From 8180c3c35aa68e3625b18d09633d69409b553ee8 Mon Sep 17 00:00:00 2001 From: Conrad Kramer Date: Sun, 7 Jun 2026 12:33:39 -0700 Subject: [PATCH] Fix Authentik WIF token endpoint --- Scripts/ci/google-wif-auth.sh | 30 ++++++++++++++++++- ...nfrastructure-and-store-upload-pipeline.md | 4 +++ 2 files changed, 33 insertions(+), 1 deletion(-) diff --git a/Scripts/ci/google-wif-auth.sh b/Scripts/ci/google-wif-auth.sh index 5c8c09e..67cd03c 100755 --- a/Scripts/ci/google-wif-auth.sh +++ b/Scripts/ci/google-wif-auth.sh @@ -7,6 +7,7 @@ pool_id="${BURROW_GOOGLE_WIF_POOL_ID:-burrow-authentik}" provider_id="${BURROW_GOOGLE_WIF_PROVIDER_ID:-forgejo-runners}" service_account="${BURROW_GOOGLE_WIF_SERVICE_ACCOUNT:-burrow-forgejo-runner@project-88c23ce9-918a-470a-b33.iam.gserviceaccount.com}" authentik_issuer="${BURROW_AUTHENTIK_WIF_ISSUER:-https://auth.burrow.net/application/o/google-cloud/}" +authentik_token_endpoint="${BURROW_AUTHENTIK_WIF_TOKEN_ENDPOINT:-}" authentik_audience="${BURROW_AUTHENTIK_WIF_AUDIENCE:-google-wif.burrow.net}" authentik_client_id="${BURROW_AUTHENTIK_WIF_CLIENT_ID:-${AUTHENTIK_GOOGLE_WIF_CLIENT_ID:-google-wif.burrow.net}}" authentik_client_secret="${BURROW_AUTHENTIK_WIF_CLIENT_SECRET:-${AUTHENTIK_GOOGLE_WIF_CLIENT_SECRET:-}}" @@ -30,6 +31,7 @@ Inputs: BURROW_GOOGLE_WIF_PROVIDER_ID BURROW_GOOGLE_WIF_SERVICE_ACCOUNT BURROW_AUTHENTIK_WIF_ISSUER + BURROW_AUTHENTIK_WIF_TOKEN_ENDPOINT BURROW_AUTHENTIK_WIF_AUDIENCE BURROW_AUTHENTIK_WIF_TOKEN or BURROW_AUTHENTIK_WIF_TOKEN_FILE @@ -66,6 +68,32 @@ require_command gcloud require_command curl require_command jq +resolve_token_endpoint() { + if [[ -n "$authentik_token_endpoint" ]]; then + printf '%s\n' "$authentik_token_endpoint" + return + fi + + local issuer_no_slash="${authentik_issuer%/}" + local discovered="" + if discovered="$( + curl -fsS "${issuer_no_slash}/.well-known/openid-configuration" 2>/dev/null \ + | jq -r '.token_endpoint // empty' 2>/dev/null + )" && [[ -n "$discovered" ]]; then + printf '%s\n' "$discovered" + return + fi + + case "$issuer_no_slash" in + */application/o/*) + printf '%s/application/o/token/\n' "${issuer_no_slash%%/application/o/*}" + ;; + *) + printf '%s/token/\n' "$issuer_no_slash" + ;; + esac +} + mkdir -p "$work_dir" chmod 0700 "$work_dir" @@ -85,7 +113,7 @@ else echo "missing Authentik WIF token. Set BURROW_AUTHENTIK_WIF_TOKEN, BURROW_AUTHENTIK_WIF_TOKEN_FILE, or BURROW_AUTHENTIK_WIF_CLIENT_SECRET." >&2 exit 1 fi - token_endpoint="${authentik_issuer%/}/token/" + token_endpoint="$(resolve_token_endpoint)" curl -fsS \ -u "${authentik_client_id}:${authentik_client_secret}" \ -d grant_type=client_credentials \ diff --git a/evolution/proposals/BEP-0009-release-infrastructure-and-store-upload-pipeline.md b/evolution/proposals/BEP-0009-release-infrastructure-and-store-upload-pipeline.md index 7dfe85d..6c06146 100644 --- a/evolution/proposals/BEP-0009-release-infrastructure-and-store-upload-pipeline.md +++ b/evolution/proposals/BEP-0009-release-infrastructure-and-store-upload-pipeline.md @@ -81,6 +81,10 @@ The same change also makes the forge itself the release authority: release tags resolves Nix from those profile paths, and the action builds `.#age` before falling back to `.#agenix`. The decrypt step must not require Python before the Nix CI shell is active. +- Authentik-backed Google WIF must exchange tokens against Authentik's OAuth + token endpoint, not a provider-slug child path. The helper should prefer an + explicit `BURROW_AUTHENTIK_WIF_TOKEN_ENDPOINT`, then OIDC discovery, then the + Authentik `/application/o/token/` fallback derived from the configured issuer. - Produce unsigned Apple validation artifacts when signing is absent, but require signing for an App Store requested iOS release and for a Sparkle tester release. Uploadable artifacts are produced only after provisioning profiles can be synced from App Store Connect credentials and the relevant Apple certificate is proven to match the selected Google KMS key. - Resolve release credentials through age/agenix before signed Apple lanes run. Forgejo secrets should carry only the runner age identity fallback and the Authentik WIF client secret until OpenBao can mint the runner token directly. App Store Connect keys and signing certificates live as sealed files under `secrets/`. - Persist the forge runner SSH key as `/var/lib/forgejo-runner-agent/age_keystore` and export `BURROW_RUNNER_AGE_IDENTITY_PATH` so jobs can resolve agenix identities without embedding long-lived material in every workflow.