feat: role claims for service user tokens (#5577)

tokens of service users can now contain role claims by requesting them through scopes
2025-08-12 03:57:32 +00:00 · 2023-04-03 14:26:51 +02:00
parent 4691298eb6
commit e688954308
6 changed files with 158 additions and 67 deletions
--- a/internal/api/oidc/client_converter.go
+++ b/internal/api/oidc/client_converter.go
@@ -112,10 +112,13 @@ func (c *Client) IsScopeAllowed(scope string) bool {
 	if strings.HasPrefix(scope, domain.SelectIDPScope) {
 		return true
 	}
-	if strings.HasPrefix(scope, ScopeUserMetaData) {
+	if scope == ScopeUserMetaData {
 		return true
 	}
-	if strings.HasPrefix(scope, ScopeResourceOwner) {
+	if scope == ScopeResourceOwner {
+		return true
+	}
+	if scope == ScopeProjectsRoles {
 		return true
 	}
 	for _, allowedScope := range c.allowedScopes {