Fix Authentik WIF client credentials
Some checks failed
Cache: Publish Nix / Publish Nix Cache (push) Successful in 2m46s
Build Rust / Cargo Test (push) Successful in 4m1s
Build Site / Next.js Build (push) Failing after 4s
Lint Governance / BEP Metadata (push) Successful in 1s

This commit is contained in:
Conrad Kramer 2026-06-07 13:07:34 -07:00
parent 8180c3c35a
commit e7c0442a12
6 changed files with 107 additions and 35 deletions

View file

@ -183,13 +183,13 @@ in
googleWifClientSecretFile = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = "Host-local file containing the Authentik Google WIF OIDC client secret.";
description = "Host-local file containing the Authentik Google WIF client-credentials secret.";
};
googleWifAccessGroupName = lib.mkOption {
type = lib.types.str;
default = "burrow-automation";
description = "Authentik group allowed to mint Google WIF tokens.";
type = lib.types.nullOr lib.types.str;
default = null;
description = "Optional Authentik group allowed to launch the Google WIF application. Leave null for client-credentials token exchange.";
};
tailscaleProviderSlug = lib.mkOption {
@ -979,7 +979,9 @@ EOF
export AUTHENTIK_GOOGLE_WIF_CLIENT_SECRET="$(tr -d '\r\n' < ${lib.escapeShellArg cfg.googleWifClientSecretFile})"
export AUTHENTIK_GOOGLE_WIF_LAUNCH_URL=https://console.cloud.google.com/
export AUTHENTIK_GOOGLE_WIF_REDIRECT_URIS_JSON='[]'
export AUTHENTIK_GOOGLE_WIF_ACCESS_GROUP=${lib.escapeShellArg cfg.googleWifAccessGroupName}
${lib.optionalString (cfg.googleWifAccessGroupName != null) ''
export AUTHENTIK_GOOGLE_WIF_ACCESS_GROUP=${lib.escapeShellArg cfg.googleWifAccessGroupName}
''}
${pkgs.bash}/bin/bash ${googleWifOidcSyncScript}
'';