sources/oauth: allow overriding of all scopes

closes #3747

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

authentik/sources/oauth/tests/test_type_google.py

@@ -58,6 +58,13 @@ class TestTypeGoogle(TestCase):
                 "email%20profile"
             ),
         )
+
+    def test_authorize_url_additional(self):
+        """Test authorize URL"""
+        request = self.request_factory.get("/")
+        middleware = SessionMiddleware(dummy_get_response)
+        middleware.process_request(request)
+        request.session.save()
         self.source.additional_scopes = "foo"
         self.source.save()
         redirect = GoogleOAuthRedirect(request=request).get_redirect_url(
@@ -72,3 +79,24 @@ class TestTypeGoogle(TestCase):
                 "email%20foo%20profile"
             ),
         )
+
+    def test_authorize_url_additional_replace(self):
+        """Test authorize URL"""
+        request = self.request_factory.get("/")
+        middleware = SessionMiddleware(dummy_get_response)
+        middleware.process_request(request)
+        request.session.save()
+        self.source.additional_scopes = "*foo"
+        self.source.save()
+        redirect = GoogleOAuthRedirect(request=request).get_redirect_url(
+            source_slug=self.source.slug
+        )
+        self.assertEqual(
+            redirect,
+            (
+                f"https://accounts.google.com/o/oauth2/auth?client_id={self.source.consumer_key}&re"
+                "direct_uri=http%3A%2F%2Ftestserver%2Fsource%2Foauth%2Fcallback%2Ftest%2F&response_"
+                f"type=code&state={request.session['oauth-client-test-request-state']}&scope="
+                "foo"
+            ),
+        )

authentik/sources/oauth/views/redirect.py

@@ -44,5 +44,8 @@ class OAuthRedirect(OAuthClientMixin, RedirectView):
             params = self.get_additional_parameters(source)
             params.setdefault("scope", [])
             if source.additional_scopes != "":
-                params["scope"] += source.additional_scopes.split(" ")
+                if source.additional_scopes.startswith("*"):
+                    params["scope"] = source.additional_scopes[1:].split(" ")
+                else:
+                    params["scope"] += source.additional_scopes.split(" ")
             return client.get_redirect_url(params)

locale/en/LC_MESSAGES/django.po

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-10-10 10:27+0000\n"
+"POT-Creation-Date: 2022-10-16 19:21+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -194,7 +194,6 @@ msgid "Loading..."
 msgstr ""
 
 #: authentik/core/templates/if/end_session.html:7
-#: authentik/core/templates/if/error.html:7
 msgid "End session"
 msgstr ""
 
@@ -240,7 +239,8 @@ msgid "Powered by authentik"
 msgstr ""
 
 #: authentik/core/views/apps.py:48
-#: authentik/providers/oauth2/views/authorize.py:359
+#: authentik/providers/oauth2/views/authorize.py:358
+#: authentik/providers/oauth2/views/device_init.py:68
 #: authentik/providers/saml/views/sso.py:69
 #, python-format
 msgid "You're about to sign into %(application)s."
@@ -347,11 +347,11 @@ msgid "Notification Rules"
 msgstr ""
 
 #: authentik/events/models.py:580
-msgid "Notification Webhook Mapping"
+msgid "Webhook Mapping"
 msgstr ""
 
 #: authentik/events/models.py:581
-msgid "Notification Webhook Mappings"
+msgid "Webhook Mappings"
 msgstr ""
 
 #: authentik/events/monitored_tasks.py:195
@@ -826,7 +826,8 @@ msgstr ""
 msgid "OAuth2/OpenID Providers"
 msgstr ""
 
-#: authentik/providers/oauth2/models.py:323
+#: authentik/providers/oauth2/models.py:324
+#: authentik/providers/oauth2/models.py:530
 msgid "Scopes"
 msgstr ""
 
@@ -878,12 +879,24 @@ msgstr ""
 msgid "OAuth2 Tokens"
 msgstr ""
 
-#: authentik/providers/oauth2/views/authorize.py:413
+#: authentik/providers/oauth2/models.py:542
+msgid "Device Token"
+msgstr ""
+
+#: authentik/providers/oauth2/models.py:543
+msgid "Device Tokens"
+msgstr ""
+
+#: authentik/providers/oauth2/views/authorize.py:412
 #: authentik/providers/saml/views/flows.py:86
 #, python-format
 msgid "Redirecting to %(app)s..."
 msgstr ""
 
