From da54ce6ee020a9718f55ec30c614607d411f55c8 Mon Sep 17 00:00:00 2001
From: Elias Schneider
Date: Mon, 25 Nov 2024 12:21:17 +0100
Subject: [PATCH] feat: add config variable to specify the requested OIDC sopes
---
backend/prisma/seed/config.seed.ts | 4 ++++
backend/src/oauth/provider/genericOidc.provider.ts | 2 +-
frontend/src/i18n/translations/en-US.ts | 3 +++
3 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/backend/prisma/seed/config.seed.ts b/backend/prisma/seed/config.seed.ts
index 26a39a32..b038467f 100644
--- a/backend/prisma/seed/config.seed.ts
+++ b/backend/prisma/seed/config.seed.ts
@@ -288,6 +288,10 @@ const configVariables: ConfigVariables = {
 type: "boolean",
 defaultValue: "false",
 },
+ "oidc-scope": {
+ type: "string",
+ defaultValue: "openid email profile",
+ },
 "oidc-usernameClaim": {
 type: "string",
 defaultValue: "",
diff --git a/backend/src/oauth/provider/genericOidc.provider.ts b/backend/src/oauth/provider/genericOidc.provider.ts
index 3348321f..72d36d88 100644
--- a/backend/src/oauth/provider/genericOidc.provider.ts
+++ b/backend/src/oauth/provider/genericOidc.provider.ts
@@ -70,7 +70,7 @@ export abstract class GenericOidcProvider implements OAuthProvider {
 new URLSearchParams({
 client_id: this.config.get(`oauth.${this.name}-clientId`),
 response_type: "code",
- scope: "openid profile email",
+ scope: this.config.get(`oauth.${this.name}-scope`),
 redirect_uri: this.getRedirectUri(),
 state,
 nonce,
diff --git a/frontend/src/i18n/translations/en-US.ts b/frontend/src/i18n/translations/en-US.ts
index bc7292b1..31419ca3 100644
--- a/frontend/src/i18n/translations/en-US.ts
+++ b/frontend/src/i18n/translations/en-US.ts
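Review bot: The new `scope:` line in the genericOidc.provider.ts hunk passes the configured value into URLSearchParams unchecked, so a blank `oauth.<name>-scope` yields `scope=` (or `scope=undefined`, depending on what `this.config.get` returns for an unset key) and an admin can save a value that omits `openid`. Without `openid` the provider will not issue an ID token, and the `nonce` sent on the line below presumably has nowhere to be verified, so the login would fail in a way that is hard to diagnose. I would read the value into a local first, fall back to the previous `"openid profile email"` when it is blank, and add `openid` when it is missing, e.g. `scope: scope.split(" ").includes("openid") ? scope : "openid " + scope,`. The same constraint belongs in the en-US.ts description string for `oidc-scope` added in this patch (e.g. "Must include openid."). The method that builds this URL starts and ends outside the hunk.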
@@ -566,6 +566,9 @@ export default {
 "admin.config.oauth.oidc-sign-out": "Sign out from OpenID Connect",
 "admin.config.oauth.oidc-sign-out.description":
 "Whether the “Sign out” button will sign out from the OpenID Connect provider",
+ "admin.config.oauth.oidc-scope": "OpenID Connect scope",
+ "admin.config.oauth.oidc-scope.description":
+ "Scopes which should be requested from the OpenID Connect provider.",
 "admin.config.oauth.oidc-username-claim": "OpenID Connect username claim",
 "admin.config.oauth.oidc-username-claim.description":
 "Username claim in OpenID Connect ID token. Leave it blank if you don't know what this config is.",