Add enable_aws_email_tag

cabinetoffice · Feb 15, 2024 · fe11b7a · fe11b7a
1 parent 1f59324
commit fe11b7a
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/sso_oidc.py b/sso_oidc.py
@@ -151,6 +151,7 @@ def get_available_scopes() -> list:
         "profile",
         "user_attribute:global:read",
         "user_attribute:global:write",
+        "enable_aws_email_tag",
     ]
 
 
@@ -213,6 +214,9 @@ def generate_id_token(
         payload["email_verified"] = True
         payload["preferred_username"] = email
 
+    if "enable_aws_email_tag" in scopes:
+        payload["https://aws.amazon.com/tags"] = {"principal_tags": {"Email": [email]}}
+
     if "profile" in scopes:
         dn = None
         if "attributes" in user and "display_name" in user["attributes"]: