-
Notifications
You must be signed in to change notification settings - Fork 204
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
enable using default scopes from authorization server #1405
Conversation
src/OidcClientSettings.ts
Outdated
* https://datatracker.ietf.org/doc/html/rfc6749#section-3.3 describes behavior when omitting scopes from sign in requests | ||
* If the IDP supports default scopes, this setting will ignore the scopes property passed to the config | ||
*/ | ||
useIdpDefaultScopes?: boolean; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the current behavior when not specifying a scope value is to default the value to "openid". Changing that would be a breaking change for the library.
This field was added to prevent a breaking change.
If the maintainers are OK with a breaking change, I think it would be more straightforward to remove the default value for scope instead of adding this new property. I can set up a PR for that approach if it is desired over adding this property.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point, lets keep this settings property for now. This give us time to decide when to do the breaking change. I will have to make a v4.0.0 for this change...
Can you immediately deprecate the new property?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sure thing. The deprecated tag has been added and pushed. Thanks @pamapa
I was looking more into this implementation. I think it would be awesome if the library supported this feature, but I realized that the doc I linked to in the description is the part of the OAuth spec file. The OIDC authentication request spec does state that the openid
scope is required for a valid authentication request.
The OIDC specs does also state
"If the openid scope value is not present, the behavior is entirely unspecified."
If it would make it more clear, I could also rename the property to allowScopeOmission
or something similar.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The OIDC authentication request spec does state that the
openid
scope is required for a valid authentication request.
Oh yes, that makes the @deprecated
invalid :-) Also its better to keep the type of scope string
. I guess you can deal with empty string...
According to https://datatracker.ietf.org/doc/html/rfc6749#section-3.3:
"If the client omits the scope parameter when requesting
authorization, the authorization server MUST either process the
request using a pre-defined default value or fail the request
indicating an invalid scope. The authorization server SHOULD
document its scope requirements and default value (if defined)."
the new property could be named omitScopeWhenRequesting
?
What kind of Idp are you using for this feature?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We're using ForgeRock (now part of Ping Identity) as our IDP. We do have the ability to define the IDP behavior when scope is not provided.
I've removed the updates to the scope typing so it is no longer optional where it was not optional before. The new property has been renamed omitScopeWhenRequesting
and that property value is solely responsible for including the scope
query param in the authorization requests now. The overall changes in this PR are much smaller now. Thanks for all the feedback and suggestions.
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #1405 +/- ##
==========================================
+ Coverage 80.53% 80.56% +0.03%
==========================================
Files 45 45
Lines 1731 1734 +3
Branches 344 347 +3
==========================================
+ Hits 1394 1397 +3
Misses 299 299
Partials 38 38
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
This reverts commit 7667e58.
@pamapa looks like this won't be part of the 3.1.0 release? Are there any updates or anything else I can do on this PR to help get it merged? |
Good that you ask. Do you have an actual use-case why you would need such a feature and let us know? You will also need to rebase against main, as it as now merge conflicts. |
Ah. missed the merge conflicts. Those are resolved now. there are three use cases we are interested in for the default scopes
|
Thanks for your time and help with this @pamapa ! It's greatly appreciated |
Thanks for contributing! |
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [oidc-client-ts](https://github.com/authts/oidc-client-ts) | dependencies | minor | [`3.0.1` -> `3.1.0`](https://renovatebot.com/diffs/npm/oidc-client-ts/3.0.1/3.1.0) | --- ### Release Notes <details> <summary>authts/oidc-client-ts (oidc-client-ts)</summary> ### [`v3.1.0`](https://github.com/authts/oidc-client-ts/releases/tag/v3.1.0) [Compare Source](authts/oidc-client-ts@v3.0.1...v3.1.0) oidc-client-ts v3.1.0 is a minor release. No longer using `crypto-js` package, but built-in browser [crypto.subtle](https://developer.mozilla.org/en-US/docs/Web/API/Crypto/subtle) module. Crypto.subtle is available only in [secure contexts](https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts) (HTTPS). Also have a look into the [migration](https://github.com/authts/oidc-client-ts/blob/main/docs/migration.md) info. #### Changelog: - Fixes: - [#​1666](authts/oidc-client-ts#1666): fix link in docs to issue - [#​1600](authts/oidc-client-ts#1600): updated docs about logger - [#​1589](authts/oidc-client-ts#1589): fix compiler error for target=ES2022 - [#​1539](authts/oidc-client-ts#1539): fix small typo in `signinCallback` doc in UserManager.ts - [#​1504](authts/oidc-client-ts#1504): typo in sample app config - [#​1490](authts/oidc-client-ts#1490): fix the return type of `signinCallback` - [#​1443](authts/oidc-client-ts#1443): fixes typos in docs - Features: - [#​1672](authts/oidc-client-ts#1672): make `signoutCallback` return signout response if request_type is so:r - [#​1626](authts/oidc-client-ts#1626): add `popupSignal` property to `signinPopup` and `signoutPop` - [#​1580](authts/oidc-client-ts#1580): add dpop docs - [#​1569](authts/oidc-client-ts#1569): add dpop nonce support - [#​1457](authts/oidc-client-ts#1457): add extra headers - [#​1461](authts/oidc-client-ts#1461): add demonstrating proof of possession - [#​1430](authts/oidc-client-ts#1430): add global `requestTimeoutInSeconds` setting - [#​1405](authts/oidc-client-ts#1405): allow using default scopes from authorization server thanks to [@​klues](https://github.com/klues), [@​smujmaiku](https://github.com/smujmaiku), [@​mftruso](https://github.com/mftruso), [@​peetck](https://github.com/peetck), [@​dbfr3qs](https://github.com/dbfr3qs), [@​mottykohn](https://github.com/mottykohn), [@​noshiro-pf](https://github.com/noshiro-pf), [@​dbfr3qs](https://github.com/dbfr3qs), [@​grjan7](https://github.com/grjan7) and [@​natergj](https://github.com/natergj) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC4xMDkuMCIsInVwZGF0ZWRJblZlciI6IjM4LjEwOS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> Reviewed-on: https://git.tristess.app/alexandresoro/ouca/pulls/191 Reviewed-by: Alexandre Soro <[email protected]> Co-authored-by: renovate <[email protected]> Co-committed-by: renovate <[email protected]>
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [oidc-client-ts](https://github.com/authts/oidc-client-ts) | dependencies | minor | [`3.0.1` -> `3.1.0`](https://renovatebot.com/diffs/npm/oidc-client-ts/3.0.1/3.1.0) | --- ### Release Notes <details> <summary>authts/oidc-client-ts (oidc-client-ts)</summary> ### [`v3.1.0`](https://github.com/authts/oidc-client-ts/releases/tag/v3.1.0) [Compare Source](authts/oidc-client-ts@v3.0.1...v3.1.0) oidc-client-ts v3.1.0 is a minor release. No longer using `crypto-js` package, but built-in browser [crypto.subtle](https://developer.mozilla.org/en-US/docs/Web/API/Crypto/subtle) module. Crypto.subtle is available only in [secure contexts](https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts) (HTTPS). Also have a look into the [migration](https://github.com/authts/oidc-client-ts/blob/main/docs/migration.md) info. #### Changelog: - Fixes: - [#​1666](authts/oidc-client-ts#1666): fix link in docs to issue - [#​1600](authts/oidc-client-ts#1600): updated docs about logger - [#​1589](authts/oidc-client-ts#1589): fix compiler error for target=ES2022 - [#​1539](authts/oidc-client-ts#1539): fix small typo in `signinCallback` doc in UserManager.ts - [#​1504](authts/oidc-client-ts#1504): typo in sample app config - [#​1490](authts/oidc-client-ts#1490): fix the return type of `signinCallback` - [#​1443](authts/oidc-client-ts#1443): fixes typos in docs - Features: - [#​1672](authts/oidc-client-ts#1672): make `signoutCallback` return signout response if request_type is so:r - [#​1626](authts/oidc-client-ts#1626): add `popupSignal` property to `signinPopup` and `signoutPop` - [#​1580](authts/oidc-client-ts#1580): add dpop docs - [#​1569](authts/oidc-client-ts#1569): add dpop nonce support - [#​1457](authts/oidc-client-ts#1457): add extra headers - [#​1461](authts/oidc-client-ts#1461): add demonstrating proof of possession - [#​1430](authts/oidc-client-ts#1430): add global `requestTimeoutInSeconds` setting - [#​1405](authts/oidc-client-ts#1405): allow using default scopes from authorization server thanks to [@​klues](https://github.com/klues), [@​smujmaiku](https://github.com/smujmaiku), [@​mftruso](https://github.com/mftruso), [@​peetck](https://github.com/peetck), [@​dbfr3qs](https://github.com/dbfr3qs), [@​mottykohn](https://github.com/mottykohn), [@​noshiro-pf](https://github.com/noshiro-pf), [@​dbfr3qs](https://github.com/dbfr3qs), [@​grjan7](https://github.com/grjan7) and [@​natergj](https://github.com/natergj) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC4xMTAuMiIsInVwZGF0ZWRJblZlciI6IjM4LjExMC4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> Reviewed-on: https://git.tristess.app/alexandresoro/ouca/pulls/196 Reviewed-by: Alexandre Soro <[email protected]> Co-authored-by: renovate <[email protected]> Co-committed-by: renovate <[email protected]>
OAuth allows for the authorization server to provide default scopes when no scopes are specified by the requestor as described in https://datatracker.ietf.org/doc/html/rfc6749#section-3.3
This allows for the library to be configured to rely on the default scopes.
Closes/fixes # n/a
Checklist