From 9260935572b87d0b61d4c4d025c695e621b9341e Mon Sep 17 00:00:00 2001
From: Dean <deanhannigan@gmail.com>
Date: Thu, 18 Aug 2022 10:59:40 +0100
Subject: [PATCH 1/7] Added scope customisation to the OIDC SSO configuration.
 Users can add or remove whichever scopes they like except 'openid'. They can
 revert to our core default values if they run into any issues

---
 packages/bbui/src/Tags/Tag.svelte             |   3 +-
 .../builder/portal/manage/auth/index.svelte   | 203 +++++++++++++++++-
 .../worker/src/api/controllers/global/auth.ts |  15 +-
 .../worker/src/api/routes/global/configs.js   |   1 +
 4 files changed, 219 insertions(+), 3 deletions(-)

diff --git a/packages/bbui/src/Tags/Tag.svelte b/packages/bbui/src/Tags/Tag.svelte
index f7089decdb..9c4cb6e583 100644
--- a/packages/bbui/src/Tags/Tag.svelte
+++ b/packages/bbui/src/Tags/Tag.svelte
@@ -8,6 +8,7 @@
   export let invalid = false
   export let disabled = false
   export let closable = false
+  export let onClick
 </script>
 
 <div
@@ -31,7 +32,7 @@
   {/if}
   <span class="spectrum-Tags-itemLabel"><slot /></span>
   {#if closable}
-    <ClearButton on:click />
+    <ClearButton on:click={onClick} />
   {/if}
 </div>
 
diff --git a/packages/builder/src/pages/builder/portal/manage/auth/index.svelte b/packages/builder/src/pages/builder/portal/manage/auth/index.svelte
index bc77329a32..ffc5bed7ce 100644
--- a/packages/builder/src/pages/builder/portal/manage/auth/index.svelte
+++ b/packages/builder/src/pages/builder/portal/manage/auth/index.svelte
@@ -18,6 +18,8 @@
     Body,
     Select,
     Toggle,
+    Tag,
+    Tags,
   } from "@budibase/bbui"
   import { onMount } from "svelte"
   import { API } from "api"
@@ -208,6 +210,7 @@
             providers[res.type]._id = res._id
           })
           notifications.success(`Settings saved`)
+          scopesFields[0].editing = false
         })
         .catch(() => {
           notifications.error("Failed to update auth settings")
@@ -215,6 +218,21 @@
     }
   }
 
