# OIDC with Authentik — credentials live in Secret **headlamp-oidc** (envFrom), created by **noble_authentik**.
# **OIDC_SCOPES** in that Secret must match scopes the Authentik provider exposes (see **noble_authentik_headlamp_oidc_scopes**).
#
# With **externalSecret**, the Headlamp chart only adds **-oidc-callback-url** / **-oidc-use-pkce** args when these
# values are set here (or under **env:**). The Secret alone is not enough — without them, login can fail or Authentik returns errors.
# **usePKCE** defaults **false** for Authentik confidential clients (Ansible **noble_authentik_headlamp_oidc_use_pkce** also passes **--set** on **--tags authentik**).
config:
  oidc:
    secret:
      create: false
    externalSecret:
      enabled: true
      name: headlamp-oidc
    callbackURL: "https://headlamp.apps.noble.lab.pcenicni.dev/oidc-callback"
    usePKCE: false