From b908bac387a188744d58ec87102d77eaa319d2ff Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Wed, 8 Mar 2017 14:42:41 +0100
Subject: [PATCH] idp_oidc: add setting for list of scopes (fixes #15611)

---
 src/authentic2_idp_oidc/app_settings.py | 4 ++++
 src/authentic2_idp_oidc/views.py | 7 ++++---
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/authentic2_idp_oidc/app_settings.py b/src/authentic2_idp_oidc/app_settings.py
index 0c34bc9..8039cb0 100644
--- a/src/authentic2_idp_oidc/app_settings.py
+++ b/src/authentic2_idp_oidc/app_settings.py
@@ -22,6 +22,10 @@ class AppSettings(object):
 def JWKSET(self):
 return self._setting('JWKSET', [])
 
+ @property
+ def SCOPES(self):
+ return self._setting('SCOPES', [])
+
 import sys
 app_settings = AppSettings('A2_IDP_OIDC_')
diff --git a/src/authentic2_idp_oidc/views.py b/src/authentic2_idp_oidc/views.py
index 3399e6e..66933fc 100644
--- a/src/authentic2_idp_oidc/views.py
+++ b/src/authentic2_idp_oidc/views.py
@@ -136,10 +136,11 @@ def authorize(request, *args, **kwargs):
 error_description='openid scope is missing',
 state=state, fragment=fragment)
- if not (scopes <= set(['openid', 'profile', 'email'])):
+ allowed_scopes = app_settings.SCOPES or ['openid', 'email', 'profile']
+ if not (scopes <= set(allowed_scopes)):
 return authorization_error(request, redirect_uri, 'invalid_scope',
- error_description='only openid, profile and email scopes are '
- 'supported',
+ error_description='only %s scopes are '
+ 'supported %s' % (','.join(allowed_scopes), scopes),
 state=state, fragment=fragment)
-- 
2.1.4
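Review bot: The new SCOPES property defaults to `[]`, which leaves the real default list (`['openid', 'email', 'profile']`) living in views.py behind an `or` fallback, so an explicit `A2_IDP_OIDC_SCOPES = []` in settings is indistinguishable from "unset" and the two places can drift. Moving the default into the property, `return self._setting('SCOPES', ['openid', 'email', 'profile'])`, keeps a single source of truth and lets callers use `app_settings.SCOPES` directly. The property is also undocumented; a short docstring such as `"""List of OAuth2/OIDC scope names the authorization endpoint accepts; 'openid' must be included or every request fails the scope check."""` would tell operators what a misconfiguration costs, since the views.py hunk rejects requests missing 'openid' before it consults this list (that check sits partly outside the hunk, so treat the exact ordering as inferred). The surrounding AppSettings class starts outside the hunk.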
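Review bot: The rewritten error_description interpolates the client-supplied `scopes` set with `%s`, which renders as `set([...])` and, more importantly, echoes arbitrary attacker-controlled scope strings back into the `invalid_scope` response that authorization_error sends to redirect_uri; that is only safe if authorization_error URL-encodes its arguments, which the hunk does not show, and it leaks nothing useful to a legitimate client since they already know what they requested. The message wording is also off: `'only %s scopes are supported %s'` appends the requested set after "supported" with no separator, and `','.join(allowed_scopes)` assumes SCOPES is a list of strings (a misconfigured plain string would be joined character by character after `set()` splits it). I would drop the echo, or at least normalize it, e.g. `error_description='only %s scopes are supported, got %s' % (', '.join(allowed_scopes), ', '.join(sorted(scopes)))`, and verify authorization_error encodes before reflecting any request value. The body of `authorize` continues outside the hunk.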