EVEREST-1799 Configure OIDC scope

commands/settings/oidc/configure.go

@@ -18,10 +18,12 @@ package oidc
 
 import (
 	"os"
+	"strings"
 
 	"github.com/spf13/cobra"
 
 	"github.com/percona/everest/pkg/cli"
+	"github.com/percona/everest/pkg/common"
 	"github.com/percona/everest/pkg/logger"
 	"github.com/percona/everest/pkg/oidc"
 	"github.com/percona/everest/pkg/output"
@@ -33,7 +35,7 @@ var (
 		Args:    cobra.NoArgs,
 		Long:    "Configure OIDC settings",
 		Short:   "Configure OIDC settings",
-		Example: `everestctl settings oidc configure --issuer-url https://example.com --client-id 123456`,
+		Example: `everestctl settings oidc configure --issuer-url https://example.com --client-id 123456 --scopes openid,profile,email,groups`,
 		PreRun:  settingsOIDCConfigurePreRun,
 		Run:     settingsOIDCConfigureRun,
 	}
@@ -42,8 +44,9 @@ var (
 
 func init() {
 	// local command flags
-	settingsOIDCConfigureCmd.Flags().StringVar(&settingsOIDCConfigureCfg.IssuerURL, cli.FlagOIDCIssueURL, "", "OIDC issuer url")
-	settingsOIDCConfigureCmd.Flags().StringVar(&settingsOIDCConfigureCfg.ClientID, cli.FlagOIDCIssueClientID, "", "OIDC application client ID")
+	settingsOIDCConfigureCmd.Flags().StringVar(&settingsOIDCConfigureCfg.IssuerURL, cli.FlagOIDCIssuerURL, "", "OIDC issuer url")
+	settingsOIDCConfigureCmd.Flags().StringVar(&settingsOIDCConfigureCfg.ClientID, cli.FlagOIDCClientID, "", "OIDC application client ID")
+	settingsOIDCConfigureCmd.Flags().StringVar(&settingsOIDCConfigureCfg.Scopes, cli.FlagOIDCScopes, strings.Join(common.DefaultOIDCScopes, ","), "Comma-separated list of scopes")
 }
 
 func settingsOIDCConfigurePreRun(cmd *cobra.Command, _ []string) { //nolint:revive

docs/spec/openapi.yml

@@ -2136,9 +2136,15 @@ components:
         issuerURL:
           type: string
           description: OIDC provider url
+        scopes:
+          type: array
+          items:
+            type: string
+          description: OIDC scopes
       required:
         - clientId
         - issuerURL
+        - scopes
     DatabaseClusterList:
       description: DatabaseClusterList is an object that contains the list of the existing database clusters.
       properties:

go.mod

@@ -38,7 +38,7 @@ require (
 	github.com/operator-framework/api v0.27.0
 	github.com/operator-framework/operator-lifecycle-manager v0.27.0
 	github.com/percona/everest-operator v0.6.0-dev1.0.20250131090446-40b6d1d65b10
-	github.com/percona/percona-helm-charts/charts/everest v0.0.0-20250130165745-fd11e0611fa8
+	github.com/percona/percona-helm-charts/charts/everest v0.0.0-20250205100220-bfc757bae052
 	github.com/rodaine/table v1.3.0
 	github.com/spf13/cobra v1.8.1
 	github.com/stretchr/testify v1.10.0

