Enhance Authentik role in noble cluster setup by adding support for resolving OAuth2 flow, signing key, and scope mapping UUIDs from the worker database, improving API access under 2026+ RBAC. Update README with troubleshooting steps for common OAuth2 provider issues and adjust default variables for better configuration management. Ensure seamless integration with oauth2-proxy by allowing unverified email handling in development environments.

ansible/roles/noble_authentik/tasks/main.yml

@@ -129,6 +129,249 @@
         mode: "0600"
       no_log: true
 
+    # Authentik 2026+ RBAC: bootstrap tokens often cannot **GET /flows/instances/** (403). Resolve UUIDs
+    # from the worker DB via **ak shell** when inventory PKs are unset (same slugs as configure_authentik.py).
+    - name: Resolve OAuth provider flow UUIDs from authentik-worker (DB; bypasses flows API RBAC)
+      ansible.builtin.shell: |
+        set -euo pipefail
+        NS="{{ noble_authentik_namespace }}"
+        POD="$(kubectl get pods -n "$NS" \
+          -l "app.kubernetes.io/name=authentik,app.kubernetes.io/component=worker" \
+          -o jsonpath='{.items[0].metadata.name}')"
+        REM=/tmp/ansible_resolve_oauth_flow_pks.py
+        kubectl cp "{{ role_path }}/files/resolve_oauth_flow_pks.py" "${NS}/${POD}:${REM}"
+        kubectl exec -n "$NS" "$POD" -- ak shell -c "exec(compile(open('${REM}').read(), 'ansible_resolve_oauth_flow_pks.py', 'exec'))"
+        kubectl exec -n "$NS" "$POD" -- rm -f "$REM" || true
+      environment:
+        KUBECONFIG: "{{ noble_kubeconfig }}"
+      register: noble_authentik_oauth_flow_pk_resolve
+      changed_when: false
+      when:
+        - noble_authentik_configure_idp | default(true) | bool
+        - (noble_authentik_oauth_authorization_flow_pk | default('') | trim | length) == 0
+        - (noble_authentik_oauth_invalidation_flow_pk | default('') | trim | length) == 0
+
+    - name: Apply OAuth flow PKs from worker resolution for configure_authentik.py
+      ansible.builtin.set_fact:
+        noble_authentik_oauth_authorization_flow_pk: "{{ (noble_authentik_oauth_flow_pk_resolve.stdout_lines | select('match', '^[0-9a-fA-F-]{36}$') | list)[0] }}"
+        noble_authentik_oauth_invalidation_flow_pk: "{{ (noble_authentik_oauth_flow_pk_resolve.stdout_lines | select('match', '^[0-9a-fA-F-]{36}$') | list)[1] }}"
+      when:
+        - noble_authentik_oauth_flow_pk_resolve is defined
+        - not (noble_authentik_oauth_flow_pk_resolve.skipped | default(false))
+        - (noble_authentik_oauth_flow_pk_resolve.rc | default(-1)) == 0
+        - (noble_authentik_oauth_flow_pk_resolve.stdout_lines | default([]) | select('match', '^[0-9a-fA-F-]{36}$') | list | length) >= 2
+
+    # Bootstrap tokens often cannot list **/crypto/certificatekeypairs/** (403).
