fix: add OIDC_SCOPE env var and document it across all config files

Fixes #306 — OIDC scopes were hardcoded to 'openid email profile', causing OIDC_ADMIN_CLAIM-based role mapping to fail when the required scope (e.g. 'groups') wasn't requested. The new OIDC_SCOPE variable defaults to 'openid email profile groups' so group-based admin mapping works out of the box. Variable is now documented in README, docker-compose, .env.example, and the Helm chart values.
2026-04-02 07:46:27 +02:00
parent b1cca15f6f
commit 32b63adc68
5 changed files with 11 additions and 1 deletions
--- a/server/src/routes/oidc.ts
+++ b/server/src/routes/oidc.ts
@@ -138,7 +138,7 @@ router.get('/login', async (req: Request, res: Response) => {
      response_type: 'code',
      client_id: config.clientId,
      redirect_uri: redirectUri,
-      scope: 'openid email profile',
+      scope: process.env.OIDC_SCOPE || 'openid email profile groups',
      state,
    });