Fix flow

authentik/blueprints/kaboot-setup-production.yaml.example

@@ -22,6 +22,58 @@ context:
   auth_domain: auth.example.com
 
 entries:
+  # ═══════════════════════════════════════════════════════════════════════════════
+  # CUSTOM INVALIDATION FLOW (must be defined before brand that references it)
+  # ═══════════════════════════════════════════════════════════════════════════════
+
+  - id: kaboot-logout-stage
+    model: authentik_stages_user_logout.userlogoutstage
+    identifiers:
+      name: kaboot-logout
+    attrs:
+      name: kaboot-logout
+
+  - id: kaboot-redirect-stage
+    model: authentik_stages_redirect.redirectstage
+    identifiers:
+      name: kaboot-redirect-to-app
+    attrs:
+      name: kaboot-redirect-to-app
+      mode: static
+      target_static: !Format ["https://%s", !Context kaboot_domain]
+
+  - id: kaboot-invalidation-flow
+    model: authentik_flows.flow
+    identifiers:
+      slug: kaboot-invalidation-flow
+    attrs:
+      name: Kaboot Logout Flow
+      title: Logging out...
+      slug: kaboot-invalidation-flow
+      designation: invalidation
+      authentication: none
+      background: /media/branding/background.svg
+
+  - id: kaboot-invalidation-logout-binding
+    model: authentik_flows.flowstagebinding
+    identifiers:
+      target: !KeyOf kaboot-invalidation-flow
+      stage: !KeyOf kaboot-logout-stage
+    attrs:
+      order: 0
+      evaluate_on_plan: true
+      re_evaluate_policies: false
+
+  - id: kaboot-invalidation-redirect-binding
+    model: authentik_flows.flowstagebinding
+    identifiers:
+      target: !KeyOf kaboot-invalidation-flow
+      stage: !KeyOf kaboot-redirect-stage
+    attrs:
+      order: 10
+      evaluate_on_plan: true
+      re_evaluate_policies: false
+
   # ═══════════════════════════════════════════════════════════════════════════════
   # BRANDING
   # ═══════════════════════════════════════════════════════════════════════════════
@@ -37,7 +89,7 @@ entries:
       branding_logo: /media/branding/logo.svg
       branding_favicon: /media/branding/logo.svg
       flow_authentication: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
-      flow_invalidation: !Find [authentik_flows.flow, [slug, default-invalidation-flow]]
+      flow_invalidation: !KeyOf kaboot-invalidation-flow
       flow_user_settings: !Find [authentik_flows.flow, [slug, default-user-settings-flow]]
       default_application: !Find [authentik_core.application, [slug, kaboot]]
       attributes:
@@ -143,13 +195,6 @@ entries:
       title: Welcome to Kaboot!
       background: /media/branding/background.svg
 
-  - id: update-invalidation-flow-background
-    model: authentik_flows.flow
-    identifiers:
-      slug: default-invalidation-flow
-    attrs:
-      background: /media/branding/background.svg
-
   - id: update-authorization-flow-background
     model: authentik_flows.flow
     identifiers:
@@ -204,7 +249,8 @@ entries:
     attrs:
       name: Kaboot OAuth2
       authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
-      invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+      invalidation_flow: !KeyOf kaboot-invalidation-flow
+      signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Internal JWT Certificate]]
       client_type: public
       client_id: kaboot-spa
       redirect_uris:

authentik/blueprints/kaboot-setup.yaml

@@ -231,6 +231,7 @@ entries:
       name: Kaboot OAuth2
       authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
       invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+      signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Internal JWT Certificate]]
       client_type: public
       client_id: kaboot-spa
       redirect_uris: