# authentik system blueprint (labelled blueprints.goauthentik.io/system) that ships the
# default OAuth2/OIDC scope mappings: openid, email, profile and offline_access.
# Each entry's `expression` is Python source kept as a block scalar; authentik evaluates
# it with `request` in scope and, presumably, uses the returned dict as the claims
# released for that scope (the evaluation itself is not visible in this file).
# The `managed` identifier marks each mapping as system-owned — NOTE(review): confirm
# whether such entries are re-applied on upgrade before relying on local edits.
version: 1
metadata:
  labels:
    blueprints.goauthentik.io/system: "true"
  name: System - OAuth2 Provider - Scopes
entries:
  # openid: mandatory per the OIDC spec; the expression deliberately returns no claims.
  - identifiers:
      managed: goauthentik.io/providers/oauth2/scope-openid
    model: authentik_providers_oauth2.scopemapping
    attrs:
      name: "authentik default OAuth Mapping: OpenID 'openid'"
      scope_name: openid
      expression: |
        # This scope is required by the OpenID-spec, and must as such exist in authentik.
        # The scope by itself does not grant any information
        return {}
  # email: releases the user's stored address.
  - identifiers:
      managed: goauthentik.io/providers/oauth2/scope-email
    model: authentik_providers_oauth2.scopemapping
    attrs:
      name: "authentik default OAuth Mapping: OpenID 'email'"
      scope_name: email
      description: "Email address"
      # NOTE(review): `email_verified` is hard-coded to True — nothing here checks whether
      # the address was ever confirmed. Relying parties that auto-link or auto-provision
      # accounts on `email_verified == true` inherit that assumption; override this
      # mapping if the deployment cannot vouch for every user's address.
      expression: |
        return {
            "email": request.user.email,
            "email_verified": True
        }
  # profile: name/username claims plus a non-standard `groups` claim.
  - identifiers:
      managed: goauthentik.io/providers/oauth2/scope-profile
    model: authentik_providers_oauth2.scopemapping
    attrs:
      name: "authentik default OAuth Mapping: OpenID 'profile'"
      scope_name: profile
      description: "General Profile Information"
      # NOTE(review): `groups` lists the name of every group in `request.user.ak_groups`
      # (presumably all of the user's group memberships) to any client granted `profile`.
      # If group names are internal or sensitive, filter them in a custom mapping.
      expression: |
        return {
            # Because authentik only saves the user's full name, and has no concept of first and last names,
            # the full name is used as given name.
            # You can override this behaviour in custom mappings, i.e. `request.user.name.split(" ")`
            "name": request.user.name,
            "given_name": request.user.name,
            "preferred_username": request.user.username,
            "nickname": request.user.username,
            # groups is not part of the official userinfo schema, but is a quasi-standard
            "groups": [group.name for group in request.user.ak_groups.all()],
        }
  # offline_access: returns no claims; its effect is the refresh-token grant described in
  # the expression comment, so only clients that genuinely need unattended renewal
  # should be allowed to request it.
  - identifiers:
      managed: goauthentik.io/providers/oauth2/scope-offline_access
    model: authentik_providers_oauth2.scopemapping
    attrs:
      name: "authentik default OAuth Mapping: OpenID 'offline_access'"
      scope_name: offline_access
      description: "Access to request new tokens without interaction"
      expression: |
        # This scope grants the application a refresh token that can be used to refresh user data
        # and let the application access authentik without the users interaction
        return {}