@@ -22037,6 +22037,63 @@

        "type": "string"

       },

       "description": "RedirectURIs is the valid redirection URIs associated with a client"

+     },

+     "scopeRestrictions": {

+      "type": "array",

+      "items": {

+       "$ref": "v1.ScopeRestriction"

+      },

+      "description": "ScopeRestrictions describes which scopes this client can request.  Each requested scope is checked against each restriction.  If any restriction matches, then the scope is allowed. If no restriction matches, then the scope is denied."

+     },

+     "allowAnyScope": {

+      "type": "boolean",

+      "description": "AllowAnyScope indicates that the client is allowed to request a token unconstrained by scopes. If this is true, then ScopeRestrictions is ignored."

+     }

+    }

+   },

+   "v1.ScopeRestriction": {

+    "id": "v1.ScopeRestriction",

+    "description": "ScopeRestriction describe one restriction on scopes.  Exactly one option must be non-nil.",

+    "properties": {

+     "literals": {

+      "type": "array",

+      "items": {

+       "type": "string"

+      },

+      "description": "ExactValues means the scope has to match a particular set of strings exactly"

+     },

+     "clusterRole": {

+      "$ref": "v1.ClusterRoleScopeRestriction",

+      "description": "ClusterRole describes a set of restrictions for cluster role scoping."

+     }

+    }

+   },

+   "v1.ClusterRoleScopeRestriction": {

+    "id": "v1.ClusterRoleScopeRestriction",

+    "description": "ClusterRoleScopeRestriction describes restrictions on cluster role scopes",

+    "required": [

+     "roleNames",

+     "namespaces",

+     "allowEscalation"

+    ],

+    "properties": {

+     "roleNames": {

+      "type": "array",

+      "items": {

+       "type": "string"

+      },

+      "description": "RoleNames is the list of cluster roles that can referenced.  * means anything"

+     },

+     "namespaces": {

+      "type": "array",

+      "items": {

+       "type": "string"

+      },

+      "description": "Namespaces is the list of namespaces that can be referenced.  * means any of them (including *)"

+     },

+     "allowEscalation": {

+      "type": "boolean",

+      "description": "AllowEscalation indicates whether you can request roles and their escalating resources"

      }

     }

    },

@@ -14,6 +14,7 @@ import (

 	"github.com/golang/glog"

 	"github.com/openshift/origin/pkg/auth/authenticator"

 	"github.com/openshift/origin/pkg/auth/server/csrf"

+	scopeauthorizer "github.com/openshift/origin/pkg/authorization/authorizer/scope"

 	oapi "github.com/openshift/origin/pkg/oauth/api"

 	"github.com/openshift/origin/pkg/oauth/registry/oauthclient"

 	"github.com/openshift/origin/pkg/oauth/registry/oauthclientauthorization"

@@ -118,6 +119,12 @@ func (l *Grant) handleForm(user user.Info, w http.ResponseWriter, req *http.Requ

 		return

 	}

+	if err := scopeauthorizer.ValidateScopeRestrictions(client, scope.Split(scopes)...); err != nil {

+		failure := fmt.Sprintf("%v requested illegal scopes (%v): %v", client.Name, scopes, err)

+		l.failed(failure, w, req)

+		return

+	}

+

 	uri, err := getBaseURL(req)

 	if err != nil {

 		glog.Errorf("Unable to generate base URL: %v", err)

@@ -185,6 +192,11 @@ func (l *Grant) handleGrant(user user.Info, w http.ResponseWriter, req *http.Req

 		l.failed("Could not find client for client_id", w, req)

 		return

 	}

+	if err := scopeauthorizer.ValidateScopeRestrictions(client, scope.Split(scopes)...); err != nil {

+		failure := fmt.Sprintf("%v requested illegal scopes (%v): %v", client.Name, scopes, err)

+		l.failed(failure, w, req)

+		return

+	}

 	clientAuthID := l.authregistry.ClientAuthorizationName(user.GetName(), client.Name)

@@ -36,9 +36,13 @@ func badAuth(err error) *testAuth {

 	return &testAuth{Success: false, User: nil, Err: err}

 }

-func goodClientRegistry(clientID string, redirectURIs []string) *test.ClientRegistry {

-	client := &oapi.OAuthClient{ObjectMeta: kapi.ObjectMeta{Name: clientID}, Secret: "mysecret", RedirectURIs: redirectURIs}

+func goodClientRegistry(clientID string, redirectURIs []string, literalScopes []string, unrestrictedScopes bool) *test.ClientRegistry {

+	client := &oapi.OAuthClient{ObjectMeta: kapi.ObjectMeta{Name: clientID}, Secret: "mysecret", RedirectURIs: redirectURIs, AllowAnyScope: unrestrictedScopes}

 	client.Name = clientID

+	if len(literalScopes) > 0 {

+		client.ScopeRestrictions = []oapi.ScopeRestriction{{ExactValues: literalScopes}}

