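# yaml-language-server: $schema=https://goauthentik.io/blueprints/schema.json
#
# Jinja-templated authentik blueprint: one OIDC provider plus the application
# that fronts it, rendered once per `item`.  Keys read from `item`: slug,
# client_id_env, client_secret_env, redirect_uris; optional: name, scopes,
# flows.authorization_slug, flows.invalidation_slug, signing_key_name.
#
# The rendered text is parsed as YAML, so every templated scalar is
# double-quoted: an unquoted slug such as `on` or `1.10` would otherwise be
# retyped to a boolean/float.  Values that themselves contain a double quote
# are not escaped here — TODO confirm none do before relying on this.
{% set flows = item.flows | default({}) %}
version: 1
metadata:
  name: "oidc-{{ item.slug }}"
  labels:
    blueprints.goauthentik.io/instantiate: "true"
    blueprints.goauthentik.io/description: "OIDC provider + application for {{ item.slug }}"
entries:
  - model: authentik_providers_oauth2.oauth2provider
    id: "oidc-provider-{{ item.slug }}"
    identifiers:
      name: "{{ item.slug }}"
    attrs:
      name: "{{ item.slug }}"
      client_type: confidential
      # Credentials are read from the named environment variables when the
      # blueprint is applied (!Env), so the secret itself never appears in the
      # rendered file.
      client_id: !Env "{{ item.client_id_env }}"
      client_secret: !Env "{{ item.client_secret_env }}"
      # An empty list renders as an explicit `[]`; a bare `redirect_uris:`
      # would be parsed as null rather than "no redirect URIs".
      redirect_uris: {% if not item.redirect_uris %}[]{% endif %}
        {% for ru in item.redirect_uris %}
        - url: "{{ ru.url }}"
          # `strict` is an exact match; widen to `regex` only deliberately,
          # since a loose pattern weakens the redirect-URI check.
          matching_mode: "{{ ru.matching_mode | default('strict') }}"
        {% endfor %}
      # `flows` defaults to {} above so a missing `item.flows` still falls
      # through to the authentik default flow slugs instead of failing.
      authorization_flow: !Find [authentik_flows.flow, [slug, "{{ flows.authorization_slug | default('default-provider-authorization-implicit-consent') }}"]]
      invalidation_flow: !Find [authentik_flows.flow, [slug, "{{ flows.invalidation_slug | default('default-provider-invalidation-flow') }}"]]
      # Scope mappings are resolved by scope_name.  A scope with no matching
      # mapping gives !Find nothing to return — TODO confirm whether authentik
      # rejects the blueprint or silently drops that entry.
      property_mappings:
        {% for s in (item.scopes | default(['openid', 'email', 'profile', 'offline_access'])) %}
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "{{ s }}"]]
        {% endfor %}
      signing_key: !Find [authentik_crypto.certificatekeypair, [name, "{{ item.signing_key_name | default('authentik Self-signed Certificate') }}"]]
  - model: authentik_core.application
    id: "app-{{ item.slug }}"
    identifiers:
      slug: "{{ item.slug }}"
    attrs:
      name: "{{ item.name | default(item.slug) }}"
      slug: "{{ item.slug }}"
      # Binds the application to the provider entry above by its blueprint id;
      # the two id strings must stay identical.
      provider: !KeyOf "oidc-provider-{{ item.slug }}"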