From 1042c0f0827b138262c3bd304c45165738a12c4f Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Thu, 4 Jun 2026 03:12:01 +0000
Subject: [PATCH] fix(k8s-dashboard): set RS256 signing_key on Authentik OIDC provider
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Provider had signing_key=null → Authentik signed id_tokens with HS256 and served an empty JWKS, so oauth2-proxy (and the apiserver) failed signature verification (500 'failed to verify id token signature' on the callback). Use the same 'authentik Self-signed Certificate' keypair the kubernetes provider uses.

Co-Authored-By: Claude Opus 4.8
---
 stacks/k8s-dashboard/authentik.tf | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/stacks/k8s-dashboard/authentik.tf b/stacks/k8s-dashboard/authentik.tf
index 97f721b9..708f60d2 100644
--- a/stacks/k8s-dashboard/authentik.tf
+++ b/stacks/k8s-dashboard/authentik.tf
@@ -34,6 +34,15 @@ data "authentik_flow" "default_provider_invalidation" {
   slug = "default-provider-invalidation-flow"
 }
 
+# RS256 signing keypair — REQUIRED, else Authentik signs the id_token with
+# HS256 (client-secret HMAC) and publishes an EMPTY JWKS, so oauth2-proxy AND
+# the apiserver fail signature verification ("failed to verify id token
+# signature" / 500 on the OAuth callback). Same keypair the `kubernetes`
+# provider uses.
+data "authentik_certificate_key_pair" "signing" {
+  name = "authentik Self-signed Certificate"
+}
+
 # Default OIDC scope mappings. `profile` carries the `groups` claim in
 # Authentik's default expression, which the apiserver reads via
 # --oidc-groups-claim=groups. offline_access enables refresh tokens.
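Review bot: The `authentik_certificate_key_pair` data source added in this hunk is only consumed for its `.id`, but as far as I recall the provider's `fetch_key` and `fetch_certificate` arguments default to true, which would copy the RS256 signing keypair's private key into Terraform state and plan output as `key_data` — please confirm against the provider version pinned in this stack. Since nothing here reads the key material, I would add `fetch_key = false` and `fetch_certificate = false` inside the block so the token-signing private key never leaves Authentik. Separately, the lookup by display name binds this provider (and, per the comment, the `kubernetes` provider) to the auto-generated self-signed keypair, so regenerating or renaming it changes the JWKS for both at once; a short comment such as `# NOTE: rotating or renaming this keypair invalidates id_tokens for every provider that references it` would make that coupling visible to the next maintainer.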
@@ -74,6 +83,7 @@ resource "authentik_provider_oauth2" "k8s_dashboard" {
   access_token_validity = "hours=1"
   refresh_token_validity = "days=30"
   include_claims_in_id_token = true
+  signing_key = data.authentik_certificate_key_pair.signing.id
   property_mappings = concat(
     data.authentik_property_mapping_provider_scope.defaults.ids,