providers/oauth2: pass scope and other parameters to access policy request context

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

#2641
This commit is contained in:
Jens Langhammer
2022-04-01 21:39:05 +02:00
parent 71c6313c46
commit 4be238018b
5 changed files with 44 additions and 15 deletions


@ -51,5 +51,5 @@ Input JWTs are checked to be signed by any of the selected *Verification certifi
To do additional checks, you can use *[Expression policies](../../policies/expression)*:
```python
return request.context["JWT"]["iss"] == "https://my.issuer"
return request.context["oauth_jwt"]["iss"] == "https://my.issuer"
```
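Review bot: the example switches the context key from `request.context["JWT"]` to `request.context["oauth_jwt"]` without any mention of the rename, so anyone who copied the earlier snippet into an expression policy gets no hint that their policy now has to change; if the old `JWT` key is no longer populated after this change, add a short upgrade note next to the example (old name, new name, version), and if it is still set for compatibility, say so here instead.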


@ -43,3 +43,14 @@ Refresh tokens can be used as long-lived tokens to access user data, and further
### `client_credentials`:
See [Machine-to-machine authentication](./client_credentials)
## Scope authorization
By default, every user that has access to an application can request any of the configured scopes. Starting with authentik 2022.4, you can do additional checks for the scope in an expression policy (bound to the application):
```python
# There are additional fields set in the context, use `ak_logger.debug(request.context)` to see them.
if "my-admin-scope" in request.context["oauth_scopes"]:
return ak_is_group_member(request.user, name="my-admin-group")
return True
```
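Review bot: `request.context["oauth_scopes"]` is subscripted directly, yet the comment right above it describes these as additional fields set in the context and the prose says the policy is bound to the application; if an application-bound policy is ever evaluated outside an OAuth2 authorization request, that key is absent and the subscript raises instead of falling through to `return True`. Suggest `if "my-admin-scope" in request.context.get("oauth_scopes", []):` so the policy degrades to the default allow rather than erroring, and state in the sentence above which request types populate `oauth_scopes` so readers know when the check applies.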