The heph CLI requests scope "openid offline_access", but the Authentik heph OAuth2 provider only mapped openid/email/profile. Without the offline_access mapping the issued refresh token is bound to the login session rather than the 30-day refresh-token window; once the session lapses, hephd's refresh_token grant returns 400 Bad Request and spoke sync silently degrades (heph sync --status -> auth_failure: true). Add the built-in offline_access scope mapping to the provider's property_mappings and document the requirement in the service reference.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

- +external-secrets-main-sha-rebuild.infra.md
- +external-secrets-stable-main-sha.infra.md
- +heph-hub-v1.2.1.infra.md
- +tailscale-operator-mirror-tailnet-url.bugfix.md
- .gitkeep
- external-secrets-ringtail-nix.infra.md
- heph-indri-hub.infra.md
- heph-offline-access.bugfix.md
- heph-pwa-redirect-uris.infra.md
- local-external-secrets.infra.md
- reviews-jun4.doc.md
- reviews-jun4.infra.md