add config for additional oauth scopes

Co-authored-by: Christer Edvartsen <[email protected]>

Author: tronghn

charts/Feature.yaml

@@ -114,6 +114,12 @@ values:
     config:
       type: string
 
+  oauth.additionalScopes:
+    displayName: OAuth additional scopes
+    description: List of additional scopes to use in the OAuth login flow
+    config:
+      type: string_array
+
   staticServiceAccounts:
     displayName: Static nais-api service accounts
     description: JSON-encoded list of static service accounts

charts/templates/deployment.yaml

@@ -72,6 +72,8 @@ spec:
               value: "https://{{ .Values.host }}/oauth2/callback"
             - name: OAUTH_FRONTEND_URL
               value: "https://{{ .Values.host }}"
+            - name: OAUTH_ADDITIONAL_SCOPES
+              value: "{{ .Values.oauth.additionalScopes | join "," }}"
             - name: LISTEN_ADDRESS
               value: ":3000"
             - name: INTERNAL_LISTEN_ADDRESS

charts/values.yaml

@@ -49,6 +49,7 @@ oauth: # mapped in fasit
   issuer: "https://accounts.google.com"
   clientID: ""
   clientSecret: ""
+  additionalScopes: []
 
 slack:
   feedbackChannel: "console-user-feedback"

internal/auth/authn/oidc.go

@@ -12,7 +12,7 @@ type OIDC struct {
 	provider *oidc.Provider
 }
 
-func NewOIDC(ctx context.Context, issuer, clientID, clientSecret, redirectURL string) (*OIDC, error) {
+func NewOIDC(ctx context.Context, issuer, clientID, clientSecret, redirectURL string, additionalScopes []string) (*OIDC, error) {
 	provider, err := oidc.NewProvider(ctx, issuer)
 	if err != nil {
 		return nil, err
@@ -25,7 +25,7 @@ func NewOIDC(ctx context.Context, issuer, clientID, clientSecret, redirectURL st
 			ClientSecret: clientSecret,
 			Endpoint:     provider.Endpoint(),
 			RedirectURL:  redirectURL,
-			Scopes:       []string{oidc.ScopeOpenID, "profile", "email"},
+			Scopes:       append([]string{oidc.ScopeOpenID, "profile", "email"}, additionalScopes...),
 		},
 	}, nil
 }

internal/cmd/api/api.go

@@ -299,7 +299,7 @@ func loadEnvFile(log logrus.FieldLogger) error {
 }
 
 func setupAuthHandler(ctx context.Context, cfg oAuthConfig, log logrus.FieldLogger) (authn.Handler, error) {
-	cf, err := authn.NewOIDC(ctx, cfg.Issuer, cfg.ClientID, cfg.ClientSecret, cfg.RedirectURL)
+	cf, err := authn.NewOIDC(ctx, cfg.Issuer, cfg.ClientID, cfg.ClientSecret, cfg.RedirectURL, cfg.AdditionalScopes)
 	if err != nil {
 		return nil, err
 	}

internal/cmd/api/config.go

@@ -89,6 +89,9 @@ type oAuthConfig struct {
 
 	// RedirectURL The URL that Google will redirect back to after performing authentication.
 	RedirectURL string `env:"OAUTH_REDIRECT_URL"`
+
+	// AdditionalScopes is a list of additional scopes to request in the OAuth login flow.
+	AdditionalScopes []string `env:"OAUTH_ADDITIONAL_SCOPES"`
 }
 
 type unleashConfig struct {