
providers/oauth2: allow property mappings to override scope claim in access tokens #19226

Merged
BeryJu merged 2 commits into goauthentik:main from lx-industries:fix/oauth2-scope-claim-override
Jan 15, 2026

Conversation


@JMLX42 JMLX42 commented Jan 7, 2026

Summary

Changes

  • Modified IDToken.to_access_token() in authentik/providers/oauth2/id_token.py to use setdefault() for the scope claim
  • Added test case test_scope_claim_override_via_property_mapping to verify property mappings can override the scope claim

Root Cause

In authentik/providers/oauth2/id_token.py:155, the to_access_token() method unconditionally overwrote the scope claim after property mapping claims were merged via to_dict():

final["scope"] = " ".join(token.scope)  # BUG: Unconditionally overwrites!

Fix

Changed to use setdefault() which only sets the default if no scope key exists:

final.setdefault("scope", " ".join(token.scope))

Test plan

  • Added new test test_scope_claim_override_via_property_mapping that verifies property mappings can override the scope claim
  • All existing OAuth2 token tests pass (no regressions)

Closes #19224

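The merge order described in the root cause above, as an added example that is not authentik's code and not part of the PR: property-mapping claims are merged first, then the scope claim is set. The Token stand-in, the base_claims() helper, the sample claim values and the scope_widened() check are assumptions made for this illustration. The check goes beyond the PR: once a mapping can override "scope", it can also widen it past what the client requested, so an operator reviewing a custom mapping will want a way to detect that.

```python
"""Illustration (not authentik's code) of the scope-claim merge fixed in #19226.

Models the order described in the PR: property-mapping claims are merged
first (to_dict()), then to_access_token() sets the "scope" claim. The
Token class, base_claims() and scope_widened() are assumptions for this example.
"""
from dataclasses import dataclass, field


@dataclass
class Token:
    """Minimal stand-in for the access token object (assumption)."""
    scope: list[str]
    # Claims produced by property mappings; merged before "scope" is set.
    mapping_claims: dict = field(default_factory=dict)


def base_claims(token: Token) -> dict:
    """Stand-in for IDToken.to_dict(): base claims plus property-mapping claims."""
    final = {"iss": "https://idp.example", "sub": "user-1"}  # constructed sample claims
    final.update(token.mapping_claims)
    return final


def to_access_token_before(token: Token) -> dict:
    """Behaviour before the fix: assignment overwrites any mapping-supplied scope."""
    final = base_claims(token)
    final["scope"] = " ".join(token.scope)
    return final


def to_access_token_after(token: Token) -> dict:
    """Behaviour after the fix: setdefault keeps a mapping-supplied scope."""
    final = base_claims(token)
    final.setdefault("scope", " ".join(token.scope))
    return final


def scope_widened(token: Token, claims: dict) -> set[str]:
    """Hardening check added by this example (not part of the PR): the scopes
    present in the final claim that the client never requested. With the fix,
    a mapping can put anything into "scope", so a reviewer should see when it grows."""
    final_scopes = set(claims.get("scope", "").split())
    return final_scopes - set(token.scope)


if __name__ == "__main__":
    requested = ["openid", "profile"]
    # A mapping that narrows scope (a legitimate use): only the pre-fix path loses it.
    narrowing = Token(requested, {"scope": "openid"})
    print(to_access_token_before(narrowing)["scope"])  # openid profile
    print(to_access_token_after(narrowing)["scope"])   # openid
    # A mapping that widens scope: the fix honours it, so the check flags "admin".
    widening = Token(requested, {"scope": "openid profile admin"})
    print(sorted(scope_widened(widening, to_access_token_after(widening))))  # ['admin']
```

Run it directly to see the three cases; in a real deployment the equivalent check belongs wherever custom property mappings are reviewed, since the token itself is issued with whatever the mapping returns.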
JMLX42 added 2 commits January 7, 2026 14:19
…mapping

Reproduces issue goauthentik#19224 where property mappings cannot override the scope claim.
…s tokens

Previously, the scope claim in access tokens was unconditionally set to
the requested scopes, ignoring any custom scope value returned by
property mappings.

This change uses setdefault() instead of direct assignment, so the
default scope is only set if no custom scope was provided by property
mappings.

Fixes goauthentik#19224
@JMLX42 JMLX42 requested a review from a team as a code owner January 7, 2026 13:26

netlify bot commented Jan 7, 2026

Deploy Preview for authentik-docs ready!

Name Link
🔨 Latest commit 75ce089
🔍 Latest deploy log https://app.netlify.com/projects/authentik-docs/deploys/695e5efe9cab010008dcce27
😎 Deploy Preview https://deploy-preview-19226--authentik-docs.netlify.app

@BeryJu BeryJu changed the title fix(oauth2): allow property mappings to override scope claim in access tokens providers/oauth2: allow property mappings to override scope claim in access tokens Jan 7, 2026
@github-project-automation github-project-automation bot moved this from Todo to In Progress in authentik Core Jan 8, 2026
@BeryJu BeryJu added area:backend backport/version-2025.12 Add this label to PRs to backport changes to version-2025.12 labels Jan 8, 2026

codecov bot commented Jan 8, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.33%. Comparing base (6e9972f) to head (75ce089).
⚠️ Report is 167 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #19226      +/-   ##
==========================================
+ Coverage   92.86%   93.33%   +0.46%     
==========================================
  Files         949      949              
  Lines       52372    52387      +15     
==========================================
+ Hits        48635    48894     +259     
+ Misses       3737     3493     -244     
Flag Coverage Δ
conformance 38.73% <6.25%> (-0.01%) ⬇️
e2e 44.62% <6.25%> (+1.94%) ⬆️
integration 23.37% <0.00%> (-0.06%) ⬇️
unit 91.60% <100.00%> (+0.02%) ⬆️
unit-migrate 91.64% <100.00%> (+0.02%) ⬆️


@BeryJu BeryJu merged commit 3e37821 into goauthentik:main Jan 15, 2026
183 of 187 checks passed
@github-project-automation github-project-automation bot moved this from In Progress to Done in authentik Core Jan 15, 2026
authentik-automation bot pushed a commit that referenced this pull request Jan 15, 2026
…access tokens (#19226)

* test(oauth2): add failing test for scope claim override via property mapping

Reproduces issue #19224 where property mappings cannot override the scope claim.

* fix(oauth2): allow property mappings to override scope claim in access tokens

Previously, the scope claim in access tokens was unconditionally set to
the requested scopes, ignoring any custom scope value returned by
property mappings.

This change uses setdefault() instead of direct assignment, so the
default scope is only set if no custom scope was provided by property
mappings.

Fixes #19224
@authentik-automation

🍒 Cherry-pick to version-2025.12 created: #19480

BeryJu pushed a commit that referenced this pull request Jan 15, 2026
…access tokens (#19226)
BeryJu pushed a commit that referenced this pull request Jan 15, 2026
…access tokens (cherry-pick #19226 to version-2025.12) (#19480)

providers/oauth2: allow property mappings to override scope claim in access tokens (#19226)

Co-authored-by: Jean-Marc Le Roux <jeanmarc.leroux@aerys.in>
kensternberg-authentik added a commit that referenced this pull request Jan 31, 2026
* main: (47 commits)
  endpoints/connectors/agent: add tests for IA endpoint stage (#19487)
  website/docs: limiting permissions of AD service account (#19483)
  endpoints/connectors/agent: Skip Endpoint stage on device IA & fix confusing identification subtext (#19482)
  root: adjust makefile for non-brew macos (#19479)
  providers/oauth2: allow property mappings to override scope claim in access tokens (#19226)
  revert: lib: use orjson for structlog json (#19478)
  stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs (#19464)
  core: bump library/nginx from `e3a22a7` to `c881927` in /website (#19469)
  core: bump library/node from 25.2.1-trixie to 25.3.0-trixie in /website (#19468)
  web: bump prettier from 3.7.4 to 3.8.0 in /web (#19471)
  website/integrations: add MinIO AIStor configuration via environment variables (#19337)
  root: upgrade ruff lint for 3.14 (#19461)
  lib: use orjson for structlog json (#19462)
  ci: fix checkout stable (for 2025.12) (#19448)
  root: Python 3.14 (#17313)
  core: bump channels from 4.3.1 to 4.3.2 (#19458)
  core: bump mypy from 1.18.2 to 1.19.1 (#19457)
  core: bump google-api-python-client from 2.177.0 to 2.188.0 (#19443)
  core: bump selenium from 4.32.0 to 4.39.0 (#19455)
  core: bump msgraph-sdk from 1.39.0 to 1.52.0 (#19454)
  ...

Labels

area:backend backport/version-2025.12 Add this label to PRs to backport changes to version-2025.12

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

The scope claim cannot be overridden with a Property Mapping

3 participants