Idle sessions died and left a broken page: when the access token expired,
nuxt-oidc-auth's automatic refresh had no refresh token to use — neither
Authentik provider carried the offline_access scope mapping (and the
operator never requested the scope), so the module cleared the session
and every /api call 401'd until a manual F5 happened to re-auth through
Authentik's still-alive SSO session.
Fix 1: offline_access end to end — scope mapping attached to both live
providers (and blueprints, prod + dev), operator now requests the scope.
Sessions renew server-side for up to 30 days of activity (Redis store +
pinned token key from earlier make the refresh tokens durable).
Fix 2: client plugin in both apps — a 401 from /api sends the browser
through /auth/oidc/login instead of leaving dead buttons; invisible when
Authentik's session is alive, a clean sign-in screen when it isn't.
Loop-guarded. Full sign-out behavior unchanged.
A partner or tenant admin could complete the dezky-operator OIDC flow and
land on the operator portal. The platform-api OperatorGuard already 403s
their data, but the login/UI layer had no authorization check at all — the
only gate was a manual Authentik UI setting with nothing in git enforcing it.
Close it with defense-in-depth across three independent layers:
1. IdP — operator-application.yaml blueprint binds an
ak_is_group_member("dezky-platform-admins") policy to the dezky-operator
app, so Authentik denies the OIDC flow for non-admins. The blueprint also
provisions the provider + application (state: created, so a fresh env is
built from code while an existing hand-made provider is left untouched).
Wire OPERATOR_OIDC_* into both authentik containers and mount the
blueprints dir on the worker (it applies blueprints, and previously lacked
the mount).
2. Operator app — require-platform-admin.global.ts requires platformAdmin and
routes a non-admin to not-authorized.vue, which triggers a full sign-out
(local + Authentik IdP) for shared-workstation safety. Fails open on a
transient /api/me error by design, to avoid mass-signout on platform-api
restarts; layers 1 and 3 contain the exposure.
3. platform-api — OperatorGuard (unchanged) requires dezky-operator audience
plus platformAdmin resolved from the DB on every request.
Also harden the partner surface: it shares the dezky-portal client with tenant
users so it has no IdP gate, and its /partner/* route middleware now fails
CLOSED when identity can't be confirmed.
Docs (AUTHENTIK-SETUP.md) and .env.example updated; the operator client secret
must be set before first boot since the blueprint now consumes it.
Ronni Baslund