feat: add invalidation_flow to the tofu authentik providers

tofu/authentik/main.tf

@@ -33,21 +33,6 @@ resource "authentik_group" "vpn" {
 }
 
 
-module "firezone" {
-  source              = "../modules/authentik-oidc"
-  app_name            = "Firezone"
-  app_slug            = "firezone"
-  client_id           = var.firezone_client_id
-  client_secret       = var.firezone_client_secret
-  app_access_group_id = authentik_group.admins.id
-  redirect_uris       = ["https://fz.fukurokuju.dev/auth/oidc/authentik/callback/"]
-  app_icon            = "https://www.firezone.dev/icon.svg"
-  app_description     = "VPN"
-  app_publisher       = "Firezone"
-  app_url             = "https://fz.fukurokuju.dev"
-  sub_mode            = "hashed_user_id"
-}
-
 module "gitea" {
   source              = "../modules/authentik-oidc"
   app_name            = "Gitea"
@@ -159,5 +144,6 @@ module "netbird" {
   extra_property_mappings = [
     "goauthentik.io/providers/oauth2/scope-authentik_api"
   ]
-  app_icon = "https://vpn.fukurokuju.dev/apple-icon.png"
+  app_icon              = "https://vpn.fukurokuju.dev/apple-icon.png"
+  access_token_validity = "days=10"
 }

tofu/modules/authentik-oidc/main.tf

@@ -26,20 +26,25 @@ data "authentik_property_mapping_provider_scope" "default-scopes" {
   ], var.extra_property_mappings)
 }
 
+data "authentik_flow" "default-provider-invalidation-flow" {
+  slug = "default-provider-invalidation-flow "
+}
 
 resource "authentik_provider_oauth2" "provider_oidc" {
-  name                  = var.app_name
-  client_id             = var.client_id
-  client_secret         = var.client_secret
-  client_type           = var.client_type
-  authorization_flow    = data.authentik_flow.default-authorization-flow.id
-  authentication_flow   = data.authentik_flow.default-authentication-flow.id
-  redirect_uris         = var.redirect_uris
-  property_mappings     = data.authentik_property_mapping_provider_scope.default-scopes.ids
-  sub_mode              = var.sub_mode
-  signing_key           = var.oidc_signing_key
-  access_code_validity  = var.access_code_validity
-  access_token_validity = var.access_token_validity
+  name                   = var.app_name
+  client_id              = var.client_id
+  client_secret          = var.client_secret
+  client_type            = var.client_type
+  authorization_flow     = data.authentik_flow.default-authorization-flow.id
+  authentication_flow    = data.authentik_flow.default-authentication-flow.id
+  redirect_uris          = var.redirect_uris
+  property_mappings      = data.authentik_property_mapping_provider_scope.default-scopes.ids
+  sub_mode               = var.sub_mode
+  signing_key            = var.oidc_signing_key
+  access_code_validity   = var.access_code_validity
+  access_token_validity  = var.access_token_validity
+  refresh_token_validity = var.refresh_token_validity
+  invalidation_flow      = data.authentik_flow.default-provider-invalidation-flow.id
 }
 
 

tofu/modules/authentik-oidc/vars.tf

@@ -90,6 +90,11 @@ variable "access_token_validity" {
   default = "minutes=10"
 }
 
+variable "refresh_token_validity" {
+  type    = string
+  default = "days=30"
+}
+
 variable "extra_property_mappings" {
   type    = list(string)
   default = []

tofu/modules/authentik-proxy/main.tf

@@ -16,6 +16,9 @@ data "authentik_flow" "default-authentication-flow" {
   slug = "default-authentication-flow"
 }
 
+data "authentik_flow" "default-provider-invalidation-flow" {
+  slug = "default-provider-invalidation-flow "
+}
 
 resource "authentik_provider_proxy" "provider_proxy" {
   authorization_flow           = data.authentik_flow.default-authorization-flow.id
@@ -24,6 +27,7 @@ resource "authentik_provider_proxy" "provider_proxy" {
   internal_host                = var.internal_host
   name                         = var.app_name
   internal_host_ssl_validation = var.internal_host_ssl_validation
+  invalidation_flow            = data.authentik_flow.default-provider-invalidation-flow.id
 }