percona · recharte · Feb 5, 2025 · Jan 27, 2025 · Jan 27, 2025 · Jan 27, 2025
@@ -18,10 +18,12 @@ package oidc
 
 import (
 	"os"
+	"strings"
 
 	"github.com/spf13/cobra"
 
 	"github.com/percona/everest/pkg/cli"
+	"github.com/percona/everest/pkg/common"
 	"github.com/percona/everest/pkg/logger"
 	"github.com/percona/everest/pkg/oidc"
 	"github.com/percona/everest/pkg/output"
@@ -33,7 +35,7 @@ var (
 		Args:    cobra.NoArgs,
 		Long:    "Configure OIDC settings",
 		Short:   "Configure OIDC settings",
-		Example: `everestctl settings oidc configure --issuer-url https://example.com --client-id 123456`,
+		Example: `everestctl settings oidc configure --issuer-url https://example.com --client-id 123456 --scopes openid,profile,email,groups`,
 		PreRun:  settingsOIDCConfigurePreRun,
 		Run:     settingsOIDCConfigureRun,
 	}
@@ -42,8 +44,9 @@ var (
 
 func init() {
 	// local command flags
-	settingsOIDCConfigureCmd.Flags().StringVar(&settingsOIDCConfigureCfg.IssuerURL, cli.FlagOIDCIssueURL, "", "OIDC issuer url")
-	settingsOIDCConfigureCmd.Flags().StringVar(&settingsOIDCConfigureCfg.ClientID, cli.FlagOIDCIssueClientID, "", "OIDC application client ID")
+	settingsOIDCConfigureCmd.Flags().StringVar(&settingsOIDCConfigureCfg.IssuerURL, cli.FlagOIDCIssuerURL, "", "OIDC issuer url")
+	settingsOIDCConfigureCmd.Flags().StringVar(&settingsOIDCConfigureCfg.ClientID, cli.FlagOIDCClientID, "", "OIDC application client ID")
+	settingsOIDCConfigureCmd.Flags().StringVar(&settingsOIDCConfigureCfg.Scopes, cli.FlagOIDCScopes, strings.Join(common.DefaultOIDCScopes, ","), "Comma-separated list of scopes")
 }
 
 func settingsOIDCConfigurePreRun(cmd *cobra.Command, _ []string) { //nolint:revive

@@ -2136,9 +2136,15 @@ components:
         issuerURL:
           type: string
           description: OIDC provider url
+        scopes:
+          type: array
+          items:
+            type: string
+          description: OIDC scopes
       required:
         - clientId
         - issuerURL
+        - scopes
     DatabaseClusterList:
       description: DatabaseClusterList is an object that contains the list of the existing database clusters.
       properties:

@@ -82,6 +82,7 @@ func (h *k8sHandler) GetSettings(ctx context.Context) (*api.Settings, error) {
 		OidcConfig: api.OIDCConfig{
 			ClientId:  config.ClientID,
 			IssuerURL: config.IssuerURL,
+			Scopes:    config.Scopes,
 		},
 	}, nil
 }

@@ -76,10 +76,12 @@ const (
 
 	// settings flags
 
-	// FlagOIDCIssueURL is the name of the issuer-url flag.
-	FlagOIDCIssueURL = "issuer-url"
-	// FlagOIDCIssueClientID is the name of the client-id flag.
-	FlagOIDCIssueClientID = "client-id"
+	// FlagOIDCIssuerURL is the name of the issuer-url flag.
+	FlagOIDCIssuerURL = "issuer-url"
+	// FlagOIDCClientID is the name of the client-id flag.
+	FlagOIDCClientID = "client-id"
+	// FlagOIDCScopes is the name of the scope flag.
+	FlagOIDCScopes = "scopes"
 	// FlagRBACPolicyFile is the name of the policy-file flag.
 	FlagRBACPolicyFile = "policy-file"
 )
@@ -5,15 +5,19 @@ import (
 	"gopkg.in/yaml.v3"
 )
 
