# Authentik blueprint — Ultimail OIDC (auto-applied on worker startup) # Generated from ulti-oidc.yaml.template — edit template, not this file directly. # Client secret must match ULTID_OIDC_CLIENT_SECRET in .env version: 1 metadata: name: Ultimail OIDC labels: blueprints.goauthentik.io/instantiate: "true" entries: - model: authentik_providers_oauth2.oauth2provider id: ulti-oauth-provider identifiers: name: ulti-backend-provider attrs: name: ulti-backend-provider authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]] access_token_validity: "hours=1" refresh_token_validity: "days=365" property_mappings: - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]] - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]] - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]] - !Find [authentik_providers_oauth2.scopemapping, [scope_name, offline_access]] client_type: confidential client_id: ulti-backend client_secret: changeme redirect_uris: - matching_mode: strict url: https://dev.ultispace.fr/api/auth/callback - matching_mode: strict url: http://localhost/api/auth/callback - matching_mode: strict url: http://127.0.0.1/api/auth/callback - matching_mode: strict url: http://localhost:3004/api/auth/callback - matching_mode: strict url: http://127.0.0.1:3004/api/auth/callback signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]] - model: authentik_core.application identifiers: slug: ulti attrs: name: Ultimail slug: ulti group: Ulti Suite provider: !KeyOf ulti-oauth-provider meta_launch_url: https://dev.ultispace.fr/mail/inbox policy_engine_mode: any