ronnibaslund/dezky
1
0
Fork 0
Code Issues 37 Pull Requests Actions Packages Projects 1 Releases Wiki Activity

fix(authentik): pin chart 2026.5.2, grant_types allowlist, portal redirect URI

Browse Source 
- Pin the helm-controller chart version (unset = silent latest upgrades) and
  move the image tag under global.image per the 2026.5 chart layout.
- Authentik 2026.5 enforces a per-provider grant_types allowlist; empty list
  rejected every authorize request. Allow authorization_code + refresh_token
  for portal and operator providers.
- Fix the portal redirect URI to the nuxt-oidc-auth callback path.
- Serve the auth ingress on :80 with a per-router HTTPS redirect so the
  cert-manager HTTP-01 solver keeps working.
This commit is contained in:
Ronni Baslund
2026-06-10 07:53:49 +02:00
parent c814bfdf3b
commit d02eb5ec50
5 changed files with 58 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files
infrastructure/production/fleet/authentik/blueprints/operator-application.yaml
+6
View File
@@ -44,6 +44,12 @@ entries:
- !Find [authentik_providers_oauth2.scopemapping, [managed, "goauthentik.io/providers/oauth2/scope-profile"]]
sub_mode: hashed_user_id
issuer_mode: per_provider
# Authentik 2026.5+ enforces a per-provider grant_types allowlist; an empty
# list rejects every authorize request ("Invalid grant_type for provider").
# authorization_code = login; refresh_token = offline_access silent refresh.
grant_types:
- authorization_code
- refresh_token
- id: operator-application
model: authentik_core.application
infrastructure/production/fleet/authentik/blueprints/portal-application.yaml
+7 -1
View File
@@ -32,13 +32,19 @@ entries:
!Find [authentik_crypto.certificatekeypair, [name, "authentik Self-signed Certificate"]]
redirect_uris:
- matching_mode: strict
url: https://app.dezky.eu/api/auth/callback
url: https://app.dezky.eu/auth/oidc/callback
property_mappings:
- !Find [authentik_providers_oauth2.scopemapping, [managed, "goauthentik.io/providers/oauth2/scope-openid"]]
- !Find [authentik_providers_oauth2.scopemapping, [managed, "goauthentik.io/providers/oauth2/scope-email"]]
- !Find [authentik_providers_oauth2.scopemapping, [managed, "goauthentik.io/providers/oauth2/scope-profile"]]
sub_mode: hashed_user_id
issuer_mode: per_provider
# Authentik 2026.5+ enforces a per-provider grant_types allowlist; an empty
# list rejects every authorize request ("Invalid grant_type for provider").
# authorization_code = login; refresh_token = offline_access silent refresh.
grant_types:
- authorization_code
- refresh_token
- id: portal-application
model: authentik_core.application