Fix some integration tests' handling of groups to work with Okta

test/integration/e2e_test.go

@@ -207,6 +207,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
 		page := browsertest.Open(t)
 
 		expectedUsername := env.SupervisorUpstreamOIDC.Username
+		expectedGroups := env.SupervisorUpstreamOIDC.ExpectedGroups
 
 		// Create a ClusterRoleBinding to give our test user from the upstream read-only access to the cluster.
 		testlib.CreateTestClusterRoleBinding(t,
@@ -277,7 +278,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
 		// scopes returned by the Supervisor, so list the requested scopes from the CLI flag here. This helper will
 		// assert that the expected username and groups claims/values are in the downstream ID token.
 		requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath,
-			pinnipedExe, expectedUsername, []string{}, []string{"offline_access", "openid", "pinniped:request-audience"})
+			pinnipedExe, expectedUsername, expectedGroups, []string{"offline_access", "openid", "pinniped:request-audience"})
 	})
 
 	t.Run("with Supervisor OIDC upstream IDP and manual authcode copy-paste from browser flow", func(t *testing.T) {

test/integration/supervisor_login_test.go

@@ -1292,6 +1292,10 @@ func TestSupervisorLogin_Browser(t *testing.T) {
 			name:      "oidc upstream with downstream dynamic client happy path, requesting all scopes",
 			maybeSkip: skipNever,
 			createIDP: func(t *testing.T) string {
+				spec := basicOIDCIdentityProviderSpec()
+				spec.AuthorizationConfig = idpv1alpha1.OIDCAuthorizationConfig{
+					AdditionalScopes: env.SupervisorUpstreamOIDC.AdditionalScopes,
+				}
 				return testlib.CreateTestOIDCIdentityProvider(t, basicOIDCIdentityProviderSpec(), idpv1alpha1.PhaseReady).Name
 			},
 			createOIDCClient: func(t *testing.T, callbackURL string) (string, string) {