blumeops

History

Erich Blume 50a36ff93a heph Authentik: grant offline_access scope (fixes spoke sync refresh-token 400) The heph CLI requests scope "openid offline_access", but the Authentik heph OAuth2 provider only mapped openid/email/profile. Without the offline_access mapping the issued refresh token is bound to the login session rather than the 30-day refresh-token window; once the session lapses, hephd's refresh_token grant returns 400 Bad Request and spoke sync silently degrades (heph sync --status -> auth_failure: true). Add the built-in offline_access scope mapping to the provider's property_mappings and document the requirement in the service reference. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-06 18:07:13 -07:00
..
apps	Localize external-secrets on ringtail (amd64 nix build) (#368 )	2026-06-04 15:37:42 -07:00
manifests	heph Authentik: grant offline_access scope (fixes spoke sync refresh-token 400)	2026-06-06 18:07:13 -07:00

Erich Blume 50a36ff93a heph Authentik: grant offline_access scope (fixes spoke sync refresh-token 400)

The heph CLI requests scope "openid offline_access", but the Authentik
heph OAuth2 provider only mapped openid/email/profile. Without the
offline_access mapping the issued refresh token is bound to the login
session rather than the 30-day refresh-token window; once the session
lapses, hephd's refresh_token grant returns 400 Bad Request and spoke
sync silently degrades (heph sync --status -> auth_failure: true).

Add the built-in offline_access scope mapping to the provider's
property_mappings and document the requirement in the service reference.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-06-06 18:07:13 -07:00

apps

Localize external-secrets on ringtail (amd64 nix build) (#368 )

2026-06-04 15:37:42 -07:00

manifests

heph Authentik: grant offline_access scope (fixes spoke sync refresh-token 400)

2026-06-06 18:07:13 -07:00