DXCDT-597: Don't require all scopes for client credentials auth (#917)

* Removing requirement of scopes when authenticating with client credentials * Moving required scopes into auth file --------- Co-authored-by: Will Vedder <will.vedder@okta.com>
auth0 · Nov 21, 2023 · de12895 · de12895
1 parent 63ccef0
commit de12895
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 38 deletions.
diff --git a/internal/auth/auth.go b/internal/auth/auth.go
@@ -116,6 +116,29 @@ func WaitUntilUserLogsIn(ctx context.Context, httpClient *http.Client, state Sta
 	}
 }
 
+var RequiredScopes = []string{
+	"openid",
+	"offline_access", // for retrieving refresh token
+	"create:clients", "delete:clients", "read:clients", "update:clients",
+	"read:client_grants",
+	"create:resource_servers", "delete:resource_servers", "read:resource_servers", "update:resource_servers",
+	"create:roles", "delete:roles", "read:roles", "update:roles",
+	"create:rules", "delete:rules", "read:rules", "update:rules",
+	"create:users", "delete:users", "read:users", "update:users",
+	"read:branding", "update:branding",
+	"read:email_templates", "update:email_templates",
+	"read:email_provider",
+	"read:connections", "update:connections",
+	"read:client_keys", "read:logs", "read:tenant_settings",
+	"read:custom_domains", "create:custom_domains", "update:custom_domains", "delete:custom_domains",
+	"read:anomaly_blocks", "delete:anomaly_blocks",
+	"create:log_streams", "delete:log_streams", "read:log_streams", "update:log_streams",
+	"create:actions", "delete:actions", "read:actions", "update:actions",
+	"create:organizations", "delete:organizations", "read:organizations", "update:organizations", "read:organization_members", "read:organization_member_roles", "read:organization_connections",
+	"read:prompts", "update:prompts",
+	"read:attack_protection", "update:attack_protection",
+}
+
 // GetDeviceCode kicks-off the device authentication flow by requesting
 // a device code from Auth0. The returned state contains the
 // URI for the next step of the flow.
@@ -212,7 +235,6 @@ func GetAccessTokenFromClientCreds(ctx context.Context, args ClientCredentials)
 		TokenURL:     u.String() + "/oauth/token",
 		EndpointParams: url.Values{
 			"client_id": {args.ClientID},
-			"scope":     {strings.Join(RequiredScopesForClientCreds(), " ")},
 			"audience":  {u.String() + "/api/v2/"},
 		},
 	}

diff --git a/internal/auth/scopes.go b/internal/auth/scopes.go