From 82c37e0f78a6970c46591081867724f052199547 Mon Sep 17 00:00:00 2001
From: Erich Blume <blume.erich@gmail.com>
Date: Fri, 5 Jun 2026 06:06:10 -0700
Subject: [PATCH] heph Authentik: add empty redirect_uris (required by provider
 serializer)

The OAuth2 provider serializer requires redirect_uris even for a public
device-code client; its absence failed blueprint validation atomically.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 argocd/manifests/authentik/configmap-blueprint.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/argocd/manifests/authentik/configmap-blueprint.yaml b/argocd/manifests/authentik/configmap-blueprint.yaml
index 90e0d5d..56d9110 100644
--- a/argocd/manifests/authentik/configmap-blueprint.yaml
+++ b/argocd/manifests/authentik/configmap-blueprint.yaml
@@ -477,6 +477,9 @@ data:
           invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
           client_type: public
           client_id: heph
+          # Device-code (RFC 8628) + PKCE use no redirect, but the provider
+          # serializer requires the field — an empty list satisfies it.
+          redirect_uris: []
           signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
           property_mappings:
             - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]