Allow configuration of custom OIDC Scopes in WGE (#2199)

- Needs a bit of piping through from the helm chart
weaveworks · Jan 9, 2023 · 9e47278 · 9e47278
1 parent 933a1ec
commit 9e47278
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 1 deletion.
diff --git a/charts/mccp/templates/clusters-service/configmap.yaml b/charts/mccp/templates/clusters-service/configmap.yaml
@@ -40,6 +40,7 @@ data:
   OIDC_REDIRECT_URL: {{ .Values.config.oidc.redirectURL | quote }}
   OIDC_COOKIE_DURATION: {{ .Values.config.oidc.cookieDuration | quote }}
   OIDC_CLAIM_USERNAME: {{ .Values.config.oidc.claimUsername | quote }}
+  CUSTOM_OIDC_SCOPES: {{ .Values.config.oidc.customScopes | quote }}
   OIDC_CLAIM_GROUPS: {{ .Values.config.oidc.claimGroups | quote }}
   {{- end }}
   NO_TLS: {{ not .Values.tls.enabled | quote }}

diff --git a/charts/mccp/values.yaml b/charts/mccp/values.yaml
@@ -62,6 +62,8 @@ config:
     claimGroups: ""
     # Name of secret in flux-system namespace that contains a clientId and clientSecret
     clientCredentialsSecret: ""
+    # Customise the requested scopes for then OIDC authentication flow - openid will always be requested
+    customScopes: ""
   auth:
     userAccount:
       enabled: true

diff --git a/cmd/clusters-service/app/server.go b/cmd/clusters-service/app/server.go
@@ -152,6 +152,7 @@ type OIDCAuthenticationOptions struct {
 	TokenDuration time.Duration `mapstructure:"oidc-token-duration"`
 	ClaimUsername string        `mapstructure:"oidc-claim-username"`
 	ClaimGroups   string        `mapstructure:"oidc-claim-groups"`
+	CustomScopes  []string      `mapstructure:"custom-oidc-scopes"`
 }
 
 func NewAPIServerCommand(log logr.Logger, tempDir string) *cobra.Command {
@@ -217,6 +218,7 @@ func NewAPIServerCommand(log logr.Logger, tempDir string) *cobra.Command {
 	cmd.Flags().Duration("oidc-token-duration", time.Hour, "The duration of the ID token. It should be set in the format: number + time unit (s,m,h) e.g., 20m")
 	cmd.Flags().String("oidc-claim-username", "", "JWT claim to use as the user name. By default email, which is expected to be a unique identifier of the end user. Admins can choose other claims, such as sub or name, depending on their provider")
 	cmd.Flags().String("oidc-claim-groups", "", "JWT claim to use as the user's group. If the claim is present it must be an array of strings")
+	cmd.Flags().StringSlice("custom-oidc-scopes", auth.DefaultScopes, "Customise the requested scopes for then OIDC authentication flow - openid will always be requested")
 
 	cmd.Flags().Bool("dev-mode", false, "starts the server in development mode")
 	cmd.Flags().Bool("use-k8s-cached-clients", true, "Enables the use of cached clients")
@@ -552,7 +554,7 @@ func RunInProcessGateway(ctx context.Context, addr string, setters ...Option) er
 		return errors.New("clusters manager is not set")
 	}
 	// TokenDuration at least should be set
-	if (args.OIDC == OIDCAuthenticationOptions{}) {
+	if args.OIDC.TokenDuration == 0 {
 		return errors.New("OIDC configuration is not set")
 	}
 
@@ -680,6 +682,10 @@ func RunInProcessGateway(ctx context.Context, addr string, setters ...Option) er
 		tsv.SetDevMode(args.DevMode)
 	}
 
+	if len(args.OIDC.CustomScopes) != 0 {
+		args.Log.Info("setting custom OIDC scopes", "scopes", args.OIDC.CustomScopes)
+	}
+
 	authServerConfig, err := auth.NewAuthServerConfig(
 		args.Log,
 		auth.OIDCConfig{
@@ -692,6 +698,7 @@ func RunInProcessGateway(ctx context.Context, addr string, setters ...Option) er
 				Username: args.OIDC.ClaimUsername,
 				Groups:   args.OIDC.ClaimGroups,
 			},
+			Scopes: args.OIDC.CustomScopes,
 		},
 		args.KubernetesClient,
 		tsv,