+  let defaultScopes = ["profile", "email", "offline_access"]
+
+  const refreshScopes = idx => {
+    providers.oidc.config.configs[idx]["scopes"] =
+      providers.oidc.config.configs[idx]["scopes"]
+  }
+
+  let scopesFields = [
+    {
+      editing: false,
+      inputText: null,
+      error: null,
+    },
+  ]
+
   onMount(async () => {
     try {
       await organisation.init()
@@ -276,7 +294,7 @@
     if (!oidcDoc?._id) {
       providers.oidc = {
         type: ConfigTypes.OIDC,
-        config: { configs: [{ activated: true }] },
+        config: { configs: [{ activated: true, scopes: defaultScopes }] },
       }
     } else {
       originalOidcDoc = cloneDeep(oidcDoc)
@@ -397,10 +415,193 @@
         />
       </div>
     </Layout>
+    <span class="advanced-config">
+      <Layout gap="XS" noPadding>
+        <Heading size="XS">
+          <div class="advanced">Advanced</div>
+        </Heading>
+        <Body size="S">
+          Changes to your authentication scopes will only take effect when you
+          next log in. Please refer to your vendor documentation before
+          modification.
+        </Body>
+
+        <div class="auth-form" class:editing={scopesFields[0].editing}>
+          <Label size="L" tooltip={"Auth Scopes"}>{"Auth Scopes"}</Label>
+          {#if scopesFields[0].editing}
+            <span class="add-new">
+              <Input
+                error={scopesFields[0].error}
+                placeholder={"New Scope"}
+                bind:value={scopesFields[0].inputText}
+                on:keyup={e => {
+                  if (!scopesFields[0].inputText) {
+                    scopesFields[0].error = null
+                  }
+                  if (
+                    e.key === "Enter" ||
+                    e.keyCode === 13 ||
+                    e.code == "Space" ||
+                    e.keyCode == 32
+                  ) {
+                    let scopes = providers.oidc.config.configs[0]["scopes"]
+                      ? providers.oidc.config.configs[0]["scopes"]
+                      : [...defaultScopes]
+
+                    let update = scopesFields[0].inputText.trim()
+
+                    if (/[\\"\s]/.test(update)) {
+                      scopesFields[0].error =
+                        "Auth scopes cannot contain spaces, double quotes or backslashes"
+                      return
+                    } else if (scopes.indexOf(update) > -1) {
+                      scopesFields[0].error = "Auth scope already exists"
+                      return
+                    } else if (!update.length) {
+                      scopesFields[0].inputText = null
+                      scopesFields[0].error = null
+                      return
+                    } else {
+                      scopesFields[0].error = null
+                    }
+
+                    if (scopes.indexOf(update) == -1) {
+                      scopes.push(update)
+                      providers.oidc.config.configs[0]["scopes"] = scopes
+                    }
+                    scopesFields[0].inputText = null
+                  }
+                }}
+              />
+            </span>
+          {/if}
+
+          <div class="tag-wrap">
+            <Tags>
+              <Tag disabled={!scopesFields[0].editing} closable={false}>
+                openid
+              </Tag>
+              {#each providers.oidc.config.configs[0]["scopes"] || [...defaultScopes] as tag, idx}
+                <Tag
+                  disabled={!scopesFields[0].editing}
+                  closable={scopesFields[0].editing}
+                  onClick={() => {
+                    let idxScopes = providers.oidc.config.configs[0]["scopes"]
+                    if (idxScopes.length == 1) {
+                      idxScopes.pop()
+                    } else {
+                      idxScopes.splice(idx, 1)
+                      refreshScopes(0)
+                    }
+                  }}
+                >
+                  {tag}
+                </Tag>
+              {/each}
+
+              {#if !scopesFields[0].editing}
+                <span
+                  class="edit-icon"
+                  on:click={() => {
+                    if (!providers.oidc.config.configs[0]) {
+                      providers.oidc.config.configs[0]["scopes"] = [
+                        ...defaultScopes,
+                      ]
+                    }
+                    scopesFields[0].editing = !scopesFields[0].editing
+                  }}
+                >
+                  <Tag>Edit</Tag>
+                </span>
+              {/if}
+            </Tags>
+          </div>
+
+          {#if scopesFields[0].editing}
+            <div class="scope_actions">
+              <Button
+                quiet
+                secondary
+                size="S"
+                on:click={() => {
+                  if (originalOidcDoc.config.configs[0].scopes) {
+                    providers.oidc.config.configs[0]["scopes"] = [
+                      ...originalOidcDoc.config.configs[0]["scopes"],
+                    ]
+                  } else {
+                    delete providers.oidc.config.configs[0]?.scopes
+                  }
+                  scopesFields[0].editing = false
+                }}
+              >
+                Cancel
+              </Button>
+              <Button
+                secondary
+                size="S"
+                on:click={() => {
+                  providers.oidc.config.configs[0]["scopes"] = [
+                    ...defaultScopes,
+                  ]
+                }}
+              >
+                Use Default
+              </Button>
+            </div>
+          {/if}
+        </div>
+      </Layout>
+    </span>
   {/if}
 </Layout>
 
 <style>
+  .scope_actions {
+    display: flex;
+    align-items: center;
+    justify-content: end;
+    gap: var(--spacing-m);
+  }
+  .edit-icon :global(.spectrum-Tags-itemLabel) {
+    cursor: pointer !important;
+  }
+  .advanced-config :global(.spectrum-Tags-item) {
+    margin-top: 5px;
+    margin-left: 0px;
+  }
+
+  .auth-form {
+    display: grid;
+    grid-gap: var(--spacing-l);
+    grid-template-columns: 100px 1fr;
+  }
+
+  .auth-form.editing {
+    align-items: center;
+    grid-template-columns: unset;
+  }
+
+  .advanced-config :global(.spectrum-Tags-item:first-child) {
+    margin-left: 0px;
+    margin-right: 0px;
+  }
+  .advanced-config .auth-form.editing .tag-wrap {
+    background-color: var(
+      --spectrum-sidenav-item-background-color-selected,
+      var(--spectrum-alias-highlight-hover)
+    );
+    padding: 0px 5px 5px 5px;
+    border-radius: var(
+      --spectrum-alias-border-radius-regular,
+      var(--spectrum-global-dimension-size-50)
+    );
+  }
+  .edit-icon,
+  .edit-icon :global(.icon) {
+    display: inline-block;
+    cursor: pointer;
+  }
+
   .form-row {
     display: grid;
     grid-template-columns: 100px 1fr;
diff --git a/packages/worker/src/api/controllers/global/auth.ts b/packages/worker/src/api/controllers/global/auth.ts
index dc96554cb2..834531cd78 100644
--- a/packages/worker/src/api/controllers/global/auth.ts
+++ b/packages/worker/src/api/controllers/global/auth.ts
@@ -227,9 +227,22 @@ export const oidcPreAuth = async (ctx: any, next: any) => {
 
   setCookie(ctx, configId, Cookies.OIDC_CONFIG)
 
