Incorrect examples for specifying scopes for IdP #44

Open
iautom8things opened this issue Mar 15, 2021 · 5 comments

iautom8things commented Mar 15, 2021

Hopefully this project is still being maintained. I had issues trying to adjust the scopes as per the example in the readme. I dug down into the source and SimpleSamlPHP + the deps and determined that it looks like the example is wrong.

              // ...
              'urlAuthorizeOptions' => [
                  'prompt' => 'always',
              ],
              // Scopes are shown outside of urlAuthorizeOptions and incorrectly named `scopes`, pluralized
              'scopes' => ['email', 'profile'],
              'scopeSeparator' => ' ',
              // ...
              // `scope` needs to go in urlAuthorizeOptions
              'urlAuthorizeOptions' => [
                  'prompt' => 'always',
                  'scope' => ['email', 'profile'],
              ],
              // ...

Determined this by:

  1. following the examples and having it not work
  2. then seeing that urlAuthorizeOptions is what is passed into getAuthorizationUrl and then following through to League's AbstractProvider to see how that url is generated

iautom8things changed the title from "Incorrect examples" to "Incorrect examples for specifying scopes for IdP" on Mar 15, 2021

pradtke commented Mar 16, 2021

Hi @iautom8things,

Thanks for the report. Are you using a custom providerClass? The default provider is the GenericProvider which looks at the scopes for the default scopes to use in connections. You can see the AbstractProvider calling this->getDefaultScopes(); in the lines you linked. You can see the parameters configurable on a GenericProvider here

@iautom8things

@pradtke I'm not using a custom providerClass. All I've done is install the latest simplesamlphp, and install this authoauth2 module.

Are you suggesting that the example should work? I can experimentally see that those scopes are not included in the upstream IdP. It was only when I moved the scopes into the urlAuthorizeOptions that the request to the IdP included the configured scopes.

pradtke commented Jun 21, 2021

@iautom8things sorry for the delay getting back to you. This came up again in #51. It looks like if you are using OIDC auth source (authoauth2:OpenIDConnect) instead of OAuth2 (authoauth2:OAuth2) then the supported options are different, and setting scopes was not supported. Being able to set scopes on authoauth2:OpenIDConnect should be supported in the next release.

iautom8things commented Jun 22, 2021

What's the difference between how I was able to solve this (adding scope to the urlAuthorizeOptions) and adding scopes at the top level, which I'm assuming is what you mean that will be coming in a future release?

pradtke commented Jun 22, 2021

Functionality-wise there is no difference, and no need for you to make any changes. The addition of supporting scopes on the OIDC authsource is only to improve configuration consistency with the OAuth2 authsource. Most of the documentation examples are for the OAuth2 authsource and people naturally assume configuration options work for both.
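
The thread's manual check, whether the configured scopes actually reach the IdP, can be scripted against a captured authorization redirect. This is an added example, not code from this project or from either participant; the function name `diffRequestedScopes`, the URLs and the client id are constructed for illustration.

```php
<?php
// Added example, not project code. URLs, client id and function name are constructed.

/**
 * Compare the scope parameter of a captured authorization redirect with the
 * scopes the authsource is expected to request.
 *
 * @param string   $authorizeUrl Location header of the redirect to the IdP
 * @param string[] $expected     scopes from the authsource configuration
 * @param string   $separator    same value as 'scopeSeparator'
 * @return array{missing: string[], unexpected: string[]}
 */
function diffRequestedScopes(string $authorizeUrl, array $expected, string $separator = ' '): array
{
    if ($separator === '') {
        throw new InvalidArgumentException('scope separator must not be empty');
    }
    $params = [];
    $query = parse_url($authorizeUrl, PHP_URL_QUERY);
    if (is_string($query)) {
        parse_str($query, $params); // also decodes %20 and "+" to a space
    }
    // A missing scope parameter, or one sent as scope[]=..., counts as "nothing requested".
    $raw = isset($params['scope']) && is_string($params['scope']) ? $params['scope'] : '';
    $sent = array_values(array_filter(explode($separator, $raw), fn ($s) => $s !== ''));

    return [
        'missing'    => array_values(array_diff($expected, $sent)),
        'unexpected' => array_values(array_diff($sent, $expected)),
    ];
}

$expected = ['email', 'profile'];
$captured = [
    'no scope in request' => 'https://idp.example.org/authorize?response_type=code'
        . '&client_id=constructed-client&prompt=always&state=constructed',
    'scope in request'    => 'https://idp.example.org/authorize?response_type=code'
        . '&client_id=constructed-client&prompt=always&scope=email%20profile&state=constructed',
];

foreach ($captured as $label => $url) {
    $diff = diffRequestedScopes($url, $expected);
    printf(
        "%s: missing=[%s] unexpected=[%s]\n",
        $label,
        implode(',', $diff['missing']),
        implode(',', $diff['unexpected'])
    );
}
```

A non-empty `unexpected` list is worth reviewing as well, since it means the request asks the IdP for more than the configuration intended.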
