feat(oauth): add oidc groups scope

aarushtools · aarushtools · commit 99123cf42b43 · 2025-10-07T17:54:43.000-04:00
diff --git a/intranet/apps/oauth/validators.py b/intranet/apps/oauth/validators.py
@@ -2,6 +2,9 @@
 
 
 class IonOIDCValidator(OAuth2Validator):
+    oidc_claim_scope = OAuth2Validator.oidc_claim_scope.copy()
+    oidc_claim_scope.update({"groups": "groups"})  # manually add it since groups is not part of the standard OIDC spec
+
     def get_additional_claims(self, request):
         claims = {}
         user = request.user
@@ -24,4 +27,11 @@ def get_additional_claims(self, request):
                 }
             )
 
+        if "groups" in request.scopes:
+            claims.update(
+                {
+                    "groups": list(user.groups.values_list("name", flat=True)),
+                }
+            )
+
         return claims
diff --git a/intranet/settings/__init__.py b/intranet/settings/__init__.py
@@ -648,6 +648,9 @@ def get_oidc_private_key():
         "email": (
             "Access your notification email using OpenID Connect. This is either your personal email or, if unset, your @tjhsst.edu email address."
         ),
+        "groups": (
+            "Access groups you are in using OpenID Connect, such as your grade level."
+        )
     },
     # OAuth refresh tokens expire in 30 days
     "REFRESH_TOKEN_EXPIRE_SECONDS": 60 * 60 * 24 * 30,
