Request groups scope for whynot OIDC role

2026-06-28 13:23:14 +02:00
parent adf865611c
commit 3527bc1cae
7 changed files with 74 additions and 5 deletions
--- a/scripts/credential-change.py
+++ b/scripts/credential-change.py
@@ -183,6 +183,19 @@ def validate_workload_kv_read(ccr: dict[str, Any], errors: list[str], warnings:
                errors.append(
                    f"openbao.auth.allowed_redirect_uris[{index}] must be a non-empty string"
                )
+        if auth.get("groups_claim"):
+            oidc_scopes = require_list(
+                auth.get("oidc_scopes"), "openbao.auth.oidc_scopes", errors
+            )
+            if "groups" not in oidc_scopes:
+                errors.append(
+                    "openbao.auth.oidc_scopes must include 'groups' when groups_claim is set"
+                )
+            for index, scope in enumerate(oidc_scopes):
+                if not isinstance(scope, str) or not scope.strip():
+                    errors.append(
+                        f"openbao.auth.oidc_scopes[{index}] must be a non-empty string"
+                    )
    policies = [str(policy) for policy in require_list(auth.get("policies"), "openbao.auth.policies", errors)]
    if policies != [policy_name]:
        errors.append("openbao.auth.policies must contain exactly openbao.policy_name")
@@ -362,6 +375,8 @@ def auth_payload(ccr: dict[str, Any]) -> dict[str, Any]:
        payload["groups_claim"] = auth["groups_claim"]
    if auth.get("allowed_redirect_uris"):
        payload["allowed_redirect_uris"] = auth["allowed_redirect_uris"]
+    if auth.get("oidc_scopes"):
+        payload["oidc_scopes"] = auth["oidc_scopes"]
    return payload