+  const db = getGlobalDB()
+  const config = await core.db.getScopedConfig(db, {
+    type: Configs.OIDC,
+    group: ctx.query.group,
+  })
+
+  const chosenConfig = config.configs.filter((c: any) => c.uuid === configId)[0]
+
+  let authScopes =
+    chosenConfig.scopes?.length > 0
+      ? chosenConfig.scopes
+      : ["profile", "email", "offline_access"]
+
   return passport.authenticate(strategy, {
     // required 'openid' scope is added by oidc strategy factory
-    scope: ["profile", "email", "offline_access"], //auth0 offline_access scope required for the refresh token behaviour.
+    scope: authScopes,
   })(ctx, next)
 }
 
diff --git a/packages/worker/src/api/routes/global/configs.js b/packages/worker/src/api/routes/global/configs.js
index c4beb57600..e08611b73a 100644
--- a/packages/worker/src/api/routes/global/configs.js
+++ b/packages/worker/src/api/routes/global/configs.js
@@ -53,6 +53,7 @@ function oidcValidation() {
         name: Joi.string().allow("", null),
         uuid: Joi.string().required(),
         activated: Joi.boolean().required(),
+        scopes: Joi.array().optional()
       })
     ).required(true)
   }).unknown(true)

From 5452958805228284a7ad23a8e0ffb757987e2729 Mon Sep 17 00:00:00 2001
From: Dean <deanhannigan@gmail.com>
Date: Thu, 18 Aug 2022 11:50:52 +0100
Subject: [PATCH 2/7] Adding fix for empty scopes

---
 .../builder/src/pages/builder/portal/manage/auth/index.svelte   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/builder/src/pages/builder/portal/manage/auth/index.svelte b/packages/builder/src/pages/builder/portal/manage/auth/index.svelte
index ffc5bed7ce..e6ed4eac68 100644
--- a/packages/builder/src/pages/builder/portal/manage/auth/index.svelte
+++ b/packages/builder/src/pages/builder/portal/manage/auth/index.svelte
@@ -503,7 +503,7 @@
                 <span
                   class="edit-icon"
                   on:click={() => {
-                    if (!providers.oidc.config.configs[0]) {
+                    if (!providers.oidc.config.configs[0]["scopes"]) {
                       providers.oidc.config.configs[0]["scopes"] = [
                         ...defaultScopes,
                       ]

From ba2aaf87e761d887177511c98e9558e4e646aee4 Mon Sep 17 00:00:00 2001
From: Dean <deanhannigan@gmail.com>
Date: Thu, 18 Aug 2022 14:58:22 +0100
Subject: [PATCH 3/7] UX feedback changes

---
 .../builder/portal/manage/auth/index.svelte   | 207 ++++++------------
 1 file changed, 70 insertions(+), 137 deletions(-)

diff --git a/packages/builder/src/pages/builder/portal/manage/auth/index.svelte b/packages/builder/src/pages/builder/portal/manage/auth/index.svelte
index e6ed4eac68..cd5f28085e 100644
--- a/packages/builder/src/pages/builder/portal/manage/auth/index.svelte
+++ b/packages/builder/src/pages/builder/portal/manage/auth/index.svelte
@@ -210,7 +210,6 @@
             providers[res.type]._id = res._id
           })
           notifications.success(`Settings saved`)
-          scopesFields[0].editing = false
         })
         .catch(() => {
           notifications.error("Failed to update auth settings")
@@ -227,7 +226,7 @@
 
   let scopesFields = [
     {
-      editing: false,
+      editing: true,
       inputText: null,
       error: null,
     },
@@ -418,7 +417,19 @@
     <span class="advanced-config">
       <Layout gap="XS" noPadding>
         <Heading size="XS">
-          <div class="advanced">Advanced</div>
+          <div class="auth-scopes">
+            <div>Advanced</div>
+            <Button
+              secondary
+              newStyles
+              size="S"
+              on:click={() => {
+                providers.oidc.config.configs[0]["scopes"] = [...defaultScopes]
+              }}
+            >
+              Restore Defaults
+            </Button>
+          </div>
         </Heading>
         <Body size="S">
           Changes to your authentication scopes will only take effect when you
@@ -426,64 +437,59 @@
           modification.
         </Body>
 
