ronnibaslund/dezky
1
0
Fork 0
Code Issues 37 Pull Requests Actions Packages Projects 1 Releases Wiki Activity
Files
901cc69ba31758543b90890ed124c49541831b5d
dezky/infrastructure/production/fleet/authentik/blueprints/portal-application.yaml
T
Ronni Baslund 901cc69ba3
ci / changes (push) Successful in 4s
Details
ci / tc_booking (push) Has been skipped
Details
ci / tc_operator (push) Successful in 20s
Details
ci / tc_website (push) Has been skipped
Details
ci / tc_platform_api (push) Has been skipped
Details
ci / test_platform_api (push) Has been skipped
Details
ci / build_booking (push) Has been skipped
Details
ci / tc_portal (push) Successful in 26s
Details
ci / build_platform_api (push) Has been skipped
Details
ci / build_operator (push) Successful in 31s
Details
ci / build_portal (push) Successful in 39s
Details
ci / deploy (push) Successful in 41s
Details
fix(auth): silent session renewal + 401 auto-recovery 
Idle sessions died and left a broken page: when the access token expired,
nuxt-oidc-auth's automatic refresh had no refresh token to use — neither
Authentik provider carried the offline_access scope mapping (and the
operator never requested the scope), so the module cleared the session
and every /api call 401'd until a manual F5 happened to re-auth through
Authentik's still-alive SSO session.

Fix 1: offline_access end to end — scope mapping attached to both live
providers (and blueprints, prod + dev), operator now requests the scope.
Sessions renew server-side for up to 30 days of activity (Redis store +
pinned token key from earlier make the refresh tokens durable).

Fix 2: client plugin in both apps — a 401 from /api sends the browser
through /auth/oidc/login instead of leaving dead buttons; invisible when
Authentik's session is alive, a clean sign-in screen when it isn't.
Loop-guarded. Full sign-out behavior unchanged.
2026-06-11 09:21:15 +02:00

63 lines
2.9 KiB
YAML
Raw Blame History

# Prod customer-portal OIDC application. In dev this provider was made by hand
# (docs/AUTHENTIK-SETUP.md §3.3); captured here as code for prod. Same shape as
# the operator provider (implicit-consent flow, self-signed signing key,
# openid/email/profile, hashed sub, per-provider issuer) but open to ALL users
# (no platform-admin policy) and with the portal's redirect URI.
#
# state:created so a hand-made live provider is never clobbered. The
# authentik-worker reads PORTAL_OIDC_CLIENT_SECRET from env; the SAME secret
# must be given to the portal app (portal-secrets.NUXT_OIDC_CLIENT_SECRET).
version: 1
metadata:
name: dezky-portal-application
labels:
blueprints.goauthentik.io/instantiate: "true"
entries:
- id: portal-oauth2-provider
model: authentik_providers_oauth2.oauth2provider
state: created
identifiers:
client_id: !Env [PORTAL_OIDC_CLIENT_ID, dezky-portal]
attrs:
name: dezky-portal
client_type: confidential
client_id: !Env [PORTAL_OIDC_CLIENT_ID, dezky-portal]
client_secret: !Env PORTAL_OIDC_CLIENT_SECRET
authorization_flow:
!Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow:
!Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
signing_key:
!Find [authentik_crypto.certificatekeypair, [name, "authentik Self-signed Certificate"]]
redirect_uris:
- matching_mode: strict
url: https://app.dezky.eu/auth/oidc/callback
property_mappings:
- !Find [authentik_providers_oauth2.scopemapping, [managed, "goauthentik.io/providers/oauth2/scope-openid"]]
- !Find [authentik_providers_oauth2.scopemapping, [managed, "goauthentik.io/providers/oauth2/scope-email"]]
- !Find [authentik_providers_oauth2.scopemapping, [managed, "goauthentik.io/providers/oauth2/scope-profile"]]
# offline_access -> Authentik issues refresh tokens, enabling the
# apps' silent session renewal (idle sessions died without it).
- !Find [authentik_providers_oauth2.scopemapping, [managed, "goauthentik.io/providers/oauth2/scope-offline_access"]]
sub_mode: hashed_user_id
issuer_mode: per_provider
# Authentik 2026.5+ enforces a per-provider grant_types allowlist; an empty
# list rejects every authorize request ("Invalid grant_type for provider").
# authorization_code = login; refresh_token = offline_access silent refresh.
grant_types:
- authorization_code
- refresh_token
- id: portal-application
model: authentik_core.application
state: created
identifiers:
slug: dezky-portal
attrs:
name: Dezky Portal
slug: dezky-portal
provider: !KeyOf portal-oauth2-provider
meta_launch_url: https://app.dezky.eu
meta_description: Your dezky workspace — mail, files, calendar and more.
Reference in New Issue View Git Blame Copy Permalink