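---
# authentik blueprint: provisions an OAuth2/OIDC provider and the application
# bound to it for the Homepage dashboard.
# @HOMEPAGE_DOMAIN@ is a placeholder (used below as a bare host name) that must
# be substituted before authentik loads this file.
version: 1
metadata:
  name: "Homepage Dashboard - OIDC Provisioning"
  labels:
    # NOTE(review): this blueprint provisions Homepage, yet the label says
    # "immich"; it looks like a copy-paste leftover. Confirm before anything
    # selects blueprints by this label.
    app: immich
entries:
  # 1. Create the OAuth2/OIDC Provider
  - model: authentik_providers_oauth2.oauth2provider
    # identifiers let the importer match an existing object, so re-applying
    # the blueprint updates this provider instead of failing or duplicating
    # it. The name is also what the application entry below looks up.
    identifiers:
      name: "Homepage Provider"
    attrs:
      client_type: "confidential"
      # Credentials are read from the environment so the secret never lands
      # in the blueprint file. Both variables must be set for the process
      # that applies blueprints; an unset variable does not resolve to a
      # usable credential.
      client_id: !Env AUTHENTIK_HOME_CID
      client_secret: !Env AUTHENTIK_HOME_CSEC
      # Implicit consent: users get no consent prompt. Reasonable for a
      # first-party app; use default-provider-authorization-explicit-consent
      # if the client is not fully trusted.
      authorization_flow:
        !Find [
          authentik_flows.flow,
          [slug, default-provider-authorization-implicit-consent],
        ]
      authentication_flow:
        !Find [authentik_flows.flow, [slug, default-authentication-flow]]
      invalidation_flow:
        !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
      # Update this URI to match your dashboard's literal URL. Register only
      # the exact https callback the client uses: authorization responses are
      # delivered to whatever is allowed here.
      # NOTE(review): newer authentik releases expect each entry as a mapping
      # (matching_mode + url) rather than a bare string. Verify against the
      # schema of the deployed version and prefer strict matching over regex.
      redirect_uris:
        - "https://@HOMEPAGE_DOMAIN@"
      # Bind default OpenID scopes plus our custom groups scope.
      # NOTE(review): "group" is not one of the stock scope mappings, so it
      # must be created by another blueprint that is applied first; a !Find
      # with no match does not yield a usable mapping. Also confirm the scope
      # name ("group" vs "groups") matches what the client requests.
      property_mappings:
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, group]]

  # 2. Create the Application and link it to the Provider
  - model: authentik_core.application
    identifiers:
      slug: homepage
    attrs:
      name: "Homepage"
      # The writable field is meta_launch_url (launch_url is computed and
      # read-only). The scheme is spelled out to match redirect_uris, where
      # the placeholder is used as a bare host name.
      meta_launch_url: "https://@HOMEPAGE_DOMAIN@"
      provider:
        !Find [
          authentik_providers_oauth2.oauth2provider,
          [name, Homepage Provider],
        ]
      open_in_new_tab: false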