From 64d247cfeb924e0843e6173f2ac969a42ba64212 Mon Sep 17 00:00:00 2001
From: Caleb Doxsey
Date: Wed, 17 Feb 2021 08:51:13 -0700
Subject: [PATCH] onelogin: fix default scopes for v2 (#1896)

---
 internal/identity/oidc/onelogin/onelogin.go | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/internal/identity/oidc/onelogin/onelogin.go b/internal/identity/oidc/onelogin/onelogin.go
index e2552c61e..3b79c12e6 100644
--- a/internal/identity/oidc/onelogin/onelogin.go
+++ b/internal/identity/oidc/onelogin/onelogin.go
@@ -6,6 +6,7 @@ package onelogin
 import (
 	"context"
 	"fmt"
+	"strings"
 
 	oidc "github.com/coreos/go-oidc/v3/oidc"
 
@@ -20,7 +21,10 @@ const (
 	defaultProviderURL = "https://openid-connect.onelogin.com/oidc"
 )
 
-var defaultScopes = []string{oidc.ScopeOpenID, "profile", "email", "groups", "offline_access"}
+var (
+	defaultV1Scopes = []string{oidc.ScopeOpenID, "profile", "email", "groups", "offline_access"}
+	defaultV2Scopes = []string{oidc.ScopeOpenID, "profile", "email", "groups"} // v2 does not support offline_access
+)
 
 // Provider is an OneLogin implementation of the Authenticator interface.
 type Provider struct {
@@ -34,8 +38,10 @@ func New(ctx context.Context, o *oauth.Options) (*Provider, error) {
 	if o.ProviderURL == "" {
 		o.ProviderURL = defaultProviderURL
 	}
-	if len(o.Scopes) == 0 {
-		o.Scopes = defaultScopes
+	if strings.Contains(o.ProviderURL, "/oidc/2") {
+		o.Scopes = defaultV2Scopes
+	} else {
+		o.Scopes = defaultV1Scopes
 	}
 	genericOidc, err := pom_oidc.New(ctx, o)
 	if err != nil {
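Review bot: The rewritten branch in New assigns o.Scopes unconditionally, so the `len(o.Scopes) == 0` guard the hunk removes is gone and any scopes an operator configured explicitly are silently replaced by the defaults; since the commit title calls these default scopes, that looks unintended. Scopes decide which claims and token types are requested (for v1, `offline_access` requests a refresh token), so overriding an explicit configuration changes the authorization footprint with no signal to the operator. Restoring the guard around the new if/else, `if len(o.Scopes) == 0 {` before the version check and a closing `}` after it, keeps the v1/v2 selection while respecting configured scopes. Separately, `strings.Contains(o.ProviderURL, "/oidc/2")` matches the substring anywhere in the URL, including a query string or a longer path; if the v2 issuer is always at a `/oidc/2` path, a check on the parsed URL path such as `strings.HasSuffix(strings.TrimRight(u.Path, "/"), "/oidc/2")` would be less error-prone. The body of New continues outside the hunk.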