Feature-Gated Permissions Scope

This scope may not be present on all auth providers.

README.md

@@ -53,6 +53,7 @@ The following switches are available:
 | Switch                            | Purpose                                                               |
 |-----------------------------------|-----------------------------------------------------------------------|
 | show_engagement_forum_activity    | Show the forum activity on the course engagement page                 |
+| enable_oidc_permissions_scope     | Retrieve general permissions from the OIDC provider.                  |
 
 
 Authentication & Authorization

analytics_dashboard/analytics_dashboard/backends.py

@@ -6,8 +6,8 @@
 
 from django.conf import settings
 import django.dispatch
-
 from social.backends.open_id import OpenIdConnectAuth
+from waffle import switch_is_active
 
 
 # pylint: disable=abstract-method
@@ -18,7 +18,7 @@ class EdXOpenIdConnect(OpenIdConnectAuth):
     REDIRECT_STATE = False
     ID_KEY = 'preferred_username'
 
-    DEFAULT_SCOPE = ['openid', 'profile', 'email', 'permissions'] + settings.COURSE_PERMISSIONS_SCOPE
+    DEFAULT_SCOPE = ['openid', 'profile', 'email'] + settings.COURSE_PERMISSIONS_SCOPE
     ID_TOKEN_ISSUER = settings.SOCIAL_AUTH_EDX_OIDC_URL_ROOT
     AUTHORIZATION_URL = '{0}/authorize/'.format(settings.SOCIAL_AUTH_EDX_OIDC_URL_ROOT)
     ACCESS_TOKEN_URL = '{0}/access_token/'.format(settings.SOCIAL_AUTH_EDX_OIDC_URL_ROOT)
@@ -101,6 +101,14 @@ def _map_user_details(self, response):
 
         return dest
 
+    def get_scope(self):
+        scope = super(EdXOpenIdConnect, self).get_scope()
+
+        if switch_is_active('enable_oidc_permissions_scope'):
+            scope.append('permissions')
+
+        return scope
+
 
 def _to_language(locale):
     """