heph Authentik: register heph-pwa redirect URIs for PKCE login

The heph-pwa browser login (hephaestus PR #9) uses Authorization Code + PKCE, which redirects back to the app origin. Register https://heph.ops.eblu.me/ (and http://localhost:8787/ for dev) on the heph provider; Authentik also keys token-endpoint CORS off these origins. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-05 07:27:00 -07:00
6 changed files with 1 additions and 35 deletions
--- a/ansible/roles/heph/defaults/main.yml
+++ b/ansible/roles/heph/defaults/main.yml
@ -6,7 +6,7 @@
 # Pinned release used for the initial `cargo install` and the PWA shell.
 # After bootstrap, hephd's own --self-update keeps the binary current; this
 # pin only governs the first install and the bundled PWA shell version.
-heph_version: v1.2.1
+heph_version: v1.2.0

 # Anonymous public HTTPS clone — matches hephd's INSTALL_GIT_URL so the initial
 # install and unattended self-update build from the same source (no ssh-agent).
--- a/argocd/manifests/authentik/configmap-blueprint.yaml
+++ b/argocd/manifests/authentik/configmap-blueprint.yaml
@ -492,10 +492,6 @@ data:
            - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
            - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
            - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
-            # offline_access: heph CLI requests "openid offline_access"; without
-            # this mapping the refresh token is session-bound and hephd's
-            # refresh_token grant 400s once the session lapses (spoke sync dies).
-            - !Find [authentik_providers_oauth2.scopemapping, [scope_name, offline_access]]
          sub_mode: hashed_user_id
          include_claims_in_id_token: true

--- a/docs/changelog.d/+heph-hub-v1.2.1.infra.md
+++ b/docs/changelog.d/+heph-hub-v1.2.1.infra.md
@ -1 +0,0 @@
-Bumped the indri heph hub to v1.2.1, which adds the hub `GET /config` endpoint and ships the heph-pwa **Login with Authentik** flow (Authorization Code + PKCE). Pairs with the Authentik `heph` provider redirect URIs registered earlier.
--- a/docs/changelog.d/heph-offline-access.bugfix.md
+++ b/docs/changelog.d/heph-offline-access.bugfix.md
@ -1 +0,0 @@
-Granted the `offline_access` scope on the Authentik `heph` OAuth2 provider so hephaestus spokes receive a durable 30-day refresh token. Previously the refresh token was session-bound, so spoke sync would silently fail with a `400 Bad Request` on the `refresh_token` grant once the Authentik session lapsed.
--- a/docs/reference/services/hephaestus.md
+++ b/docs/reference/services/hephaestus.md
@ -68,17 +68,6 @@ in the [[authentik]] blueprint (`argocd/manifests/authentik/configmap-blueprint.
 - Issuer: `https://authentik.ops.eblu.me/application/o/heph/`
 - Audience / client id: `heph`
 - Restricted to the `admins` group (single-owner, sensitive data).
- Scope mappings: `openid`, `email`, `profile`, **`offline_access`**.
-
-> **`offline_access` is required for durable sync.** The `heph` CLI requests
-> `scope = "openid offline_access"`, and a refresh token is only issued for the
-> 30-day refresh-token window when the provider actually grants `offline_access`.
-> Without that scope mapping the refresh token is bound to the login **session**;
-> once the session lapses, hephd's `refresh_token` grant returns `400 Bad
-> Request`, the bearer can't be refreshed, and spoke sync silently degrades
-> (`heph sync --status` → `auth_failure: true`). `heph auth login` papers over it
-> until the next session expiry. Keep `offline_access` in the provider's
-> `property_mappings`.

 Because no Authentik instance ships a device-code flow by default, the blueprint
 also creates `default-device-code-flow` and binds it to the default brand's
--- a/service-versions.yaml
+++ b/service-versions.yaml
@ -414,23 +414,6 @@ services:
    upstream-source: https://github.com/caddyserver/caddy/releases
    notes: Built from source with Gandi DNS and Layer 4 plugins

-  - name: heph
-    type: ansible
-    last-reviewed: 2026-06-05
-    current-version: "v1.2.1"
-    upstream-source: https://forge.eblu.me/eblume/hephaestus/releases
-    notes: >-
-      hephaestus task/context sync hub on indri (server-mode launchagent,
-      ansible/roles/heph; cargo-built from the forge). SELF-UPDATING: hephd
-      polls the forge for newer releases every 10 min and rebuilds + restarts
-      itself, so the running version drifts AHEAD of the ansible heph_version
-      pin. current-version here is the last observed/deployed tag, not a hard
-      pin — verify the live version via `curl https://heph.ops.eblu.me/config`
-      is served (hub up) and the hub log's `current=` line. Reconciling this
-      self-update vs IaC-pin drift is tracked in the heph "Hephaestus" project:
-      "Reconcile hephd self-update with ansible-pinned version (drift on indri
-      hub)" (node 01KTBXWT6XTHNDH92CVJY88E5K).
-
  - name: borgmatic
    type: ansible
    last-reviewed: 2026-04-15
				`@ -1 +0,0 @@`
				Bumped the indri heph hub to v1.2.1, which adds the hub `GET /config` endpoint and ships the heph-pwa Login with Authentik flow (Authorization Code + PKCE). Pairs with the Authentik `heph` provider redirect URIs registered earlier.
				`@ -1 +0,0 @@`
				Granted the `offline_access` scope on the Authentik `heph` OAuth2 provider so hephaestus spokes receive a durable 30-day refresh token. Previously the refresh token was session-bound, so spoke sync would silently fail with a `400 Bad Request` on the `refresh_token` grant once the Authentik session lapsed.