Request groups scope for whynot OIDC role
This commit is contained in:
@@ -98,7 +98,14 @@ Role payload:
|
||||
"role_type": "oidc",
|
||||
"allowed_redirect_uris": [
|
||||
"https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback",
|
||||
"http://localhost:8250/oidc/callback"
|
||||
"http://localhost:8250/oidc/callback",
|
||||
"http://127.0.0.1:8250/oidc/callback"
|
||||
],
|
||||
"oidc_scopes": [
|
||||
"openid",
|
||||
"profile",
|
||||
"email",
|
||||
"groups"
|
||||
],
|
||||
"user_claim": "sub",
|
||||
"groups_claim": "groups",
|
||||
@@ -119,7 +126,14 @@ cat >"$role_payload_file" <<'JSON'
|
||||
{
|
||||
"allowed_redirect_uris": [
|
||||
"https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback",
|
||||
"http://localhost:8250/oidc/callback"
|
||||
"http://localhost:8250/oidc/callback",
|
||||
"http://127.0.0.1:8250/oidc/callback"
|
||||
],
|
||||
"oidc_scopes": [
|
||||
"openid",
|
||||
"profile",
|
||||
"email",
|
||||
"groups"
|
||||
],
|
||||
"bound_claims": {
|
||||
"groups": [
|
||||
@@ -192,7 +206,7 @@ Only after these are true:
|
||||
- secret metadata confirmed;
|
||||
- policy exists and is scoped to the corrected `coulomb/whynot-design` path;
|
||||
- OIDC role exists and binds only `groups=["whynot-design"]` with approved
|
||||
browser and local CLI callback URIs;
|
||||
browser/local CLI callback URIs and `groups` OIDC scope;
|
||||
- positive verification passed;
|
||||
- negative verification passed;
|
||||
|
||||
|
||||
Reference in New Issue
Block a user