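---
# authentik blueprint: provisions an OIDC provider and an application for the
# Homepage dashboard. Entries are applied in order; later entries resolve
# earlier ones with !Find, so the scope mapping must stay above the provider
# and the provider above the application.
#
# Placeholders substituted before the blueprint is applied:
#   @HOMEPAGE_DOMAIN@         bare host name (redirect_uris prepends the scheme,
#                             so the value itself must NOT contain "https://")
#   HOMEPAGE_VAR_OAUTH_SECRET read from the authentik server's environment at
#                             apply time via !Env; the secret is never stored in
#                             this file, so keep it out of VCS as well.
version: 1
metadata:
  name: "Homepage Dashboard - OIDC Provisioning"
  labels:
    app: homepage
entries:
  # 0. Custom scope that adds a "groups" claim. The expression emits the name
  #    of every authentik group the user belongs to, so Homepage learns the
  #    user's complete group membership — acceptable for a first-party
  #    dashboard, but filter the list here if some group names are sensitive.
  - model: authentik_providers_oauth2.scopemapping
    identifiers:
      name: "Homepage Custom Scope: Groups"
    attrs:
      scope_name: "groups"
      description: "Pass user groups array to Homepage for conditional element rendering"
      expression: |
        return { "groups": [group.name for group in request.user.ak_groups.all()] }

  # 1. Create the OAuth2/OIDC Provider
  - model: authentik_providers_oauth2.oauth2provider
    identifiers:
      name: "Homepage Provider"
    attrs:
      # Implicit-consent flow: users are never shown a consent screen. Fine for
      # a first-party app; switch to the explicit-consent flow if this provider
      # is ever reused for a third-party client.
      authorization_flow: !Find
        - authentik_flows.flow
        - [slug, default-provider-authorization-implicit-consent]
      authentication_flow: !Find
        - authentik_flows.flow
        - [slug, default-authentication-flow]
      invalidation_flow: !Find
        - authentik_flows.flow
        - [slug, default-provider-invalidation-flow]
      # Confidential client: Homepage holds the secret server-side and uses the
      # authorization-code flow, so the secret is never sent to the browser.
      client_type: "confidential"
      client_id: "homepage"
      client_secret: !Env HOMEPAGE_VAR_OAUTH_SECRET
      # Short-lived authorization codes limit replay of a leaked code.
      access_code_validity: "minutes=5"
      # NOTE(review): 30 days is long for a token handed to a browser-facing
      # dashboard. Whether this field is the access-token or the refresh-token
      # lifetime depends on the authentik release (newer releases split it into
      # access_token_validity / refresh_token_validity) — confirm against the
      # target version and prefer a short access-token lifetime with refresh.
      token_validity: "days=30"
      # Exact callback URL. NOTE(review): older authentik releases match
      # redirect URIs as regular expressions (unescaped "." matches any
      # character) and newer ones expect a matching_mode per entry — verify
      # the format for the deployed version so this stays an exact match.
      redirect_uris:
        - "https://@HOMEPAGE_DOMAIN@"
      # Self-signed is sufficient here: the key only signs ID tokens, and the
      # client validates them via authentik's JWKS endpoint served over TLS.
      signing_key: !Find
        - authentik_crypto.certificatekeypair
        - [name, "authentik Self-signed Certificate"]
      # Scopes the provider may issue: the three standard OIDC mappings plus
      # the custom "groups" scope defined in entry 0.
      property_mappings:
        - !Find
          - authentik_providers_oauth2.scopemapping
          - [name, "authentik default OAuth Mapping: OpenID 'openid'"]
        - !Find
          - authentik_providers_oauth2.scopemapping
          - [name, "authentik default OAuth Mapping: OpenID 'email'"]
        - !Find
          - authentik_providers_oauth2.scopemapping
          - [name, "authentik default OAuth Mapping: OpenID 'profile'"]
        - !Find
          - authentik_providers_oauth2.scopemapping
          - [name, "Homepage Custom Scope: Groups"]

  # 2. Create the Application and link it to the Provider
  - model: authentik_core.application
    identifiers:
      slug: homepage
    attrs:
      name: "Homepage"
      # Fix: the placeholder is a bare host name (see redirect_uris above), so
      # an unprefixed launch_url would be rendered as a path relative to the
      # authentik origin instead of opening the dashboard. Use the same
      # absolute https URL the provider redirects to.
      launch_url: "https://@HOMEPAGE_DOMAIN@"
      provider: !Find
        - authentik_providers_oauth2.oauth2provider
        - [name, "Homepage Provider"]
      open_in_new_tab: false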