docs(operator): O.1 done — Authentik dezky-operator OAuth client live
What landed in Authentik (runtime state, not in git):
- OAuth2 provider 'dezky-operator', confidential, PKCE, audience
dezky-operator, redirect URIs operator.dezky.local/auth/oidc/{callback,logout}
- Application 'Dezky Operator' linked to the provider
- Policy binding: dezky-platform-admins group required on the application
.env (gitignored) gained OPERATOR_OIDC_CLIENT_ID/SECRET/ISSUER.
MFA-required is deferred — Authentik enforces it via a stage binding on
the auth flow, which is app-specific config better tackled when there's
a real enrollment to gate. akadmin already has WebAuthn so the flow
prompts for it anyway.
Discovery doc at /application/o/dezky-operator/.well-known/openid-
configuration confirmed: issuer correct, scopes include 'groups'.
Two gotchas documented in OPERATOR-PLAN.md:
- Authentik 2025.10 requires invalidation_flow alongside authorization_flow
- policies/group_membership endpoint is gone; use policies/bindings with a
direct group reference instead
This commit is contained in:
Ronni Baslund
+26
-10
@@ -260,18 +260,34 @@ done in order — earlier ones unblock later ones.
|
|||||||
NEXT-STEPS.md, TROUBLESHOOTING.md) for stale references
|
NEXT-STEPS.md, TROUBLESHOOTING.md) for stale references
|
||||||
- [x] Verify customer portal `/api/me` still works end-to-end after rename
|
- [x] Verify customer portal `/api/me` still works end-to-end after rename
|
||||||
|
|
||||||
### O.1 · Authentik — operator OAuth client
|
### O.1 · Authentik — operator OAuth client ✓
|
||||||
|
|
||||||
- [ ] Create `dezky-operator` OAuth provider via Authentik API
|
- [x] Create `dezky-operator` OAuth provider via Authentik API
|
||||||
- [ ] Set redirect URIs to `https://operator.dezky.local/auth/oidc/{callback,logout}`
|
- [x] Set redirect URIs to `https://operator.dezky.local/auth/oidc/{callback,logout}`
|
||||||
- [ ] Confidential client; persist client_secret to `.env` as
|
- [x] Confidential client; client_secret persisted to `.env` as
|
||||||
`OPERATOR_OIDC_CLIENT_SECRET`
|
`OPERATOR_OIDC_CLIENT_SECRET`
|
||||||
- [ ] Create application binding linking the provider to a
|
- [x] `Dezky Operator` application created and linked to the provider
|
||||||
`dezky-platform-admins`-only authorization flow (only group members can
|
- [x] Group binding on the application: `dezky-platform-admins` required to
|
||||||
reach the consent screen)
|
reach the consent screen. (Authentik 2025.10 supports group-direct
|
||||||
- [ ] Configure MFA-required policy on this provider
|
policy bindings — no separate `policy_group_membership` object needed)
|
||||||
- [ ] Verify via `curl` that the discovery doc resolves at
|
- [ ] **Deferred to follow-up:** MFA-required policy on this provider.
|
||||||
`/application/o/dezky-operator/.well-known/openid-configuration`
|
Authentik does this via a stage binding on the authentication flow,
|
||||||
|
which is app-specific configuration we'll wire when there's an actual
|
||||||
|
MFA enrollment to gate against. For dev with one akadmin, akadmin
|
||||||
|
already has WebAuthn — the auth flow prompts for it automatically
|
||||||
|
- [x] Discovery doc verified at
|
||||||
|
`/application/o/dezky-operator/.well-known/openid-configuration` —
|
||||||
|
issuer correct, scopes include `groups`, all endpoints resolve
|
||||||
|
|
||||||
|
### Gotchas worth noting
|
||||||
|
|
||||||
|
- Authentik 2025.10 requires both `authorization_flow` AND `invalidation_flow`
|
||||||
|
when creating OAuth2 providers. The default invalidation flow is at
|
||||||
|
`/api/v3/flows/instances/?designation=invalidation` (slug
|
||||||
|
`default-provider-invalidation-flow`)
|
||||||
|
- The `policies/group_membership/` endpoint mentioned in older Authentik
|
||||||
|
docs is gone in 2025.10. Use `policies/bindings/` with a direct `group`
|
||||||
|
reference instead
|
||||||
|
|
||||||
### O.2 · platform-api — multi-audience + Partner CRUD
|
### O.2 · platform-api — multi-audience + Partner CRUD
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user