Authelia as an authorization provider

My terminology may be incorrect. What is the case is that the one thing that never changes is the auth username (name) All other things can change. email is the current registered email address for that user, which can change (subject to the procedure with the auth provider). preferred_name is the current display name for the user name and can change (and appears to be correctly used by misago. very well).

Right. I've checked this, and I am now getting a correct behaviour (logging in with name returns updated preferred_name and email). I do not understand what I was previously seeing. I cannot now duplicate what I was previously wrong (and nothing has changed with either misago or authelia). I must have done something stupid. Apologies for that.

Currently I'm working on a test instance. I have three misago created user profiles (all superusers), and three oauth created user profiles (which I have now tested changing priviledges, etc).

Accepting that compliant email behaviour is the responsibility of the auth provider, I think misago is actually working as it should. I'm very sorry for making noise over smoke, when there appears to be no actual fire. My only excuse would be that testing across multiple browsers and users gets a bit complicated.

Your constructive attention is appreciated.

I have a problem to resolve with a work issue, then I will look at integration with authelia documentation. Where would you like that posted, here as a thread? (I shall also endeavour to get it added to the authelia docs).

I removed 'groups' from the scopes in my authelia client id definition. Having done so, misago then stopped working with authelia.

I know that groups are not used in misago, but are they required nevertheless? I actually don't mind if they are...they might be used one day, which would be good. I just need to know from a documentation point of view.

If I remove 'groups' from scopes I get:

If I replace groups it works.

(as an example, gitea works without 'groups' in the scopes)

What you said triggered me to think.

I had removed groups from scopes in my authelia config...but I had forgotten that part of the misago oauth config was to include the required scopes - and I hadn't removed 'groups' from the misago config.

When I did, it all worked fine without groups.

I just needed to remove it from the config of both, not only authelia.

I'm making a lot of stupid mistakes on this.

Sorry I am generally too busy to follow all of the different sites, pinging me on Discord, GitHub, Matrix, or email is the best way to get in contact. I try to stay present in many social networks but it's hard to be across everything.

Authelia respects the spec and the sub / "subject" claim is the authoritative unique opaque value that represents an individual user. We could use their username technically however for privacy reasons we expressly hide that behind the profile scope and also support pairwise subject identifiers. However this is for the time being directly linked to the preferred_username in the backend (which is actually the username value just we map this to the appropriate standard claim).

www.authelia.com/integration/openid-connect/misago/ (thanks to tetricky)

Nope. Very much thanks to @rafalp and @jamesdelliott - all your your work fellas. I just did a small component of the admin.