🔧 add OIDC scope option

2024-07-16 14:00:03 +02:00 · 2024-07-16 14:00:03 +02:00 · 9547c3baec
parent 66dac6ff6d
commit 9547c3baec
4 changed files with 11 additions and 3 deletions
--- a/docs/authentication.md
+++ b/docs/authentication.md
@ -15,6 +15,7 @@
  - [Setting up Keycloak](#2-setup-keycloak-users)
  - [Configuring Dashy for Keycloak](#3-enable-keycloak-in-dashy-config-file)
  - [Toubleshooting Keycloak](#troubleshooting-keycloak)
+- [OpenID Connect](#oidc)
 - [Alternative Authentication Methods](#alternative-authentication-methods)
  - [VPN](#vpn)
  - [IP-Based Access](#ip-based-access)
@ -283,6 +284,7 @@ appConfig:
    oidc:
      clientId: [registered client id]
      endpoint: [OIDC endpoint]
+      scope: [The scope(s) to request from the OIDC provider]
 ```

 Because Dashy is a SPA, a [public client](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1) registration with PKCE is needed.
--- a/docs/configuring.md
+++ b/docs/configuring.md
@ -202,6 +202,7 @@ For more info, see the **[Authentication Docs](/docs/authentication.md)**
 --- | --- | --- | ---
 **`clientId`** | `string` | Required | The client id registered in the OIDC server
 **`endpoint`** | `string` | Required | The URL of the OIDC server that should be used.
+**`scope`** | `string` | Required | The scope(s) to request from the OIDC provider

 **[⬆️ Back to Top](#configuring)**

--- a/src/utils/ConfigSchema.json
+++ b/src/utils/ConfigSchema.json
@ -565,7 +565,12 @@
                  "title": "OIDC Client Id",
                  "type": "string",
                  "description": "ClientId from OIDC provider"
-                }
+                },
+                "scope" : {
+                    "title": "OIDC Scope",
+                    "type": "string",
+                    "description": "The scope(s) to request from the OIDC provider"
+                  }
              }
            },
            "enableHeaderAuth": {
--- a/src/utils/OidcAuth.js
+++ b/src/utils/OidcAuth.js
@ -13,14 +13,14 @@ const getAppConfig = () => {
 class OidcAuth {
  constructor() {
    const { auth } = getAppConfig();
-    const { clientId, endpoint } = auth.oidc;
+    const { clientId, endpoint, scope } = auth.oidc;
    const settings = {
      userStore: new WebStorageStateStore({ store: window.localStorage }),
      authority: endpoint,
      client_id: clientId,
      redirect_uri: `${window.location.origin}`,
      response_type: 'code',
-      scope: 'openid profile email roles groups',
+      scope,
      response_mode: 'query',
      filterProtocolClaims: true,
    };