diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Controllers/OAuth2Controller.cs b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Controllers/OAuth2Controller.cs
index 8add1d424..3c04ff7b1 100644
--- a/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Controllers/OAuth2Controller.cs
+++ b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Controllers/OAuth2Controller.cs
@@ -25,6 +25,18 @@ public async Task Authorize()
 var request = HttpContext.GetOpenIddictServerRequest() ?? throw new InvalidOperationException("The OpenID Connect request cannot be retrieved.");
+ if (!request.HasScope(CustomScopes.TeachingRecord))
+ {
+ return Forbid(
+ authenticationSchemes: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
+ properties: new AuthenticationProperties(new Dictionary()
+ {
+ [OpenIddictServerAspNetCoreConstants.Properties.Error] = Errors.InvalidRequest,
+ [OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] =
+ $"Requests must include the {CustomScopes.TeachingRecord} scope."
+ }));
+ }
+
 var clientId = request.ClientId!;
 var client = await dbContext.ApplicationUsers.SingleAsync(u => u.ClientId == clientId);
diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/CustomScopes.cs b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/CustomScopes.cs
new file mode 100644
index 000000000..d950fdfe6
--- /dev/null
+++ b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/CustomScopes.cs
@@ -0,0 +1,6 @@
+namespace TeachingRecordSystem.AuthorizeAccess;
+
+public static class CustomScopes
+{
+ public const string TeachingRecord = "teaching_record";
+}
diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Program.cs b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Program.cs
index 4590bfc8c..1ed8a3193 100644
--- a/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Program.cs
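Review bot: The added scope check reports `Errors.InvalidRequest`, but for a scope that is missing or not acceptable RFC 6749 §4.1.2.1 defines `invalid_scope`, which OpenIddict exposes as `Errors.InvalidScope`, so clients that branch on the error code would get the specific value with `[OpenIddictServerAspNetCoreConstants.Properties.Error] = Errors.InvalidScope,`. The guard also deserves a why-comment, since it deliberately runs before the client lookup: `// Every authorization request must carry the teaching_record scope; reject early so no client or consent work is done for a request that cannot be served.` `new Dictionary()` appears to have lost its type arguments in rendering (the AuthenticationProperties constructor takes an `IDictionary<string, string?>`), so this is presumably a display artefact rather than what was committed. Authorize() continues past the end of the hunk, and a test driving the rejection path would pin both the error code and the description.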
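Review bot: The value "teaching_record" is also written out as a bare literal in User.cs (`$"{Permissions.Prefixes.Scope}teaching_record"` inside EnsureConfiguredForOneLogin), so the scope name now lives in two places that must stay in sync for OpenIddict's client-permission check to accept the requests the controller requires. If Core cannot reference AuthorizeAccess, which the project layout suggests, the constant could be defined in Core (or another assembly both can see) so the permission is built from it as `$"{Permissions.Prefixes.Scope}{CustomScopes.TeachingRecord}"`. A summary on the class would also help the next reader: `/// <summary>Scopes specific to this service, alongside the standard OpenIddict <c>Scopes</c>.</summary>`.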
+++ b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Program.cs
@@ -81,8 +81,7 @@
 .SetTokenEndpointUris("oauth2/token")
 .SetUserinfoEndpointUris("oauth2/userinfo");
- // TODO - add teaching record scopes
- options.RegisterScopes(Scopes.Email, Scopes.Profile);
+ options.RegisterScopes(Scopes.Email, Scopes.Profile, CustomScopes.TeachingRecord);
 options.AllowAuthorizationCodeFlow();
diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/TestAppConfiguration.cs b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/TestAppConfiguration.cs
index bebc0e312..b209a90d7 100644
--- a/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/TestAppConfiguration.cs
+++ b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/TestAppConfiguration.cs
@@ -35,6 +35,7 @@ public static WebApplicationBuilder AddTestApp(this WebApplicationBuilder builde
 options.Scope.Add("openid");
 options.Scope.Add("email");
 options.Scope.Add("profile");
+ options.Scope.Add(CustomScopes.TeachingRecord);
 });
 }
 else
diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.Core/DataStore/Postgres/Models/User.cs b/TeachingRecordSystem/src/TeachingRecordSystem.Core/DataStore/Postgres/Models/User.cs
index 457aa4c97..bca7b21ef 100644
--- a/TeachingRecordSystem/src/TeachingRecordSystem.Core/DataStore/Postgres/Models/User.cs
+++ b/TeachingRecordSystem/src/TeachingRecordSystem.Core/DataStore/Postgres/Models/User.cs
@@ -105,7 +105,8 @@ public void EnsureConfiguredForOneLogin()
 Permissions.GrantTypes.AuthorizationCode,
 Permissions.ResponseTypes.Code,
 Permissions.Scopes.Email,
- Permissions.Scopes.Profile),
+ Permissions.Scopes.Profile,
+ $"{Permissions.Prefixes.Scope}teaching_record"),
 RedirectUris = CreateJsonArray(RedirectUris!.ToArray()),
 PostLogoutRedirectUris = CreateJsonArray(PostLogoutRedirectUris!.ToArray()),
 Requirements = CreateJsonArray(Requirements.Features.ProofKeyForCodeExchange)
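Review bot: The `teaching_record` scope permission is granted to every client that passes through EnsureConfiguredForOneLogin with no per-client opt-in, and since the authorize endpoint now refuses requests that lack that scope, every One Login client effectively receives teaching-record access. If that is intended, a short comment on the new line saying so (`// All One Login clients are granted the teaching_record scope; Authorize() rejects requests without it.`) would save the next reader from checking; if some clients should not have it, the permission should be driven by a per-user setting rather than added unconditionally. EnsureConfiguredForOneLogin begins before the hunk, so whether any such condition already exists cannot be seen here.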