ronnibaslund/dezky
1
0
Fork 0
Code Issues 37 Pull Requests Actions Packages Projects 1 Releases Wiki Activity
Files
716d854b3d87598b157c9ae3bd9943ef0de7de8e
dezky/infrastructure/production/fleet/authentik/blueprints/portal-application.yaml
T
Ronni Baslund d02eb5ec50 fix(authentik): pin chart 2026.5.2, grant_types allowlist, portal redirect URI 
- Pin the helm-controller chart version (unset = silent latest upgrades) and
  move the image tag under global.image per the 2026.5 chart layout.
- Authentik 2026.5 enforces a per-provider grant_types allowlist; empty list
  rejected every authorize request. Allow authorization_code + refresh_token
  for portal and operator providers.
- Fix the portal redirect URI to the nuxt-oidc-auth callback path.
- Serve the auth ingress on :80 with a per-router HTTPS redirect so the
  cert-manager HTTP-01 solver keeps working.
2026-06-10 07:53:49 +02:00

60 lines
2.6 KiB
YAML
Raw Blame History

# Prod customer-portal OIDC application. In dev this provider was made by hand
# (docs/AUTHENTIK-SETUP.md §3.3); captured here as code for prod. Same shape as
# the operator provider (implicit-consent flow, self-signed signing key,
# openid/email/profile, hashed sub, per-provider issuer) but open to ALL users
# (no platform-admin policy) and with the portal's redirect URI.
#
# state:created so a hand-made live provider is never clobbered. The
# authentik-worker reads PORTAL_OIDC_CLIENT_SECRET from env; the SAME secret
# must be given to the portal app (portal-secrets.NUXT_OIDC_CLIENT_SECRET).
version: 1
metadata:
name: dezky-portal-application
labels:
blueprints.goauthentik.io/instantiate: "true"
entries:
- id: portal-oauth2-provider
model: authentik_providers_oauth2.oauth2provider
state: created
identifiers:
client_id: !Env [PORTAL_OIDC_CLIENT_ID, dezky-portal]
attrs:
name: dezky-portal
client_type: confidential
client_id: !Env [PORTAL_OIDC_CLIENT_ID, dezky-portal]
client_secret: !Env PORTAL_OIDC_CLIENT_SECRET
authorization_flow:
!Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow:
!Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
signing_key:
!Find [authentik_crypto.certificatekeypair, [name, "authentik Self-signed Certificate"]]
redirect_uris:
- matching_mode: strict
url: https://app.dezky.eu/auth/oidc/callback
property_mappings:
- !Find [authentik_providers_oauth2.scopemapping, [managed, "goauthentik.io/providers/oauth2/scope-openid"]]
- !Find [authentik_providers_oauth2.scopemapping, [managed, "goauthentik.io/providers/oauth2/scope-email"]]
- !Find [authentik_providers_oauth2.scopemapping, [managed, "goauthentik.io/providers/oauth2/scope-profile"]]
sub_mode: hashed_user_id
issuer_mode: per_provider
# Authentik 2026.5+ enforces a per-provider grant_types allowlist; an empty
# list rejects every authorize request ("Invalid grant_type for provider").
# authorization_code = login; refresh_token = offline_access silent refresh.
grant_types:
- authorization_code
- refresh_token
- id: portal-application
model: authentik_core.application
state: created
identifiers:
slug: dezky-portal
attrs:
name: Dezky Portal
slug: dezky-portal
provider: !KeyOf portal-oauth2-provider
meta_launch_url: https://app.dezky.eu
meta_description: Your dezky workspace — mail, files, calendar and more.
Reference in New Issue View Git Blame Copy Permalink