fix(auth): 🔒️ Update redirect URIs for OAuth clients

Removes the public client configuration and updates the Grafana redirect URI to the correct domain.

Modifies OAuth scopes to include groups for improved permission management.

otc/observability.t09.de/stacks/core/dex/values.yaml

@@ -59,11 +59,6 @@ config:
   enablePasswordDB: false
 
   staticClients:
-    - id: public-client
-      public: true
-      name: 'Public Client'
-      redirectURIs:
-        - 'https://localhost/oidc/callback'
     - id: controller-argocd-dex
       name: ArgoCD Client
       redirectURIs:
@@ -71,6 +66,6 @@ config:
       secret: "{{`{{ .Env.OIDC_DEX_ARGO_CLIENT_SECRET }}`}}"
     - id: grafana
       redirectURIs:
-        - "https://localhost/login/generic_oauth"
+        - "https://grafana.observability.t09.de/login/generic_oauth"
       name: "Grafana"
       secret: "thisisasecret"

otc/observability.t09.de/stacks/observability/grafana-operator/manifests/grafana.yaml

@@ -52,9 +52,9 @@ spec:
       use_refresh_token: "true"
       client_id: grafana
       client_secret: "thisisasecret" # $__file{/etc/secrets/auth_generic_oauth/client_secret}
-      scopes: openid email profile offline_access
+      scopes: openid email profile offline_access groups
       auth_url: https://dex.observability.t09.de/auth
       token_url: https://dex.observability.t09.de/token
       api_url: https://dex.observability.t09.de/userinfo
-      redirect_uri: https://localhost/login/generic_oauth
+      redirect_uri: https://grafana.observability.t09.de/login/generic_oauth
       # role_attribute_path: ""