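# authentik blueprint: provisions the Immich OAuth2/OIDC provider and the
# application tile that points at it.
# "@IMMICH_DOMAIN@" is substituted before the blueprint is applied. The
# redirect URIs below prepend "https://", so the placeholder must be a bare
# host (optionally with port), never a full URL.
version: 1
metadata:
  name: "Immich OAuth2 Provisioning"
  labels:
    app: immich
entries:
  - model: authentik_providers_oauth2.oauth2provider
    identifiers:
      name: "Immich Provider"
    attrs:
      authorization_flow: !Find [
          authentik_flows.flow,
          [slug, default-provider-authorization-implicit-consent],
        ]
      authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
      invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
      client_type: "confidential"
      client_id: "immich"
      # The secret is read from the environment when the blueprint is applied;
      # it is never stored in this file.
      client_secret: !Env IMMICH_OAUTH_SECRET
      access_code_validity: "minutes=5"
      token_validity: "days=30"
      signing_key: !Find [
          authentik_crypto.certificatekeypair,
          [name, "authentik Self-signed Certificate"],
        ]
      # Every redirect URI is a literal, so exact matching is used for all of
      # them. In "regex" mode an unescaped "." in the host matches any
      # character, which widens the set of URLs an authorization code can be
      # sent back to; "strict" keeps the allow-list to exactly these values.
      redirect_uris:
        - url: "app.immich:///oauth-callback"
          matching_mode: "strict"
        - url: "https://@IMMICH_DOMAIN@/auth/login"
          matching_mode: "strict"
        - url: "https://@IMMICH_DOMAIN@/user-settings"
          matching_mode: "strict"
      # Only the scopes Immich needs: identity, e-mail and profile.
      property_mappings:
        - !Find [authentik_core.propertymapping, [scope_name, "openid"]]
        - !Find [authentik_core.propertymapping, [scope_name, "email"]]
        - !Find [authentik_core.propertymapping, [scope_name, "profile"]]
  - model: authentik_core.application
    identifiers:
      slug: "immich"
    attrs:
      name: "Immich"
      # Scheme added so the tile links to an absolute URL; the placeholder is a
      # bare host (see the redirect URIs above), and a scheme-less value would
      # be resolved relative to the authentik host.
      launch_url: "https://@IMMICH_DOMAIN@"
      provider: !Find [
          authentik_providers_oauth2.oauth2provider,
          [name, "Immich Provider"],
        ]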