109 lines
3.2 KiB
YAML
109 lines
3.2 KiB
YAML
version: 1
|
|
metadata:
|
|
name: "Homepage Dashboard - OIDC Provisioning"
|
|
labels:
|
|
app: homepage
|
|
|
|
entries:
|
|
- model: authentik_providers_oauth2.scopemapping
|
|
identifiers:
|
|
name: "Homepage Custom Scope: Groups"
|
|
attrs:
|
|
scope_name: "groups"
|
|
description: "Pass user groups array to Homepage for conditional element rendering"
|
|
expression: |
|
|
return {
|
|
"groups": [group.name for group in request.user.ak_groups.all()]
|
|
}
|
|
# 1. Create the OAuth2/OIDC Provider
|
|
- model: authentik_providers_oauth2.oauth2provider
|
|
identifiers:
|
|
name: "Homepage Provider"
|
|
attrs:
|
|
authorization_flow:
|
|
!Find [
|
|
authentik_flows.flow,
|
|
[slug, default-provider-authorization-implicit-consent],
|
|
]
|
|
authentication_flow:
|
|
!Find [authentik_flows.flow, [slug, default-authentication-flow]]
|
|
invalidation_flow:
|
|
!Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
|
|
client_type: "confidential"
|
|
client_id: "homepage"
|
|
client_secret: !Env HOMEPAGE_VAR_OAUTH_SECRET
|
|
access_code_validity: "minutes=5"
|
|
token_validity: "days=30"
|
|
redirect_uris:
|
|
- url: "https://@HOMEPAGE_DOMAIN@/login"
|
|
matching_mode: "regex"
|
|
signing_key:
|
|
!Find [
|
|
authentik_crypto.certificatekeypair,
|
|
[name, "authentik Self-signed Certificate"],
|
|
]
|
|
property_mappings:
|
|
- !Find [
|
|
authentik_providers_oauth2.scopemapping,
|
|
[name, "authentik default OAuth Mapping: OpenID 'openid'"],
|
|
]
|
|
- !Find [
|
|
authentik_providers_oauth2.scopemapping,
|
|
[name, "authentik default OAuth Mapping: OpenID 'email'"],
|
|
]
|
|
- !Find [
|
|
authentik_providers_oauth2.scopemapping,
|
|
[name, "authentik default OAuth Mapping: OpenID 'profile'"],
|
|
]
|
|
- !Find [
|
|
authentik_providers_oauth2.scopemapping,
|
|
[name, "Homepage Custom Scope: Groups"],
|
|
]
|
|
|
|
# 2. Create the Application and link it to the Provider
|
|
- model: authentik_core.application
|
|
identifiers:
|
|
slug: homepage
|
|
attrs:
|
|
name: "Homepage"
|
|
launch_url: "@HOMEPAGE_DOMAIN@"
|
|
provider:
|
|
!Find [
|
|
authentik_providers_oauth2.oauth2provider,
|
|
[name, Homepage Provider],
|
|
]
|
|
open_in_new_tab: false
|
|
|
|
# 3. Provision the static API token linked to the user account
|
|
- model: authentik_rbac.role
|
|
state: present
|
|
identifiers:
|
|
name: homepage-viewer
|
|
attrs:
|
|
permissions:
|
|
- authentik_core.view_user
|
|
- authentik_events.view_event
|
|
|
|
- model: authentik_core.user
|
|
state: present
|
|
identifiers:
|
|
username: homepage-svc
|
|
attrs:
|
|
roles:
|
|
- !Find [authentik_rbac.role, [name, "homepage-viewer"]]
|
|
name: Homepage Service Account
|
|
path: goauthentik.io/service-accounts
|
|
is_active: true
|
|
attributes:
|
|
goauthentik.io/user/service-account: true
|
|
|
|
- model: authentik_core.token
|
|
state: present
|
|
identifiers:
|
|
identifier: homepage-token
|
|
attrs:
|
|
key: !Env HOMEPAGE_VAR_AUTHENTIK_API
|
|
user: !Find [authentik_core.user, [username, "homepage-svc"]]
|
|
intent: api
|
|
expiring: false
|