+#: authentik/providers/oauth2/views/device_init.py:142
+msgid "Invalid code"
+msgstr ""
+
 #: authentik/providers/oauth2/views/userinfo.py:46
 #: authentik/providers/oauth2/views/userinfo.py:47
 msgid "GitHub Compatibility: Access your User Information"
@@ -965,39 +978,39 @@ msgstr ""
 msgid "NameID Property Mapping"
 msgstr ""
 
-#: authentik/providers/saml/models.py:109 authentik/sources/saml/models.py:139
+#: authentik/providers/saml/models.py:109 authentik/sources/saml/models.py:141
 msgid "SHA1"
 msgstr ""
 
-#: authentik/providers/saml/models.py:110 authentik/sources/saml/models.py:140
+#: authentik/providers/saml/models.py:110 authentik/sources/saml/models.py:142
 msgid "SHA256"
 msgstr ""
 
-#: authentik/providers/saml/models.py:111 authentik/sources/saml/models.py:141
+#: authentik/providers/saml/models.py:111 authentik/sources/saml/models.py:143
 msgid "SHA384"
 msgstr ""
 
-#: authentik/providers/saml/models.py:112 authentik/sources/saml/models.py:142
+#: authentik/providers/saml/models.py:112 authentik/sources/saml/models.py:144
 msgid "SHA512"
 msgstr ""
 
-#: authentik/providers/saml/models.py:119 authentik/sources/saml/models.py:149
+#: authentik/providers/saml/models.py:119 authentik/sources/saml/models.py:151
 msgid "RSA-SHA1"
 msgstr ""
 
-#: authentik/providers/saml/models.py:120 authentik/sources/saml/models.py:150
+#: authentik/providers/saml/models.py:120 authentik/sources/saml/models.py:152
 msgid "RSA-SHA256"
 msgstr ""
 
-#: authentik/providers/saml/models.py:121 authentik/sources/saml/models.py:151
+#: authentik/providers/saml/models.py:121 authentik/sources/saml/models.py:153
 msgid "RSA-SHA384"
 msgstr ""
 
-#: authentik/providers/saml/models.py:122 authentik/sources/saml/models.py:152
+#: authentik/providers/saml/models.py:122 authentik/sources/saml/models.py:154
 msgid "RSA-SHA512"
 msgstr ""
 
-#: authentik/providers/saml/models.py:123 authentik/sources/saml/models.py:153
+#: authentik/providers/saml/models.py:123 authentik/sources/saml/models.py:155
 msgid "DSA-SHA1"
 msgstr ""
 
@@ -1009,7 +1022,7 @@ msgstr ""
 msgid "Keypair used to sign outgoing Responses going to the Service Provider."
 msgstr ""
 
-#: authentik/providers/saml/models.py:150 authentik/sources/saml/models.py:129
+#: authentik/providers/saml/models.py:150 authentik/sources/saml/models.py:131
 msgid "Signing Keypair"
 msgstr ""
 
@@ -1297,75 +1310,83 @@ msgstr ""
 msgid "User Plex Source Connections"
 msgstr ""
 
-#: authentik/sources/saml/models.py:38
+#: authentik/sources/saml/models.py:40
 msgid "Redirect Binding"
 msgstr ""
 
-#: authentik/sources/saml/models.py:39
+#: authentik/sources/saml/models.py:41
 msgid "POST Binding"
 msgstr ""
 
-#: authentik/sources/saml/models.py:40
+#: authentik/sources/saml/models.py:42
 msgid "POST Binding with auto-confirmation"
 msgstr ""
 
-#: authentik/sources/saml/models.py:68
+#: authentik/sources/saml/models.py:70
 msgid "Flow used before authentication."
 msgstr ""
 
-#: authentik/sources/saml/models.py:75
+#: authentik/sources/saml/models.py:77
 msgid "Issuer"
 msgstr ""
 
-#: authentik/sources/saml/models.py:76
+#: authentik/sources/saml/models.py:78
 msgid "Also known as Entity ID. Defaults the Metadata URL."
 msgstr ""
 
-#: authentik/sources/saml/models.py:80
+#: authentik/sources/saml/models.py:82
 msgid "SSO URL"
 msgstr ""
 
-#: authentik/sources/saml/models.py:81
+#: authentik/sources/saml/models.py:83
 msgid "URL that the initial Login request is sent to."
 msgstr ""
 
-#: authentik/sources/saml/models.py:87
+#: authentik/sources/saml/models.py:89
 msgid "SLO URL"
 msgstr ""
 
