providers/oauth2: if no scopes are sent in authorize request, select all configured scopes

closes #3112

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

authentik/providers/oauth2/views/authorize.py

@@ -55,6 +55,7 @@ from authentik.providers.oauth2.models import (
     OAuth2Provider,
     ResponseMode,
     ResponseTypes,
+    ScopeMapping,
 )
 from authentik.providers.oauth2.utils import HttpResponseRedirectScheme
 from authentik.providers.oauth2.views.userinfo import UserInfoView
@@ -215,6 +216,16 @@ class OAuthAuthorizationParams:
 
     def check_scope(self):
         """Ensure openid scope is set in Hybrid flows, or when requesting an id_token"""
+        if len(self.scope) == 0:
+            default_scope_names = set(
+                ScopeMapping.objects.filter(provider__in=[self.provider]).values_list(
+                    "scope_name", flat=True
+                )
+            )
+            self.scope = default_scope_names
+            LOGGER.info(
+                "No scopes requested, defaulting to all configured scopes", scopes=self.scope
+            )
         if SCOPE_OPENID not in self.scope and (
             self.grant_type == GrantTypes.HYBRID
             or self.response_type in [ResponseTypes.ID_TOKEN, ResponseTypes.ID_TOKEN_TOKEN]
@@ -240,11 +251,8 @@ class OAuthAuthorizationParams:
 
     def check_code_challenge(self):
         """PKCE validation of the transformation method."""
-        if self.code_challenge:
-            if not (self.code_challenge_method in ["plain", "S256"]):
-                raise AuthorizeError(
-                    self.redirect_uri, "invalid_request", self.grant_type, self.state
-                )
+        if self.code_challenge and self.code_challenge_method not in ["plain", "S256"]:
+            raise AuthorizeError(self.redirect_uri, "invalid_request", self.grant_type, self.state)
 
     def create_code(self, request: HttpRequest) -> AuthorizationCode:
         """Create an AuthorizationCode object for the request"""

website/docs/providers/oauth2/index.md

@@ -55,3 +55,26 @@ if "my-admin-scope" in request.context["oauth_scopes"]:
     return ak_is_group_member(request.user, name="my-admin-group")
 return True
 ```
+
+## Special scopes
+
+#### GitHub compatibility
+
+-   `user`: No-op, is accepted for compatibility but does not give access to any resources
+-   `read:user`: Same as above
+-   `user:email`: Allows read-only access to `/user`, including email address
+-   `read:org`: Allows read-only access to `/user/teams`, listing all the user's groups as teams.
+
+#### authentik
+
+-   `goauthentik.io/api`: This scope grants the refresh token access to the authentik API on behalf of the user
+
+## Default scopes
+
+:::info
+Requires authentik 2022.7
+:::
+
+When a client does not request any scopes, authentik will treat the request as if all configured scopes were requrested. Depending on the configured authorization flow, consent still needs to be given, and all scopes are listed there.
+
+This does _not_ apply to special scopes, as those are not configurable in the provider.

website/docs/releases/v2022.7.md

@@ -30,6 +30,10 @@ slug: "2022.7"
 
     Instead of having to choose between using the `:latest` tag and explicit versions like `:2022.7.1`, there are now also version-family tags (:2022.7). This allows for sticking with a single version but still getting bugfix updates.
 
+-   OAuth2 Provider default Scopes
+
+    Starting with authentik 2022.7, when an OAuth client doesn't specify any scopes, authentik will treat the request as if all the configured scopes of that provider had been requested. Normal consent is still required depending on the configured flow. No special scopes will be added, as those can't be selected in the configuration.
+
 ## Minor changes/fixes
 
 -   api: add basic jwt support with required scope (#2624)