go.sum

@@ -2223,8 +2223,8 @@ github.com/percona/everest-operator v0.6.0-dev1.0.20250131090446-40b6d1d65b10 h1
 github.com/percona/everest-operator v0.6.0-dev1.0.20250131090446-40b6d1d65b10/go.mod h1:jpmlzDw0avyNWwmlBABbaHNZO4/G3q9AonI1GoXfQfE=
 github.com/percona/percona-backup-mongodb v1.8.1-0.20241212160532-0157f87a7eee h1:LtitxWyhBqCNjIZqdvsSEPBd2HPg11lDBlIExTQAbGQ=
 github.com/percona/percona-backup-mongodb v1.8.1-0.20241212160532-0157f87a7eee/go.mod h1:zikIUTNTflfcth3ZJRqhvW8+7Jj38aVlg+wSV1jwnxo=
-github.com/percona/percona-helm-charts/charts/everest v0.0.0-20250130165745-fd11e0611fa8 h1:4j5gNewAo45zr42kf9mp36s2ff5+OFZJEM26bvpyw1c=
-github.com/percona/percona-helm-charts/charts/everest v0.0.0-20250130165745-fd11e0611fa8/go.mod h1:j5Ci48Azwb4Xs4XvZQNfleWCn2uyiZywazklxNH1ut4=
+github.com/percona/percona-helm-charts/charts/everest v0.0.0-20250205100220-bfc757bae052 h1:iTiSwfEzVWbFhTF9vu5/keuPZhqGZKUiBSGB52oAWos=
+github.com/percona/percona-helm-charts/charts/everest v0.0.0-20250205100220-bfc757bae052/go.mod h1:j5Ci48Azwb4Xs4XvZQNfleWCn2uyiZywazklxNH1ut4=
 github.com/percona/percona-postgresql-operator v0.0.0-20241007204305-35d61aa5aebd h1:9RCUfPUxbdXuL/247r77DJmRSowDzA2xzZC9FpuLuUw=
 github.com/percona/percona-postgresql-operator v0.0.0-20241007204305-35d61aa5aebd/go.mod h1:ICbLstSO4zhYo+SFSciIWO9rLHQg29GJ1335L0tfhR0=
 github.com/percona/percona-server-mongodb-operator v1.19.0 h1:X67Vx2jDYhSzyVfQZBKiVIjV3MICpyMLmon/m7y8tUo=

internal/server/handlers/k8s/kubernetes.go

@@ -82,6 +82,7 @@ func (h *k8sHandler) GetSettings(ctx context.Context) (*api.Settings, error) {
 		OidcConfig: api.OIDCConfig{
 			ClientId:  config.ClientID,
 			IssuerURL: config.IssuerURL,
+			Scopes:    config.Scopes,
 		},
 	}, nil
 }

pkg/cli/flags.go

@@ -76,10 +76,12 @@ const (
 
 	// settings flags
 
-	// FlagOIDCIssueURL is the name of the issuer-url flag.
-	FlagOIDCIssueURL = "issuer-url"
-	// FlagOIDCIssueClientID is the name of the client-id flag.
-	FlagOIDCIssueClientID = "client-id"
+	// FlagOIDCIssuerURL is the name of the issuer-url flag.
+	FlagOIDCIssuerURL = "issuer-url"
+	// FlagOIDCClientID is the name of the client-id flag.
+	FlagOIDCClientID = "client-id"
+	// FlagOIDCScopes is the name of the scope flag.
+	FlagOIDCScopes = "scopes"
 	// FlagRBACPolicyFile is the name of the policy-file flag.
 	FlagRBACPolicyFile = "policy-file"
 )

pkg/common/settings.go

@@ -5,15 +5,19 @@ import (
 	"gopkg.in/yaml.v3"
 )
 
+// DefaultOIDCScopes is the default scopes for OIDC.
+var DefaultOIDCScopes = []string{"openid", "profile", "email"}
+
 // EverestSettings represents the everest settings.
 type EverestSettings struct {
 	OIDCConfigRaw string `mapstructure:"oidc.config"`
 }
 
 // OIDCConfig represents the OIDC provider configuration.
 type OIDCConfig struct {
-	IssuerURL string `yaml:"issuerUrl"`
-	ClientID  string `yaml:"clientId"`
+	IssuerURL string   `yaml:"issuerUrl"`
+	ClientID  string   `yaml:"clientId"`
+	Scopes    []string `yaml:"scopes"`
 }
 
