Add Additional Scopes to Maximize Functionality from Custom idP (#80)

* add additional scopes to config schema

Keep original groups setting for backwards compatibility.

* fix weird text issue

* Add support for additional scopes in OIDC setup

* fix compile error

* Update documentation to include description of additional oidc scopes

* clarify documentation
Seth
2025-07-09 02:55:37 -05:00
committed by GitHub
parent cb4d72a148
commit b4d5d7f2bf
3 changed files with 13 additions and 0 deletions


@@ -17,6 +17,7 @@ from .config import (
DISPLAY_NAME, DISPLAY_NAME,
ID_TOKEN_SIGNING_ALGORITHM, ID_TOKEN_SIGNING_ALGORITHM,
GROUPS_SCOPE, GROUPS_SCOPE,
ADDITIONAL_SCOPES,
FEATURES, FEATURES,
CLAIMS, CLAIMS,
ROLES, ROLES,
@@ -66,6 +67,13 @@ async def async_setup(hass: HomeAssistant, config):
groups_scope = my_config.get(GROUPS_SCOPE, "groups") groups_scope = my_config.get(GROUPS_SCOPE, "groups")
if include_groups_scope: if include_groups_scope:
scope += " " + groups_scope scope += " " + groups_scope
# Add additional scopes if configured
additional_scopes = my_config.get(ADDITIONAL_SCOPES, [])
if additional_scopes:
# Ensure we have a space before adding additional scopes
if scope:
scope += " "
scope += " ".join(additional_scopes)
# Create the OIDC client # Create the OIDC client
oidc_client = oidc_client = OIDCClient( oidc_client = oidc_client = OIDCClient(
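Review bot: The added join appends the configured entries to `scope` without normalizing them, so an entry that is already requested (`openid`, `profile`, or the `groups_scope` value appended just above) is sent to the provider twice, and an entry with surrounding or embedded whitespace either leaks a double space or is read by the provider as several scopes. Normalizing before the join removes both cases and also makes the `if scope:` guard unnecessary: `requested = set(scope.split())`, `extra = [s for s in map(str.strip, additional_scopes) if s and s not in requested]`, `scope = " ".join([*scope.split(), *extra])`. Note that `" ".join` raises `TypeError` on any non-string entry, so the value relies on the config schema actually producing `list[str]`. `async_setup` continues outside this hunk, so I could not confirm where `scope` is first initialised.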


@@ -8,6 +8,7 @@ DISCOVERY_URL = "discovery_url"
DISPLAY_NAME = "display_name" DISPLAY_NAME = "display_name"
ID_TOKEN_SIGNING_ALGORITHM = "id_token_signing_alg" ID_TOKEN_SIGNING_ALGORITHM = "id_token_signing_alg"
GROUPS_SCOPE = "groups_scope" GROUPS_SCOPE = "groups_scope"
ADDITIONAL_SCOPES = "additional_scopes"
FEATURES = "features" FEATURES = "features"
FEATURES_AUTOMATIC_USER_LINKING = "automatic_user_linking" FEATURES_AUTOMATIC_USER_LINKING = "automatic_user_linking"
FEATURES_AUTOMATIC_PERSON_CREATION = "automatic_person_creation" FEATURES_AUTOMATIC_PERSON_CREATION = "automatic_person_creation"
@@ -46,6 +47,9 @@ CONFIG_SCHEMA = vol.Schema(
# String value to allow changing the groups scope # String value to allow changing the groups scope
# Defaults to 'groups' which is used by Authelia and Authentik # Defaults to 'groups' which is used by Authelia and Authentik
vol.Optional(GROUPS_SCOPE, default="groups"): vol.Coerce(str), vol.Optional(GROUPS_SCOPE, default="groups"): vol.Coerce(str),
# Additional scopes to request from the OIDC provider
# Optional, this field is unnecessary if you only use the openid and profile scopes.
vol.Optional(ADDITIONAL_SCOPES, default=[]): vol.Coerce(list[str]),
# Which features should be enabled/disabled? # Which features should be enabled/disabled?
# Optional, defaults to sane/secure defaults # Optional, defaults to sane/secure defaults
vol.Optional(FEATURES): vol.Schema( vol.Optional(FEATURES): vol.Schema(
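Review bot: `vol.Coerce(list[str])` on the new `ADDITIONAL_SCOPES` line does not validate element types, and because `list[str]` is callable exactly like `list`, a scalar such as `additional_scopes: email` is silently coerced into `['e', 'm', 'a', 'i', 'l']` instead of being rejected, which then becomes a scope string of single letters in `async_setup`. A list schema does what the comment promises and rejects the scalar with a validation error: `vol.Optional(ADDITIONAL_SCOPES, default=[]): [vol.Coerce(str)],`. Since every extra scope widens what the provider is asked to release to this integration, the comment above the option could also say `# Request only the scopes your configured claims actually need.`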


@@ -127,6 +127,7 @@ Here's a table of all options that you can set:
| `display_name` | `string` | No | `"OpenID Connect (SSO)"` | The name to display on the login screen, both for the Home Assistant screen and the OIDC welcome screen. | | `display_name` | `string` | No | `"OpenID Connect (SSO)"` | The name to display on the login screen, both for the Home Assistant screen and the OIDC welcome screen. |
| `id_token_signing_alg` | `string` | No | `RS256` | The signing algorithm that is used for your id_tokens. | `id_token_signing_alg` | `string` | No | `RS256` | The signing algorithm that is used for your id_tokens.
| `groups_scope` | `string` | No | `groups` | Override the default grups scope with another scope of your choice. | | `groups_scope` | `string` | No | `groups` | Override the default grups scope with another scope of your choice. |
| `additional_scopes`|`list of strings`| No | `empty list` | Add additional scopes to request for custom identity provider configurations in addition to the automatic `openid` and `profile` scopes and the `groups_scope` configuration option |
| `features.automatic_user_linking` | `boolean`| No | `false` | Automatically links users to existing Home Assistant users based on the OIDC username claim. Disabled by default for security. When disabled, OIDC users will get their own new user profile upon first login. | | `features.automatic_user_linking` | `boolean`| No | `false` | Automatically links users to existing Home Assistant users based on the OIDC username claim. Disabled by default for security. When disabled, OIDC users will get their own new user profile upon first login. |
| `features.automatic_person_creation` | `boolean` | No | `true` | Automatically creates a person entry for new user profiles created by this integration. Recommended if you would like to assign presence detection to OIDC users. | | `features.automatic_person_creation` | `boolean` | No | `true` | Automatically creates a person entry for new user profiles created by this integration. Recommended if you would like to assign presence detection to OIDC users. |
| `features.disable_rfc7636` | `boolean`| No | `false` | Disables PKCE (RFC 7636) for OIDC providers that don't support it. You should not need this with most providers. | | `features.disable_rfc7636` | `boolean`| No | `false` | Disables PKCE (RFC 7636) for OIDC providers that don't support it. You should not need this with most providers. |