From b4d5d7f2bff593fb8b5508d69c1852d5b4737b52 Mon Sep 17 00:00:00 2001
From: Seth
Date: Wed, 9 Jul 2025 02:55:37 -0500
Subject: [PATCH] Add Additional Scopes to Maximize Functionality from Custom idP (#80)
* add additional scopes to config schema Keep original groups setting for backwards compatibility.
* fix weird text issue
* Add support for additional scopes in OIDC setup
* fix compile error
* Update documentation to include description of additional oidc scopes
* clarify documentation
---
custom_components/auth_oidc/__init__.py | 8 ++++++++
custom_components/auth_oidc/config.py | 4 ++++
docs/configuration.md | 1 +
3 files changed, 13 insertions(+)
diff --git a/custom_components/auth_oidc/__init__.py b/custom_components/auth_oidc/__init__.py
index 4d0ab86..2a604d8 100644
--- a/custom_components/auth_oidc/__init__.py
+++ b/custom_components/auth_oidc/__init__.py
@@ -17,6 +17,7 @@ from .config import (
 DISPLAY_NAME,
 ID_TOKEN_SIGNING_ALGORITHM,
 GROUPS_SCOPE,
+ ADDITIONAL_SCOPES,
 FEATURES,
 CLAIMS,
 ROLES,
@@ -66,6 +67,13 @@ async def async_setup(hass: HomeAssistant, config):
 groups_scope = my_config.get(GROUPS_SCOPE, "groups")
 if include_groups_scope:
 scope += " " + groups_scope
+ # Add additional scopes if configured
+ additional_scopes = my_config.get(ADDITIONAL_SCOPES, [])
+ if additional_scopes:
+ # Ensure we have a space before adding additional scopes
+ if scope:
+ scope += " "
+ scope += " ".join(additional_scopes)
 
 # Create the OIDC client
 oidc_client = oidc_client = OIDCClient(
diff --git a/custom_components/auth_oidc/config.py b/custom_components/auth_oidc/config.py
index 4959b45..9ab9755 100644
--- a/custom_components/auth_oidc/config.py
+++ b/custom_components/auth_oidc/config.py
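Review bot: The new `scope += " ".join(additional_scopes)` passes the configured entries through untouched, so a single list item containing whitespace (e.g. `email offline_access`) silently becomes two scopes, an entry that repeats the automatic `openid`/`profile` or the configured `groups_scope` is requested twice, and a non-string entry (a YAML integer) raises TypeError here and aborts setup of the whole integration. Since `scope` is a space-separated string at this point (it is built with `scope += " " + groups_scope` just above), the whole block can normalize and deduplicate in two lines, `extra = [str(s).strip() for s in additional_scopes if str(s).strip()]` followed by `scope = " ".join(dict.fromkeys(scope.split() + extra))`, which also removes the need for the `if scope:` space-padding guard. The enclosing `async_setup` starts before this hunk and continues after it, so how `scope` is initialised and consumed is not visible here.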
@@ -8,6 +8,7 @@ DISCOVERY_URL = "discovery_url"
 DISPLAY_NAME = "display_name"
 ID_TOKEN_SIGNING_ALGORITHM = "id_token_signing_alg"
 GROUPS_SCOPE = "groups_scope"
+ADDITIONAL_SCOPES = "additional_scopes"
 FEATURES = "features"
 FEATURES_AUTOMATIC_USER_LINKING = "automatic_user_linking"
 FEATURES_AUTOMATIC_PERSON_CREATION = "automatic_person_creation"
@@ -46,6 +47,9 @@ CONFIG_SCHEMA = vol.Schema(
 # String value to allow changing the groups scope
 # Defaults to 'groups' which is used by Authelia and Authentik
 vol.Optional(GROUPS_SCOPE, default="groups"): vol.Coerce(str),
+ # Additional scopes to request from the OIDC provider
+ # Optional, this field is unnecessary if you only use the openid and profile scopes.
+ vol.Optional(ADDITIONAL_SCOPES, default=[]): vol.Coerce(list[str]),
 # Which features should be enabled/disabled?
 # Optional, defaults to sane/secure defaults
 vol.Optional(FEATURES): vol.Schema(
diff --git a/docs/configuration.md b/docs/configuration.md
index 42ffb70..4c2e4be 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
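Review bot: `vol.Coerce(list[str])` on the new `ADDITIONAL_SCOPES` line validates nothing about the elements — `list[str](value)` is just `list(value)` — so the most likely misconfiguration, a bare YAML string `additional_scopes: email`, is accepted and turned into `['e', 'm', 'a', 'i', 'l']`, and a list of non-strings passes the schema unchanged and only fails later when it is joined into the scope string in `async_setup`. A per-item schema rejects the bare string with a clear config error and coerces each entry: `vol.Optional(ADDITIONAL_SCOPES, default=[]): [vol.Coerce(str)]`; if this file already imports `homeassistant.helpers.config_validation as cv` (not visible in the hunk), `vol.All(cv.ensure_list, [cv.string])` is the Home Assistant convention and additionally accepts the bare-string form. The comment above it could state the contract instead of just restating the key name, e.g. `# Extra scope names; each is appended verbatim to the space-separated scope string built in async_setup`. `CONFIG_SCHEMA` opens before this hunk and closes after it, so only these three entries are reviewed here.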
@@ -127,6 +127,7 @@ Here's a table of all options that you can set: | `display_name` | `string` | No | `"OpenID Connect (SSO)"` | The name to display on the login screen, both for the Home Assistant screen and the OIDC welcome screen. | | `id_token_signing_alg` | `string` | No | `RS256` | The signing algorithm that is used for your id_tokens. | `groups_scope` | `string` | No | `groups` | Override the default grups scope with another scope of your choice. | +| `additional_scopes`|`list of strings`| No | `empty list` | Add additional scopes to request for custom identity provider configurations in addition to the automatic `openid` and `profile` scopes and the `groups_scope` configuration option | | `features.automatic_user_linking` | `boolean`| No | `false` | Automatically links users to existing Home Assistant users based on the OIDC username claim. Disabled by default for security. When disabled, OIDC users will get their own new user profile upon first login. | | `features.automatic_person_creation` | `boolean` | No | `true` | Automatically creates a person entry for new user profiles created by this integration. Recommended if you would like to assign presence detection to OIDC users. | | `features.disable_rfc7636` | `boolean`| No | `false` | Disables PKCE (RFC 7636) for OIDC providers that don't support it. You should not need this with most providers. |