+	}

+

 	return &test.ClientRegistry{Client: client}

 }

 func badClientRegistry(err error) *test.ClientRegistry {

@@ -79,7 +83,7 @@ func TestGrant(t *testing.T) {

 		"display form": {

 			CSRF:           &csrf.FakeCSRF{Token: "test"},

 			Auth:           goodAuth("username"),

-			ClientRegistry: goodClientRegistry("myclient", []string{"myredirect"}),

+			ClientRegistry: goodClientRegistry("myclient", []string{"myredirect"}, []string{"myscope1", "myscope2"}, false),

 			AuthRegistry:   emptyAuthRegistry(),

 			Path:           "/grant?client_id=myclient&scopes=myscope1%20myscope2&redirect_uri=/myredirect&then=/authorize",

@@ -133,7 +137,7 @@ func TestGrant(t *testing.T) {

 		"error when POST fails CSRF": {

 			CSRF:           &csrf.FakeCSRF{Token: "test"},

 			Auth:           goodAuth("username"),

-			ClientRegistry: goodClientRegistry("myclient", []string{"myredirect"}),

+			ClientRegistry: goodClientRegistry("myclient", []string{"myredirect"}, []string{"myscope1", "myscope2"}, false),

 			AuthRegistry:   emptyAuthRegistry(),

 			Path:           "/grant",

 			PostValues: url.Values{

@@ -181,7 +185,7 @@ func TestGrant(t *testing.T) {

 		"successful create grant with redirect": {

 			CSRF:           &csrf.FakeCSRF{Token: "test"},

 			Auth:           goodAuth("username"),

-			ClientRegistry: goodClientRegistry("myclient", []string{"myredirect"}),

+			ClientRegistry: goodClientRegistry("myclient", []string{"myredirect"}, []string{"myscope1", "myscope2"}, false),

 			AuthRegistry:   emptyAuthRegistry(),

 			Path:           "/grant",

 			PostValues: url.Values{

@@ -201,7 +205,7 @@ func TestGrant(t *testing.T) {

 		"successful create grant without redirect": {

 			CSRF:           &csrf.FakeCSRF{Token: "test"},

 			Auth:           goodAuth("username"),

-			ClientRegistry: goodClientRegistry("myclient", []string{"myredirect"}),

+			ClientRegistry: goodClientRegistry("myclient", []string{"myredirect"}, []string{"myscope1", "myscope2"}, false),

 			AuthRegistry:   emptyAuthRegistry(),

 			Path:           "/grant",

 			PostValues: url.Values{

@@ -223,7 +227,7 @@ func TestGrant(t *testing.T) {

 		"successful update grant with identical scopes": {

 			CSRF:           &csrf.FakeCSRF{Token: "test"},

 			Auth:           goodAuth("username"),

-			ClientRegistry: goodClientRegistry("myclient", []string{"myredirect"}),

+			ClientRegistry: goodClientRegistry("myclient", []string{"myredirect"}, []string{"myscope1", "myscope2"}, false),

 			AuthRegistry:   existingAuthRegistry([]string{"myscope2", "myscope1"}),

 			Path:           "/grant",

 			PostValues: url.Values{

@@ -243,7 +247,7 @@ func TestGrant(t *testing.T) {

 		"successful update grant with additional scopes": {

 			CSRF:           &csrf.FakeCSRF{Token: "test"},

 			Auth:           goodAuth("username"),

-			ClientRegistry: goodClientRegistry("myclient", []string{"myredirect"}),

+			ClientRegistry: goodClientRegistry("myclient", []string{"myredirect"}, []string{"newscope1", "existingscope1", "existingscope2"}, false),

 			AuthRegistry:   existingAuthRegistry([]string{"existingscope2", "existingscope1"}),

 			Path:           "/grant",

 			PostValues: url.Values{

@@ -263,7 +267,7 @@ func TestGrant(t *testing.T) {

 		"successful reject grant": {

 			CSRF:           &csrf.FakeCSRF{Token: "test"},

 			Auth:           goodAuth("username"),

-			ClientRegistry: goodClientRegistry("myclient", []string{"myredirect"}),

+			ClientRegistry: goodClientRegistry("myclient", []string{"myredirect"}, []string{"myscope1", "myscope2"}, false),

 			AuthRegistry:   existingAuthRegistry([]string{"existingscope2", "existingscope1"}),

 			Path:           "/grant",

 			PostValues: url.Values{

@@ -12,6 +12,7 @@ import (

 	authorizationapi "github.com/openshift/origin/pkg/authorization/api"

 	"github.com/openshift/origin/pkg/authorization/rulevalidation"

+	oauthapi "github.com/openshift/origin/pkg/oauth/api"

 	userapi "github.com/openshift/origin/pkg/user/api"

 )

@@ -135,6 +136,8 @@ var escalatingScopeResources = []unversioned.GroupResource{

 // role:<clusterrole name>:<namespace to allow the cluster role, * means all>

 type clusterRoleEvaluator struct{}

+var clusterRoleEvaluatorInstance = clusterRoleEvaluator{}

+

 func (clusterRoleEvaluator) Handles(scope string) bool {

 	return strings.HasPrefix(scope, ClusterRoleIndicator)

 }

@@ -267,3 +270,102 @@ func getAPIGroupSet(rule authorizationapi.PolicyRule) sets.String {

 	return apiGroups

 }

+

+func ValidateScopeRestrictions(client *oauthapi.OAuthClient, scopes ...string) error {

