cameleer/cameleer-server
1
0
Fork 0
Code Issues 42 Pull Requests Actions Packages Projects Releases Wiki Activity

feat: hardcode Logto org scopes in auth flow, hide from admin UI
All checks were successful
CI / cleanup-branch (push) Has been skipped
Details
CI / build (push) Successful in 1m48s
Details
CI / docker (push) Successful in 1m24s
Details
CI / deploy-feature (push) Has been skipped
Details
CI / deploy (push) Successful in 39s
Details

Browse Source 
Always include urn:logto:scope:organizations and
urn:logto:scope:organization_roles in OIDC auth requests. These are
required for role mapping in multi-tenant setups and harmless for
non-Logto providers (unknown scopes ignored per OIDC spec).

Filter them from the OIDC admin config page so they don't confuse
standalone server admins or SaaS tenants.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
hsiegeln
2026-04-10 15:37:40 +02:00
parent 0d610be3dc
commit f0658cbd07
3 changed files with 12 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
ui/src/pages/Admin/OidcConfigPage.tsx
View File

@@ -23,6 +23,9 @@ interface OidcFormData {
additionalScopes: string[];
}
// Platform-managed scopes — always requested by the auth flow, hidden from the admin UI
const PLATFORM_SCOPES = new Set(['urn:logto:scope:organizations', 'urn:logto:scope:organization_roles']);
const EMPTY_CONFIG: OidcFormData = {
enabled: false,
autoSignup: true,
@@ -61,7 +64,7 @@ export default function OidcConfigPage() {
userIdClaim: data.userIdClaim ?? 'sub',
defaultRoles: data.defaultRoles ?? ['VIEWER'],
audience: (data as any).audience ?? '',
additionalScopes: (data as any).additionalScopes ?? [],
additionalScopes: ((data as any).additionalScopes ?? []).filter((s: string) => !PLATFORM_SCOPES.has(s)),
}))
.catch(() => setForm(EMPTY_CONFIG));
}, []);