+    - name: Resolve OAuth signing key UUID from authentik-worker (DB; bypasses crypto API RBAC)
+      ansible.builtin.shell: |
+        set -euo pipefail
+        NS="{{ noble_authentik_namespace }}"
+        POD="$(kubectl get pods -n "$NS" \
+          -l "app.kubernetes.io/name=authentik,app.kubernetes.io/component=worker" \
+          -o jsonpath='{.items[0].metadata.name}')"
+        REM=/tmp/ansible_resolve_oauth_signing_key_pk.py
+        kubectl cp "{{ role_path }}/files/resolve_oauth_signing_key_pk.py" "${NS}/${POD}:${REM}"
+        kubectl exec -n "$NS" "$POD" -- ak shell -c "exec(compile(open('${REM}').read(), 'ansible_resolve_oauth_signing_key_pk.py', 'exec'))"
+        kubectl exec -n "$NS" "$POD" -- rm -f "$REM" || true
+      environment:
+        KUBECONFIG: "{{ noble_kubeconfig }}"
+      register: noble_authentik_oauth_signing_key_resolve
+      changed_when: false
+      when:
+        - noble_authentik_configure_idp | default(true) | bool
+        - (noble_authentik_oauth_signing_key_pk | default('') | trim | length) == 0
+
+    - name: Apply OAuth signing key PK from worker resolution for configure_authentik.py
+      ansible.builtin.set_fact:
+        noble_authentik_oauth_signing_key_pk: "{{ (noble_authentik_oauth_signing_key_resolve.stdout_lines | select('match', '^[0-9a-fA-F-]{36}$') | list)[0] }}"
+      when:
+        - noble_authentik_oauth_signing_key_resolve is defined
+        - not (noble_authentik_oauth_signing_key_resolve.skipped | default(false))
+        - (noble_authentik_oauth_signing_key_resolve.rc | default(-1)) == 0
+        - (noble_authentik_oauth_signing_key_resolve.stdout_lines | default([]) | select('match', '^[0-9a-fA-F-]{36}$') | list | length) >= 1
+
+    # Bootstrap tokens often cannot list **/propertymappings/provider/scope/** (403).
+    - name: Resolve OAuth scope mapping UUIDs from authentik-worker (DB; bypasses propertymappings API RBAC)
+      ansible.builtin.shell: |
+        set -euo pipefail
+        NS="{{ noble_authentik_namespace }}"
+        POD="$(kubectl get pods -n "$NS" \
+          -l "app.kubernetes.io/name=authentik,app.kubernetes.io/component=worker" \
+          -o jsonpath='{.items[0].metadata.name}')"
+        REM=/tmp/ansible_resolve_oauth_scope_mapping_pks.py
+        kubectl cp "{{ role_path }}/files/resolve_oauth_scope_mapping_pks.py" "${NS}/${POD}:${REM}"
+        kubectl exec -n "$NS" "$POD" -- ak shell -c "exec(compile(open('${REM}').read(), 'ansible_resolve_oauth_scope_mapping_pks.py', 'exec'))"
+        kubectl exec -n "$NS" "$POD" -- rm -f "$REM" || true
+      environment:
+        KUBECONFIG: "{{ noble_kubeconfig }}"
+      register: noble_authentik_oauth_scope_mapping_resolve
+      changed_when: false
+      when:
+        - noble_authentik_configure_idp | default(true) | bool
+        - (noble_authentik_oauth_scope_mapping_pks | default('') | trim | length) == 0
+
+    - name: Apply OAuth scope mapping PKs from worker resolution for configure_authentik.py
+      ansible.builtin.set_fact:
+        noble_authentik_oauth_scope_mapping_pks: "{{ (noble_authentik_oauth_scope_mapping_resolve.stdout_lines | default([]) | select('match', '^[0-9a-fA-F-]{36}$') | list) | join(',') }}"
+      when:
+        - noble_authentik_oauth_scope_mapping_resolve is defined
+        - not (noble_authentik_oauth_scope_mapping_resolve.skipped | default(false))
+        - (noble_authentik_oauth_scope_mapping_resolve.rc | default(-1)) == 0
+        - (noble_authentik_oauth_scope_mapping_resolve.stdout_lines | default([]) | select('match', '^[0-9a-fA-F-]{36}$') | list | length) >= 4
+
+    # Bootstrap tokens often cannot **GET /core/groups/** (403). Worker **get_or_create** ensures groups exist.
