From 39aa66204ce8da52b401692dc1cdc6272f835b89 Mon Sep 17 00:00:00 2001 From: David Hadley Date: Fri, 30 Jan 2026 15:54:14 +0000 Subject: [PATCH 1/2] feat(frontend): set keycloak scope from environment variable --- frontend/README.md | 1 + frontend/configure.sh | 1 + frontend/dashboard/.env.production | 1 + frontend/dashboard/src/RelayEnvironment.ts | 2 ++ frontend/dashboard/src/vite-env.d.ts | 1 + 5 files changed, 6 insertions(+) diff --git a/frontend/README.md b/frontend/README.md index 025731f52..e89a4805c 100644 --- a/frontend/README.md +++ b/frontend/README.md @@ -9,6 +9,7 @@ - VITE_KEYCLOAK_URL - VITE_KEYCLOAK_REALM - VITE_KEYCLOAK_CLIENT + - VITE_KEYCLOAK_SCOPE - VITE_GRAPH_URL - VITE_GRAPH_WS_URL 5. yarn dev in frontend/dashboard diff --git a/frontend/configure.sh b/frontend/configure.sh index 560d40f25..622319859 100644 --- a/frontend/configure.sh +++ b/frontend/configure.sh @@ -23,6 +23,7 @@ replace_placeholder() { replace_placeholder KEYCLOAK_URL replace_placeholder KEYCLOAK_REALM replace_placeholder KEYCLOAK_CLIENT +replace_placeholder KEYCLOAK_SCOPE replace_placeholder GRAPH_URL replace_placeholder GRAPH_WS_URL diff --git a/frontend/dashboard/.env.production b/frontend/dashboard/.env.production index 94f0df337..d961a0cfa 100644 --- a/frontend/dashboard/.env.production +++ b/frontend/dashboard/.env.production @@ -1,5 +1,6 @@ VITE_KEYCLOAK_URL = "{{ KEYCLOAK_URL }}" VITE_KEYCLOAK_REALM = "{{ KEYCLOAK_REALM }}" VITE_KEYCLOAK_CLIENT = "{{ KEYCLOAK_CLIENT }}" +VITE_KEYCLOAK_SCOPE = "{{ KEYCLOAK_SCOPE }}" VITE_GRAPH_URL = "{{ GRAPH_URL }}" VITE_GRAPH_WS_URL = "{{ GRAPH_WS_URL }}" diff --git a/frontend/dashboard/src/RelayEnvironment.ts b/frontend/dashboard/src/RelayEnvironment.ts index 5c417847c..7b87c40de 100644 --- a/frontend/dashboard/src/RelayEnvironment.ts +++ b/frontend/dashboard/src/RelayEnvironment.ts 
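Review bot: `replace_placeholder KEYCLOAK_SCOPE` in frontend/configure.sh substitutes the first value in this list that is expected to contain spaces (the staging values later in this series set `openid profile posix-uid email`), so the helper has to treat the value as one literal string. The body of replace_placeholder is outside the hunk; confirm that it quotes the variable expansion and escapes any character that is special to the substitution command it uses. It is also worth deciding what happens when KEYCLOAK_SCOPE is unset, for example failing fast with `: "${KEYCLOAK_SCOPE:?KEYCLOAK_SCOPE is not set}"`, or documenting that an empty scope is acceptable.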
@@ -13,6 +13,7 @@ import { createClient } from "graphql-ws"; const HTTP_ENDPOINT = import.meta.env.VITE_GRAPH_URL; const WS_ENDPOINT = import.meta.env.VITE_GRAPH_WS_URL; +const KEYCLOAK_SCOPE = import.meta.env.VITE_KEYCLOAK_SCOPE; const keycloak = await getKeycloak(); @@ -24,6 +25,7 @@ function ensureKeycloakInit(): Promise { kcinitPromise = keycloak .init({ onLoad: "login-required", + scope: KEYCLOAK_SCOPE, }) .catch((err: unknown) => { console.error("Keycloak init failed", err); diff --git a/frontend/dashboard/src/vite-env.d.ts b/frontend/dashboard/src/vite-env.d.ts index 724bcc19d..5f40aceda 100644 --- a/frontend/dashboard/src/vite-env.d.ts +++ b/frontend/dashboard/src/vite-env.d.ts @@ -4,6 +4,7 @@ interface ImportMetaEnv { readonly VITE_KEYCLOAK_URL: string; readonly VITE_KEYCLOAK_REALM: string; readonly VITE_KEYCLOAK_CLIENT: string; + readonly VITE_KEYCLOAK_SCOPE: string; readonly VITE_GRAPH_URL: string; readonly VITE_GRAPH_WS_URL: string; } From 9f7a80291f26a799396ce6ed79cda0bc3e0517bf Mon Sep 17 00:00:00 2001 From: David Hadley Date: Fri, 30 Jan 2026 15:55:50 +0000 Subject: [PATCH 2/2] feat(charts): update pollux keycloak to identity-dev --- charts/dashboard/Chart.yaml | 2 +- charts/dashboard/staging-values.yaml | 7 ++++--- charts/dashboard/templates/deployment.yaml | 2 ++ charts/workflows-cluster/Chart.lock | 6 +++--- charts/workflows-cluster/Chart.yaml | 4 ++-- charts/workflows-cluster/charts/secrets/Chart.yaml | 2 +- .../charts/secrets/templates/argo-server-sso.yaml | 2 +- charts/workflows-cluster/staging-values.yaml | 2 +- charts/workflows/Chart.yaml | 2 +- charts/workflows/staging-values.yaml | 2 +- 10 files changed, 17 insertions(+), 14 deletions(-) diff --git a/charts/dashboard/Chart.yaml b/charts/dashboard/Chart.yaml index dd22ba827..5584f22bc 100644 --- a/charts/dashboard/Chart.yaml +++ b/charts/dashboard/Chart.yaml 
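Review bot: `scope: KEYCLOAK_SCOPE` in ensureKeycloakInit hands the environment value to `keycloak.init` unchecked, and the new `readonly VITE_KEYCLOAK_SCOPE: string;` in vite-env.d.ts declares it as always present although nothing visible guarantees that. In a dev build without the variable it is `undefined`, and in a production image it may be empty or, if substitution was skipped, presumably still the literal `{{ KEYCLOAK_SCOPE }}`, which the identity provider is likely to reject at login. Normalising at the declaration, `const KEYCLOAK_SCOPE = import.meta.env.VITE_KEYCLOAK_SCOPE?.trim() || undefined;`, and typing the variable as `readonly VITE_KEYCLOAK_SCOPE?: string;` keeps the adapter's default scope when nothing is configured. Since the scope decides which claims end up in the token held by the browser, a one-line comment above the constant stating which scopes the dashboard needs would help reviewers keep the list minimal. ensureKeycloakInit starts and ends outside the hunk.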
@@ -2,7 +2,7 @@ apiVersion: v2 name: dashboard description: A dashboard for Diamond workflows type: application -version: 0.2.10 +version: 0.2.11 appVersion: 0.1.11 dependencies: - name: common diff --git a/charts/dashboard/staging-values.yaml b/charts/dashboard/staging-values.yaml index b2584c29e..2f952f502 100644 --- a/charts/dashboard/staging-values.yaml +++ b/charts/dashboard/staging-values.yaml @@ -1,7 +1,8 @@ configuration: - keycloakUrl: https://authn.diamond.ac.uk - keycloakRealm: master - keycloakClient: workflows-dashboard-staging + keycloakUrl: https://identity-dev.diamond.ac.uk + keycloakRealm: dls + keycloakClient: workflows-ui-dev + keycloakScope: "openid profile posix-uid email" graphUrl: https://staging.workflows.diamond.ac.uk/graphql graphWsUrl: wss://staging.workflows.diamond.ac.uk/graphql/ws sourceDir: "/usr/share/nginx/html" diff --git a/charts/dashboard/templates/deployment.yaml b/charts/dashboard/templates/deployment.yaml index 8921540a2..fe7f37d3a 100644 --- a/charts/dashboard/templates/deployment.yaml +++ b/charts/dashboard/templates/deployment.yaml @@ -58,6 +58,8 @@ spec: value: {{ .Values.configuration.keycloakRealm }} - name: KEYCLOAK_CLIENT value: {{ .Values.configuration.keycloakClient }} + - name: KEYCLOAK_SCOPE + value: {{ .Values.configuration.keycloakScope }} - name: GRAPH_URL value: {{ .Values.configuration.graphUrl }} - name: GRAPH_WS_URL diff --git a/charts/workflows-cluster/Chart.lock b/charts/workflows-cluster/Chart.lock index 72a904d3a..e2af92662 100644 --- a/charts/workflows-cluster/Chart.lock +++ b/charts/workflows-cluster/Chart.lock @@ -7,6 +7,6 @@ dependencies: version: 0.27.0 - name: secrets repository: file://./charts/secrets - version: 0.0.3 -digest: sha256:ae868d10980562867d5d047808451ef241ed988f6166c1f11db12e2fc88f45bd -generated: "2026-01-14T13:30:29.267274419Z" + version: 0.0.4 +digest: sha256:34c635039e08cc1bc5fa12001c88d0b7596dda404db587568154b2531ce0b466 +generated: "2026-01-30T16:04:48.848347184Z" 
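Review bot: `value: {{ .Values.configuration.keycloakScope }}` in charts/dashboard/templates/deployment.yaml renders an empty `value:` whenever a values file does not define `keycloakScope`, and this patch adds the key only to staging-values.yaml. Whether the chart's default values define it is not visible here; if they do not, every other environment gets an empty KEYCLOAK_SCOPE. The value is a space-separated list, so an explicit default and quoting are safer than relying on plain-scalar parsing: `value: {{ .Values.configuration.keycloakScope | default "openid" | quote }}`. The neighbouring entries are unquoted as well, so this is a suggestion for the new line, not a regression introduced by it.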
diff --git a/charts/workflows-cluster/Chart.yaml b/charts/workflows-cluster/Chart.yaml index 81e650313..e4574bb28 100644 --- a/charts/workflows-cluster/Chart.yaml +++ b/charts/workflows-cluster/Chart.yaml @@ -3,7 +3,7 @@ name: workflows-cluster description: A virtual cluster for Data Analysis workflows type: application -version: 0.9.24 +version: 0.9.25 dependencies: - name: common version: 2.23.0 @@ -13,5 +13,5 @@ dependencies: version: 0.27.0 - name: secrets repository: file://./charts/secrets - version: 0.0.3 + version: 0.0.4 condition: secrets.enabled diff --git a/charts/workflows-cluster/charts/secrets/Chart.yaml b/charts/workflows-cluster/charts/secrets/Chart.yaml index 9e2201399..1632fe006 100644 --- a/charts/workflows-cluster/charts/secrets/Chart.yaml +++ b/charts/workflows-cluster/charts/secrets/Chart.yaml @@ -3,7 +3,7 @@ name: secrets description: Sealed secrets for the workflows platform type: application -version: 0.0.3 +version: 0.0.4 dependencies: - name: common diff --git a/charts/workflows-cluster/charts/secrets/templates/argo-server-sso.yaml b/charts/workflows-cluster/charts/secrets/templates/argo-server-sso.yaml index dfa9dd46d..36eebc075 100644 --- a/charts/workflows-cluster/charts/secrets/templates/argo-server-sso.yaml +++ b/charts/workflows-cluster/charts/secrets/templates/argo-server-sso.yaml @@ -20,7 +20,7 @@ metadata: namespace: workflows spec: encryptedData: - secret: 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 + secret: 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 template: metadata: name: argo-server-sso diff --git a/charts/workflows-cluster/staging-values.yaml b/charts/workflows-cluster/staging-values.yaml index 0970e87f1..8a02a2d35 100644 --- a/charts/workflows-cluster/staging-values.yaml +++ b/charts/workflows-cluster/staging-values.yaml 
@@ -80,7 +80,7 @@ ingress: authenticationConfiguration: jwt: - issuer: - url: https://authn.diamond.ac.uk/realms/master + url: https://identity-dev.diamond.ac.uk/realms/dls audiences: - workflows-cluster-staging - graph diff --git a/charts/workflows/Chart.yaml b/charts/workflows/Chart.yaml index a872c22da..3f57f2a1b 100644 --- a/charts/workflows/Chart.yaml +++ b/charts/workflows/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: workflows description: Data Analysis workflow orchestration type: application -version: 0.13.36 +version: 0.13.37 dependencies: - name: argo-workflows repository: https://argoproj.github.io/argo-helm diff --git a/charts/workflows/staging-values.yaml b/charts/workflows/staging-values.yaml index 23db28579..a6316b491 100644 --- a/charts/workflows/staging-values.yaml +++ b/charts/workflows/staging-values.yaml @@ -13,7 +13,7 @@ oauth2-proxy: clientSecretFile: /etc/alpha/secret id: authn oidcConfig: - issuerURL: https://authn.diamond.ac.uk/realms/master + issuerURL: https://identity-dev.diamond.ac.uk/realms/dls insecureAllowUnverifiedEmail: true audienceClaims: - aud
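Review bot: The `audiences` entries `workflows-cluster-staging` and `graph` in charts/workflows-cluster/staging-values.yaml are unchanged although the issuer under `authenticationConfiguration.jwt` moves to `https://identity-dev.diamond.ac.uk/realms/dls` and the same commit renames the dashboard client to `workflows-ui-dev`. Tokens from the new realm will presumably be accepted only if their `aud` claim carries one of the listed values, so realm `dls` needs matching clients or audience mappers; that cannot be verified from this patch. A comment above `audiences:` naming the clients that emit these values, for example `# aud values issued by realm dls for clients <CLIENT_NAMES>`, would make the dependency explicit. The host name suggests a development identity provider now anchors trust for the staging cluster, which is worth stating in the commit description if intended. The audiences list may continue past the end of the hunk.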
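Review bot: `insecureAllowUnverifiedEmail: true` in charts/workflows/staging-values.yaml stays in place while `issuerURL` moves to `https://identity-dev.diamond.ac.uk/realms/dls`, so oauth2-proxy keeps accepting identities whose email the new realm has not verified. If anything downstream authorizes on the email claim, confirm that realm `dls` does not allow self-registration or user-editable email addresses, or drop the flag once the realm sets `email_verified`. The provider entry also keeps `id: authn`, the name of the previous host; a comment such as `# id kept for compatibility; issuer is identity-dev` would avoid confusion. The oidcConfig block may continue outside the hunk.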