-#: authentik/sources/saml/models.py:88
+#: authentik/sources/saml/models.py:90
 msgid "Optional URL if your IDP supports Single-Logout."
 msgstr ""
 
-#: authentik/sources/saml/models.py:94
+#: authentik/sources/saml/models.py:96
 msgid ""
 "Allows authentication flows initiated by the IdP. This can be a security "
 "risk, as no validation of the request ID is done."
 msgstr ""
 
-#: authentik/sources/saml/models.py:102
+#: authentik/sources/saml/models.py:104
 msgid ""
 "NameID Policy sent to the IdP. Can be unset, in which case no Policy is sent."
 msgstr ""
 
-#: authentik/sources/saml/models.py:113
+#: authentik/sources/saml/models.py:115
 msgid "Delete temporary users after"
 msgstr ""
 
-#: authentik/sources/saml/models.py:131
+#: authentik/sources/saml/models.py:133
 msgid ""
 "Keypair which is used to sign outgoing requests. Leave empty to disable "
 "signing."
 msgstr ""
 
-#: authentik/sources/saml/models.py:199
+#: authentik/sources/saml/models.py:214
 msgid "SAML Source"
 msgstr ""
 
-#: authentik/sources/saml/models.py:200
+#: authentik/sources/saml/models.py:215
 msgid "SAML Sources"
 msgstr ""
 
+#: authentik/sources/saml/models.py:231
+msgid "User SAML Source Connection"
+msgstr ""
+
+#: authentik/sources/saml/models.py:232
+msgid "User SAML Source Connections"
+msgstr ""
+
 #: authentik/stages/authenticator_duo/models.py:81
 msgid "Duo Authenticator Setup Stage"
 msgstr ""
@@ -1382,26 +1403,30 @@ msgstr ""
 msgid "Duo Devices"
 msgstr ""
 
-#: authentik/stages/authenticator_sms/models.py:56
+#: authentik/stages/authenticator_sms/models.py:57
 msgid ""
 "When enabled, the Phone number is only used during enrollment to verify the "
 "users authenticity. Only a hash of the phone number is saved to ensure it is "
 "not re-used in the future."
 msgstr ""
 
-#: authentik/stages/authenticator_sms/models.py:158
+#: authentik/stages/authenticator_sms/models.py:68
+msgid "Optionally modify the payload being sent to custom providers."
+msgstr ""
+
+#: authentik/stages/authenticator_sms/models.py:176
 msgid "SMS Authenticator Setup Stage"
 msgstr ""
 
-#: authentik/stages/authenticator_sms/models.py:159
+#: authentik/stages/authenticator_sms/models.py:177
 msgid "SMS Authenticator Setup Stages"
 msgstr ""
 
-#: authentik/stages/authenticator_sms/models.py:204
+#: authentik/stages/authenticator_sms/models.py:222
 msgid "SMS Device"
 msgstr ""
 
-#: authentik/stages/authenticator_sms/models.py:205
+#: authentik/stages/authenticator_sms/models.py:223
 msgid "SMS Devices"
 msgstr ""
 
@@ -1871,10 +1896,10 @@ msgid ""
 "and `ba.b`"
 msgstr ""
 
-#: authentik/tenants/models.py:95
+#: authentik/tenants/models.py:98
 msgid "Tenant"
 msgstr ""
 
-#: authentik/tenants/models.py:96
+#: authentik/tenants/models.py:99
 msgid "Tenants"
 msgstr ""

web/src/admin/sources/oauth/OAuthSourceForm.ts

@@ -306,17 +306,14 @@ export class OAuthSourceForm extends ModelForm<OAuthSource, string> {
                     >
                         <textarea class="pf-c-form-control"></textarea>
                     </ak-form-element-horizontal>
-                    <ak-form-element-horizontal
-                        label=${t`Additional Scope`}
-                        name="additionalScopes"
-                    >
+                    <ak-form-element-horizontal label=${t`Scopes`} name="additionalScopes">
                         <input
                             type="text"
                             value="${first(this.instance?.additionalScopes, "")}"
                             class="pf-c-form-control"
                         />
                         <p class="pf-c-form__helper-text">
-                            ${t`Additional scopes to be passed to the OAuth Provider, separated by space.`}
+                            ${t`Additional scopes to be passed to the OAuth Provider, separated by space. To replace existing scopes, prefix with *.`}
                         </p>
                     </ak-form-element-horizontal>
                 </div>

web/src/locales/en.po

@@ -262,8 +262,8 @@ msgid "Addition User DN"
 msgstr "Addition User DN"
 
 #: src/admin/sources/oauth/OAuthSourceForm.ts
-msgid "Additional Scope"
-msgstr "Additional Scope"
+#~ msgid "Additional Scope"
+#~ msgstr "Additional Scope"
 
 #: src/admin/applications/wizard/InitialApplicationWizardPage.ts
 msgid "Additional UI settings"
@@ -278,8 +278,12 @@ msgid "Additional scope mappings, which are passed to the proxy."
 msgstr "Additional scope mappings, which are passed to the proxy."
 
