From 649df8827c58080f0a3679ab48f5c673926792aa Mon Sep 17 00:00:00 2001
From: Matt Feury
Date: Thu, 8 Dec 2022 22:46:34 -0500
Subject: [PATCH] feat: Support OIDC scope parameter (#3192)

---
 pkg/auth/oidc.go | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/pkg/auth/oidc.go b/pkg/auth/oidc.go
index 831180f4..38346c76 100644
--- a/pkg/auth/oidc.go
+++ b/pkg/auth/oidc.go
@@ -36,6 +36,9 @@ type OidcClientConfig struct {
 	// OidcAudience specifies the audience of the token in OIDC authentication
 	// if AuthenticationMethod == "oidc". By default, this value is "".
 	OidcAudience string `ini:"oidc_audience" json:"oidc_audience"`
+	// OidcScope specifies the scope of the token in OIDC authentication
+	// if AuthenticationMethod == "oidc". By default, this value is "".
+	OidcScope string `ini:"oidc_scope" json:"oidc_scope"`
 	// OidcTokenEndpointURL specifies the URL which implements OIDC Token Endpoint.
 	// It will be used to get an OIDC token if AuthenticationMethod == "oidc".
 	// By default, this value is "".
@@ -52,6 +55,7 @@ func getDefaultOidcClientConf() OidcClientConfig {
 		OidcClientID: "",
 		OidcClientSecret: "",
 		OidcAudience: "",
+		OidcScope: "",
 		OidcTokenEndpointURL: "",
 		OidcAdditionalEndpointParams: make(map[string]string),
 	}
@@ -99,10 +103,17 @@ func NewOidcAuthSetter(baseCfg BaseConfig, cfg OidcClientConfig) *OidcAuthProvid
 		eps[k] = []string{v}
 	}
 
+	// Previous versions hardcoded the scope to audience,
+	// so for backwards compatibility, use that if no scope is set
+	scope := cfg.OidcAudience
+	if cfg.OidcScope != "" {
+		scope = cfg.OidcScope
+	}
+
 	tokenGenerator := &clientcredentials.Config{
 		ClientID: cfg.OidcClientID,
 		ClientSecret: cfg.OidcClientSecret,
-		Scopes: []string{cfg.OidcAudience},
+		Scopes: []string{scope},
 		TokenURL: cfg.OidcTokenEndpointURL,
 		EndpointParams: eps,
 	}
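Review bot: The doc comment on the new OidcScope field says only that the default is "", but the third hunk makes an empty value fall back to OidcAudience as the requested scope, and an operator reading the config struct will not see that. The fallback belongs in the field documentation, since it decides what the client-credentials request asks the token endpoint for; suggested wording: `// OidcScope specifies the scope of the token in OIDC authentication` / `// if AuthenticationMethod == "oidc". If empty, OidcAudience is used as the scope` / `// for compatibility with earlier versions. By default, this value is "".`. The existing OidcAudience comment ("specifies the audience of the token") likewise appears to describe a value that the visible code only ever sends as a scope, so it may be worth aligning that text too, though that predates this change.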
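Review bot: With both OidcScope and OidcAudience unset, scope is "" and `Scopes: []string{scope}` still hands the token generator a one-element list containing an empty string rather than no scopes at all, so the request carries an empty scope parameter; the old code had the same shape, but this hunk is the place that now decides the value. A small guard keeps the list nil when nothing is configured: `var scopes []string` / `if scope != "" { scopes = []string{scope} }` / `Scopes: scopes,`. The body of NewOidcAuthSetter begins and ends outside this hunk, so whether anything else validates an empty scope cannot be seen here.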