version: 1
metadata:
  name: "FreshRSS OAuth2 Provisioning"
  labels:
    app: freshrss
entries:
  - model: authentik_providers_oauth2.oauth2provider
    identifiers:
      name: "FreshRSS Provider"
    attrs:
      authorization_flow:
        !Find [
          authentik_flows.flow,
          [slug, default-provider-authorization-implicit-consent],
        ]
      authentication_flow:
        !Find [authentik_flows.flow, [slug, default-authentication-flow]]
      invalidation_flow:
        !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
      client_type: "confidential"
      client_id: "freshrss"

      client_secret: !Env FRESHRSS_OAUTH_SECRET
      access_code_validity: "minutes=5"
      token_validity: "days=30"
      signing_key:
        !Find [
          authentik_crypto.certificatekeypair,
          [name, "authentik Self-signed Certificate"],
        ]
      redirect_uris:
        - url: "https://@FRESHRSS_DOMAIN@.*"
          matching_mode: "regex"
      property_mappings:
        - !Find [
            authentik_providers_oauth2.scopemapping,
            [name, "authentik default OAuth Mapping: OpenID 'openid'"],
          ]
        - !Find [
            authentik_providers_oauth2.scopemapping,
            [name, "authentik default OAuth Mapping: OpenID 'email'"],
          ]
        - !Find [
            authentik_providers_oauth2.scopemapping,
            [name, "authentik default OAuth Mapping: OpenID 'profile'"],
          ]

  - model: authentik_core.application
    identifiers:
      slug: "freshrss"
    attrs:
      name: "FreshRSS"
      launch_url: "@FRESHRSS_DOMAIN@"
      provider:
        !Find [
          authentik_providers_oauth2.oauth2provider,
          [name, "FreshRSS Provider"],
        ]