Issues with scopes when configuring OIDC login #1860

@leppa

Problem

I use Authelia and want to map my OIDC login to an existing user by username. This is currently not possible.

Issue description

The email scope is always requested

The documentation on Single Sign-On page states:

Note! When a Single Sign-On (SSO) user signs up with the DNS Server, an account for the user is created which uses the email address as the username. If the email address is not available, the preferred username is used instead. If you do not wish to use the email address as the username, you can remove the 'email' scope from the SSO provider options.

This approach does not work because the current implementation requests the email scope unconditionally, which fails Authelia's validation:

  • If I remove the email scope from my OIDC client configuration in Authelia, the authentication will fail because Technitium still requests it: "Pushed Authorization Request failed with error: The requested scope is invalid, unknown, or malformed. The OAuth 2.0 Client is not allowed to request scope 'roles'."

  • If I leave the email scope in the client configuration, Technitium will try to create a new user based on the email instead of mapping to an existing user by username.

The roles scope is not documented

In addition, Technitium also requests the roles scope, which does not exist in Authelia and also causes the "Client is not allowed to request scope" error. This can be worked around by creating a custom scope that returns nothing. There is zero mention of the roles scope in the documentation.

Suggested fix

Technitium should not request unnecessary claims.

email scope

Make it possible to configure whether email should be used (e.g., "Use email for usernames"). Don't request the email scope if it is not enabled.

Alternatively, provide a way to explicitly specify the claim from which the username should be taken (e.g., email, preferred_username, a custom claim name).

roles scope

I would assume that roles is supposed to be an "alias" for groups. Make it possible to specify both the name of the scope and the name of the claim for groups. Technitium would request the specified scope (only when it is set) and extract groups from the specified claim.

Additional information

My OIDC client configuration in Authelia:

      - client_id: '<removed>'
        client_name: 'Technitium DNS'
        client_secret: '<removed>'
        require_pkce: true
        pkce_challenge_method: 'S256'
        authorization_policy: 'admins'
        redirect_uris:
          - 'https://<removed>/sso/callback'
        scopes:
          - 'openid'
          - 'profile'
          - 'email' # Can't remove due to the issue above
          - 'groups'
          - 'roles' # Not documented, added due to the issue above
        response_types:
          - 'code'
        grant_types:
          - 'authorization_code'
        token_endpoint_auth_method: 'client_secret_post'
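As an added illustration of the suggested fix (this is example code written for this page, not code from the issue author, Technitium or Authelia), the following Python model builds the scope list only from what the configuration needs, mirrors a provider-side check that rejects scopes the client is not registered for, and reads the username and groups from configurable claims before matching against existing accounts. The settings object (SsoConfig), the function names and the sample claims are all assumptions; the registered-scope list in the usage block is the issue's Authelia client configuration without the two workaround entries.

```python
"""Conditional OIDC scope selection and claim-to-user mapping.

Constructed example. SsoConfig, its field names and the sample claims are
hypothetical; they are not Technitium or Authelia code or configuration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class SsoConfig:
    """Hypothetical SSO settings: which claim gives the username and
    which scope/claim pair (if any) carries group membership."""
    username_claim: str = "preferred_username"   # e.g. "email", "preferred_username", custom
    groups_scope: Optional[str] = "groups"        # None: request no groups scope at all
    groups_claim: str = "groups"


# OIDC Core defines 'email' and 'email_verified' as the claims of the 'email' scope.
EMAIL_SCOPE_CLAIMS = {"email", "email_verified"}

# Scope list the issue reports as being sent unconditionally today.
LEGACY_SCOPES = ["openid", "profile", "email", "groups", "roles"]


def build_scopes(cfg: SsoConfig) -> list[str]:
    """Request only the scopes the configured claims actually require."""
    scopes = ["openid", "profile"]
    if cfg.username_claim in EMAIL_SCOPE_CLAIMS:
        scopes.append("email")                   # only when email is the username source
    if cfg.groups_scope and cfg.groups_scope not in scopes:
        scopes.append(cfg.groups_scope)          # e.g. "groups" or a provider's "roles"
    return scopes


def validate_scopes(requested: Iterable[str], allowed: Iterable[str]) -> list[str]:
    """Provider-side check modelled on the registration-based rejection the issue
    quotes: every requested scope must be registered for the client."""
    allowed_set = set(allowed)
    unknown = [s for s in requested if s not in allowed_set]
    if unknown:
        raise ValueError(
            "The OAuth 2.0 Client is not allowed to request scope "
            + ", ".join(repr(s) for s in unknown)
        )
    return list(requested)


def map_identity(cfg: SsoConfig, claims: dict) -> tuple[str, list[str]]:
    """Take the username from the configured claim and groups from the configured
    group claim. A missing or empty username claim is an error, never a silent
    fallback to another claim, so the mapping stays predictable."""
    username = claims.get(cfg.username_claim)
    if not isinstance(username, str) or not username:
        raise KeyError(f"ID token carries no usable '{cfg.username_claim}' claim")
    groups = claims.get(cfg.groups_claim, [])
    if isinstance(groups, str):                  # some providers send a single string
        groups = [groups]
    return username, [str(g) for g in groups]


def resolve_user(existing_users: Iterable[str], username: str) -> str:
    """Return 'existing' when the mapped username matches a local account, else 'new'."""
    return "existing" if username in set(existing_users) else "new"


if __name__ == "__main__":
    # Constructed: the issue's registered scopes without the 'email'/'roles' workarounds.
    registered = ["openid", "profile", "groups"]
    # Constructed ID-token claims for the demonstration.
    claims = {"sub": "abc123", "preferred_username": "leppa",
              "email": "leppa@example.com", "groups": ["admins"]}
    local_accounts = {"admin", "leppa"}

    try:
        validate_scopes(LEGACY_SCOPES, registered)
    except ValueError as err:
        print("legacy request rejected:", err)

    cfg = SsoConfig()                            # username from preferred_username
    accepted = validate_scopes(build_scopes(cfg), registered)
    user, groups = map_identity(cfg, claims)
    print("requested:", accepted, "->", user, groups, resolve_user(local_accounts, user))
```

The usage block shows the two outcomes side by side: the unconditional list is rejected because 'email' and 'roles' are not registered, while the configuration-driven list passes and the login maps onto the existing "leppa" account instead of creating one keyed by the email address.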
