From 01f5364fd8791376e17961a0449ed51fd7da6c9c Mon Sep 17 00:00:00 2001
From: Saloni Gupta <131198887+salonig23@users.noreply.github.com>
Date: Mon, 29 Jan 2024 18:05:02 -0800
Subject: [PATCH] feat: add scope for pach_d integration in OIDC (#1172)

---
 master/internal/plugin/oidc/service.go | 9 +++++++--
 master/internal/plugin/sso/sso.go      | 8 +++++++-
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/master/internal/plugin/oidc/service.go b/master/internal/plugin/oidc/service.go
index 39a50280d2b7..3239a5565fa2 100644
--- a/master/internal/plugin/oidc/service.go
+++ b/master/internal/plugin/oidc/service.go
@@ -57,7 +57,7 @@ type IDTokenClaims struct {
 var errNotProvisioned = echo.NewHTTPError(http.StatusNotFound, "user has not been provisioned")
 
 // New initiates an OIDC Service.
-func New(db *db.PgDB, config config.OIDCConfig) (*Service, error) {
+func New(db *db.PgDB, config config.OIDCConfig, pachEnabled bool) (*Service, error) {
 	ctx := context.Background()
 
 	provider, err := oidc.NewProvider(ctx, config.IDPSSOURL)
@@ -80,6 +80,11 @@ func New(db *db.PgDB, config config.OIDCConfig) (*Service, error) {
 		return nil, fmt.Errorf("client secret has not been set")
 	}
 
+	scope := []string{oidc.ScopeOpenID, "profile", "email", "groups"}
+	if pachEnabled {
+		scope = append(scope, "audience:server:client_id:pachd")
+	}
+
 	return &Service{
 		config: config,
 		db:     db,
@@ -89,7 +94,7 @@ func New(db *db.PgDB, config config.OIDCConfig) (*Service, error) {
 			ClientSecret: secret,
 			Endpoint:     provider.Endpoint(),
 			RedirectURL:  ru.String(),
-			Scopes:       []string{oidc.ScopeOpenID, "profile", "email", "groups"},
+			Scopes:       scope,
 		},
 	}, nil
 }
diff --git a/master/internal/plugin/sso/sso.go b/master/internal/plugin/sso/sso.go
index b9b417270e99..f6c8c41edbe2 100644
--- a/master/internal/plugin/sso/sso.go
+++ b/master/internal/plugin/sso/sso.go
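Review bot: The doc comment `// New initiates an OIDC Service.` directly above the changed signature says nothing about the new pachEnabled parameter, so a caller has to read the body to learn what the flag changes. Suggest extending it to `// New initiates an OIDC Service. When pachEnabled is true, the Dex cross-client scope for pachd is added to the scopes requested from the IdP.` The body of New continues outside this hunk.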
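Review bot: The literal `"audience:server:client_id:pachd"` appended under `if pachEnabled` hard-codes both the pachd client ID and Dex's cross-client scope syntax, with nothing at the definition saying so. Requesting that scope is meant to make the issuer put pachd into the ID token's `aud` claim alongside this service's own client ID, and an issuer that does not implement the scope may reject the authorization request with invalid_scope rather than ignore it, which is worth stating next to the value. Suggest a package-level constant with a comment along the lines of `// pachdAudienceScope is Dex's cross-client scope; it asks the IdP to add pachd to the ID token's aud claim so the token can also be presented to Pachyderm.` followed by `const pachdAudienceScope = "audience:server:client_id:pachd"`, and `scope = append(scope, pachdAudienceScope)` here. New starts in the previous hunk and ends outside this one.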
@@ -132,7 +132,13 @@ func RegisterAPIHandlers(config *config.Config, db *db.PgDB, echo *echo.Echo) er
 
 	if config.OIDC.Enabled {
 		log.Info("OIDC is enabled")
-		oidcService, err := oidc.New(db, config.OIDC)
+		var pachEnabled bool
+		if config.Integrations.Pachyderm.Address != "" {
+			pachEnabled = true
+		} else {
+			pachEnabled = false
+		}
+		oidcService, err := oidc.New(db, config.OIDC, pachEnabled)
 		if err != nil {
 			return errors.Wrap(err, "error creating OIDC service")
 		}
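Review bot: The `var pachEnabled bool` / `if … { pachEnabled = true } else { pachEnabled = false }` block added before the oidc.New call assigns a boolean that is already the value of the comparison, and the else branch only restates the zero value. It reads more directly as `pachEnabled := config.Integrations.Pachyderm.Address != ""` followed by the unchanged `oidcService, err := oidc.New(db, config.OIDC, pachEnabled)`, which keeps the intent (a configured Pachyderm address switches the extra scope on) visible on one line. RegisterAPIHandlers starts and ends outside this hunk.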