eliott/authentik
1
0
Fork 0
mirror of https://github.com/goauthentik/authentik synced 2026-04-25 17:15:26 +02:00
Code Issues Packages Projects Releases Wiki Activity
21,711 Commits 321 Branches 440 Tags
cce646b132229d531b1a868099794615e42fda66
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Sai Asish Y cce646b132 providers/oauth2: clip device authorization scope against the provider's ScopeMapping set (#21701) 
* providers/oauth2: clip device authorization scope against the provider's ScopeMapping set

DeviceView.parse_request stored the raw request scope straight onto the
DeviceToken:

	self.scopes = self.request.POST.get("scope", "").split(" ")
	...
	token = DeviceToken.objects.create(..., _scope=" ".join(self.scopes))

The token-exchange side then reads those scopes back directly:

	if SCOPE_OFFLINE_ACCESS in self.params.device_code.scope:
		refresh_token = RefreshToken(...)
		...

so a caller that adds offline_access to the device authorization
request body gets a refresh_token at the exchange, even when the
provider has no offline_access ScopeMapping configured. Every other
grant type clips scope against ScopeMapping for the provider inside
TokenParams.__check_scopes, but the device authorization endpoint
runs before TokenParams is ever constructed, so the clip never
happens for the device flow.

Combined with #20828 (missing client_secret verification on device
code exchange for confidential clients, now being fixed separately)
and the lack of per-app opt-out for the device flow, this gives any
caller that knows the client_id a path to an offline refresh token
against any OIDC application the deployment exposes.

Intersect the requested scope set with the provider's ScopeMapping
names before we ever persist the DeviceToken. offline_access that is
not configured is silently dropped, matching __check_scopes on the
other grant types. Configured offline_access still flows through
unchanged.

Fixes #20825

Signed-off-by: SAY-5 <SAY-5@users.noreply.github.com>

* rework and add tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: SAY-5 <SAY-5@users.noreply.github.com>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: SAY-5 <SAY-5@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
2026-04-23 13:44:44 +02:00
.cargo
packages/ak-common/config: init (#21256)
2026-04-02 15:05:35 +02:00
.github
root: update rustls-webpki (#21769)
2026-04-22 13:00:11 +02:00
.vscode
core, web: Vendored client follow-ups (#21174)
2026-03-26 18:33:24 +01:00
authentik
providers/oauth2: clip device authorization scope against the provider's ScopeMapping set (#21701)
2026-04-23 13:44:44 +02:00
blueprints
flows: add warning message for expired password reset links (#21395)
2026-04-22 15:09:05 +02:00
cmd
root: allow listening on multiple IPs (#20930)
2026-03-19 15:46:47 +00:00
internal
internal/outpost: serialize websocket writes to prevent panic (#21728)
2026-04-23 02:33:10 +02:00
lifecycle
core: bump library/golang from cd8540d to 982ae92 in /lifecycle/container (#21793)
2026-04-23 10:19:37 +01:00
locale
stages/user_write: refuse to write id/pk claims onto the user model (#21667)
2026-04-23 11:03:12 +02:00
packages
flows: add warning message for expired password reset links (#21395)
2026-04-22 15:09:05 +02:00
schemas
enterprise/providers: WS-Federation (#19583)
2026-01-28 17:43:16 +01:00
scripts
scripts/api_filter_schema: fix authentication (#21644)
2026-04-16 16:19:32 +00:00
tests
core: bump axllent/mailpit from v1.29.5 to v1.29.6 in /tests/e2e (#21398)
2026-04-06 10:07:55 +01:00
web
core, web: update translations (#21785)
2026-04-23 10:39:13 +02:00
website
core: bump library/nginx from 3acc8b9 to 6e23479 in /website (#21794)
2026-04-23 11:20:09 +02:00
.dockerignore
packages/ak-lib: init (#21257)
2026-03-31 11:33:46 +02:00
.editorconfig
website: add netlify cache plugin (#15113)
2025-06-18 15:07:15 +02:00
.gitattributes
packages/django-dramatiq-postgres: fix default value for HTTPServerThread (#21216)
2026-03-28 20:57:46 +01:00
.gitignore
root: cleanup API generation (#21172)
2026-03-26 13:48:01 +00:00
.prettierignore
core, web: Vendored client follow-ups (#21174)
2026-03-26 18:33:24 +01:00
Cargo.lock
core: bump rand from 0.8.5 to 0.8.6 in the cargo group across 1 directory (#21783)
2026-04-23 02:02:24 +02:00
Cargo.toml
core: bump tokio from 1.52.0 to 1.52.1 (#21774)
2026-04-22 13:55:34 +02:00
CODE_OF_CONDUCT.md
website: remove the last updated option from footer (#13493)
2025-03-12 18:59:21 +00:00
CODEOWNERS
packages/ak-lib: init (#21257)
2026-03-31 11:33:46 +02:00
CONTRIBUTING.md
root: clean up README (#16286)
2025-09-02 21:38:53 +00:00
cspell.config.jsonc
policies/event_matcher: Add query option to filter events (#21618)
2026-04-16 01:52:11 +02:00
go.mod
core: bump github.com/pires/go-proxyproto from 0.11.0 to 0.12.0 (#21770)
2026-04-22 13:54:42 +02:00
go.sum
core: bump github.com/pires/go-proxyproto from 0.11.0 to 0.12.0 (#21770)
2026-04-22 13:54:42 +02:00
LICENSE
enterprise: initial license (#5293)
2023-04-19 16:13:45 +02:00
Makefile
packages/clients: only generate needed endpoints (#21578)
2026-04-15 13:11:25 +00:00
manage.py
*: replace Celery with Dramatiq (#13492)
2025-07-28 17:00:09 +02:00
package-lock.json
web: bump cspell from 9.7.0 to 10.0.0 (#21427)
2026-04-07 15:15:53 +01:00
package.json
web: bump cspell from 9.7.0 to 10.0.0 (#21427)
2026-04-07 15:15:53 +01:00
pyproject.toml
core: bump fido2 from 2.1.1 to 2.2.0 (#21772)
2026-04-22 13:55:13 +02:00
README.md
root: Fix transifex link (#17696)
2025-10-24 19:01:42 +02:00
rust-toolchain.toml
core: bump rust-toolchain from 1.94.1 to 1.95.0 (#21660)
2026-04-17 23:48:49 +01:00
schema.yml
flows: add warning message for expired password reset links (#21395)
2026-04-22 15:09:05 +02:00
SECURITY.md
security: add item to intended behavior section of security policy (#21430)
2026-04-07 13:00:26 +02:00
tsconfig.json
core, web: Vendored client follow-ups (#21174)
2026-03-26 18:33:24 +01:00
uv.lock
core: bump fido2 from 2.1.1 to 2.2.0 (#21772)
2026-04-22 13:55:13 +02:00

README.md

authentik logo

Join Discord GitHub Workflow Status GitHub Workflow Status GitHub Workflow Status Code Coverage Latest version

What is authentik?

authentik is an open-source Identity Provider (IdP) for modern SSO. It supports SAML, OAuth2/OIDC, LDAP, RADIUS, and more, designed for self-hosting from small labs to large production clusters.

Our enterprise offering is available for organizations to securely replace existing IdPs such as Okta, Auth0, Entra ID, and Ping Identity for robust, large-scale identity management.

Installation

  • Docker Compose: recommended for small/test setups. See the documentation.
  • Kubernetes (Helm Chart): recommended for larger setups. See the documentation and the Helm chart repository.
  • AWS CloudFormation: deploy on AWS using our official templates. See the documentation.
  • DigitalOcean Marketplace: one-click deployment via the official Marketplace app. See the app listing.

Screenshots

Light Dark

Development and contributions

See the Developer Documentation for information about setting up local build environments, testing your contributions, and our contribution process.

Security

Please see SECURITY.md.

Adoption

Using authentik? We'd love to hear your story and feature your logo. Email us at hello@goauthentik.io or open a GitHub Issue/PR!

License

MIT License CC BY-SA 4.0 authentik EE License

Reference in New Issue View Git Blame Copy Permalink
Description
Mirrored from GitHub
Readme MIT 959 MiB
Languages
Python 54.9%
TypeScript 34.9%
Go 4.4%
CSS 2.1%
JavaScript 1.5%
Other 2.1%