diff --git a/authentik/blueprints/kaboot-setup-production.yaml.example b/authentik/blueprints/kaboot-setup-production.yaml.example index ae1f17a..517206c 100644 --- a/authentik/blueprints/kaboot-setup-production.yaml.example +++ b/authentik/blueprints/kaboot-setup-production.yaml.example @@ -22,6 +22,58 @@ context: auth_domain: auth.example.com entries: + # ═══════════════════════════════════════════════════════════════════════════════ + # CUSTOM INVALIDATION FLOW (must be defined before brand that references it) + # ═══════════════════════════════════════════════════════════════════════════════ + + - id: kaboot-logout-stage + model: authentik_stages_user_logout.userlogoutstage + identifiers: + name: kaboot-logout + attrs: + name: kaboot-logout + + - id: kaboot-redirect-stage + model: authentik_stages_redirect.redirectstage + identifiers: + name: kaboot-redirect-to-app + attrs: + name: kaboot-redirect-to-app + mode: static + target_static: !Format ["https://%s", !Context kaboot_domain] + + - id: kaboot-invalidation-flow + model: authentik_flows.flow + identifiers: + slug: kaboot-invalidation-flow + attrs: + name: Kaboot Logout Flow + title: Logging out... + slug: kaboot-invalidation-flow + designation: invalidation + authentication: none + background: /media/branding/background.svg + + - id: kaboot-invalidation-logout-binding + model: authentik_flows.flowstagebinding + identifiers: + target: !KeyOf kaboot-invalidation-flow + stage: !KeyOf kaboot-logout-stage + attrs: + order: 0 + evaluate_on_plan: true + re_evaluate_policies: false + + - id: kaboot-invalidation-redirect-binding + model: authentik_flows.flowstagebinding + identifiers: + target: !KeyOf kaboot-invalidation-flow + stage: !KeyOf kaboot-redirect-stage + attrs: + order: 10 + evaluate_on_plan: true + re_evaluate_policies: false + # ═══════════════════════════════════════════════════════════════════════════════ # BRANDING # ═══════════════════════════════════════════════════════════════════════════════ 
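Review bot: The `kaboot-redirect-stage` entry builds `target_static` from `!Context kaboot_domain` with nothing stating what form that value must take, so a value that carries a scheme or a path would yield a malformed post-logout URL. I would add a comment above `mode: static`, for example `# kaboot_domain must be a bare hostname; static mode keeps the post-logout target fixed rather than request-supplied`. The definition of `kaboot_domain` is not visible in this hunk, so confirm it sits in the `context:` block next to `auth_domain`. The section banner should also record that `kaboot-invalidation-flow` runs with `authentication: none` and logs the user out at order 0 without a confirmation step, since later hunks in this commit wire the same flow into both the brand and the OAuth2 provider.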
@@ -37,7 +89,7 @@ entries: branding_logo: /media/branding/logo.svg branding_favicon: /media/branding/logo.svg flow_authentication: !Find [authentik_flows.flow, [slug, default-authentication-flow]] - flow_invalidation: !Find [authentik_flows.flow, [slug, default-invalidation-flow]] + flow_invalidation: !KeyOf kaboot-invalidation-flow flow_user_settings: !Find [authentik_flows.flow, [slug, default-user-settings-flow]] default_application: !Find [authentik_core.application, [slug, kaboot]] attributes: @@ -143,13 +195,6 @@ entries: title: Welcome to Kaboot! background: /media/branding/background.svg - - id: update-invalidation-flow-background - model: authentik_flows.flow - identifiers: - slug: default-invalidation-flow - attrs: - background: /media/branding/background.svg - - id: update-authorization-flow-background model: authentik_flows.flow identifiers: @@ -204,7 +249,8 @@ entries: attrs: name: Kaboot OAuth2 authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] - invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]] + invalidation_flow: !KeyOf kaboot-invalidation-flow + signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Internal JWT Certificate]] client_type: public client_id: kaboot-spa redirect_uris: diff --git a/authentik/blueprints/kaboot-setup.yaml b/authentik/blueprints/kaboot-setup.yaml index 2c43693..6dc4cd9 100644 --- a/authentik/blueprints/kaboot-setup.yaml +++ b/authentik/blueprints/kaboot-setup.yaml @@ -231,6 +231,7 @@ entries: name: Kaboot OAuth2 authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]] + signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Internal JWT Certificate]] client_type: public client_id: kaboot-spa redirect_uris:
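Review bot: The added `signing_key` line in the `Kaboot OAuth2` provider hunk looks the keypair up by its display name, so if `authentik Internal JWT Certificate` is absent or renamed when the blueprint is applied, the `!Find` presumably resolves to nothing and the provider is left without an asymmetric signing key. That matters for a `client_type: public` client because, as far as I know, authentik then falls back to signing with the client secret. A comment such as `# asymmetric signing key: kaboot-spa is a public client and holds no shared secret` would record the intent, and the setup notes should say to confirm the key is set after the blueprint applies. The same line is added in the `kaboot-setup.yaml` hunk further down and the same remark applies there. Separately, `invalidation_flow` in this hunk now points at a flow containing a user logout stage, so a provider-initiated logout appears to end the whole authentik session rather than only the application's; say so in a comment if that is intended.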
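Review bot: The `kaboot-setup.yaml` hunk leaves `invalidation_flow` on `default-provider-invalidation-flow` while the production example in this same commit moves to `kaboot-invalidation-flow`, so the logout path that production uses is never exercised in the development setup. If the split is deliberate, mark it on that line, e.g. `# dev keeps the default provider invalidation flow; production uses kaboot-invalidation-flow`; otherwise mirror the flow, stages and bindings here. Only the provider entry is visible in this hunk, so whether the development brand still uses `default-invalidation-flow` cannot be checked from here.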