Hi,
I've been trying to set up proper SSO with Authentik and OIDC. I've seen the documentation on IdP General Configuration Notes and I've seen the discussion in issue #86 about "OIDC error when using Authentik".
I’m confused about how this is supposed to work. The documentation implies that the user either does or does not have the scope attached to them. If the user does have the scope, they get access to Cert Warden. If they do not have the scope, access is denied.
But my understanding of OIDC and scopes is that scopes are a way to ask for a piece of information or a set of information. I didn’t think that a scope itself was a yes/no or true/false kind of thing.
If I have a "certwarden:superadmin" scope defined in Authentik, then every user is logged into Cert Warden, regardless of what information I do (or don't) return as part of that scope. And if I don't have a "certwarden:superadmin" scope defined in Authentik, then no user can log in to Cert Warden.
That feels like a bug to me. Am I misunderstanding how this works?
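To make the distinction the post is drawing concrete (a scope being granted versus the claim released under that scope actually authorizing the user), here is an added example that is not part of the original post and not Cert Warden's or Authentik's code. It assumes the ID token has already been signature-verified, that the granted scopes arrive as the space-separated `scope` string of the token response, and that the authorizing claim is a list named `groups`; the claim name, the group names and the sample claims are all constructed for illustration.

```python
# Constructed sample claims, as they might appear in a decoded (already
# signature-verified) OIDC ID token. The claim name "groups" is an assumption.
SAMPLE_CLAIMS_ADMIN = {
    "sub": "alice",
    "email": "alice@example.test",
    "groups": ["certwarden-admins", "staff"],
}
SAMPLE_CLAIMS_USER = {
    "sub": "bob",
    "email": "bob@example.test",
    "groups": ["staff"],
}


def scope_was_granted(granted_scopes: str, required_scope: str) -> bool:
    """Presence check only: did the IdP grant the scope at all?

    `granted_scopes` is the space-separated scope string from the token
    response (RFC 6749 format). This says nothing about the user; it only
    tells us whether the claims mapped to that scope were released.
    """
    return required_scope in granted_scopes.split()


def claim_authorizes(claims: dict, claim_name: str, required_value: str) -> bool:
    """Value check: does the released claim actually carry the required value?

    Handles a missing claim (treated as not authorized), a list-valued claim
    (membership test) and a scalar claim (equality test).
    """
    value = claims.get(claim_name)
    if value is None:
        return False
    if isinstance(value, list):
        return required_value in value
    return value == required_value


def authorize(granted_scopes: str, claims: dict, required_scope: str,
              claim_name: str, required_value: str) -> bool:
    """Authorization decision that depends on claim content, not scope presence.

    The scope gate only ensures the claim was requested and released; the
    claim value is what distinguishes one user from another.
    """
    if not scope_was_granted(granted_scopes, required_scope):
        return False
    return claim_authorizes(claims, claim_name, required_value)


if __name__ == "__main__":
    scopes = "openid email certwarden:superadmin"
    for claims in (SAMPLE_CLAIMS_ADMIN, SAMPLE_CLAIMS_USER):
        decision = authorize(scopes, claims, "certwarden:superadmin",
                             "groups", "certwarden-admins")
        print(f"{claims['sub']}: scope granted, authorized={decision}")
```

With the scope granted to both users, only the user whose `groups` claim contains the required value is authorized; granting the scope alone admits nobody by itself, and a user lacking the claim value is refused even though the scope was present.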