From 4b426c899a4e29374f37b35430787d89dbb782c8 Mon Sep 17 00:00:00 2001
From: Livio Amstutz
Date: Tue, 2 Feb 2021 11:41:50 +0100
Subject: [PATCH] scopes

---
 pkg/op/tokenrequest.go | 20 +++++++++++++++++++-
 pkg/rp/key.go | 15 +++++++++------
 2 files changed, 28 insertions(+), 7 deletions(-)

diff --git a/pkg/op/tokenrequest.go b/pkg/op/tokenrequest.go
index 1345005..5cb872e 100644
--- a/pkg/op/tokenrequest.go
+++ b/pkg/op/tokenrequest.go
@@ -192,7 +192,7 @@ func JWTProfile(w http.ResponseWriter, r *http.Request, exchanger JWTAuthorizati
 	}
 
 	//TODO: filter scopes
-	tokenRequest.Scopes = profileRequest.Scope
+	tokenRequest.Scopes = ValidateJWTProfileScopes(tokenRequest., profileRequest.Scope)
 
 	resp, err := CreateJWTTokenResponse(r.Context(), tokenRequest, exchanger)
 	if err != nil {
@@ -215,6 +215,24 @@ func ParseJWTProfileRequest(r *http.Request, decoder utils.Decoder) (*oidc.JWTPr
 	return tokenReq, nil
 }
 
+func ValidateJWTProfileScopes(client Client, scopes []string) []string {
+	for i := len(scopes) - 1; i >= 0; i-- {
+		scope := scopes[i]
+		if !(scope == oidc.ScopeOpenID ||
+			scope == oidc.ScopeProfile ||
+			scope == oidc.ScopeEmail ||
+			scope == oidc.ScopePhone ||
+			scope == oidc.ScopeAddress ||
+			scope == oidc.ScopeOfflineAccess) && //TODO: allowed
+			!client.IsScopeAllowed(scope) {
+			scopes[i] = scopes[len(scopes)-1]
+			scopes[len(scopes)-1] = ""
+			scopes = scopes[:len(scopes)-1]
+		}
+	}
+	return scopes
+}
+
 func TokenExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger) {
 	tokenRequest, err := ParseTokenExchangeRequest(w, r)
 	if err != nil {
diff --git a/pkg/rp/key.go b/pkg/rp/key.go
index 58a92d1..26d8bf5 100644
--- a/pkg/rp/key.go
+++ b/pkg/rp/key.go
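Review bot: The new call `ValidateJWTProfileScopes(tokenRequest., profileRequest.Scope)` has a dangling selector after `tokenRequest` — the first argument is incomplete, so the line does not compile, and nothing in the hunk shows which value of type `Client` is meant to go there. The `//TODO: filter scopes` comment directly above now describes exactly what this call does and should be removed or reworded to name whatever still remains open. JWTProfile begins and ends outside the hunk, so I cannot tell whether a client is resolved earlier in the function or still has to be looked up.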
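Review bot: ValidateJWTProfileScopes filters the caller's slice in place with swap-remove, so the backing array of `profileRequest.Scope` is reordered and its tail overwritten with `""` even though only the returned slice is used, and the surviving scopes come back in a different order than requested. A non-mutating, order-preserving filter avoids that aliasing, and a `switch` on the standard scopes reads better than the six-way `||` chain with the unexplained `//TODO: allowed`. The name says "Validate" but the function drops disallowed scopes silently instead of reporting them, so a doc comment such as `// ValidateJWTProfileScopes returns the requested scopes reduced to the standard OIDC scopes and those the client is allowed to use; disallowed scopes are dropped without error.` would make the contract explicit for callers; whether the token response then advertises the reduced scope set is decided outside this hunk.
```go
func ValidateJWTProfileScopes(client Client, scopes []string) []string {
	allowed := make([]string, 0, len(scopes))
	for _, scope := range scopes {
		switch scope {
		case oidc.ScopeOpenID, oidc.ScopeProfile, oidc.ScopeEmail,
			oidc.ScopePhone, oidc.ScopeAddress, oidc.ScopeOfflineAccess:
			allowed = append(allowed, scope)
		default:
			if client.IsScopeAllowed(scope) {
				allowed = append(allowed, scope)
			}
		}
	}
	return allowed
}
```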
@@ -11,13 +11,16 @@ const (
 )
 
 type keyFile struct {
-	Type string `json:"type"` // serviceaccount or application
-	KeyID string `json:"keyId"`
-	Key string `json:"key"`
-	Issuer string `json:"issuer"`
+	Type string `json:"type"` // serviceaccount or application
+	KeyID string `json:"keyId"`
+	Key string `json:"key"`
+	Issuer string `json:"issuer"`
+
+	//serviceaccount
+	UserID string `json:"userId"`
+
+	//application
 	ClientID string `json:"clientId"`
-	//TokenURL string `json:"token_uri"`
-	//ProjectID string `json:"project_id"`
 }
 
 func ConfigFromKeyFile(path string) (*keyFile, error) {
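Review bot: The `//serviceaccount` and `//application` comments mark which fields belong to which key type, but neither field carries a doc comment and nothing in this hunk ties `UserID` or `ClientID` to `Type`; consider `// UserID is set for keys of type "serviceaccount".` and `// ClientID is set for keys of type "application".` on the fields themselves so the relationship is visible in godoc. If ConfigFromKeyFile (its body is outside the hunk) does not check that the identifier matching `Type` is non-empty, a key file declaring one type but carrying only the other type's identifier would presumably load without complaint — worth confirming.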