Don't request profile scope from IdPs in https://oauth2.sigstore.dev/auth

[letmaik]

For some reason, the OIDC proxy provider https://oauth2.sigstore.dev/auth requests profile scope against Google and Microsoft. It shouldn't do that, openid email is enough.

Side-note: Is this proxy provider going to stay? It seems like it would complicate the whole attestation story even more, see #80.

[dlorenc]

Thanks for the pointer! I think we need profile for GitHub, we'll have to check whether we can configure the scopes for each provider.

@bobcallaway is on vacation for another week, he's been evaluating whether we'll keep the proxy, move to another one, or remove it.

[bobcallaway]

I've fixed the google scopes, but fixing the MSFT ones will require a code change.

And yes, you're correct that having a proxy provider does complicate the attestation story a bit, but it does have some benefits as well. As Dan noted, I'm working on a doc that will compare/contrast the alternatives here and will post it for community feedback shortly.

[bobcallaway]

MSFT is now fixed as well at https://oauth2.sigstore.dev/auth

[lukehinds]

can we close ?