Enhance Authentik role in noble cluster setup by adding support for resolving OAuth2 flow, signing key, and scope mapping UUIDs from the worker database, improving API access under 2026+ RBAC. Update README with troubleshooting steps for common OAuth2 provider issues and adjust default variables for better configuration management. Ensure seamless integration with oauth2-proxy by allowing unverified email handling in development environments.

This commit is contained in:
Nikholas Pcenicni
2026-05-14 14:26:43 -04:00
parent c392ce1e5a
commit 5e5c6ef671
24 changed files with 868 additions and 99 deletions


@@ -33,6 +33,10 @@ ingress:
extraArgs:
provider: oidc
skip-provider-button: "true"
# Authentik bootstrap / local users often omit **email_verified** in the id_token; without this,
# oauth2-proxy returns **500** on `/oauth2/callback` with: "email in id_token (...) isn't verified".
# Prefer marking the account verified in Authentik (Directory) in production.
insecure-oidc-allow-unverified-email: "true"
oidc-issuer-url: "https://auth.apps.noble.lab.pcenicni.dev/application/o/oauth2-proxy/"
redirect-url: "https://oauth2.apps.noble.lab.pcenicni.dev/oauth2/callback"
scope: "openid profile email groups"
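Review bot: `insecure-oidc-allow-unverified-email: "true"` is hard-coded in this values block, while the comment directly above it and the commit message both frame it as a development-only accommodation; nothing in the hunk gates it, so the same rendered chart will accept unverified emails in production too. Suggest driving it from a role variable that defaults to off and is enabled only in the development inventory, for example `insecure-oidc-allow-unverified-email: "{{ oauth2_proxy_allow_unverified_email | default(false) | lower }}"` (variable name is a suggestion, not one the role already defines), or dropping the flag once the Authentik accounts are marked verified as the comment itself recommends. Minor style point on the same lines: the `**email_verified**` and `**500**` markdown emphasis inside a YAML comment renders literally in the values file; plain text reads cleaner there.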