The `scope` claim cannot be overriden with a Property Mapping

[JMLX42]

Describe the bug

Hello there!

I'm trying to override the scope OAuth claim using a Property Mapping that merges the requested OAuth scopes with some permission related scopes set using user attributes.

But the scope claim is not the one set by the Property Mapping. It is always set to the requested scopes. Using the same Property Mapping with a custom claim works. So only the claim literally named scope is affected.

How to reproduce

1. Create a property mapping

token = request.context.get('token')
oauth_scopes = " ".join(token.scope) if token else ""
user_scopes = request.user.attributes.get("gltf_live_scopes", "")
scopes = f"{oauth_scopes} {user_scopes}".strip()

ak_logger.info("test_debug", scopes=scopes)

return {
    "aud": "gltf-live",
    "scope": scopes
}

2. Assign that property mapping to the OAuth provider
3. Login
4. Inspect the JWT

{
  "aud": "gltf-live",
  "scopes": "gltf-live email openid profile"
}

Expected behavior

{
  "aud": "gltf-live",
  "scopes": "gltf-live email openid profile accessor:read accessor-sparse:read accessor-sparse-indices:read accessor-sparse-values:read asset:read buffer:read buffer-view:read camera:read gltf:read image:read mesh:read mesh-attribute:read mesh-primitive:read node:read node-extensions:read material:read material-extensions:read material-pbr-metallic-roughness:read material-normal-texture-info:read material-occlusion-texture-info:read sampler:read scene:read texture:read texture-info:read khr-lights-punctual:read khr-materials-unlit:read khr-xmp-json-ld:read accessor:write accessor-sparse:write accessor-sparse-indices:write accessor-sparse-values:write asset:write buffer:write buffer-view:write camera:write gltf:write image:write mesh:write mesh-attribute:write mesh-primitive:write node:write node-extensions:write material:write material-extensions:write material-pbr-metallic-roughness:write material-normal-texture-info:write material-occlusion-texture-info:write sampler:write scene:write texture:write texture-info:write khr-lights-punctual:write khr-materials-unlit:write khr-xmp-json-ld:write accessor:delete accessor-sparse:delete accessor-sparse-indices:delete accessor-sparse-values:delete asset:delete buffer:delete buffer-view:delete camera:delete gltf:delete image:delete mesh:delete mesh-attribute:delete mesh-primitive:delete node:delete node-extensions:delete material:delete material-extensions:delete material-pbr-metallic-roughness:delete material-normal-texture-info:delete material-occlusion-texture-info:delete sampler:delete scene:delete texture:delete texture-info:delete khr-lights-punctual:delete khr-materials-unlit:delete khr-xmp-json-ld:delete"
}

Screenshots

No response

Additional context

The logs show that the scope field is properly computed in the Property Mapping. Which means the Property Mapping is running, but the generated claim is overridden afterward.

Deployment Method

Docker

Version

2025.10.3

Relevant log output

server-1  | {"auth_via": "oauth_client_secret", "domain_url": "127.0.0.1", "event": "test_debug", "host": "127.0.0.1:9000", "level": "info", "logger": "glTF Live OAuth Mapping: OpenID 'gltf-live'", "pid": 75, "request_id": "8ccab6b5ac694aa897dea497628797d4", "schema_name": "public", "scopes": "gltf-live email openid profile accessor:read accessor-sparse:read accessor-sparse-indices:read accessor-sparse-values:read asset:read buffer:read buffer-view:read camera:read gltf:read image:read mesh:read mesh-attribute:read mesh-primitive:read node:read node-extensions:read material:read material-extensions:read material-pbr-metallic-roughness:read material-normal-texture-info:read material-occlusion-texture-info:read sampler:read scene:read texture:read texture-info:read khr-lights-punctual:read khr-materials-unlit:read khr-xmp-json-ld:read accessor:write accessor-sparse:write accessor-sparse-indices:write accessor-sparse-values:write asset:write buffer:write buffer-view:write camera:write gltf:write image:write mesh:write mesh-attribute:write mesh-primitive:write node:write node-extensions:write material:write material-extensions:write material-pbr-metallic-roughness:write material-normal-texture-info:write material-occlusion-texture-info:write sampler:write scene:write texture:write texture-info:write khr-lights-punctual:write khr-materials-unlit:write khr-xmp-json-ld:write accessor:delete accessor-sparse:delete accessor-sparse-indices:delete accessor-sparse-values:delete asset:delete buffer:delete buffer-view:delete camera:delete gltf:delete image:delete mesh:delete mesh-attribute:delete mesh-primitive:delete node:delete node-extensions:delete material:delete material-extensions:delete material-pbr-metallic-roughness:delete material-normal-texture-info:delete material-occlusion-texture-info:delete sampler:delete scene:delete texture:delete texture-info:delete khr-lights-punctual:delete khr-materials-unlit:delete khr-xmp-json-ld:delete", "timestamp": "2026-01-07T11:25:40.066757"}

[JMLX42]

Root Cause Analysis

I investigated the codebase and found the bug in authentik/providers/oauth2/id_token.py.

The Problem

In the to_access_token() method, the scope claim is unconditionally overwritten after property mapping claims are merged:

def to_access_token(self, provider: "OAuth2Provider", token: "BaseGrantModel") -> str:
    """Encode id_token for use as access token, adding fields"""
    final = self.to_dict()              # Step 1: Merges self.claims (from property mappings)
    final["azp"] = provider.client_id
    final["uid"] = generate_id()
    final["scope"] = " ".join(token.scope)  # Step 2: OVERWRITES any scope from property mappings!
    return provider.encode(final)

The Flow

1. IDToken.new() populates id_token.claims via UserInfoView.get_claims(), which evaluates all ScopeMapping property mappings
2. Property mappings can return {"scope": "custom scopes..."} which gets stored in id_token.claims
3. to_dict() correctly merges these claims via id_dict.update(self.claims)
4. But then final["scope"] = " ".join(token.scope) unconditionally overwrites whatever scope value was set by property mappings

This explains why the property mapping correctly evaluates (visible in logs) but the final JWT contains only the original scopes.

Suggested Fix

Check if scope was already set by property mappings before applying the default:

def to_access_token(self, provider: "OAuth2Provider", token: "BaseGrantModel") -> str:
    final = self.to_dict()
    final["azp"] = provider.client_id
    final["uid"] = generate_id()
    if "scope" not in final:  # Only set default if not overridden by property mapping
        final["scope"] = " ".join(token.scope)
    return provider.encode(final)

Alternatively, the default scope could be set before merging claims in to_dict(), allowing property mappings to override it.

---

Disclosure: This analysis was performed by an AI assistant (Claude) at a user's request.