From fd293dd1835c5135666193ba7719dfb60b545eca Mon Sep 17 00:00:00 2001
From: Chad Scharf <3904944+cscharf@users.noreply.github.com>
Date: Fri, 18 Dec 2020 11:07:31 -0500
Subject: [PATCH] Added OIDC scope management (#1049)
* added OIDC scope management
* Remove errant code comment
---
.../DynamicAuthenticationSchemeProvider.cs | 12 +++++
.../src/Sso/Utilities/OpenIdConnectScopes.cs | 53 +++++++++++++++++++
2 files changed, 65 insertions(+)
create mode 100644 bitwarden_license/src/Sso/Utilities/OpenIdConnectScopes.cs
diff --git a/bitwarden_license/src/Sso/Utilities/DynamicAuthenticationSchemeProvider.cs b/bitwarden_license/src/Sso/Utilities/DynamicAuthenticationSchemeProvider.cs
index be64d97419..959e838fca 100644
--- a/bitwarden_license/src/Sso/Utilities/DynamicAuthenticationSchemeProvider.cs
+++ b/bitwarden_license/src/Sso/Utilities/DynamicAuthenticationSchemeProvider.cs
@@ -318,6 +318,18 @@ namespace Bit.Core.Business.Sso
AuthenticationMethod = config.RedirectBehavior,
GetClaimsFromUserInfoEndpoint = config.GetClaimsFromUserInfoEndpoint,
};
+ if (!oidcOptions.Scope.Contains(OpenIdConnectScopes.OpenId))
+ {
+ oidcOptions.Scope.Add(OpenIdConnectScopes.OpenId);
+ }
+ if (!oidcOptions.Scope.Contains(OpenIdConnectScopes.Email))
+ {
+ oidcOptions.Scope.Add(OpenIdConnectScopes.Email);
+ }
+ if (!oidcOptions.Scope.Contains(OpenIdConnectScopes.Profile))
+ {
+ oidcOptions.Scope.Add(OpenIdConnectScopes.Profile);
+ }
return new DynamicAuthenticationScheme(name, name, typeof(OpenIdConnectHandler),
oidcOptions, SsoType.OpenIdConnect);
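Review bot: The three if/Add blocks at the top of the hunk repeat the same check for each scope, so the set of scopes this provider always requests is spread over twelve lines with no statement of why; a loop over a named list keeps that set in one place: `foreach (var scope in new[] { OpenIdConnectScopes.OpenId, OpenIdConnectScopes.Email, OpenIdConnectScopes.Profile }) { if (!oidcOptions.Scope.Contains(scope)) { oidcOptions.Scope.Add(scope); } }`. The new OpenIdConnectScopes file documents `openid` as REQUIRED but `email` and `profile` as OPTIONAL, and this code forces all three regardless of what the admin configured, so a why-comment would help the next maintainer, e.g. `// openid is mandatory for an OIDC request; email and profile are added so the identity claims the SSO flow relies on are requested from every provider — TODO confirm which claims downstream code actually reads`. How `oidcOptions.Scope` is populated from `config` is not visible here, so I cannot tell whether an admin-supplied scope list is merged or replaced before this point. The enclosing method starts before the hunk.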
diff --git a/bitwarden_license/src/Sso/Utilities/OpenIdConnectScopes.cs b/bitwarden_license/src/Sso/Utilities/OpenIdConnectScopes.cs
new file mode 100644
index 0000000000..54b6e0a119
--- /dev/null
+++ b/bitwarden_license/src/Sso/Utilities/OpenIdConnectScopes.cs
@@ -0,0 +1,53 @@
+namespace Bit.Sso.Utilities
+{
+ ///
+ /// OpenID Connect Clients use scope values as defined in 3.3 of OAuth 2.0
+ /// [RFC6749]. These values represent the standard scope values supported
+ /// by OAuth 2.0 and therefore OIDC.
+ ///
+ ///
+ /// See: https://openid.net/specs/openid-connect-basic-1_0.html#Scopes
+ ///
+ public static class OpenIdConnectScopes
+ {
+ ///
+ /// REQUIRED. Informs the Authorization Server that the Client is making
+ /// an OpenID Connect request. If the openid scope value is not present,
+ /// the behavior is entirely unspecified.
+ ///
+ public const string OpenId = "openid";
+
+ ///
+ /// OPTIONAL. This scope value requests access to the End-User's default
+ /// profile Claims, which are: name, family_name, given_name,
+ /// middle_name, nickname, preferred_username, profile, picture,
+ /// website, gender, birthdate, zoneinfo, locale, and updated_at.
+ ///
+ public const string Profile = "profile";
+
+ ///
+ /// OPTIONAL. This scope value requests access to the email and
+ /// email_verified Claims.
+ ///
+ public const string Email = "email";
+
+ ///
+ /// OPTIONAL. This scope value requests access to the address Claim.
+ ///
+ public const string Address = "address";
+
+ ///
+ /// OPTIONAL. This scope value requests access to the phone_number and
+ /// phone_number_verified Claims.
+ ///
+ public const string Phone = "phone";
+
+ ///
+ /// OPTIONAL. This scope value requests that an OAuth 2.0 Refresh Token
+ /// be issued that can be used to obtain an Access Token that grants
+ /// access to the End-User's UserInfo Endpoint even when the End-User is
+ /// not present (not logged in).
+ ///
+ public const string OfflineAccess = "offline_access";
+ }
+}
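Review bot: The class summary cites RFC 6749 §3.3 but does not say that scope values are case-sensitive strings, which is what that section specifies and what the `Contains` checks in DynamicAuthenticationSchemeProvider rely on when deciding whether a scope is already present; adding `/// Scope values are case-sensitive (RFC 6749 §3.3) and must be compared ordinally.` to the summary makes that contract explicit for callers. The bare `///` lines surrounding each description (for example the ones before and after the class summary and each constant) look like `<summary>` tags dropped during rendering; if they are genuinely empty in the source, the XML doc tool will warn and the descriptions will not appear in IntelliSense.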