From 9cbb4041651661666a425424c969bceae8cbe311 Mon Sep 17 00:00:00 2001
From: Herman Slatman <hermanslatman@hotmail.com>
Date: Wed, 2 Oct 2024 17:54:42 +0200
Subject: [PATCH] Add `--remove-scope` flag

---
 command/ca/provisioner/provisioner.go | 5 +++++
 command/ca/provisioner/update.go      | 1 +
 2 files changed, 6 insertions(+)

diff --git a/command/ca/provisioner/provisioner.go b/command/ca/provisioner/provisioner.go
index 4d53460ed..4f276b9dd 100644
--- a/command/ca/provisioner/provisioner.go
+++ b/command/ca/provisioner/provisioner.go
@@ -611,6 +611,11 @@ Use the '--group' flag multiple times to configure multiple groups.`,
 		Name: "scope",
 		Usage: `The <scope> list used to validate the scopes extension in an OpenID Connect token.
 Use the '--scope' flag multiple times to configure multiple scopes.`,
+	}
+	oidcRemoveScopeFlag = cli.StringSliceFlag{
+		Name: "remove-scope",
+		Usage: `Remove the <scope> used to validate the scopes extension in an OpenID Connect token.
+Use the '--remove-scope' flag multiple times to remove multiple scopes.`,
 	}
 	oidcAuthParamFlag = cli.StringSliceFlag{
 		Name: "auth-param",
diff --git a/command/ca/provisioner/update.go b/command/ca/provisioner/update.go
index 9db64796c..fa64543fa 100644
--- a/command/ca/provisioner/update.go
+++ b/command/ca/provisioner/update.go
@@ -129,6 +129,7 @@ SCEP
 			oidcGroupFlag,
 			oidcTenantIDFlag,
 			oidcScopeFlag,
+			oidcRemoveScopeFlag,
 			oidcAuthParamFlag,
 
 			// X5C Root Flag