docs(operator): O.1 done — Authentik dezky-operator OAuth client live
What landed in Authentik (runtime state, not in git):
- OAuth2 provider 'dezky-operator', confidential, PKCE, audience
dezky-operator, redirect URIs operator.dezky.local/auth/oidc/{callback,logout}
- Application 'Dezky Operator' linked to the provider
- Policy binding: dezky-platform-admins group required on the application
.env (gitignored) gained OPERATOR_OIDC_CLIENT_ID/SECRET/ISSUER.
MFA-required is deferred — Authentik enforces it via a stage binding on
the auth flow, which is app-specific config better tackled when there's
a real enrollment to gate. akadmin already has WebAuthn so the flow
prompts for it anyway.
Discovery doc at /application/o/dezky-operator/.well-known/openid-configuration
confirmed: issuer correct, scopes include 'groups'.
Two gotchas documented in OPERATOR-PLAN.md:
- Authentik 2025.10 requires invalidation_flow alongside authorization_flow
- policies/group_membership endpoint is gone; use policies/bindings with a
direct group reference instead
@@ -260,18 +260,34 @@ done in order — earlier ones unblock later ones.
NEXT-STEPS.md, TROUBLESHOOTING.md) for stale references
- [x] Verify customer portal `/api/me` still works end-to-end after rename

### O.1 · Authentik — operator OAuth client
### O.1 · Authentik — operator OAuth client ✓

- [ ] Create `dezky-operator` OAuth provider via Authentik API
- [ ] Set redirect URIs to `https://operator.dezky.local/auth/oidc/{callback,logout}`
- [ ] Confidential client; persist client_secret to `.env` as
- [x] Create `dezky-operator` OAuth provider via Authentik API
- [x] Set redirect URIs to `https://operator.dezky.local/auth/oidc/{callback,logout}`
- [x] Confidential client; client_secret persisted to `.env` as
`OPERATOR_OIDC_CLIENT_SECRET`
- [ ] Create application binding linking the provider to a
`dezky-platform-admins`-only authorization flow (only group members can
reach the consent screen)
- [ ] Configure MFA-required policy on this provider
- [ ] Verify via `curl` that the discovery doc resolves at
`/application/o/dezky-operator/.well-known/openid-configuration`
- [x] `Dezky Operator` application created and linked to the provider
- [x] Group binding on the application: `dezky-platform-admins` required to
reach the consent screen. (Authentik 2025.10 supports group-direct
policy bindings — no separate `policy_group_membership` object needed)
- [ ] **Deferred to follow-up:** MFA-required policy on this provider.
Authentik does this via a stage binding on the authentication flow,
which is app-specific configuration we'll wire when there's an actual
MFA enrollment to gate against. For dev with one akadmin, akadmin
already has WebAuthn — the auth flow prompts for it automatically
- [x] Discovery doc verified at
`/application/o/dezky-operator/.well-known/openid-configuration` —
issuer correct, scopes include `groups`, all endpoints resolve

### Gotchas worth noting

- Authentik 2025.10 requires both `authorization_flow` AND `invalidation_flow`
when creating OAuth2 providers. The default invalidation flow is at
`/api/v3/flows/instances/?designation=invalidation` (slug
`default-provider-invalidation-flow`)
- The `policies/group_membership/` endpoint mentioned in older Authentik
docs is gone in 2025.10. Use `policies/bindings/` with a direct `group`
reference instead

### O.2 · platform-api — multi-audience + Partner CRUD


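Review bot: the "Deferred to follow-up" MFA bullet records a gap without stating its scope. With that item unchecked, the only gate in front of the consent screen is membership in `dezky-platform-admins`, and the line "the auth flow prompts for it automatically" holds only because the single dev account, akadmin, already has a WebAuthn device enrolled; any other user added to the group before the stage binding exists reaches the operator app with a password alone. Suggest saying that in the bullet, e.g. "until the stage binding lands, group members without an enrolled authenticator are not prompted", and tracking the follow-up next to the other O-series items so it does not get lost. Smaller point on the discovery-doc item: "scopes include `groups`" confirms the scope is advertised in the discovery document, not that the claim is emitted; checking one issued ID token for a `groups` claim would close that loop.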