How to set Custom Scopes/Mappings/Properties/Permissions/Entitlements to OpenID/OAuth2 Application ?

[luckylinux]

Introduction

I admit I'm a bit of a Loss on how to Configure custom Permissions for allowing some Users/Groups to access an Application. It should be IMHO relatively straightforward, but I find myself jumping between like 10 different Settings Section of the Admin Panel and nothing working.

Dashy Dashboard Access Control & Custom Properties

Case currently being considered is the dashy Dashboard.

After struggling a lot being unable to save Configuration Changes to Disk due to apparently lacking Administrative Rights, I could finally see, after many Page Refreshes, the following in Network Console:

user: luckylinux  admin: false
{"groups":["authentik Admins","admins"],"roles":[]} CoolConsole.js:24:11

So apparently dashy requires a "special" (?) User Property / Attribute called admin which must be set to true in order to grant Administrative Privileges within the Application.

Now the Question is: how to do that ?

• This suggests using Application Entitlements
• Property Mappings appear to be another way to map Permissions from Authentik onto the App
• Application Entitlements talk about Attributes and how to retrieve them, but not really clear where to define them

It seems that Roles are for controlling access to Authentik itself, so that's probably the one Thing I should NOT be looking at.

What I did so far

1. I enabled Application Entitlements for the dashy OpenID Connect/OAuth2 Provider related to the dashy Application under Applications -> Providers -> dashy -> Edit -> `Advanced Protocol Settings:

2. I configured an Application Entitlement in Applications -> Applications -> dashy -> Application Entitlements for the Group admins which includes my current User:

3. I configured a Group Binding in Applications -> Applications -> dashy -> Policy/Group/User Bindings for the Group admins which includes my current User:

4. In Customization -> Property Mappings I configured a OAuth Source Property Mapping

Anyways, nothing is working right now, so obviously there is something wrong with the Configuration and most likely the Problem lies between the Chain and the Screen 🤣.

I see there are ways to add "groups" or expose "claims" etc, but is there a Way (and which is it ?) to set "root" level Properties ?

The admin: false that I saw in Network Console while trying to setup Dashy with Authentik OpenID Connect / OAuth2 seems to suggest it's a Top-Level / Root Property Key, thus I would expect that I need to set admin: true (YAML) or return { admin: True } (Python) somewhere in Authentik 🤔 ...