 #: src/admin/sources/oauth/OAuthSourceForm.ts
-msgid "Additional scopes to be passed to the OAuth Provider, separated by space."
-msgstr "Additional scopes to be passed to the OAuth Provider, separated by space."
+#~ msgid "Additional scopes to be passed to the OAuth Provider, separated by space."
+#~ msgstr "Additional scopes to be passed to the OAuth Provider, separated by space."
+
+#: src/admin/sources/oauth/OAuthSourceForm.ts
+msgid "Additional scopes to be passed to the OAuth Provider, separated by space. To replace existing scopes, prefix with *."
+msgstr "Additional scopes to be passed to the OAuth Provider, separated by space. To replace existing scopes, prefix with *."
 
 #: src/admin/blueprints/BlueprintForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
@@ -1081,6 +1085,7 @@ msgstr "Client type"
 msgid "Close"
 msgstr "Close"
 
+#: src/flow/providers/oauth2/DeviceCode.ts
 #: src/flow/stages/authenticator_sms/AuthenticatorSMSStage.ts
 #: src/flow/stages/authenticator_totp/AuthenticatorTOTPStage.ts
 #: src/flow/stages/authenticator_validate/AuthenticatorValidateStageCode.ts
@@ -1195,6 +1200,7 @@ msgstr "Confirmed"
 
 #: src/user/user-settings/sources/SourceSettingsOAuth.ts
 #: src/user/user-settings/sources/SourceSettingsPlex.ts
+#: src/user/user-settings/sources/SourceSettingsSAML.ts
 msgid "Connect"
 msgstr "Connect"
 
@@ -1278,6 +1284,7 @@ msgid "Context"
 msgstr "Context"
 
 #: src/admin/stages/authenticator_validate/AuthenticatorValidateStageForm.ts
+#: src/flow/providers/oauth2/DeviceCode.ts
 #: src/flow/stages/authenticator_sms/AuthenticatorSMSStage.ts
 #: src/flow/stages/authenticator_sms/AuthenticatorSMSStage.ts
 #: src/flow/stages/authenticator_static/AuthenticatorStaticStage.ts
@@ -1757,6 +1764,10 @@ msgstr "Device classes"
 msgid "Device classes which can be used to authenticate."
 msgstr "Device classes which can be used to authenticate."
 
+#: src/admin/tenants/TenantForm.ts
+msgid "Device code flow"
+msgstr "Device code flow"
+
 #: 
 #~ msgid "Device name"
 #~ msgstr "Device name"
@@ -1826,6 +1837,7 @@ msgstr "Disabled blueprints are never applied."
 
 #: src/user/user-settings/sources/SourceSettingsOAuth.ts
 #: src/user/user-settings/sources/SourceSettingsPlex.ts
+#: src/user/user-settings/sources/SourceSettingsSAML.ts
 msgid "Disconnect"
 msgstr "Disconnect"
 
@@ -2058,6 +2070,10 @@ msgstr "Enrollment"
 msgid "Enrollment flow"
 msgstr "Enrollment flow"
 
+#: src/flow/providers/oauth2/DeviceCode.ts
+msgid "Enter the code shown on your device."
+msgstr "Enter the code shown on your device."
+
 #: src/admin/providers/saml/SAMLProviderViewPage.ts
 msgid "EntityID/Issuer"
 msgstr "EntityID/Issuer"
@@ -2305,6 +2321,7 @@ msgstr "Failed to delete {0}: {1}"
 
 #: src/user/user-settings/sources/SourceSettingsOAuth.ts
 #: src/user/user-settings/sources/SourceSettingsPlex.ts
+#: src/user/user-settings/sources/SourceSettingsSAML.ts
 msgid "Failed to disconnected source: {exc}"
 msgstr "Failed to disconnected source: {exc}"
 
@@ -2799,6 +2816,10 @@ msgstr "If no explicit redirect URIs are specified, the first successfully used
 #~ "If password change date is more than x days in the past, invalidate the user's password\n"
 #~ "and show a notice."
 
