[management] Check config compatibility (#5087)

* Enforce HttpConfig overwrite when embeddedIdp is enabled * Disable offline_access scope in dashboard by default * Add group propagation foundation to embedded idp * Require groups scope in dex config for okt and pocket * remove offline_access from device default scopes
2026-04-16 07:16:38 +00:00 · 2026-01-12 17:09:03 +01:00
parent b12c084a50
commit 37abab8b69
4 changed files with 33 additions and 47 deletions
--- a/idp/dex/provider.go
+++ b/idp/dex/provider.go
@@ -792,11 +792,12 @@ func (p *Provider) resolveRedirectURI(redirectURI string) string {
 // buildOIDCConnectorConfig creates config for OIDC-based connectors
 func buildOIDCConnectorConfig(cfg *ConnectorConfig, redirectURI string) ([]byte, error) {
 	oidcConfig := map[string]interface{}{
-		"issuer":       cfg.Issuer,
-		"clientID":     cfg.ClientID,
-		"clientSecret": cfg.ClientSecret,
-		"redirectURI":  redirectURI,
-		"scopes":       []string{"openid", "profile", "email"},
+		"issuer":               cfg.Issuer,
+		"clientID":             cfg.ClientID,
+		"clientSecret":         cfg.ClientSecret,
+		"redirectURI":          redirectURI,
+		"scopes":               []string{"openid", "profile", "email"},
+		"insecureEnableGroups": true,
 	}
 	switch cfg.Type {
 	case "zitadel":
@@ -806,6 +807,9 @@ func buildOIDCConnectorConfig(cfg *ConnectorConfig, redirectURI string) ([]byte,
 		oidcConfig["claimMapping"] = map[string]string{"email": "preferred_username"}
 	case "okta":
 		oidcConfig["insecureSkipEmailVerified"] = true
+		oidcConfig["scopes"] = []string{"openid", "profile", "email", "groups"}
+	case "pocketid":
+		oidcConfig["scopes"] = []string{"openid", "profile", "email", "groups"}
 	}
 	return encodeConnectorConfig(oidcConfig)
 }