Add groups scope option & fixup features.include_groups_scope (#42)

2025-02-15 13:25:04 +01:00
parent 29a2545396
commit d565380435
3 changed files with 19 additions and 5 deletions
--- a/custom_components/auth_oidc/init.py
+++ b/custom_components/auth_oidc/init.py
@@ -16,6 +16,7 @@ from .config import (
    DISCOVERY_URL,
    DISPLAY_NAME,
    ID_TOKEN_SIGNING_ALGORITHM,
+    GROUPS_SCOPE,
    FEATURES,
    CLAIMS,
    ROLES,
@@ -53,12 +54,20 @@ async def async_setup(hass: HomeAssistant, config):

    _LOGGER.info("Registered OIDC provider")

-    # We only use openid, profile & groups, never email
-    include_groups_scope = my_config[FEATURES].get(FEATURES_INCLUDE_GROUPS_SCOPE, True)
+    # Set the correct scopes
+    # Always use 'openid' & 'profile' as they are specified in the OIDC spec
+    # All servers should support this
    scope = "openid profile"
-    if include_groups_scope:
-        scope += " groups"

+    # Include groups if requested (default is to include 'groups'
+    # as a scope for Authelia & Authentik)
+    features_config = my_config.get(FEATURES, {})
+    include_groups_scope = features_config.get(FEATURES_INCLUDE_GROUPS_SCOPE, True)
+    groups_scope = my_config.get(GROUPS_SCOPE, "groups")
+    if include_groups_scope:
+        scope += " " + groups_scope
+
+    # Create the OIDC client
    oidc_client = oidc_client = OIDCClient(
        hass=hass,
        discovery_url=my_config.get(DISCOVERY_URL),
--- a/custom_components/auth_oidc/config.py
+++ b/custom_components/auth_oidc/config.py
@@ -7,6 +7,7 @@ CLIENT_SECRET = "client_secret"
 DISCOVERY_URL = "discovery_url"
 DISPLAY_NAME = "display_name"
 ID_TOKEN_SIGNING_ALGORITHM = "id_token_signing_alg"
+GROUPS_SCOPE = "groups_scope"
 FEATURES = "features"
 FEATURES_AUTOMATIC_USER_LINKING = "automatic_user_linking"
 FEATURES_AUTOMATIC_PERSON_CREATION = "automatic_person_creation"
@@ -42,6 +43,9 @@ CONFIG_SCHEMA = vol.Schema(
                # Should we enforce a specific signing algorithm on the id tokens?
                # Defaults to RS256/RSA-pubkey
                vol.Optional(ID_TOKEN_SIGNING_ALGORITHM): vol.Coerce(str),
+                # String value to allow changing the groups scope
+                # Defaults to 'groups' which is used by Authelia and Authentik
+                vol.Optional(GROUPS_SCOPE, default="groups"): vol.Coerce(str),
                # Which features should be enabled/disabled?
                # Optional, defaults to sane/secure defaults
                vol.Optional(FEATURES): vol.Schema(
@@ -57,7 +61,7 @@ CONFIG_SCHEMA = vol.Schema(
                        # Feature flag to disable PKCE to support OIDC servers that do not
                        # allow additional parameters and don't support RFC 7636
                        vol.Optional(FEATURES_DISABLE_PKCE): vol.Coerce(bool),
-                        # Make a bool which activates and deactivates scope 'groups'
+                        # Boolean which activates and deactivates scope 'groups'
                        vol.Optional(
                            FEATURES_INCLUDE_GROUPS_SCOPE, default=True
                        ): vol.Coerce(bool),