mirror of
https://github.com/goauthentik/authentik
synced 2026-04-25 17:15:26 +02:00
1b9653901c
* clean up roles and permissions This was purposefully not included in `2025.12` to split the changes up. The main content of this patch is in the migrations. Everything else follows more or less automatically. * add breaking change warning to release notes * add `ak_groups` --> `groups` deprecated proxy * fixup! add `ak_groups` --> `groups` deprecated proxy * fixup! add `ak_groups` --> `groups` deprecated proxy * fixup! add `ak_groups` --> `groups` deprecated proxy * add configuration warning to default notifications blueprint * add rudimentary tests for User.ak_groups * remove no longer used permissions * clarify deprecation Co-authored-by: Jens L. <jens@goauthentik.io> Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com> * remove integration changes These will be included in a separate PR once this is released. --------- Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com> Co-authored-by: Jens L. <jens@goauthentik.io>
123 lines
5.8 KiB
YAML
123 lines
5.8 KiB
YAML
version: 1
|
|
metadata:
|
|
name: OpenID Conformance testing
|
|
labels:
|
|
blueprints.goauthentik.io/instantiate: "false"
|
|
entries:
|
|
- identifiers:
|
|
managed: goauthentik.io/providers/oauth2/scope-address
|
|
model: authentik_providers_oauth2.scopemapping
|
|
attrs:
|
|
name: "authentik default OAuth Mapping: OpenID 'address'"
|
|
scope_name: address
|
|
description: "General Address Information"
|
|
expression: |
|
|
return {
|
|
"address": {
|
|
"formatted": "foo",
|
|
}
|
|
}
|
|
- identifiers:
|
|
managed: goauthentik.io/providers/oauth2/scope-phone
|
|
model: authentik_providers_oauth2.scopemapping
|
|
attrs:
|
|
name: "authentik default OAuth Mapping: OpenID 'phone'"
|
|
scope_name: phone
|
|
description: "General phone information"
|
|
expression: |
|
|
return {
|
|
"phone_number": "+1234",
|
|
"phone_number_verified": True,
|
|
}
|
|
- identifiers:
|
|
managed: goauthentik.io/providers/oauth2/scope-profile-oidc-standard
|
|
model: authentik_providers_oauth2.scopemapping
|
|
attrs:
|
|
name: "OIDC conformance profile"
|
|
scope_name: profile
|
|
description: "General profile information"
|
|
expression: |
|
|
return {
|
|
# Because authentik only saves the user's full name, and has no concept of first and last names,
|
|
# the full name is used as given name.
|
|
# You can override this behaviour in custom mappings, i.e. `request.user.name.split(" ")`
|
|
"name": request.user.name,
|
|
"given_name": request.user.name,
|
|
"preferred_username": request.user.username,
|
|
"nickname": request.user.username,
|
|
"groups": [group.name for group in request.user.groups.all()],
|
|
"website" : "foo",
|
|
"zoneinfo" : "foo",
|
|
"birthdate" : "2000",
|
|
"gender" : "foo",
|
|
"profile" : "foo",
|
|
"middle_name" : "foo",
|
|
"locale" : "foo",
|
|
"picture" : "foo",
|
|
"updated_at" : 1748557810,
|
|
"family_name" : "foo",
|
|
}
|
|
|
|
|
|
- model: authentik_providers_oauth2.oauth2provider
|
|
id: oidc-conformance-1
|
|
identifiers:
|
|
name: oidc-conformance-1
|
|
attrs:
|
|
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
|
|
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
|
|
# Required as OIDC Conformance test requires issues to be the same across multiple clients
|
|
issuer_mode: global
|
|
client_id: 4054d882aff59755f2f279968b97ce8806a926e1
|
|
client_secret: 4c7e4933009437fb486b5389d15b173109a0555dc47e0cc0949104f1925bcc6565351cb1dffd7e6818cf074f5bd50c210b565121a7328ee8bd40107fc4bbd867
|
|
redirect_uris:
|
|
- matching_mode: strict
|
|
url: https://localhost:8443/test/a/authentik/callback
|
|
- matching_mode: strict
|
|
url: https://host.docker.internal:8443/test/a/authentik/callback
|
|
property_mappings:
|
|
- !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-openid]]
|
|
- !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-email]]
|
|
- !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-profile-oidc-standard]]
|
|
- !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-address]]
|
|
- !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-phone]]
|
|
- !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-offline_access]]
|
|
signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
|
|
- model: authentik_core.application
|
|
identifiers:
|
|
slug: oidc-conformance-1
|
|
attrs:
|
|
provider: !KeyOf oidc-conformance-1
|
|
name: OIDC Conformance (1)
|
|
|
|
- model: authentik_providers_oauth2.oauth2provider
|
|
id: oidc-conformance-2
|
|
identifiers:
|
|
name: oidc-conformance-2
|
|
attrs:
|
|
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
|
|
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
|
|
# Required as OIDC Conformance test requires issues to be the same across multiple clients
|
|
issuer_mode: global
|
|
client_id: ad64aeaf1efe388ecf4d28fcc537e8de08bcae26
|
|
client_secret: ff2e34a5b04c99acaf7241e25a950e7f6134c86936923d8c698d8f38bd57647750d661069612c0ee55045e29fe06aa101804bdae38e8360647d595e771fea789
|
|
redirect_uris:
|
|
- matching_mode: strict
|
|
url: https://localhost:8443/test/a/authentik/callback
|
|
- matching_mode: strict
|
|
url: https://host.docker.internal:8443/test/a/authentik/callback
|
|
property_mappings:
|
|
- !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-openid]]
|
|
- !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-email]]
|
|
- !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-profile-oidc-standard]]
|
|
- !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-address]]
|
|
- !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-phone]]
|
|
- !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-offline_access]]
|
|
signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
|
|
- model: authentik_core.application
|
|
identifiers:
|
|
slug: oidc-conformance-2
|
|
attrs:
|
|
provider: !KeyOf oidc-conformance-2
|
|
name: OIDC Conformance (2)
|