ronnibaslund/dezky
1
0
Fork 0
Code Issues 37 Pull Requests Actions Packages Projects 1 Releases Wiki Activity
Files
b6c98e2a65d959ae22104a6879223016f91e9de8
dezky/infrastructure/production/fleet/authentik/blueprints/operator-application.yaml
T
Ronni Baslund 901cc69ba3
ci / changes (push) Successful in 4s
Details
ci / tc_booking (push) Has been skipped
Details
ci / tc_operator (push) Successful in 20s
Details
ci / tc_website (push) Has been skipped
Details
ci / tc_platform_api (push) Has been skipped
Details
ci / test_platform_api (push) Has been skipped
Details
ci / build_booking (push) Has been skipped
Details
ci / tc_portal (push) Successful in 26s
Details
ci / build_platform_api (push) Has been skipped
Details
ci / build_operator (push) Successful in 31s
Details
ci / build_portal (push) Successful in 39s
Details
ci / deploy (push) Successful in 41s
Details
fix(auth): silent session renewal + 401 auto-recovery 
Idle sessions died and left a broken page: when the access token expired,
nuxt-oidc-auth's automatic refresh had no refresh token to use — neither
Authentik provider carried the offline_access scope mapping (and the
operator never requested the scope), so the module cleared the session
and every /api call 401'd until a manual F5 happened to re-auth through
Authentik's still-alive SSO session.

Fix 1: offline_access end to end — scope mapping attached to both live
providers (and blueprints, prod + dev), operator now requests the scope.
Sessions renew server-side for up to 30 days of activity (Redis store +
pinned token key from earlier make the refresh tokens durable).

Fix 2: client plugin in both apps — a 401 from /api sends the browser
through /auth/oidc/login instead of leaving dead buttons; invisible when
Authentik's session is alive, a clean sign-in screen when it isn't.
Loop-guarded. Full sign-out behavior unchanged.
2026-06-11 09:21:15 +02:00

87 lines
3.4 KiB
YAML
Raw Blame History

# Prod operator OIDC application + dezky-platform-admins access policy.
# Mirrors infrastructure/docker-compose/configs/authentik/blueprints/
# operator-application.yaml, with .local → .eu URLs. Applied by the
# authentik-worker (mounts /blueprints/custom; reads OPERATOR_OIDC_* from env).
#
# Provider/app are state:created (never clobber a hand-made live provider);
# group/policy/binding are state:present (reconcile + enforce on every env).
version: 1
metadata:
name: dezky-operator-application
labels:
blueprints.goauthentik.io/instantiate: "true"
entries:
- model: authentik_core.group
state: present
identifiers:
name: dezky-platform-admins
attrs:
name: dezky-platform-admins
- id: operator-oauth2-provider
model: authentik_providers_oauth2.oauth2provider
state: created
identifiers:
client_id: !Env [OPERATOR_OIDC_CLIENT_ID, dezky-operator]
attrs:
name: dezky-operator
client_type: confidential
client_id: !Env [OPERATOR_OIDC_CLIENT_ID, dezky-operator]
client_secret: !Env OPERATOR_OIDC_CLIENT_SECRET
authorization_flow:
!Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow:
!Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
signing_key:
!Find [authentik_crypto.certificatekeypair, [name, "authentik Self-signed Certificate"]]
redirect_uris:
- matching_mode: strict
url: https://operator.dezky.eu/auth/oidc/callback
property_mappings:
- !Find [authentik_providers_oauth2.scopemapping, [managed, "goauthentik.io/providers/oauth2/scope-openid"]]
- !Find [authentik_providers_oauth2.scopemapping, [managed, "goauthentik.io/providers/oauth2/scope-email"]]
- !Find [authentik_providers_oauth2.scopemapping, [managed, "goauthentik.io/providers/oauth2/scope-profile"]]
# offline_access -> Authentik issues refresh tokens, enabling the
# apps' silent session renewal (idle sessions died without it).
- !Find [authentik_providers_oauth2.scopemapping, [managed, "goauthentik.io/providers/oauth2/scope-offline_access"]]
sub_mode: hashed_user_id
issuer_mode: per_provider
# Authentik 2026.5+ enforces a per-provider grant_types allowlist; an empty
# list rejects every authorize request ("Invalid grant_type for provider").
# authorization_code = login; refresh_token = offline_access silent refresh.
grant_types:
- authorization_code
- refresh_token
- id: operator-application
model: authentik_core.application
state: created
identifiers:
slug: dezky-operator
attrs:
name: Dezky Operator
slug: dezky-operator
provider: !KeyOf operator-oauth2-provider
meta_launch_url: https://operator.dezky.eu
meta_description: Internal Dezky operator control plane. Platform admins only.
- id: operator-require-platform-admin
model: authentik_policies_expression.expressionpolicy
state: present
identifiers:
name: operator-require-platform-admin
attrs:
name: operator-require-platform-admin
expression: |
return ak_is_group_member(request.user, name="dezky-platform-admins")
- model: authentik_policies.policybinding
state: present
identifiers:
target: !KeyOf operator-application
policy: !KeyOf operator-require-platform-admin
attrs:
enabled: true
order: 0
Reference in New Issue View Git Blame Copy Permalink