+	if client.AllowAnyScope {

+		return nil

+	}

+	if len(scopes) == 0 {

+		return fmt.Errorf("%v may not request unscoped tokens", client.Name)

+	}

+

+	errs := []error{}

+	for _, scope := range scopes {

+		if err := validateScopeRestrictions(client, scope); err != nil {

+			errs = append(errs, err)

+		}

+	}

+

+	return kutilerrors.NewAggregate(errs)

+}

+

+func validateScopeRestrictions(client *oauthapi.OAuthClient, scope string) error {

+	errs := []error{}

+

+	if client.AllowAnyScope {

+		return nil

+	}

+

+	for _, restriction := range client.ScopeRestrictions {

+		if len(restriction.ExactValues) > 0 {

+			if err := ValidateLiteralScopeRestrictions(scope, restriction.ExactValues); err != nil {

+				errs = append(errs, err)

+				continue

+			}

+			return nil

+		}

+

+		if restriction.ClusterRole != nil {

+			if !clusterRoleEvaluatorInstance.Handles(scope) {

+				continue

+			}

+			if err := ValidateClusterRoleScopeRestrictions(scope, *restriction.ClusterRole); err != nil {

+				errs = append(errs, err)

+				continue

+			}

+			return nil

+		}

+	}

+

+	// if we got here, then nothing matched.   If we already have errors, do nothing, otherwise add one to make it report failed.

+	if len(errs) == 0 {

+		errs = append(errs, fmt.Errorf("%v did not match any scope restriction", scope))

+	}

+

+	return kutilerrors.NewAggregate(errs)

+}

+

+func ValidateLiteralScopeRestrictions(scope string, literals []string) error {

+	for _, literal := range literals {

+		if literal == scope {

+			return nil

+		}

+	}

+

+	return fmt.Errorf("%v not found in %v", scope, literals)

+}

+

+func ValidateClusterRoleScopeRestrictions(scope string, restriction oauthapi.ClusterRoleScopeRestriction) error {

+	role, namespace, escalating, err := clusterRoleEvaluatorInstance.parseScope(scope)

+	if err != nil {

+		return err

+	}

+

+	foundName := false

+	for _, restrictedRoleName := range restriction.RoleNames {

+		if restrictedRoleName == "*" || restrictedRoleName == role {

+			foundName = true

+			break

+		}

+	}

+	if !foundName {

+		return fmt.Errorf("%v does not use an approved name", scope)

+	}

+

+	foundNamespace := false

+	for _, restrictedNamespace := range restriction.Namespaces {

+		if restrictedNamespace == "*" || restrictedNamespace == namespace {

+			foundNamespace = true

+			break

+		}

+	}

+	if !foundNamespace {

+		return fmt.Errorf("%v does not use an approved namespace", scope)

+	}

+

+	if escalating && !restriction.AllowEscalation {

+		return fmt.Errorf("%v is not allowed to escalate", scope)

+	}

+

+	return nil

+}

new file mode 100644

@@ -0,0 +1,158 @@

+package scope

+

+import (

+	"strings"

+	"testing"

+

+	oauthapi "github.com/openshift/origin/pkg/oauth/api"

+)

+

+func TestValidateScopeRestrictions(t *testing.T) {

+	testCases := []struct {

+		name   string

+		scopes []string

+		client *oauthapi.OAuthClient

+

+		expectedErrors []string

+	}{

+		{

+			name:   "unrestricted allows any",

+			scopes: []string{"one"},

+			client: &oauthapi.OAuthClient{AllowAnyScope: true},

+		},

+		{

+			name:   "unrestricted allows empty",

+			scopes: []string{""},

+			client: &oauthapi.OAuthClient{AllowAnyScope: true},

+		},

+		{

+			name:   "unrestricted allows none",

+			scopes: []string{},

+			client: &oauthapi.OAuthClient{AllowAnyScope: true},

+		},

+		{

+			name:           "no restrictions denies any",

+			scopes:         []string{"one"},

+			client:         &oauthapi.OAuthClient{},

+			expectedErrors: []string{`one did not match any scope restriction`},

+		},

+		{

+			name:           "no restrictions denies empty",

+			scopes:         []string{""},

+			client:         &oauthapi.OAuthClient{},

+			expectedErrors: []string{`did not match any scope restriction`},

+		},

+		{

+			name:           "no restrictions denies none",

+			scopes:         []string{},

+			client:         &oauthapi.OAuthClient{},

+			expectedErrors: []string{`may not request unscoped tokens`},

+		},

+		{

+			name:   "simple literal",

+			scopes: []string{"one"},

+			client: &oauthapi.OAuthClient{

+				ScopeRestrictions: []oauthapi.ScopeRestriction{{ExactValues: []string{"two", "one"}}},

+			},

+		},

+		{

+			name:   "simple must match",

+			scopes: []string{"missing"},

+			client: &oauthapi.OAuthClient{

+				ScopeRestrictions: []oauthapi.ScopeRestriction{{ExactValues: []string{"two", "one"}}},

