ultisuite-backend/deploy/authentik/blueprints/ulti-oidc.yaml

# Authentik blueprint — Ultimail OIDC (auto-applied on worker startup)
# Client secret must match ULTID_OIDC_CLIENT_SECRET in .env
version: 1
metadata:
  name: Ultimail OIDC
  labels:
    blueprints.goauthentik.io/instantiate: "true"
entries:
  - model: authentik_providers_oauth2.oauth2provider
    id: ulti-oauth-provider
    identifiers:
      name: ulti-backend-provider
    attrs:
      name: ulti-backend-provider
      authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
      invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
      access_token_validity: "hours=1"
      refresh_token_validity: "days=365"
      property_mappings:
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, offline_access]]
      client_type: confidential
      client_id: ulti-backend
      client_secret: changeme
      redirect_uris:
        - matching_mode: strict
          url: http://localhost/api/auth/callback
        - matching_mode: strict
          url: http://127.0.0.1/api/auth/callback
        - matching_mode: strict
          url: http://localhost:3000/api/auth/callback
        - matching_mode: strict
          url: http://127.0.0.1:3000/api/auth/callback
      signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]

  - model: authentik_core.application
    identifiers:
      slug: ulti
    attrs:
      name: Ultimail
      slug: ulti
      group: Ulti Suite
      provider: !KeyOf ulti-oauth-provider
      meta_launch_url: http://localhost/mail/inbox
      policy_engine_mode: any