Merge pull request #18826 from ljocha/release_24.1

[24.1] prevent "missing refresh_token" errors by supporting <extra_scopes> also with Keycloak backend

lib/galaxy/authnz/custos_authnz.py

@@ -62,6 +62,7 @@ class CustosAuthnzConfiguration:
     pkce_support: bool
     accepted_audiences: List[str]
     extra_params: Optional[dict]
+    extra_scopes: List[str]
     authorization_endpoint: Optional[str]
     token_endpoint: Optional[str]
     end_session_endpoint: Optional[str]
@@ -98,6 +99,7 @@ def __init__(self, provider, oidc_config, oidc_backend_config, idphint=None):
                 )
             ),
             extra_params={},
+            extra_scopes=oidc_backend_config.get("extra_scopes", []),
             authorization_endpoint=None,
             token_endpoint=None,
             end_session_endpoint=None,
@@ -156,6 +158,7 @@ def _get_provider_specific_scopes(self):
     def authenticate(self, trans, idphint=None):
         base_authorize_url = self.config.authorization_endpoint
         scopes = ["openid", "email", "profile"]
+        scopes.extend(self.config.extra_scopes)
         scopes.extend(self._get_provider_specific_scopes())
         oauth2_session = self._create_oauth2_session(scope=scopes)
         nonce = generate_nonce()

lib/galaxy/authnz/managers.py

@@ -213,6 +213,8 @@ def _parse_custos_config(self, config_xml):
             rtv["ca_bundle"] = config_xml.find("ca_bundle").text
         if config_xml.find("icon") is not None:
             rtv["icon"] = config_xml.find("icon").text
+        if config_xml.find("extra_scopes") is not None:
+            rtv["extra_scopes"] = listify(config_xml.find("extra_scopes").text)
         if config_xml.find("pkce_support") is not None:
             rtv["pkce_support"] = asbool(config_xml.find("pkce_support").text)
         if config_xml.find("accepted_audiences") is not None: