feat: add scope for pach_d integration in OIDC (#1172)

determined-ai · Feb 29, 2024 · 01f5364 · 01f5364
1 parent 05154bd
commit 01f5364
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 3 deletions.
diff --git a/master/internal/plugin/oidc/service.go b/master/internal/plugin/oidc/service.go
@@ -57,7 +57,7 @@ type IDTokenClaims struct {
 var errNotProvisioned = echo.NewHTTPError(http.StatusNotFound, "user has not been provisioned")
 
 // New initiates an OIDC Service.
-func New(db *db.PgDB, config config.OIDCConfig) (*Service, error) {
+func New(db *db.PgDB, config config.OIDCConfig, pachEnabled bool) (*Service, error) {
 	ctx := context.Background()
 
 	provider, err := oidc.NewProvider(ctx, config.IDPSSOURL)
@@ -80,6 +80,11 @@ func New(db *db.PgDB, config config.OIDCConfig) (*Service, error) {
 		return nil, fmt.Errorf("client secret has not been set")
 	}
 
+	scope := []string{oidc.ScopeOpenID, "profile", "email", "groups"}
+	if pachEnabled {
+		scope = append(scope, "audience:server:client_id:pachd")
+	}
+
 	return &Service{
 		config:   config,
 		db:       db,
@@ -89,7 +94,7 @@ func New(db *db.PgDB, config config.OIDCConfig) (*Service, error) {
 			ClientSecret: secret,
 			Endpoint:     provider.Endpoint(),
 			RedirectURL:  ru.String(),
-			Scopes:       []string{oidc.ScopeOpenID, "profile", "email", "groups"},
+			Scopes:       scope,
 		},
 	}, nil
 }

diff --git a/master/internal/plugin/sso/sso.go b/master/internal/plugin/sso/sso.go
@@ -132,7 +132,13 @@ func RegisterAPIHandlers(config *config.Config, db *db.PgDB, echo *echo.Echo) er
 
 	if config.OIDC.Enabled {
 		log.Info("OIDC is enabled")
-		oidcService, err := oidc.New(db, config.OIDC)
+		var pachEnabled bool
+		if config.Integrations.Pachyderm.Address != "" {
+			pachEnabled = true
+		} else {
+			pachEnabled = false
+		}
+		oidcService, err := oidc.New(db, config.OIDC, pachEnabled)
 		if err != nil {
 			return errors.Wrap(err, "error creating OIDC service")
 		}