providers/oauth2: don't handle api scope as special scope (#9910)

* providers/oauth2: don't handle api scope as special scope Signed-off-by: Jens Langhammer <jens@goauthentik.io> * make default scope selection less magic Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ensure missing folder exists Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix duplicate name Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2024-06-01 17:16:56 +09:00
parent 1cac1492d7
commit 95d26563e7
5 changed files with 25 additions and 14 deletions
--- a/1
+++ b/1
@ -253,6 +253,7 @@ website-watch:  ## Build and watch the documentation website, updating automatic
 #########################

 docker:  ## Build a docker image of the current source tree
+	mkdir -p ${GEN_API_TS}
 	DOCKER_BUILDKIT=1 docker build . --progress plain --tag ${DOCKER_IMAGE}

 #########################
--- a/authentik/providers/oauth2/views/userinfo.py
+++ b/authentik/providers/oauth2/views/userinfo.py
@ -15,7 +15,6 @@ from authentik.core.expression.exceptions import PropertyMappingExpressionExcept
 from authentik.events.models import Event, EventAction
 from authentik.flows.challenge import PermissionDict
 from authentik.providers.oauth2.constants import (
-    SCOPE_AUTHENTIK_API,
    SCOPE_GITHUB_ORG_READ,
    SCOPE_GITHUB_USER,
    SCOPE_GITHUB_USER_EMAIL,
@ -57,7 +56,6 @@ class UserInfoView(View):
            SCOPE_GITHUB_USER_READ: _("GitHub Compatibility: Access your User Information"),
            SCOPE_GITHUB_USER_EMAIL: _("GitHub Compatibility: Access you Email addresses"),
            SCOPE_GITHUB_ORG_READ: _("GitHub Compatibility: Access your Groups"),
-            SCOPE_AUTHENTIK_API: _("authentik API Access on behalf of your user"),
        }
        for scope in scopes:
            if scope in special_scope_map:
--- a/blueprints/system/providers-oauth2.yaml
+++ b/blueprints/system/providers-oauth2.yaml
@ -56,3 +56,14 @@ entries:
        # This scope grants the application a refresh token that can be used to refresh user data
        # and let the application access authentik without the users interaction
        return {}
+  - identifiers:
+      managed: goauthentik.io/providers/oauth2/scope-authentik_api
+    model: authentik_providers_oauth2.scopemapping
+    attrs:
+      name: "authentik default OAuth Mapping: authentik API access"
+      scope_name: goauthentik.io/api
+      description: "authentik API Access on behalf of your user"
+      expression: |
+        # This scope grants the application the ability to access the authentik API
+        # on behalf of the authorizing user
+        return {}
--- a/web/src/admin/applications/wizard/methods/oauth/ak-application-wizard-authentication-by-oauth.ts
+++ b/web/src/admin/applications/wizard/methods/oauth/ak-application-wizard-authentication-by-oauth.ts
@ -3,6 +3,7 @@ import "@goauthentik/admin/common/ak-crypto-certificate-search";
 import "@goauthentik/admin/common/ak-flow-search/ak-branded-flow-search";
 import {
    clientTypeOptions,
+    defaultScopes,
    issuerModeOptions,
    redirectUriHelp,
    subjectModeOptions,
@ -225,10 +226,9 @@ export class ApplicationWizardAuthenticationByOauth extends BaseProviderPanel {
                                ${this.propertyMappings?.results.map((scope) => {
                                    let selected = false;
                                    if (!provider?.propertyMappings) {
-                                        selected =
-                                            scope.managed?.startsWith(
-                                                "goauthentik.io/providers/oauth2/scope-",
-                                            ) || false;
+                                        selected = scope.managed
+                                            ? defaultScopes.includes(scope.managed)
+                                            : false;
                                    } else {
                                        selected = Array.from(provider?.propertyMappings).some(
                                            (su) => {
--- a/web/src/admin/providers/oauth2/OAuth2ProviderForm.ts
+++ b/web/src/admin/providers/oauth2/OAuth2ProviderForm.ts
@ -48,6 +48,12 @@ export const clientTypeOptions = [
    },
 ];

+export const defaultScopes = [
+    "goauthentik.io/providers/oauth2/scope-openid",
+    "goauthentik.io/providers/oauth2/scope-email",
+    "goauthentik.io/providers/oauth2/scope-profile",
+];
+
 export const subjectModeOptions = [
    {
        label: msg("Based on the User's hashed ID"),
@ -289,14 +295,9 @@ export class OAuth2ProviderFormPage extends BaseProviderForm<OAuth2Provider> {
                            ${this.propertyMappings?.results.map((scope) => {
                                let selected = false;
                                if (!provider?.propertyMappings) {
-                                    selected =
-                                        // By default select all managed scope mappings, except offline_access
-                                        (scope.managed?.startsWith(
-                                            "goauthentik.io/providers/oauth2/scope-",
-                                        ) &&
-                                            scope.managed !==
-                                                "goauthentik.io/providers/oauth2/scope-offline_access") ||
-                                        false;
+                                    selected = scope.managed
+                                        ? defaultScopes.includes(scope.managed)
+                                        : false;
                                } else {
                                    selected = Array.from(provider?.propertyMappings).some((su) => {
                                        return su == scope.pk;