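---
version: 1
metadata:
  name: "Homepage Dashboard - OIDC Provisioning"
  labels:
    blueprints.goauthentik.io/instantiate: "true"
entries:
  # 1. Scope mapping that exposes the user's group names under a "groups" claim.
  # Identifiers must name a field the model actually has; scope mappings carry
  # no "slug" field, so the entry is matched by name on every apply.
  - model: authentik_providers_oauth2.scopemapping
    identifiers:
      name: "Homepage Custom Scope: Groups"
    attrs:
      name: "Homepage Custom Scope: Groups"
      scope_name: "groups"
      description: "Pass user groups array to Homepage for conditional element rendering"
      # Returns the claim payload: the list comprehension reads the names of the
      # groups the requesting user belongs to.
      expression: |
        return {
          "groups": [group.name for group in request.user.ak_groups.all()]
        }

  # 2. OAuth2/OIDC provider. Client credentials are read from the environment so
  # nothing secret is committed with this file; both variables must be set
  # before the blueprint is applied (no default is given on purpose).
  # The original had a stray closing quote after each variable name, which
  # makes the !Env tag look up a variable that does not exist.
  - model: authentik_providers_oauth2.oauth2provider
    identifiers:
      name: "Homepage Provider"
    attrs:
      name: "Homepage Provider"
      client_type: "confidential"
      client_id: !Env AUTHENTIK_HOME_CID
      client_secret: !Env AUTHENTIK_HOME_CSEC
      # Must be the slug of an authorization flow that exists in this instance;
      # TODO confirm — the flows authentik ships by default use other slugs.
      authorization_flow: !Find [authentik_flows.flow, [slug, default-authorization-flow]]
      # Update this URI to match the dashboard's literal URL; keep it exact so
      # the provider does not accept redirects to other hosts.
      redirect_uris:
        - "https://@HOMEPAGE_DOMAIN@"
      # Default OpenID scopes plus the custom groups scope from entry 1.
      # The lookup value must equal that entry's scope_name ("groups"), not
      # "group" — a non-matching !Find binds nothing and the claim is never issued.
      property_mappings:
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, groups]]

  # 3. Application that is linked to the provider above.
  # identifiers.slug must equal attrs.slug; otherwise a second apply cannot find
  # the application it created the first time and attempts a duplicate.
  - model: authentik_core.application
    identifiers:
      slug: "homepage"
    attrs:
      name: "Homepage Dashboard"
      slug: "homepage"
      # NOTE(review): redirect_uris above prefixes the placeholder with https://
      # and this value does not — confirm the substituted value carries a scheme.
      launch_url: "@HOMEPAGE_DOMAIN@"
      provider: !Find [authentik_providers_oauth2.oauth2provider, [name, Homepage Provider]]
      open_in_new_tab: false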