mirror of https://github.com/dexidp/dex.git
1 changed files with 72 additions and 0 deletions
@ -0,0 +1,72 @@
|
# Dex Enhancement Proposal (DEP) 2960 - 2023-05-19 - Dynamic Scopes |
|
## Table of Contents |
|
- [Summary](#summary) |
- [Motivation](#motivation) |
- [Goals/Pain](#goals) |
- [Non-Goals](#non-goals) |
- [Proposal](#proposal) |
- [User Experience](#user-experience) |
- [Implementation Details/Notes/Constraints](#implementation-detailsnotesconstraints) |
- [Risks and Mitigations](#risks-and-mitigations) |
- [Alternatives](#alternatives) |
- [Future Improvements](#future-improvements) |
|
## Summary |
|
Support Dynamic Scopes in Dex |
|
## Context |
|
Dex has an exhaustive list of scopes it supports. These scopes |
are all defined in the OIDC spec. Many IDPs support additional scopes. |
In some cases this include dynamic scopes to provide more fine grained |
control on the claims. It would be great if Dex can support |
these additional scopes using an opt-in configuration mechanism. |
|
An example of another IDP providing implementing dynamic scopes is [available here](https://cloudentity.com/developers/howtos/access-control/creating-and-configuring-dynamic-scopes/#dynamic-scope-purpose) |
|
This enhancement would provide the same capability but naturally delegate the handling |
to the connectors. Combined with [DEP-2876](https://github.com/dexidp/dex/pull/2954) this |
would provide a full end-to-end approach to support "Middleware" type capabilities with the |
ability to drive this fully from the integrating clients. |
|
## Motivation |
|
Use Dex in an environment where dynamic and fine grained scope driven claims are useful. |
|
### Goals/Pain |
|
- Update Dex core OAuth2 config section to accept `allowedScopePrefixes` |
- During runtime ensure scopes match the configured prefixes |
- Ensure full backwards compatiblity in case this feature is not used |
|
### Non-goals |
|
## Proposal |
|
### User Experience |
|
- Optional configuration changes to enable dynamic scopes (prefix) |
- Connectors should be updated to take advantage of these additional scopes |
|
### Implementation Details/Notes/Constraints |
|
|
- Modify the Dex OAuth2 global config to accept a list of `allowedScopePrefixes` |
- Propagate this list to the handler code |
- Validate passed scopes against this prefix list |
- Modify select connectors to take advantage of these new scopes |
|
### Risks and Mitigations |
|
- Operators should ensure additional scopes to not allow unwanted claims |
|
### Alternatives |
|
- Similar functionality exist in non-Dex providers but changing to these is prohibitive if already invested in Dex |
|
## Future Improvements |
|
- Combine this functionality with core "Middleware" solution |
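Review bot: the validation step "Validate passed scopes against this prefix list" under Implementation Details leaves the matching rule unspecified, and this is where the security of the feature lives: say explicitly that a requested scope is accepted only when it starts with one of the configured `allowedScopePrefixes` (an anchored string-prefix match on the whole scope token, not a substring or glob match), that an empty prefix must be rejected at config load since it would match every scope and silently disable scope validation, and whether prefix-accepted scopes are stored with the auth request and refresh token so they survive the refresh flow and are reported back in the token response. The Risks and Mitigations section should also state the mitigation rather than only the risk: the part of a dynamic scope after the prefix is arbitrary client-supplied input, so connectors that "take advantage of these additional scopes" need to validate that suffix before using it to select claims, and operators should keep the prefix list narrow. Smaller items: the Non-goals section is empty; the Table of Contents links "Goals/Pain" to `#goals` while the heading text is "Goals/Pain"; the link text "DEP-2876" points at pull 2954, so confirm which number is intended; and "this include", "providing implementing", "compatiblity" and "functionality exist" need a proofread.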