+#: src/admin/tenants/TenantForm.ts
+msgid "If set, the OAuth Device Code profile can be used, and the selected flow will be used to enter the code."
+msgstr "If set, the OAuth Device Code profile can be used, and the selected flow will be used to enter the code."
+
 #: src/admin/tenants/TenantForm.ts
 msgid "If set, users are able to configure details of their profile."
 msgstr "If set, users are able to configure details of their profile."
@@ -3152,6 +3173,8 @@ msgstr "Load servers"
 #: src/flow/FlowExecutor.ts
 #: src/flow/FlowExecutor.ts
 #: src/flow/FlowInspector.ts
+#: src/flow/providers/oauth2/DeviceCode.ts
+#: src/flow/providers/oauth2/DeviceCodeFinish.ts
 #: src/flow/stages/FlowErrorStage.ts
 #: src/flow/stages/access_denied/AccessDeniedStage.ts
 #: src/flow/stages/authenticator_duo/AuthenticatorDuoStage.ts
@@ -3228,6 +3251,7 @@ msgstr "Loading"
 #: src/admin/stages/authenticator_duo/AuthenticatorDuoStageForm.ts
 #: src/admin/stages/authenticator_duo/DuoDeviceImportForm.ts
 #: src/admin/stages/authenticator_sms/AuthenticatorSMSStageForm.ts
+#: src/admin/stages/authenticator_sms/AuthenticatorSMSStageForm.ts
 #: src/admin/stages/authenticator_static/AuthenticatorStaticStageForm.ts
 #: src/admin/stages/authenticator_totp/AuthenticatorTOTPStageForm.ts
 #: src/admin/stages/authenticator_validate/AuthenticatorValidateStageForm.ts
@@ -3248,6 +3272,7 @@ msgstr "Loading"
 #: src/admin/tenants/TenantForm.ts
 #: src/admin/tenants/TenantForm.ts
 #: src/admin/tenants/TenantForm.ts
+#: src/admin/tenants/TenantForm.ts
 #: src/admin/tokens/TokenForm.ts
 #: src/admin/users/UserForm.ts
 #: src/admin/users/UserResetEmailForm.ts
@@ -3367,6 +3392,10 @@ msgstr "Manual configuration"
 msgid "Manually configure SAML"
 msgstr "Manually configure SAML"
 
+#: src/admin/stages/authenticator_sms/AuthenticatorSMSStageForm.ts
+msgid "Mapping"
+msgstr "Mapping"
+
 #: src/admin/stages/user_write/UserWriteStageForm.ts
 msgid "Mark newly created users as inactive."
 msgstr "Mark newly created users as inactive."
@@ -3471,6 +3500,10 @@ msgstr "Model updated"
 msgid "Modern applications, APIs and Single-page applications."
 msgstr "Modern applications, APIs and Single-page applications."
 
+#: src/admin/stages/authenticator_sms/AuthenticatorSMSStageForm.ts
+msgid "Modify the payload sent to the custom provider."
+msgstr "Modify the payload sent to the custom provider."
+
 #: 
 #~ msgid "Monitor"
 #~ msgstr "Monitor"
@@ -3897,8 +3930,8 @@ msgid "OIDC well-known configuration URL. Can be used to automatically configure
 msgstr "OIDC well-known configuration URL. Can be used to automatically configure the URLs above."
 
 #: src/admin/admin-overview/cards/SystemStatusCard.ts
-msgid "OK"
-msgstr "OK"
+#~ msgid "OK"
+#~ msgstr "OK"
 
 #: src/admin/events/EventInfo.ts
 #: src/admin/events/EventInfo.ts
@@ -4211,6 +4244,7 @@ msgstr "Plan history"
 msgid "Please enter the code you received via SMS"
 msgstr "Please enter the code you received via SMS"
 
+#: src/flow/providers/oauth2/DeviceCode.ts
 #: src/flow/stages/authenticator_validate/AuthenticatorValidateStageCode.ts
 msgid "Please enter your Code"
 msgstr "Please enter your Code"
@@ -4864,6 +4898,7 @@ msgstr "Scope which the client can specify to access these properties."
 
