feat(auth): Faza B NextAuth Authentik scope=enrichment + forward access_token

Authentik OIDC provider now requests `openid email profile enrichment`
(from AUTHENTIK_SCOPES env, Infisical-fetched at boot). The enrichment
scope triggers Authentik scope mapping pk=41b23bc3-bdd8-4a61-b975-
6e0eff56df72 which emits enrichment_scope + is_beletage_group claims
based on LDAP group membership (Arhitecti/Administrators/Domain Admins
→ scope=full + is_beletage_group=true).

jwt callback captures account.access_token on first sign-in; session
callback exposes it as session.accessToken so api.gis.ac calls can
forward it. Used by Faza D thin client (src/lib/gis-api-client.ts,
pending) to authenticate against api.gis.ac.

Without scope=enrichment, every architools user falls through to
scope=none on api.gis.ac → 403 on every parcel/enrichment read.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Claude VM
2026-05-18 08:01:16 +03:00
parent 54b78c2dcf
commit 403b6b37f1
+15 -1
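--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -7,10 +7,23 @@ export const authOptions: NextAuthOptions = {
 clientId: process.env.AUTHENTIK_CLIENT_ID || "",
 clientSecret: process.env.AUTHENTIK_CLIENT_SECRET || "",
 issuer: process.env.AUTHENTIK_ISSUER || "",
+authorization: {
+params: {
+scope:
+process.env.AUTHENTIK_SCOPES ||
+"openid email profile enrichment",
+},
+},
 }),
 ],
 callbacks: {
-async jwt({ token, user, profile }) {
+async jwt({ token, user, profile, account }) {
+// First sign-in: capture Authentik OIDC access_token so api.gis.ac
+// calls can forward it. Carries enrichment_scope + is_beletage_group
+// claims (mapped server-side in Authentik from LDAP group Arhitecti).
+if (account?.access_token) {
+token.accessToken = account.access_token;
+}
 if (user) {
 token.id = user.id;
 }
@@ -41,6 +54,7 @@ export const authOptions: NextAuthOptions = {
 (session.user as any).role = token.role || "user";
 (session.user as any).company = token.company || "group";
 }
+(session as any).accessToken = token.accessToken;
 return session;
 },
 },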
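Review bot: `(session as any).accessToken = token.accessToken;` in the second hunk copies the Authentik access token into the session object, which NextAuth serializes to the browser, so the token becomes readable by any script running in the page instead of staying inside the encrypted JWT cookie; if the api.gis.ac thin client runs server-side, reading `token.accessToken` via `getToken()` from `next-auth/jwt` in the route handler keeps it out of the client, and if it genuinely must reach the client the comment should state that trade-off. The jwt callback in the first hunk captures `account.access_token` only on the sign-in request and never records `account.expires_at`, so once the Authentik token expires the session keeps forwarding a dead token and api.gis.ac calls fail until re-login; storing `token.accessTokenExpires = account.expires_at;` next to it would at least let callers detect expiry. The `as any` on the new line follows the existing `session.user as any` pattern, but a `declare module "next-auth"` augmentation adding `accessToken?: string` to `Session` (and to `JWT` in `next-auth/jwt`) would type both and remove the casts. The jwt callback's end and the session callback's start lie outside the hunks.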