diff --git a/README.md b/README.md index af3d76c..298f2c3 100644 --- a/README.md +++ b/README.md @@ -66,6 +66,7 @@ With the default configuration, [a person entry](https://www.home-assistant.io/i | `features.automatic_user_linking` | `boolean`| No | `false` | Automatically links users to existing Home Assistant users based on the OIDC username claim. Disabled by default for security. When disabled, OIDC users will get their own new user profile upon first login. | | `features.automatic_person_creation` | `boolean` | No | `true` | Automatically creates a person entry for new user profiles created by this integration. Recommended if you would like to assign presence detection to OIDC users. | | `features.disable_rfc7636` | `boolean`| No | `false` | Disables PKCE (RFC 7636) for OIDC providers that don't support it. You should not need this with most providers. | +| `features.include_groups_scope` | `boolean` | No | `true` | Include the 'groups' scope in the OIDC request. Set to `false` to exclude it. | | `claims.display_name` | `string` | No | `name` | The claim to use to obtain the display name. | `claims.username` | `string` | No | `preferred_username` | The claim to use to obtain the username. | `claims.groups` | `string` | No | `groups` | The claim to use to obtain the user's group(s). | @@ -134,6 +135,8 @@ Currently, this is a pre-alpha, so I welcome issues but I cannot guarantee I can - [ ] Configure Dependabot for automatic updates - [ ] Configure tests - [ ] Consider use of setup UI instead of YAML (see https://github.com/christiaangoossens/hass-oidc-auth/discussions/6) +- [ ] Create a configurable bool for scope "groups" to activate/deactivate +- [ ] Make scope "groups" a configurable custom scope Currently waiting on HA feature additions: diff --git a/custom_components/auth_oidc/__init__.py b/custom_components/auth_oidc/__init__.py index a0534b5..998c619 100644 --- a/custom_components/auth_oidc/__init__.py +++ b/custom_components/auth_oidc/__init__.py 
@@ -20,6 +20,7 @@ from .config import (
     CLAIMS,
     ROLES,
     NETWORK,
+    FEATURES_INCLUDE_GROUPS_SCOPE,
 )
 
 # pylint: enable=useless-import-alias
@@ -53,7 +54,10 @@ async def async_setup(hass: HomeAssistant, config):
     _LOGGER.info("Registered OIDC provider")
 
     # We only use openid, profile & groups, never email
-    scope = "openid profile groups"
+    include_groups_scope = my_config[FEATURES].get(FEATURES_INCLUDE_GROUPS_SCOPE, True)
+    scope = "openid profile"
+    if include_groups_scope:
+        scope += " groups"
 
     oidc_client = oidc_client = OIDCClient(
         hass=hass,
diff --git a/custom_components/auth_oidc/config.py b/custom_components/auth_oidc/config.py
index be8baa6..507035e 100644
--- a/custom_components/auth_oidc/config.py
+++ b/custom_components/auth_oidc/config.py
@@ -11,6 +11,7 @@ FEATURES = "features"
 FEATURES_AUTOMATIC_USER_LINKING = "automatic_user_linking"
 FEATURES_AUTOMATIC_PERSON_CREATION = "automatic_person_creation"
 FEATURES_DISABLE_PKCE = "disable_rfc7636"
+FEATURES_INCLUDE_GROUPS_SCOPE = "include_groups_scope"
 CLAIMS = "claims"
 CLAIMS_DISPLAY_NAME = "display_name"
 CLAIMS_USERNAME = "username"
@@ -56,6 +57,10 @@ CONFIG_SCHEMA = vol.Schema(
                 # Feature flag to disable PKCE to support OIDC servers that do not
                 # allow additional parameters and don't support RFC 7636
                 vol.Optional(FEATURES_DISABLE_PKCE): vol.Coerce(bool),
+                # Make a bool which activates and deactivates scope 'groups'
+                vol.Optional(
+                    FEATURES_INCLUDE_GROUPS_SCOPE, default=True
+                ): vol.Coerce(bool),
             }
         ),
         # Determine which specific claims will be used from the id_token
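Review bot: The fallback in `my_config[FEATURES].get(FEATURES_INCLUDE_GROUPS_SCOPE, True)` duplicates the `default=True` that the config schema in this same commit already supplies, so the default now lives in two places that must be kept in sync; with the schema default in place the lookup can simply be `my_config[FEATURES][FEATURES_INCLUDE_GROUPS_SCOPE]`, or, if the `features` section itself is optional and not defaulted in the schema (not visible in this hunk), `my_config.get(FEATURES, {}).get(FEATURES_INCLUDE_GROUPS_SCOPE, True)` so a config without a `features:` block does not raise KeyError at setup. Omitting the `groups` scope normally means the provider will not put the `claims.groups` claim in the token, so any role assignment that keys off that claim silently degrades to the no-groups path; emitting `_LOGGER.warning("groups scope disabled; group-based role mapping will not receive group claims")` when the flag is false would make that trade-off visible to the operator. The comment above the change should be updated too, e.g. `# We only use openid and profile (plus groups unless disabled via features.include_groups_scope), never email`. async_setup's body starts and ends outside the hunk.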
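Review bot: `vol.Coerce(bool)` on the new `include_groups_scope` entry treats any non-empty string as true, so a quoted YAML value such as `include_groups_scope: "false"` is silently read as enabled; this matches the existing `disable_rfc7636` entry, but Home Assistant's `cv.boolean` (from `homeassistant.helpers.config_validation`, if this module imports it) rejects such values instead of coercing them and is the usual validator for feature flags. The comment `# Make a bool which activates and deactivates scope 'groups'` reads like a task note rather than a description of the key; something like `# Whether to request the 'groups' OIDC scope; disable for providers that reject unknown scopes` tells a reader when to turn it off. CONFIG_SCHEMA starts and ends outside the hunk.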