# Authentik blueprint — OnlyOffice OIDC (when ONLYOFFICE_ENABLED=true)
# Generated from onlyoffice-oidc.yaml.template
# Client secret must match ONLYOFFICE_OIDC_CLIENT_SECRET in .env
version: 1
metadata:
  name: OnlyOffice OIDC
  labels:
    blueprints.goauthentik.io/instantiate: "true"
entries:
  - model: authentik_providers_oauth2.oauth2provider
    id: oo-oauth-provider
    identifiers:
      name: ulti-onlyoffice-provider
    attrs:
      name: ulti-onlyoffice-provider
      authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
      invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
      property_mappings:
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
      client_type: confidential
      client_id: ulti-onlyoffice
      client_secret: changeme
      redirect_uris:
        - matching_mode: strict
          url: {{SUITE_ORIGIN}}/office/
        - matching_mode: strict
          url: {{SUITE_ORIGIN}}/office/oauth2/callback
        - matching_mode: strict
          url: http://localhost/office/
        - matching_mode: strict
          url: http://localhost/office/oauth2/callback
      signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]

  - model: authentik_core.application
    identifiers:
      slug: onlyoffice
    attrs:
      name: OnlyOffice
      slug: onlyoffice
      group: Ulti Suite
      provider: !KeyOf oo-oauth-provider
      meta_launch_url: {{SUITE_ORIGIN}}/office
      policy_engine_mode: any