Skip to content

enable adding custom scopes to access token#176

Open
DeemoONeill wants to merge 3 commits into
tailscale:mainfrom
DeemoONeill:feature/MO/add_additional_scopes
Open

enable adding custom scopes to access token#176
DeemoONeill wants to merge 3 commits into
tailscale:mainfrom
DeemoONeill:feature/MO/add_additional_scopes

Conversation

@DeemoONeill

@DeemoONeill DeemoONeill commented Jun 24, 2026

Copy link
Copy Markdown

These changes address one of the problems described in the following issue: #177

This enables users to set any additional scopes to be advertised at the .well-known/oauth-authorization-server end point.

it also uses the scope key in the extraClaims to validate whether the user can be granted the scope.

This solves our particular usecase which is integrating with a 3rd party service that only uses the access token, and not the id token. But i'm happy to make, or for you to make, any changes required to make this appropriate for all users.

I apologise if the code isn't up to standard, i've not written much go and not for about a year, again, happy to make any changes to conform

this adds scopes to "scopes supported" at the .wellknown endpoint
it allows the user to requests these scopes
it gates any non-openid spec scopes behind acl grants. so if a user is
granted the custom:read scope but requests custom:write. they wouldn't
be given it.

Signed-off-by: Matthew O'Neill <moneill@lunarenergy.com>
Signed-off-by: Matthew O'Neill <moneill@lunarenergy.com>
Signed-off-by: Matthew O'Neill <moneill@lunarenergy.com>
@DeemoONeill DeemoONeill force-pushed the feature/MO/add_additional_scopes branch from 3011e25 to a7fcde4 Compare June 24, 2026 12:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant