Add support for configurable oAuth2 scopes #2513
I noticed that "offline_access" is available here for Admin console Line 74 in a73cf6a
I could get authentication to work for admin console, but not for anything more. @damianujma for the ACS-6601
Maybe there is no need for a configurable setting for this, just add by default to IdentityServiceFacadeFactoryBean. Reference why I needed this change to get it to work with Authentik: https://docs.goauthentik.io/docs/providers/oauth2/#refresh_token
More references to "offline_access" are needed for the refresh token to be issued: https://auth0.com/docs/secure/tokens/refresh-tokens/get-refresh-tokens interesting discussion manfredsteyer/angular-oauth2-oidc#1241 on how to interpret the standard.
The OAuth2 scopes that Alfresco requests from the authentication server need to be configurable.
Currently hardcoded:
https://github.com/Alfresco/alfresco-community-repo/blob/master/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceFacadeFactoryBean.java#L384
Explanation
Trying to implement OAuth2 with Authentik, https://goauthentik.io, I got an error saying "ERROR [site.servlet.AIMSFilter] [http-nio-8080-exec-2] Resulted in Error while doing refresh token refreshToken cannot be null"
Tracked it down to the fact that you have to grant the "offline_access" scope for Authentik to send it
goauthentik/authentik#8660
I assume this also means the client (Alfresco) has to request it, but that is currently not possible.
Side note: I think using Authentik can be a good reference implementation to test that Alfresco has good support for OAuth2, and not just with Keycloak.
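The mechanism behind both the issue body above and the earlier comments is that a refresh token is only issued when the client asks for the `offline_access` scope and the provider grants it. The following is an added example, not Alfresco code and not from Authentik: it builds the authorization request from a configurable scope list, appends `offline_access` when a refresh token is required, and checks the token response for the missing-`refresh_token` condition that produced the "refreshToken cannot be null" error. The function names, endpoints and the sample token responses are constructed for illustration.

```python
"""Configurable OAuth2 scopes and a refresh-token sanity check.

Added example; the names below (effective_scopes, build_authorization_url,
validate_token_response) and the sample responses are hypothetical.
"""
from urllib.parse import urlencode

# Scopes an OpenID Connect client commonly requests by default.
DEFAULT_SCOPES = ("openid", "profile", "email")
# The scope that asks the provider to issue a refresh token.
REFRESH_SCOPE = "offline_access"


def effective_scopes(configured, want_refresh_token):
    """Return the scope list that will actually be sent.

    De-duplicates the configured scopes (keeping order) and appends
    offline_access when the deployment relies on refresh tokens, so the
    request cannot silently omit it because of a config oversight.
    """
    scopes = list(dict.fromkeys(configured))
    if want_refresh_token and REFRESH_SCOPE not in scopes:
        scopes.append(REFRESH_SCOPE)
    return scopes


def build_authorization_url(authorize_endpoint, client_id, redirect_uri, scopes, state):
    """Build the authorization-code request URL; scopes are space separated."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,  # CSRF binding between request and callback
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def validate_token_response(token_response, requested_scopes):
    """Return (ok, reason) for a token endpoint response (a parsed dict).

    Flags the failure mode from the issue: the client expects to refresh
    later, but no refresh_token came back. The granted 'scope' field tells
    whether the provider refused offline_access (client not allowed the
    scope) or granted it but still withheld the token.
    """
    if "access_token" not in token_response:
        return False, "no access_token in response"
    if REFRESH_SCOPE in requested_scopes and not token_response.get("refresh_token"):
        granted = token_response.get("scope", "").split()
        if REFRESH_SCOPE not in granted:
            return False, "refresh_token missing: provider did not grant offline_access"
        return False, "refresh_token missing although offline_access was granted"
    return True, "ok"


# Constructed sample responses (not captured from any real provider).
SAMPLE_WITH_REFRESH = {
    "access_token": "at-example",
    "refresh_token": "rt-example",
    "token_type": "Bearer",
    "scope": "openid profile email offline_access",
}
SAMPLE_SCOPE_REFUSED = {
    "access_token": "at-example",
    "token_type": "Bearer",
    "scope": "openid profile email",
}


def run_demo():
    """Show the hardcoded-scope case beside the configurable one."""
    hardcoded = effective_scopes(DEFAULT_SCOPES, want_refresh_token=False)
    configured = effective_scopes(DEFAULT_SCOPES, want_refresh_token=True)
    url = build_authorization_url(
        "https://idp.example/application/o/authorize/",
        "alfresco-client", "https://repo.example/callback", configured, "state123",
    )
    return {
        "hardcoded": hardcoded,
        "configured": configured,
        "url": url,
        "ok": validate_token_response(SAMPLE_WITH_REFRESH, configured),
        "refused": validate_token_response(SAMPLE_SCOPE_REFUSED, configured),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

The check in `validate_token_response` is the one a client should run right after the code exchange rather than at first refresh: failing early with a message naming the missing scope is far easier to diagnose than a null refresh token surfacing later inside a filter.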