feat: patch oauth2-proxy to support scopes as groups

pkgs/default.nix

@@ -1,3 +1,4 @@
 [
   (import ./caddy.nix)
+  (import ./oauth2-proxy)
 ]

pkgs/oauth2-proxy/0001-scopes-as-groups.patch

@@ -0,0 +1,44 @@
+diff --git a/providers/oidc.go b/providers/oidc.go
+index aadaf7c5..18b03a3e 100644
+--- a/providers/oidc.go
++++ b/providers/oidc.go
+@@ -10,6 +10,7 @@ import (
+ 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
+ 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
+ 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger"
++	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests"
+ 	"golang.org/x/oauth2"
+ )
+ 
+@@ -80,6 +81,31 @@ func (p *OIDCProvider) Redeem(ctx context.Context, redirectURL, code, codeVerifi
+ // EnrichSession is called after Redeem to allow providers to enrich session fields
+ // such as User, Email, Groups with provider specific API calls.
+ func (p *OIDCProvider) EnrichSession(ctx context.Context, s *sessions.SessionState) error {
++	// Fallback to ValidateURL if ProfileURL not set for legacy compatibility
++	profileURL := p.ValidateURL.String()
++	if p.ProfileURL.String() != "" {
++		profileURL = p.ProfileURL.String()
++	}
++
++	json, err := requests.New(profileURL).
++		WithContext(ctx).
++		SetHeader("Authorization", "Bearer "+s.AccessToken).
++		Do().
++		UnmarshalSimpleJSON()
++	if err != nil {
++		logger.Errorf("failed making request %v", err)
++		return err
++	}
++
++	groups, err := json.Get("scopes").StringArray()
++	if err == nil {
++		for _, group := range groups {
++			if group != "" {
++				s.Groups = append(s.Groups, group)
++			}
++		}
++	}
++
+ 	// If a mandatory email wasn't set, error at this point.
+ 	if s.Email == "" {
+ 		return errors.New("neither the id_token nor the profileURL set an email")

pkgs/oauth2-proxy/default.nix

@@ -0,0 +1,5 @@
+final: prev: {
+  oauth2-proxy = prev.oauth2-proxy.overrideAttrs (_: {
+    patches = [./0001-scopes-as-groups.patch];
+  });
+}