Handle scope field as string or array in DynamicClientRegistrationResponse (#2083)

amirejaz · web-flow · commit f067a0b6af3b · 2025-10-03T17:57:22.000+01:00
* support both string and array formats for scope in DynamicClientRegistrationResponse

* fix linting issues

* added tests for scopeList unmarshal

* adds parallel in tests

* fixed tests to use assert instead of reflect
diff --git a/pkg/auth/oauth/dynamic_registration.go b/pkg/auth/oauth/dynamic_registration.go
@@ -57,6 +57,60 @@ func NewDynamicClientRegistrationRequest(scopes []string, callbackPort int) *Dyn
 	return registrationRequest
 }
 
+// ScopeList represents the "scope" field in a dynamic client registration response.
+// Some servers return this as a space-delimited string per RFC 7591, while others
+// return it as a JSON array of strings. This type normalizes both into a []string.
+//
+// Examples of supported inputs:
+//
+//	"openid profile email"        → []string{"openid", "profile", "email"}
+//	["openid","profile","email"]  → []string{"openid", "profile", "email"}
+//	null                          → nil
+//	"" or ["", "  "]              → nil
+type ScopeList []string
+
+// UnmarshalJSON implements custom decoding for ScopeList. It supports both
+// string and array encodings of the "scope" field, trimming whitespace and
+// normalizing empty values to nil for consistent semantics.
+func (s *ScopeList) UnmarshalJSON(data []byte) error {
+	// Handle explicit null
+	if strings.TrimSpace(string(data)) == "null" {
+		*s = nil
+		return nil
+	}
+
+	// Case 1: space-delimited string
+	var str string
+	if err := json.Unmarshal(data, &str); err == nil {
+		if strings.TrimSpace(str) == "" {
+			*s = nil
+			return nil
+		}
+		*s = strings.Fields(str)
+		return nil
+	}
+
+	// Case 2: JSON array
+	var arr []string
+	if err := json.Unmarshal(data, &arr); err == nil {
+		cleaned := make([]string, 0, len(arr))
+		for _, v := range arr {
+			if v = strings.TrimSpace(v); v != "" {
+				cleaned = append(cleaned, v)
+			}
+		}
+		// Normalize: treat all-empty/whitespace arrays the same as ""
+		if len(cleaned) == 0 {
+			*s = nil
+		} else {
+			*s = cleaned
+		}
+		return nil
+	}
+
+	return fmt.Errorf("invalid scope format: %s", string(data))
+}
+
 // DynamicClientRegistrationResponse represents the response from dynamic client registration (RFC 7591)
 type DynamicClientRegistrationResponse struct {
 	// Required fields
@@ -70,12 +124,12 @@ type DynamicClientRegistrationResponse struct {
 	RegistrationClientURI   string `json:"registration_client_uri,omitempty"`
 
 	// Echo back the essential request fields
-	ClientName              string   `json:"client_name,omitempty"`
-	RedirectURIs            []string `json:"redirect_uris,omitempty"`
-	TokenEndpointAuthMethod string   `json:"token_endpoint_auth_method,omitempty"`
-	GrantTypes              []string `json:"grant_types,omitempty"`
-	ResponseTypes           []string `json:"response_types,omitempty"`
-	Scopes                  []string `json:"scope,omitempty"`
+	ClientName              string    `json:"client_name,omitempty"`
+	RedirectURIs            []string  `json:"redirect_uris,omitempty"`
+	TokenEndpointAuthMethod string    `json:"token_endpoint_auth_method,omitempty"`
+	GrantTypes              []string  `json:"grant_types,omitempty"`
+	ResponseTypes           []string  `json:"response_types,omitempty"`
+	Scopes                  ScopeList `json:"scope,omitempty"`
 }
 
 // RegisterClientDynamically performs dynamic client registration (RFC 7591)
diff --git a/pkg/auth/oauth/dynamic_registration_test.go b/pkg/auth/oauth/dynamic_registration_test.go
@@ -364,3 +364,79 @@ func TestDynamicClientRegistrationResponse_Validation(t *testing.T) {
 }
 
 // TestIsLocalhost is already defined in oidc_test.go
+
+// TestScopeList_UnmarshalJSON tests that the ScopeList unmarshaling works correctly.
+func TestScopeList_UnmarshalJSON(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name    string
+		jsonIn  string
+		want    []string
+		wantErr bool
+	}{
+		{
+			name:   "space-delimited string",
+			jsonIn: `"openid profile email"`,
+			want:   []string{"openid", "profile", "email"},
+		},
+		{
+			name:   "empty string => nil",
+			jsonIn: `""`,
+			want:   nil,
+		},
+		{
+			name:   "string with extra spaces",
+			jsonIn: `"  openid   profile  "`,
+			want:   []string{"openid", "profile"},
+		},
+		{
+			name:   "normal array",
+			jsonIn: `["openid","profile","email"]`,
+			want:   []string{"openid", "profile", "email"},
+		},
+		{
+			name:   "array with whitespace and empties",
+			jsonIn: `["  openid  ",""," profile "]`,
+			want:   []string{"openid", "profile"},
+		},
+		{
+			name:   "all-empty array => nil",
+			jsonIn: `["","  "]`,
+			want:   nil,
+		},
+		{
+			name:   "explicit null => nil",
+			jsonIn: `null`,
+			want:   nil,
+		},
+		{
+			name:    "invalid type (number)",
+			jsonIn:  `123`,
+			wantErr: true,
+		},
+		{
+			name:    "invalid type (object)",
+			jsonIn:  `{"not":"valid"}`,
+			wantErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		tt := tt // capture loop variable
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			var s ScopeList
+			err := json.Unmarshal([]byte(tt.jsonIn), &s)
+
+			if tt.wantErr {
+				assert.Error(t, err, "expected error but got none")
+				return
+			}
+
+			assert.NoError(t, err, "unexpected unmarshal error")
+			assert.Equal(t, tt.want, []string(s))
+		})
+	}
+}
