fix(k8s-dashboard): set RS256 signing_key on Authentik OIDC provider

Provider had signing_key=null → Authentik signed id_tokens with HS256 and served an empty JWKS, so oauth2-proxy (and the apiserver) failed signature verification (500 'failed to verify id token signature' on the callback). Use the same 'authentik Self-signed Certificate' keypair the kubernetes provider uses. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-04 03:12:01 +00:00 · 2026-06-04 03:12:01 +00:00 · 1042c0f082
commit 1042c0f082
parent e436af8d8c
1 changed files with 10 additions and 0 deletions
--- a/stacks/k8s-dashboard/authentik.tf
+++ b/stacks/k8s-dashboard/authentik.tf
@ -34,6 +34,15 @@ data "authentik_flow" "default_provider_invalidation" {
  slug = "default-provider-invalidation-flow"
 }

+# RS256 signing keypair — REQUIRED, else Authentik signs the id_token with
+# HS256 (client-secret HMAC) and publishes an EMPTY JWKS, so oauth2-proxy AND
+# the apiserver fail signature verification ("failed to verify id token
+# signature" / 500 on the OAuth callback). Same keypair the `kubernetes`
+# provider uses.
+data "authentik_certificate_key_pair" "signing" {
+  name = "authentik Self-signed Certificate"
+}
+
 # Default OIDC scope mappings. `profile` carries the `groups` claim in
 # Authentik's default expression, which the apiserver reads via
 # --oidc-groups-claim=groups. offline_access enables refresh tokens.
@ -74,6 +83,7 @@ resource "authentik_provider_oauth2" "k8s_dashboard" {
  access_token_validity      = "hours=1"
  refresh_token_validity     = "days=30"
  include_claims_in_id_token = true
+  signing_key                = data.authentik_certificate_key_pair.signing.id

  property_mappings = concat(
    data.authentik_property_mapping_provider_scope.defaults.ids,