80f4fccd35
* don't open inspector by default when debug is enabled Signed-off-by: Jens Langhammer <jens@goauthentik.io> * encode error in fragment when using hybrid grant_type Signed-off-by: Jens Langhammer <jens@goauthentik.io> * require nonce for all response_types that get an id_token from the authorization endpoint Signed-off-by: Jens Langhammer <jens@goauthentik.io> * don't set empty family_name Signed-off-by: Jens Langhammer <jens@goauthentik.io> * only set at_hash when response has token Signed-off-by: Jens Langhammer <jens@goauthentik.io> * cleaner way to get login time Signed-off-by: Jens Langhammer <jens@goauthentik.io> * remove authentication requirement from authentication flow Signed-off-by: Jens Langhammer <jens@goauthentik.io> * use wrapper Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix auth_time not being handled correctly Signed-off-by: Jens Langhammer <jens@goauthentik.io> * minor cleanup Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add test files Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> * remove USER_LOGIN_AUTHENTICATED Signed-off-by: Jens Langhammer <jens@goauthentik.io> * rework prompt=login handling Signed-off-by: Jens Langhammer <jens@goauthentik.io> * also set last login uid for max_age check to prevent double login when max_age and prompt=login is set Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>
48 lines
1.8 KiB
YAML
48 lines
1.8 KiB
YAML
version: 1
|
|
metadata:
|
|
labels:
|
|
blueprints.goauthentik.io/system: "true"
|
|
name: System - OAuth2 Provider - Scopes
|
|
entries:
|
|
- identifiers:
|
|
managed: goauthentik.io/providers/oauth2/scope-openid
|
|
model: authentik_providers_oauth2.scopemapping
|
|
attrs:
|
|
name: "authentik default OAuth Mapping: OpenID 'openid'"
|
|
scope_name: openid
|
|
expression: |
|
|
# This scope is required by the OpenID-spec, and must as such exist in authentik.
|
|
# The scope by itself does not grant any information
|
|
return {}
|
|
- identifiers:
|
|
managed: goauthentik.io/providers/oauth2/scope-email
|
|
model: authentik_providers_oauth2.scopemapping
|
|
attrs:
|
|
name: "authentik default OAuth Mapping: OpenID 'email'"
|
|
scope_name: email
|
|
description: "Email address"
|
|
expression: |
|
|
return {
|
|
"email": request.user.email,
|
|
"email_verified": True
|
|
}
|
|
- identifiers:
|
|
managed: goauthentik.io/providers/oauth2/scope-profile
|
|
model: authentik_providers_oauth2.scopemapping
|
|
attrs:
|
|
name: "authentik default OAuth Mapping: OpenID 'profile'"
|
|
scope_name: profile
|
|
description: "General Profile Information"
|
|
expression: |
|
|
return {
|
|
# Because authentik only saves the user's full name, and has no concept of first and last names,
|
|
# the full name is used as given name.
|
|
# You can override this behaviour in custom mappings, i.e. `request.user.name.split(" ")`
|
|
"name": request.user.name,
|
|
"given_name": request.user.name,
|
|
"preferred_username": request.user.username,
|
|
"nickname": request.user.username,
|
|
# groups is not part of the official userinfo schema, but is a quasi-standard
|
|
"groups": [group.name for group in request.user.ak_groups.all()],
|
|
}
|