
OIDC Scopes Configuration Feature #162

Closed
wants to merge 2 commits into from

Conversation

mohgho

@mohgho mohgho commented Jan 15, 2025

Description

This PR introduces two new configurable options for OIDC authentication in WireGuard Wag:

  1. Configurable OIDC Scopes

    • Previously, the openid scope was hardcoded in the OIDC requests.
    • With this PR, the scopes are now configurable both via the configuration file and the dashboard.
    • The default value remains openid, ensuring backward compatibility.
    • Reason: Some external identity providers (IdPs) such as Dex, GitHub, etc., require additional scopes to be explicitly present in the authentication request for successful authorization. Hardcoding the openid scope limits flexibility and can cause issues when integrating with such IdPs. Making scopes configurable allows users to adapt the OIDC integration based on their specific IdP’s requirements.
  2. Configurable OIDC Device Username Claim

    • This PR also adds support for configuring the username claim used in the OIDC Device Flow.
    • Users can now specify the desired username claim through the configuration file or the dashboard (e.g., preferred_username, email, etc.).
    • This makes it easier to customize how usernames are mapped from the OIDC token, accommodating different IdPs’ naming conventions.

Changes Made

  • Added Authenticators.OIDC.Scopes to the configuration file and dashboard.
  • Added Authenticators.OIDC.DeviceUsernameClaim to the configuration file.
  • Updated OIDC authentication logic to use the configured scopes.
  • Ensured backward compatibility by setting default values (openid for scopes and username for username claim).

How to Configure

Example Configuration File (config.json) Changes:

...
    "Authenticators": {
       . . .
        ],
        "OIDC": {
            "IssuerURL": "http://localhost:8080/",
            "ClientSecret": "AN EXAMPLE KEY",
            "ClientID": "account",
            "GroupsClaimName": "groups",
            "DeviceUsernameClaim": "preferred_username",
            "Scopes": ["openid", "profile", "email"]
...

Dashboard Changes:

In the Settings Login section of the Wag dashboard, users can now:

  • Edit the OIDC Scopes field.
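The defaults and the username-claim lookup described above, as an added example that is not Wag's own code: a hypothetical, simplified OIDCConfig struct mirrors the Scopes and DeviceUsernameClaim fields, applies the stated defaults (openid, username), and adds a check the PR text does not describe, rejecting a scope list that omits openid, since without it the request is plain OAuth 2.0 and no ID token carrying the claim is guaranteed.

```go
package main

import (
	"encoding/json"
	"errors"
)

// OIDCConfig is a simplified, hypothetical stand-in for the Authenticators.OIDC
// section in the PR's config.json; it is not Wag's own configuration type.
type OIDCConfig struct {
	DeviceUsernameClaim string   `json:"DeviceUsernameClaim"`
	Scopes              []string `json:"Scopes"`
}

// ApplyDefaults fills in the backward-compatible defaults the PR names ("openid"
// for Scopes, "username" for DeviceUsernameClaim) and rejects a scope list that
// drops "openid": without it no ID token carrying the username claim is guaranteed.
func ApplyDefaults(c *OIDCConfig) error {
	if len(c.Scopes) == 0 {
		c.Scopes = []string{"openid"}
	}
	if c.DeviceUsernameClaim == "" {
		c.DeviceUsernameClaim = "username"
	}
	for _, s := range c.Scopes {
		if s == "openid" {
			return nil
		}
	}
	return errors.New("OIDC Scopes must include \"openid\"")
}

// UsernameFromClaims reads the configured claim from decoded ID-token claims and
// refuses missing, non-string or empty values, so a claim the IdP does not emit
// fails loudly instead of mapping every device to an empty username.
func UsernameFromClaims(c OIDCConfig, claims map[string]interface{}) (string, error) {
	v, ok := claims[c.DeviceUsernameClaim].(string)
	if !ok || v == "" {
		return "", errors.New("configured username claim missing or empty in ID token")
	}
	return v, nil
}

// LoadOIDC parses an "OIDC" JSON object like the PR's example and applies defaults.
func LoadOIDC(raw string) (OIDCConfig, error) {
	var c OIDCConfig
	if err := json.Unmarshal([]byte(raw), &c); err != nil {
		return c, err
	}
	return c, ApplyDefaults(&c)
}
```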

@NHAS
Owner

NHAS commented Jan 15, 2025

Hi there!

This is a fantastic PR with some excellent changes. I'll have to review it later today.

The only change I'd currently ask is if you
could make these changes against the unstable branch and open a PR for merging to there instead.

Thank you!

@NHAS
Owner

NHAS commented Jan 16, 2025

Sweet, just a note that DeviceUsernameClaim already exists in the unstable branch. However, your scopes changes do not!

@NHAS
Owner

NHAS commented Jan 16, 2025

I've merged this rather haphazardly into unstable.

So I'll be closing this, but your work has been added; it's just that I've moved to Vue and had quite a few changes, so it couldn't be easily merged from this branch.

Thanks again!

@NHAS NHAS closed this Jan 16, 2025
@mohgho
Author

mohgho commented Jan 16, 2025

Hi there,

Thank you for reviewing the PR and for the kind words! I really appreciate the feedback and the effort you took to merge my work into the unstable branch, despite the challenges with the recent changes to the codebase.

It’s great to know that DeviceUsernameClaim already exists in the unstable branch—I’ll keep that in mind for future contributions! I’m glad the scopes changes were helpful, and I’m excited to see how the project evolves with the new Vue implementation.

If there’s anything else I can assist with or clarify about this PR, please don’t hesitate to reach out. Thanks again for the opportunity to contribute to this awesome project!