+    - name: Resolve noble-admins / noble-editors group UUIDs from authentik-worker (DB; bypasses groups API RBAC)
+      ansible.builtin.shell: |
+        set -euo pipefail
+        NS="{{ noble_authentik_namespace }}"
+        POD="$(kubectl get pods -n "$NS" \
+          -l "app.kubernetes.io/name=authentik,app.kubernetes.io/component=worker" \
+          -o jsonpath='{.items[0].metadata.name}')"
+        REM=/tmp/ansible_resolve_noble_group_pks.py
+        kubectl cp "{{ role_path }}/files/resolve_noble_group_pks.py" "${NS}/${POD}:${REM}"
+        kubectl exec -n "$NS" "$POD" -- ak shell -c "exec(compile(open('${REM}').read(), 'ansible_resolve_noble_group_pks.py', 'exec'))"
+        kubectl exec -n "$NS" "$POD" -- rm -f "$REM" || true
+      environment:
+        KUBECONFIG: "{{ noble_kubeconfig }}"
+      register: noble_authentik_noble_group_resolve
+      changed_when: false
+      when:
+        - noble_authentik_configure_idp | default(true) | bool
+        - (noble_authentik_group_pk_noble_admins | default('') | trim | length) == 0
+        - (noble_authentik_group_pk_noble_editors | default('') | trim | length) == 0
+
+    - name: Apply noble group PKs from worker resolution for configure_authentik.py
+      ansible.builtin.set_fact:
+        noble_authentik_group_pk_noble_admins: "{{ (noble_authentik_noble_group_resolve.stdout_lines | default([]) | select('match', '^[0-9a-fA-F-]{36}$') | list)[0] }}"
+        noble_authentik_group_pk_noble_editors: "{{ (noble_authentik_noble_group_resolve.stdout_lines | default([]) | select('match', '^[0-9a-fA-F-]{36}$') | list)[1] }}"
+      when:
+        - noble_authentik_noble_group_resolve is defined
+        - not (noble_authentik_noble_group_resolve.skipped | default(false))
+        - (noble_authentik_noble_group_resolve.rc | default(-1)) == 0
+        - (noble_authentik_noble_group_resolve.stdout_lines | default([]) | select('match', '^[0-9a-fA-F-]{36}$') | list | length) >= 2
+
+    - name: Render Authentik worker admin-access spec (JSON for ak shell)
+      ansible.builtin.template:
+        src: authentik-worker-admin-access-spec.json.j2
+        dest: "{{ noble_repo_root }}/ansible/.ansible-tmp/authentik-worker-admin-access-spec.json"
+        mode: "0600"
+      no_log: true
+      when:
+        - noble_authentik_configure_idp | default(true) | bool
+        - noble_authentik_ensure_admin_ui_access | default(true) | bool
+
+    - name: Ensure authentik Admins + superuser group flag (worker ORM; restores admin UI access)
+      ansible.builtin.shell: |
+        set -euo pipefail
+        NS="{{ noble_authentik_namespace }}"
+        POD="$(kubectl get pods -n "$NS" \
+          -l "app.kubernetes.io/name=authentik,app.kubernetes.io/component=worker" \
+          -o jsonpath='{.items[0].metadata.name}')"
+        SPEC=/tmp/ansible_authentik_worker_admin_access_spec.json
+        REM=/tmp/ansible_worker_ensure_authentik_admin_access.py
+        kubectl cp "{{ noble_repo_root }}/ansible/.ansible-tmp/authentik-worker-admin-access-spec.json" "${NS}/${POD}:${SPEC}"
+        kubectl cp "{{ role_path }}/files/worker_ensure_authentik_admin_access.py" "${NS}/${POD}:${REM}"
+        kubectl exec -n "$NS" "$POD" -- env AUTHENTIK_WORKER_ADMIN_ACCESS_SPEC="${SPEC}" ak shell -c "exec(compile(open('${REM}').read(), 'ansible_worker_ensure_authentik_admin_access.py', 'exec'))"
+        kubectl exec -n "$NS" "$POD" -- rm -f "$SPEC" "$REM" || true
+      environment:
+        KUBECONFIG: "{{ noble_kubeconfig }}"
+      register: noble_authentik_worker_admin_access
+      changed_when: true
+      when:
+        - noble_authentik_configure_idp | default(true) | bool
+        - noble_authentik_ensure_admin_ui_access | default(true) | bool
+
+    - name: Require OAuth PKs for worker OIDC upsert (ORM path)
+      ansible.builtin.assert:
+        that:
+          - (noble_authentik_oauth_authorization_flow_pk | default('') | trim | length) > 0
+          - (noble_authentik_oauth_invalidation_flow_pk | default('') | trim | length) > 0
+          - (noble_authentik_oauth_signing_key_pk | default('') | trim | length) > 0
+          - (noble_authentik_oauth_scope_mapping_pks | default('') | trim | length) > 0
+        fail_msg: >-
+          Worker OIDC provisioning needs flow UUIDs, signing key UUID, and comma-separated scope-mapping UUIDs.
