diff --git a/java/google/registry/config/RegistryConfig.java b/java/google/registry/config/RegistryConfig.java
index 2a17ca4ab..dd40397ee 100644
--- a/java/google/registry/config/RegistryConfig.java
+++ b/java/google/registry/config/RegistryConfig.java
@@ -925,7 +925,7 @@ public final class RegistryConfig {
}
/**
- * Provides the OAuth scopes to check for on access tokens.
+ * Provides the OAuth scopes to check for access tokens.
*
*
This list should be a superset of the required OAuth scope set provided below.
*
@@ -933,14 +933,14 @@ public final class RegistryConfig {
* API, which requires at least one of:
*
*
- * - https://www.googleapis.com/auth/appengine.apis
- * - https://www.googleapis.com/auth/cloud-platform
+ * - https://www.googleapis.com/auth/appengine.apis
+ *
- https://www.googleapis.com/auth/cloud-platform
*
*/
@Provides
@Config("availableOauthScopes")
- public static ImmutableSet provideAvailableOauthScopes() {
- return ImmutableSet.of("https://www.googleapis.com/auth/userinfo.email");
+ public static ImmutableSet provideAvailableOauthScopes(RegistryConfigSettings config) {
+ return ImmutableSet.copyOf(config.oAuth.availableOauthScopes);
}
/**
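Review bot: Once both scope sets come from `config.oAuth`, the "superset of the required OAuth scope set" relationship that the javadoc states is no longer guaranteed by code, only by whoever edits the YAML; the same applies to `provideRequiredOauthScopes` in the next hunk. A misconfiguration where a required scope is missing from the available set would presumably make every token fail the scope check, so it is better to fail at startup with a clear message than at request time. Since Guava is already on the classpath for `ImmutableSet`, one line in `provideRequiredOauthScopes` covers it: `Preconditions.checkArgument(config.oAuth.availableOauthScopes.containsAll(config.oAuth.requiredOauthScopes), "requiredOauthScopes must be a subset of availableOauthScopes");`. The method signatures render here without a type argument; if `<String>` was not simply lost in rendering, the providers should declare `ImmutableSet<String>` to match what `copyOf` returns. The javadoc for the required-scopes provider starts in this hunk and continues into the next.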
@@ -951,15 +951,15 @@ public final class RegistryConfig {
*/
@Provides
@Config("requiredOauthScopes")
- public static ImmutableSet provideRequiredOauthScopes() {
- return ImmutableSet.of("https://www.googleapis.com/auth/userinfo.email");
+ public static ImmutableSet provideRequiredOauthScopes(RegistryConfigSettings config) {
+ return ImmutableSet.copyOf(config.oAuth.requiredOauthScopes);
}
/** Provides the allowed OAuth client IDs (could be multibinding). */
@Provides
@Config("allowedOauthClientIds")
- public static ImmutableSet provideAllowedOauthClientIds() {
- return ImmutableSet.of("PUT.YOUR.PROXY.CLIENT.ID.HERE", "PUT.YOUR.REGTOOL.CLIENT.ID.HERE");
+ public static ImmutableSet provideAllowedOauthClientIds(RegistryConfigSettings config) {
+ return ImmutableSet.copyOf(config.oAuth.allowedOauthClientIds);
}
/**
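Review bot: `provideAllowedOauthClientIds` now returns whatever `config.oAuth.allowedOauthClientIds` holds, and the default in this commit's YAML is an empty list, whereas the old code returned two placeholder IDs. If the consumer of this set rejects any client ID not in it (the consumer is not visible here), the empty default means no OAuth client can authenticate until each environment overrides the list, which is a safe default but a silent one. The javadoc should say so, e.g. `/** Provides the allowed OAuth client IDs. An empty set means no OAuth client is accepted; every environment config is expected to override this. */`. `config.oAuth` is also dereferenced unconditionally in all three providers; if the `oAuth` block can be absent from an environment's settings file, these will fail with a bare NullPointerException rather than a message naming the missing section.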
diff --git a/java/google/registry/config/RegistryConfigSettings.java b/java/google/registry/config/RegistryConfigSettings.java
index 54f1eb7f5..b91336f80 100644
--- a/java/google/registry/config/RegistryConfigSettings.java
+++ b/java/google/registry/config/RegistryConfigSettings.java
@@ -22,6 +22,7 @@ public class RegistryConfigSettings {
public AppEngine appEngine;
public GSuite gSuite;
+ public OAuth oAuth;
public RegistryPolicy registryPolicy;
public Datastore datastore;
public Caching caching;
@@ -46,6 +47,13 @@ public class RegistryConfigSettings {
}
}
+ /** Configuration options for OAuth settings. */
+ public static class OAuth {
+ public List availableOauthScopes;
+ public List requiredOauthScopes;
+ public List allowedOauthClientIds;
+ }
+
/** Configuration options for the G Suite account used by Nomulus. */
public static class GSuite {
public String domainName;
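Review bot: The new `OAuth` settings class carries no description of how its three lists relate, even though the providers and the YAML comments both rely on `availableOauthScopes` containing `requiredOauthScopes` and on `allowedOauthClientIds` being the authorization boundary for backend calls. A short class-level comment would keep that contract next to the fields: `/** Configuration options for OAuth settings. availableOauthScopes must be a superset of requiredOauthScopes; allowedOauthClientIds are the only client IDs accepted by backend services. */`. The fields render as raw `List` here; if the type argument was not dropped in rendering, they should be `List<String>` so that `ImmutableSet.copyOf` in RegistryConfig yields a typed set.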
diff --git a/java/google/registry/config/files/default-config.yaml b/java/google/registry/config/files/default-config.yaml
index 07b71764f..26bf09bef 100644
--- a/java/google/registry/config/files/default-config.yaml
+++ b/java/google/registry/config/files/default-config.yaml
@@ -123,6 +123,19 @@ caching:
# premium price entries that exist.
staticPremiumListMaxCachedEntries: 200000
+oAuth:
+ # OAuth scopes to check for access tokens. Superset of requiredOauthScopes.
+ availableOauthScopes:
+ - https://www.googleapis.com/auth/userinfo.email
+
+ # OAuth scopes required for authenticating. Subset of availableOauthScopes.
+ requiredOauthScopes:
+ - https://www.googleapis.com/auth/userinfo.email
+
+ # OAuth client Ids that are allowed to authenticate and communicate with
+ # backend services, e. g. nomulus tool, EPP proxy, etc.
+ allowedOauthClientIds: []
+
rde:
# URL prefix of ICANN's server to upload RDE reports to. Nomulus adds /TLD/ID
# to the end of this to construct the full URL.
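Review bot: The comment above `allowedOauthClientIds: []` does not tell an operator that the empty default replaces the placeholder IDs previously hard-coded in RegistryConfig, nor what an empty list means for authentication of the nomulus tool and EPP proxy it names. Suggested wording: `# OAuth client IDs that are allowed to authenticate and communicate with backend services, e.g. nomulus tool, EPP proxy, etc. The default is empty, so these clients cannot authenticate until each environment's config lists its own IDs.` The same comment has `e. g.`, which should be `e.g.`. The superset/subset statements on `availableOauthScopes` and `requiredOauthScopes` are not enforced anywhere in this commit, so the comments are currently the only guard against a required scope that is never checked.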