Fix Authentik WIF token endpoint
Some checks failed
Build Rust / Cargo Test (push) Successful in 4m8s
Build Site / Next.js Build (push) Failing after 4s
Lint Governance / BEP Metadata (push) Successful in 1s

This commit is contained in:
Conrad Kramer 2026-06-07 12:33:39 -07:00
parent 5ef4fdef64
commit 8180c3c35a
2 changed files with 33 additions and 1 deletions

View file

@ -7,6 +7,7 @@ pool_id="${BURROW_GOOGLE_WIF_POOL_ID:-burrow-authentik}"
provider_id="${BURROW_GOOGLE_WIF_PROVIDER_ID:-forgejo-runners}"
service_account="${BURROW_GOOGLE_WIF_SERVICE_ACCOUNT:-burrow-forgejo-runner@project-88c23ce9-918a-470a-b33.iam.gserviceaccount.com}"
authentik_issuer="${BURROW_AUTHENTIK_WIF_ISSUER:-https://auth.burrow.net/application/o/google-cloud/}"
authentik_token_endpoint="${BURROW_AUTHENTIK_WIF_TOKEN_ENDPOINT:-}"
authentik_audience="${BURROW_AUTHENTIK_WIF_AUDIENCE:-google-wif.burrow.net}"
authentik_client_id="${BURROW_AUTHENTIK_WIF_CLIENT_ID:-${AUTHENTIK_GOOGLE_WIF_CLIENT_ID:-google-wif.burrow.net}}"
authentik_client_secret="${BURROW_AUTHENTIK_WIF_CLIENT_SECRET:-${AUTHENTIK_GOOGLE_WIF_CLIENT_SECRET:-}}"
@ -30,6 +31,7 @@ Inputs:
BURROW_GOOGLE_WIF_PROVIDER_ID
BURROW_GOOGLE_WIF_SERVICE_ACCOUNT
BURROW_AUTHENTIK_WIF_ISSUER
BURROW_AUTHENTIK_WIF_TOKEN_ENDPOINT
BURROW_AUTHENTIK_WIF_AUDIENCE
BURROW_AUTHENTIK_WIF_TOKEN or BURROW_AUTHENTIK_WIF_TOKEN_FILE
@ -66,6 +68,32 @@ require_command gcloud
require_command curl
require_command jq
resolve_token_endpoint() {
if [[ -n "$authentik_token_endpoint" ]]; then
printf '%s\n' "$authentik_token_endpoint"
return
fi
local issuer_no_slash="${authentik_issuer%/}"
local discovered=""
if discovered="$(
curl -fsS "${issuer_no_slash}/.well-known/openid-configuration" 2>/dev/null \
| jq -r '.token_endpoint // empty' 2>/dev/null
)" && [[ -n "$discovered" ]]; then
printf '%s\n' "$discovered"
return
fi
case "$issuer_no_slash" in
*/application/o/*)
printf '%s/application/o/token/\n' "${issuer_no_slash%%/application/o/*}"
;;
*)
printf '%s/token/\n' "$issuer_no_slash"
;;
esac
}
mkdir -p "$work_dir"
chmod 0700 "$work_dir"
@ -85,7 +113,7 @@ else
echo "missing Authentik WIF token. Set BURROW_AUTHENTIK_WIF_TOKEN, BURROW_AUTHENTIK_WIF_TOKEN_FILE, or BURROW_AUTHENTIK_WIF_CLIENT_SECRET." >&2
exit 1
fi
token_endpoint="${authentik_issuer%/}/token/"
token_endpoint="$(resolve_token_endpoint)"
curl -fsS \
-u "${authentik_client_id}:${authentik_client_secret}" \
-d grant_type=client_credentials \