Enhance Authentik role in noble cluster setup by adding support for resolving OAuth2 flow, signing key, and scope mapping UUIDs from the worker database, improving API access under 2026+ RBAC. Update README with troubleshooting steps for common OAuth2 provider issues and adjust default variables for better configuration management. Ensure seamless integration with oauth2-proxy by allowing unverified email handling in development environments.

ansible/roles/noble_authentik/files/resolve_oauth_flow_pks.py

@@ -0,0 +1,23 @@
+# Run inside the Authentik worker image: `ak shell -c "exec(open('/tmp/...').read())"`.
+# Prints two lines: authorization flow UUID, invalidation flow UUID (for configure_authentik.py).
+from authentik.flows.models import Flow
+
+
+def _pk(slug: str) -> str:
+    return str(Flow.objects.get(slug=slug).pk)
+
+
+def main() -> None:
+    auth = _pk("default-provider-authorization-implicit-consent")
+    inv_slug = None
+    for candidate in ("default-invalidation-flow", "default-provider-invalidation-flow"):
+        if Flow.objects.filter(slug=candidate).exists():
+            inv_slug = candidate
+            break
+    if not inv_slug:
+        raise SystemExit("no default invalidation flow (expected one of: default-invalidation-flow, default-provider-invalidation-flow)")
+    print(auth)
+    print(_pk(inv_slug))
+
+
+main()