Request groups scope for whynot OIDC role
This commit is contained in:
parent
adf865611c
commit
3527bc1cae
7 changed files with 74 additions and 5 deletions
|
|
@ -58,6 +58,12 @@ openbao:
|
|||
allowed_redirect_uris:
|
||||
- https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback
|
||||
- http://localhost:8250/oidc/callback
|
||||
- http://127.0.0.1:8250/oidc/callback
|
||||
oidc_scopes:
|
||||
- openid
|
||||
- profile
|
||||
- email
|
||||
- groups
|
||||
user_claim: sub
|
||||
groups_claim: groups
|
||||
bound_claims:
|
||||
|
|
@ -104,6 +110,14 @@ verification:
|
|||
- OIDC role read showed the whynot-design bound claim, read policy, and callback URIs.
|
||||
- Metadata read showed catalog-id whynot-design-npm-publish.
|
||||
- Secret field presence check found NPM_AUTH_TOKEN without printing or recording the value.
|
||||
- at: '2026-06-28T11:20:06+00:00'
|
||||
actor: codex
|
||||
kind: non_secret_oidc_role_correction
|
||||
result: applied
|
||||
details:
|
||||
- Positive login reported missing groups claim because the role did not request the groups scope.
|
||||
- Updated auth/netkingdom/role/whynot-design-workload-kv-read with oidc_scopes openid/profile/email/groups.
|
||||
- Added the 127.0.0.1 local CLI callback URI alongside localhost and browser callbacks.
|
||||
lifecycle:
|
||||
deactivate: Disable ops-warden catalog entry and remove or detach auth role policy.
|
||||
rotate: Replace NPM_AUTH_TOKEN value directly in OpenBao and record non-secret rotation
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue