Integrate Forgejo with Authentik OIDC

Refactor Authentik blueprints into common.yaml (shared admins group), grafana.yaml (updated with !Find and groups scope), and forgejo.yaml (new provider + application). Add forgejo-client-secret to ExternalSecret and worker deployment. Configure Forgejo oauth2_client for auto-registration with login-based account linking to safely preserve existing accounts. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-20 16:16:03 -08:00
1 changed files with 16 additions and 0 deletions
--- a/argocd/manifests/authentik/configmap-blueprint.yaml
+++ b/argocd/manifests/authentik/configmap-blueprint.yaml
@ -20,6 +20,20 @@ data:
        attrs:
          name: admins

+      # groups scope mapping — returns user's group names in OIDC tokens
+      - model: authentik_providers_oauth2.scopemapping
+        id: groups-scope
+        identifiers:
+          scope_name: groups
+        attrs:
+          name: "OAuth Mapping: groups"
+          scope_name: groups
+          description: "Map user groups to OIDC groups claim"
+          expression: |
+            return {
+                "groups": [group.name for group in request.user.ak_groups.all()],
+            }
+
  grafana.yaml: |
    version: 1
    metadata:
@ -49,6 +63,7 @@ data:
            - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
            - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
            - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
+            - !Find [authentik_providers_oauth2.scopemapping, [scope_name, groups]]
          sub_mode: hashed_user_id
          include_claims_in_id_token: true

@ -105,6 +120,7 @@ data:
            - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
            - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
            - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
+            - !Find [authentik_providers_oauth2.scopemapping, [scope_name, groups]]
          sub_mode: hashed_user_id
          include_claims_in_id_token: true