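---
# Prod customer-portal OIDC application (the client for https://app.dezky.eu).
#
# In dev this provider was made by hand (docs/AUTHENTIK-SETUP.md §3.3); this
# blueprint captures the same object as code for prod. It has the same shape as
# the operator provider (implicit-consent authorization flow, the built-in
# self-signed signing key, openid/email/profile scopes, hashed `sub`,
# per-provider issuer) with two deliberate differences:
#   - it is open to ALL authentik users: there is no policy binding in this
#     file, so anyone who can log in to authentik can complete a login to the
#     portal. Any access restriction therefore has to live in the portal (or
#     be added later as a policy binding on the application).
#   - it uses the portal's redirect URI, matched strictly (exact string, no
#     wildcards); a change to the callback path needs a matching change here.
#
# Both entries use `state: created`: the object is only created when it does
# not exist yet, so a hand-made live provider is never clobbered. The flip side
# is that later edits to this file — including a rotated
# PORTAL_OIDC_CLIENT_SECRET — do NOT reach an already-existing provider; rotate
# the secret on the live object (or delete and re-apply) and redeploy the
# portal with the new value.
#
# No secret is committed here. The authentik-worker reads
# PORTAL_OIDC_CLIENT_SECRET from its environment; the SAME value must be given
# to the portal app (portal-secrets.NUXT_OIDC_CLIENT_SECRET). `!Env` has no
# default for the secret on purpose — apply this blueprint only with the
# variable set, because with `state: created` whatever the first apply stored
# is what stays.
version: 1
metadata:
  name: dezky-portal-application
  labels:
    blueprints.goauthentik.io/instantiate: "true"
entries:
  - id: portal-oauth2-provider
    model: authentik_providers_oauth2.oauth2provider
    state: created
    identifiers:
      client_id: !Env [PORTAL_OIDC_CLIENT_ID, dezky-portal]
    attrs:
      name: dezky-portal
      # Confidential client: the portal is a server-side app that can keep the
      # client secret; the secret comes from the environment, never from here.
      client_type: confidential
      client_id: !Env [PORTAL_OIDC_CLIENT_ID, dezky-portal]
      client_secret: !Env PORTAL_OIDC_CLIENT_SECRET
      # Implicit consent: first-party app, users get no consent prompt for the
      # requested scopes.
      authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
      invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
      # Tokens are signed with authentik's built-in self-signed key. The portal
      # should verify them via the provider's published keys (JWKS), not a
      # pinned copy of this certificate, or a key rotation breaks logins.
      signing_key: !Find [authentik_crypto.certificatekeypair, [name, "authentik Self-signed Certificate"]]
      # Strict match: the portal's callback must be exactly this URL (scheme,
      # host, path); no prefix/regex matching.
      redirect_uris:
        - matching_mode: strict
          url: https://app.dezky.eu/api/auth/callback
      property_mappings:
        - !Find [authentik_providers_oauth2.scopemapping, [managed, "goauthentik.io/providers/oauth2/scope-openid"]]
        - !Find [authentik_providers_oauth2.scopemapping, [managed, "goauthentik.io/providers/oauth2/scope-email"]]
        - !Find [authentik_providers_oauth2.scopemapping, [managed, "goauthentik.io/providers/oauth2/scope-profile"]]
      # `sub` is derived from the user's id rather than username/email, so the
      # portal should key its accounts on `sub`, not on `email` (which a user
      # or admin can change).
      sub_mode: hashed_user_id
      # Issuer is per provider: the portal's configured issuer / discovery URL
      # must be the one authentik publishes for this application, not the
      # instance root — NOTE(review): confirm the portal's NUXT OIDC issuer
      # setting matches.
      issuer_mode: per_provider
  - id: portal-application
    model: authentik_core.application
    state: created
    identifiers:
      slug: dezky-portal
    attrs:
      name: Dezky Portal
      slug: dezky-portal
      provider: !KeyOf portal-oauth2-provider
      meta_launch_url: https://app.dezky.eu
      meta_description: Your dezky workspace — mail, files, calendar and more.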