From 329415f2fb51767a0c60617acc22d13adc752400 Mon Sep 17 00:00:00 2001
From: Felix Clack
Date: Wed, 1 Apr 2020 13:16:25 +1000
Subject: [PATCH] Add support for `connection_scope` in params

Many identity providers recommend asking for permissions progressively as per the requirements of your app, rather than all up-front. Auth0 provides an option for requesting scopes for an identity provider with the `connection_scope` parameter. Right now this can only be set statically in the OmniAuth initializer. This makes it hard to progressively request extra scopes. A pattern for adding dynamic parameters to `authorize_params` already exists and is used for `connection` and `prompt`. We can extend this to add support for `connection_scope` too. The values passed to `connection_scope` are often unique to the identity provider and so will only be applied if they are supported by the connection chosen by the user or the `connection` parameter.
---
 lib/omniauth/strategies/auth0.rb | 4 ++--
 spec/omniauth/strategies/auth0_spec.rb | 9 +++++++++
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/lib/omniauth/strategies/auth0.rb b/lib/omniauth/strategies/auth0.rb
index c890c17..5e7ee3b 100644
--- a/lib/omniauth/strategies/auth0.rb
+++ b/lib/omniauth/strategies/auth0.rb
@@ -86,7 +86,7 @@ def client
     def authorize_params
       params = super
       parsed_query = Rack::Utils.parse_query(request.query_string)
-      %w[connection prompt].each do |key|
+      %w[connection connection_scope prompt].each do |key|
         params[key] = parsed_query[key] if parsed_query.key?(key)
       end
@@ -94,7 +94,7 @@ def authorize_params
       params[:nonce] = SecureRandom.hex
       # Generate leeway if none exists
       params[:leeway] = 60 unless params[:leeway]
-      
+
       # Store authorize params in the session for token verification
       session['authorize_params'] = params
diff --git a/spec/omniauth/strategies/auth0_spec.rb b/spec/omniauth/strategies/auth0_spec.rb
index bd26406..57a12c0 100644
--- a/spec/omniauth/strategies/auth0_spec.rb
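Review bot: The new `connection_scope` entry on the `%w[...]` line is copied straight from the request query string into the upstream /authorize redirect without any validation, so a crafted `/auth/auth0?connection_scope=…` link handed to a user would make the identity provider's consent screen request whatever provider scopes the link author chose rather than the ones the application intends; the commit message itself notes these values are provider-specific. Consider restricting the value to a set the application configures, for example by leaving the generic loop to `connection` and `prompt` and handling the new key separately: `scope = parsed_query['connection_scope']` / `params['connection_scope'] = scope if scope.is_a?(String) && Array(options[:allowed_connection_scopes]).include?(scope)` (`allowed_connection_scopes` would be a new strategy option). Separately, `Rack::Utils.parse_query` returns an Array when a key is repeated, so the value written into `params` and later into `session['authorize_params']` is not guaranteed to be a String; that already applies to the existing keys, but the new key is a good place to add the `is_a?(String)` guard. `authorize_params` continues past the end of this hunk.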
+++ b/spec/omniauth/strategies/auth0_spec.rb
@@ -100,6 +100,15 @@
       expect(redirect_url).not_to have_query('prompt')
     end
+    it 'redirects to the hosted login page with connection_scope' do
+      get 'auth/auth0?connection_scope=identity_provider_scope'
+      expect(last_response.status).to eq(302)
+      redirect_url = last_response.headers['Location']
+      expect(redirect_url).to start_with('https://samples.auth0.com/authorize')
+      expect(redirect_url)
+        .to have_query('connection_scope', 'identity_provider_scope')
+    end
+
     it 'redirects to hosted login page with prompt=login' do
       get 'auth/auth0?prompt=login'
       expect(last_response.status).to eq(302)
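Review bot: The new example only checks the positive path with a placeholder value, so nothing asserts that `connection_scope` is left off the redirect when the request does not carry it, whereas the example ending just above the insertion (its opening is outside the hunk) appears to cover exactly that case for `prompt`. Real provider scopes such as `https://www.googleapis.com/auth/calendar.readonly` contain `:` and `/`, so a test with a URL-encoded value would also exercise the round-trip through `Rack::Utils.parse_query` and the authorize URL builder, e.g. `get 'auth/auth0?connection_scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar.readonly'` with the matching `have_query` expectation (assuming `have_query` compares the decoded value, which is not visible here). A negative example to add is below; the enclosing `describe` block starts and ends outside the hunk.
```ruby
# … unchanged: 'redirects to the hosted login page with connection_scope' example …

it 'does not forward connection_scope when the request omits it' do
  get 'auth/auth0'
  expect(last_response.status).to eq(302)
  expect(last_response.headers['Location']).not_to have_query('connection_scope')
end
```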