fix(oidc): default OIDC_SCOPES aligned with Authentik (without 'groups')

Authentik does not expose a standard 'groups' scope; requesting this unknown
scope can make the authorize step fail depending on the provider config. The
groups arrive in the 'groups' claim of the 'profile' scope by default.

Default changes from 'openid email profile groups' to 'openid email profile'.
Update env.example + the associated ACADENICE_PATCHES.md doc.
Corentin JOGUET 2026-05-07 21:28:40 +02:00
parent 07d0b66fda
commit 06c46f7b9b
3 changed files with 7 additions and 6 deletions


@ -66,7 +66,9 @@ LOG_HTTP=false
# OIDC_CLIENT_ID= # OIDC_CLIENT_ID=
# OIDC_CLIENT_SECRET= # OIDC_CLIENT_SECRET=
# OIDC_REDIRECT_URI=http://localhost:3000/api/auth/oidc/callback # OIDC_REDIRECT_URI=http://localhost:3000/api/auth/oidc/callback
# OIDC_SCOPES=openid email profile groups # Authentik : 'groups' n'est pas un scope standard — les groups arrivent
# dans le claim 'groups' du scope 'profile' par defaut.
# OIDC_SCOPES=openid email profile
# OIDC_PROVIDER_NAME=Authentik # OIDC_PROVIDER_NAME=Authentik
# #
# Just-in-time provisioning for unknown emails. Strict by default — set # Just-in-time provisioning for unknown emails. Strict by default — set
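Review bot: the two comment lines added above `# OIDC_SCOPES=openid email profile` explain an Authentik-specific behaviour, but `OIDC_SCOPES` is a generic setting and only the neighbouring `OIDC_PROVIDER_NAME=Authentik` example ties this file to that IdP. An operator on a provider that does expose a dedicated `groups` scope and does not emit `groups` under `profile` will copy this default and lose the claim silently. Suggest one extra comment line, e.g. `# Other IdPs: re-add 'groups' (or your provider's group scope) if group claims are not part of 'profile'.`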


@ -109,7 +109,7 @@ Branche fork : `acadenice/main`
| `OIDC_CLIENT_ID` | (vide) | requis | | `OIDC_CLIENT_ID` | (vide) | requis |
| `OIDC_CLIENT_SECRET` | (vide) | requis | | `OIDC_CLIENT_SECRET` | (vide) | requis |
| `OIDC_REDIRECT_URI` | `${APP_URL}/api/auth/oidc/callback` | derive auto si non set | | `OIDC_REDIRECT_URI` | `${APP_URL}/api/auth/oidc/callback` | derive auto si non set |
| `OIDC_SCOPES` | `openid email profile groups` | | | `OIDC_SCOPES` | `openid email profile` | Authentik : `groups` claim arrive via le scope `profile` (pas un scope standard) |
| `OIDC_PROVIDER_NAME` | `SSO` | label affiche sur le bouton | | `OIDC_PROVIDER_NAME` | `SSO` | label affiche sur le bouton |
| `OIDC_AUTO_PROVISION` | `false` | si true : cree le user a la volee si email inconnu | | `OIDC_AUTO_PROVISION` | `false` | si true : cree le user a la volee si email inconnu |
| `OIDC_DEFAULT_WORKSPACE_ID` | (vide) | requis si multi-workspace + auto-provision | | `OIDC_DEFAULT_WORKSPACE_ID` | (vide) | requis si multi-workspace + auto-provision |
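Review bot: in the `OIDC_SCOPES` row, the new note reads ``Authentik : `groups` claim arrive via le scope `profile` (pas un scope standard)``, where the parenthetical attaches to `profile` and can be read as saying `profile` is the non-standard scope; it is `groups` that is non-standard. Suggest reordering, e.g. ``Authentik : pas de scope `groups` standard, le claim `groups` arrive via le scope `profile` ``. Since the commit message says this is only the default mapping, the note should also say the claim depends on that default `profile` mapping being kept on the Authentik provider, because a removed mapping gives the same symptom (no groups) as the old unknown-scope failure.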


@ -356,10 +356,9 @@ export class EnvironmentService {
} }
getOidcScopes(): string { getOidcScopes(): string {
return this.configService.get<string>( // Authentik n'expose pas un scope `groups` standard — les groups arrivent
'OIDC_SCOPES', // dans le claim `groups` du scope `profile` par defaut.
'openid email profile groups', return this.configService.get<string>('OIDC_SCOPES', 'openid email profile');
);
} }
getOidcProviderName(): string { getOidcProviderName(): string {
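Review bot: `getOidcScopes()` now returns the raw `OIDC_SCOPES` value, or the new default, with no check that the configured value still contains `openid`; an operator editing the variable to drop `groups`, as this commit nudges them to, can just as easily drop `openid`, the one scope an OIDC flow cannot work without. Suggest normalizing and validating here rather than relying on the provider to reject the request, e.g. split the value on whitespace, de-duplicate, and throw (or at least log a warning) when `openid` is absent. The comment duplicated from env.example is fine, but keep the two in sync when the next provider-specific note is added.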