-        <div class="auth-form" class:editing={scopesFields[0].editing}>
-          <Label size="L" tooltip={"Auth Scopes"}>{"Auth Scopes"}</Label>
-          {#if scopesFields[0].editing}
-            <span class="add-new">
-              <Input
-                error={scopesFields[0].error}
-                placeholder={"New Scope"}
-                bind:value={scopesFields[0].inputText}
-                on:keyup={e => {
-                  if (!scopesFields[0].inputText) {
+        <div class="auth-form">
+          <span class="add-new">
+            <Label size="L" tooltip={"Auth Scopes"}>{"Auth Scopes"}</Label>
+            <Input
+              error={scopesFields[0].error}
+              placeholder={"New Scope"}
+              bind:value={scopesFields[0].inputText}
+              on:keyup={e => {
+                if (!scopesFields[0].inputText) {
+                  scopesFields[0].error = null
+                }
+                if (
+                  e.key === "Enter" ||
+                  e.keyCode === 13 ||
+                  e.code == "Space" ||
+                  e.keyCode == 32
+                ) {
+                  let scopes = providers.oidc.config.configs[0]["scopes"]
+                    ? providers.oidc.config.configs[0]["scopes"]
+                    : [...defaultScopes]
+
+                  let update = scopesFields[0].inputText.trim()
+
+                  if (/[\\"\s]/.test(update)) {
+                    scopesFields[0].error =
+                      "Auth scopes cannot contain spaces, double quotes or backslashes"
+                    return
+                  } else if (scopes.indexOf(update) > -1) {
+                    scopesFields[0].error = "Auth scope already exists"
+                    return
+                  } else if (!update.length) {
+                    scopesFields[0].inputText = null
+                    scopesFields[0].error = null
+                    return
+                  } else {
                     scopesFields[0].error = null
                   }
-                  if (
-                    e.key === "Enter" ||
-                    e.keyCode === 13 ||
-                    e.code == "Space" ||
-                    e.keyCode == 32
-                  ) {
-                    let scopes = providers.oidc.config.configs[0]["scopes"]
-                      ? providers.oidc.config.configs[0]["scopes"]
-                      : [...defaultScopes]
 
-                    let update = scopesFields[0].inputText.trim()
-
-                    if (/[\\"\s]/.test(update)) {
-                      scopesFields[0].error =
-                        "Auth scopes cannot contain spaces, double quotes or backslashes"
-                      return
-                    } else if (scopes.indexOf(update) > -1) {
-                      scopesFields[0].error = "Auth scope already exists"
-                      return
-                    } else if (!update.length) {
-                      scopesFields[0].inputText = null
-                      scopesFields[0].error = null
-                      return
-                    } else {
-                      scopesFields[0].error = null
-                    }
-
-                    if (scopes.indexOf(update) == -1) {
-                      scopes.push(update)
-                      providers.oidc.config.configs[0]["scopes"] = scopes
-                    }
-                    scopesFields[0].inputText = null
+                  if (scopes.indexOf(update) == -1) {
+                    scopes.push(update)
+                    providers.oidc.config.configs[0]["scopes"] = scopes
                   }
-                }}
-              />
-            </span>
-          {/if}
-
+                  scopesFields[0].inputText = null
+                }
+              }}
+            />
+          </span>
           <div class="tag-wrap">
+            <span />
             <Tags>
-              <Tag disabled={!scopesFields[0].editing} closable={false}>
-                openid
-              </Tag>
+              <Tag closable={false}>openid</Tag>
               {#each providers.oidc.config.configs[0]["scopes"] || [...defaultScopes] as tag, idx}
                 <Tag
-                  disabled={!scopesFields[0].editing}
                   closable={scopesFields[0].editing}
                   onClick={() => {
                     let idxScopes = providers.oidc.config.configs[0]["scopes"]
@@ -498,57 +504,8 @@
                   {tag}
                 </Tag>
               {/each}
-
-              {#if !scopesFields[0].editing}
-                <span
-                  class="edit-icon"
-                  on:click={() => {
-                    if (!providers.oidc.config.configs[0]["scopes"]) {
-                      providers.oidc.config.configs[0]["scopes"] = [
-                        ...defaultScopes,
-                      ]
-                    }
-                    scopesFields[0].editing = !scopesFields[0].editing
-                  }}
-                >
-                  <Tag>Edit</Tag>
-                </span>
-              {/if}
             </Tags>
           </div>
-
-          {#if scopesFields[0].editing}
-            <div class="scope_actions">
-              <Button
-                quiet
-                secondary
-                size="S"
-                on:click={() => {
-                  if (originalOidcDoc.config.configs[0].scopes) {
-                    providers.oidc.config.configs[0]["scopes"] = [
-                      ...originalOidcDoc.config.configs[0]["scopes"],
-                    ]
-                  } else {
-                    delete providers.oidc.config.configs[0]?.scopes
-                  }
-                  scopesFields[0].editing = false
-                }}
-              >
-                Cancel
-              </Button>
-              <Button
-                secondary
-                size="S"
-                on:click={() => {
-                  providers.oidc.config.configs[0]["scopes"] = [
-                    ...defaultScopes,
-                  ]
-                }}
-              >
-                Use Default
-              </Button>
-            </div>
-          {/if}
         </div>
       </Layout>
     </span>
@@ -556,50 +513,26 @@
 </Layout>
 
 <style>
-  .scope_actions {
+  .auth-scopes {
     display: flex;
+    justify-content: space-between;
     align-items: center;
-    justify-content: end;
-    gap: var(--spacing-m);
-  }
-  .edit-icon :global(.spectrum-Tags-itemLabel) {
-    cursor: pointer !important;
-  }
-  .advanced-config :global(.spectrum-Tags-item) {
-    margin-top: 5px;
-    margin-left: 0px;
   }
 
-  .auth-form {
+  .advanced-config :global(.spectrum-Tags-item) {
+    margin-left: 0px;
+    margin-top: var(--spacing-m);
+    margin-right: var(--spacing-m);
+  }
+
+  .auth-form > * {
     display: grid;
     grid-gap: var(--spacing-l);
     grid-template-columns: 100px 1fr;
   }
 
-  .auth-form.editing {
-    align-items: center;
-    grid-template-columns: unset;
-  }
-
-  .advanced-config :global(.spectrum-Tags-item:first-child) {
-    margin-left: 0px;
-    margin-right: 0px;
-  }
-  .advanced-config .auth-form.editing .tag-wrap {
-    background-color: var(
-      --spectrum-sidenav-item-background-color-selected,
-      var(--spectrum-alias-highlight-hover)
-    );
-    padding: 0px 5px 5px 5px;
-    border-radius: var(
-      --spectrum-alias-border-radius-regular,
-      var(--spectrum-global-dimension-size-50)
-    );
-  }
-  .edit-icon,
-  .edit-icon :global(.icon) {
-    display: inline-block;
-    cursor: pointer;
+  .advanced-config .auth-form .tag-wrap {
+    padding: 0px 5px 5px 0px;
   }
 
   .form-row {

From a1609c0bdee736aa4ed1865c7878780146f9ced3 Mon Sep 17 00:00:00 2001
From: Dean <deanhannigan@gmail.com>
Date: Fri, 19 Aug 2022 12:59:31 +0100
Subject: [PATCH 4/7] Added authentication integration tests

---
 .../adminAndManagement/authentication.spec.js | 155 ++++++++++++++++++
 .../builder/portal/manage/auth/index.svelte   |   2 +-
 2 files changed, 156 insertions(+), 1 deletion(-)
 create mode 100644 packages/builder/cypress/integration/adminAndManagement/authentication.spec.js

