Allow scope to be passed as array

Scopes are currently passed as a scope string, separating scopes by spaces. Clients can grow to many scopes, resulting in a very long string. This change allows us to specify scopes using the property scopeArray. That way, we can separate scopes by newlines. Additionally, this allows us to comment a single scope temporarily or add a comment for a specific scope, e.g. as a reason why that client has this scope granted.
ory · Sep 18, 2024 · d02d5ca · d02d5ca
1 parent aa0bff2
commit d02d5ca
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 5 deletions.
diff --git a/api/v1alpha1/oauth2client_types.go b/api/v1alpha1/oauth2client_types.go
@@ -145,12 +145,16 @@ type OAuth2ClientSpec struct {
 	// Audience is a whitelist defining the audiences this client is allowed to request tokens for
 	Audience []string `json:"audience,omitempty"`
 
-	// +kubebuilder:validation:Pattern=([a-zA-Z0-9\.\*]+\s?)+
+	// +kubebuilder:validation:Pattern=([a-zA-Z0-9\.\*]+\s?)*
 	//
 	// Scope is a string containing a space-separated list of scope values (as
 	// described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client
 	// can use when requesting access tokens.
-	Scope string `json:"scope"`
+	Scope string `json:"scope,omitempty"`
+
+	// ScopeArray is an array of scope values that the client can use when requesting access tokens.
+	// It overrides the property Scope.
+	ScopeArray []string `json:"scopeArray,omitempty"`
 
 	// +kubebuilder:validation:MinLength=1
 	// +kubebuilder:validation:MaxLength=253

diff --git a/config/crd/bases/hydra.ory.sh_oauth2clients.yaml b/config/crd/bases/hydra.ory.sh_oauth2clients.yaml
@@ -202,8 +202,15 @@ spec:
                     Scope is a string containing a space-separated list of scope values (as
                     described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client
                     can use when requesting access tokens.
-                  pattern: ([a-zA-Z0-9\.\*]+\s?)+
+                  pattern: ([a-zA-Z0-9\.\*]+\s?)*
                   type: string
+                scopeArray:
+                  description: |-
+                    ScopeArray is an array of scope values that the client can use when requesting access tokens.
+                    It overrides the property Scope.
+                  items:
+                    type: string
+                  type: array
                 secretName:
                   description:
                     SecretName points to the K8s secret that contains this
@@ -301,7 +308,6 @@ spec:
                   type: object
               required:
                 - grantTypes
-                - scope
                 - secretName
               type: object
             status:

diff --git a/hydra/types.go b/hydra/types.go
@@ -6,6 +6,7 @@ package hydra
 import (
 	"encoding/json"
 	"fmt"
+	"strings"
 
 	"k8s.io/utils/ptr"
 
@@ -67,6 +68,16 @@ func FromOAuth2Client(c *hydrav1alpha1.OAuth2Client) (*OAuth2ClientJSON, error)
 		return nil, fmt.Errorf("unable to encode `metadata` property value to json: %w", err)
 	}
 
+	var scope = c.Spec.Scope
+	if c.Spec.ScopeArray != nil && c.Spec.Scope != "" {
+		fmt.Println("Warning: both `scope` and `scopeArray` are set. Using `scopeArray`")
+	}
+
+	if c.Spec.ScopeArray != nil {
+		scope = strings.Join(c.Spec.ScopeArray, " ")
+	}
+
+
 	return &OAuth2ClientJSON{
 		ClientName:                        c.Spec.ClientName,
 		GrantTypes:                        grantToStringSlice(c.Spec.GrantTypes),
@@ -75,7 +86,7 @@ func FromOAuth2Client(c *hydrav1alpha1.OAuth2Client) (*OAuth2ClientJSON, error)
 		PostLogoutRedirectURIs:            redirectToStringSlice(c.Spec.PostLogoutRedirectURIs),
 		AllowedCorsOrigins:                redirectToStringSlice(c.Spec.AllowedCorsOrigins),
 		Audience:                          c.Spec.Audience,
-		Scope:                             c.Spec.Scope,
+		Scope:                             scope,
 		SkipConsent:                       c.Spec.SkipConsent,
 		Owner:                             fmt.Sprintf("%s/%s", c.Name, c.Namespace),
 		TokenEndpointAuthMethod:           string(c.Spec.TokenEndpointAuthMethod),

diff --git a/hydra/types_test.go b/hydra/types_test.go
@@ -0,0 +1,26 @@
+package hydra_test
+
+import (
+	"testing"
+
+	hydrav1alpha1 "github.com/ory/hydra-maester/api/v1alpha1"
+	"github.com/ory/hydra-maester/hydra"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestTypes(t *testing.T) {
+	t.Run("Test ScopeArray", func(t *testing.T) {
+		c := hydrav1alpha1.OAuth2Client{
+			Spec: hydrav1alpha1.OAuth2ClientSpec{
+				ScopeArray: []string{"scope1", "scope2"},
+			},
+		}
+
+		var parsedClient, err = hydra.FromOAuth2Client(&c)
+		if err != nil {
+			assert.Fail(t, "unexpected error: %s", err)
+		}
+
+		assert.Equal(t, parsedClient.Scope, "scope1 scope2")
+	})
+}