
Wellknown overriding supplied scopes given in config #1

Closed

DarkKlaw opened this issue Apr 25, 2024 · 3 comments

@DarkKlaw

Just tried EasyOIDC to add OIDC support for a nicegui app I am prototyping.
It was quite easy to get started. However, I encountered a weird issue: I received a bad scope error even though I was supplying the right scopes in the config.

After digging, we noticed that this line (`self.scope = data['scopes_supported']`) was overriding the scope given in the config. This is a problem in my context, since our Keycloak instance has a lot of clients and groups, and by design not all clients require all scopes.

As a solution, I suggest using the well-known document to verify that the config scopes are correct rather than using it to override the value. However, I could have misunderstood the purpose of supplying the well-known endpoint in the config.

@jpmanson
Owner

Hi @DarkKlaw !

Thanks for your feedback.

You're right. The well-known URL gives us the supported scopes, but that does not mean that we should implement all of them in the client. It is correct that the library should not copy that parameter and overwrite the local configuration.

We could do the following:

  1. If self.scope is not defined, then copy scopes_supported from the server (as currently done).
  2. If self.scope is defined, validate that each scope value is supported as indicated by the server in scopes_supported. For example, if the client has the scope "openid,profile,email,roles" and the server supports "openid,profile,email", then raise an error.

Any suggestions on this?
Bye!
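The two behaviours discussed in this thread, the reported one (the discovery document's `scopes_supported` silently replacing the configured `self.scope`) and the proposed one (fall back to `scopes_supported` only when no scope is configured, otherwise validate each configured value against it), side by side. This is an added illustration, not EasyOIDC's code: the function names `resolve_scopes`, `overriding_resolve_scopes`, `parse_scope` and the `UnsupportedScopeError` class are mine, and the discovery document is a constructed sample. Two details go slightly beyond the comments above: the `scope` parameter is space-delimited per RFC 6749, so comma-separated input like `"openid,profile,email"` is normalised rather than sent as one scope token, and `scopes_supported` is only RECOMMENDED in OpenID Connect Discovery, so a server that omits it cannot be used to validate anything and the configured scopes pass through unchanged.

```python
"""Scope resolution for an OIDC client: the overriding bug beside the validating fix.

Added example, not EasyOIDC code. Names and the discovery document are constructed.
"""
import json

# Constructed sample of an OpenID Provider discovery document (only the fields used here).
# Realistic for a Keycloak realm: the provider advertises more scopes than any one client needs.
DISCOVERY_JSON = json.dumps({
    "issuer": "https://idp.example.test/realms/demo",
    "authorization_endpoint": "https://idp.example.test/realms/demo/protocol/openid-connect/auth",
    "token_endpoint": "https://idp.example.test/realms/demo/protocol/openid-connect/token",
    "scopes_supported": ["openid", "profile", "email", "address", "phone", "offline_access"],
})

# Constructed discovery document that omits the RECOMMENDED scopes_supported field.
DISCOVERY_NO_SCOPES_JSON = json.dumps({"issuer": "https://idp.example.test/realms/minimal"})


class UnsupportedScopeError(ValueError):
    """Raised when a configured scope is not advertised by the provider."""


def parse_scope(scope):
    """Normalise a configured scope into a list of scope tokens.

    Accepts a list/tuple, or a string. RFC 6749 defines the scope parameter as
    space-delimited, but config files often use commas, so both are accepted.
    """
    if scope is None:
        return []
    if isinstance(scope, str):
        scope = scope.replace(",", " ").split()
    return [s for s in scope if s]


def overriding_resolve_scopes(configured_scope, discovery_json):
    """The behaviour the issue reports: the well-known document wins unconditionally.

    Whatever the client configured is thrown away, so the client requests every
    scope the provider supports, which is over-privileged and, for a client that
    is not entitled to all of them, produces the 'bad scope' error from the report.
    """
    data = json.loads(discovery_json)
    return list(data["scopes_supported"])  # configured_scope is never consulted


def resolve_scopes(configured_scope, discovery_json, strict=True):
    """The behaviour proposed in the thread.

    1. No configured scope: copy scopes_supported from the provider.
    2. Configured scope: keep it, but verify each token against scopes_supported
       and raise UnsupportedScopeError (or, with strict=False, let it through so
       the provider can reject it) when a token is not advertised.
    """
    data = json.loads(discovery_json)
    supported = data.get("scopes_supported")  # RECOMMENDED, may be absent
    requested = parse_scope(configured_scope)

    if not requested:
        if not supported:
            raise ValueError("no scope configured and provider does not advertise scopes_supported")
        return list(supported)

    # OpenID Connect requests must carry the 'openid' scope; fail early rather than at the IdP.
    if "openid" not in requested:
        raise ValueError("OIDC scope must include 'openid', got %r" % requested)

    if supported is None:
        # Nothing to validate against; trust the local configuration.
        return requested

    unsupported = [s for s in requested if s not in supported]
    if unsupported and strict:
        raise UnsupportedScopeError(
            "configured scopes not advertised by %s: %s (supported: %s)"
            % (data.get("issuer"), ", ".join(unsupported), ", ".join(supported))
        )
    return requested


def scope_parameter(scopes):
    """Render the resolved list as the space-delimited value sent in the authorization request."""
    return " ".join(scopes)


if __name__ == "__main__":
    print("overriding:", overriding_resolve_scopes("openid profile", DISCOVERY_JSON))
    print("validated: ", scope_parameter(resolve_scopes("openid,profile,email", DISCOVERY_JSON)))
    try:
        resolve_scopes("openid profile email roles", DISCOVERY_JSON)
    except UnsupportedScopeError as exc:
        print("rejected:  ", exc)
```

The `strict=False` path is there because a provider's `scopes_supported` list is advisory: Keycloak, for example, can have client-specific scopes that are not in the realm-wide list, so a hard failure on every mismatch would be wrong for some deployments. In that mode the configured scopes still win; the provider's own scope check remains the authority.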

jpmanson pushed a commit that referenced this issue Apr 28, 2024
jpmanson pushed a commit that referenced this issue Apr 30, 2024
jpmanson pushed a commit that referenced this issue Apr 30, 2024
@jpmanson
Owner

I've implemented the new behaviour in v0.1.8

@DarkKlaw
Author

DarkKlaw commented May 7, 2024

Sorry for the late reply. This was what I was thinking as well.
