DXCDT-296: Supporting additional scopes when authenticating as user #561
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
willvedd
commented
Dec 15, 2022
| // Start kicks-off the device authentication flow by requesting | ||
| // a device code from Auth0. The returned state contains the | ||
| // URI for the next step of the flow. | ||
| func (a *Authenticator) Start(ctx context.Context) (State, error) { |
There was a problem hiding this comment.
A bit of a refactor here. Removing the Start function because it only exists as a function wrapper for getDeviceCode. Further, the name wasn't descriptive of what the function did.
willvedd
commented
Dec 15, 2022
| // GetDeviceCode kicks-off the device authentication flow by requesting | ||
| // a device code from Auth0. The returned state contains the | ||
| // URI for the next step of the flow. | ||
| func (a *Authenticator) GetDeviceCode(ctx context.Context, additionalScopes []string) (State, error) { |
There was a problem hiding this comment.
The only functional change here is the addition of the additionalScopes argument, which enables the passing of additional scopes when requesting a grant.
willvedd
commented
Dec 15, 2022
internal/auth/auth.go
Outdated
| if err != nil { | ||
| return State{}, fmt.Errorf("failed to create the request: %w", err) | ||
| } | ||
| scopesToRequest := append(requiredScopes, additionalScopes...) |
There was a problem hiding this comment.
Change to note – combining the required scopes with additional scopes.
…auth0-cli into DXCDT-296-dynamic-scoping
…auth0-cli into DXCDT-296-dynamic-scoping
Widcket
reviewed
Dec 15, 2022
| @@ -27,6 +28,7 @@ auth0 login --domain <tenant-domain> --client-id <client-id> --client-secret <cl | |||
| --client-secret string Client secret of the application when authenticating via client credentials. | |||
| --domain string Tenant domain of the application when authenticating via client credentials. | |||
| -h, --help help for login | |||
| --scopes strings Additional scopes to request when authenticating via device code flow. By default, only scopes for first-class functions are requested. Primarily useful when using the api command to execute arbitrary Management API requests. | |||
There was a problem hiding this comment.
Any way we can support the use case mentioned in #556 (only X scopes when scripting)? Note that as we add support for more and more resources, the number of scopes requested initially will keep going up. This is probably fine for human usage, but for machine usage we'll probably want to find an alternative.
There was a problem hiding this comment.
Absolutely. However, that is a separate task. This PR only pertains to scoping with respect to device code flow, whereas #556 is concerned with client credentials. I think that work is better suited for its own PR.
sergiught
reviewed
Dec 16, 2022
sergiught
approved these changes
Dec 16, 2022
willvedd
added a commit
that referenced
this pull request
Dec 21, 2022
* DXCDT-287: Remove format flag in favor of json flag (#533) * DXCDT-288: Add perms alias for permissions subcommand (#534) * DXCDT-286: Relegate --force flag from global context (#535) * DXCDT-286: Hide global flags from commands when not applicable (#536) * [1/4] DXCDT-266: Move domains subcommand one level up the hierarchy (#539) * [2/4] DXCDT-266: Bring branding emails command under email templates (#540) * Back-merging `main` into `v1` (#543) DXCDT-293: Access token management for client credentials (#537) * Storing and refreshing access token for client credentials * Removing unnecessary comment * Removing tenant name from being stored, removing flag declarations * Removing tenant name from being stored * Fixing erroneous delete * Simplifying ExpiresAt assignment * Remove duplicate addTenant in tenants add command * Remove setting scopes on tenant when using client credentials * Refactor how we check for token expiration while preparing the tenant * Refactor cli.prepareTenant func * Refactor cli.setup func Co-authored-by: Will Vedder <will.vedder@okta.com> Co-authored-by: Sergiu Ghitea <sergiu.ghitea@okta.com> Co-authored-by: Will Vedder <will.vedder@okta.com> Co-authored-by: Sergiu Ghitea <sergiu.ghitea@okta.com> * [3/4] DXCDT-266: Rename branding cmd to universal-login (#541) * [4/4] DXCDT-266: Update docs after branding command refactor (#542) * DXCDT-283: Remove `config` command (#532) Co-authored-by: Will Vedder <will.vedder@okta.com> * DXCDT-267: Consolidate `auth0 add tenants` into `auth0 login` (1/x) (#546) Co-authored-by: Will Vedder <will.vedder@okta.com> Co-authored-by: Sergiu Ghitea <sergiu.ghitea@okta.com> * DXCDT-267: Graceful handling of access token regeneration (2/x) (#547) Co-authored-by: Rita Zerrizuela <zeta@widcket.com> Co-authored-by: Will Vedder <will.vedder@okta.com> Co-authored-by: Sergiu Ghitea <sergiu.ghitea@okta.com> * DXCDT-298: Interactive login prompt (3/x) (#551) Co-authored-by: Rita Zerrizuela <zeta@widcket.com> Co-authored-by: Will Vedder <will.vedder@okta.com> Co-authored-by: Sergiu Ghitea <28300158+sergiught@users.noreply.github.com> Co-authored-by: Sergiu Ghitea <sergiu.ghitea@okta.com> * DXCDT-295: Refactor quickstarts command to use quickstart meta URL (#553) * DXCDT-297: Remove env var ingestion (#554) Removing environment variable ingestion, removing unnecessary comment Co-authored-by: Will Vedder <will.vedder@okta.com> * DXCDT-271: Add ci step to check that docs are up to date (#560) * DXCDT-271: Move bundle install out of make docs and into docs-start (#562) * DXCDT-296: Supporting additional scopes when authenticating as user (#561) * Adding additional scopes support via --scopes flag * Adding additional scopes support via --scopes flag * Removing logging * Uncommenting scope, removing Start function * Condensing error to single line * Fixing linting errors * Changing test * Updating docs * Unpluralizing text, setting nil default value * Fixing bad help text * Tiny refactors on the login cmd * Fixing linting error * Update internal/auth/auth.go Co-authored-by: Will Vedder <will.vedder@okta.com> Co-authored-by: Rita Zerrizuela <zeta@widcket.com> Co-authored-by: Sergiu Ghitea <sergiu.ghitea@okta.com> Co-authored-by: Sergiu Ghitea <28300158+sergiught@users.noreply.github.com> * DXCDT-271: Fix generated docs (#563) * Rename build_doc to doc-gen * Downgrade json flag from persistent to local * Update doc pages * DXCDT-272 Add install script and update README (#564) Co-authored-by: Will Vedder <willvedd@gmail.com> Co-authored-by: Will Vedder <will.vedder@okta.com> * DXCDT-273: Authentication documentation (#565) Co-authored-by: Will Vedder <will.vedder@okta.com> * Updating README * Targeting main branch before we forget to change back Co-authored-by: Sergiu Ghitea <28300158+sergiught@users.noreply.github.com> Co-authored-by: Will Vedder <will.vedder@okta.com> Co-authored-by: Sergiu Ghitea <sergiu.ghitea@okta.com> Co-authored-by: Rita Zerrizuela <zeta@widcket.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
🔧 Changes
In #538 we added nearly all of the Management API scopes to enable out-the-box support for the
apicommand. In hindsight, this over-provisioning of scopes was unnecessary and at worse a liability for some. Instead, we're only provisioning scopes for first-class CLI features during initial grant, additional scopes can be requested with the--scopesflag duringauth0 login. Example:This flag provides a flexible means of providing feature parity through the
apicommand while not overtly violating the principle of least privilege. Also, a nice side effect of this change is that new Management API features that come with accompanying scopes have immediate support, no need to wait for those scopes to be added to the code base.In addition to supporting this behavior, 403 "insufficient scope" errors are detected and a crafted error message is made to guide the user to rectify using the
--scopesflag. See:📚 References
Related PRs:
🔬 Testing
📝 Checklist