feat: patch oauth2-proxy to support scopes as groups

2025-10-11 07:10:39 +02:00 · 2023-06-23 15:20:58 +02:00 · 2023-06-23 15:20:58 +02:00 · eb9ee0bf0d
commit eb9ee0bf0d
parent 1a0378ee5c
7 changed files with 65 additions and 16 deletions
--- a/modules/oauth2-proxy.nix
+++ b/modules/oauth2-proxy.nix
@ -99,12 +99,14 @@ in {

      cookie.domain = ".${cfg.cookieDomain}";
      cookie.secure = true;
-      cookie.httpOnly = false;
-      cookie.refresh = "5m";
+      # FIXME disabled because of errors. My closest guess is that this
+      # reuses refresh tokens but kanidm forbids that. Not sure though.
+      #cookie.refresh = "5m";
      cookie.expire = "30m";

      reverseProxy = true;
      httpAddress = "unix:///run/oauth2_proxy/oauth2_proxy.sock";
+      redirectURL = "https://${cfg.portalDomain}/oauth2/callback";
      setXauthrequest = true;

      extraConfig = {
@ -112,12 +114,10 @@ in {
        code-challenge-method = "S256";
        # Share the cookie with all subpages
        whitelist-domain = ".${cfg.cookieDomain}";
-        redirect-url = "https://${cfg.portalDomain}/oauth2/callback";
        set-authorization-header = true;
        pass-access-token = true;
        skip-jwt-bearer-tokens = true;
        upstream = "static://202";
-        # TODO allowed group?
      };
    };