From addb8a83e6e7058290e9668740891c7177d75664 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torjus=20H=C3=A5kestad?=
Date: Mon, 9 Feb 2026 19:39:10 +0100
Subject: [PATCH] vault: request groups scope in OIDC roles

---
 terraform/vault/oidc.tf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/terraform/vault/oidc.tf b/terraform/vault/oidc.tf
index 30f49f4..b94e761 100644
--- a/terraform/vault/oidc.tf
+++ b/terraform/vault/oidc.tf
@@ -26,6 +26,7 @@ resource "vault_jwt_auth_backend_role" "admin" {
 groups_claim = "groups"
 bound_claims = { groups = "admins" }
 role_type = "oidc"
+ oidc_scopes = ["openid", "profile", "email", "groups"]
 allowed_redirect_uris = [
 "https://vault.home.2rjus.net:8200/ui/vault/auth/oidc/oidc/callback",
@@ -41,6 +42,7 @@ resource "vault_jwt_auth_backend_role" "default" {
 user_claim = "preferred_username"
 groups_claim = "groups"
 role_type = "oidc"
+ oidc_scopes = ["openid", "profile", "email", "groups"]
 allowed_redirect_uris = [
 "https://vault.home.2rjus.net:8200/ui/vault/auth/oidc/oidc/callback",