+			},

+			expectedErrors: []string{`missing not found in [two one]`},

+		},

+		{

+			name:   "cluster role name must match",

+			scopes: []string{ClusterRoleIndicator + "three:alfa"},

+			client: &oauthapi.OAuthClient{

+				ScopeRestrictions: []oauthapi.ScopeRestriction{{ClusterRole: &oauthapi.ClusterRoleScopeRestriction{

+					RoleNames:       []string{"one", "two"},

+					Namespaces:      []string{"alfa", "bravo"},

+					AllowEscalation: false,

+				}}},

+			},

+			expectedErrors: []string{`role:three:alfa does not use an approved name`},

+		},

+		{

+			name:   "cluster role namespace must match",

+			scopes: []string{ClusterRoleIndicator + "two:charlie"},

+			client: &oauthapi.OAuthClient{

+				ScopeRestrictions: []oauthapi.ScopeRestriction{{ClusterRole: &oauthapi.ClusterRoleScopeRestriction{

+					RoleNames:       []string{"one", "two"},

+					Namespaces:      []string{"alfa", "bravo"},

+					AllowEscalation: false,

+				}}},

+			},

+			expectedErrors: []string{`role:two:charlie does not use an approved namespace`},

+		},

+		{

+			name:   "cluster role escalation must match",

+			scopes: []string{ClusterRoleIndicator + "two:bravo:!"},

+			client: &oauthapi.OAuthClient{

+				ScopeRestrictions: []oauthapi.ScopeRestriction{{ClusterRole: &oauthapi.ClusterRoleScopeRestriction{

+					RoleNames:       []string{"one", "two"},

+					Namespaces:      []string{"alfa", "bravo"},

+					AllowEscalation: false,

+				}}},

+			},

+			expectedErrors: []string{`role:two:bravo:! is not allowed to escalate`},

+		},

+		{

+			name:   "cluster role matches",

+			scopes: []string{ClusterRoleIndicator + "two:bravo:!"},

+			client: &oauthapi.OAuthClient{

+				ScopeRestrictions: []oauthapi.ScopeRestriction{{ClusterRole: &oauthapi.ClusterRoleScopeRestriction{

+					RoleNames:       []string{"one", "two"},

+					Namespaces:      []string{"alfa", "bravo"},

+					AllowEscalation: true,

+				}}},

+			},

+		},

+		{

+			name:   "cluster role matches 2",

+			scopes: []string{ClusterRoleIndicator + "two:bravo"},

+			client: &oauthapi.OAuthClient{

+				ScopeRestrictions: []oauthapi.ScopeRestriction{{ClusterRole: &oauthapi.ClusterRoleScopeRestriction{

+					RoleNames:       []string{"one", "two"},

+					Namespaces:      []string{"alfa", "bravo"},

+					AllowEscalation: false,

+				}}},

+			},

+		},

+		{

+			name:   "cluster role star matches",

+			scopes: []string{ClusterRoleIndicator + "two:bravo"},

+			client: &oauthapi.OAuthClient{

+				ScopeRestrictions: []oauthapi.ScopeRestriction{{ClusterRole: &oauthapi.ClusterRoleScopeRestriction{

+					RoleNames:       []string{"one", "two", "*"},

+					Namespaces:      []string{"alfa", "bravo", "*"},

+					AllowEscalation: true,

+				}}},

+			},

+		},

+	}

+

+	for _, tc := range testCases {

+		err := ValidateScopeRestrictions(tc.client, tc.scopes...)

+		if err != nil && len(tc.expectedErrors) == 0 {

+			t.Errorf("%s: unexpected error: %v", tc.name, err)

+			continue

+		}

+		if err == nil && len(tc.expectedErrors) > 0 {

+			t.Errorf("%s: missing error: %v", tc.name, tc.expectedErrors)

+			continue

+		}

+		if err == nil && len(tc.expectedErrors) == 0 {

+			continue

+		}

+

+		for _, expectedErr := range tc.expectedErrors {

+			if !strings.Contains(err.Error(), expectedErr) {

+				t.Errorf("%s: error %v missing %v", tc.name, err, expectedErr)

+			}

+		}

+	}

+

+}

@@ -83,13 +83,14 @@ const (

 func (c *AuthConfig) InstallAPI(container *restful.Container) ([]string, error) {

 	mux := c.getMux(container)

-	accessTokenStorage := accesstokenetcd.NewREST(c.EtcdHelper, c.EtcdBackends...)

-	accessTokenRegistry := accesstokenregistry.NewRegistry(accessTokenStorage)

-	authorizeTokenStorage := authorizetokenetcd.NewREST(c.EtcdHelper, c.EtcdBackends...)

-	authorizeTokenRegistry := authorizetokenregistry.NewRegistry(authorizeTokenStorage)

 	clientStorage := clientetcd.NewREST(c.EtcdHelper)

 	clientRegistry := clientregistry.NewRegistry(clientStorage)

-	clientAuthStorage := clientauthetcd.NewREST(c.EtcdHelper)

+

+	accessTokenStorage := accesstokenetcd.NewREST(c.EtcdHelper, clientRegistry, c.EtcdBackends...)

