From 916c47cf2fcc173879f2644ad1fbfe18eec4b1b3 Mon Sep 17 00:00:00 2001
From: Ralph Bean
Date: Fri, 17 Feb 2017 10:44:47 -0500
Subject: [PATCH 1/4] Remove unused OIDC scopes.
---
contrib/submit_build.py | 2 --
1 file changed, 2 deletions(-)
diff --git a/contrib/submit_build.py b/contrib/submit_build.py
index ea9cfd83..3d7dd5dd 100644
--- a/contrib/submit_build.py
+++ b/contrib/submit_build.py
@@ -78,8 +78,6 @@ if not token:
'nonce': random.randint(100, 10000),
'scope': ' '.join([
'openid',
- 'profile',
- 'email',
'https://id.fedoraproject.org/scope/groups',
]),
'client_id': 'mbs-authorizer',
From 20d1abfcfc1e265231e8b0e1aeee6f70a0acc417 Mon Sep 17 00:00:00 2001
From: Ralph Bean
Date: Fri, 17 Feb 2017 10:44:52 -0500
Subject: [PATCH 2/4] Add OIDC scope for MBS permissions.
Added here: https://infrastructure.fedoraproject.org/cgit/ansible.git/commit/?id=87503b8ed96813c259eb5b31afef1fc0cbdc7027
---
contrib/submit_build.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/contrib/submit_build.py b/contrib/submit_build.py
index 3d7dd5dd..e8660ca4 100644
--- a/contrib/submit_build.py
+++ b/contrib/submit_build.py
@@ -79,6 +79,7 @@ if not token:
'scope': ' '.join([
'openid',
'https://id.fedoraproject.org/scope/groups',
+ 'https://mbs.fedoraproject.org/oidc/submit-build',
]),
'client_id': 'mbs-authorizer',
}) + "&redirect_uri=http://localhost:13747/"
From 54770cdc23d899509de33af506ac481b3ee620ce Mon Sep 17 00:00:00 2001
From: Ralph Bean
Date: Fri, 17 Feb 2017 10:55:37 -0500
Subject: [PATCH 3/4] Check that our required OIDC scopes are present.
---
module_build_service/auth.py | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/module_build_service/auth.py b/module_build_service/auth.py
index 144df004..90966867 100644
--- a/module_build_service/auth.py
+++ b/module_build_service/auth.py
@@ -102,6 +102,17 @@ def get_user(request):
if not "active" in data or not data["active"]:
raise Unauthorized("OIDC token invalid or expired.")
+ presented_scopes = data['scope']
+ required_scopes = [
+ 'openid',
+ 'https://id.fedoraproject.org/scope/groups',
+ 'https://mbs.fedoraproject.org/oidc/submit-build',
+ ]
+ for scope in required_scopes:
+ if scope not in presented_scopes:
+ raise Unauthorized("Required OIDC scope %r not present: %r" % (
+ scope, presented_scopes))
+
try:
extended_data = _get_user_info(token)
except Exception as e:
From ef14008927800d60a7ffa2cf95f53a56f19e2422 Mon Sep 17 00:00:00 2001
From: Ralph Bean
Date: Mon, 20 Feb 2017 08:41:36 -0500
Subject: [PATCH 4/4] Split this string, at @puiterwijk's suggestion.
---
module_build_service/auth.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/module_build_service/auth.py b/module_build_service/auth.py
index 90966867..6d657256 100644
--- a/module_build_service/auth.py
+++ b/module_build_service/auth.py
@@ -102,7 +102,7 @@ def get_user(request):
if not "active" in data or not data["active"]:
raise Unauthorized("OIDC token invalid or expired.")
- presented_scopes = data['scope']
+ presented_scopes = data['scope'].split(' ')
required_scopes = [
'openid',
'https://id.fedoraproject.org/scope/groups',
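Review bot: `presented_scopes = data['scope']` raises KeyError when the introspection response carries no `scope` member, which RFC 7662 lists as optional, so such a token would surface as an unhandled exception rather than the Unauthorized the adjacent `active` check raises; reading it as `presented_scopes = data.get('scope', '')` keeps the rejection on the Unauthorized path, since an empty scope string fails the first required-scope test. The substring semantics of `scope not in presented_scopes` on the raw string are addressed by the split in the following patch, so that is not re-raised here. The required-scope list is also rebuilt on every request; a module-level `REQUIRED_OIDC_SCOPES` tuple would be the usual shape and keeps the list next to the one the client script sends. get_user starts before this hunk and continues after it.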
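Review bot: `data['scope'].split(' ')` is a point of style: `split()` with no separator also absorbs leading, trailing or repeated whitespace in the space-delimited scope string, whereas `split(' ')` leaves empty-string entries behind, so `presented_scopes = data['scope'].split()` is the idiomatic form. Membership checks against `required_scopes` give the same result either way, so this is cosmetic; if the provider could ever return `scope` as a JSON array rather than a string, the `.split` call would raise AttributeError, which is worth confirming against the introspection endpoint in use. get_user starts before this hunk and continues after it.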