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
+#: src/admin/sources/oauth/OAuthSourceForm.ts
 #: src/elements/oauth/UserRefreshList.ts
 msgid "Scopes"
 msgstr "Scopes"
@@ -5589,6 +5624,7 @@ msgstr "Successfully deleted {0} {1}"
 
 #: src/user/user-settings/sources/SourceSettingsOAuth.ts
 #: src/user/user-settings/sources/SourceSettingsPlex.ts
+#: src/user/user-settings/sources/SourceSettingsSAML.ts
 msgid "Successfully disconnected source"
 msgstr "Successfully disconnected source"
 
@@ -5831,7 +5867,7 @@ msgstr "System"
 msgid "System Tasks"
 msgstr "System Tasks"
 
-#: src/admin/admin-overview/AdminOverviewPage.ts
+#: src/admin/admin-overview/cards/SystemStatusCard.ts
 msgid "System status"
 msgstr "System status"
 
@@ -6701,6 +6737,7 @@ msgstr "User mappings can only be checked if a user is already logged in when tr
 
 #: src/admin/sources/oauth/OAuthSourceForm.ts
 #: src/admin/sources/plex/PlexSourceForm.ts
+#: src/admin/sources/saml/SAMLSourceForm.ts
 msgid "User matching mode"
 msgstr "User matching mode"
 
@@ -6882,7 +6919,7 @@ msgstr "Verification Certificate"
 msgid "Verify the user's email address by sending them a one-time-link. Can also be used for recovery to verify the user's authenticity."
 msgstr "Verify the user's email address by sending them a one-time-link. Can also be used for recovery to verify the user's authenticity."
 
-#: src/admin/admin-overview/AdminOverviewPage.ts
+#: src/admin/admin-overview/cards/VersionStatusCard.ts
 msgid "Version"
 msgstr "Version"
 
@@ -7083,7 +7120,7 @@ msgstr "Whoops!"
 msgid "Windows"
 msgstr "Windows"
 
-#: src/admin/admin-overview/AdminOverviewPage.ts
+#: src/admin/admin-overview/cards/WorkerStatusCard.ts
 msgid "Workers"
 msgstr "Workers"
 
@@ -7127,6 +7164,10 @@ msgstr "Yes"
 msgid "Yes ({0})"
 msgstr "Yes ({0})"
 
+#: src/flow/providers/oauth2/DeviceCodeFinish.ts
+msgid "You can close this tab now."
+msgstr "You can close this tab now."
+
 #: src/admin/outposts/OutpostForm.ts
 msgid "You can only select providers that match the type of the outpost."
 msgstr "You can only select providers that match the type of the outpost."
@@ -7139,6 +7180,10 @@ msgstr "You're about to be redirect to the following URL."
 msgid "You're currently impersonating {0}. Click to stop."
 msgstr "You're currently impersonating {0}. Click to stop."
 
+#: src/flow/providers/oauth2/DeviceCodeFinish.ts
+msgid "You've successfully authenticated your device."
+msgstr "You've successfully authenticated your device."
+
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "app1 running on app1.example.com"
 msgstr "app1 running on app1.example.com"

web/src/locales/pseudo-LOCALE.po

@@ -258,8 +258,8 @@ msgid "Addition User DN"
 msgstr ""
 
 #: src/admin/sources/oauth/OAuthSourceForm.ts
-msgid "Additional Scope"
-msgstr ""
+#~ msgid "Additional Scope"
+#~ msgstr ""
 
 #: src/admin/applications/wizard/InitialApplicationWizardPage.ts
 msgid "Additional UI settings"
@@ -274,7 +274,11 @@ msgid "Additional scope mappings, which are passed to the proxy."
 msgstr ""
 
 #: src/admin/sources/oauth/OAuthSourceForm.ts
-msgid "Additional scopes to be passed to the OAuth Provider, separated by space."
+#~ msgid "Additional scopes to be passed to the OAuth Provider, separated by space."
+#~ msgstr ""
+
+#: src/admin/sources/oauth/OAuthSourceForm.ts
+msgid "Additional scopes to be passed to the OAuth Provider, separated by space. To replace existing scopes, prefix with *."
 msgstr ""
 
 #: src/admin/blueprints/BlueprintForm.ts
@@ -1069,6 +1073,7 @@ msgstr ""
 msgid "Close"
 msgstr ""
 
+#: src/flow/providers/oauth2/DeviceCode.ts
 #: src/flow/stages/authenticator_sms/AuthenticatorSMSStage.ts
 #: src/flow/stages/authenticator_totp/AuthenticatorTOTPStage.ts
 #: src/flow/stages/authenticator_validate/AuthenticatorValidateStageCode.ts
@@ -1183,6 +1188,7 @@ msgstr ""
 
