
How to define applicable OAuth scopes

Open patrick-dedication opened this issue 3 years ago • 3 comments

Describe your question/

  1. How can we define applicable OAuth scopes for a Provider/API?
  2. How can we assign a scope (i.e. resource:delete) to one user but not to another user?

Version and Deployment (please complete the following information):

  • authentik version: 2022.3.3
  • Deployment: docker-compose

patrick-dedication · Apr 01 '22 14:04

Under Customization -> Property mappings, you can create a scope mapping, which defines any extra data that should be included in the tokens.

Currently there is no simple way to only give certain users access to certain scopes. It should be possible via an expression policy, but I think some fields might be missing.

BeryJu · Apr 01 '22 16:04

This is possible by using something like Groups to map which users have access to which scope, for example by saving the allowed scope in an attribute in the group. Then, in a policy that is bound to the application, a check can be done to see which groups the user is a member of (either directly or directly+indirectly) and, depending on that and the requested scopes, either allow or deny the request. We'll update the docs to better demonstrate how this can be done.

BeryJu · Mar 28 '24 17:03
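The group-attribute check described in the reply above, written out as an added example (not authentik's own code or part of this thread). The `Group` objects, the `allowed_scopes` attribute name and the scope values are constructed stand-ins; in a real expression policy the user's groups and the requested scopes would be read from the policy request, and the policy body would simply `return` the boolean that `policy()` computes.

```python
# Added example: decide whether a user may receive the requested OAuth scopes,
# based on an "allowed_scopes" list stored in the attributes of each group.
# Names and data below are constructed for illustration, not authentik's API.
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Group:
    name: str
    attributes: dict = field(default_factory=dict, compare=False)
    parent: Optional["Group"] = None  # enables the "directly+indirectly" case


def all_groups(direct_groups):
    """Direct memberships plus every ancestor group (indirect membership)."""
    seen, stack = [], list(direct_groups)
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.append(group)
        if group.parent is not None:
            stack.append(group.parent)
    return seen


def allowed_scopes(direct_groups):
    """Union of the allowed_scopes attribute across all (in)direct groups."""
    allowed = set()
    for group in all_groups(direct_groups):
        allowed.update(group.attributes.get("allowed_scopes", []))
    return allowed


def missing_scopes(direct_groups, requested_scopes):
    """Requested scopes that no group grants; non-empty means deny."""
    return sorted(set(requested_scopes) - allowed_scopes(direct_groups))


def policy(direct_groups, requested_scopes):
    """Allow only when every requested scope is granted by some group."""
    return not missing_scopes(direct_groups, requested_scopes)


# Constructed sample data: admins inherit the readers' scopes via parent.
READERS = Group("api-readers", {"allowed_scopes": ["openid", "profile", "resource:read"]})
ADMINS = Group("api-admins", {"allowed_scopes": ["resource:delete"]}, parent=READERS)
```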

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.