Update compose

authentik/blueprints/kaboot-setup-production.yaml.example

@@ -22,6 +22,147 @@ context:
   auth_domain: auth.example.com
 
 entries:
+  # ═══════════════════════════════════════════════════════════════════════════════
+  # BRANDING
+  # ═══════════════════════════════════════════════════════════════════════════════
+
+  - id: kaboot-brand
+    model: authentik_brands.brand
+    identifiers:
+      domain: !Context auth_domain
+    attrs:
+      domain: !Context auth_domain
+      default: false
+      branding_title: Kaboot
+      branding_logo: /media/branding/logo.svg
+      branding_favicon: /media/branding/logo.svg
+      flow_authentication: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
+      flow_invalidation: !Find [authentik_flows.flow, [slug, default-invalidation-flow]]
+      flow_user_settings: !Find [authentik_flows.flow, [slug, default-user-settings-flow]]
+      attributes:
+        settings:
+          theme:
+            base: light
+          css: |
+            :root {
+              --ak-accent: #2563eb;
+              --ak-primary: #2563eb;
+              --ak-primary-dark: #1e40af;
+              --ak-primary-light: #60a5fa;
+              --ak-error: #ef4444;
+              --ak-success: #22c55e;
+              --pf-global--FontFamily--sans-serif: "Inter", system-ui, -apple-system, sans-serif;
+            }
+            body {
+              background-color: #2563eb !important;
+            }
+            .pf-c-login__main {
+              background-color: #ffffff !important;
+              border-radius: 2rem !important;
+              box-shadow: 0 10px 0 rgba(0,0,0,0.1) !important;
+              padding: 3rem !important;
+              max-width: 500px !important;
+              margin: 0 auto;
+            }
+            .pf-c-form-control {
+              border: 2px solid #e5e7eb !important;
+              border-radius: 1rem !important;
+              padding: 0.75rem 1rem !important;
+              font-weight: 600 !important;
+              color: #333 !important;
+              font-size: 1rem !important;
+              box-shadow: none !important;
+              transition: all 0.2s ease !important;
+            }
+            .pf-c-form-control:focus {
+              border-color: #2563eb !important;
+              outline: none !important;
+            }
+            .pf-c-button.pf-m-primary {
+              background-color: #333333 !important;
+              color: #ffffff !important;
+              border: none !important;
+              border-radius: 1rem !important;
+              padding: 0.75rem 1.5rem !important;
+              font-weight: 800 !important;
+              font-size: 1.1rem !important;
+              box-shadow: 0 6px 0 #000000 !important;
+              transform: translateY(0) !important;
+              transition: all 0.1s ease !important;
+              text-transform: uppercase !important;
+              letter-spacing: 0.05em !important;
+            }
+            .pf-c-button.pf-m-primary:hover {
+              background-color: #1a1a1a !important;
+            }
+            .pf-c-button.pf-m-primary:active {
+              transform: translateY(6px) !important;
+              box-shadow: none !important;
+            }
+            .pf-c-button.pf-m-secondary, .pf-c-button.pf-m-link {
+              color: #2563eb !important;
+              font-weight: 600 !important;
+            }
+            .pf-c-title {
+              font-weight: 900 !important;
+              color: #111827 !important;
+              text-align: center !important;
+              margin-bottom: 1.5rem !important;
+            }
+            .pf-c-brand {
+              filter: drop-shadow(0 4px 6px rgba(0,0,0,0.1));
+            }
+            .pf-c-alert {
+              border-radius: 1rem !important;
+              border: 2px solid transparent !important;
+              box-shadow: 0 4px 0 rgba(0,0,0,0.05) !important;
+            }
+            .pf-c-alert.pf-m-danger {
+              background-color: #fef2f2 !important;
+              border-color: #fca5a5 !important;
+              color: #991b1b !important;
+            }
+            .pf-c-login__main-footer-links-item-link {
+                color: #6b7280 !important;
+                font-weight: 500 !important;
+            }
+            .pf-c-background-image {
+              display: none !important;
+            }
+
+  # ═══════════════════════════════════════════════════════════════════════════════
+  # FLOW BACKGROUNDS
+  # ═══════════════════════════════════════════════════════════════════════════════
+
+  - id: update-authentication-flow-background
+    model: authentik_flows.flow
+    identifiers:
+      slug: default-authentication-flow
+    attrs:
+      title: Welcome to Kaboot!
+      background: /media/branding/background.svg
+
+  - id: update-invalidation-flow-background
+    model: authentik_flows.flow
+    identifiers:
+      slug: default-invalidation-flow
+    attrs:
+      background: /media/branding/background.svg
+
+  - id: update-authorization-flow-background
+    model: authentik_flows.flow
+    identifiers:
+      slug: default-provider-authorization-implicit-consent
+    attrs:
+      background: /media/branding/background.svg
+
+  - id: update-enrollment-flow-background
+    model: authentik_flows.flow
+    identifiers:
+      slug: enrollment-flow
+    attrs:
+      background: /media/branding/background.svg
+
   # ═══════════════════════════════════════════════════════════════════════════════
   # GROUPS
   # ═══════════════════════════════════════════════════════════════════════════════
@@ -33,6 +174,28 @@ entries:
     attrs:
       name: kaboot-users
 
+  - id: kaboot-ai-access-group
+    model: authentik_core.group
+    identifiers:
+      name: kaboot-ai-access
+    attrs:
+      name: kaboot-ai-access
+
+  # ═══════════════════════════════════════════════════════════════════════════════
+  # GROUPS SCOPE MAPPING
+  # ═══════════════════════════════════════════════════════════════════════════════
+
+  - id: groups-scope-mapping
+    model: authentik_providers_oauth2.scopemapping
+    identifiers:
+      managed: goauthentik.io/providers/oauth2/scope-kaboot-groups
+    attrs:
+      name: "Kaboot Groups Scope"
+      scope_name: groups
+      description: "Include user groups in the token"
+      expression: |
+        return [group.name for group in user.ak_groups.all()]
+
   # ═══════════════════════════════════════════════════════════════════════════════
   # OAUTH2/OIDC PROVIDER
   # ═══════════════════════════════════════════════════════════════════════════════
@@ -65,6 +228,7 @@ entries:
         - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
         - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
         - !Find [authentik_providers_oauth2.scopemapping, [scope_name, offline_access]]
+        - !KeyOf groups-scope-mapping
 
   # ═══════════════════════════════════════════════════════════════════════════════
   # APPLICATION

authentik/blueprints/kaboot-setup.yaml

@@ -203,6 +203,21 @@ entries:
     attrs:
       name: kaboot-ai-access
 
+  # ═══════════════════════════════════════════════════════════════════════════════
+  # GROUPS SCOPE MAPPING
+  # ═══════════════════════════════════════════════════════════════════════════════
+
+  - id: groups-scope-mapping
+    model: authentik_providers_oauth2.scopemapping
+    identifiers:
+      managed: goauthentik.io/providers/oauth2/scope-kaboot-groups
+    attrs:
+      name: "Kaboot Groups Scope"
+      scope_name: groups
+      description: "Include user groups in the token"
+      expression: |
+        return [group.name for group in user.ak_groups.all()]
+
   # ═══════════════════════════════════════════════════════════════════════════════
   # OAUTH2/OIDC PROVIDER
   # ═══════════════════════════════════════════════════════════════════════════════
@@ -235,6 +250,7 @@ entries:
         - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
         - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
         - !Find [authentik_providers_oauth2.scopemapping, [scope_name, offline_access]]
+        - !KeyOf groups-scope-mapping
 
   # ═══════════════════════════════════════════════════════════════════════════════
   # APPLICATION