+	accessTokenRegistry := accesstokenregistry.NewRegistry(accessTokenStorage)

+	authorizeTokenStorage := authorizetokenetcd.NewREST(c.EtcdHelper, clientRegistry, c.EtcdBackends...)

+	authorizeTokenRegistry := authorizetokenregistry.NewRegistry(authorizeTokenStorage)

+	clientAuthStorage := clientauthetcd.NewREST(c.EtcdHelper, clientRegistry)

 	clientAuthRegistry := clientauthregistry.NewRegistry(clientAuthStorage)

 	errorPageHandler, err := c.getErrorHandler()

@@ -242,6 +243,8 @@ func ensureOAuthClient(client oauthapi.OAuthClient, clientRegistry clientregistr

 		if len(existing.Secret) == 0 {

 			existing.Secret = client.Secret

 		}

+		// Ensure the correct scope setting

+		existing.AllowAnyScope = client.AllowAnyScope

 		// Preserve redirects for clients other than the CLI client

 		// The CLI client doesn't care about the redirect URL, just the token or error fragment

@@ -270,6 +273,7 @@ func CreateOrUpdateDefaultOAuthClients(masterPublicAddr string, assetPublicAddre

 			Secret:                uuid.New(),

 			RespondWithChallenges: false,

 			RedirectURIs:          assetPublicAddresses,

+			AllowAnyScope:         true,

 		}

 		if err := ensureOAuthClient(webConsoleClient, clientRegistry, true); err != nil {

 			return err

@@ -282,6 +286,7 @@ func CreateOrUpdateDefaultOAuthClients(masterPublicAddr string, assetPublicAddre

 			Secret:                uuid.New(),

 			RespondWithChallenges: false,

 			RedirectURIs:          []string{masterPublicAddr + path.Join(OpenShiftOAuthAPIPrefix, tokenrequest.DisplayTokenEndpoint)},

+			AllowAnyScope:         true,

 		}

 		if err := ensureOAuthClient(browserClient, clientRegistry, true); err != nil {

 			return err

@@ -294,6 +299,7 @@ func CreateOrUpdateDefaultOAuthClients(masterPublicAddr string, assetPublicAddre

 			Secret:                uuid.New(),

 			RespondWithChallenges: true,

 			RedirectURIs:          []string{masterPublicAddr + path.Join(OpenShiftOAuthAPIPrefix, tokenrequest.ImplicitTokenEndpoint)},

+			AllowAnyScope:         true,

 		}

 		if err := ensureOAuthClient(cliClient, clientRegistry, false); err != nil {

 			return err

@@ -64,6 +64,7 @@ import (

 	"github.com/openshift/origin/pkg/image/registry/imagestreamtag"

 	accesstokenetcd "github.com/openshift/origin/pkg/oauth/registry/oauthaccesstoken/etcd"

 	authorizetokenetcd "github.com/openshift/origin/pkg/oauth/registry/oauthauthorizetoken/etcd"

+	clientregistry "github.com/openshift/origin/pkg/oauth/registry/oauthclient"

 	clientetcd "github.com/openshift/origin/pkg/oauth/registry/oauthclient/etcd"

 	clientauthetcd "github.com/openshift/origin/pkg/oauth/registry/oauthclientauthorization/etcd"

 	projectproxy "github.com/openshift/origin/pkg/project/registry/project/proxy"

@@ -490,6 +491,9 @@ func (c *MasterConfig) GetRestStorage() map[string]rest.Storage {

 		},

 	)

+	clientStorage := clientetcd.NewREST(c.EtcdHelper)

+	clientRegistry := clientregistry.NewRegistry(clientStorage)

+

 	storage := map[string]rest.Storage{

 		"images":               imageStorage,

 		"imageStreams/secrets": imageStreamSecretsStorage,

@@ -525,10 +529,10 @@ func (c *MasterConfig) GetRestStorage() map[string]rest.Storage {

 		"identities":           identityStorage,

 		"userIdentityMappings": userIdentityMappingStorage,

-		"oAuthAuthorizeTokens":      authorizetokenetcd.NewREST(c.EtcdHelper),

-		"oAuthAccessTokens":         accesstokenetcd.NewREST(c.EtcdHelper),

-		"oAuthClients":              clientetcd.NewREST(c.EtcdHelper),

-		"oAuthClientAuthorizations": clientauthetcd.NewREST(c.EtcdHelper),

+		"oAuthAuthorizeTokens":      authorizetokenetcd.NewREST(c.EtcdHelper, clientRegistry),

+		"oAuthAccessTokens":         accesstokenetcd.NewREST(c.EtcdHelper, clientRegistry),

+		"oAuthClients":              clientStorage,

+		"oAuthClientAuthorizations": clientauthetcd.NewREST(c.EtcdHelper, clientRegistry),

 		"resourceAccessReviews":      resourceAccessReviewStorage,

 		"subjectAccessReviews":       subjectAccessReviewStorage,

@@ -384,7 +384,8 @@ func newAuthorizationAttributeBuilder(requestContextMapper kapi.RequestContextMa

 }

 func getEtcdTokenAuthenticator(etcdHelper storage.Interface, groupMapper identitymapper.UserToGroupMapper) authenticator.Token {