diff --git a/packages/builder/cypress/integration/adminAndManagement/authentication.spec.js b/packages/builder/cypress/integration/adminAndManagement/authentication.spec.js
new file mode 100644
index 0000000000..8bdbd69db0
--- /dev/null
+++ b/packages/builder/cypress/integration/adminAndManagement/authentication.spec.js
@@ -0,0 +1,155 @@
+import filterTests from "../../support/filterTests"
+// const interact = require("../support/interact")
+
+filterTests(["smoke", "all"], () => {
+  context("Auth Configuration", () => {
+    before(() => {
+      cy.login()
+    })
+
+    it("Should allow updating of the OIDC config", () => {
+      cy.get(".spectrum-SideNav li").contains("Auth").click()
+      cy.location().should(loc => {
+        expect(loc.pathname).to.eq("/builder/portal/manage/auth")
+      })
+      cy.get("div.content").scrollTo("bottom")
+      cy.get(".spectrum-Toast .spectrum-ClearButton").click()
+
+      cy.get("input[data-cy=configUrl]").type("http://budi-auth.com/v2")
+      cy.get("input[data-cy=clientID]").type("34ac6a13-f24a-4b52-c70d-fa544ffd11b2")
+      cy.get("input[data-cy=clientSecret]").type("12A8Q~4nS_DWhOOJ2vWIRsNyDVsdtXPD.Zxa9df_")
+
+      cy.get("button[data-cy=oidc-save]").should("not.be.disabled");
+
+      cy.intercept("POST", "/api/global/configs").as("updateAuth")
+      cy.get("button[data-cy=oidc-save]").contains("Save").click({force: true})
+      cy.wait("@updateAuth")
+      cy.get("@updateAuth").its("response.statusCode").should("eq", 200)
+
+      cy.get(".spectrum-Toast-content")
+        .contains("Settings saved")
+        .should("be.visible")
+    })
+
+    it("Should display default scopes in advanced config.", () => {
+      cy.get(".spectrum-SideNav li").contains("Auth").click()
+      cy.location().should(loc => {
+        expect(loc.pathname).to.eq("/builder/portal/manage/auth")
+      })
+      cy.get("div.content").scrollTo("bottom")
+
+      cy.get(".spectrum-Tags").find(".spectrum-Tags-item").its("length").should("eq", 4)
+
+      cy.get(".spectrum-Tags-item").contains("openid")
+      cy.get(".spectrum-Tags-item").contains("openid").find(".spectrum-ClearButton").should("not.exist")
+
+      cy.get(".spectrum-Tags-item").contains("offline_access")
+      cy.get(".spectrum-Tags-item").contains("email")
+      cy.get(".spectrum-Tags-item").contains("profile")
+    })
+
+    it("Add a new scopes", () => {
+      cy.get(".spectrum-SideNav li").contains("Auth").click()
+      cy.location().should(loc => {
+        expect(loc.pathname).to.eq("/builder/portal/manage/auth")
+      })
+      cy.get("div.content").scrollTo("bottom")
+
+      cy.get("[data-cy=new-scope-input]").type("Sample{enter}")
+      cy.get(".spectrum-Tags").find(".spectrum-Tags-item").its("length").should("eq", 5)
+      cy.get(".spectrum-Tags-item").contains("Sample")
+
+      cy.get(".auth-form input.spectrum-Textfield-input").type("Another ")
+      cy.get(".spectrum-Tags").find(".spectrum-Tags-item").its("length").should("eq", 6)
+      cy.get(".spectrum-Tags-item").contains("Another")
+      
+      cy.get("button[data-cy=oidc-save]").should("not.be.disabled");
+
+      cy.intercept("POST", "/api/global/configs").as("updateAuth")
+      cy.get("button[data-cy=oidc-save]").contains("Save").click({force: true})
+      cy.wait("@updateAuth")
+      cy.get("@updateAuth").its("response.statusCode").should("eq", 200)
+
+      cy.reload()
+
+      cy.get("div.content").scrollTo("bottom")
+
+      cy.get(".spectrum-Tags-item").contains("openid")
+      cy.get(".spectrum-Tags-item").contains("offline_access")
+      cy.get(".spectrum-Tags-item").contains("email")
+      cy.get(".spectrum-Tags-item").contains("profile")
+      cy.get(".spectrum-Tags-item").contains("Sample")
+      cy.get(".spectrum-Tags-item").contains("Another")
+    })
+
+    it("Should allow the removal of auth scopes", () => {
+      cy.get(".spectrum-SideNav li").contains("Auth").click()
+      cy.location().should(loc => {
+        expect(loc.pathname).to.eq("/builder/portal/manage/auth")
+      })
+      cy.get("div.content").scrollTo("bottom")
+
+      cy.get(".spectrum-Tags-item").contains("offline_access").parent().find(".spectrum-ClearButton").click()
+      cy.get(".spectrum-Tags-item").contains("profile").parent().find(".spectrum-ClearButton").click()
+
+      cy.get(".spectrum-Tags").find(".spectrum-Tags-item").its("length").should("eq", 4)
+
+      cy.get(".spectrum-Tags-item").contains("offline_access").should("not.exist")
+      cy.get(".spectrum-Tags-item").contains("profile").should("not.exist")
+
+      cy.get("button[data-cy=oidc-save]").should("not.be.disabled");
+
+      cy.intercept("POST", "/api/global/configs").as("updateAuth")
+      cy.get("button[data-cy=oidc-save]").contains("Save").click({force: true})
+      cy.wait("@updateAuth")
+      cy.get("@updateAuth").its("response.statusCode").should("eq", 200)
+
+      cy.get(".spectrum-Toast-content")
+        .contains("Settings saved")
+        .should("be.visible")
+
+      cy.reload()
+
+      cy.get(".spectrum-Tags").find(".spectrum-Tags-item").its("length").should("eq", 4)
+
+      cy.get(".spectrum-Tags-item").contains("offline_access").should("not.exist")
+      cy.get(".spectrum-Tags-item").contains("profile").should("not.exist")
+    })
+
+    it("Should allow auth scopes to be reset to the core defaults.", () => {
+      cy.get(".spectrum-SideNav li").contains("Auth").click()
+
+      cy.get("div.content").scrollTo("bottom")
+
+      cy.get("[data-cy=restore-oidc-default-scopes]").click({force: true})
+
+      cy.get(".spectrum-Tags").find(".spectrum-Tags-item").its("length").should("eq", 4)
+
+      cy.get(".spectrum-Tags-item").contains("openid")
+      cy.get(".spectrum-Tags-item").contains("offline_access")
+      cy.get(".spectrum-Tags-item").contains("email")
+      cy.get(".spectrum-Tags-item").contains("profile")
+    })
+
+    it("Should not allow invalid characters in the auth scopes", () => {
+      cy.get("[data-cy=new-scope-input]").type("thisIsInvalid\\{enter}")
+      cy.get(".spectrum-Form-itemField .error").contains("Auth scopes cannot contain spaces, double quotes or backslashes")
+      cy.get(".spectrum-Tags").find(".spectrum-Tags-item").its("length").should("eq", 4)
+
+      cy.get("[data-cy=new-scope-input]").clear()
+
+      cy.get("[data-cy=new-scope-input]").type("alsoInvalid\"{enter}")
+      cy.get(".spectrum-Form-itemField .error").contains("Auth scopes cannot contain spaces, double quotes or backslashes")
+      cy.get(".spectrum-Tags").find(".spectrum-Tags-item").its("length").should("eq", 4)
+
+      cy.get("[data-cy=new-scope-input]").clear()
+    })
+
+    it("Should not allow duplicate auth scopes", () => {
+      cy.get("[data-cy=new-scope-input]").type("offline_access{enter}")
+      cy.get(".spectrum-Form-itemField .error").contains("Auth scope already exists")
+      cy.get(".spectrum-Tags").find(".spectrum-Tags-item").its("length").should("eq", 4)
+    })
+
+  })
+})
\ No newline at end of file
diff --git a/packages/builder/src/pages/builder/portal/manage/auth/index.svelte b/packages/builder/src/pages/builder/portal/manage/auth/index.svelte
index cd5f28085e..56aff57da3 100644
--- a/packages/builder/src/pages/builder/portal/manage/auth/index.svelte
+++ b/packages/builder/src/pages/builder/portal/manage/auth/index.svelte
@@ -439,7 +439,7 @@
 
