From 41cc6d26fff2ec39c86be2c8a775a8354355b63d Mon Sep 17 00:00:00 2001
From: Masaki Yatsu
Date: Fri, 19 Sep 2025 18:13:11 +0900
Subject: [PATCH] fix(lakekeeper): set OpenID scope and token lifespan
---
 lakekeeper/justfile | 11 ++++++++++-
 lakekeeper/lakekeeper-values.gomplate.yaml | 6 ++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/lakekeeper/justfile b/lakekeeper/justfile
index 3b97c42..36fe139 100644
--- a/lakekeeper/justfile
+++ b/lakekeeper/justfile
@@ -105,6 +105,10 @@ create-oidc-client:
     fi
     echo "Creating Lakekeeper OAuth client in Keycloak..."
+    # Ensure lakekeeper scope exists
+    echo "Creating 'lakekeeper' client scope if it doesn't exist..."
+    just keycloak::create-client-scope ${KEYCLOAK_REALM} lakekeeper "Lakekeeper API scope"
+
     # Check if client already exists
     if just keycloak::client-exists ${KEYCLOAK_REALM} lakekeeper &>/dev/null; then
         echo "Client 'lakekeeper' already exists, skipping creation..."
@@ -117,9 +121,14 @@ create-oidc-client:
         client_id=lakekeeper \
         redirect_url="https://${LAKEKEEPER_HOST}/ui/callback" \
         post_logout_redirect_uris="https://${LAKEKEEPER_HOST}/ui/logout,https://${LAKEKEEPER_HOST}/ui/,https://${LAKEKEEPER_HOST}/" \
-        access_token_lifespan="43200"
+        access_token_lifespan="43200" \
+        scopes="openid,profile,lakekeeper"
     fi
+
+    # Ensure the lakekeeper scope is added to the client (for both existing and new clients)
+    echo "Adding 'lakekeeper' scope to client..."
+    just keycloak::add-scope-to-client ${KEYCLOAK_REALM} lakekeeper lakekeeper
+
     # Add audience mapper to include 'lakekeeper' in JWT audience
     echo "Adding audience mapper for JWT token..."
     just keycloak::add-audience-mapper lakekeeper lakekeeper
diff --git a/lakekeeper/lakekeeper-values.gomplate.yaml b/lakekeeper/lakekeeper-values.gomplate.yaml
index f14d976..f9a284d 100644
--- a/lakekeeper/lakekeeper-values.gomplate.yaml
+++ b/lakekeeper/lakekeeper-values.gomplate.yaml
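Review bot: The new `just keycloak::create-client-scope ${KEYCLOAK_REALM} lakekeeper "Lakekeeper API scope"` runs unconditionally, although the echo right before it promises creation only "if it doesn't exist"; the client creation a few lines below is guarded by `keycloak::client-exists`, but nothing equivalent guards the scope. If the `keycloak` module's `create-client-scope` is not itself idempotent (not visible on this page), every re-run of `create-oidc-client` would either fail or leave a duplicate scope, so either confirm that or wrap the call in an existence check mirroring the client one. Separately, the guard on the context line relies on `&>/dev/null`, which is a bash-ism: unless this justfile sets `set shell` to bash (not visible here), just's default `sh -cu` may not parse it as intended, and a misparsed guard would make the "already exists" branch unreliable. The `create-oidc-client` recipe begins before and continues after this hunk.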
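Review bot: `just keycloak::add-scope-to-client ${KEYCLOAK_REALM} lakekeeper lakekeeper` passes the realm as its first positional argument, whereas `just keycloak::add-audience-mapper lakekeeper lakekeeper` on the context line two lines below does not; one of the two calling conventions looks off, and with positional arguments a mismatch would silently target the wrong realm or client, so confirm both signatures in the `keycloak` module (not visible here). The re-added `access_token_lifespan="43200" \` keeps a 12-hour access-token lifetime, which is far above Keycloak's 5-minute default; since the commit subject says it sets the lifespan, a why-comment on that line would help the next reader, e.g. `# 43200 s = 12 h access tokens (Keycloak default is 5 min)` with the reason the UI needs it. The recipe continues outside this hunk.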
@@ -12,6 +12,12 @@ catalog:
     LAKEKEEPER__OPENID_AUDIENCE: "lakekeeper"
     LAKEKEEPER__UI__OPENID_CLIENT_ID: "lakekeeper"
     LAKEKEEPER__UI__OPENID_SCOPE: "openid profile lakekeeper"
+    {{- if .Env.LAKEKEEPER_TOKEN_TTL }}
+    LAKEKEEPER__TOKEN_TTL: "{{ .Env.LAKEKEEPER_TOKEN_TTL }}"
+    {{- end }}
+    {{- if .Env.LAKEKEEPER_API_TOKEN_EXPIRY }}
+    LAKEKEEPER__API_TOKEN_EXPIRY: "{{ .Env.LAKEKEEPER_API_TOKEN_EXPIRY }}"
+    {{- end }}
   # Secret management configuration
   secrets:
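Review bot: The `{{- if .Env.LAKEKEEPER_TOKEN_TTL }}` and `{{- if .Env.LAKEKEEPER_API_TOKEN_EXPIRY }}` guards may not make these settings optional: unless I misremember gomplate's `.Env` semantics, reading an unset variable through `.Env` fails the render rather than yielding an empty string, so an environment without these variables would break templating instead of falling back to Lakekeeper's defaults; `{{- if getenv "LAKEKEEPER_TOKEN_TTL" }}` (and likewise for the second key) is the lenient form. The values are also passed straight through with no indication of the expected unit or format, and an over-long lifetime silently weakens the session model, so a comment above the block stating the unit, the default when unset, and a sane upper bound would help operators. I cannot confirm from this page that Lakekeeper reads these exact key names; check them against the chart or upstream docs before merging.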