From 61dddfa9611ff35f7d64f90325ee297ca3d06499 Mon Sep 17 00:00:00 2001 From: Daniel Sy Date: Wed, 13 Aug 2025 15:14:11 +0200 Subject: [PATCH] =?UTF-8?q?fix(auth):=20=F0=9F=94=92=EF=B8=8F=20Update=20r?= =?UTF-8?q?edirect=20URIs=20for=20OAuth=20clients?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Removes the public client configuration and updates the Grafana redirect URI to the correct domain. Modifies OAuth scopes to include groups for improved permission management. --- otc/observability.t09.de/stacks/core/dex/values.yaml | 7 +------ .../observability/grafana-operator/manifests/grafana.yaml | 4 ++-- 2 files changed, 3 insertions(+), 8 deletions(-) diff --git a/otc/observability.t09.de/stacks/core/dex/values.yaml b/otc/observability.t09.de/stacks/core/dex/values.yaml index 4110f7b..251e546 100644 --- a/otc/observability.t09.de/stacks/core/dex/values.yaml +++ b/otc/observability.t09.de/stacks/core/dex/values.yaml @@ -59,11 +59,6 @@ config: enablePasswordDB: false staticClients: - - id: public-client - public: true - name: 'Public Client' - redirectURIs: - - 'https://localhost/oidc/callback' - id: controller-argocd-dex name: ArgoCD Client redirectURIs: @@ -71,6 +66,6 @@ config: secret: "{{`{{ .Env.OIDC_DEX_ARGO_CLIENT_SECRET }}`}}" - id: grafana redirectURIs: - - "https://localhost/login/generic_oauth" + - "https://grafana.observability.t09.de/login/generic_oauth" name: "Grafana" secret: "thisisasecret" diff --git a/otc/observability.t09.de/stacks/observability/grafana-operator/manifests/grafana.yaml b/otc/observability.t09.de/stacks/observability/grafana-operator/manifests/grafana.yaml index 46c1e6c..fdfa4d0 100644 --- a/otc/observability.t09.de/stacks/observability/grafana-operator/manifests/grafana.yaml +++ b/otc/observability.t09.de/stacks/observability/grafana-operator/manifests/grafana.yaml 
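Review bot: The Grafana client's `secret: "thisisasecret"` at the end of the second values.yaml hunk is a literal committed to the repository, and with the redirect URI now pointing at grafana.observability.t09.de it is the credential of a reachable client rather than a localhost stub. The ArgoCD client directly above reads its secret from `.Env.OIDC_DEX_ARGO_CLIENT_SECRET`; the Grafana entry should use the same templating with its own variable (placeholder name `<OIDC_DEX_GRAFANA_CLIENT_SECRET>`), and the value should be rotated because the old one stays in git history. The same literal appears as `client_secret` in the grafana.yaml hunk, where the commented-out `$__file{/etc/secrets/auth_generic_oauth/client_secret}` reference is already the form to switch to. The staticClients list continues outside the hunk.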
@@ -52,9 +52,9 @@ spec:
 use_refresh_token: "true"
 client_id: grafana
 client_secret: "thisisasecret" # $__file{/etc/secrets/auth_generic_oauth/client_secret}
- scopes: openid email profile offline_access
+ scopes: openid email profile offline_access groups
 auth_url: https://dex.observability.t09.de/auth
 token_url: https://dex.observability.t09.de/token
 api_url: https://dex.observability.t09.de/userinfo
- redirect_uri: https://localhost/login/generic_oauth
+ redirect_uri: https://grafana.observability.t09.de/login/generic_oauth
 # role_attribute_path: ""
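Review bot: The new `groups` scope on the `scopes:` line has no visible consumer, because `role_attribute_path` is still commented out on the last line of the hunk; unless a mapping is set elsewhere in this spec, every user keeps Grafana's default role regardless of group membership. If group-based permissions are the intent, add an explicit mapping such as `role_attribute_path: contains(groups[*], '<admin-group>') && 'Admin' || 'Viewer'` (the group name is a placeholder) and consider `role_attribute_strict: "true"` so that a login without a matching claim is rejected instead of falling back to a default role. It is also worth confirming that the Dex connector actually emits a groups claim for this client. The enclosing OAuth settings block starts outside the hunk.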