+          Ensure worker resolution tasks ran, or set noble_authentik_oauth_* inventory vars (see role README).
+      when:
+        - noble_authentik_configure_idp | default(true) | bool
+        - (noble_authentik_oidc_provision_via | default('worker') | lower) == 'worker'
+
+    - name: Render Authentik worker OIDC spec (JSON for ak shell upsert)
+      ansible.builtin.template:
+        src: authentik-worker-oidc-spec.json.j2
+        dest: "{{ noble_repo_root }}/ansible/.ansible-tmp/authentik-worker-oidc-spec.json"
+        mode: "0600"
+      no_log: true
+      when:
+        - noble_authentik_configure_idp | default(true) | bool
+        - (noble_authentik_oidc_provision_via | default('worker') | lower) == 'worker'
+
+    - name: Upsert OAuth2 providers + applications in authentik-worker (ORM; bypasses provider REST RBAC)
+      ansible.builtin.shell: |
+        set -euo pipefail
+        NS="{{ noble_authentik_namespace }}"
+        POD="$(kubectl get pods -n "$NS" \
+          -l "app.kubernetes.io/name=authentik,app.kubernetes.io/component=worker" \
+          -o jsonpath='{.items[0].metadata.name}')"
+        SPEC=/tmp/ansible_authentik_worker_oidc_spec.json
+        REM=/tmp/ansible_worker_upsert_oauth_oidc.py
+        kubectl cp "{{ noble_repo_root }}/ansible/.ansible-tmp/authentik-worker-oidc-spec.json" "${NS}/${POD}:${SPEC}"
+        kubectl cp "{{ role_path }}/files/worker_upsert_oauth_oidc.py" "${NS}/${POD}:${REM}"
+        kubectl exec -n "$NS" "$POD" -- env AUTHENTIK_WORKER_OIDC_SPEC="${SPEC}" ak shell -c "exec(compile(open('${REM}').read(), 'ansible_worker_upsert_oauth_oidc.py', 'exec'))"
+        kubectl exec -n "$NS" "$POD" -- rm -f "$SPEC" "$REM" || true
+      environment:
+        KUBECONFIG: "{{ noble_kubeconfig }}"
+      register: noble_authentik_worker_oidc_upsert
+      changed_when: true
+      when:
+        - noble_authentik_configure_idp | default(true) | bool
+        - (noble_authentik_oidc_provision_via | default('worker') | lower) == 'worker'
+
+    - name: Require noble group PKs for worker bootstrap group membership
+      ansible.builtin.assert:
+        that:
+          - (noble_authentik_group_pk_noble_admins | default('') | trim | length) > 0
+          - (noble_authentik_group_pk_noble_editors | default('') | trim | length) > 0
+        fail_msg: >-
+          Worker bootstrap group membership needs noble-admins / noble-editors UUIDs (worker DB resolve or inventory).
+          See noble_authentik_group_pk_noble_* in defaults/README.
