Viktor Barzin aa461b95bc feat(authentik): bind Vault OIDC app to Allow Login Users (close ADR-0020 OIDC gap) ... Audit found the Vault Authentik application had no authorization binding, so any authenticated identity (incl. a future self-enrolled TripIt External user) could complete Vault OIDC login and get a built-in default-policy token. Bind it to 'Allow Login Users' — existing homelab users inherit that group via its children (verified User.all_groups() includes the parent), parentless TripIt External users are excluded. Closes the only OIDC app the forward-auth fence does not cover. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>		2026-06-15 21:48:04 +00:00
..
modules/authentik	authentik: ignore Keel-managed image_pull_policy on pgbouncer	2026-06-11 00:34:44 +00:00
admin-services-restriction.tf	feat(authentik): TripIt external self-signup group + forward-auth fence (ADR-0020)	2026-06-15 21:48:04 +00:00
authentik_provider.tf	authentik: incident hardening after the signin-speedup rollout storm	2026-06-11 00:26:52 +00:00
guest.tf	fix: restore tree dropped by 6d224861; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
main.tf	fix: restore tree dropped by 6d224861; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
secrets	fix: restore tree dropped by 6d224861; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
t3-users.tf	fix: restore tree dropped by 6d224861; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
terragrunt.hcl	fix: restore tree dropped by 6d224861; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
tripit-external.tf	feat(authentik): TripIt external self-signup group + forward-auth fence (ADR-0020)	2026-06-15 21:48:04 +00:00
vault-authz-binding.tf	feat(authentik): bind Vault OIDC app to Allow Login Users (close ADR-0020 OIDC gap)	2026-06-15 21:48:04 +00:00