Rename the "pinniped.sts.unrestricted" scope to "pinniped:request-audience".

This is a bit clearer. We're changing this now because it is a non-backwards-compatible change, and we can still make it since none of this RFC8693 token exchange stuff has been released yet.

There is also a small typo fix in some flag usages (s/RF8693/RFC8693/)

Signed-off-by: Matt Moyer <moyerm@vmware.com>
Matt Moyer
2020-12-15 21:59:57 -06:00
parent 05127f4cfb
commit 8527c363bb
12 changed files with 38 additions and 38 deletions


@@ -133,7 +133,7 @@ func TestSupervisorLogin(t *testing.T) {
ClientID: "pinniped-cli",
Endpoint: discovery.Endpoint(),
RedirectURL: localCallbackServer.URL,
Scopes: []string{"openid", "pinniped.sts.unrestricted", "offline_access"},
Scopes: []string{"openid", "pinniped:request-audience", "offline_access"},
}
// Build a valid downstream authorize URL for the supervisor.
@@ -175,7 +175,7 @@ func TestSupervisorLogin(t *testing.T) {
callback := localCallbackServer.waitForCallback(10 * time.Second)
t.Logf("got callback request: %s", library.MaskTokens(callback.URL.String()))
require.Equal(t, stateParam.String(), callback.URL.Query().Get("state"))
require.ElementsMatch(t, []string{"openid", "pinniped.sts.unrestricted", "offline_access"}, strings.Split(callback.URL.Query().Get("scope"), " "))
require.ElementsMatch(t, []string{"openid", "pinniped:request-audience", "offline_access"}, strings.Split(callback.URL.Query().Get("scope"), " "))
authcode := callback.URL.Query().Get("code")
require.NotEmpty(t, authcode)
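Review bot: The scope name is repeated as a bare string literal in TestSupervisorLogin, once in the `Scopes` list of the client config and again in the `require.ElementsMatch` expectation, so any later rename has to touch every copy by hand. Going by the commit message, this scope appears to gate the RFC8693 token exchange, so a copy that is missed or mistyped would only surface at run time as a scope that is not granted. A single shared constant referenced from both places, for example `const requestAudienceScope = "pinniped:request-audience"` (the name is only a suggestion), would let the compiler catch that. Whether such a constant already exists elsewhere in the project is not visible from this page. Both hunks sit inside TestSupervisorLogin, whose body starts and ends outside them.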