providers/oauth2: offline access (#8026)

* improve scope check (log when application requests non-configured scopes) Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add offline_access special scope Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ensure scope is set Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update tests for refresh tokens Signed-off-by: Jens Langhammer <jens@goauthentik.io> * special handling of scopes for github compat Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix spec Signed-off-by: Jens Langhammer <jens@goauthentik.io> * attempt to fix oidc tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> * remove hardcoded slug Signed-off-by: Jens Langhammer <jens@goauthentik.io> * check scope from authorization code instead of request Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix injection for consent stage checking incorrectly Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2024-01-04 19:57:11 +01:00
parent 1b36cb8331
commit 509b502d3c
15 changed files with 369 additions and 171 deletions
--- a/website/docs/providers/oauth2/index.md
+++ b/website/docs/providers/oauth2/index.md
@ -35,12 +35,20 @@ To access the user's email address, a scope of `user:email` is required. To acce

 ### `authorization_code`:

-This grant is used to convert an authorization code to a refresh token. The authorization code is retrieved through the Authorization flow, and can only be used once, and expires quickly.
+This grant is used to convert an authorization code to an access token (and optionally refresh token). The authorization code is retrieved through the Authorization flow, and can only be used once, and expires quickly.
+
+:::info
+Starting with authentik 2024.1, applications only receive an access token. To receive a refresh token, applications must be allowed to request the `offline_access` scope in authentik and also be configured to request the scope.
+:::

 ### `refresh_token`:

 Refresh tokens can be used as long-lived tokens to access user data, and further renew the refresh token down the road.

+:::info
+Starting with authentik 2024.1, this grant requires the `offline_access` scope.
+:::
+
 ### `client_credentials`:

 See [Machine-to-machine authentication](./client_credentials)
--- a/website/docs/releases/2024/v2024.1.md
+++ b/website/docs/releases/2024/v2024.1.md
@ -17,6 +17,12 @@ slug: "/releases/2024.1"
    -   `authentik_outpost_radius_requests_rejected` -> `authentik_outpost_radius_requests_rejected_total`
    -   `authentik_main_requests` -> `authentik_main_request_duration_seconds`

+-   Required `offline_access` scope for Refresh tokens
+
+    The OAuth2 provider ships with a new default scope called `offline_access`, which must be requested by applications that need a refresh token. Previously, authentik would always issue a refresh token for the _Authorization code_ and _Device code_ OAuth grants.
+
+    Applications which require will need their configuration update to include the `offline_access` scope mapping.
+
 ## New features

 -   "Pretend user exists" option for Identification stage