freshrss oidc

modules/server/containers/data/authentik/freshrss.yaml

@@ -0,0 +1,58 @@
+version: 1
+metadata:
+  name: "FreshRSS OAuth2 Provisioning"
+  labels:
+    app: freshrss
+entries:
+  - model: authentik_providers_oauth2.oauth2provider
+    identifiers:
+      name: "FreshRSS Provider"
+    attrs:
+      authorization_flow:
+        !Find [
+          authentik_flows.flow,
+          [slug, default-provider-authorization-implicit-consent],
+        ]
+      authentication_flow:
+        !Find [authentik_flows.flow, [slug, default-authentication-flow]]
+      invalidation_flow:
+        !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+      client_type: "confidential"
+      client_id: "freshrss"
+
+      client_secret: !Env FRESHRSS_OAUTH_SECRET
+      access_code_validity: "minutes=5"
+      token_validity: "days=30"
+      signing_key:
+        !Find [
+          authentik_crypto.certificatekeypair,
+          [name, "authentik Self-signed Certificate"],
+        ]
+      redirect_uris:
+        - url: "https://@FRESHRSS_DOMAIN@/i/oidc"
+          matching_mode: "regex"
+      property_mappings:
+        - !Find [
+            authentik_providers_oauth2.scopemapping,
+            [name, "authentik default OAuth Mapping: OpenID 'openid'"],
+          ]
+        - !Find [
+            authentik_providers_oauth2.scopemapping,
+            [name, "authentik default OAuth Mapping: OpenID 'email'"],
+          ]
+        - !Find [
+            authentik_providers_oauth2.scopemapping,
+            [name, "authentik default OAuth Mapping: OpenID 'profile'"],
+          ]
+
+  - model: authentik_core.application
+    identifiers:
+      slug: "freshrss"
+    attrs:
+      name: "FreshRSS"
+      launch_url: "@FRESHRSS_DOMAIN@"
+      provider:
+        !Find [
+          authentik_providers_oauth2.oauth2provider,
+          [name, "FreshRSS Provider"],
+        ]