         <div class="auth-form">
           <span class="add-new">
-            <Label size="L" tooltip={"Auth Scopes"}>{"Auth Scopes"}</Label>
+            <Label size="L">{"Auth Scopes"}</Label>
             <Input
               error={scopesFields[0].error}
               placeholder={"New Scope"}

From de437c3cb8fdb720a488d1f21b93c323391cbe8c Mon Sep 17 00:00:00 2001
From: Dean <deanhannigan@gmail.com>
Date: Fri, 19 Aug 2022 14:33:51 +0100
Subject: [PATCH 5/7] Added missing cypress hooks

---
 .../src/pages/builder/portal/manage/auth/index.svelte      | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/packages/builder/src/pages/builder/portal/manage/auth/index.svelte b/packages/builder/src/pages/builder/portal/manage/auth/index.svelte
index 56aff57da3..b1006ad294 100644
--- a/packages/builder/src/pages/builder/portal/manage/auth/index.svelte
+++ b/packages/builder/src/pages/builder/portal/manage/auth/index.svelte
@@ -147,7 +147,6 @@
 
   async function save(docs) {
     let calls = []
-
     // Only if the user has provided an image, upload it
     if (image) {
       let data = new FormData()
@@ -159,7 +158,6 @@
         })
       )
     }
-
     docs.forEach(element => {
       // Delete unsupported fields
       delete element.createdAt
@@ -201,7 +199,6 @@
         }
       }
     })
-
     if (calls.length) {
       Promise.all(calls)
         .then(data => {
@@ -362,6 +359,7 @@
             size="s"
             cta
             on:click={() => save([providers.oidc])}
+            dataCy={"oidc-save"}
           >
             Save
           </Button>
@@ -379,6 +377,7 @@
             bind:value={providers.oidc.config.configs[0][field.name]}
             readonly={field.readonly}
             placeholder={field.placeholder}
+            dataCy={field.name}
           />
         </div>
       {/each}
@@ -426,6 +425,7 @@
               on:click={() => {
                 providers.oidc.config.configs[0]["scopes"] = [...defaultScopes]
               }}
+              dataCy={"restore-oidc-default-scopes"}
             >
               Restore Defaults
             </Button>
@@ -441,6 +441,7 @@
           <span class="add-new">
             <Label size="L">{"Auth Scopes"}</Label>
             <Input
+              dataCy={"new-scope-input"}
               error={scopesFields[0].error}
               placeholder={"New Scope"}
               bind:value={scopesFields[0].inputText}

From 30f7fc1daa1e48fe23d1690e4bd7f35752462d9e Mon Sep 17 00:00:00 2001
From: Dean <deanhannigan@gmail.com>
Date: Fri, 19 Aug 2022 15:56:12 +0100
Subject: [PATCH 6/7] Ensure OIDC config is disabled to prevent auth issues in
 test suite

---
 .../adminAndManagement/authentication.spec.js | 23 +++++++++++++++++++
 .../builder/portal/manage/auth/index.svelte   |  1 +
 2 files changed, 24 insertions(+)

diff --git a/packages/builder/cypress/integration/adminAndManagement/authentication.spec.js b/packages/builder/cypress/integration/adminAndManagement/authentication.spec.js
index 8bdbd69db0..5cc42cb59a 100644
--- a/packages/builder/cypress/integration/adminAndManagement/authentication.spec.js
+++ b/packages/builder/cypress/integration/adminAndManagement/authentication.spec.js
@@ -7,6 +7,29 @@ filterTests(["smoke", "all"], () => {
       cy.login()
     })
 
