move oauth common things

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

authentik/api/authentication.py

@@ -10,10 +10,10 @@ from rest_framework.exceptions import AuthenticationFailed
 from rest_framework.request import Request
 from structlog.stdlib import get_logger
 
+from authentik.common.oauth.constants import SCOPE_AUTHENTIK_API
 from authentik.core.middleware import CTX_AUTH_VIA
 from authentik.core.models import Token, TokenIntents, User
 from authentik.outposts.models import Outpost
-from authentik.providers.oauth2.constants import SCOPE_AUTHENTIK_API
 
 LOGGER = get_logger()
 

authentik/api/tests/test_auth.py

@@ -10,12 +10,12 @@ from rest_framework.exceptions import AuthenticationFailed
 
 from authentik.api.authentication import bearer_auth
 from authentik.blueprints.tests import reconcile_app
+from authentik.common.oauth.constants import SCOPE_AUTHENTIK_API
 from authentik.core.models import Token, TokenIntents, User, UserTypes
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.outposts.apps import MANAGED_OUTPOST
 from authentik.outposts.models import Outpost
-from authentik.providers.oauth2.constants import SCOPE_AUTHENTIK_API
 from authentik.providers.oauth2.models import AccessToken, OAuth2Provider
 
 

authentik/providers/oauth2/id_token.py

@@ -9,15 +9,15 @@ from django.http import HttpRequest
 from django.utils import timezone
 from django.utils.translation import gettext_lazy as _
 
-from authentik.core.models import default_token_duration
+from authentik.common.oauth.constants import (
-from authentik.events.signals import get_login_event
-from authentik.lib.generators import generate_id
-from authentik.providers.oauth2.constants import (
     ACR_AUTHENTIK_DEFAULT,
     AMR_MFA,
     AMR_PASSWORD,
     AMR_WEBAUTHN,
 )
+from authentik.core.models import default_token_duration
+from authentik.events.signals import get_login_event
+from authentik.lib.generators import generate_id
 from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS
 
 if TYPE_CHECKING:

authentik/providers/oauth2/tests/test_authorize.py

@@ -7,13 +7,13 @@ from django.urls import reverse
 from django.utils.timezone import now
 
 from authentik.blueprints.tests import apply_blueprint
+from authentik.common.oauth.constants import TOKEN_TYPE
+from authentik.common.oauth.errors import AuthorizeError, ClientIdError, RedirectUriError
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.events.models import Event, EventAction
 from authentik.lib.generators import generate_id
 from authentik.lib.utils.time import timedelta_from_string
-from authentik.providers.oauth2.constants import TOKEN_TYPE
-from authentik.providers.oauth2.errors import AuthorizeError, ClientIdError, RedirectUriError
 from authentik.providers.oauth2.models import (
     AccessToken,
     AuthorizationCode,

authentik/providers/oauth2/tests/test_introspect.py

@@ -7,10 +7,10 @@ from dataclasses import asdict
 from django.urls import reverse
 from django.utils import timezone
 
+from authentik.common.oauth.constants import ACR_AUTHENTIK_DEFAULT
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
 from authentik.lib.generators import generate_id
-from authentik.providers.oauth2.constants import ACR_AUTHENTIK_DEFAULT
 from authentik.providers.oauth2.models import (
     AccessToken,
     IDToken,

authentik/providers/oauth2/tests/test_token.py

@@ -8,16 +8,16 @@ from django.urls import reverse
 from django.utils import timezone
 
 from authentik.blueprints.tests import apply_blueprint
-from authentik.core.models import Application
+from authentik.common.oauth.constants import (
-from authentik.core.tests.utils import create_test_admin_user, create_test_flow
-from authentik.events.models import Event, EventAction
-from authentik.lib.generators import generate_id, generate_key
-from authentik.providers.oauth2.constants import (
     GRANT_TYPE_AUTHORIZATION_CODE,
     GRANT_TYPE_REFRESH_TOKEN,
     TOKEN_TYPE,
 )
-from authentik.providers.oauth2.errors import TokenError
+from authentik.common.oauth.errors import TokenError
+from authentik.core.models import Application
+from authentik.core.tests.utils import create_test_admin_user, create_test_flow
+from authentik.events.models import Event, EventAction
+from authentik.lib.generators import generate_id, generate_key
 from authentik.providers.oauth2.models import (
     AccessToken,
     AuthorizationCode,

