Request groups scope for whynot OIDC role

This commit is contained in:
tegwick 2026-06-28 13:23:14 +02:00
parent adf865611c
commit 3527bc1cae
7 changed files with 74 additions and 5 deletions

View file

@ -58,6 +58,12 @@ openbao:
allowed_redirect_uris:
- https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback
- http://localhost:8250/oidc/callback
- http://127.0.0.1:8250/oidc/callback
oidc_scopes:
- openid
- profile
- email
- groups
user_claim: sub
groups_claim: groups
bound_claims:
@ -104,6 +110,14 @@ verification:
- OIDC role read showed the whynot-design bound claim, read policy, and callback URIs.
- Metadata read showed catalog-id whynot-design-npm-publish.
- Secret field presence check found NPM_AUTH_TOKEN without printing or recording the value.
- at: '2026-06-28T11:20:06+00:00'
actor: codex
kind: non_secret_oidc_role_correction
result: applied
details:
- Positive login reported missing groups claim because the role did not request the groups scope.
- Updated auth/netkingdom/role/whynot-design-workload-kv-read with oidc_scopes openid/profile/email/groups.
- Added the 127.0.0.1 local CLI callback URI alongside localhost and browser callbacks.
lifecycle:
deactivate: Disable ops-warden catalog entry and remove or detach auth role policy.
rotate: Replace NPM_AUTH_TOKEN value directly in OpenBao and record non-secret rotation