+// DefaultOIDCScopes is the default scopes for OIDC.
+var DefaultOIDCScopes = []string{"openid", "profile", "email"}
+
 // EverestSettings represents the everest settings.
 type EverestSettings struct {
 	OIDCConfigRaw string `mapstructure:"oidc.config"`
 }
 
 // OIDCConfig represents the OIDC provider configuration.
 type OIDCConfig struct {
-	IssuerURL string `yaml:"issuerUrl"`
-	ClientID  string `yaml:"clientId"`
+	IssuerURL string   `yaml:"issuerUrl"`
+	ClientID  string   `yaml:"clientId"`
+	Scopes    []string `yaml:"scopes"`
 }
 
 // Raw converts the OIDCConfig struct to a raw YAML string.
@@ -27,7 +31,12 @@ func (c *OIDCConfig) Raw() (string, error) {
 
 // OIDCConfig returns the OIDCConfig struct from the raw string.
 func (e *EverestSettings) OIDCConfig() (OIDCConfig, error) {
-	var oidc OIDCConfig
+	oidc := OIDCConfig{
+		// Starting from v1.5.0, users can configure the OIDC scopes. In order
+		// to keep backward compatibility, we set the default scopes if they're
+		// not set.
+		Scopes: DefaultOIDCScopes,
+	}
 	err := yaml.Unmarshal([]byte(e.OIDCConfigRaw), &oidc)
 	if err != nil {
 		return OIDCConfig{}, err

@@ -19,16 +19,16 @@ func TestToMap(t *testing.T) {
 		{
 			name: "correct",
 			input: EverestSettings{
-				OIDCConfigRaw: "issuerUrl: url\nclientId: id\n",
+				OIDCConfigRaw: "issuerUrl: url\nclientId: id\nscopes:\n- openid\n - profile\n - email\n - groups\n",
 			},
-			expected: map[string]string{"oidc.config": "issuerUrl: url\nclientId: id\n"},
+			expected: map[string]string{"oidc.config": "issuerUrl: url\nclientId: id\nscopes:\n- openid\n - profile\n - email\n - groups\n"},
 		},
 		{
 			name: "empty oidc",
 			input: EverestSettings{
-				OIDCConfigRaw: "issuerUrl: \"\"\nclientId: \"\"\n",
+				OIDCConfigRaw: "issuerUrl: \"\"\nclientId: \"\"\nscopes: []\n",
 			},
-			expected: map[string]string{"oidc.config": "issuerUrl: \"\"\nclientId: \"\"\n"},
+			expected: map[string]string{"oidc.config": "issuerUrl: \"\"\nclientId: \"\"\nscopes: []\n"},
 		},
 	}
 
@@ -54,16 +54,16 @@ func TestFromMap(t *testing.T) {
 		{
 			name: "correct",
 			expected: EverestSettings{
-				OIDCConfigRaw: "issuerUrl: url\nclientId: id\n",
+				OIDCConfigRaw: "issuerUrl: url\nclientId: id\nscopes:\n- openid\n- profile\n- email\n- groups\n",
 			},
-			input: map[string]string{"oidc.config": "issuerUrl: url\nclientId: id\n"},
+			input: map[string]string{"oidc.config": "issuerUrl: url\nclientId: id\nscopes:\n- openid\n- profile\n- email\n- groups\n"},
 		},
 		{
 			name: "extra key",
 			expected: EverestSettings{
-				OIDCConfigRaw: "issuerUrl: url\nclientId: id\nextraKey: value\n",
+				OIDCConfigRaw: "issuerUrl: url\nclientId: id\nscopes:\n- openid\n- profile\n- email\n- groups\nextraKey: value\n",
 			},
-			input: map[string]string{"oidc.config": "issuerUrl: url\nclientId: id\nextraKey: value\n"},
+			input: map[string]string{"oidc.config": "issuerUrl: url\nclientId: id\nscopes:\n- openid\n- profile\n- email\n- groups\nextraKey: value\n"},
 		},
 		{
 			name: "missing key",
@@ -99,22 +99,25 @@ func TestOIDCConfig(t *testing.T) {
 			expected: OIDCConfig{
 				IssuerURL: "url",
 				ClientID:  "id",
+				Scopes:    []string{"openid", "profile", "email", "groups"},
 			},
-			rawConfig: "issuerUrl: url\nclientId: id\n",
+			rawConfig: "issuerUrl: url\nclientId: id\nscopes:\n- openid\n- profile\n- email\n- groups\n",
 		},
 		{
 			name: "extra key",
 			expected: OIDCConfig{
 				IssuerURL: "url",
 				ClientID:  "id",
+				Scopes:    []string{"openid", "profile", "email", "groups"},
 			},
-			rawConfig: "issuerUrl: url\nclientId: id\nextraKey: value\n",
+			rawConfig: "issuerUrl: url\nclientId: id\nscopes:\n- openid\n- profile\n- email\n- groups\nextraKey: value\n",
 		},
 		{
 			name: "missing key",
 			expected: OIDCConfig{
 				IssuerURL: "url",
 				ClientID:  "",
+				Scopes:    DefaultOIDCScopes,
 			},
 			rawConfig: "issuerUrl: url\n",
 		},

@@ -19,6 +19,8 @@ package oidc
 import (
 	"context"
 	"errors"
+	"slices"
+	"strings"
 
 	"github.com/AlecAivazis/survey/v2"
 	"go.uber.org/zap"
@@ -45,6 +47,8 @@ type Config struct {
 	IssuerURL string
 	// ClientID ID of the client OIDC app.
 	ClientID string
+	// Scopes requested scopes.
+	Scopes string
 }
 
 // NewOIDC returns a new OIDC struct.
@@ -71,6 +75,7 @@ func NewOIDC(c Config, l *zap.SugaredLogger) (*OIDC, error) {
 func (u *OIDC) Run(ctx context.Context) error {
 	issuerURL := u.config.IssuerURL
 	clientID := u.config.ClientID
+	scopes := strings.Split(u.config.Scopes, ",")
 
 	if issuerURL == "" {
 		if err := survey.AskOne(&survey.Input{
@@ -93,6 +98,12 @@ func (u *OIDC) Run(ctx context.Context) error {
 		return errors.New("clientID and/or issuerURL are not provided")
 	}
 
+	if !slices.ContainsFunc(scopes, func(s string) bool {
+		return s == "openid"
+	}) {
+		return errors.New("scopes must contain 'openid'")
+	}
+
 	// Check if we can connect to the provider.
 	_, err := getProviderConfig(ctx, issuerURL)
 	if err != nil {
@@ -106,6 +117,7 @@ func (u *OIDC) Run(ctx context.Context) error {
 	oidcCfg := common.OIDCConfig{
 		IssuerURL: issuerURL,
 		ClientID:  clientID,
+		Scopes:    scopes,
 	}
 
 	oidcRaw, err := oidcCfg.Raw()

@@ -28,12 +28,13 @@ const App = () => {
   useEffect(() => {
     const loadConfigs = async () => {
       try {
-        const { oidcConfig = { clientId: '', issuerURL: '' } } =
+        const { oidcConfig = { clientId: '', issuerURL: '', scopes: [] } } =
           await getEverestConfigs();
         setConfigs({
           oidc: {
             authority: oidcConfig.issuerURL,
             clientId: oidcConfig.clientId,
+            scope: oidcConfig.scopes.join(' '),
             redirectUri: `${window.location.protocol}//${window.location.host}/`,
           },
         });
@@ -72,7 +73,6 @@ const App = () => {
               oidcConfig={{
                 ...configs?.oidc,
                 redirectUri: `${window.location.protocol}//${window.location.host}/login-callback`,
-                scope: 'openid profile email groups',
                 responseType: 'code',
                 autoSignIn: false,
                 automaticSilentRenew: false,

@@ -2,13 +2,15 @@ export type EverestConfigPayload = {
   oidcConfig?: {
     issuerURL: string;
     clientId: string;
+    scopes: string[];
   };
 };
 
 export type EverestConfig = {
   oidc?: {
     authority: string;
     clientId: string;
+    scope: string;
     redirectUri?: string;
   };
 };