+    after(() => {
+      cy.get(".spectrum-SideNav li").contains("Auth").click()
+      cy.location().should(loc => {
+        expect(loc.pathname).to.eq("/builder/portal/manage/auth")
+      })
+
+      cy.get("[data-cy=new-scope-input]").clear()
+
+      cy.get("div.content").scrollTo("bottom")
+      cy.get("[data-cy=oidc-active]").click()
+
+      cy.get("[data-cy=oidc-active]").should('not.be.checked')
+
+      cy.intercept("POST", "/api/global/configs").as("updateAuth")
+      cy.get("button[data-cy=oidc-save]").contains("Save").click({force: true})
+      cy.wait("@updateAuth")
+      cy.get("@updateAuth").its("response.statusCode").should("eq", 200)
+
+      cy.get(".spectrum-Toast-content")
+        .contains("Settings saved")
+        .should("be.visible")
+    })
+
     it("Should allow updating of the OIDC config", () => {
       cy.get(".spectrum-SideNav li").contains("Auth").click()
       cy.location().should(loc => {
diff --git a/packages/builder/src/pages/builder/portal/manage/auth/index.svelte b/packages/builder/src/pages/builder/portal/manage/auth/index.svelte
index b1006ad294..fc56c2cdef 100644
--- a/packages/builder/src/pages/builder/portal/manage/auth/index.svelte
+++ b/packages/builder/src/pages/builder/portal/manage/auth/index.svelte
@@ -408,6 +408,7 @@
       <div class="form-row">
         <Label size="L">Activated</Label>
         <Toggle
+          dataCy={"oidc-active"}
           text=""
           bind:value={providers.oidc.config.configs[0].activated}
         />

From 422c38fce76b370f7285a1f770cb77ebd722523e Mon Sep 17 00:00:00 2001
From: Dean <deanhannigan@gmail.com>
Date: Mon, 22 Aug 2022 12:38:23 +0100
Subject: [PATCH 7/7] Minor updates

---
 packages/bbui/src/Tags/Tag.svelte                     |  3 +--
 .../src/pages/builder/portal/manage/auth/index.svelte | 11 +++++------
 2 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/packages/bbui/src/Tags/Tag.svelte b/packages/bbui/src/Tags/Tag.svelte
index 9c4cb6e583..f7089decdb 100644
--- a/packages/bbui/src/Tags/Tag.svelte
+++ b/packages/bbui/src/Tags/Tag.svelte
@@ -8,7 +8,6 @@
   export let invalid = false
   export let disabled = false
   export let closable = false
-  export let onClick
 </script>
 
 <div
@@ -32,7 +31,7 @@
   {/if}
   <span class="spectrum-Tags-itemLabel"><slot /></span>
   {#if closable}
-    <ClearButton on:click={onClick} />
+    <ClearButton on:click />
   {/if}
 </div>
 
diff --git a/packages/builder/src/pages/builder/portal/manage/auth/index.svelte b/packages/builder/src/pages/builder/portal/manage/auth/index.svelte
index fc56c2cdef..733d7eee92 100644
--- a/packages/builder/src/pages/builder/portal/manage/auth/index.svelte
+++ b/packages/builder/src/pages/builder/portal/manage/auth/index.svelte
@@ -31,6 +31,8 @@
     OIDC: "oidc",
   }
 
+  const HasSpacesRegex = /[\\"\s]/
+
   // Some older google configs contain a manually specified value - retain the functionality to edit the field
   // When there is no value or we are in the cloud - prohibit editing the field, must use platform url to change
   $: googleCallbackUrl = undefined
@@ -462,7 +464,7 @@
 
                   let update = scopesFields[0].inputText.trim()
 
-                  if (/[\\"\s]/.test(update)) {
+                  if (HasSpacesRegex.test(update)) {
                     scopesFields[0].error =
                       "Auth scopes cannot contain spaces, double quotes or backslashes"
                     return
@@ -475,13 +477,10 @@
                     return
                   } else {
                     scopesFields[0].error = null
-                  }
-
-                  if (scopes.indexOf(update) == -1) {
                     scopes.push(update)
                     providers.oidc.config.configs[0]["scopes"] = scopes
+                    scopesFields[0].inputText = null
                   }
-                  scopesFields[0].inputText = null
                 }
               }}
             />
@@ -493,7 +492,7 @@
               {#each providers.oidc.config.configs[0]["scopes"] || [...defaultScopes] as tag, idx}
                 <Tag
                   closable={scopesFields[0].editing}
-                  onClick={() => {
+                  on:click={() => {
                     let idxScopes = providers.oidc.config.configs[0]["scopes"]
                     if (idxScopes.length == 1) {
                       idxScopes.pop()