From 8a358832f35e1821562c8a67fef3307520c36aa4 Mon Sep 17 00:00:00 2001
From: Brad Stein <Brad.Stein@gmail.com>
Date: Wed, 14 Jan 2026 02:52:51 -0300
Subject: [PATCH] vault: fix oidc scopes parsing

---
 services/vault/scripts/vault_oidc_configure.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/services/vault/scripts/vault_oidc_configure.sh b/services/vault/scripts/vault_oidc_configure.sh
index 0013866..01b0696 100644
--- a/services/vault/scripts/vault_oidc_configure.sh
+++ b/services/vault/scripts/vault_oidc_configure.sh
@@ -84,7 +84,8 @@ configure_role() {
     return
   fi
   claims="$(build_bound_claims "${groups_claim}" "${role_groups}")"
-  role_args="user_claim=${user_claim} oidc_scopes=${scopes} token_policies=${role_policies} bound_audiences=${bound_audiences} bound_claims=${claims} bound_claims_type=${bound_claims_type}"
+  scopes_csv="$(printf '%s' "${scopes}" | tr ' ' ',' | tr -s ',' | sed 's/^,//;s/,$//')"
+  role_args="user_claim=${user_claim} oidc_scopes=${scopes_csv} token_policies=${role_policies} bound_audiences=${bound_audiences} bound_claims=${claims} bound_claims_type=${bound_claims_type}"
   if [ -n "${groups_claim}" ]; then
     role_args="${role_args} groups_claim=${groups_claim}"
   fi