 // Raw converts the OIDCConfig struct to a raw YAML string.
@@ -27,7 +31,12 @@ func (c *OIDCConfig) Raw() (string, error) {
 
 // OIDCConfig returns the OIDCConfig struct from the raw string.
 func (e *EverestSettings) OIDCConfig() (OIDCConfig, error) {
-	var oidc OIDCConfig
+	oidc := OIDCConfig{
+		// Starting from v1.5.0, users can configure the OIDC scopes. In order
+		// to keep backward compatibility, we set the default scopes if they're
+		// not set.
+		Scopes: DefaultOIDCScopes,
+	}
 	err := yaml.Unmarshal([]byte(e.OIDCConfigRaw), &oidc)
 	if err != nil {
 		return OIDCConfig{}, err

pkg/common/settings_test.go

@@ -19,16 +19,16 @@ func TestToMap(t *testing.T) {
 		{
 			name: "correct",
 			input: EverestSettings{
-				OIDCConfigRaw: "issuerUrl: url\nclientId: id\n",
+				OIDCConfigRaw: "issuerUrl: url\nclientId: id\nscopes:\n- openid\n - profile\n - email\n - groups\n",
 			},
-			expected: map[string]string{"oidc.config": "issuerUrl: url\nclientId: id\n"},
+			expected: map[string]string{"oidc.config": "issuerUrl: url\nclientId: id\nscopes:\n- openid\n - profile\n - email\n - groups\n"},
 		},
 		{
 			name: "empty oidc",
 			input: EverestSettings{
-				OIDCConfigRaw: "issuerUrl: \"\"\nclientId: \"\"\n",
+				OIDCConfigRaw: "issuerUrl: \"\"\nclientId: \"\"\nscopes: []\n",
 			},
-			expected: map[string]string{"oidc.config": "issuerUrl: \"\"\nclientId: \"\"\n"},
+			expected: map[string]string{"oidc.config": "issuerUrl: \"\"\nclientId: \"\"\nscopes: []\n"},
 		},
 	}
 
@@ -54,16 +54,16 @@ func TestFromMap(t *testing.T) {
 		{
 			name: "correct",
 			expected: EverestSettings{
-				OIDCConfigRaw: "issuerUrl: url\nclientId: id\n",
+				OIDCConfigRaw: "issuerUrl: url\nclientId: id\nscopes:\n- openid\n- profile\n- email\n- groups\n",
 			},
-			input: map[string]string{"oidc.config": "issuerUrl: url\nclientId: id\n"},
+			input: map[string]string{"oidc.config": "issuerUrl: url\nclientId: id\nscopes:\n- openid\n- profile\n- email\n- groups\n"},
 		},
 		{
 			name: "extra key",
 			expected: EverestSettings{
-				OIDCConfigRaw: "issuerUrl: url\nclientId: id\nextraKey: value\n",
+				OIDCConfigRaw: "issuerUrl: url\nclientId: id\nscopes:\n- openid\n- profile\n- email\n- groups\nextraKey: value\n",
 			},
-			input: map[string]string{"oidc.config": "issuerUrl: url\nclientId: id\nextraKey: value\n"},
+			input: map[string]string{"oidc.config": "issuerUrl: url\nclientId: id\nscopes:\n- openid\n- profile\n- email\n- groups\nextraKey: value\n"},
 		},
 		{
 			name: "missing key",
@@ -99,22 +99,25 @@ func TestOIDCConfig(t *testing.T) {
 			expected: OIDCConfig{
 				IssuerURL: "url",
 				ClientID:  "id",
+				Scopes:    []string{"openid", "profile", "email", "groups"},
 			},
-			rawConfig: "issuerUrl: url\nclientId: id\n",
+			rawConfig: "issuerUrl: url\nclientId: id\nscopes:\n- openid\n- profile\n- email\n- groups\n",
 		},
 		{
 			name: "extra key",
 			expected: OIDCConfig{
 				IssuerURL: "url",
 				ClientID:  "id",
+				Scopes:    []string{"openid", "profile", "email", "groups"},
 			},
-			rawConfig: "issuerUrl: url\nclientId: id\nextraKey: value\n",
+			rawConfig: "issuerUrl: url\nclientId: id\nscopes:\n- openid\n- profile\n- email\n- groups\nextraKey: value\n",
 		},
 		{
 			name: "missing key",
 			expected: OIDCConfig{
 				IssuerURL: "url",
 				ClientID:  "",
+				Scopes:    DefaultOIDCScopes,
 			},
 			rawConfig: "issuerUrl: url\n",
 		},

