authentik: refactor oauth apps blueprints with group policies

This commit is contained in:
Yuri Tatishchev 2024-12-20 21:51:20 -08:00
parent ee24d69906
commit 1be4868f09
Signed by: CaZzzer
GPG Key ID: E0EBF441EA424369


@ -9,26 +9,29 @@ entries:
"redirect_uri": "https://grafana."~ domain ~"/login/generic_oauth", "redirect_uri": "https://grafana."~ domain ~"/login/generic_oauth",
"icon": "https://grafana."~ domain ~"/public/img/grafana_icon.svg", "icon": "https://grafana."~ domain ~"/public/img/grafana_icon.svg",
"client_secret": auth_grafana_client_secret, "client_secret": auth_grafana_client_secret,
"group": "Services", "ui_group": "Services",
"allowed_for_groups": ["admins"],
}, },
"Gitea": { "Gitea": {
"redirect_uri": "https://gitea."~ domain ~"/user/oauth2/Authentik/callback", "redirect_uri": "https://gitea."~ domain ~"/user/oauth2/Authentik/callback",
"icon": "https://gitea."~ domain ~"/assets/img/logo.svg", "icon": "https://gitea."~ domain ~"/assets/img/logo.svg",
"client_secret": auth_gitea_client_secret, "client_secret": auth_gitea_client_secret,
"group": "Apps", "ui_group": "Apps",
"allowed_for_groups": ["admins", "users"],
}, },
"Nextcloud": { "Nextcloud": {
"redirect_uri": "https://nc."~ domain ~"/apps/sociallogin/custom_oidc/authentik", "redirect_uri": "https://nc."~ domain ~"/apps/sociallogin/custom_oidc/authentik",
"icon": "https://nc."~ domain ~"/apps/theming/favicon", "icon": "https://nc."~ domain ~"/apps/theming/favicon",
"client_secret": auth_nextcloud_client_secret, "client_secret": auth_nextcloud_client_secret,
"group": "Apps", "ui_group": "Apps",
"allowed_for_groups": ["admins", "users"],
}, },
} -%} } -%}
{% for app in apps.keys() -%} {% for app in apps.keys() -%}
- identifiers: - identifiers:
name: {{ app }} name: {{ app }}
model: authentik_providers_oauth2.oauth2provider model: authentik_providers_oauth2.oauth2provider
id: {{ app | lower }} id: {{ app }}
attrs: attrs:
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]] invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
@ -46,13 +49,23 @@ entries:
- identifiers: - identifiers:
slug: {{ app | lower }} slug: {{ app | lower }}
model: authentik_core.application model: authentik_core.application
id: app-{{ app }}
attrs: attrs:
name: {{ app }} name: {{ app }}
group: "{{ apps[app]["group"] }}" group: "{{ apps[app]["ui_group"] }}"
meta_description: "Hello, I'm {{ app }}!" meta_description: "Hello, I'm {{ app }}!"
meta_publisher: Alpina meta_publisher: Alpina
icon: "{{ apps[app]["icon"] }}" icon: "{{ apps[app]["icon"] }}"
open_in_new_tab: true open_in_new_tab: true
provider: !KeyOf {{ app | lower }} provider: !KeyOf {{ app }}
{% for group in apps[app]["allowed_for_groups"] -%}
- identifiers:
group: !Find [authentik_core.group, [name, {{ group }}]]
target: !KeyOf app-{{ app }}
model: authentik_policies.policybinding
attrs:
order: 10
{% endfor %}
{% endfor %} {% endfor %}
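Review bot: The group name is interpolated unquoted into a YAML flow sequence at `group: !Find [authentik_core.group, [name, {{ group }}]]`, so a group whose name contains a flow indicator such as a comma, a colon or a bracket would change the structure of the `!Find` arguments instead of being looked up; quoting it, `group: !Find [authentik_core.group, [name, "{{ group }}"]]`, keeps the lookup intact for any name. An app whose `allowed_for_groups` list is empty yields no `policybinding` entries at all, which, if authentik's default of "no bindings means accessible to every authenticated user" applies here, silently leaves that application unrestricted while the other apps are locked down; a comment on the `allowed_for_groups` keys, or a template assertion that the list is non-empty, would make that intent explicit. If a listed group does not exist, the `!Find` presumably resolves to nothing and the binding is created without a group or rejected at apply time — worth confirming against the blueprint loader. The `apps` mapping that feeds both loops begins before the first hunk.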