Attempting to map an EntraID access token as a custom claim

[smarcucciohal]

I have a typical authentication flow that includes a Generic OAuth source (pointing to Azure/EntraID). I have created a property mapping (applied to the Generic Oauth source) to extract the access token from EntraID.

# Build the return dictionary
result = {
    "username": info.get("email", ""),
    "email": info.get("email"),
    "name": info.get("name"),
    "first_name": info.get("given_name"),
    "last_name": info.get("family_name"),
    "attributes": {
        "entraid_access_token": token.get("access_token"),
    }
}

return result

I then have a scope mapping that attempts to return the access token as a custom claim:

claims = {}

if not request.user.is_anonymous:
    user_attrs = request.user.attributes

    if user_attrs.get("entraid_access_token"):
        claims["entraid_access_token"] = user_attrs["entraid_access_token"]

else:
    ak_logger.warning("Scope mapping executed with anonymous user.")

return claims

This all works when a user is first authenticated in EntraID and then created in Authentik. I see the "entraid_access_token" in the user's attributes. The problem is that on re-authentication, the user's attributes are not updated.

Is there a way to force Authentik to always update the user's attributes on every login? I've read that a "Post-Authentication Signal" can be used to do this, but it seems quite complex.

NOTE: I also tried simply passing the access token this way:

result = {
    "username": info.get("email", ""),
    "email": info.get("email"),
    "name": info.get("name"),
    "first_name": info.get("given_name"),
    "last_name": info.get("family_name"),
    "entraid_access_token": token.get("access_token"),
}

But, in this case "entraid_access_token" was not present when the scope mapping executed.