From bec7bbb59c6f7891ce6da9793de071636e3dba9a Mon Sep 17 00:00:00 2001
From: Yee Hing Tong
Date: Wed, 8 Nov 2023 10:09:03 +0800
Subject: [PATCH] add a short comment (#4341)

Signed-off-by: Yee Hing Tong
---
 flyteadmin/auth/token.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/flyteadmin/auth/token.go b/flyteadmin/auth/token.go
index 9b90a2d108..97029c870a 100644
--- a/flyteadmin/auth/token.go
+++ b/flyteadmin/auth/token.go
@@ -131,7 +131,12 @@ func IdentityContextFromIDTokenToken(ctx context.Context, tokenStr, clientID str
 logger.Infof(ctx, "Failed to unmarshal claims from id token, err: %v", err)
 }
- // TODO: Document why automatically specify "all" scope
+ // This path is used when a user logs into the UI and when you login through the UI, you should have all the capabilities your identity
+ // allows you to have, which is denoted by the "all" scope.
+ // There was a plan to one day define one of a handful of scopes (all, proj admin, user, viewer) and if you configure your IDP
+ // to issue the right scopes, admin can do very light weight 'AuthZ' on admin based on these scopes, but until that plan is effected,
+ // we just use this single scope that Admin expects for all methods
+ // And because not all IdPs allow us to configure the Identity Token claims, the scope needs to live here.
 return NewIdentityContext(idToken.Audience[0], idToken.Subject, "", idToken.IssuedAt, sets.NewString(ScopeAll), userInfo, claims)
 }
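Review bot: The new comment explains the history of the "all" scope but not the consequence a maintainer needs to know: as far as this hunk shows, any scope claims carried by the ID token are never consulted, and `sets.NewString(ScopeAll)` is handed to every identity that reaches the return line, so scope-based authorization cannot be enforced for this login path. I would add one line making that explicit, e.g. `// NOTE: scopes present in the ID token itself are ignored here; every verified identity receives ScopeAll.`, so nobody later assumes an IdP-issued scope narrows what this identity may do. On style, the added lines are much longer than the surrounding comment convention tolerates and the sentence ending in `for all methods` has no terminating period; wrapping at a conventional width and finishing the sentence would help. IdentityContextFromIDTokenToken begins before this hunk, so I cannot tell from here whether an empty `idToken.Audience` is rejected earlier; if it is not, `idToken.Audience[0]` on the return line panics on an ID token without an audience.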