Request groups scope for whynot OIDC role

2026-06-28 13:23:14 +02:00
parent adf865611c
commit 3527bc1cae
7 changed files with 74 additions and 5 deletions


@@ -142,8 +142,13 @@ class CredentialChangeTests(unittest.TestCase):
[
"https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback",
"http://localhost:8250/oidc/callback",
"http://127.0.0.1:8250/oidc/callback",
],
)
self.assertEqual(
payload["oidc_scopes"],
["openid", "profile", "email", "groups"],
)
def test_apply_plan_refuses_unapproved_ccr(self) -> None:
with self.assertRaises(SystemExit):
@@ -170,6 +175,8 @@ class CredentialChangeTests(unittest.TestCase):
self.assertIn('role_payload_file="$(mktemp)"', rendered)
self.assertIn('"bound_claims": {', rendered)
self.assertIn('"allowed_redirect_uris": [', rendered)
self.assertIn('"oidc_scopes": [', rendered)
self.assertIn('"groups"', rendered)
self.assertIn(
'"https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback"',
rendered,
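Review bot: The new check `self.assertIn('"groups"', rendered)` in the second hunk matches that string anywhere in the rendered script, so it can pass even when `groups` is absent from `oidc_scopes`. The `bound_claims` block asserted just above may itself render a `"groups"` key or value; its contents are not visible here, so this is an inference. The requested scopes decide which claims the IdP releases for the role binding, so the test should tie the value to the scope list, for example `self.assertRegex(rendered, r'"oidc_scopes": \[[^\]]*"groups"')`. The first hunk already does this by comparing `payload["oidc_scopes"]` exactly. The enclosing test method starts and ends outside the hunk.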