 #: src/user/user-settings/sources/SourceSettingsOAuth.ts
 #: src/user/user-settings/sources/SourceSettingsPlex.ts
+#: src/user/user-settings/sources/SourceSettingsSAML.ts
 msgid "Connect"
 msgstr ""
 
@@ -1266,6 +1272,7 @@ msgid "Context"
 msgstr ""
 
 #: src/admin/stages/authenticator_validate/AuthenticatorValidateStageForm.ts
+#: src/flow/providers/oauth2/DeviceCode.ts
 #: src/flow/stages/authenticator_sms/AuthenticatorSMSStage.ts
 #: src/flow/stages/authenticator_sms/AuthenticatorSMSStage.ts
 #: src/flow/stages/authenticator_static/AuthenticatorStaticStage.ts
@@ -1743,6 +1750,10 @@ msgstr ""
 msgid "Device classes which can be used to authenticate."
 msgstr ""
 
+#: src/admin/tenants/TenantForm.ts
+msgid "Device code flow"
+msgstr ""
+
 #: 
 #~ msgid "Device name"
 #~ msgstr ""
@@ -1812,6 +1823,7 @@ msgstr ""
 
 #: src/user/user-settings/sources/SourceSettingsOAuth.ts
 #: src/user/user-settings/sources/SourceSettingsPlex.ts
+#: src/user/user-settings/sources/SourceSettingsSAML.ts
 msgid "Disconnect"
 msgstr ""
 
@@ -2044,6 +2056,10 @@ msgstr ""
 msgid "Enrollment flow"
 msgstr ""
 
+#: src/flow/providers/oauth2/DeviceCode.ts
+msgid "Enter the code shown on your device."
+msgstr ""
+
 #: src/admin/providers/saml/SAMLProviderViewPage.ts
 msgid "EntityID/Issuer"
 msgstr ""
@@ -2291,6 +2307,7 @@ msgstr ""
 
 #: src/user/user-settings/sources/SourceSettingsOAuth.ts
 #: src/user/user-settings/sources/SourceSettingsPlex.ts
+#: src/user/user-settings/sources/SourceSettingsSAML.ts
 msgid "Failed to disconnected source: {exc}"
 msgstr ""
 
@@ -2783,6 +2800,10 @@ msgstr ""
 #~ "and show a notice."
 #~ msgstr ""
 
+#: src/admin/tenants/TenantForm.ts
+msgid "If set, the OAuth Device Code profile can be used, and the selected flow will be used to enter the code."
+msgstr ""
+
 #: src/admin/tenants/TenantForm.ts
 msgid "If set, users are able to configure details of their profile."
 msgstr ""
@@ -3134,6 +3155,8 @@ msgstr ""
 #: src/flow/FlowExecutor.ts
 #: src/flow/FlowExecutor.ts
 #: src/flow/FlowInspector.ts
+#: src/flow/providers/oauth2/DeviceCode.ts
+#: src/flow/providers/oauth2/DeviceCodeFinish.ts
 #: src/flow/stages/FlowErrorStage.ts
 #: src/flow/stages/access_denied/AccessDeniedStage.ts
 #: src/flow/stages/authenticator_duo/AuthenticatorDuoStage.ts
@@ -3210,6 +3233,7 @@ msgstr ""
 #: src/admin/stages/authenticator_duo/AuthenticatorDuoStageForm.ts
 #: src/admin/stages/authenticator_duo/DuoDeviceImportForm.ts
 #: src/admin/stages/authenticator_sms/AuthenticatorSMSStageForm.ts
+#: src/admin/stages/authenticator_sms/AuthenticatorSMSStageForm.ts
 #: src/admin/stages/authenticator_static/AuthenticatorStaticStageForm.ts
 #: src/admin/stages/authenticator_totp/AuthenticatorTOTPStageForm.ts
 #: src/admin/stages/authenticator_validate/AuthenticatorValidateStageForm.ts
@@ -3230,6 +3254,7 @@ msgstr ""
 #: src/admin/tenants/TenantForm.ts
 #: src/admin/tenants/TenantForm.ts
 #: src/admin/tenants/TenantForm.ts
+#: src/admin/tenants/TenantForm.ts
 #: src/admin/tokens/TokenForm.ts
 #: src/admin/users/UserForm.ts
 #: src/admin/users/UserResetEmailForm.ts
@@ -3349,6 +3374,10 @@ msgstr ""
 msgid "Manually configure SAML"
 msgstr ""
 
