", "update:prompts",
- "read:attack_protection", "update:attack_protection",
-}
-
-// RequiredScopesForClientCreds returns minimum scopes required when authenticating with client credentials.
-func RequiredScopesForClientCreds() []string {
- var min []string
- for _, s := range RequiredScopes {
- // Both "offline_access" and "openid" scopes only apply to device-flow authentication
- // and should be ignored when authenticating with client credentials
- if s != "offline_access" && s != "openid" {
- min = append(min, s)
- }
- }
- return min
-}