Labels: kind/bug
Description
Describe the bug
We switched our oidc secret configuration to the externalSecret. We specified only OIDC_CLIENT_ID, OIDC_CLIENT_SECRET and the OIDC_ISSUER_URL, omitting the OIDC_SCOPES variable. However, the Deployment template in the helm chart still adds the -oidc-scopes arg.
To Reproduce
Steps to reproduce the bug:
- Install the helm chart with these values:

```yaml
config:
  oidc:
    secret:
      create: false
    externalSecret:
      enabled: true
      name: oidc
```

- Make sure to have a k8s secret with the above three mentioned variables set.
- Log out of your IDP, in our case Entra.
- Try to log in to headlamp via SignIn.
- Receive this error from the IDP:

```
Failed to exchange token: oauth2: "invalid_request" "AADSTS900144: The request body must contain the following parameter: 'code'. Trace ID: xxx Correlation ID: xxx Timestamp: 2025-11-28 15:10:09Z" "https://login.microsoftonline.com/error?code=900144"
```
Environment (please provide info about your environment):
- Installation type: In-Cluster via Helm
- Headlamp Version: 0.38.0
- Other: Entra applications are configured according to the documentation, without the AKS part:
https://headlamp.dev/docs/latest/installation/in-cluster/azure-entra-id/
Are you able to fix this issue?
Yes. We can add another if block to add the parameter only if it is actually set at this location:
```yaml
- "-oidc-scopes=$(OIDC_SCOPES)"
```
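As an added illustration of the proposed guard (not Headlamp's own deployment.yaml), this Go program renders a hypothetical fragment of the chart's `args` list through `text/template`, the engine Helm uses, with the `-oidc-scopes` line wrapped in an `if` on `.Values.config.oidc.scopes`; rendering with an empty value drops the arg, so the container is not handed a literal `$(OIDC_SCOPES)` when the external secret does not define that variable. The values path `config.oidc.scopes` and the `-in-cluster` arg are assumptions.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// Hypothetical fragment of a Deployment template (not Headlamp's real one):
// -oidc-scopes is emitted only when the assumed .Values.config.oidc.scopes
// is non-empty. Kubernetes leaves an undefined $(VAR) reference as literal
// text, so without the guard the server would get "$(OIDC_SCOPES)" as scopes.
const argsTemplate = `args:
  - "-in-cluster"
{{- if .Values.config.oidc.scopes }}
  - "-oidc-scopes=$(OIDC_SCOPES)"
{{- end }}
`

// RenderArgs renders the fragment for one config.oidc.scopes value,
// feeding a nested map to text/template the way Helm exposes .Values.
func RenderArgs(scopes string) (string, error) {
	tmpl, err := template.New("deployment").Parse(argsTemplate)
	if err != nil {
		return "", err
	}
	values := map[string]interface{}{
		"Values": map[string]interface{}{
			"config": map[string]interface{}{
				"oidc": map[string]interface{}{"scopes": scopes},
			},
		},
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, values); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	for _, scopes := range []string{"", "openid profile email"} {
		out, err := RenderArgs(scopes)
		if err != nil {
			panic(err)
		}
		fmt.Printf("scopes=%q renders:\n%s", scopes, out)
	}
}
```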