30bed2db0a Integrate Forgejo with Authentik OIDC
Refactor Authentik blueprints into common.yaml (shared admins group),
grafana.yaml (updated with !Find and groups scope), and forgejo.yaml
(new provider + application). Add forgejo-client-secret to ExternalSecret
and worker deployment. Configure Forgejo oauth2_client for auto-registration
with login-based account linking to safely preserve existing accounts.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-20 16:30:47 -08:00


@ -20,20 +20,6 @@ data:
attrs: attrs:
name: admins name: admins
# groups scope mapping — returns user's group names in OIDC tokens
- model: authentik_providers_oauth2.scopemapping
id: groups-scope
identifiers:
scope_name: groups
attrs:
name: "OAuth Mapping: groups"
scope_name: groups
description: "Map user groups to OIDC groups claim"
expression: |
return {
"groups": [group.name for group in request.user.ak_groups.all()],
}
grafana.yaml: | grafana.yaml: |
version: 1 version: 1
metadata: metadata:
@ -63,7 +49,6 @@ data:
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]] - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]] - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]] - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, groups]]
sub_mode: hashed_user_id sub_mode: hashed_user_id
include_claims_in_id_token: true include_claims_in_id_token: true
@ -120,7 +105,6 @@ data:
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]] - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]] - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]] - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, groups]]
sub_mode: hashed_user_id sub_mode: hashed_user_id
include_claims_in_id_token: true include_claims_in_id_token: true