Add support for configurable oAuth2 scopes #2513
Comments
|
I noticed that "offline_access" is available here for Admin console I could get authentication to work for admin console, but not for anything more. @damianujma for the ACS-6601 |
|
Maybe there is no need for a configurable setting for this, just add by default to IdentityServiceFacadeFactoryBean. Reference why I needed this change to get it to work with Authentik: https://docs.goauthentik.io/docs/providers/oauth2/#refresh_token |
|
More references to "offline_access" are needed for the refresh token to be issued: https://auth0.com/docs/secure/tokens/refresh-tokens/get-refresh-tokens interesting discussion manfredsteyer/angular-oauth2-oidc#1241 on how to interpret the standard. |
The oAuth2 scopes that Alfresco request from the authentication server needs to be configurable.
Currently hardcoded:
https://github.com/Alfresco/alfresco-community-repo/blob/master/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceFacadeFactoryBean.java#L384
Explanation
Trying to implement oAuth2 with Authentik, https://goauthentik.io I got an error saying "ERROR [site.servlet.AIMSFilter] [http-nio-8080-exec-2] Resulted in Error while doing refresh token refreshToken cannot be null"
Tracked it down to that you have to grant the "offline_access" scope for Authentik to send it
goauthentik/authentik#8660
I assume this also means the client (Alfresco has to request it), bit that is currently not possible.
Side note: I think using Authentik can be a good reference implementation to test that Alfresco has good support for oAuth2, and not just with keycloak.
The text was updated successfully, but these errors were encountered: