Check that our required OIDC scopes are present.

2026-04-02 02:11:19 +08:00 · 2017-02-17 10:55:37 -05:00
parent 20d1abfcfc
commit 54770cdc23
1 changed files with 11 additions and 0 deletions
--- a/module_build_service/auth.py
+++ b/module_build_service/auth.py
@@ -102,6 +102,17 @@ def get_user(request):
    if not "active" in data or not data["active"]:
        raise Unauthorized("OIDC token invalid or expired.")

+    presented_scopes = data['scope']
+    required_scopes = [
+        'openid',
+        'https://id.fedoraproject.org/scope/groups',
+        'https://mbs.fedoraproject.org/oidc/submit-build',
+    ]
+    for scope in required_scopes:
+        if scope not in presented_scopes:
+            raise Unauthorized("Required OIDC scope %r not present: %r" % (
+                scope, presented_scopes))
+
    try:
        extended_data = _get_user_info(token)
    except Exception as e: