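# yaml-language-server: $schema=https://goauthentik.io/blueprints/schema.json
#
# Jinja template for an authentik blueprint that creates one Microsoft Entra ID
# OAuth source per `item`. Render the template first, then apply the result.
#
# Template inputs read from `item`:
#   slug               source slug; also used in the blueprint name and entry id
#   name               display name (default: 'Microsoft Entra ID')
#   client_id_env      NAME of the env var holding the application (client) id
#   client_secret_env  NAME of the env var holding the client secret
#   scopes             list of scopes (default: openid, profile, email)
#   tenant_mode        'single' (default) pins one tenant; any other value
#                      selects the shared `common` endpoints
#   tenant_id_env      NAME of the env var holding the tenant id (single mode)
#
# Only env var NAMES are rendered into this file. The values are looked up by
# the !Env tag when authentik applies the blueprint, so the client secret stays
# out of the rendered YAML as long as the *_env inputs really are names.
#
# Templated string values are quoted so that a slug or scope that looks like a
# number, boolean or null (or expands to nothing) is still loaded as a string.
version: 1
metadata:
  name: "source-entra-{{ item.slug }}"
  labels:
    blueprints.goauthentik.io/instantiate: "true"
    blueprints.goauthentik.io/description: "Microsoft Entra ID OAuth source ({{ item.slug }})"
entries:
  - model: authentik_sources_oauth.oauthsource
    id: "source-entra-{{ item.slug }}"
    identifiers:
      slug: "{{ item.slug }}"
    attrs:
      name: "{{ item.name | default('Microsoft Entra ID') }}"
      slug: "{{ item.slug }}"
      # authentik's OAuth sources support vendor-specific types; the Entra
      # guide calls this one "Entra ID OAuth Source".
      provider_type: entraid
      consumer_key: !Env {{ item.client_id_env }}
      consumer_secret: !Env {{ item.client_secret_env }}
      # NOTE(review): confirm that the OAuth source serializer of the targeted
      # authentik version accepts a `scopes` list. The model field for extra
      # scopes is `additional_scopes` (a single string) - TODO verify that the
      # requested scopes actually reach the authorization request.
      scopes:
{% for s in (item.scopes | default(['openid','profile','email'])) %}
        - "{{ s }}"
{% endfor %}
{% if (item.tenant_mode | default('single')) == 'single' %}
      # Single-tenant: every endpoint is pinned to the tenant id read from the
      # environment. NOTE(review): confirm what !Env yields when the variable is
      # missing; a missing tenant id should fail the deployment instead of
      # producing endpoint URLs with a placeholder tenant segment.
      authorization_url: !Format ["https://login.microsoftonline.com/%s/oauth2/v2.0/authorize", !Env {{ item.tenant_id_env }}]
      access_token_url: !Format ["https://login.microsoftonline.com/%s/oauth2/v2.0/token", !Env {{ item.tenant_id_env }}]
      profile_url: "https://graph.microsoft.com/v1.0/me"
      oidc_jwks_url: !Format ["https://login.microsoftonline.com/%s/discovery/v2.0/keys", !Env {{ item.tenant_id_env }}]
{% else %}
      # Multi-tenant: the `common` endpoints accept sign-ins from any Entra
      # tenant and from personal Microsoft accounts. Nothing in this blueprint
      # limits which tenants may log in or enroll, so pair this mode with an
      # authentik policy bound to the source's flows (for example an allow-list
      # on the token's `tid` claim), or use single-tenant mode.
      authorization_url: "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
      access_token_url: "https://login.microsoftonline.com/common/oauth2/v2.0/token"
      profile_url: "https://graph.microsoft.com/v1.0/me"
      oidc_jwks_url: "https://login.microsoftonline.com/common/discovery/v2.0/keys"
{% endif %}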