authentik/providers/oauth2/tests/test_token_cc_jwt_provider.py

@@ -9,17 +9,17 @@ from django.utils.timezone import now
 from jwt import decode
 
 from authentik.blueprints.tests import apply_blueprint
-from authentik.core.models import Application, Group
+from authentik.common.oauth.constants import (
-from authentik.core.tests.utils import create_test_cert, create_test_flow, create_test_user
-from authentik.lib.generators import generate_id
-from authentik.policies.models import PolicyBinding
-from authentik.providers.oauth2.constants import (
     GRANT_TYPE_CLIENT_CREDENTIALS,
     SCOPE_OPENID,
     SCOPE_OPENID_EMAIL,
     SCOPE_OPENID_PROFILE,
     TOKEN_TYPE,
 )
+from authentik.core.models import Application, Group
+from authentik.core.tests.utils import create_test_cert, create_test_flow, create_test_user
+from authentik.lib.generators import generate_id
+from authentik.policies.models import PolicyBinding
 from authentik.providers.oauth2.models import (
     AccessToken,
     OAuth2Provider,

authentik/providers/oauth2/tests/test_token_cc_jwt_source.py

@@ -8,17 +8,17 @@ from django.urls import reverse
 from jwt import decode
 
 from authentik.blueprints.tests import apply_blueprint
-from authentik.core.models import Application, Group
+from authentik.common.oauth.constants import (
-from authentik.core.tests.utils import create_test_cert, create_test_flow
-from authentik.lib.generators import generate_id
-from authentik.policies.models import PolicyBinding
-from authentik.providers.oauth2.constants import (
     GRANT_TYPE_CLIENT_CREDENTIALS,
     SCOPE_OPENID,
     SCOPE_OPENID_EMAIL,
     SCOPE_OPENID_PROFILE,
     TOKEN_TYPE,
 )
+from authentik.core.models import Application, Group
+from authentik.core.tests.utils import create_test_cert, create_test_flow
+from authentik.lib.generators import generate_id
+from authentik.policies.models import PolicyBinding
 from authentik.providers.oauth2.models import (
     OAuth2Provider,
     RedirectURI,

authentik/providers/oauth2/tests/test_token_cc_standard.py

@@ -7,10 +7,7 @@ from django.urls import reverse
 from jwt import decode
 
 from authentik.blueprints.tests import apply_blueprint
-from authentik.core.models import Application, Group, Token, TokenIntents, UserTypes
+from authentik.common.oauth.constants import (
-from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
-from authentik.policies.models import PolicyBinding
-from authentik.providers.oauth2.constants import (
     GRANT_TYPE_CLIENT_CREDENTIALS,
     GRANT_TYPE_PASSWORD,
     SCOPE_OPENID,
@@ -18,7 +15,10 @@ from authentik.providers.oauth2.constants import (
     SCOPE_OPENID_PROFILE,
     TOKEN_TYPE,
 )
-from authentik.providers.oauth2.errors import TokenError
+from authentik.common.oauth.errors import TokenError
+from authentik.core.models import Application, Group, Token, TokenIntents, UserTypes
+from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
+from authentik.policies.models import PolicyBinding
 from authentik.providers.oauth2.models import (
     AccessToken,
     OAuth2Provider,

authentik/providers/oauth2/tests/test_token_cc_standard_compat.py

@@ -8,10 +8,7 @@ from django.urls import reverse
 from jwt import decode
 
 from authentik.blueprints.tests import apply_blueprint
-from authentik.core.models import Application, Group, Token, TokenIntents, UserTypes
+from authentik.common.oauth.constants import (
-from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
-from authentik.policies.models import PolicyBinding
-from authentik.providers.oauth2.constants import (
     GRANT_TYPE_CLIENT_CREDENTIALS,
     GRANT_TYPE_PASSWORD,
     SCOPE_OPENID,
@@ -19,7 +16,10 @@ from authentik.providers.oauth2.constants import (
     SCOPE_OPENID_PROFILE,
     TOKEN_TYPE,
 )
-from authentik.providers.oauth2.errors import TokenError
+from authentik.common.oauth.errors import TokenError
+from authentik.core.models import Application, Group, Token, TokenIntents, UserTypes
+from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
+from authentik.policies.models import PolicyBinding
 from authentik.providers.oauth2.models import (
     OAuth2Provider,
     RedirectURI,

authentik/providers/oauth2/tests/test_token_cc_user_pw.py

@@ -7,10 +7,7 @@ from django.urls import reverse
 from jwt import decode
 
 from authentik.blueprints.tests import apply_blueprint
-from authentik.core.models import Application, Group, Token, TokenIntents, UserTypes
+from authentik.common.oauth.constants import (
-from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
-from authentik.policies.models import PolicyBinding
-from authentik.providers.oauth2.constants import (
     GRANT_TYPE_CLIENT_CREDENTIALS,
     GRANT_TYPE_PASSWORD,
     SCOPE_OPENID,
@@ -18,7 +15,10 @@ from authentik.providers.oauth2.constants import (
     SCOPE_OPENID_PROFILE,
     TOKEN_TYPE,
 )
-from authentik.providers.oauth2.errors import TokenError
+from authentik.common.oauth.errors import TokenError
+from authentik.core.models import Application, Group, Token, TokenIntents, UserTypes
+from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
+from authentik.policies.models import PolicyBinding
 from authentik.providers.oauth2.models import (
     OAuth2Provider,
     RedirectURI,

authentik/providers/oauth2/tests/test_token_device.py

@@ -6,14 +6,14 @@ from django.test import RequestFactory
 from django.urls import reverse
 
 from authentik.blueprints.tests import apply_blueprint
-from authentik.core.models import Application
+from authentik.common.oauth.constants import (
-from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
-from authentik.lib.generators import generate_code_fixed_length, generate_id
-from authentik.providers.oauth2.constants import (
     GRANT_TYPE_DEVICE_CODE,
     SCOPE_OPENID,
     SCOPE_OPENID_EMAIL,
 )
+from authentik.core.models import Application
+from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
+from authentik.lib.generators import generate_code_fixed_length, generate_id
 from authentik.providers.oauth2.models import (
     AccessToken,
     DeviceToken,

authentik/providers/oauth2/tests/test_token_pkce.py

@@ -6,10 +6,10 @@ from hashlib import sha256
 from django.test import RequestFactory
 from django.urls import reverse
 
+from authentik.common.oauth.constants import GRANT_TYPE_AUTHORIZATION_CODE
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.lib.generators import generate_id
-from authentik.providers.oauth2.constants import GRANT_TYPE_AUTHORIZATION_CODE
 from authentik.providers.oauth2.models import (
     AuthorizationCode,
     OAuth2Provider,

authentik/providers/oauth2/utils.py

@@ -11,9 +11,9 @@ from django.http.response import HttpResponseRedirect
 from django.utils.cache import patch_vary_headers
 from structlog.stdlib import get_logger
 
+from authentik.common.oauth.errors import BearerTokenError
 from authentik.core.middleware import CTX_AUTH_VIA, KEY_USER
 from authentik.events.models import Event, EventAction
-from authentik.providers.oauth2.errors import BearerTokenError
 from authentik.providers.oauth2.models import AccessToken, OAuth2Provider
 
 LOGGER = get_logger()

authentik/providers/oauth2/views/authorize.py

@@ -15,6 +15,23 @@ from django.utils import timezone
 from django.utils.translation import gettext as _
 from structlog.stdlib import get_logger
 
+from authentik.common.oauth.constants import (
+    PKCE_METHOD_PLAIN,
+    PKCE_METHOD_S256,
+    PROMPT_CONSENT,
+    PROMPT_LOGIN,
+    PROMPT_NONE,
+    SCOPE_GITHUB,
+    SCOPE_OFFLINE_ACCESS,
+    SCOPE_OPENID,
+    TOKEN_TYPE,
+)
+from authentik.common.oauth.errors import (
+    AuthorizeError,
+    ClientIdError,
+    OAuth2Error,
+    RedirectUriError,
+)
 from authentik.core.models import Application
 from authentik.events.models import Event, EventAction
 from authentik.events.signals import get_login_event
@@ -31,23 +48,6 @@ from authentik.lib.utils.time import timedelta_from_string
 from authentik.lib.views import bad_request_message
 from authentik.policies.types import PolicyRequest
 from authentik.policies.views import PolicyAccessView, RequestValidationError
-from authentik.providers.oauth2.constants import (
-    PKCE_METHOD_PLAIN,
-    PKCE_METHOD_S256,
-    PROMPT_CONSENT,
-    PROMPT_LOGIN,
-    PROMPT_NONE,
-    SCOPE_GITHUB,
-    SCOPE_OFFLINE_ACCESS,
-    SCOPE_OPENID,
-    TOKEN_TYPE,
-)
-from authentik.providers.oauth2.errors import (
-    AuthorizeError,
-    ClientIdError,
-    OAuth2Error,
-    RedirectUriError,
-)
 from authentik.providers.oauth2.id_token import IDToken
 from authentik.providers.oauth2.models import (
     AccessToken,

authentik/providers/oauth2/views/github.py

@@ -6,7 +6,7 @@ from django.utils.text import slugify
 from django.views import View
 from django.views.decorators.csrf import csrf_exempt
 
-from authentik.providers.oauth2.constants import SCOPE_GITHUB_ORG_READ, SCOPE_GITHUB_USER_EMAIL
+from authentik.common.oauth.constants import SCOPE_GITHUB_ORG_READ, SCOPE_GITHUB_USER_EMAIL
 from authentik.providers.oauth2.models import RefreshToken
 from authentik.providers.oauth2.utils import protected_resource_view
 

authentik/providers/oauth2/views/introspection.py

@@ -8,7 +8,7 @@ from django.views import View
 from django.views.decorators.csrf import csrf_exempt
 from structlog.stdlib import get_logger
 
-from authentik.providers.oauth2.errors import TokenIntrospectionError
+from authentik.common.oauth.errors import TokenIntrospectionError
 from authentik.providers.oauth2.models import AccessToken, IDToken, OAuth2Provider, RefreshToken
 from authentik.providers.oauth2.utils import TokenResponse, authenticate_provider
 

authentik/providers/oauth2/views/provider.py

@@ -8,9 +8,7 @@ from django.views import View
 from guardian.shortcuts import get_anonymous_user
 from structlog.stdlib import get_logger
 
-from authentik.core.expression.exceptions import PropertyMappingExpressionException
+from authentik.common.oauth.constants import (
-from authentik.core.models import Application
-from authentik.providers.oauth2.constants import (
     ACR_AUTHENTIK_DEFAULT,
     GRANT_TYPE_AUTHORIZATION_CODE,
     GRANT_TYPE_CLIENT_CREDENTIALS,
@@ -22,6 +20,8 @@ from authentik.providers.oauth2.constants import (
     PKCE_METHOD_S256,
     SCOPE_OPENID,
 )
+from authentik.core.expression.exceptions import PropertyMappingExpressionException
+from authentik.core.models import Application
 from authentik.providers.oauth2.models import (
     OAuth2Provider,
     ResponseMode,

authentik/providers/oauth2/views/token.py

@@ -20,6 +20,20 @@ from jwt import PyJWK, PyJWT, PyJWTError, decode
 from sentry_sdk import start_span
 from structlog.stdlib import get_logger
 
+from authentik.common.oauth.constants import (
+    CLIENT_ASSERTION,
+    CLIENT_ASSERTION_TYPE,
+    CLIENT_ASSERTION_TYPE_JWT,
+    GRANT_TYPE_AUTHORIZATION_CODE,
+    GRANT_TYPE_CLIENT_CREDENTIALS,
+    GRANT_TYPE_DEVICE_CODE,
+    GRANT_TYPE_PASSWORD,
+    GRANT_TYPE_REFRESH_TOKEN,
+    PKCE_METHOD_S256,
+    SCOPE_OFFLINE_ACCESS,
+    TOKEN_TYPE,
+)
+from authentik.common.oauth.errors import DeviceCodeError, TokenError, UserAuthError
 from authentik.core.middleware import CTX_AUTH_VIA
 from authentik.core.models import (
     USER_ATTRIBUTE_EXPIRES,
@@ -37,20 +51,6 @@ from authentik.events.signals import get_login_event
 from authentik.flows.planner import PLAN_CONTEXT_APPLICATION
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.policies.engine import PolicyEngine
-from authentik.providers.oauth2.constants import (
-    CLIENT_ASSERTION,
-    CLIENT_ASSERTION_TYPE,
-    CLIENT_ASSERTION_TYPE_JWT,
-    GRANT_TYPE_AUTHORIZATION_CODE,
-    GRANT_TYPE_CLIENT_CREDENTIALS,
-    GRANT_TYPE_DEVICE_CODE,
-    GRANT_TYPE_PASSWORD,
-    GRANT_TYPE_REFRESH_TOKEN,
-    PKCE_METHOD_S256,
-    SCOPE_OFFLINE_ACCESS,
-    TOKEN_TYPE,
-)
-from authentik.providers.oauth2.errors import DeviceCodeError, TokenError, UserAuthError
 from authentik.providers.oauth2.id_token import IDToken
 from authentik.providers.oauth2.models import (
     AccessToken,

authentik/providers/oauth2/views/token_revoke.py

@@ -8,7 +8,7 @@ from django.views import View
 from django.views.decorators.csrf import csrf_exempt
 from structlog.stdlib import get_logger
 
-from authentik.providers.oauth2.errors import TokenRevocationError
+from authentik.common.oauth.errors import TokenRevocationError
 from authentik.providers.oauth2.models import AccessToken, ClientTypes, OAuth2Provider, RefreshToken
 from authentik.providers.oauth2.utils import (
     TokenResponse,

authentik/providers/oauth2/views/userinfo.py

@@ -11,16 +11,16 @@ from django.views import View
 from django.views.decorators.csrf import csrf_exempt
 from structlog.stdlib import get_logger
 
-from authentik.core.expression.exceptions import PropertyMappingExpressionException
+from authentik.common.oauth.constants import (
-from authentik.events.models import Event, EventAction
-from authentik.flows.challenge import PermissionDict
-from authentik.providers.oauth2.constants import (
     SCOPE_GITHUB_ORG_READ,
     SCOPE_GITHUB_USER,
     SCOPE_GITHUB_USER_EMAIL,
     SCOPE_GITHUB_USER_READ,
     SCOPE_OPENID,
 )
+from authentik.core.expression.exceptions import PropertyMappingExpressionException
+from authentik.events.models import Event, EventAction
+from authentik.flows.challenge import PermissionDict
 from authentik.providers.oauth2.models import (
     BaseGrantModel,
     OAuth2Provider,

authentik/sources/oauth/types/gitlab.py

@@ -7,6 +7,7 @@ and https://docs.gitlab.com/ee/integration/openid_connect_provider.html
 
 from typing import Any
 
+from authentik.common.oauth.constants import SCOPE_OPENID, SCOPE_OPENID_EMAIL, SCOPE_OPENID_PROFILE
 from authentik.sources.oauth.models import AuthorizationCodeAuthMethod, OAuthSource
 from authentik.sources.oauth.types.registry import SourceType, registry
 from authentik.sources.oauth.views.redirect import OAuthRedirect
@@ -17,7 +18,7 @@ class GitLabOAuthRedirect(OAuthRedirect):
 
     def get_additional_parameters(self, source: OAuthSource):
         return {
-            "scope": ["read_user", "openid", "profile", "email"],
+            "scope": ["read_user", SCOPE_OPENID, SCOPE_OPENID_PROFILE, SCOPE_OPENID_EMAIL],
         }
 
 

authentik/sources/oauth/types/google.py

@@ -2,6 +2,7 @@
 
 from typing import Any
 
+from authentik.common.oauth.constants import SCOPE_OPENID_EMAIL, SCOPE_OPENID_PROFILE
 from authentik.sources.oauth.models import AuthorizationCodeAuthMethod
 from authentik.sources.oauth.types.registry import SourceType, registry
 from authentik.sources.oauth.views.redirect import OAuthRedirect
@@ -12,7 +13,7 @@ class GoogleOAuthRedirect(OAuthRedirect):
 
     def get_additional_parameters(self, source):  # pragma: no cover
         return {
-            "scope": ["email", "profile"],
+            "scope": [SCOPE_OPENID_PROFILE, SCOPE_OPENID_EMAIL],
         }
 
 

authentik/sources/oauth/types/mailcow.py

@@ -5,6 +5,7 @@ from typing import Any
 from requests.exceptions import RequestException
 from structlog.stdlib import get_logger
 
+from authentik.common.oauth.constants import SCOPE_OPENID_PROFILE
 from authentik.sources.oauth.clients.oauth2 import OAuth2Client
 from authentik.sources.oauth.models import AuthorizationCodeAuthMethod
 from authentik.sources.oauth.types.registry import SourceType, registry
@@ -19,7 +20,7 @@ class MailcowOAuthRedirect(OAuthRedirect):
 
     def get_additional_parameters(self, source):  # pragma: no cover
         return {
-            "scope": ["profile"],
+            "scope": [SCOPE_OPENID_PROFILE],
         }
 
 

authentik/sources/oauth/types/oidc.py

@@ -4,6 +4,7 @@ from typing import Any
 
 from requests.auth import AuthBase, HTTPBasicAuth
 
+from authentik.common.oauth.constants import SCOPE_OPENID, SCOPE_OPENID_EMAIL, SCOPE_OPENID_PROFILE
 from authentik.sources.oauth.clients.oauth2 import UserprofileHeaderAuthClient
 from authentik.sources.oauth.models import AuthorizationCodeAuthMethod, OAuthSource
 from authentik.sources.oauth.types.registry import SourceType, registry
@@ -16,7 +17,7 @@ class OpenIDConnectOAuthRedirect(OAuthRedirect):
 
     def get_additional_parameters(self, source: OAuthSource):  # pragma: no cover
         return {
-            "scope": ["openid", "email", "profile"],
+            "scope": [SCOPE_OPENID, SCOPE_OPENID_PROFILE, SCOPE_OPENID_EMAIL],
         }
 
 

authentik/sources/oauth/types/okta.py

@@ -2,6 +2,7 @@
 
 from typing import Any
 
+from authentik.common.oauth.constants import SCOPE_OPENID, SCOPE_OPENID_EMAIL, SCOPE_OPENID_PROFILE
 from authentik.sources.oauth.models import OAuthSource
 from authentik.sources.oauth.types.oidc import OpenIDConnectOAuth2Callback
 from authentik.sources.oauth.types.registry import SourceType, registry
@@ -13,7 +14,7 @@ class OktaOAuthRedirect(OAuthRedirect):
 
     def get_additional_parameters(self, source: OAuthSource):  # pragma: no cover
         return {
-            "scope": ["openid", "email", "profile"],
+            "scope": [SCOPE_OPENID, SCOPE_OPENID_PROFILE, SCOPE_OPENID_EMAIL],
         }
 
 

tests/e2e/test_provider_oauth2_grafana.py

@@ -7,18 +7,18 @@ from selenium.webdriver.common.by import By
 from selenium.webdriver.support import expected_conditions as ec
 
 from authentik.blueprints.tests import apply_blueprint, reconcile_app
+from authentik.common.oauth.constants import (
+    SCOPE_OFFLINE_ACCESS,
+    SCOPE_OPENID,
+    SCOPE_OPENID_EMAIL,
+    SCOPE_OPENID_PROFILE,
+)
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_cert
 from authentik.flows.models import Flow
 from authentik.lib.generators import generate_id, generate_key
 from authentik.policies.expression.models import ExpressionPolicy
 from authentik.policies.models import PolicyBinding
-from authentik.providers.oauth2.constants import (
-    SCOPE_OFFLINE_ACCESS,
-    SCOPE_OPENID,
-    SCOPE_OPENID_EMAIL,
-    SCOPE_OPENID_PROFILE,
-)
 from authentik.providers.oauth2.models import (
     ClientTypes,
     OAuth2Provider,

tests/e2e/test_provider_oidc.py

@@ -7,18 +7,18 @@ from selenium.webdriver.common.by import By
 from selenium.webdriver.support import expected_conditions as ec
 
 from authentik.blueprints.tests import apply_blueprint, reconcile_app
+from authentik.common.oauth.constants import (
+    SCOPE_OFFLINE_ACCESS,
+    SCOPE_OPENID,
+    SCOPE_OPENID_EMAIL,
+    SCOPE_OPENID_PROFILE,
+)
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_cert
 from authentik.flows.models import Flow
 from authentik.lib.generators import generate_id, generate_key
 from authentik.policies.expression.models import ExpressionPolicy
 from authentik.policies.models import PolicyBinding
-from authentik.providers.oauth2.constants import (
-    SCOPE_OFFLINE_ACCESS,
-    SCOPE_OPENID,
-    SCOPE_OPENID_EMAIL,
-    SCOPE_OPENID_PROFILE,
-)
 from authentik.providers.oauth2.models import (
     ClientTypes,
     OAuth2Provider,

tests/e2e/test_provider_oidc_implicit.py

@@ -7,18 +7,18 @@ from selenium.webdriver.common.by import By
 from selenium.webdriver.support import expected_conditions as ec
 
 from authentik.blueprints.tests import apply_blueprint, reconcile_app
+from authentik.common.oauth.constants import (
+    SCOPE_OFFLINE_ACCESS,
+    SCOPE_OPENID,
+    SCOPE_OPENID_EMAIL,
+    SCOPE_OPENID_PROFILE,
+)
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_cert
 from authentik.flows.models import Flow
 from authentik.lib.generators import generate_id, generate_key
 from authentik.policies.expression.models import ExpressionPolicy
 from authentik.policies.models import PolicyBinding
-from authentik.providers.oauth2.constants import (
-    SCOPE_OFFLINE_ACCESS,
-    SCOPE_OPENID,
-    SCOPE_OPENID_EMAIL,
-    SCOPE_OPENID_PROFILE,
-)
 from authentik.providers.oauth2.models import (
     ClientTypes,
     OAuth2Provider,