
Commit8f4b99b

committed
feat: expose external scopes in OAuth2 metadata endpoints
Replace empty slice placeholders with rbac.ExternalScopeNames() to publish supported OAuth2 scopes from the curated RBAC scope catalog in both authorization server and protected resource metadata endpoints. Update tests to verify proper scope exposure instead of empty arrays.
1 parentfd6e329 commit8f4b99b


3 files changed

+20
-17
lines changed


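--- a/coderd/oauth2_metadata_test.go
+++ b/coderd/oauth2_metadata_test.go
@@ -10,6 +10,7 @@ import (
 "github.com/stretchr/testify/require"
 
 "github.com/coder/coder/v2/coderd/coderdtest"
+"github.com/coder/coder/v2/coderd/rbac"
 "github.com/coder/coder/v2/codersdk"
 "github.com/coder/coder/v2/testutil"
 )
@@ -46,6 +47,8 @@ func TestOAuth2AuthorizationServerMetadata(t *testing.T) {
 require.Contains(t,metadata.GrantTypesSupported,"authorization_code")
 require.Contains(t,metadata.GrantTypesSupported,"refresh_token")
 require.Contains(t,metadata.CodeChallengeMethodsSupported,"S256")
+// Supported scopes are published from the curated catalog
+require.Equal(t,rbac.ExternalScopeNames(),metadata.ScopesSupported)
 }
 
 funcTestOAuth2ProtectedResourceMetadata(t*testing.T) {
@@ -80,7 +83,6 @@ func TestOAuth2ProtectedResourceMetadata(t *testing.T) {
 // RFC 6750 bearer tokens are now supported as fallback methods
 require.Contains(t,metadata.BearerMethodsSupported,"header")
 require.Contains(t,metadata.BearerMethodsSupported,"query")
-// ScopesSupported can be empty until scope system is implemented
-// Empty slice is marshaled as empty array, but can be nil when unmarshaled
-require.True(t,len(metadata.ScopesSupported)==0)
+// Supported scopes are published from the curated catalog
+require.Equal(t,rbac.ExternalScopeNames(),metadata.ScopesSupported)
 }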
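Review bot: The new assertion `require.Equal(t, rbac.ExternalScopeNames(), metadata.ScopesSupported)` in both hunks compares the endpoint's output against the same call the handler uses to produce it, so it still passes if the catalog is empty — which is exactly the state the removed `len(metadata.ScopesSupported) == 0` check described, now silently accepted. Adding `require.NotEmpty(t, metadata.ScopesSupported)` ahead of the equality pins that at least one scope is actually advertised, and a round-trip through JSON (which the SDK client already does here) also proves the slice is not serialised as `null`. The same pattern is repeated in coderd/oauth2provider/metadata_test.go and should get the same addition. Both enclosing test functions begin outside the hunks.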

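--- a/coderd/oauth2provider/metadata.go
+++ b/coderd/oauth2provider/metadata.go
@@ -5,6 +5,7 @@ import (
 "net/url"
 
 "github.com/coder/coder/v2/coderd/httpapi"
+"github.com/coder/coder/v2/coderd/rbac"
 "github.com/coder/coder/v2/codersdk"
 )
 
@@ -13,15 +14,14 @@ func GetAuthorizationServerMetadata(accessURL *url.URL) http.HandlerFunc {
 returnfunc(rw http.ResponseWriter,r*http.Request) {
 ctx:=r.Context()
 metadata:= codersdk.OAuth2AuthorizationServerMetadata{
-Issuer:accessURL.String(),
-AuthorizationEndpoint:accessURL.JoinPath("/oauth2/authorize").String(),
-TokenEndpoint:accessURL.JoinPath("/oauth2/tokens").String(),
-RegistrationEndpoint:accessURL.JoinPath("/oauth2/register").String(),// RFC 7591
-ResponseTypesSupported: []string{"code"},
-GrantTypesSupported: []string{"authorization_code","refresh_token"},
-CodeChallengeMethodsSupported: []string{"S256"},
-// TODO: Implement scope system
-ScopesSupported: []string{},
+Issuer:accessURL.String(),
+AuthorizationEndpoint:accessURL.JoinPath("/oauth2/authorize").String(),
+TokenEndpoint:accessURL.JoinPath("/oauth2/tokens").String(),
+RegistrationEndpoint:accessURL.JoinPath("/oauth2/register").String(),// RFC 7591
+ResponseTypesSupported: []string{"code"},
+GrantTypesSupported: []string{"authorization_code","refresh_token"},
+CodeChallengeMethodsSupported: []string{"S256"},
+ScopesSupported:rbac.ExternalScopeNames(),
 TokenEndpointAuthMethodsSupported: []string{"client_secret_post"},
 }
 httpapi.Write(ctx,rw,http.StatusOK,metadata)
@@ -35,8 +35,7 @@ func GetProtectedResourceMetadata(accessURL *url.URL) http.HandlerFunc {
 metadata:= codersdk.OAuth2ProtectedResourceMetadata{
 Resource:accessURL.String(),
 AuthorizationServers: []string{accessURL.String()},
-// TODO: Implement scope system based on RBAC permissions
-ScopesSupported: []string{},
+ScopesSupported:rbac.ExternalScopeNames(),
 // RFC 6750 Bearer Token methods supported as fallback methods in api key middleware
 BearerMethodsSupported: []string{"header","query"},
 }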
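Review bot: `ScopesSupported: rbac.ExternalScopeNames()` drops the two TODO comments without saying why only the "external" catalog is used, and since discovery metadata of this kind (RFC 8414 / RFC 9728) is normally served to anonymous callers, the next maintainer needs to know the list is deliberately restricted. A comment on both assignments, `// Advertise only the curated external scope catalog; this endpoint is typically unauthenticated, so internal or privileged scope names must not be published here.`, records that intent — adjust the wording if the route is in fact authenticated, which the hunk does not show. The call is evaluated on every request inside the handler closure; if ExternalScopeNames builds a fresh slice this is harmless, but it could be hoisted above the returned func since it does not depend on the request. Both enclosing functions start outside the hunks.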

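--- a/coderd/oauth2provider/metadata_test.go
+++ b/coderd/oauth2provider/metadata_test.go
@@ -8,6 +8,7 @@ import (
 "github.com/stretchr/testify/require"
 
 "github.com/coder/coder/v2/coderd/coderdtest"
+"github.com/coder/coder/v2/coderd/rbac"
 "github.com/coder/coder/v2/codersdk"
 "github.com/coder/coder/v2/testutil"
 )
@@ -35,6 +36,8 @@ func TestOAuth2AuthorizationServerMetadata(t *testing.T) {
 require.Contains(t,metadata.GrantTypesSupported,"authorization_code")
 require.Contains(t,metadata.GrantTypesSupported,"refresh_token")
 require.Contains(t,metadata.CodeChallengeMethodsSupported,"S256")
+// Supported scopes are published from the curated catalog
+require.Equal(t,rbac.ExternalScopeNames(),metadata.ScopesSupported)
 }
 
 funcTestOAuth2ProtectedResourceMetadata(t*testing.T) {
@@ -60,7 +63,6 @@ func TestOAuth2ProtectedResourceMetadata(t *testing.T) {
 // RFC 6750 bearer tokens are now supported as fallback methods
 require.Contains(t,metadata.BearerMethodsSupported,"header")
 require.Contains(t,metadata.BearerMethodsSupported,"query")
-// ScopesSupported can be empty until scope system is implemented
-// Empty slice is marshaled as empty array, but can be nil when unmarshaled
-require.True(t,len(metadata.ScopesSupported)==0)
+// Supported scopes are published from the curated catalog
+require.Equal(t,rbac.ExternalScopeNames(),metadata.ScopesSupported)
 }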