-	accessTokenStorage := accesstokenetcd.NewREST(etcdHelper)

+	// this never does a create for access tokens, so we don't need to be able to validate scopes against the client

+	accessTokenStorage := accesstokenetcd.NewREST(etcdHelper, nil)

 	accessTokenRegistry := accesstokenregistry.NewRegistry(accessTokenStorage)

 	userStorage := useretcd.NewREST(etcdHelper)

@@ -12,6 +12,7 @@ import (

 func init() {

 	if err := api.Scheme.AddGeneratedDeepCopyFuncs(

+		DeepCopy_api_ClusterRoleScopeRestriction,

 		DeepCopy_api_OAuthAccessToken,

 		DeepCopy_api_OAuthAccessTokenList,

 		DeepCopy_api_OAuthAuthorizeToken,

@@ -20,12 +21,32 @@ func init() {

 		DeepCopy_api_OAuthClientAuthorization,

 		DeepCopy_api_OAuthClientAuthorizationList,

 		DeepCopy_api_OAuthClientList,

+		DeepCopy_api_ScopeRestriction,

 	); err != nil {

 		// if one of the deep copy functions is malformed, detect it immediately.

 		panic(err)

 	}

 }

+func DeepCopy_api_ClusterRoleScopeRestriction(in ClusterRoleScopeRestriction, out *ClusterRoleScopeRestriction, c *conversion.Cloner) error {

+	if in.RoleNames != nil {

+		in, out := in.RoleNames, &out.RoleNames

+		*out = make([]string, len(in))

+		copy(*out, in)

+	} else {

+		out.RoleNames = nil

+	}

+	if in.Namespaces != nil {

+		in, out := in.Namespaces, &out.Namespaces

+		*out = make([]string, len(in))

+		copy(*out, in)

+	} else {

+		out.Namespaces = nil

+	}

+	out.AllowEscalation = in.AllowEscalation

+	return nil

+}

+

 func DeepCopy_api_OAuthAccessToken(in OAuthAccessToken, out *OAuthAccessToken, c *conversion.Cloner) error {

 	if err := unversioned.DeepCopy_unversioned_TypeMeta(in.TypeMeta, &out.TypeMeta, c); err != nil {

 		return err

@@ -131,6 +152,18 @@ func DeepCopy_api_OAuthClient(in OAuthClient, out *OAuthClient, c *conversion.Cl

 	} else {

 		out.RedirectURIs = nil

 	}

+	if in.ScopeRestrictions != nil {

+		in, out := in.ScopeRestrictions, &out.ScopeRestrictions

+		*out = make([]ScopeRestriction, len(in))

+		for i := range in {

+			if err := DeepCopy_api_ScopeRestriction(in[i], &(*out)[i], c); err != nil {

+				return err

+			}

+		}

+	} else {

+		out.ScopeRestrictions = nil

+	}

+	out.AllowAnyScope = in.AllowAnyScope

 	return nil

 }

@@ -195,3 +228,23 @@ func DeepCopy_api_OAuthClientList(in OAuthClientList, out *OAuthClientList, c *c

 	}

 	return nil

 }

+

+func DeepCopy_api_ScopeRestriction(in ScopeRestriction, out *ScopeRestriction, c *conversion.Cloner) error {

+	if in.ExactValues != nil {

+		in, out := in.ExactValues, &out.ExactValues

+		*out = make([]string, len(in))

+		copy(*out, in)

+	} else {

+		out.ExactValues = nil

+	}

+	if in.ClusterRole != nil {

+		in, out := in.ClusterRole, &out.ClusterRole

+		*out = new(ClusterRoleScopeRestriction)

+		if err := DeepCopy_api_ClusterRoleScopeRestriction(*in, *out, c); err != nil {

+			return err

+		}

+	} else {

+		out.ClusterRole = nil

+	}

+	return nil

+}

@@ -73,6 +73,34 @@ type OAuthClient struct {

 	// RedirectURIs is the valid redirection URIs associated with a client

 	RedirectURIs []string

+

+	// ScopeRestrictions describes which scopes this client can request.  Each requested scope

+	// is checked against each restriction.  If any restriction matches, then the scope is allowed.

+	// If no restriction matches, then the scope is denied.

+	ScopeRestrictions []ScopeRestriction

+

+	// AllowAnyScope indicates that the client is allowed to request a token unconstrained by scopes.

+	// If this is true, then ScopeRestrictions is ignored.

+	AllowAnyScope bool

+}

+

+// ScopeRestriction describe one restriction on scopes.  Exactly one option must be non-nil.

+type ScopeRestriction struct {

+	// ExactValues means the scope has to match a particular set of strings exactly

+	ExactValues []string

+

+	// ClusterRole describes a set of restrictions for cluster role scoping.

