Security audit #1

2026-02-03 06:59:07 -07:00 · 2026-02-03 06:59:07 -07:00 · cd04d34b23
commit cd04d34b23
parent 68bc591150
8 changed files with 131 additions and 56 deletions
--- a/authentik/blueprints/kaboot-setup-production.yaml.example
+++ b/authentik/blueprints/kaboot-setup-production.yaml.example
@ -124,7 +124,7 @@ entries:
      name: kaboot-ai-access

  # ═══════════════════════════════════════════════════════════════════════════════
-  # GROUPS SCOPE MAPPING
+  # SCOPE MAPPINGS
  # ═══════════════════════════════════════════════════════════════════════════════

  - id: groups-scope-mapping
@ -138,6 +138,17 @@ entries:
      expression: |
        return {"groups": [group.name for group in request.user.ak_groups.all()]}

+  - id: audience-scope-mapping
+    model: authentik_providers_oauth2.scopemapping
+    identifiers:
+      managed: goauthentik.io/providers/oauth2/scope-kaboot-audience
+    attrs:
+      name: "Kaboot Audience Scope"
+      scope_name: kaboot
+      description: "Include audience claim for Kaboot backend validation"
+      expression: |
+        return {"aud": "kaboot-spa"}
+
  # ═══════════════════════════════════════════════════════════════════════════════
  # OAUTH2/OIDC PROVIDER
  # ═══════════════════════════════════════════════════════════════════════════════
@ -172,6 +183,7 @@ entries:
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, offline_access]]
        - !KeyOf groups-scope-mapping
+        - !KeyOf audience-scope-mapping

  # ═══════════════════════════════════════════════════════════════════════════════
  # APPLICATION