feat: make groups scope optional to support azure with OIDC

docs/reference/deploy/master-config-reference.rst

@@ -1753,6 +1753,7 @@ used for :ref:`remote user <remote-users>` management.
           groups_attribute_name: "XYZ"
           display_name_attribute_name: "XYZ"
           always_redirect: true
+          exclude_groups_scope: false
 
 ``enabled``
 ===========
@@ -1830,6 +1831,13 @@ sign-in page. This redirection persists unless the user explicitly signs out wit
 SSO user attempts to use an expired session token, they are directly redirected to the SSO provider
 and returned to the requested page after authentication.
 
+``exclude_groups_scope``
+========================
+
+Specifies if the groups scope should be excluded for this OIDC Provider. For most OIDC providers
+like Okta, this should be false (or blank) if you'd like to provision group memberships. But for
+some providers like Azure, which do not support groups scope, this should be set to true.
+
 **********
  ``saml``
 **********

helm/charts/determined/templates/master-config.yaml

@@ -122,6 +122,9 @@ stringData:
       {{- if .Values.oidc.alwaysRedirect }}
       always_redirect: {{ .Values.oidc.alwaysRedirect }}
       {{- end }}
+      {{- if .Values.oidc.excludeGroupsScope }}
+      exclude_groups_scope: {{ .Values.oidc.excludeGroupsScope }}
+      {{- end }}
     {{- end }}
 
     {{- if .Values.scim }}

helm/charts/determined/values.yaml

@@ -125,6 +125,7 @@ useNodePortForMaster: false
 #   groupsAttributeName:
 #   displayNameAttributeName:
 #   alwaysRedirect:
+#   excludeGroupsScope:
 
 # scim (EE-only) enables System for Cross-domain Identity Management (SCIM) integration, which is
 # only available if enterpriseEdition is true. It allows administrators to easily and securely

master/internal/config/oidc_config.go

@@ -18,6 +18,7 @@ type OIDCConfig struct {
 	GroupsAttributeName         string `json:"groups_attribute_name"`
 	DisplayNameAttributeName    string `json:"display_name_attribute_name"`
 	AlwaysRedirect              bool   `json:"always_redirect"`
+	ExcludeGroupsScope          bool   `json:"exclude_groups_scope"`
 }
 
 // Validate implements the check.Validatable interface.

master/internal/plugin/oidc/service.go

@@ -80,7 +80,10 @@ func New(db *db.PgDB, config config.OIDCConfig, pachEnabled bool) (*Service, err
 		return nil, fmt.Errorf("client secret has not been set")
 	}
 
-	scope := []string{oidc.ScopeOpenID, "profile", "email", "groups"}
+	scope := []string{oidc.ScopeOpenID, "profile", "email"}
+	if !config.ExcludeGroupsScope {
+		scope = append(scope, "groups")
+	}
 	if pachEnabled {
 		scope = append(scope, "audience:server:client_id:pachd")
 	}