pkg/oidc/configure.go

@@ -19,6 +19,8 @@ package oidc
 import (
 	"context"
 	"errors"
+	"slices"
+	"strings"
 
 	"github.com/AlecAivazis/survey/v2"
 	"go.uber.org/zap"
@@ -45,6 +47,8 @@ type Config struct {
 	IssuerURL string
 	// ClientID ID of the client OIDC app.
 	ClientID string
+	// Scopes requested scopes.
+	Scopes string
 }
 
 // NewOIDC returns a new OIDC struct.
@@ -71,6 +75,7 @@ func NewOIDC(c Config, l *zap.SugaredLogger) (*OIDC, error) {
 func (u *OIDC) Run(ctx context.Context) error {
 	issuerURL := u.config.IssuerURL
 	clientID := u.config.ClientID
+	scopes := strings.Split(u.config.Scopes, ",")
 
 	if issuerURL == "" {
 		if err := survey.AskOne(&survey.Input{
@@ -93,6 +98,12 @@ func (u *OIDC) Run(ctx context.Context) error {
 		return errors.New("clientID and/or issuerURL are not provided")
 	}
 
+	if !slices.ContainsFunc(scopes, func(s string) bool {
+		return s == "openid"
+	}) {
+		return errors.New("scopes must contain 'openid'")
+	}
+
 	// Check if we can connect to the provider.
 	_, err := getProviderConfig(ctx, issuerURL)
 	if err != nil {
@@ -106,6 +117,7 @@ func (u *OIDC) Run(ctx context.Context) error {
 	oidcCfg := common.OIDCConfig{
 		IssuerURL: issuerURL,
 		ClientID:  clientID,
+		Scopes:    scopes,
 	}
 
 	oidcRaw, err := oidcCfg.Raw()

ui/apps/everest/src/App.tsx

@@ -28,12 +28,13 @@ const App = () => {
   useEffect(() => {
     const loadConfigs = async () => {
       try {
-        const { oidcConfig = { clientId: '', issuerURL: '' } } =
+        const { oidcConfig = { clientId: '', issuerURL: '', scopes: [] } } =
           await getEverestConfigs();
         setConfigs({
           oidc: {
             authority: oidcConfig.issuerURL,
             clientId: oidcConfig.clientId,
+            scope: oidcConfig.scopes.join(' '),
             redirectUri: `${window.location.protocol}//${window.location.host}/`,
           },
         });
@@ -72,7 +73,6 @@ const App = () => {
               oidcConfig={{
                 ...configs?.oidc,
                 redirectUri: `${window.location.protocol}//${window.location.host}/login-callback`,
-                scope: 'openid profile email groups',
                 responseType: 'code',
                 autoSignIn: false,
                 automaticSilentRenew: false,

ui/apps/everest/src/shared-types/configs.types.ts

@@ -2,13 +2,15 @@ export type EverestConfigPayload = {
   oidcConfig?: {
     issuerURL: string;
     clientId: string;
+    scopes: string[];
   };
 };
 
 export type EverestConfig = {
   oidc?: {
     authority: string;
     clientId: string;
+    scope: string;
     redirectUri?: string;
   };
 };