cameleer/cameleer-server
1
0
Fork 0
Code Issues 42 Pull Requests Actions Packages Projects Releases Wiki Activity

feat: hardcode Logto org scopes in auth flow, hide from admin UI
All checks were successful
CI / cleanup-branch (push) Has been skipped
Details
CI / build (push) Successful in 1m48s
Details
CI / docker (push) Successful in 1m24s
Details
CI / deploy-feature (push) Has been skipped
Details
CI / deploy (push) Successful in 39s
Details

Browse Source 
Always include urn:logto:scope:organizations and
urn:logto:scope:organization_roles in OIDC auth requests. These are
required for role mapping in multi-tenant setups and harmless for
non-Logto providers (unknown scopes ignored per OIDC spec).

Filter them from the OIDC admin config page so they don't confuse
standalone server admins or SaaS tenants.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
hsiegeln
2026-04-10 15:37:40 +02:00
parent 0d610be3dc
commit f0658cbd07
3 changed files with 12 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
ui/src/auth/LoginPage.tsx
View File

@@ -14,6 +14,10 @@ interface OidcInfo {
additionalScopes?: string[];
}
// Logto org scopes required for role mapping in multi-tenant setups.
// Always requested, harmless for non-Logto providers (unknown scopes are ignored per OIDC spec).
const PLATFORM_SCOPES = ['urn:logto:scope:organizations', 'urn:logto:scope:organization_roles'];
const SUBTITLES = [
"Prove you're not a mirage",
"Only authorized cameleers beyond this dune",
@@ -76,7 +80,7 @@ export function LoginPage() {
if (oidc && !forceLocal && !autoRedirected.current) {
autoRedirected.current = true;
const redirectUri = `${window.location.origin}${config.basePath}oidc/callback`;
const scopes = ['openid', 'email', 'profile', ...(oidc.additionalScopes || [])];
const scopes = ['openid', 'email', 'profile', ...PLATFORM_SCOPES, ...(oidc.additionalScopes || [])];
const params = new URLSearchParams({
response_type: 'code',
client_id: oidc.clientId,
@@ -100,7 +104,7 @@ export function LoginPage() {
if (!oidc) return;
setOidcLoading(true);
const redirectUri = `${window.location.origin}${config.basePath}oidc/callback`;
const scopes = ['openid', 'email', 'profile', ...(oidc.additionalScopes || [])];
const scopes = ['openid', 'email', 'profile', ...PLATFORM_SCOPES, ...(oidc.additionalScopes || [])];
const params = new URLSearchParams({
response_type: 'code',
client_id: oidc.clientId,

3
ui/src/auth/OidcCallback.tsx
View File

@@ -31,7 +31,8 @@ export function OidcCallback() {
api.GET('/auth/oidc/config').then(({ data }) => {
if (data?.authorizationEndpoint && data?.clientId) {
const redirectUri = `${window.location.origin}${config.basePath}oidc/callback`;
const scopes = ['openid', 'email', 'profile', ...(data.additionalScopes || [])];
const PLATFORM_SCOPES = ['urn:logto:scope:organizations', 'urn:logto:scope:organization_roles'];
const scopes = ['openid', 'email', 'profile', ...PLATFORM_SCOPES, ...(data.additionalScopes || [])];
const p = new URLSearchParams({
response_type: 'code',
client_id: data.clientId,