+#: src/admin/stages/authenticator_sms/AuthenticatorSMSStageForm.ts
+msgid "Mapping"
+msgstr ""
+
 #: src/admin/stages/user_write/UserWriteStageForm.ts
 msgid "Mark newly created users as inactive."
 msgstr ""
@@ -3453,6 +3482,10 @@ msgstr ""
 msgid "Modern applications, APIs and Single-page applications."
 msgstr ""
 
+#: src/admin/stages/authenticator_sms/AuthenticatorSMSStageForm.ts
+msgid "Modify the payload sent to the custom provider."
+msgstr ""
+
 #: 
 #~ msgid "Monitor"
 #~ msgstr ""
@@ -3879,8 +3912,8 @@ msgid "OIDC well-known configuration URL. Can be used to automatically configure
 msgstr ""
 
 #: src/admin/admin-overview/cards/SystemStatusCard.ts
-msgid "OK"
-msgstr ""
+#~ msgid "OK"
+#~ msgstr ""
 
 #: src/admin/events/EventInfo.ts
 #: src/admin/events/EventInfo.ts
@@ -4193,6 +4226,7 @@ msgstr ""
 msgid "Please enter the code you received via SMS"
 msgstr ""
 
+#: src/flow/providers/oauth2/DeviceCode.ts
 #: src/flow/stages/authenticator_validate/AuthenticatorValidateStageCode.ts
 msgid "Please enter your Code"
 msgstr ""
@@ -4844,6 +4878,7 @@ msgstr ""
 
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
+#: src/admin/sources/oauth/OAuthSourceForm.ts
 #: src/elements/oauth/UserRefreshList.ts
 msgid "Scopes"
 msgstr ""
@@ -5569,6 +5604,7 @@ msgstr ""
 
 #: src/user/user-settings/sources/SourceSettingsOAuth.ts
 #: src/user/user-settings/sources/SourceSettingsPlex.ts
+#: src/user/user-settings/sources/SourceSettingsSAML.ts
 msgid "Successfully disconnected source"
 msgstr ""
 
@@ -5811,7 +5847,7 @@ msgstr ""
 msgid "System Tasks"
 msgstr ""
 
-#: src/admin/admin-overview/AdminOverviewPage.ts
+#: src/admin/admin-overview/cards/SystemStatusCard.ts
 msgid "System status"
 msgstr ""
 
@@ -6671,6 +6707,7 @@ msgstr ""
 
 #: src/admin/sources/oauth/OAuthSourceForm.ts
 #: src/admin/sources/plex/PlexSourceForm.ts
+#: src/admin/sources/saml/SAMLSourceForm.ts
 msgid "User matching mode"
 msgstr ""
 
@@ -6852,7 +6889,7 @@ msgstr ""
 msgid "Verify the user's email address by sending them a one-time-link. Can also be used for recovery to verify the user's authenticity."
 msgstr ""
 
-#: src/admin/admin-overview/AdminOverviewPage.ts
+#: src/admin/admin-overview/cards/VersionStatusCard.ts
 msgid "Version"
 msgstr ""
 
@@ -7049,7 +7086,7 @@ msgstr ""
 msgid "Windows"
 msgstr ""
 
-#: src/admin/admin-overview/AdminOverviewPage.ts
+#: src/admin/admin-overview/cards/WorkerStatusCard.ts
 msgid "Workers"
 msgstr ""
 
@@ -7091,6 +7128,10 @@ msgstr ""
 msgid "Yes ({0})"
 msgstr ""
 
+#: src/flow/providers/oauth2/DeviceCodeFinish.ts
+msgid "You can close this tab now."
+msgstr ""
+
 #: src/admin/outposts/OutpostForm.ts
 msgid "You can only select providers that match the type of the outpost."
 msgstr ""
@@ -7103,6 +7144,10 @@ msgstr ""
 msgid "You're currently impersonating {0}. Click to stop."
 msgstr ""
 
+#: src/flow/providers/oauth2/DeviceCodeFinish.ts
+msgid "You've successfully authenticated your device."
+msgstr ""
+
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "app1 running on app1.example.com"
 msgstr ""

website/integrations/sources/oauth/index.md

@@ -14,6 +14,9 @@ This source allows users to enroll themselves with an external OAuth-based Ident
 -   Access Token URL: This value will be provided by the provider.
 -   Profile URL: This URL is called by authentik to retrieve user information upon successful authentication.
 -   Consumer key/Consumer secret: These values will be provided by the provider.
+-   Scopes: Configure additional scopes to send to the provider.
+
+    Starting with authentik 2022.10, the default scopes can be replaced by prefix the value for scopes with `*`.
 
 ### OpenID Connect