
[Enhancement]: OpenID Connect add setting for requested scopes #3006

Open
RealStickman opened this issue May 24, 2024 · 3 comments
Labels
authentication Issue is related to authentication enhancement New feature or request

Comments

@RealStickman

Type of Enhancement

Server Backend

Describe the Feature/Enhancement

Please add a setting to request specific scopes in addition to the 3 basic ones.

Something similar to this, as offered by the OpenID Connect addon for Nextcloud.

image

Why would this be helpful?

In practice, it's possible to have different names for the scope and its contained claim.
I usually use the application name for the scope and have a different name for the actual claim for consistency on the application side.

Scope:
image

Claim:
image

With the current settings this does not work, either I set the correct claim and the scope won't be sent at all, or I use the working scope, but can't find any groups within.

Future Implementation (Screenshot)

A simple field titled "additional scopes" would be fine.

Audiobookshelf Server Version

v2.9.0

Current Implementation (Screenshot)

Settings > Authentication > OpenID Connect Authentication
image

@RealStickman RealStickman added the enhancement New feature or request label May 24, 2024
@advplyr
Owner

advplyr commented May 24, 2024

Is this a duplicate of #2878?

With Authentik and KeyCloak you can name the groups however you want and set up a mapping. Maybe you are using Authelia?

@RealStickman
Author

No, this is about having different scope and claim names. I am using Authentik with a custom mapping to change my group names into the ones specified by Audiobookshelf.

From my understanding, scopes are some kind of container for one or multiple claims.
Something like this
image

Simplified, I have this mapping.
image

I can change the mapping to this and it works. Here both the scope and claim are called "audiobookshelf" and I set the same value in the Audiobookshelf OIDC settings "Group Claim" field.
image

But scopes can also contain multiple claims. As an example, the openid scope contains these claims:

{
  "iss": "http://my-domain.auth0.com",
  "sub": "auth0|123456",
  "aud": "my_client_id",
  "exp": 1311281970,
  "iat": 1311280970,
  "name": "Jane Doe",
  "given_name": "Jane",
  "family_name": "Doe",
  "gender": "female",
  "birthdate": "0000-10-31",
  "email": "[email protected]",
  "picture": "http://example.com/janedoe/me.jpg"
}

from https://auth0.com/docs/secure/tokens/id-tokens/id-token-structure

This can also be done for custom mappings like this. Here I'm setting the Group Claim and Advanced Permission Claim within the same scope.
image

Visually represented something like this
image

With the current implementation I have to name one claim the same as the scope.
If we could specify the scope separately, the previous graphic would work.


After typing all this out, this is a very tiny issue most users won't ever encounter.
But it does feel more correct to separate scopes and claims.

I guess adding a note that claim == scope name in the documentation would suffice, so others don't have to spend time wondering why the heck stuff doesn't work.
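To make the scope/claim distinction from the comment above concrete, here is an added example in JavaScript (not Audiobookshelf code, not a reproduction of Authentik's behaviour). It models a provider that releases a set of claims per scope and a client that requests scopes and then reads its "Group Claim" from the ID token. It assumes, as the thread describes, that the current client requests the group claim's name as a scope; the provider configuration, claim names and group values are constructed for illustration, and `additionalScopes` stands in for the requested setting.

```javascript
// Added example (not Audiobookshelf or Authentik code): how requested scopes
// turn into ID-token claims, and why a group claim named differently from
// its scope is never seen unless that scope is requested explicitly.

const BASE_SCOPES = ['openid', 'profile', 'email'];

// Constructed provider configuration: scope name -> claims released by it.
// The custom scope is named after the application, but its claims are not.
const providerScopeMappings = {
  openid: { sub: 'auth0|123456' },
  profile: { name: 'Jane Doe' },
  email: { email: 'jane@example.invalid' },
  audiobookshelf: {
    audiobookshelf_groups: ['admin'],
    abspermissions: { canDownload: false, canUpload: true },
  },
};

// The same provider with the group claim renamed to match its scope
// (the workaround described in the thread: claim == scope name).
const providerScopeMappingsRenamed = {
  ...providerScopeMappings,
  audiobookshelf: {
    audiobookshelf: ['admin'],
    abspermissions: { canDownload: false, canUpload: true },
  },
};

// Provider side: only claims of scopes that are both requested and
// configured end up in the token. Unknown scopes are ignored rather than
// rejected, which is exactly what hides a misconfiguration from the user.
function buildIdTokenClaims(scopeMappings, requestedScopes) {
  const claims = {};
  const ignoredScopes = [];
  for (const scope of requestedScopes) {
    const released = scopeMappings[scope];
    if (!released) {
      ignoredScopes.push(scope);
      continue;
    }
    Object.assign(claims, released);
  }
  return { claims, ignoredScopes };
}

// Client side: the scope request. `groupClaim` models the existing
// "Group Claim" field, whose value is also sent as a scope (assumption,
// per the thread); `additionalScopes` models the requested new setting.
function requestedScopes(groupClaim, additionalScopes = []) {
  return [...new Set([...BASE_SCOPES, groupClaim, ...additionalScopes])];
}

// Client side: read the groups from the token. Returning null when the
// claim is missing lets the caller refuse the login instead of silently
// treating the user as a member of no groups.
function resolveGroups(claims, groupClaim) {
  const value = claims[groupClaim];
  return Array.isArray(value) ? value : null;
}

function login(scopeMappings, groupClaim, additionalScopes = []) {
  const scopes = requestedScopes(groupClaim, additionalScopes);
  const { claims, ignoredScopes } = buildIdTokenClaims(scopeMappings, scopes);
  return { groups: resolveGroups(claims, groupClaim), ignoredScopes };
}

// Case 1: correct claim name, but "audiobookshelf_groups" is not a scope,
// so the provider ignores it and the claim never arrives -> groups null.
// Case 2: the working scope name, but no claim of that name -> groups null.
// Case 3: claim renamed to match the scope -> works.
// Case 4: additional-scopes setting, claim and scope named separately -> works.
console.log(login(providerScopeMappings, 'audiobookshelf_groups'));
console.log(login(providerScopeMappings, 'audiobookshelf'));
console.log(login(providerScopeMappingsRenamed, 'audiobookshelf'));
console.log(login(providerScopeMappings, 'audiobookshelf_groups', ['audiobookshelf']));
```

The `ignoredScopes` list is the detail worth surfacing in a client: an identity provider that quietly drops an unknown scope gives the administrator nothing to debug from, so logging the scopes that produced no claims at login time turns "groups are empty" into an actionable message.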

@advplyr advplyr added the authentication Issue is related to authentication label May 26, 2024
@Sapd
Contributor

Sapd commented May 27, 2024

I guess adding a note that claim == scope name in the documentation would suffice, so others don't have to spend time wondering why the heck stuff doesn't work.

Yeah, I thought (when I developed that feature) to show the claims as a greyed-out box which would update with the name of the group claims etc., which would then make claim == scope clear.

But you also have a point that it makes sense to add a box and to allow adding claims, to allow configurations like the ones you showed. There then just must be a warning to the user that they also have to put the name of the scope which contains the claim explicitly into the additional claims field.

PS: I know you just made example pictures, but to save you a debugging session, keep in mind that in "abspermissions" in Authentik you have to write the booleans as true Python booleans like this. Otherwise they won't be provided as JSON boolean types:

abspermissions = {
  "abspermissions": {
    "canDownload": False,  # upper case, without quotes
    "canUpload": True,
    # ...
  }
}
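On the consuming side, the point in the PS above is worth enforcing rather than just documenting. The following added JavaScript example (not Audiobookshelf code) validates a permission claim before it is used: a mapping that writes the booleans as quoted strings delivers `"False"` and `"True"` strings, and a plain truthiness check in JavaScript treats the string `"False"` as granted. The claim fragments and the permission names are constructed for illustration and are not Audiobookshelf's actual permission set.

```javascript
// Added example (not Audiobookshelf code): strict type checking of a
// permission claim from an ID token. Permission names are a constructed
// subset used only for this illustration.

const KNOWN_PERMISSIONS = ['canDownload', 'canUpload'];

// Constructed fragments of what the two Authentik mapping styles produce.
const wellTypedClaim = { canDownload: false, canUpload: true };
const stringifiedClaim = { canDownload: 'False', canUpload: 'True' };

// What a careless consumer does: coerce whatever arrived to a boolean.
// The non-empty string "False" is truthy, so the permission is granted.
function naiveCanDownload(claim) {
  return Boolean(claim && claim.canDownload);
}

// Strict parser: every known permission must be a real JSON boolean.
// Missing permissions default to denied; a wrong type fails the whole
// claim with a message naming the offending key, so the administrator
// sees the mapping error instead of a silently over-permissive account.
function parsePermissions(claim) {
  if (claim === null || typeof claim !== 'object' || Array.isArray(claim)) {
    return { ok: false, error: 'abspermissions claim is not an object' };
  }
  const permissions = {};
  for (const key of KNOWN_PERMISSIONS) {
    const value = claim[key];
    if (value === undefined) {
      permissions[key] = false; // absent -> deny, never grant by default
      continue;
    }
    if (typeof value !== 'boolean') {
      return {
        ok: false,
        error: `${key} is ${typeof value} ${JSON.stringify(value)}, expected a JSON boolean`,
      };
    }
    permissions[key] = value;
  }
  return { ok: true, permissions };
}

console.log(naiveCanDownload(stringifiedClaim)); // true: the bug in action
console.log(parsePermissions(stringifiedClaim)); // { ok: false, error: ... }
console.log(parsePermissions(wellTypedClaim));   // { ok: true, permissions: ... }
```

Rejecting the whole claim on a type error, rather than skipping the bad key, is deliberate: a half-parsed permission set is harder to reason about than a failed login with a clear error, and the error text points straight at the mapping line that needs the unquoted Python boolean.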
