From fda9b137a7993f8c776d4aad3c5d1149ebb3122f Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 3 Feb 2025 15:02:25 +0100
Subject: [PATCH 1/3] core: bump ua-parser from 1.0.0 to 1.0.1 (#12922)

Bumps [ua-parser](https://github.com/ua-parser/uap-python) from 1.0.0 to 1.0.1.
- [Release notes](https://github.com/ua-parser/uap-python/releases)
- [Commits](https://github.com/ua-parser/uap-python/compare/1.0.0...1.0.1)

---
updated-dependencies:
- dependency-name: ua-parser
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 poetry.lock | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/poetry.lock b/poetry.lock
index 31e943e6b1e5..cc5bd1d0fe66 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -5197,13 +5197,13 @@ files = [
 
 [[package]]
 name = "ua-parser"
-version = "1.0.0"
+version = "1.0.1"
 description = "Python port of Browserscope's user agent parser"
 optional = false
 python-versions = ">=3.9"
 files = [
-    {file = "ua_parser-1.0.0-py3-none-any.whl", hash = "sha256:5b31133606a781f56692caa11a9671a9f330c22604b3c4957a7ba18c152212d0"},
-    {file = "ua_parser-1.0.0.tar.gz", hash = "sha256:a9740f53f4fbb72b7a03d304cae32a2785cafc55e8207efb74877bba17c35324"},
+    {file = "ua_parser-1.0.1-py3-none-any.whl", hash = "sha256:b059f2cb0935addea7e551251cbbf42e9a8872f86134163bc1a4f79e0945ffea"},
+    {file = "ua_parser-1.0.1.tar.gz", hash = "sha256:f9d92bf19d4329019cef91707aecc23c6d65143ad7e29a233f0580fb0d15547d"},
 ]
 
 [package.dependencies]

From 7a6d7919c8e92cab03f6b10bcd1ebb7b6a9a2b71 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 3 Feb 2025 15:04:59 +0100
Subject: [PATCH 2/3] core: bump webauthn from 2.5.0 to 2.5.1 (#12923)

Bumps [webauthn](https://github.com/duo-labs/py_webauthn) from 2.5.0 to 2.5.1.
- [Release notes](https://github.com/duo-labs/py_webauthn/releases)
- [Changelog](https://github.com/duo-labs/py_webauthn/blob/master/CHANGELOG.md)
- [Commits](https://github.com/duo-labs/py_webauthn/compare/v2.5.0...v2.5.1)

---
updated-dependencies:
- dependency-name: webauthn
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 poetry.lock | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/poetry.lock b/poetry.lock
index cc5bd1d0fe66..95e6f9594bb9 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -5491,13 +5491,13 @@ files = [
 
 [[package]]
 name = "webauthn"
-version = "2.5.0"
+version = "2.5.1"
 description = "Pythonic WebAuthn"
 optional = false
 python-versions = "*"
 files = [
-    {file = "webauthn-2.5.0-py3-none-any.whl", hash = "sha256:d978b40bee53a3b283e4a867718ff8269b049c9d66c184eff137338810e98be6"},
-    {file = "webauthn-2.5.0.tar.gz", hash = "sha256:6b3d2e2a5636686829f528227865e19582700d6c107ef0a1256ef150b5bd4599"},
+    {file = "webauthn-2.5.1-py3-none-any.whl", hash = "sha256:86d1faa11ec26ebe49b9388d8c3d09bff4dca6c23d3c7e2dd066e99896d694f0"},
+    {file = "webauthn-2.5.1.tar.gz", hash = "sha256:f1b7447bae1056e110a9e71ff287f639d05d4d14589911d75fea255c3a03aff0"},
 ]
 
 [package.dependencies]

From e4b6df3f27008c35feae0bcd1b9cc0b8cd90b52d Mon Sep 17 00:00:00 2001
From: "Jens L." <jens@goauthentik.io>
Date: Mon, 3 Feb 2025 15:29:26 +0100
Subject: [PATCH 3/3] providers/oauth2: include scope in token response
 (#12921)

* fix scope param missing from token response

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

# Conflicts:
#	authentik/enterprise/providers/ssf/signals.py
#	authentik/enterprise/providers/ssf/tasks.py
#	authentik/enterprise/providers/ssf/tests/test_stream.py

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---
 authentik/providers/oauth2/tests/test_token.py | 3 +++
 authentik/providers/oauth2/views/token.py      | 4 ++++
 2 files changed, 7 insertions(+)

diff --git a/authentik/providers/oauth2/tests/test_token.py b/authentik/providers/oauth2/tests/test_token.py
index c2e897182ab9..2ddcc76e4dac 100644
--- a/authentik/providers/oauth2/tests/test_token.py
+++ b/authentik/providers/oauth2/tests/test_token.py
@@ -150,6 +150,7 @@ def test_auth_code_view(self):
                 "id_token": provider.encode(
                     access.id_token.to_dict(),
                 ),
+                "scope": "",
             },
         )
         self.validate_jwt(access, provider)
@@ -242,6 +243,7 @@ def test_refresh_token_view(self):
                 "id_token": provider.encode(
                     access.id_token.to_dict(),
                 ),
+                "scope": "offline_access",
             },
         )
         self.validate_jwt(access, provider)
@@ -301,6 +303,7 @@ def test_refresh_token_view_invalid_origin(self):
                 "id_token": provider.encode(
                     access.id_token.to_dict(),
                 ),
+                "scope": "offline_access",
             },
         )
 
diff --git a/authentik/providers/oauth2/views/token.py b/authentik/providers/oauth2/views/token.py
index 9ee25dd555ed..ba8d571d8870 100644
--- a/authentik/providers/oauth2/views/token.py
+++ b/authentik/providers/oauth2/views/token.py
@@ -627,6 +627,7 @@ def create_code_response(self) -> dict[str, Any]:
         response = {
             "access_token": access_token.token,
             "token_type": TOKEN_TYPE,
+            "scope": " ".join(access_token.scope),
             "expires_in": int(
                 timedelta_from_string(self.provider.access_token_validity).total_seconds()
             ),
@@ -710,6 +711,7 @@ def create_refresh_response(self) -> dict[str, Any]:
             "access_token": access_token.token,
             "refresh_token": refresh_token.token,
             "token_type": TOKEN_TYPE,
+            "scope": " ".join(access_token.scope),
             "expires_in": int(
                 timedelta_from_string(self.provider.access_token_validity).total_seconds()
             ),
@@ -736,6 +738,7 @@ def create_client_credentials_response(self) -> dict[str, Any]:
         return {
             "access_token": access_token.token,
             "token_type": TOKEN_TYPE,
+            "scope": " ".join(access_token.scope),
             "expires_in": int(
                 timedelta_from_string(self.provider.access_token_validity).total_seconds()
             ),
@@ -767,6 +770,7 @@ def create_device_code_response(self) -> dict[str, Any]:
         response = {
             "access_token": access_token.token,
             "token_type": TOKEN_TYPE,
+            "scope": " ".join(access_token.scope),
             "expires_in": int(
                 timedelta_from_string(self.provider.access_token_validity).total_seconds()
             ),