providers/oauth2: include scope in token response (#12921)

* fix scope param missing from token response Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix Signed-off-by: Jens Langhammer <jens@goauthentik.io> # Conflicts: # authentik/enterprise/providers/ssf/signals.py # authentik/enterprise/providers/ssf/tasks.py # authentik/enterprise/providers/ssf/tests/test_stream.py --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>
goauthentik · Feb 3, 2025 · e4b6df3 · e4b6df3
1 parent 7a6d791
commit e4b6df3
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/authentik/providers/oauth2/tests/test_token.py b/authentik/providers/oauth2/tests/test_token.py
@@ -150,6 +150,7 @@ def test_auth_code_view(self):
                 "id_token": provider.encode(
                     access.id_token.to_dict(),
                 ),
+                "scope": "",
             },
         )
         self.validate_jwt(access, provider)
@@ -242,6 +243,7 @@ def test_refresh_token_view(self):
                 "id_token": provider.encode(
                     access.id_token.to_dict(),
                 ),
+                "scope": "offline_access",
             },
         )
         self.validate_jwt(access, provider)
@@ -301,6 +303,7 @@ def test_refresh_token_view_invalid_origin(self):
                 "id_token": provider.encode(
                     access.id_token.to_dict(),
                 ),
+                "scope": "offline_access",
             },
         )
 

diff --git a/authentik/providers/oauth2/views/token.py b/authentik/providers/oauth2/views/token.py
@@ -627,6 +627,7 @@ def create_code_response(self) -> dict[str, Any]:
         response = {
             "access_token": access_token.token,
             "token_type": TOKEN_TYPE,
+            "scope": " ".join(access_token.scope),
             "expires_in": int(
                 timedelta_from_string(self.provider.access_token_validity).total_seconds()
             ),
@@ -710,6 +711,7 @@ def create_refresh_response(self) -> dict[str, Any]:
             "access_token": access_token.token,
             "refresh_token": refresh_token.token,
             "token_type": TOKEN_TYPE,
+            "scope": " ".join(access_token.scope),
             "expires_in": int(
                 timedelta_from_string(self.provider.access_token_validity).total_seconds()
             ),
@@ -736,6 +738,7 @@ def create_client_credentials_response(self) -> dict[str, Any]:
         return {
             "access_token": access_token.token,
             "token_type": TOKEN_TYPE,
+            "scope": " ".join(access_token.scope),
             "expires_in": int(
                 timedelta_from_string(self.provider.access_token_validity).total_seconds()
             ),
@@ -767,6 +770,7 @@ def create_device_code_response(self) -> dict[str, Any]:
         response = {
             "access_token": access_token.token,
             "token_type": TOKEN_TYPE,
+            "scope": " ".join(access_token.scope),
             "expires_in": int(
                 timedelta_from_string(self.provider.access_token_validity).total_seconds()
             ),