From 586f79e5d04f552e45186ebf1923c05dcaeaa357 Mon Sep 17 00:00:00 2001
From: harkon
Date: Wed, 3 Dec 2025 12:32:55 +0200
Subject: [PATCH] fix: use managed system scopes in production blueprint

---
 infra/base/authentik/bootstrap-prod.yaml | 90 +++++++----------------
 1 file changed, 27 insertions(+), 63 deletions(-)

diff --git a/infra/base/authentik/bootstrap-prod.yaml b/infra/base/authentik/bootstrap-prod.yaml
index 240250c..70d98cc 100644
--- a/infra/base/authentik/bootstrap-prod.yaml
+++ b/infra/base/authentik/bootstrap-prod.yaml
@@ -51,45 +51,6 @@ entries:
 - !Find [authentik_core.group, [name, "Administrators"]]
 # --- Scope mappings (find existing ones and get stable IDs) -----------------
- - id: scope_openid
- model: authentik_providers_oauth2.scopemapping
- identifiers:
- scope_name: openid
- attrs:
- name: "openid"
- expression: |
- return {
- "sub": user.uid,
- "iss": request.build_absolute_uri("/"),
- }
-
- - id: scope_profile
- model: authentik_providers_oauth2.scopemapping
- identifiers:
- scope_name: profile
- attrs:
- name: "profile"
- expression: |
- return {
- "name": user.name,
- "given_name": user.name,
- "preferred_username": user.username,
- "nickname": user.username,
- "groups": [group.name for group in request.user.ak_groups.all()]
- }
-
- - id: scope_email
- model: authentik_providers_oauth2.scopemapping
- identifiers:
- scope_name: email
- attrs:
- name: "email"
- expression: |
- return {
- "email": user.email,
- "email_verified": True
- }
-
 - id: scope_groups
 model: authentik_providers_oauth2.scopemapping
 identifiers:
@@ -101,15 +62,6 @@ entries:
 "groups": [group.name for group in request.user.ak_groups.all()]
 }
- - id: scope_offline
- model: authentik_providers_oauth2.scopemapping
- identifiers:
- scope_name: offline_access
- attrs:
- name: "offline_access"
- expression: |
- return {}
-
 # --- AI Tax Agent API (Production) -------------------------------------------
 - model: authentik_providers_oauth2.oauth2provider
 state: present
@@ -134,20 +86,23 @@ entries:
 scope_mappings:
 - !Find [
 authentik_providers_oauth2.scopemapping,
- [scope_name, "openid"],
+ [managed, "goauthentik.io/providers/oauth2/scope-openid"],
 ]
 - !Find [
 authentik_providers_oauth2.scopemapping,
- [scope_name, "profile"],
+ [managed, "goauthentik.io/providers/oauth2/scope-profile"],
+ ]
+ - !Find [
+ authentik_providers_oauth2.scopemapping,
+ [managed, "goauthentik.io/providers/oauth2/scope-email"],
 ]
- - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "email"]]
 - !Find [
 authentik_providers_oauth2.scopemapping,
 [scope_name, "groups"],
 ]
 - !Find [
 authentik_providers_oauth2.scopemapping,
- [scope_name, "offline_access"],
+ [managed, "goauthentik.io/providers/oauth2/scope-offline_access"],
 ]
 authorization_flow: !Find [authentik_flows.flow, [slug, "default-authentication-flow"]]
@@ -195,20 +150,23 @@ entries:
 scope_mappings:
 - !Find [
 authentik_providers_oauth2.scopemapping,
- [scope_name, "openid"],
+ [managed, "goauthentik.io/providers/oauth2/scope-openid"],
 ]
 - !Find [
 authentik_providers_oauth2.scopemapping,
- [scope_name, "profile"],
+ [managed, "goauthentik.io/providers/oauth2/scope-profile"],
+ ]
+ - !Find [
+ authentik_providers_oauth2.scopemapping,
+ [managed, "goauthentik.io/providers/oauth2/scope-email"],
 ]
- - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "email"]]
 - !Find [
 authentik_providers_oauth2.scopemapping,
 [scope_name, "groups"],
 ]
 - !Find [
 authentik_providers_oauth2.scopemapping,
- [scope_name, "offline_access"],
+ [managed, "goauthentik.io/providers/oauth2/scope-offline_access"],
 ]
 authorization_flow: !Find [authentik_flows.flow, [slug, "default-authentication-flow"]]
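Review bot: The four `managed` lookups in this provider's scope_mappings list (`goauthentik.io/providers/oauth2/scope-openid` and the others) only resolve if the deployed authentik instance ships its system scope mappings under exactly those identifiers; if one is missing or renamed in the installed version, `!Find` returns nothing and the provider's scope list is either rejected at apply time or comes out shorter, and nothing in the blueprint asserts the mappings are present. The claims issued for openid/profile/email/offline_access are now whatever the installed authentik defines instead of what this file pinned (the removed custom `profile` mapping emitted `groups`, for example; whether the managed one does is not visible here), so the token contents seen by these production clients can change on an authentik upgrade without any change to this file. A comment above the list would record that, e.g. `# openid/profile/email/offline_access are authentik's managed system mappings; their claim sets follow the installed authentik version — re-verify issued claims after upgrades`. The `groups` entry is still looked up by `scope_name` and keeps depending on the custom mapping defined earlier in this file, which is fine but worth stating in the same comment. The provider entry that owns this list starts before and ends after the hunk.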
@@ -258,20 +216,23 @@ entries:
 scope_mappings:
 - !Find [
 authentik_providers_oauth2.scopemapping,
- [scope_name, "openid"],
+ [managed, "goauthentik.io/providers/oauth2/scope-openid"],
 ]
 - !Find [
 authentik_providers_oauth2.scopemapping,
- [scope_name, "profile"],
+ [managed, "goauthentik.io/providers/oauth2/scope-profile"],
+ ]
+ - !Find [
+ authentik_providers_oauth2.scopemapping,
+ [managed, "goauthentik.io/providers/oauth2/scope-email"],
 ]
- - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "email"]]
 - !Find [
 authentik_providers_oauth2.scopemapping,
 [scope_name, "groups"],
 ]
 - !Find [
 authentik_providers_oauth2.scopemapping,
- [scope_name, "offline_access"],
+ [managed, "goauthentik.io/providers/oauth2/scope-offline_access"],
 ]
 authorization_flow: !Find [authentik_flows.flow, [slug, "default-authentication-flow"]]
@@ -318,12 +279,15 @@ entries:
 property_mappings:
 - !Find [
 authentik_providers_oauth2.scopemapping,
- [scope_name, "openid"],
+ [managed, "goauthentik.io/providers/oauth2/scope-openid"],
 ]
- - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "email"]]
 - !Find [
 authentik_providers_oauth2.scopemapping,
- [scope_name, "profile"],
+ [managed, "goauthentik.io/providers/oauth2/scope-email"],
+ ]
+ - !Find [
+ authentik_providers_oauth2.scopemapping,
+ [managed, "goauthentik.io/providers/oauth2/scope-profile"],
 ]
 - !Find [
 authentik_providers_oauth2.scopemapping,
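Review bot: The `authorization_flow` at the end of the -258 hunk binds this OAuth2 provider to `default-authentication-flow`, whose slug suggests an authentication flow rather than one of authentik's provider-authorization flows; if that is what it is, the scopes rewritten just above (including `offline_access`, which lets the client obtain refresh tokens) are granted with no consent stage, which is normally acceptable only for a first-party client. The commit does not touch this line, but it is the point at which the managed scopes it introduces are released to the client, so the binding deserves a deliberate choice. Either switch it to the authentik provider-authorization flow whose consent behaviour matches the client's trust level, or document the intent inline, e.g. `# intentional: first-party client, consent skipped`. The provider entry containing this line starts before the hunk and ends after it.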