diff --git a/authentik/providers/proxy/api.py b/authentik/providers/proxy/api.py
index 853551872..af9b84630 100644
--- a/authentik/providers/proxy/api.py
+++ b/authentik/providers/proxy/api.py
@@ -11,6 +11,7 @@ from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import PassiveSerializer
 from authentik.lib.utils.time import timedelta_from_string
+from authentik.providers.oauth2.models import ScopeMapping
 from authentik.providers.oauth2.views.provider import ProviderInfoView
 from authentik.providers.proxy.models import ProxyMode, ProxyProvider
 
@@ -110,6 +111,7 @@ class ProxyOutpostConfigSerializer(ModelSerializer):
     oidc_configuration = SerializerMethodField()
     token_validity = SerializerMethodField()
+    scopes_to_request = SerializerMethodField()
 
     @extend_schema_field(OpenIDConnectConfigurationSerializer)
     def get_oidc_configuration(self, obj: ProxyProvider):
@@ -120,6 +122,14 @@ class ProxyOutpostConfigSerializer(ModelSerializer):
         """Get token validity as second count"""
         return timedelta_from_string(obj.token_validity).total_seconds()
 
+    def get_scopes_to_request(self, obj: ProxyProvider) -> list[str]:
+        """Get all the scope names the outpost should request,
+        including custom-defined ones"""
+        scope_names = set(
+            ScopeMapping.objects.filter(provider__in=[obj]).values_list("scope_name", flat=True)
+        )
+        return list(scope_names)
+
     class Meta:
 
         model = ProxyProvider
@@ -141,6 +151,7 @@ class ProxyOutpostConfigSerializer(ModelSerializer):
             "mode",
             "cookie_domain",
             "token_validity",
+            "scopes_to_request",
         ]
 
 
diff --git a/internal/outpost/proxyv2/application/application.go b/internal/outpost/proxyv2/application/application.go
index 3d0104a40..5cd720f6b 100644
--- a/internal/outpost/proxyv2/application/application.go
+++ b/internal/outpost/proxyv2/application/application.go
@@ -66,7 +66,7 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, cs *ak.CryptoStore
 		ClientSecret: *p.ClientSecret,
 		RedirectURL:  urlJoin(p.ExternalHost, "/akprox/callback"),
 		Endpoint:     endpoint.Endpoint,
-		Scopes:       []string{oidc.ScopeOpenID, "profile", "email", "ak_proxy"},
+		Scopes:       p.ScopesToRequest,
 	}
 	mux := mux.NewRouter()
 	a := &Application{
diff --git a/schema.yml b/schema.yml
index 239968bcc..bde81a2b4 100644
--- a/schema.yml
+++ b/schema.yml
@@ -28589,11 +28589,17 @@ components:
           format: float
           nullable: true
           readOnly: true
+        scopes_to_request:
+          type: array
+          items:
+            type: string
+          readOnly: true
       required:
       - external_host
       - name
       - oidc_configuration
       - pk
+      - scopes_to_request
       - token_validity
     ProxyProvider:
       type: object
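Review bot: get_scopes_to_request returns only the scope names of the ScopeMapping rows attached to obj, so the floor the outpost used to hard-code (`openid`, `profile`, `email`, `ak_proxy`, removed in the application.go hunk of this commit) is no longer guaranteed anywhere; a provider whose mappings do not include `openid` makes the outpost send an authorization request that cannot yield an ID token, and that presumably fails every login through the proxy rather than degrading it, surfacing on the outpost instead of where the mapping was detached. If the model is expected to always carry that mapping, state it in the docstring; otherwise `return sorted(scope_names | {"openid"})` keeps the minimum and also makes the order deterministic, which matters if the serialized outpost config is compared to detect changes (not visible here), or the same guard can live on the Go side by appending `oidc.ScopeOpenID` to `p.ScopesToRequest` when absent. `provider__in=[obj]` is a one-element membership test; `provider=obj` states the intent directly. The enclosing ProxyOutpostConfigSerializer starts and ends outside this hunk.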