+	ClusterRole *ClusterRoleScopeRestriction

+}

+

+// ClusterRoleScopeRestriction describes restrictions on cluster role scopes

+type ClusterRoleScopeRestriction struct {

+	// RoleNames is the list of cluster roles that can referenced.  * means anything

+	RoleNames []string

+	// Namespaces is the list of namespaces that can be referenced.  * means any of them (including *)

+	Namespaces []string

+	// AllowEscalation indicates whether you can request roles and their escalating resources

+	AllowEscalation bool

 }

 type OAuthClientAuthorization struct {

@@ -13,6 +13,8 @@ import (

 func init() {

 	if err := api.Scheme.AddGeneratedConversionFuncs(

+		Convert_v1_ClusterRoleScopeRestriction_To_api_ClusterRoleScopeRestriction,

+		Convert_api_ClusterRoleScopeRestriction_To_v1_ClusterRoleScopeRestriction,

 		Convert_v1_OAuthAccessToken_To_api_OAuthAccessToken,

 		Convert_api_OAuthAccessToken_To_v1_OAuthAccessToken,

 		Convert_v1_OAuthAccessTokenList_To_api_OAuthAccessTokenList,

@@ -29,12 +31,66 @@ func init() {

 		Convert_api_OAuthClientAuthorizationList_To_v1_OAuthClientAuthorizationList,

 		Convert_v1_OAuthClientList_To_api_OAuthClientList,

 		Convert_api_OAuthClientList_To_v1_OAuthClientList,

+		Convert_v1_ScopeRestriction_To_api_ScopeRestriction,

+		Convert_api_ScopeRestriction_To_v1_ScopeRestriction,

 	); err != nil {

 		// if one of the conversion functions is malformed, detect it immediately.

 		panic(err)

 	}

 }

+func autoConvert_v1_ClusterRoleScopeRestriction_To_api_ClusterRoleScopeRestriction(in *ClusterRoleScopeRestriction, out *oauth_api.ClusterRoleScopeRestriction, s conversion.Scope) error {

+	if defaulting, found := s.DefaultingInterface(reflect.TypeOf(*in)); found {

+		defaulting.(func(*ClusterRoleScopeRestriction))(in)

+	}

+	if in.RoleNames != nil {

+		in, out := &in.RoleNames, &out.RoleNames

+		*out = make([]string, len(*in))

+		copy(*out, *in)

+	} else {

+		out.RoleNames = nil

+	}

+	if in.Namespaces != nil {

+		in, out := &in.Namespaces, &out.Namespaces

+		*out = make([]string, len(*in))

+		copy(*out, *in)

+	} else {

+		out.Namespaces = nil

+	}

+	out.AllowEscalation = in.AllowEscalation

+	return nil

+}

+

+func Convert_v1_ClusterRoleScopeRestriction_To_api_ClusterRoleScopeRestriction(in *ClusterRoleScopeRestriction, out *oauth_api.ClusterRoleScopeRestriction, s conversion.Scope) error {

+	return autoConvert_v1_ClusterRoleScopeRestriction_To_api_ClusterRoleScopeRestriction(in, out, s)

+}

+

+func autoConvert_api_ClusterRoleScopeRestriction_To_v1_ClusterRoleScopeRestriction(in *oauth_api.ClusterRoleScopeRestriction, out *ClusterRoleScopeRestriction, s conversion.Scope) error {

+	if defaulting, found := s.DefaultingInterface(reflect.TypeOf(*in)); found {

+		defaulting.(func(*oauth_api.ClusterRoleScopeRestriction))(in)

+	}

+	if in.RoleNames != nil {

+		in, out := &in.RoleNames, &out.RoleNames

+		*out = make([]string, len(*in))

+		copy(*out, *in)

+	} else {

+		out.RoleNames = nil

+	}

+	if in.Namespaces != nil {

+		in, out := &in.Namespaces, &out.Namespaces

+		*out = make([]string, len(*in))

+		copy(*out, *in)

+	} else {

+		out.Namespaces = nil

+	}

+	out.AllowEscalation = in.AllowEscalation

+	return nil

+}

+

+func Convert_api_ClusterRoleScopeRestriction_To_v1_ClusterRoleScopeRestriction(in *oauth_api.ClusterRoleScopeRestriction, out *ClusterRoleScopeRestriction, s conversion.Scope) error {

+	return autoConvert_api_ClusterRoleScopeRestriction_To_v1_ClusterRoleScopeRestriction(in, out, s)

+}

+

 func autoConvert_v1_OAuthAccessToken_To_api_OAuthAccessToken(in *OAuthAccessToken, out *oauth_api.OAuthAccessToken, s conversion.Scope) error {

 	if defaulting, found := s.DefaultingInterface(reflect.TypeOf(*in)); found {

 		defaulting.(func(*OAuthAccessToken))(in)

@@ -293,6 +349,18 @@ func autoConvert_v1_OAuthClient_To_api_OAuthClient(in *OAuthClient, out *oauth_a

 	} else {

 		out.RedirectURIs = nil

 	}

+	if in.ScopeRestrictions != nil {

+		in, out := &in.ScopeRestrictions, &out.ScopeRestrictions

+		*out = make([]oauth_api.ScopeRestriction, len(*in))

+		for i := range *in {

+			if err := Convert_v1_ScopeRestriction_To_api_ScopeRestriction(&(*in)[i], &(*out)[i], s); err != nil {

