@schnell18
Summary

This PR adds client-side accessor functions to programmatically retrieve required OAuth2 scopes and roles for operations, enabling proper token exchange flows with downstream APIs.

Problem

Currently, ogen generates server-side code with scope/role information, but client-side code has no way to programmatically determine which scopes are required for operations. This prevents clients from:

  1. Requesting JWT tokens with the correct scope and audience when calling protected operations
  2. Implementing proper OAuth2 token exchange flows (RFC 8693)
  3. Building secure microservice architectures with scope-aware token management

Solution

Generate public accessor functions and private scope/role maps for client code, mirroring the server-side pattern:

For OAuth2 Security:

  • GetOAuth2ScopesFor{SecurityName}(operation string) []string
  • Private map: oauth2Scopes{SecurityName}

For Other Security (Bearer, Basic, etc.):

  • GetRolesFor{SecurityName}(operation string) []string
  • Private map: operationRoles{SecurityName}

When client and server code generation are enabled at the same time, the client will reuse the private map generated for the server.

Generate public accessor functions and private scope/role maps for client code,
enabling programmatic lookup of required scopes/roles for operations.

This is useful for token exchange scenarios where clients need to know which
OAuth2 scopes or roles to request when obtaining tokens for downstream API calls.

Changes:
- Added GetOAuth2ScopesFor{SecurityName}(operation) accessor functions
- Added GetRolesFor{SecurityName}(operation) accessor functions for non-OAuth2 security
- Generated private scope/role maps mirroring server-side pattern
- Defensive copying prevents external modification of scope data
- Returns nil for unknown operations instead of panicking

This enhancement maintains backward compatibility and follows the same
pattern as server-side scope handling.

Signed-off-by: Justin Zhang <schnell18@gmail.com>
@schnell18 force-pushed the feat/client_scope_accessor branch from 33faa0a to 3b44527 on December 25, 2025 04:59
Signed-off-by: Justin Zhang <schnell18@gmail.com>
@schnell18 force-pushed the feat/client_scope_accessor branch from 3b44527 to 4ba5808 on December 25, 2025 04:59
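
The following is an added example, not code from this PR or from ogen's generated output. It sketches how a caller could use an accessor of the described shape to build an RFC 8693 token exchange request that asks only for the scopes an operation needs. The security name `Petstore`, the operation names, the scope strings, the audience URL and the `TokenExchangeForm` helper are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample data: hypothetical operations and scopes for a
// security scheme assumed to be named "Petstore".
var oauth2ScopesPetstore = map[string][]string{
	"AddPet":     {"pets:write"},
	"GetPetByID": {"pets:read"},
	"DeletePet":  {"pets:write", "pets:admin"},
}

// GetOAuth2ScopesForPetstore follows the accessor shape named in the PR:
// it returns a defensive copy, and nil for an unknown operation.
func GetOAuth2ScopesForPetstore(operation string) []string {
	scopes, ok := oauth2ScopesPetstore[operation]
	if !ok {
		return nil
	}
	out := make([]string, len(scopes))
	copy(out, scopes) // caller edits must not reach the shared map
	return out
}

// TokenExchangeForm (hypothetical helper) builds the RFC 8693 request body,
// refusing to proceed when the operation has no known scope entry.
func TokenExchangeForm(subjectToken, audience, operation string) (url.Values, error) {
	scopes := GetOAuth2ScopesForPetstore(operation)
	if scopes == nil {
		return nil, fmt.Errorf("no scope entry for operation %q", operation)
	}
	form := url.Values{}
	form.Set("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange")
	form.Set("subject_token", subjectToken)
	form.Set("subject_token_type", "urn:ietf:params:oauth:token-type:access_token")
	form.Set("audience", audience)
	form.Set("scope", strings.Join(scopes, " ")) // space-delimited scope list
	return form, nil
}

func main() {
	form, err := TokenExchangeForm("constructed-subject-token", "https://pets.example", "DeletePet")
	fmt.Println(form.Encode(), err)
}
```

Treating the nil return as an error keeps a mistyped operation name from silently producing a token request with an empty scope list.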