add scopes config variable

WhammyLeaf · WhammyLeaf · commit 0ab422d615cb · 2025-11-26T21:30:58.000Z
diff --git a/config.go b/config.go
@@ -3,6 +3,7 @@ package oauth
 import (
 	"fmt"
 	"strconv"
+	"strings"
 
 	"github.com/tuannvm/oauth-mcp-proxy/provider"
 )
@@ -19,6 +20,7 @@ type Config struct {
 	Audience     string
 	ClientID     string
 	ClientSecret string
+	Scopes       []string
 
 	// Server configuration
 	ServerURL string // Full URL of the MCP server
@@ -226,6 +228,12 @@ func (b *ConfigBuilder) WithJWTSecret(secret []byte) *ConfigBuilder {
 	return b
 }
 
+// WithScopes sets the OIDC scopes
+func (b *ConfigBuilder) WithScopes(scopes []string) *ConfigBuilder {
+	b.config.Scopes = scopes
+	return b
+}
+
 // WithLogger sets the logger
 func (b *ConfigBuilder) WithLogger(logger Logger) *ConfigBuilder {
 	b.config.Logger = logger
@@ -307,6 +315,7 @@ func FromEnv() (*Config, error) {
 	}
 
 	jwtSecret := getEnv("JWT_SECRET", "")
+	scopes := strings.Split(getEnv("OIDC_SCOPES", ""), " ")
 
 	return NewConfigBuilder().
 		WithMode(getEnv("OAUTH_MODE", "")).
@@ -316,6 +325,7 @@ func FromEnv() (*Config, error) {
 		WithAudience(getEnv("OIDC_AUDIENCE", "")).
 		WithClientID(getEnv("OIDC_CLIENT_ID", "")).
 		WithClientSecret(getEnv("OIDC_CLIENT_SECRET", "")).
+		WithScopes(scopes).
 		WithSkipAudienceCheck(parseBoolEnv("OIDC_SKIP_AUDIENCE_CHECK", false)).
 		WithSkipIssuerCheck(parseBoolEnv("OIDC_SKIP_ISSUER_CHECK", false)).
 		WithSkipExpiryCheck(parseBoolEnv("OIDC_SKIP_EXPIRY_CHECK", false)).
diff --git a/handlers.go b/handlers.go
@@ -46,6 +46,7 @@ type OAuth2Config struct {
 	Audience     string
 	ClientID     string
 	ClientSecret string
+	Scopes       []string
 
 	// Server configuration
 	MCPHost string
@@ -96,7 +97,7 @@ func NewOAuth2Handler(cfg *OAuth2Config, logger Logger) *OAuth2Handler {
 		ClientID:     cfg.ClientID,
 		ClientSecret: cfg.ClientSecret,
 		Endpoint:     endpoint,
-		Scopes:       []string{"openid", "profile", "email"},
+		Scopes:       cfg.Scopes,
 	}
 
 	// Log client configuration type for debugging
@@ -177,6 +178,11 @@ func NewOAuth2ConfigFromConfig(cfg *Config, version string) *OAuth2Config {
 		mcpURL = getEnv("MCP_URL", fmt.Sprintf("%s://%s:%s", scheme, mcpHost, mcpPort))
 	}
 
+	scopes := cfg.Scopes
+	if len(scopes) == 0 {
+		scopes = []string{"openid", "profile", "email"}
+	}
+
 	return &OAuth2Config{
 		Enabled:         true,
 		Mode:            cfg.Mode,
@@ -186,6 +192,7 @@ func NewOAuth2ConfigFromConfig(cfg *Config, version string) *OAuth2Config {
 		Audience:        cfg.Audience,
 		ClientID:        cfg.ClientID,
 		ClientSecret:    cfg.ClientSecret,
+		Scopes:          scopes,
 		MCPHost:         mcpHost,
 		MCPPort:         mcpPort,
 		MCPURL:          mcpURL,
diff --git a/metadata.go b/metadata.go
@@ -242,7 +242,7 @@ func (h *OAuth2Handler) HandleOIDCDiscovery(w http.ResponseWriter, r *http.Reque
 		"token_endpoint_auth_methods_supported": []string{"none"},
 		"code_challenge_methods_supported":      []string{"plain", "S256"},
 		"subject_types_supported":               []string{"public"},
-		"scopes_supported":                      []string{"openid", "profile", "email"},
+		"scopes_supported":                      h.config.Scopes,
 	}
 
 	// Add provider-specific fields

Original file line number	Diff line number	Diff line change
`@@ -242,7 +242,7 @@ func (h OAuth2Handler) HandleOIDCDiscovery(w http.ResponseWriter, r http.Reque`
`242`	`242`	`"token_endpoint_auth_methods_supported": []string{"none"},`
`243`	`243`	`"code_challenge_methods_supported": []string{"plain", "S256"},`
`244`	`244`	`"subject_types_supported": []string{"public"},`
`245`		`- "scopes_supported": []string{"openid", "profile", "email"},`
	`245`	`+ "scopes_supported": h.config.Scopes,`
`246`	`246`	`}`
`247`	`247`
`248`	`248`	`// Add provider-specific fields`