benschubert.infrastructure.authentik_provider_oauth2 module – Allows administration of Authentik OAuth2 providers

Note

This module is part of the benschubert.infrastructure collection (version 0.0.1).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install benschubert.infrastructure.

To use it in a playbook, specify: benschubert.infrastructure.authentik_provider_oauth2.

Synopsis

Parameters

Parameter

Comments

authentik_token

string / required

The token used to authenticate against the Authentik server

authentik_url

string / required

The URL at which to contact the Authentik server

ca_path

string

PEM formatted file that contains a CA certificate to be used for validation

provider

dictionary / required

The configuration for the specified provider

  authorization_flow

  string / required

  The slug of the authorization flow used to authorize connecting to the connected application

  invalidation_flow

  string / required

  The slug of the invalidation flow used to invalidate a session

  name

  string / required

  The name to give to the provider

  property_mappings

  list / elements=string / required

  The ids of the scopes to give to this application.

  See benschubert.infrastructure.authentik_propertymappings_scope_info for how to retrieve scopes by name more easily

  redirect_uris

  list / elements=dictionary / required

  The URIs that are valid redirection targets after login.

  Each element must be a dictionary of the form {url: <url>, matching_mode: 'strict' or 'regex'}

  signing_key

  string / required

  The primary key of the signing key this provider uses for signing

  sub_mode

  string

  The mode for the OAuth sub information

  Choices:

    • "hashed_user_id" ← (default)

    • "user_id"

    • "user_uuid"

    • "user_username"

    • "user_email"

    • "user_upn"

state

string

Whether the entity should exist or not

Choices:

  • "present" ← (default)

  • "absent"

timeout

integer

The timeout to set when contacting the Authentik server.

If your server is slow to respond, it might be necessary to raise this.

Default: 10

validate_certs

boolean

If false, SSL certificates will not be validated.

This should only be set to false on personally controlled sites using self-signed certificates.

Choices:

  • false

  • true ← (default)

Examples

- name: Configure a provider for Grafana
  benschubert.infrastructure.authentik_provider_oauth2:
    authentik_token: <my-secret-token>
    authentik_url: https://authentik.test/
    provider:
      name: grafana-
      authorization_flow: only-admin-authorization
      # invalidation_flow is required; use the slug of the flow that ends the session
      invalidation_flow: <invalidation-flow-slug>
      redirect_uris:
        - url: https://grafana.test/login/generic_oauth
          matching_mode: strict
      property_mappings:
        - <email_mapping>.pk
        - <openid_mapping>.pk
        - <profile_mapping>.pk
      signing_key: <certificate>.pk
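A fuller playbook, added here as an example and not taken from the collection's own documentation, showing the parameters the reference above describes: ca_path instead of disabling validate_certs, an explicit invalidation_flow and sub_mode, strict redirect matching, and state: absent reusing the same provider definition through a YAML anchor. The vaulted token variable, the CA path, the scope and signing-key primary-key variables, and the invalidation flow slug are assumptions.

```yaml
# Added example (not from the collection's docs). Assumed: the play runs on
# localhost, the API token lives in the vaulted variable vault_authentik_token,
# the scope and certificate primary keys were registered by earlier tasks, and
# the invalidation flow slug matches the one deployed on the Authentik instance.
- name: Manage the Grafana OAuth2 provider in Authentik
  hosts: localhost
  gather_facts: false
  vars:
    authentik_url: https://authentik.test/
    # The private CA that issued the Authentik server certificate. Supplying it
    # via ca_path keeps validate_certs at its default of true; setting
    # validate_certs: false instead would accept any certificate presented.
    authentik_ca_path: /etc/ssl/certs/internal-ca.pem
  tasks:
    - name: Ensure the provider exists with strict redirect matching
      benschubert.infrastructure.authentik_provider_oauth2:
        authentik_url: "{{ authentik_url }}"
        authentik_token: "{{ vault_authentik_token }}"
        ca_path: "{{ authentik_ca_path }}"
        timeout: 30  # raised for a slow instance; the module default is 10
        provider: &grafana_provider
          name: grafana
          authorization_flow: only-admin-authorization
          invalidation_flow: default-provider-invalidation-flow  # assumed slug
          sub_mode: user_uuid  # subject stays stable if the username changes
          redirect_uris:
            # strict requires an exact match of the callback URL; prefer it
            # over regex unless the application's callback URL really varies
            - url: https://grafana.test/login/generic_oauth
              matching_mode: strict
          property_mappings: "{{ grafana_scope_pks }}"   # assumed earlier lookup
          signing_key: "{{ authentik_signing_key_pk }}"  # assumed earlier lookup
        state: present
      register: grafana_provider

    - name: Show the primary key Authentik assigned to the provider
      ansible.builtin.debug:
        var: grafana_provider.data.pk

    - name: Remove the provider again when Grafana is decommissioned
      benschubert.infrastructure.authentik_provider_oauth2:
        authentik_url: "{{ authentik_url }}"
        authentik_token: "{{ vault_authentik_token }}"
        ca_path: "{{ authentik_ca_path }}"
        provider: *grafana_provider
        state: absent
      when: grafana_decommissioned | default(false)
```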

Return Values

Common return values are documented in the general Ansible return-value documentation; the fields unique to this module are:

Key

Description

data

dictionary

The information returned by the Authentik API for the provider

Returned: always

Sample: {"access_token_validity": "hours=1", "assigned_application_name": "Grafana's dashboard", "assigned_application_slug": "grafana-dashboard", "authorization_flow": "<pk>", "component": "ak-provider-oauth2-form", "name": "benschubert-infrastructure-grafana", "pk": 1}

Authors

  • Benjamin Schubert (@benjaminschubert)