Added OIDC scope management (#1049)

* added OIDC scope management * Remove errant code comment
2025-04-06 05:28:15 -05:00 · 2020-12-18 11:07:31 -05:00 · 2020-12-18 11:07:31 -05:00 · fd293dd183
commit fd293dd183
parent 97ba472606
2 changed files with 65 additions and 0 deletions
--- a/bitwarden_license/src/Sso/Utilities/DynamicAuthenticationSchemeProvider.cs
+++ b/bitwarden_license/src/Sso/Utilities/DynamicAuthenticationSchemeProvider.cs
@ -318,6 +318,18 @@ namespace Bit.Core.Business.Sso
                AuthenticationMethod = config.RedirectBehavior,
                GetClaimsFromUserInfoEndpoint = config.GetClaimsFromUserInfoEndpoint,
            };
+            if (!oidcOptions.Scope.Contains(OpenIdConnectScopes.OpenId))
+            {
+                oidcOptions.Scope.Add(OpenIdConnectScopes.OpenId);
+            }
+            if (!oidcOptions.Scope.Contains(OpenIdConnectScopes.Email))
+            {
+                oidcOptions.Scope.Add(OpenIdConnectScopes.Email);
+            }
+            if (!oidcOptions.Scope.Contains(OpenIdConnectScopes.Profile))
+            {
+                oidcOptions.Scope.Add(OpenIdConnectScopes.Profile);
+            }

            return new DynamicAuthenticationScheme(name, name, typeof(OpenIdConnectHandler),
                oidcOptions, SsoType.OpenIdConnect);
--- a/bitwarden_license/src/Sso/Utilities/OpenIdConnectScopes.cs
+++ b/bitwarden_license/src/Sso/Utilities/OpenIdConnectScopes.cs
@ -0,0 +1,53 @@
+namespace Bit.Sso.Utilities
+{
+    /// <summary>
+    /// OpenID Connect Clients use scope values as defined in 3.3 of OAuth 2.0
+    /// [RFC6749]. These values represent the standard scope values supported
+    /// by OAuth 2.0 and therefore OIDC.
+    /// </summary>
+    /// <remarks>
+    /// See: https://openid.net/specs/openid-connect-basic-1_0.html#Scopes
+    /// </remarks>
+    public static class OpenIdConnectScopes
+    {
+        /// <summary>
+        /// REQUIRED. Informs the Authorization Server that the Client is making
+        /// an OpenID Connect request. If the openid scope value is not present,
+        /// the behavior is entirely unspecified.
+        /// </summary>
+        public const string OpenId = "openid";
+
+        /// <summary>
+        /// OPTIONAL. This scope value requests access to the End-User's default
+        /// profile Claims, which are: name, family_name, given_name,
+        /// middle_name, nickname, preferred_username, profile, picture,
+        /// website, gender, birthdate, zoneinfo, locale, and updated_at.
+        /// </summary>
+        public const string Profile = "profile";
+
+        /// <summary>
+        /// OPTIONAL. This scope value requests access to the email and
+        /// email_verified Claims.
+        /// </summary>
+        public const string Email = "email";
+
+        /// <summary>
+        /// OPTIONAL. This scope value requests access to the address Claim.
+        /// </summary>
+        public const string Address = "address";
+
+        /// <summary>
+        /// OPTIONAL. This scope value requests access to the phone_number and
+        /// phone_number_verified Claims.
+        /// </summary>
+        public const string Phone = "phone";
+
+        /// <summary>
+        /// OPTIONAL. This scope value requests that an OAuth 2.0 Refresh Token
+        /// be issued that can be used to obtain an Access Token that grants
+        /// access to the End-User's UserInfo Endpoint even when the End-User is
+        /// not present (not logged in).
+        /// </summary>
+        public const string OfflineAccess = "offline_access";
+    }
+}