mirror of
https://github.com/goauthentik/authentik
synced 2026-04-25 17:15:26 +02:00
1b9653901c
* clean up roles and permissions This was purposefully not included in `2025.12` to split the changes up. The main content of this patch is in the migrations. Everything else follows more or less automatically. * add breaking change warning to release notes * add `ak_groups` --> `groups` deprecated proxy * fixup! add `ak_groups` --> `groups` deprecated proxy * fixup! add `ak_groups` --> `groups` deprecated proxy * fixup! add `ak_groups` --> `groups` deprecated proxy * add configuration warning to default notifications blueprint * add rudimentary tests for User.ak_groups * remove no longer used permissions * clarify deprecation Co-authored-by: Jens L. <jens@goauthentik.io> Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com> * remove integration changes These will be included in a separate PR once this is released. --------- Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com> Co-authored-by: Jens L. <jens@goauthentik.io>
82 lines
3.3 KiB
YAML
82 lines
3.3 KiB
YAML
version: 1
|
|
metadata:
|
|
labels:
|
|
blueprints.goauthentik.io/system: "true"
|
|
name: System - OAuth2 Provider - Scopes
|
|
entries:
|
|
- identifiers:
|
|
managed: goauthentik.io/providers/oauth2/scope-openid
|
|
model: authentik_providers_oauth2.scopemapping
|
|
attrs:
|
|
name: "authentik default OAuth Mapping: OpenID 'openid'"
|
|
scope_name: openid
|
|
expression: |
|
|
# This scope is required by the OpenID-spec, and must as such exist in authentik.
|
|
# The scope by itself does not grant any information
|
|
return {}
|
|
- identifiers:
|
|
managed: goauthentik.io/providers/oauth2/scope-email
|
|
model: authentik_providers_oauth2.scopemapping
|
|
attrs:
|
|
name: "authentik default OAuth Mapping: OpenID 'email'"
|
|
scope_name: email
|
|
description: "Email address"
|
|
expression: |
|
|
return {
|
|
"email": request.user.email,
|
|
"email_verified": False
|
|
}
|
|
- identifiers:
|
|
managed: goauthentik.io/providers/oauth2/scope-profile
|
|
model: authentik_providers_oauth2.scopemapping
|
|
attrs:
|
|
name: "authentik default OAuth Mapping: OpenID 'profile'"
|
|
scope_name: profile
|
|
description: "General Profile Information"
|
|
expression: |
|
|
return {
|
|
# Because authentik only saves the user's full name, and has no concept of first and last names,
|
|
# the full name is used as given name.
|
|
# You can override this behaviour in custom mappings, i.e. `request.user.name.split(" ")`
|
|
"name": request.user.name,
|
|
"given_name": request.user.name,
|
|
"preferred_username": request.user.username,
|
|
"nickname": request.user.username,
|
|
"groups": [group.name for group in request.user.groups.all()],
|
|
}
|
|
- identifiers:
|
|
managed: goauthentik.io/providers/oauth2/scope-entitlements
|
|
model: authentik_providers_oauth2.scopemapping
|
|
attrs:
|
|
name: "authentik default OAuth Mapping: Application Entitlements"
|
|
scope_name: entitlements
|
|
description: "Application entitlements"
|
|
expression: |
|
|
entitlements = [entitlement.name for entitlement in request.user.app_entitlements(provider.application)]
|
|
return {
|
|
"entitlements": entitlements,
|
|
"roles": entitlements,
|
|
}
|
|
- identifiers:
|
|
managed: goauthentik.io/providers/oauth2/scope-offline_access
|
|
model: authentik_providers_oauth2.scopemapping
|
|
attrs:
|
|
name: "authentik default OAuth Mapping: OpenID 'offline_access'"
|
|
scope_name: offline_access
|
|
description: "Access to request new tokens without interaction"
|
|
expression: |
|
|
# This scope grants the application a refresh token that can be used to refresh user data
|
|
# and let the application access authentik without the users interaction
|
|
return {}
|
|
- identifiers:
|
|
managed: goauthentik.io/providers/oauth2/scope-authentik_api
|
|
model: authentik_providers_oauth2.scopemapping
|
|
attrs:
|
|
name: "authentik default OAuth Mapping: authentik API access"
|
|
scope_name: goauthentik.io/api
|
|
description: "authentik API Access on behalf of your user"
|
|
expression: |
|
|
# This scope grants the application the ability to access the authentik API
|
|
# on behalf of the authorizing user
|
|
return {}
|