+				return err

+			}

+		}

+	} else {

+		out.ScopeRestrictions = nil

+	}

+	out.AllowAnyScope = in.AllowAnyScope

 	return nil

 }

@@ -320,6 +388,18 @@ func autoConvert_api_OAuthClient_To_v1_OAuthClient(in *oauth_api.OAuthClient, ou

 	} else {

 		out.RedirectURIs = nil

 	}

+	if in.ScopeRestrictions != nil {

+		in, out := &in.ScopeRestrictions, &out.ScopeRestrictions

+		*out = make([]ScopeRestriction, len(*in))

+		for i := range *in {

+			if err := Convert_api_ScopeRestriction_To_v1_ScopeRestriction(&(*in)[i], &(*out)[i], s); err != nil {

+				return err

+			}

+		}

+	} else {

+		out.ScopeRestrictions = nil

+	}

+	out.AllowAnyScope = in.AllowAnyScope

 	return nil

 }

@@ -494,3 +574,57 @@ func autoConvert_api_OAuthClientList_To_v1_OAuthClientList(in *oauth_api.OAuthCl

 func Convert_api_OAuthClientList_To_v1_OAuthClientList(in *oauth_api.OAuthClientList, out *OAuthClientList, s conversion.Scope) error {

 	return autoConvert_api_OAuthClientList_To_v1_OAuthClientList(in, out, s)

 }

+

+func autoConvert_v1_ScopeRestriction_To_api_ScopeRestriction(in *ScopeRestriction, out *oauth_api.ScopeRestriction, s conversion.Scope) error {

+	if defaulting, found := s.DefaultingInterface(reflect.TypeOf(*in)); found {

+		defaulting.(func(*ScopeRestriction))(in)

+	}

+	if in.ExactValues != nil {

+		in, out := &in.ExactValues, &out.ExactValues

+		*out = make([]string, len(*in))

+		copy(*out, *in)

+	} else {

+		out.ExactValues = nil

+	}

+	if in.ClusterRole != nil {

+		in, out := &in.ClusterRole, &out.ClusterRole

+		*out = new(oauth_api.ClusterRoleScopeRestriction)

+		if err := Convert_v1_ClusterRoleScopeRestriction_To_api_ClusterRoleScopeRestriction(*in, *out, s); err != nil {

+			return err

+		}

+	} else {

+		out.ClusterRole = nil

+	}

+	return nil

+}

+

+func Convert_v1_ScopeRestriction_To_api_ScopeRestriction(in *ScopeRestriction, out *oauth_api.ScopeRestriction, s conversion.Scope) error {

+	return autoConvert_v1_ScopeRestriction_To_api_ScopeRestriction(in, out, s)

+}

+

+func autoConvert_api_ScopeRestriction_To_v1_ScopeRestriction(in *oauth_api.ScopeRestriction, out *ScopeRestriction, s conversion.Scope) error {

+	if defaulting, found := s.DefaultingInterface(reflect.TypeOf(*in)); found {

+		defaulting.(func(*oauth_api.ScopeRestriction))(in)

+	}

+	if in.ExactValues != nil {

+		in, out := &in.ExactValues, &out.ExactValues

+		*out = make([]string, len(*in))

+		copy(*out, *in)

+	} else {

+		out.ExactValues = nil

+	}

+	if in.ClusterRole != nil {

+		in, out := &in.ClusterRole, &out.ClusterRole

+		*out = new(ClusterRoleScopeRestriction)

+		if err := Convert_api_ClusterRoleScopeRestriction_To_v1_ClusterRoleScopeRestriction(*in, *out, s); err != nil {

+			return err

+		}

+	} else {

+		out.ClusterRole = nil

+	}

+	return nil

+}

+

+func Convert_api_ScopeRestriction_To_v1_ScopeRestriction(in *oauth_api.ScopeRestriction, out *ScopeRestriction, s conversion.Scope) error {

+	return autoConvert_api_ScopeRestriction_To_v1_ScopeRestriction(in, out, s)

+}

@@ -13,6 +13,7 @@ import (

 func init() {

 	if err := api.Scheme.AddGeneratedDeepCopyFuncs(

+		DeepCopy_v1_ClusterRoleScopeRestriction,

 		DeepCopy_v1_OAuthAccessToken,

 		DeepCopy_v1_OAuthAccessTokenList,

 		DeepCopy_v1_OAuthAuthorizeToken,

@@ -21,12 +22,32 @@ func init() {

 		DeepCopy_v1_OAuthClientAuthorization,

 		DeepCopy_v1_OAuthClientAuthorizationList,

 		DeepCopy_v1_OAuthClientList,

+		DeepCopy_v1_ScopeRestriction,

 	); err != nil {

 		// if one of the deep copy functions is malformed, detect it immediately.

 		panic(err)

 	}

 }

+func DeepCopy_v1_ClusterRoleScopeRestriction(in ClusterRoleScopeRestriction, out *ClusterRoleScopeRestriction, c *conversion.Cloner) error {

+	if in.RoleNames != nil {

+		in, out := in.RoleNames, &out.RoleNames

+		*out = make([]string, len(in))

+		copy(*out, in)

+	} else {

+		out.RoleNames = nil