From 14b65a272259cb54b07a6bbe60705dbd1b9ce62f Mon Sep 17 00:00:00 2001
From: Joey Yakimowich-Payne
Date: Thu, 15 Jan 2026 18:55:09 -0700
Subject: [PATCH 1/2] Fix groups
---
 authentik/blueprints/kaboot-setup-production.yaml.example | 1 +
 authentik/blueprints/kaboot-setup.yaml | 1 +
 2 files changed, 2 insertions(+)
diff --git a/authentik/blueprints/kaboot-setup-production.yaml.example b/authentik/blueprints/kaboot-setup-production.yaml.example
index ae1f17a..7b11e1b 100644
--- a/authentik/blueprints/kaboot-setup-production.yaml.example
+++ b/authentik/blueprints/kaboot-setup-production.yaml.example
@@ -205,6 +205,7 @@ entries:
 name: Kaboot OAuth2
 authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
 invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+ signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Internal JWT Certificate]]
 client_type: public
 client_id: kaboot-spa
 redirect_uris:
diff --git a/authentik/blueprints/kaboot-setup.yaml b/authentik/blueprints/kaboot-setup.yaml
index 2c43693..6dc4cd9 100644
--- a/authentik/blueprints/kaboot-setup.yaml
+++ b/authentik/blueprints/kaboot-setup.yaml
@@ -231,6 +231,7 @@ entries:
 name: Kaboot OAuth2
 authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
 invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+ signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Internal JWT Certificate]]
 client_type: public
 client_id: kaboot-spa
 redirect_uris:
From 7faf459e3cf8c811e984a9e4596f7a84672d25ba Mon Sep 17 00:00:00 2001
From: Joey Yakimowich-Payne
Date: Thu, 15 Jan 2026 19:14:30 -0700
Subject: [PATCH 2/2] Fix flow
---
 .../kaboot-setup-production.yaml.example | 63 ++++++++++++++++---
 1 file changed, 54 insertions(+), 9 deletions(-)
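Review bot: The added `signing_key` line resolves the keypair by display name through `!Find`, and nothing in the hunk covers the case where no keypair with that name exists on the target instance. As far as I know authentik resolves an unmatched `!Find` to null and a provider without a signing key signs tokens with HS256 and the client secret, which does not fit `client_type: public`, so it is worth confirming the blueprint fails visibly in that case. The name also looks like authentik's own managed JWT keypair; a dedicated keypair for Kaboot would keep rotation of one from affecting the other. I would add a comment above the line, for example `# asymmetric signing key; must exist before apply, otherwise tokens fall back to HS256`, and note that the subject "Fix groups" does not mention signing. The same applies to the identical hunk in `kaboot-setup.yaml`; the provider entry starts above both hunks and continues past `redirect_uris:`.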
diff --git a/authentik/blueprints/kaboot-setup-production.yaml.example b/authentik/blueprints/kaboot-setup-production.yaml.example
index 7b11e1b..517206c 100644
--- a/authentik/blueprints/kaboot-setup-production.yaml.example
+++ b/authentik/blueprints/kaboot-setup-production.yaml.example
@@ -22,6 +22,58 @@ context:
 auth_domain: auth.example.com
 entries:
+ # ═══════════════════════════════════════════════════════════════════════════════
+ # CUSTOM INVALIDATION FLOW (must be defined before brand that references it)
+ # ═══════════════════════════════════════════════════════════════════════════════
+
+ - id: kaboot-logout-stage
+ model: authentik_stages_user_logout.userlogoutstage
+ identifiers:
+ name: kaboot-logout
+ attrs:
+ name: kaboot-logout
+
+ - id: kaboot-redirect-stage
+ model: authentik_stages_redirect.redirectstage
+ identifiers:
+ name: kaboot-redirect-to-app
+ attrs:
+ name: kaboot-redirect-to-app
+ mode: static
+ target_static: !Format ["https://%s", !Context kaboot_domain]
+
+ - id: kaboot-invalidation-flow
+ model: authentik_flows.flow
+ identifiers:
+ slug: kaboot-invalidation-flow
+ attrs:
+ name: Kaboot Logout Flow
+ title: Logging out...
+ slug: kaboot-invalidation-flow
+ designation: invalidation
+ authentication: none
+ background: /media/branding/background.svg
+
+ - id: kaboot-invalidation-logout-binding
+ model: authentik_flows.flowstagebinding
+ identifiers:
+ target: !KeyOf kaboot-invalidation-flow
+ stage: !KeyOf kaboot-logout-stage
+ attrs:
+ order: 0
+ evaluate_on_plan: true
+ re_evaluate_policies: false
+
+ - id: kaboot-invalidation-redirect-binding
+ model: authentik_flows.flowstagebinding
+ identifiers:
+ target: !KeyOf kaboot-invalidation-flow
+ stage: !KeyOf kaboot-redirect-stage
+ attrs:
+ order: 10
+ evaluate_on_plan: true
+ re_evaluate_policies: false
+
 # ═══════════════════════════════════════════════════════════════════════════════
 # BRANDING
 # ═══════════════════════════════════════════════════════════════════════════════
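Review bot: `target_static` in `kaboot-redirect-stage` is built from `!Context kaboot_domain`, but the only context key visible in this hunk is `auth_domain`, so confirm `kaboot_domain` is defined in the `context:` block that starts above the hunk; if it is unset the post-logout redirect would point at a malformed host. Keeping the redirect in `mode: static` is the right choice, since the target then cannot be influenced by a request parameter. The flow runs with `authentication: none` and the logout stage at `order: 0`, so a plain navigation to the flow URL ends the session without confirmation; that may well be intended, and a short comment such as `# authentication: none so an already-expired session still reaches the redirect` would record the decision. I believe the redirect stage model only exists in fairly recent authentik releases, so a minimum-version note in the file header would help operators whose instance would otherwise reject the whole blueprint.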
@@ -37,7 +89,7 @@ entries:
 branding_logo: /media/branding/logo.svg
 branding_favicon: /media/branding/logo.svg
 flow_authentication: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
- flow_invalidation: !Find [authentik_flows.flow, [slug, default-invalidation-flow]]
+ flow_invalidation: !KeyOf kaboot-invalidation-flow
 flow_user_settings: !Find [authentik_flows.flow, [slug, default-user-settings-flow]]
 default_application: !Find [authentik_core.application, [slug, kaboot]]
 attributes:
@@ -143,13 +195,6 @@ entries:
 title: Welcome to Kaboot!
 background: /media/branding/background.svg
- - id: update-invalidation-flow-background
- model: authentik_flows.flow
- identifiers:
- slug: default-invalidation-flow
- attrs:
- background: /media/branding/background.svg
-
 - id: update-authorization-flow-background
 model: authentik_flows.flow
 identifiers:
@@ -204,7 +249,7 @@ entries:
 attrs:
 name: Kaboot OAuth2
 authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
- invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+ invalidation_flow: !KeyOf kaboot-invalidation-flow
 signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Internal JWT Certificate]]
 client_type: public
 client_id: kaboot-spa
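Review bot: Pointing the provider's `invalidation_flow` (last hunk) at `kaboot-invalidation-flow` means a logout started from Kaboot now runs the user-logout stage, which presumably ends the whole authentik session rather than only the Kaboot one; confirm that is intended if other applications share this instance. The brand-level `flow_invalidation` change in the first hunk has the matching effect that every logout under this brand is redirected to the Kaboot domain. Per the diffstat only the production example was changed, so `kaboot-setup.yaml` still references `default-provider-invalidation-flow` and the development and production logout paths now differ; either port the flow or add a comment such as `# production-only: custom logout flow, see kaboot-invalidation-flow`. The provider and brand entries both start above their hunks, so other attributes that interact with logout are not visible here.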