authentik/blueprints/system/providers-oauth2.yaml

version: 1
metadata:
  labels:
    blueprints.goauthentik.io/system: "true"
  name: System - OAuth2 Provider - Scopes
entries:
  - identifiers:
      managed: goauthentik.io/providers/oauth2/scope-openid
    model: authentik_providers_oauth2.scopemapping
    attrs:
      name: "authentik default OAuth Mapping: OpenID 'openid'"
      scope_name: openid
      expression: |
        # This scope is required by the OpenID-spec, and must as such exist in authentik.
        # The scope by itself does not grant any information
        return {}
  - identifiers:
      managed: goauthentik.io/providers/oauth2/scope-email
    model: authentik_providers_oauth2.scopemapping
    attrs:
      name: "authentik default OAuth Mapping: OpenID 'email'"
      scope_name: email
      description: "Email address"
      expression: |
        return {
            "email": request.user.email,
            "email_verified": True
        }
  - identifiers:
      managed: goauthentik.io/providers/oauth2/scope-profile
    model: authentik_providers_oauth2.scopemapping
    attrs:
      name: "authentik default OAuth Mapping: OpenID 'profile'"
      scope_name: profile
      description: "General Profile Information"
      expression: |
        return {
            # Because authentik only saves the user's full name, and has no concept of first and last names,
            # the full name is used as given name.
            # You can override this behaviour in custom mappings, i.e. `request.user.name.split(" ")`
            "name": request.user.name,
            "given_name": request.user.name,
            "preferred_username": request.user.username,
            "nickname": request.user.username,
            "groups": [group.name for group in request.user.ak_groups.all()],
        }
  - identifiers:
      managed: goauthentik.io/providers/oauth2/scope-entitlements
    model: authentik_providers_oauth2.scopemapping
    attrs:
      name: "authentik default OAuth Mapping: Application Entitlements"
      scope_name: entitlements
      description: "Application entitlements"
      expression: |
        entitlements = [entitlement.name for entitlement in request.user.app_entitlements(provider.application)]
        return {
            "entitlements": entitlements,
            "roles": entitlements,
        }
  - identifiers:
      managed: goauthentik.io/providers/oauth2/scope-offline_access
    model: authentik_providers_oauth2.scopemapping
    attrs:
      name: "authentik default OAuth Mapping: OpenID 'offline_access'"
      scope_name: offline_access
      description: "Access to request new tokens without interaction"
      expression: |
        # This scope grants the application a refresh token that can be used to refresh user data
        # and let the application access authentik without the users interaction
        return {}
  - identifiers:
      managed: goauthentik.io/providers/oauth2/scope-authentik_api
    model: authentik_providers_oauth2.scopemapping
    attrs:
      name: "authentik default OAuth Mapping: authentik API access"
      scope_name: goauthentik.io/api
      description: "authentik API Access on behalf of your user"
      expression: |
        # This scope grants the application the ability to access the authentik API
        # on behalf of the authorizing user
        return {}