authentik: refactor oauth2 app blueprints, add group policies

roles/alpina/templates/services/authentik/blueprints/apps-oauth2.yaml.j2

@@ -5,46 +5,68 @@ metadata:
   name: Alpina - OAuth2 Apps
 entries:
   {% set apps = {
+    "Grafana": {
+      "redirect_uri": "https://grafana."~ domain ~"/login/generic_oauth",
+      "icon": "https://grafana."~ domain ~"/public/img/grafana_icon.svg",
+      "client_secret": auth_grafana_client_secret,
+      "ui_group": "Services",
+      "allowed_for_groups": ["admins"],
+    },
     "Gitea": {
-      "redirect_uris": "https://gitea."~ domain ~"/user/oauth2/Authentik/callback",
+      "redirect_uri": "https://gitea."~ domain ~"/user/oauth2/Authentik/callback",
       "icon": "https://gitea."~ domain ~"/assets/img/logo.svg",
+      "client_secret": auth_gitea_client_secret,
+      "ui_group": "Apps",
+      "allowed_for_groups": ["admins", "users"],
     },
     "Nextcloud": {
-      "redirect_uris": "https://nc."~ domain ~"/apps/sociallogin/custom_oidc/authentik",
+      "redirect_uri": "https://nc."~ domain ~"/apps/sociallogin/custom_oidc/authentik",
       "icon": "https://nc."~ domain ~"/apps/theming/favicon",
+      "client_secret": auth_nextcloud_client_secret,
+      "ui_group": "Apps",
+      "allowed_for_groups": ["admins", "users"],
     },
   } -%}
   {% for app in apps.keys() -%}
   - identifiers:
       name: {{ app }}
     model: authentik_providers_oauth2.oauth2provider
-    id: {{ app | lower }}
+    id: {{ app }}
     attrs:
-      access_code_validity: minutes=1
-      access_token_validity: minutes=5
       authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+      invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
       client_type: confidential
-      issuer_mode: per_provider
-      sub_mode: hashed_user_id
+      client_id: {{ app | lower }}
+      client_secret: {{ apps[app]["client_secret"] }}
       property_mappings:
         - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
         - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
         - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
-      redirect_uris: {{ apps[app]["redirect_uris"] }}
-      refresh_token_validity: days=30
+      redirect_uris:
+        - matching_mode: strict
+          url: {{ apps[app]["redirect_uri"] }}
       signing_key: !Find [authentik_crypto.certificatekeypair, [name, "authentik Self-signed Certificate"]]
 
   - identifiers:
       slug: {{ app | lower }}
     model: authentik_core.application
-    id: {{ app | lower }}
+    id: app-{{ app }}
     attrs:
       name: {{ app }}
-      group: "Apps"
+      group: "{{ apps[app]["ui_group"] }}"
       meta_description: "Hello, I'm {{ app }}!"
       meta_publisher: Alpina
       icon: "{{ apps[app]["icon"] }}"
       open_in_new_tab: true
-      policy_engine_mode: any
-      provider: !KeyOf {{ app | lower }}
+      provider: !KeyOf {{ app }}
+
+  {% for group in apps[app]["allowed_for_groups"] -%}
+  - identifiers:
+      group: !Find [authentik_core.group, [name, {{ group }}]]
+      target: !KeyOf app-{{ app }}
+    model: authentik_policies.policybinding
+    attrs:
+      order: 10
+  {% endfor %}
+
   {% endfor %}

roles/alpina/templates/services/authentik/blueprints/services-oauth2.yaml.j2

@@ -1,56 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: Alpina - OAuth2 Services
-entries:
-  {% set apps = {
-    "Grafana": {
-      "redirect_uris": "https://grafana."~ domain ~"/login/generic_oauth",
-      "icon": "https://grafana."~ domain ~"/public/img/grafana_icon.svg",
-      "client_secret": auth_grafana_client_secret,
-    },
-  } -%}
-  # TODO: Add Minio
-
-  {% for app in apps.keys() -%}
-  - identifiers:
-      name: {{ app }}
-    model: authentik_providers_oauth2.oauth2provider
-    id: {{ app | lower }}
-    attrs:
-      authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-      client_type: confidential
-      client_id: {{ app | lower }}
-      client_secret: {{ apps[app]["client_secret"] }}
-      property_mappings:
-        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
-        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
-        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
-      redirect_uris: {{ apps[app]["redirect_uris"] }}
-
-  - identifiers:
-      slug: {{ app | lower }}
-    model: authentik_core.application
-    attrs:
-      name: {{ app }}
-      group: "Services"
-      meta_description: "Hello, I'm {{ app }}!"
-      meta_publisher: Alpina
-      icon: "{{ apps[app]["icon"] }}"
-      open_in_new_tab: true
-      provider: !KeyOf {{ app | lower }}
-
-  - identifiers:
-      name: "{{ app }} Admins"
-    model: authentik_core.group
-    id: "{{ app }} Admins"
-
-  - identifiers:
-      group: !KeyOf "{{ app }} Admins"
-      target: !Find [authentik_core.application, [slug, {{ app | lower }}]]
-    model: authentik_policies.policybinding
-    attrs:
-      order: 0
-
-  {% endfor %}