oauth questions: why consent? why default OauthUserScope openid and profile?
Hi,
I tried to set up Gokapi in conjunction with authentik. Eventually I made it work. Unfortunately I could not find documentation or examples for the config.json file. Already knowing that Method = 1 means OAuth was a lucky hit. But knowing all the (optional and mandatory) values for it was tricky. I'm still not sure I have all I need; or better: not any unused ones. Did I miss some documentation?
Especially I was surprised to see that by default, gokapi will ALWAYS add profile and openid in the scope which made me end up with "openid profile openid profile email" - so duplicated. Is it supposed to be that way?
Another thing is not something which is not working, but it surprised me as it is the first time I'm facing it. gokapi uses the possibility to request consent from the user in the OAuth workflow, telling him which data it is requesting (besides, it's not telling about openid and profile explicitly but only "general SOMETHING..."). As I configure which data is provided on the OAuth server side (aka authentik) for this specific client, I'm already limiting the data sent to the client, aka gokapi in this case. So it's a little bothersome to have another screen and click to continue before getting logged in.
Would it be possible to have a config variable, i.e. in the Authentication section, to switch this on/off?
Hi, have you run the setup? Normally manually editing the config.json is not required. There are configuration examples for some providers - although authentik is not included, it should be quite similar: https://gokapi.readthedocs.io/en/stable/examples.html#openid-connect-configuration
Please note that with the coming 2.0 release, there are a couple of changes to openID, I would recommend downloading the beta in your case.
Thanks @Forceu for your reply. I used the setup process. Albeit I have to admit I did not set up OAuth at that point; I first started locally, so no FQD, no OAuth provider. Thus that definitely contributed to the fact that I needed to find that out later on. And as you said, there is unfortunately no config example for authentik.
But I just tried to start from scratch again (thanks to docker). I did not manage to configure everything the right way on the first shot. But comparing my working config file and the one created with the setup process showed me the differences, and after adding a few things it worked again.
But it does not solve the consent screen part. As far as I understand the topic, this is a fixed parameter which gokapi sends to the OAuth provider. I believe it should be the same for people using authelia or other providers. If not, I would be curious to know what their config files look like.
But for now this is my config file - maybe it helps other people trying to use authentik:

```json
{
  "Authentication": {
    "Method": 1,
    "SaltAdmin": "REDACTED",
    "SaltFiles": "REDACTED",
    "Username": "",
    "Password": "",
    "HeaderKey": "",
    "OauthProvider": "https://authentik.xxx.yyyy/application/o/gokapi/",
    "OAuthClientId": "REDACTED",
    "OAuthClientSecret": "REDACTED",
    "OauthUserScope": "email",
    "OauthGroupScope": "",
    "OAuthRecheckInterval": 12,
    "HeaderUsers": null,
    "OAuthGroups": [],
    "OauthUsers": []
  },
  "Port": ":53842",
  "ServerUrl": "https://gokapi.xxx.yyy/",
  "RedirectUrl": "https://gokapi.xxx.yyy/admin",
  "PublicName": "REDACTED",
  "DataDir": "data",
  "DatabaseUrl": "sqlite://./data/gokapi.sqlite",
  "ConfigVersion": 21,
  "LengthId": 15,
  "MaxFileSizeMB": 102400,
  "MaxMemory": 50,
  "ChunkSize": 45,
  "MaxParallelUploads": 4,
  "Encryption": {
    "Level": 0,
    "Cipher": null,
    "Salt": "",
    "Checksum": "",
    "ChecksumSalt": ""
  },
  "UseSsl": false,
  "PicturesAlwaysLocal": false,
  "SaveIp": true,
  "IncludeFilename": true
}
```
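An added example, not Gokapi's code and not part of the posts above: how an OIDC client can merge the scopes it always requests with a configured `OauthUserScope` without sending duplicates, and where an explicit consent request sits in the authorization URL. The function names, the `forceConsent` switch and the endpoint, client and redirect values are assumptions made for illustration; `prompt=consent` is the standard OpenID Connect request parameter.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// mergeScopes returns the default scopes followed by any configured scopes
// that are not already present, so "openid profile" is never sent twice.
func mergeScopes(defaults []string, configured string) []string {
	seen := make(map[string]bool)
	var out []string
	all := append(append([]string{}, defaults...), strings.Fields(configured)...)
	for _, s := range all {
		if !seen[s] {
			seen[s] = true
			out = append(out, s)
		}
	}
	return out
}

// authURL builds an OIDC authorization request. prompt=consent is added only
// when forceConsent (a hypothetical switch) is set; without it the provider
// decides whether a consent screen is shown.
func authURL(endpoint, clientID, redirectURI, state string, scopes []string, forceConsent bool) (string, error) {
	u, err := url.Parse(endpoint)
	if err != nil {
		return "", err
	}
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", strings.Join(scopes, " "))
	q.Set("state", state)
	if forceConsent {
		q.Set("prompt", "consent")
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

func main() {
	defaults := []string{"openid", "profile"} // scopes the client always requests
	for _, cfg := range []string{"email", "openid profile email"} {
		scopes := mergeScopes(defaults, cfg)
		// Constructed endpoint, client id, redirect URI and state.
		u, _ := authURL("https://idp.example/authorize", "constructed-client-id",
			"https://app.example/oauth-callback", "constructed-state", scopes, false)
		fmt.Printf("%q -> %v\n%s\n", cfg, scopes, u)
	}
}
```

Both configured values produce the same scope string, `openid profile email`, which matches the working config's choice of listing only `email`.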