b-283271112 Add "additionalScopes" under webSsoConfig for the "groups" (

GoogleCloudPlatform#8744)
nevzheng · Aug 25, 2023 · af7728a · af7728a
1 parent 7a5ccb4
commit af7728a
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 0 deletions.
diff --git a/mmv1/products/iamworkforcepool/WorkforcePoolProvider.yaml b/mmv1/products/iamworkforcepool/WorkforcePoolProvider.yaml
@@ -312,3 +312,10 @@ properties:
             values:
               - :MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS
               - :ONLY_ID_TOKEN_CLAIMS
+          - !ruby/object:Api::Type::Array
+            name: additionalScopes
+            description: |
+              Additional scopes to request for in the OIDC authentication request on top of scopes requested by default. By default, the `openid`, `profile` and `email` scopes that are supported by the identity provider are requested.
+              Each additional scope may be at most 256 characters. A maximum of 10 additional scopes may be configured.
+            required: false
+            item_type: Api::Type::String
diff --git a/mmv1/templates/terraform/examples/iam_workforce_pool_provider_oidc_full.tf.erb b/mmv1/templates/terraform/examples/iam_workforce_pool_provider_oidc_full.tf.erb
@@ -22,6 +22,7 @@ resource "google_iam_workforce_pool_provider" "<%= ctx[:primary_resource_id] %>"
     web_sso_config {
       response_type             = "CODE"
       assertion_claims_behavior = "MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS"
+      additional_scopes         = ["groups", "roles"]
     }
   }
   display_name        = "Display name"

diff --git a/...arty/terraform/services/iamworkforcepool/resource_iam_workforce_pool_provider_test.go.erb b/...arty/terraform/services/iamworkforcepool/resource_iam_workforce_pool_provider_test.go.erb
@@ -180,6 +180,7 @@ resource "google_iam_workforce_pool_provider" "my_provider" {
     web_sso_config {
       response_type             = "CODE"
       assertion_claims_behavior = "MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS"
+      additional_scopes         = ["groups", "roles"]
     }
   }
   display_name        = "Display name"
@@ -216,6 +217,7 @@ resource "google_iam_workforce_pool_provider" "my_provider" {
     web_sso_config {
       response_type             = "ID_TOKEN"
       assertion_claims_behavior = "ONLY_ID_TOKEN_CLAIMS"
+      additional_scopes         = ["new-groups"]
     }
   }
   display_name        = "New Display name"
@@ -247,6 +249,7 @@ resource "google_iam_workforce_pool_provider" "my_provider" {
     web_sso_config {
       response_type             = "ID_TOKEN"
       assertion_claims_behavior = "ONLY_ID_TOKEN_CLAIMS"
+      additional_scopes         = ["new-groups"]
     }
   }
   display_name        = "New Display name"