+      when:
+        - noble_authentik_configure_idp | default(true) | bool
+        - (noble_authentik_oidc_provision_via | default('worker') | lower) == 'worker'
+        - (noble_authentik_bootstrap_email | default('') | trim | length) > 0
+
+    - name: Render Authentik worker user-groups spec (JSON for ak shell)
+      ansible.builtin.template:
+        src: authentik-worker-user-groups-spec.json.j2
+        dest: "{{ noble_repo_root }}/ansible/.ansible-tmp/authentik-worker-user-groups-spec.json"
+        mode: "0600"
+      no_log: true
+      when:
+        - noble_authentik_configure_idp | default(true) | bool
+        - (noble_authentik_oidc_provision_via | default('worker') | lower) == 'worker'
+        - (noble_authentik_bootstrap_email | default('') | trim | length) > 0
+
+    - name: Add bootstrap user to noble groups in authentik-worker (ORM; bypasses users API RBAC)
+      ansible.builtin.shell: |
+        set -euo pipefail
+        NS="{{ noble_authentik_namespace }}"
+        POD="$(kubectl get pods -n "$NS" \
+          -l "app.kubernetes.io/name=authentik,app.kubernetes.io/component=worker" \
+          -o jsonpath='{.items[0].metadata.name}')"
+        SPEC=/tmp/ansible_authentik_worker_user_groups_spec.json
+        REM=/tmp/ansible_worker_add_bootstrap_user_groups.py
+        kubectl cp "{{ noble_repo_root }}/ansible/.ansible-tmp/authentik-worker-user-groups-spec.json" "${NS}/${POD}:${SPEC}"
+        kubectl cp "{{ role_path }}/files/worker_add_bootstrap_user_groups.py" "${NS}/${POD}:${REM}"
+        kubectl exec -n "$NS" "$POD" -- env AUTHENTIK_WORKER_USER_GROUPS_SPEC="${SPEC}" ak shell -c "exec(compile(open('${REM}').read(), 'ansible_worker_add_bootstrap_user_groups.py', 'exec'))"
+        kubectl exec -n "$NS" "$POD" -- rm -f "$SPEC" "$REM" || true
+      environment:
+        KUBECONFIG: "{{ noble_kubeconfig }}"
+      register: noble_authentik_worker_user_groups
+      changed_when: true
+      when:
+        - noble_authentik_configure_idp | default(true) | bool
+        - (noble_authentik_oidc_provision_via | default('worker') | lower) == 'worker'
+        - (noble_authentik_bootstrap_email | default('') | trim | length) > 0
+
     - name: Configure Authentik OAuth2/OIDC providers (API)
       ansible.builtin.command:
         argv:
@@ -141,6 +384,12 @@
         CLIENT_JSON: "{{ noble_repo_root }}/ansible/.ansible-tmp/authentik-clients.json"
         AUTHENTIK_OAUTH_AUTHORIZATION_FLOW_PK: "{{ noble_authentik_oauth_authorization_flow_pk | default('') }}"
         AUTHENTIK_OAUTH_INVALIDATION_FLOW_PK: "{{ noble_authentik_oauth_invalidation_flow_pk | default('') }}"
+        AUTHENTIK_OAUTH_SIGNING_KEY_PK: "{{ noble_authentik_oauth_signing_key_pk | default('') }}"
+        AUTHENTIK_OAUTH_SCOPE_MAPPING_PKS: "{{ noble_authentik_oauth_scope_mapping_pks | default('') }}"
+        AUTHENTIK_NOBLE_ADMINS_GROUP_PK: "{{ noble_authentik_group_pk_noble_admins | default('') }}"
+        AUTHENTIK_NOBLE_EDITORS_GROUP_PK: "{{ noble_authentik_group_pk_noble_editors | default('') }}"
+        AUTHENTIK_SKIP_OIDC_REST: "{{ '1' if (noble_authentik_oidc_provision_via | default('worker') | lower) == 'worker' else '' }}"
+        AUTHENTIK_SKIP_USER_GROUP_REST: "{{ '1' if ((noble_authentik_oidc_provision_via | default('worker') | lower) == 'worker' and (noble_authentik_bootstrap_email | default('') | trim | length) > 0) else '' }}"
       when: noble_authentik_configure_idp | default(true) | bool
       changed_when: true