From 06c46f7b9b4f4619f10ce4b6ccb9271bcd2f5744 Mon Sep 17 00:00:00 2001
From: Corentin
Date: Thu, 7 May 2026 21:28:40 +0200
Subject: [PATCH] fix(oidc): defaut OIDC_SCOPES align Authentik (sans 'groups')
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Authentik n'expose pas un scope 'groups' standard — demander ce scope inconnu peut faire echouer l'authorize selon la config provider. Les groups arrivent dans le claim 'groups' du scope 'profile' par defaut. Defaut passe de 'openid email profile groups' vers 'openid email profile'. Update env.example + ACADENICE_PATCHES.md doc associee.
---
 .env.example | 4 +++-
 ACADENICE_PATCHES.md | 2 +-
 .../src/integrations/environment/environment.service.ts | 7 +++----
 3 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/.env.example b/.env.example
index 6973b4c3..806c6c49 100644
--- a/.env.example
+++ b/.env.example
@@ -66,7 +66,9 @@ LOG_HTTP=false
 # OIDC_CLIENT_ID=
 # OIDC_CLIENT_SECRET=
 # OIDC_REDIRECT_URI=http://localhost:3000/api/auth/oidc/callback
-# OIDC_SCOPES=openid email profile groups
+# Authentik : 'groups' n'est pas un scope standard — les groups arrivent
+# dans le claim 'groups' du scope 'profile' par defaut.
+# OIDC_SCOPES=openid email profile
 # OIDC_PROVIDER_NAME=Authentik
 #
 # Just-in-time provisioning for unknown emails. Strict by default — set
diff --git a/ACADENICE_PATCHES.md b/ACADENICE_PATCHES.md
index 54378d06..802c2383 100644
--- a/ACADENICE_PATCHES.md
+++ b/ACADENICE_PATCHES.md
@@ -109,7 +109,7 @@ Branche fork : `acadenice/main`
 | `OIDC_CLIENT_ID` | (vide) | requis |
 | `OIDC_CLIENT_SECRET` | (vide) | requis |
 | `OIDC_REDIRECT_URI` | `${APP_URL}/api/auth/oidc/callback` | derive auto si non set |
-| `OIDC_SCOPES` | `openid email profile groups` | |
+| `OIDC_SCOPES` | `openid email profile` | Authentik : `groups` claim arrive via le scope `profile` (pas un scope standard) |
 | `OIDC_PROVIDER_NAME` | `SSO` | label affiche sur le bouton |
 | `OIDC_AUTO_PROVISION` | `false` | si true : cree le user a la volee si email inconnu |
 | `OIDC_DEFAULT_WORKSPACE_ID` | (vide) | requis si multi-workspace + auto-provision |
diff --git a/apps/server/src/integrations/environment/environment.service.ts b/apps/server/src/integrations/environment/environment.service.ts
index 4bf6ef01..910222d2 100644
--- a/apps/server/src/integrations/environment/environment.service.ts
+++ b/apps/server/src/integrations/environment/environment.service.ts
@@ -356,10 +356,9 @@ export class EnvironmentService {
   }

   getOidcScopes(): string {
-    return this.configService.get(
-      'OIDC_SCOPES',
-      'openid email profile groups',
-    );
+    // Authentik n'expose pas un scope `groups` standard — les groups arrivent
+    // dans le claim `groups` du scope `profile` par defaut.
+    return this.configService.get('OIDC_SCOPES', 'openid email profile');
   }

   getOidcProviderName(): string {
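Review bot: The new default in getOidcScopes bakes an Authentik-specific assumption into a provider-agnostic getter (the documented default provider label is `SSO`), so a deployment behind a provider that only emits group membership when a `groups` scope is requested will silently lose that claim unless OIDC_SCOPES is set explicitly. If group membership drives role or workspace authorization elsewhere (not visible in this hunk), the consumer of the `groups` claim should treat an absent claim as "no groups" rather than fall back to a broader default, and the `.env.example` comment in the first hunk should say that non-Authentik providers may need `groups` added back. The configured value is also returned untouched, so an OIDC_SCOPES that omits `openid` is passed straight through; a guard such as `const scopes = this.configService.get('OIDC_SCOPES', 'openid email profile').trim();` followed by `return scopes.split(/\s+/).includes('openid') ? scopes : 'openid ' + scopes;` keeps the request a valid OIDC flow. The comment would also read better as a short English note, e.g. `// Default targets Authentik: group membership arrives in the profile scope's groups claim, so no separate groups scope is requested; other providers may need it.`, matching the English comments already in .env.example. The enclosing EnvironmentService class starts and ends outside the hunk.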