heph Authentik: grant offline_access scope (fixes spoke sync refresh-token 400) #371

Merged
eblume merged 1 commit from heph-offline-access into main 2026-06-06 18:29:48 -07:00

What

Add the offline_access scope mapping to the Authentik heph OAuth2 provider (argocd/manifests/authentik/configmap-blueprint.yaml, heph-provider block).

Why

The hephaestus spoke (gilbert) lost sync with the hub (indri): hephd's refresh_token grant was rejected by Authentik with 400 Bad Request, so the bearer token couldn't be refreshed and heph sync --status showed auth_failure: true.

Root cause: the heph CLI requests scope = "openid offline_access", but the provider only mapped openid/email/profile. Without offline_access granted, the refresh token is bound to the login session instead of the 30-day refresh-token window. When the session lapses, refresh fails and sync silently degrades. heph auth login only fixes it until the next session expiry.

Verification done pre-merge

  • Confirmed Authentik 2026.2.2 ships a built-in managed offline_access scope mapping (goauthentik.io/providers/oauth2/scope-offline_access), so !Find by scope_name resolves without declaring a new mapping. Verified via ak shell on the ringtail worker pod.
  • Blueprint YAML parses.

Verify after deploy

  1. Sync ArgoCD authentik app from this branch; confirm the blueprint applies cleanly (Authentik worker logs).
  2. On gilbert: re-auth to mint a fresh token —
    heph auth login --hub-url http://indri.tail8d86e.ts.net:8787 --issuer https://authentik.ops.eblu.me/application/o/heph/ --client-id heph
  3. Decode the new access token; confirm offline_access in the granted scope.
  4. heph sync --status → auth_failure: false, fresh last_success_ms.
  5. Durable check: sync survives past the Authentik session window with no manual re-login.

Changes

  • Provider property_mappings += offline_access (with inline rationale comment)
  • docs/reference/services/hephaestus.md: document the offline_access requirement
  • Changelog fragment

heph task: 01KTFRWXFAD4Q1MDXKJ87WZD34

🤖 Generated with Claude Code

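Step 3 of the post-deploy verification above (decode the new access token and confirm `offline_access` in the granted scope) can be scripted. The following is an added example, not code from this PR or from the heph project: it decodes a JWT payload without verifying the signature (a diagnostic read only; the hub still validates bearer tokens it receives), compares the `scope` claim against the `openid offline_access` scope the CLI requests, and reports any scope Authentik did not grant. `make_constructed_token` only exists to produce test tokens; its issuer URL, subject and signing key are constructed values, not anything from the deployment.

```python
import base64
import hashlib
import hmac
import json
import time

# Scope the heph CLI requests, per the PR description.
REQUESTED_SCOPE = "openid offline_access"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS without checking its signature.

    Diagnostic use only: we want to read what Authentik granted, not to trust
    the token. Signature validation stays with the hub that consumes it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def granted_scopes(token: str) -> set[str]:
    # The scope claim is a space-delimited string (RFC 6749 section 3.3).
    claims = decode_jwt_claims(token)
    return set(claims.get("scope", "").split())


def missing_scopes(token: str, requested: str = REQUESTED_SCOPE) -> set[str]:
    """Scopes the CLI asked for that are absent from the granted scope claim."""
    return set(requested.split()) - granted_scopes(token)


def make_constructed_token(scope: str, key: bytes = b"constructed-test-key") -> str:
    """Build a constructed HS256 JWT carrying the given scope claim (test data only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    claims = {
        "iss": "https://authentik.example.invalid/application/o/heph/",  # constructed issuer
        "sub": "constructed-user",
        "aud": "heph",
        "iat": now,
        "exp": now + 300,
        "scope": scope,
    }
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(signature)}"


if __name__ == "__main__":
    import sys

    # Pass a real access token as argv[1]; without one, demonstrate on a
    # constructed token that reproduces the pre-fix provider (no offline_access).
    token = sys.argv[1] if len(sys.argv) > 1 else make_constructed_token("openid email profile")
    missing = missing_scopes(token)
    if missing:
        print(f"NOT OK: provider did not grant {sorted(missing)}; refresh will be session-bound")
        sys.exit(1)
    print(f"OK: granted scope {sorted(granted_scopes(token))} covers the requested scope")
```

Run it with the access token minted by `heph auth login` as the only argument; a non-zero exit means the provider is still not granting everything the CLI asks for, which is exactly the condition that produced the session-bound refresh token.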
The heph CLI requests scope "openid offline_access", but the Authentik
heph OAuth2 provider only mapped openid/email/profile. Without the
offline_access mapping the issued refresh token is bound to the login
session rather than the 30-day refresh-token window; once the session
lapses, hephd's refresh_token grant returns 400 Bad Request and spoke
sync silently degrades (heph sync --status -> auth_failure: true).

Add the built-in offline_access scope mapping to the provider's
property_mappings and document the requirement in the service reference.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
eblume merged commit bc34b601be into main 2026-06-06 18:29:48 -07:00
Reference
eblume/blumeops!371