Skip to content

Bug: setProviderDefaults can't set scope properly #1903

New issue
New issue
Closed
Closed
Bug: setProviderDefaults can't set scope properly#1903
@yuanqiuye

Description

@yuanqiuye
yuanqiuye
opened on Nov 17, 2022

Expected Behavior

oauth2-proxy/providers/github.go

Lines 66 to 74 in fd2807c

func NewGitHubProvider(p *ProviderData, opts options.GitHubOptions) *GitHubProvider {
p.setProviderDefaults(providerDefaults{
name: githubProviderName,
loginURL: githubDefaultLoginURL,
redeemURL: githubDefaultRedeemURL,
profileURL: nil,
validateURL: githubDefaultValidateURL,
scope: githubDefaultScope,
})

The githubDefaultScope should be set properly, but it doesn't.

It affects all providers that use setProviderDefaults to initialize scope.

Current Behavior

oauth2-proxy/providers/providers.go

Lines 34 to 71 in fd2807c

func NewProvider(providerConfig options.Provider) (Provider, error) {
providerData, err := newProviderDataFromConfig(providerConfig)
if err != nil {
return nil, fmt.Errorf("could not create provider data: %v", err)
}
switch providerConfig.Type {
case options.ADFSProvider:
return NewADFSProvider(providerData, providerConfig.ADFSConfig), nil
case options.AzureProvider:
return NewAzureProvider(providerData, providerConfig.AzureConfig), nil
case options.BitbucketProvider:
return NewBitbucketProvider(providerData, providerConfig.BitbucketConfig), nil
case options.DigitalOceanProvider:
return NewDigitalOceanProvider(providerData), nil
case options.FacebookProvider:
return NewFacebookProvider(providerData), nil
case options.GitHubProvider:
return NewGitHubProvider(providerData, providerConfig.GitHubConfig), nil
case options.GitLabProvider:
return NewGitLabProvider(providerData, providerConfig.GitLabConfig)
case options.GoogleProvider:
return NewGoogleProvider(providerData, providerConfig.GoogleConfig)
case options.KeycloakProvider:
return NewKeycloakProvider(providerData, providerConfig.KeycloakConfig), nil
case options.KeycloakOIDCProvider:
return NewKeycloakOIDCProvider(providerData, providerConfig.KeycloakConfig), nil
case options.LinkedInProvider:
return NewLinkedInProvider(providerData), nil
case options.LoginGovProvider:
return NewLoginGovProvider(providerData, providerConfig.LoginGovConfig)
case options.NextCloudProvider:
return NewNextcloudProvider(providerData), nil
case options.OIDCProvider:
return NewOIDCProvider(providerData, providerConfig.OIDCConfig), nil
default:
return nil, fmt.Errorf("unknown provider type %q", providerConfig.Type)
}
}

newProviderDataFromConfig is before providers' constructor,

oauth2-proxy/providers/providers.go

Lines 155 to 169 in fd2807c

if p.Scope == "" {
p.Scope = "openid email profile"
if len(providerConfig.AllowedGroups) > 0 {
p.Scope += " groups"
}
}
if providerConfig.OIDCConfig.UserIDClaim == "" {
providerConfig.OIDCConfig.UserIDClaim = "email"
}
p.setAllowedGroups(providerConfig.AllowedGroups)
return p, nil
}

so if p.Scope is blank, p.Scope will automatically set to "openid email profile".
It will cause the check of p.Scope is useless in

oauth2-proxy/providers/provider_data.go

Lines 190 to 204 in fd2807c

func (p *ProviderData) setProviderDefaults(defaults providerDefaults) {
p.ProviderName = defaults.name
p.LoginURL = defaultURL(p.LoginURL, defaults.loginURL)
p.RedeemURL = defaultURL(p.RedeemURL, defaults.redeemURL)
p.ProfileURL = defaultURL(p.ProfileURL, defaults.profileURL)
p.ValidateURL = defaultURL(p.ValidateURL, defaults.validateURL)
if p.Scope == "" {
p.Scope = defaults.scope
}
if p.UserClaim == "" {
p.UserClaim = oidcUserClaim
}
}

Possible Solution

Maybe can make a function just like defaultURL

oauth2-proxy/providers/provider_data.go

Lines 207 to 218 in fd2807c

func defaultURL(u *url.URL, d *url.URL) *url.URL {
if u != nil && u.String() != "" {
// The value is already set
return u
}
// If the default is given, return that
if d != nil {
return d
}
return &url.URL{}
}

to set scope properly in setProviderDefaults

  • Version used: 7.4.0

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions