4be238018b
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> #2641
57 lines
2.7 KiB
Markdown
57 lines
2.7 KiB
Markdown
---
|
|
title: OAuth2 Provider
|
|
---
|
|
|
|
This provider supports both generic OAuth2 as well as OpenID Connect
|
|
|
|
Scopes can be configured using Scope Mappings, a type of [Property Mappings](../../property-mappings/#scope-mapping).
|
|
|
|
| Endpoint | URL |
|
|
| -------------------- | -------------------------------------------------------------------- |
|
|
| Authorization | `/application/o/authorize/` |
|
|
| Token | `/application/o/token/` |
|
|
| User Info | `/application/o/userinfo/` |
|
|
| End Session | `/application/o/end-session/` |
|
|
| JWKS | `/application/o/<application slug>/jwks/` |
|
|
| OpenID Configuration | `/application/o/<application slug>/.well-known/openid-configuration` |
|
|
|
|
## GitHub Compatibility
|
|
|
|
This provider also exposes a GitHub-compatible endpoint. This endpoint can be used by applications, which support authenticating against GitHub Enterprise, but not generic OpenID Connect.
|
|
|
|
To use any of the GitHub Compatibility scopes, you have to use the GitHub Compatibility Endpoints.
|
|
|
|
| Endpoint | URL |
|
|
| --------------- | --------------------------- |
|
|
| Authorization | `/login/oauth/authorize` |
|
|
| Token | `/login/oauth/access_token` |
|
|
| User Info | `/user` |
|
|
| User Teams Info | `/user/teams` |
|
|
|
|
To access the user's email address, a scope of `user:email` is required. To access their groups, `read:org` is required. Because these scopes are handled by a different endpoint, they are not customisable as a Scope Mapping.
|
|
|
|
## Grant types
|
|
|
|
### `authorization_code`:
|
|
|
|
This grant is used to convert an authorization code to a refresh token. The authorization code is retrieved through the Authorization flow, and can only be used once, and expires quickly.
|
|
|
|
### `refresh_token`:
|
|
|
|
Refresh tokens can be used as long-lived tokens to access user data, and further renew the refresh token down the road.
|
|
|
|
### `client_credentials`:
|
|
|
|
See [Machine-to-machine authentication](./client_credentials)
|
|
|
|
## Scope authorization
|
|
|
|
By default, every user that has access to an application can request any of the configured scopes. Starting with authentik 2022.4, you can do additional checks for the scope in an expression policy (bound to the application):
|
|
|
|
```python
|
|
# There are additional fields set in the context, use `ak_logger.debug(request.context)` to see them.
|
|
if "my-admin-scope" in request.context["oauth_scopes"]:
|
|
return ak_is_group_member(request.user, name="my-admin-group")
|
|
return True
|
|
```
|