fix: use managed system scopes in production blueprint

infra/base/authentik/bootstrap-prod.yaml

@@ -51,45 +51,6 @@ entries:
         - !Find [authentik_core.group, [name, "Administrators"]]
 
   # --- Scope mappings (find existing ones and get stable IDs) -----------------
-  - id: scope_openid
-    model: authentik_providers_oauth2.scopemapping
-    identifiers:
-      scope_name: openid
-    attrs:
-      name: "openid"
-      expression: |
-        return {
-            "sub": user.uid,
-            "iss": request.build_absolute_uri("/"),
-        }
-
-  - id: scope_profile
-    model: authentik_providers_oauth2.scopemapping
-    identifiers:
-      scope_name: profile
-    attrs:
-      name: "profile"
-      expression: |
-        return {
-            "name": user.name,
-            "given_name": user.name,
-            "preferred_username": user.username,
-            "nickname": user.username,
-            "groups": [group.name for group in request.user.ak_groups.all()]
-        }
-
-  - id: scope_email
-    model: authentik_providers_oauth2.scopemapping
-    identifiers:
-      scope_name: email
-    attrs:
-      name: "email"
-      expression: |
-        return {
-            "email": user.email,
-            "email_verified": True
-        }
-
   - id: scope_groups
     model: authentik_providers_oauth2.scopemapping
     identifiers:
@@ -101,15 +62,6 @@ entries:
             "groups": [group.name for group in request.user.ak_groups.all()]
         }
 
-  - id: scope_offline
-    model: authentik_providers_oauth2.scopemapping
-    identifiers:
-      scope_name: offline_access
-    attrs:
-      name: "offline_access"
-      expression: |
-        return {}
-
   # --- AI Tax Agent API (Production) -----------------------------------------
   - model: authentik_providers_oauth2.oauth2provider
     state: present
@@ -134,20 +86,23 @@ entries:
       scope_mappings:
         - !Find [
             authentik_providers_oauth2.scopemapping,
-            [scope_name, "openid"],
+            [managed, "goauthentik.io/providers/oauth2/scope-openid"],
           ]
         - !Find [
             authentik_providers_oauth2.scopemapping,
-            [scope_name, "profile"],
+            [managed, "goauthentik.io/providers/oauth2/scope-profile"],
+          ]
+        - !Find [
+            authentik_providers_oauth2.scopemapping,
+            [managed, "goauthentik.io/providers/oauth2/scope-email"],
           ]
-        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "email"]]
         - !Find [
             authentik_providers_oauth2.scopemapping,
             [scope_name, "groups"],
           ]
         - !Find [
             authentik_providers_oauth2.scopemapping,
-            [scope_name, "offline_access"],
+            [managed, "goauthentik.io/providers/oauth2/scope-offline_access"],
           ]
       authorization_flow:
         !Find [authentik_flows.flow, [slug, "default-authentication-flow"]]
@@ -195,20 +150,23 @@ entries:
       scope_mappings:
         - !Find [
             authentik_providers_oauth2.scopemapping,
-            [scope_name, "openid"],
+            [managed, "goauthentik.io/providers/oauth2/scope-openid"],
           ]
         - !Find [
             authentik_providers_oauth2.scopemapping,
-            [scope_name, "profile"],
+            [managed, "goauthentik.io/providers/oauth2/scope-profile"],
+          ]
+        - !Find [
+            authentik_providers_oauth2.scopemapping,
+            [managed, "goauthentik.io/providers/oauth2/scope-email"],
           ]
-        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "email"]]
         - !Find [
             authentik_providers_oauth2.scopemapping,
             [scope_name, "groups"],
           ]
         - !Find [
             authentik_providers_oauth2.scopemapping,
-            [scope_name, "offline_access"],
+            [managed, "goauthentik.io/providers/oauth2/scope-offline_access"],
           ]
       authorization_flow:
         !Find [authentik_flows.flow, [slug, "default-authentication-flow"]]
@@ -258,20 +216,23 @@ entries:
       scope_mappings:
         - !Find [
             authentik_providers_oauth2.scopemapping,
-            [scope_name, "openid"],
+            [managed, "goauthentik.io/providers/oauth2/scope-openid"],
           ]
         - !Find [
             authentik_providers_oauth2.scopemapping,
-            [scope_name, "profile"],
+            [managed, "goauthentik.io/providers/oauth2/scope-profile"],
+          ]
+        - !Find [
+            authentik_providers_oauth2.scopemapping,
+            [managed, "goauthentik.io/providers/oauth2/scope-email"],
           ]
-        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "email"]]
         - !Find [
             authentik_providers_oauth2.scopemapping,
             [scope_name, "groups"],
           ]
         - !Find [
             authentik_providers_oauth2.scopemapping,
-            [scope_name, "offline_access"],
+            [managed, "goauthentik.io/providers/oauth2/scope-offline_access"],
           ]
       authorization_flow:
         !Find [authentik_flows.flow, [slug, "default-authentication-flow"]]
@@ -318,12 +279,15 @@ entries:
       property_mappings:
         - !Find [
             authentik_providers_oauth2.scopemapping,
-            [scope_name, "openid"],
+            [managed, "goauthentik.io/providers/oauth2/scope-openid"],
           ]
-        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "email"]]
         - !Find [
             authentik_providers_oauth2.scopemapping,
-            [scope_name, "profile"],
+            [managed, "goauthentik.io/providers/oauth2/scope-email"],
+          ]
+        - !Find [
+            authentik_providers_oauth2.scopemapping,
+            [managed, "goauthentik.io/providers/oauth2/scope-profile"],
           ]
         - !Find [
             authentik_providers_oauth2.scopemapping,