Merge pull request #116 from nais/auth-scopes-prompt

add config for additional oauth scopes

Author: tronghn

charts/Feature.yaml

@@ -114,6 +114,12 @@ values:
     config:
       type: string
 
+  oauth.additionalScopes:
+    displayName: OAuth additional scopes
+    description: List of additional scopes to use in the OAuth login flow
+    config:
+      type: string_array
+
   staticServiceAccounts:
     displayName: Static nais-api service accounts
     description: JSON-encoded list of static service accounts

charts/templates/deployment.yaml

@@ -72,6 +72,8 @@ spec:
               value: "https://{{ .Values.host }}/oauth2/callback"
             - name: OAUTH_FRONTEND_URL
               value: "https://{{ .Values.host }}"
+            - name: OAUTH_ADDITIONAL_SCOPES
+              value: "{{ .Values.oauth.additionalScopes | join "," }}"
             - name: LISTEN_ADDRESS
               value: ":3000"
             - name: INTERNAL_LISTEN_ADDRESS

charts/values.yaml

@@ -49,6 +49,7 @@ oauth: # mapped in fasit
   issuer: "https://accounts.google.com"
   clientID: ""
   clientSecret: ""
+  additionalScopes: []
 
 slack:
   feedbackChannel: "console-user-feedback"

go.mod

@@ -1,8 +1,6 @@
 module github.com/nais/api
 
-go 1.24.0
-
-toolchain go1.24.1
+go 1.24.1
 
 tool (
 	github.com/99designs/gqlgen

internal/auth/authn/handler.go

@@ -75,8 +75,13 @@ func (h *handler) Login(w http.ResponseWriter, r *http.Request) {
 		Secure:   true,
 		HttpOnly: true,
 	})
-	consentUrl := h.oauth2Config.AuthCodeURL(oauthState, oauth2.SetAuthURLParam("prompt", "select_account"))
-	http.Redirect(w, r, consentUrl, http.StatusFound)
+
+	opts := make([]oauth2.AuthCodeOption, 0)
+
+	if prompt := r.URL.Query().Get("prompt"); prompt != "" {
+		opts = append(opts, oauth2.SetAuthURLParam("prompt", prompt))
+	}
+	http.Redirect(w, r, h.oauth2Config.AuthCodeURL(oauthState, opts...), http.StatusFound)
 }
 
 func (h *handler) Callback(w http.ResponseWriter, r *http.Request) {

internal/auth/authn/oidc.go

@@ -12,7 +12,7 @@ type OIDC struct {
 	provider *oidc.Provider
 }
 
-func NewOIDC(ctx context.Context, issuer, clientID, clientSecret, redirectURL string) (*OIDC, error) {
+func NewOIDC(ctx context.Context, issuer, clientID, clientSecret, redirectURL string, additionalScopes []string) (*OIDC, error) {
 	provider, err := oidc.NewProvider(ctx, issuer)
 	if err != nil {
 		return nil, err
@@ -25,7 +25,7 @@ func NewOIDC(ctx context.Context, issuer, clientID, clientSecret, redirectURL st
 			ClientSecret: clientSecret,
 			Endpoint:     provider.Endpoint(),
 			RedirectURL:  redirectURL,
-			Scopes:       []string{oidc.ScopeOpenID, "profile", "email"},
+			Scopes:       append([]string{oidc.ScopeOpenID, "profile", "email"}, additionalScopes...),
 		},
 	}, nil
 }

internal/cmd/api/api.go

@@ -299,7 +299,7 @@ func loadEnvFile(log logrus.FieldLogger) error {
 }
 
 func setupAuthHandler(ctx context.Context, cfg oAuthConfig, log logrus.FieldLogger) (authn.Handler, error) {
-	cf, err := authn.NewOIDC(ctx, cfg.Issuer, cfg.ClientID, cfg.ClientSecret, cfg.RedirectURL)
+	cf, err := authn.NewOIDC(ctx, cfg.Issuer, cfg.ClientID, cfg.ClientSecret, cfg.RedirectURL, cfg.AdditionalScopes)
 	if err != nil {
 		return nil, err
 	}

internal/cmd/api/config.go

@@ -89,6 +89,9 @@ type oAuthConfig struct {
 
 	// RedirectURL The URL that Google will redirect back to after performing authentication.
 	RedirectURL string `env:"OAUTH_REDIRECT_URL"`
+
+	// AdditionalScopes is a list of additional scopes to request in the OAuth login flow.
+	AdditionalScopes []string `env:"OAUTH_ADDITIONAL_SCOPES"`
 }
 
 type unleashConfig struct {

mise.toml

@@ -2,7 +2,7 @@
 pin = true
 
 [tools]
-go = "1.24.0"
+go = "1.24.1"
 helm = "3.17.1"
 node = "lts"
 protoc = "29.3"

pkg/apiclient/go.mod

@@ -1,6 +1,6 @@
 module github.com/nais/api/pkg/apiclient
 
-go 1.24
+go 1.24.1
 
 require (
 	github.com/stretchr/testify v1.10.0