[GH-ISSUE #3177] [Feature Request] Allow for OIDC "scope" to be defined #2550

Closed
opened 2026-05-05 13:38:27 -06:00 by gitea-mirror · 6 comments

Originally created by @mattfeury on GitHub (Nov 17, 2022).
Original GitHub issue: https://github.com/fatedier/frp/issues/3177

Originally assigned to: @blizard863 on GitHub.

Hello,

Currently trying to use FRP with OIDC and Auth0. Things work well, but it appears that the OIDC calls hardcode the "Scopes" to the "audience" parameter: https://github.com/fatedier/frp/blob/da51adc27670f495478f50634462954319e4fc14/pkg/auth/oidc.go#L105

In Auth0, we have defined scopes, e.g. `users:read`, etc., that are substantially different from the audience. Attempting to use it with the sensible defaults fails because it's trying to validate a scope that doesn't exist: `Client has not been granted scopes {audience_value}`. It seems that conflating audience with scope is problematic, at least for Auth0, so I'd rather be able to define those values separately. Does anyone see an issue with this? It seems like it's really that one offending line.

Describe alternatives you've considered

I've tried to use the `oidc_additional_*` fields, but it appears that `oidc_additional_scope` cannot be overwritten:

couldn't generate OIDC token for login: oauth2: cannot overwrite parameter "scope"

Affected area

  • [ ] Docs
  • [ ] Installation
  • [ ] Performance and Scalability
  • [X] Security
  • [ ] User Experience
  • [ ] Test and Release
  • [ ] Developer Infrastructure
  • [ ] Client Plugin
  • [ ] Server Plugin
  • [ ] Extensions
  • [ ] Others
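The two error messages in this report come from the same root cause: the token request puts one configured value into the wrong parameter. The Go snippet below is an added example written for this page; it is not frp's code and not from anyone in the thread. It uses only the standard library, and the `OIDCClientConfig` type, the `BuildLegacyTokenRequest`/`BuildTokenRequest` functions and the sample URLs are assumptions for illustration. The legacy builder reproduces the described behaviour (audience copied into `scope`, no `audience` parameter); the second builder keeps `scope` (RFC 6749 section 3.3, space-delimited) and `audience` (an Auth0 extension, not part of RFC 6749) apart and, like golang.org/x/oauth2, refuses an extra parameter that would overwrite `scope` rather than silently letting it through.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// OIDCClientConfig is a hypothetical config shape for this example only; it is
// not frp's real ClientConfig. Scope and audience are separate settings.
type OIDCClientConfig struct {
	TokenEndpointURL string
	Scopes           []string          // sent as "scope" (RFC 6749 section 3.3)
	Audience         string            // sent as "audience" (Auth0 extension)
	AdditionalParams map[string]string // analogous to frpc's oidc_additional_* settings
}

// reservedParams are owned by the builder. An attempt to supply one of them via
// AdditionalParams is rejected instead of overwriting the builder's value.
var reservedParams = map[string]bool{
	"grant_type": true,
	"scope":      true,
}

// BuildLegacyTokenRequest reproduces the behaviour described in the issue: the
// configured audience is placed in "scope" and no "audience" parameter is sent.
// Against Auth0 this is what produces "Client has not been granted scopes <aud>",
// because the audience URL is not a registered scope.
func BuildLegacyTokenRequest(cfg OIDCClientConfig) url.Values {
	v := url.Values{}
	v.Set("grant_type", "client_credentials")
	if cfg.Audience != "" {
		v.Set("scope", cfg.Audience)
	}
	return v
}

// BuildTokenRequest builds a client_credentials token request body with scope
// and audience kept separate.
func BuildTokenRequest(cfg OIDCClientConfig) (url.Values, error) {
	v := url.Values{}
	v.Set("grant_type", "client_credentials")
	if len(cfg.Scopes) > 0 {
		// scope is one space-delimited string, not a repeated parameter.
		v.Set("scope", strings.Join(cfg.Scopes, " "))
	}
	if cfg.Audience != "" {
		v.Set("audience", cfg.Audience)
	}
	// Sorted iteration keeps the body and any error deterministic.
	keys := make([]string, 0, len(cfg.AdditionalParams))
	for k := range cfg.AdditionalParams {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		if reservedParams[k] {
			return nil, fmt.Errorf("cannot overwrite parameter %q", k)
		}
		v.Set(k, cfg.AdditionalParams[k])
	}
	return v, nil
}

func main() {
	// Constructed example values; not a real tenant.
	cfg := OIDCClientConfig{
		TokenEndpointURL: "https://issuer.example/oauth/token",
		Scopes:           []string{"users:read"},
		Audience:         "https://api.example/",
	}
	fmt.Println("legacy:  ", BuildLegacyTokenRequest(cfg).Encode())
	v, err := BuildTokenRequest(cfg)
	fmt.Println("separate:", v.Encode(), err)

	// Trying to smuggle "scope" in as an additional parameter is rejected.
	cfg.AdditionalParams = map[string]string{"scope": "openid"}
	_, err = BuildTokenRequest(cfg)
	fmt.Println("override:", err)
}
```

Running `main` prints the legacy body with `scope=https%3A%2F%2Fapi.example%2F` and no audience, the corrected body with `audience=...` and `scope=users%3Aread` as two parameters, and the overwrite error for the extra `scope` parameter.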

@fatedier commented on GitHub (Nov 18, 2022):

cc @blizard863


@blizard863 commented on GitHub (Nov 20, 2022):

When I test with the Auth0 service, the client OidcAudience field must be set empty. You can have a try.

I tested with the Auth0 and Authing services. The following configs all pass.

auth0

# frpc.ini
authentication_method = oidc
oidc_client_id = pEtG3mpBQ7******2i3KqoBOJ
oidc_client_secret = F3492WS5pG7w5F49I74Tq7c******LDvF3o6UOe
; should be empty
oidc_audience = ""
oidc_token_endpoint_url = https://dev-***.us.auth0.com/oauth/token


# frps.ini
authentication_method = oidc
oidc_issuer = https://dev-***.us.auth0.com/
oidc_audience = https://dev-***.us.auth0.com/api/v2/

authing

frpc

authentication_method = oidc
oidc_client_id = 6211e411e******a41819
oidc_client_secret = e71227a1dff04******5cb92fd8
; this config cannot be empty, but can be anything
oidc_audience = foobar
oidc_token_endpoint_url = https://****.authing.cn/oidc/token


frps

authentication_method = oidc
oidc_issuer = https://****.authing.cn/oidc
; oidc_audience = ""   ; this config is useless here

I also think using the audience value as scopes is confusing. In the OIDC spec, scope is an open field to be set, and there is no audience field.

https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims.

[two screenshots: the OIDC Core StandardClaims section and RFC 6749]

https://www.rfc-editor.org/rfc/rfc6749

I think the proper config is:

oidc_audience -> oidc_scopes


@blizard863 commented on GitHub (Nov 20, 2022):

And on the OIDC official website, scopes and audience are separate, not equal.
[screenshot: openidconnect.net showing separate scope and audience fields]

https://openidconnect.net/


So a scopes argument needs to be defined, rather than just reusing the audience.


@mattfeury commented on GitHub (Nov 21, 2022):

> When I test with the Auth0 service, the client OidcAudience field must be set empty. You can have a try.
>
> I tested with the Auth0 and Authing services. The following configs all pass.
>
> auth0
>
> # frpc.ini
> authentication_method = oidc
> oidc_client_id = pEtG3mpBQ7******2i3KqoBOJ
> oidc_client_secret = F3492WS5pG7w5F49I74Tq7c******LDvF3o6UOe
> ; should be empty
> oidc_audience = ""
> oidc_token_endpoint_url = https://dev-***.us.auth0.com/oauth/token
>
> # frps.ini
> authentication_method = oidc
> oidc_issuer = https://dev-***.us.auth0.com/
> oidc_audience = https://dev-***.us.auth0.com/api/v2/

When I attempt this, I get:

couldn't generate OIDC token for login: oauth2: cannot fetch token: 403 Forbidden
Response: {"error":"access_denied","error_description":"No audience parameter was provided, and no default audience has been configured"}

But regardless, it sounds like, based on your second comment, that we agree we need to allow a scopes argument.


@blizard863 commented on GitHub (Nov 23, 2022):

Yes, I will test it again and refine the arguments.


@mattfeury commented on GitHub (Nov 29, 2022):

> Yes, I will test it again and refine the arguments.

Made a PR here! https://github.com/fatedier/frp/pull/3192
Feel free to let me know what you think or tweak as desired.

Reference: github-starred/frp#2550