smallstep · maraino · Jun 13, 2024 · Apr 16, 2024 · Apr 16, 2024 · Apr 17, 2024
diff --git a/command/ca/provisioner/provisioner.go b/command/ca/provisioner/provisioner.go
@@ -605,6 +605,16 @@ Use the '--group' flag multiple times to configure multiple groups.`,
 		Name:  "tenant-id",
 		Usage: `The <tenant-id> used to replace the templatized tenantid value in the OpenID Configuration.`,
 	}
+	oidcScopeFlag = cli.StringSliceFlag{
+		Name: "scope",
+		Usage: `The <scope> list used to validate the scopes extension in an OpenID Connect token.
+Use the '--scope' flag multiple times to configure multiple scopes.`,
+	}
+	oidcAuthParamFlag = cli.StringSliceFlag{
+		Name: "auth-param",
+		Usage: `The <auth-param> list used to validate the auth-params extension in an OpenID Connect token.
+Use the '--auth-param' flag multiple times to configure multiple auth-params.`,
+	}
 
 	// X5C provisioner flags
 	x5cRootsFlag = cli.StringFlag{

diff --git a/command/ca/provisioner/update.go b/command/ca/provisioner/update.go
@@ -54,6 +54,8 @@ OIDC
 [**--domain**=<domain>] [**--remove-domain**=<domain>]
 [**--group**=<group>] [**--remove-group**=<group>]
 [**--admin**=<email>]... [**--remove-admin**=<email>]...
+[**--scope**=<scope>] [**--remove-scope**=<scope>]
+[**--auth-param**=<auth-param>] [**--remove-auth-param**=<auth-param>]
 [**--admin-cert**=<file>] [**--admin-key**=<file>]
 [**--admin-subject**=<subject>] [**--admin-provisioner**=<name>] [**--admin-password-file**=<file>]
 [**--ca-url**=<uri>] [**--root**=<file>] [**--context**=<name>] [**--ca-config**=<file>]
@@ -123,6 +125,8 @@ SCEP
 			oidcRemoveDomainFlag,
 			oidcGroupFlag,
 			oidcTenantIDFlag,
+			oidcScopeFlag,
+			oidcAuthParamFlag,
 
 			// X5C Root Flag
 			x5cRootsFlag,
@@ -802,6 +806,18 @@ func updateOIDCDetails(ctx *cli.Context, p *linkedca.Provisioner) error {
 		}
 		details.ConfigurationEndpoint = ce
 	}
+	if ctx.IsSet("remove-scope") {
+		details.Scopes = removeElements(details.Scopes, ctx.StringSlice("remove-scope"))
+	}
+	if ctx.IsSet("scope") {
+		details.Scopes = append(details.Scopes, ctx.StringSlice("scope")...)
+	}
+	if ctx.IsSet("remove-auth-param") {
+		details.AuthParams = removeElements(details.AuthParams, ctx.StringSlice("remove-auth-param"))
+	}
+	if ctx.IsSet("auth-param") {
+		details.AuthParams = append(details.AuthParams, ctx.StringSlice("auth-param")...)
+	}
 	return nil
 }
 

diff --git a/utils/cautils/token_generator.go b/utils/cautils/token_generator.go
@@ -124,6 +124,16 @@ func generateOIDCToken(ctx *cli.Context, p *provisioner.OIDC) (string, error) {
 	args := []string{"oauth", "--oidc", "--bare",
 		"--provider", p.ConfigurationEndpoint,
 		"--client-id", p.ClientID, "--client-secret", p.ClientSecret}
+	if len(p.Scopes) != 0 {
+		for _, keyval := range p.Scopes {
+			args = append(args, "--scope", keyval)
+		}
+	}
+	if len(p.AuthParams) != 0 {
+		for _, keyval := range p.AuthParams {
+			args = append(args, "--auth-param", keyval)
+		}
+	}
 	if ctx.Bool("console") {
 		args = append(args, "--console")
 	}