Add support to ensure user belongs in required groups when using the OIDC provider

2025-11-06 08:59:21 +02:00 · 2020-07-28 11:42:09 -07:00
parent a87beab1a0
commit 9d59519a96
10 changed files with 281 additions and 18 deletions
--- a/pkg/validation/options.go
+++ b/pkg/validation/options.go
@@ -152,6 +152,10 @@ func Validate(o *options.Options) error {
 		}
 		if o.Scope == "" {
 			o.Scope = "openid email profile"
+
+			if len(o.AllowedGroups) > 0 {
+				o.Scope += " groups"
+			}
 		}
 	}

@@ -279,6 +283,7 @@ func parseProviderInfo(o *options.Options, msgs []string) []string {
 	case *providers.OIDCProvider:
 		p.AllowUnverifiedEmail = o.InsecureOIDCAllowUnverifiedEmail
 		p.UserIDClaim = o.UserIDClaim
+		p.GroupsClaim = o.OIDCGroupsClaim
 		if o.GetOIDCVerifier() == nil {
 			msgs = append(msgs, "oidc provider requires an oidc issuer URL")
 		} else {