website/docs: clarify OAuth2 provider overview#22144
Open
Conversation
✅ Deploy Preview for authentik-integrations ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
✅ Deploy Preview for authentik-docs ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #22144 +/- ##
==========================================
- Coverage 93.24% 93.22% -0.03%
==========================================
Files 1027 1027
Lines 59598 59598
Branches 400 400
==========================================
- Hits 55571 55558 -13
- Misses 4027 4040 +13
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
Contributor
|
authentik PR Installation instructions Instructions for docker-composeAdd the following block to your AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-ca1844ae709331890b7542fc9c56f76b28b7b5f4
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)sAfterwards, run the upgrade commands from the latest release notes. Instructions for KubernetesAdd the following block to your authentik:
outposts:
container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
image:
repository: ghcr.io/goauthentik/dev-server
tag: gh-ca1844ae709331890b7542fc9c56f76b28b7b5f4Afterwards, run the upgrade commands from the latest release notes. |
dewi-tik
requested changes
May 8, 2026
| authentik can act as the OpenID Provider (OP), where authentik is the identity provider, or as the Relying Party (RP), where authentik uses an external OAuth 2.0 or OIDC provider for authentication. To use authentik as the OP, create an OAuth 2.0 provider and attach it to an application. To use authentik as the RP, configure an OAuth [source](../../../users-sources/sources/index.md). The same authentik instance can act as both an OP and an RP. | ||
|
|
||
| All standard OAuth 2.0 flows (authorization code, client_credentials, implicit, hybrid, device code) and grant types are supported in authentik, and we follow the [OIDC spec](https://openid.net/specs/openid-connect-core-1_0.html). OAuth 2.0 in authentik supports OAuth, PKCE, [Github compatibility](./github-compatibility.md) and the RP receives data from our scope mapping system. | ||
| authentik supports the standard OAuth 2.0 flows and grant types, including authorization code, client credentials, implicit, hybrid, refresh token, and device code. authentik also follows the [OIDC spec](https://openid.net/specs/openid-connect-core-1_0.html), supports PKCE and [GitHub compatibility](./github-compatibility.md), and uses scope mappings to control the claims returned to the RP. |
Contributor
There was a problem hiding this comment.
Scope mappings should be a link to property mappings
| ## authentik and OAuth 2.0 | ||
|
|
||
| It's important to understand how authentik works with and supports the OAuth 2.0 protocol, so before taking a [closer look at OAuth 2.0 protocol](#about-oauth-20-and-oidc) itself, let's cover a bit about authentik. | ||
| Before looking at the [OAuth 2.0 protocol](#about-oauth-20-and-oidc), it helps to understand the roles authentik can play. |
Contributor
There was a problem hiding this comment.
Suggested change
| Before looking at the [OAuth 2.0 protocol](#about-oauth-20-and-oidc), it helps to understand the roles authentik can play. | |
| Before looking at the [OAuth 2.0 protocol](#about-oauth-20-and-oidc), it helps to understand the roles that authentik can play. |
| authentik can act as the OpenID Provider (OP), where authentik is the identity provider, or as the Relying Party (RP), where authentik uses an external OAuth 2.0 or OIDC provider for authentication. To use authentik as the OP, create an OAuth 2.0 provider and attach it to an application. To use authentik as the RP, configure an OAuth [source](../../../users-sources/sources/index.md). The same authentik instance can act as both an OP and an RP. | ||
|
|
||
| All standard OAuth 2.0 flows (authorization code, client_credentials, implicit, hybrid, device code) and grant types are supported in authentik, and we follow the [OIDC spec](https://openid.net/specs/openid-connect-core-1_0.html). OAuth 2.0 in authentik supports OAuth, PKCE, [Github compatibility](./github-compatibility.md) and the RP receives data from our scope mapping system. | ||
| authentik supports the standard OAuth 2.0 flows and grant types, including authorization code, client credentials, implicit, hybrid, refresh token, and device code. authentik also follows the [OIDC spec](https://openid.net/specs/openid-connect-core-1_0.html), supports PKCE and [GitHub compatibility](./github-compatibility.md), and uses scope mappings to control the claims returned to the RP. |
Contributor
There was a problem hiding this comment.
