Skip to content

Commit 75dfa5c

Browse files
committed
oidc: add constants for "email" and "profile" scopes
I've intentionally left out "address" and "phone" since they seem extremely dated compared to modern privacy practices. We shouldn't encourage their use. Fixes #385 Fixes #387
1 parent a89f046 commit 75dfa5c

6 files changed

Lines changed: 25 additions & 5 deletions

File tree

README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -73,7 +73,7 @@ oauth2Config := oauth2.Config{
7373
Endpoint: provider.Endpoint(),
7474

7575
// "openid" is a required scope for OpenID Connect flows.
76-
Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
76+
Scopes: []string{oidc.ScopeOpenID, oidc.ScopeProfile, oidc.ScopeEmail},
7777
}
7878

7979
// Create an ID Token verifier.

example/idtoken/app.go

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -59,7 +59,7 @@ func main() {
5959
ClientSecret: clientSecret,
6060
Endpoint: provider.Endpoint(),
6161
RedirectURL: "http://127.0.0.1:5556/auth/google/callback",
62-
Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
62+
Scopes: []string{oidc.ScopeOpenID, oidc.ScopeProfile, oidc.ScopeEmail},
6363
}
6464

6565
http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {

example/logout/app.go

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -104,7 +104,7 @@ func main() {
104104
ClientSecret: clientSecret,
105105
Endpoint: provider.Endpoint(),
106106
RedirectURL: callbackURL,
107-
Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
107+
Scopes: []string{oidc.ScopeOpenID, oidc.ScopeProfile, oidc.ScopeEmail},
108108
}
109109

110110
http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {

example/userinfo/app.go

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -54,7 +54,7 @@ func main() {
5454
ClientSecret: clientSecret,
5555
Endpoint: provider.Endpoint(),
5656
RedirectURL: "http://127.0.0.1:5556/auth/google/callback",
57-
Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
57+
Scopes: []string{oidc.ScopeOpenID, oidc.ScopeProfile, oidc.ScopeEmail},
5858
}
5959

6060
http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {

oidc/doc.go

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -17,7 +17,7 @@
1717
// // Discovery returns the OAuth2 endpoints.
1818
// Endpoint: provider.Endpoint(),
1919
// // "openid" is a required scope for OpenID Connect flows.
20-
// Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
20+
// Scopes: []string{oidc.ScopeOpenID, oidc.ScopeProfile, oidc.ScopeEmail},
2121
// }
2222
//
2323
// idTokenVerifier := provider.Verifier(&oidc.Config{ClientID: clientID})

oidc/oidc.go

Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -23,6 +23,26 @@ const (
2323
// ScopeOpenID is the mandatory scope for all OpenID Connect OAuth2 requests.
2424
ScopeOpenID = "openid"
2525

26+
// ScopeProfile can be used to request information about the user's profile,
27+
// such as "name", "picture", etc.
28+
//
29+
// The exact set of claims supported by identity providers differs widely,
30+
// though "name" and "picture" are commonly returned.
31+
//
32+
// See: https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
33+
ScopeProfile = "profile"
34+
35+
// ScopeEmail can be used to request the user's email address through the
36+
// "email" and "email_verified" claims.
37+
//
38+
// What it means to verify an email isn't well defined. Clients can
39+
// generally throw out emails when the "emvail_verified" claim is false, but
40+
// should consult identity provider specific docs if attempting to ensure
41+
// that the user controls the returned email address.
42+
//
43+
// See: https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
44+
ScopeEmail = "email"
45+
2646
// ScopeOfflineAccess is an optional scope defined by OpenID Connect for requesting
2747
// OAuth2 refresh tokens.
2848
//

0 commit comments

Comments
 (0)