OIDC & certwarden:superadmin Scope

jmartindf

Hi,

I've been trying to setup proper SSO with Authentik and OIDC. I've seen the documentation on Idp General Configuration Notes and I've seen the discussion in issue #86 about “OIDC error when using Authentik”.

I’m confused about how this is supposed to work. The documentation implies that the user either does or does not have the scope attached to them. If the user does have the scope, they get access to Cert Warden. If they do not have the scope, access is denied.

But my understanding of OIDC and scopes is that scopes are a way to ask for a piece of information or a set of information. I didn’t think that a scope itself was a yes/no or true/false kind of thing.

If I have a "certwarden:superadmin" scope defined in Authentik, then every user is logged into Cert Warden, regardless of what information I do (or don’t) return as part of that scope. And if I don’t have a "certwarden:superadmin" scope defined in Authentik, then no user can login to Cert Warden.

That feels like a bug to me. Am I misunderstanding how this works?

gregtwallace

I don't use Authentik so I'm not familiar with it beyond the Issue thread you linked to. (The write up in the docs was done by a user, not me.)

I don't think every user should automatically be able to request any scope. For example, Auth0 has a toggle for Enable RBAC to enforce permissions / roles.

What is the alternative suggestion for constraining access?