Suggested change
| authentik supports the standard OAuth 2.0 flows and grant types, including authorization code, client credentials, implicit, hybrid, refresh token, and device code. authentik also follows the [OIDC spec](https://openid.net/specs/openid-connect-core-1_0.html), supports PKCE and [GitHub compatibility](./github-compatibility.md), and uses scope mappings to control the claims returned to the RP. | |
| authentik supports standard OAuth 2.0 flows and grant types, including authorization code, client credentials, implicit, hybrid, refresh token, and device code. authentik also follows the [OIDC spec](https://openid.net/specs/openid-connect-core-1_0.html), supports PKCE and [GitHub compatibility](./github-compatibility.md), and uses scope mappings to control the claims returned to the RP. |
| @@ -2,28 +2,28 @@ | |||
| title: OAuth 2.0 provider | |||
Contributor
There was a problem hiding this comment.
Suggested change
| title: OAuth 2.0 provider | |
| title: OAuth2/OpenID provider |
| @@ -66,13 +66,13 @@ | |||
| Due to how the OAuth2 provider endpoints are structured, you cannot create applications that use the slugs `authorize`, `token`, `device`, `userinfo`, `introspect`, or `revoke` as these would conflict with the global OAuth2 endpoints. | |||
Contributor
There was a problem hiding this comment.
Suggested change
| Due to how the OAuth2 provider endpoints are structured, you cannot create applications that use the slugs `authorize`, `token`, `device`, `userinfo`, `introspect`, or `revoke` as these would conflict with the global OAuth2 endpoints. | |
| Due to how the OAuth2/OpenID provider endpoints are structured, you cannot create applications that use the slugs `authorize`, `token`, `device`, `userinfo`, `introspect`, or `revoke` as these would conflict with the global OAuth2 endpoints. |
|
|
||
| ## Default & special scopes | ||
|
|
||
| When a client does not request any scopes, authentik will treat the request as if all configured scopes were requested. Depending on the configured authorization flow, consent still needs to be given, and all scopes are listed there. |
Contributor
There was a problem hiding this comment.
Suggested change
| When a client does not request any scopes, authentik treats the request as if all configured scopes were requested. Depending on the configured authorization flow, consent still needs to be given, and all scopes are listed there. |
|
|
||
| ### authentik | ||
|
|
||
| - `goauthentik.io/api`: This scope grants the refresh token access to the authentik API on behalf of the user |
Contributor
There was a problem hiding this comment.
Suggested change
| - `goauthentik.io/api`: This scope grants the refresh token access to the authentik API on behalf of the user. |
Comment on lines
181
to
184
| - `user`: No-op, is accepted for compatibility but does not give access to any resources | ||
| - `read:user`: Same as above | ||
| - `user:email`: Allows read-only access to `/user`, including email address | ||
| - `read:org`: Allows read-only access to `/user/teams`, listing all the user's groups as teams. |
Contributor
There was a problem hiding this comment.
Suggested change
| - `user`: No-op, is accepted for compatibility but does not give access to any resources. | |
| - `read:user`: Same as above. | |
| - `user:email`: Allows read-only access to `/user`, including email address. | |
| - `read:org`: Allows read-only access to `/user/teams`, listing all the user's groups as teams. |
|
|
||
| ### GitHub compatibility | ||
|
|
||
| - `user`: No-op, is accepted for compatibility but does not give access to any resources |
Contributor
There was a problem hiding this comment.
Suggested change
| - `user`: No-op; is accepted for compatibility but does not give access to any resources |
|
|
||
| ### Encryption | ||
|
|
||
| authentik can also encrypt JWTs (turning them into JWEs) it issues by selecting an **Encryption Key** in the provider. When selected, all JWTs will be encrypted symmetrically using the selected certificate. authentik uses the `RSA-OAEP-256` algorithm with the `A256CBC-HS512` encryption method. |
Contributor
There was a problem hiding this comment.
Suggested change
| authentik can also encrypt JWTs (turning them into JWEs) that it issues by selecting an **Encryption Key** in the provider. When selected, all JWTs will be encrypted using the selected certificate. authentik uses the `RSA-OAEP-256` key management algorithm with the `A256CBC-HS512` content encryption method. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.