# Authentik SSO Configuration

## Location

- **Server:** Contabo (5.189.158.149 / 100.64.0.6)
- **URL:** https://auth.echo6.co
- **Internal Port:** 9000

## API Access

The API token is stored in `/home/zvx/projects/.ref/credentials` as `AUTHENTIK_API_TOKEN`.

## Flow UUIDs

Required for OAuth2 provider creation:

| Flow | UUID |
|------|------|
| Authorization (implicit) | `86051292-389f-4bd9-b0f9-53cd32f197fd` |
| Authorization (explicit) | `6f9f5c89-9f98-4776-9e0d-a72a8ad17963` |
| Invalidation | `ed861c0d-2c81-4c3d-819b-946a21c4296a` |
| Provider Invalidation | `1eb91626-19a3-4f45-b384-d699c6189197` |

## Create New API Token

```bash
# Creates (or fetches) an API token owned by akadmin and prints its key to stdout.
# The token is created with "expiring": False, so it stays valid until deleted.
ssh root@100.64.0.6 'docker exec authentik-server ak shell -c "
from authentik.core.models import Token, User
user = User.objects.get(username=\"akadmin\")
token, created = Token.objects.get_or_create(
    identifier=\"token-name\",
    user=user,
    defaults={\"intent\": \"api\", \"expiring\": False}
)
print(token.key)
"'
```

## Quick OAuth2 Provider Creation

```bash
# Source credentials
source /home/zvx/projects/.ref/credentials

# Create provider
curl -s -X POST "https://auth.echo6.co/api/v3/providers/oauth2/" \
  -H "Authorization: Bearer $AUTHENTIK_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "AppName",
    "authorization_flow": "86051292-389f-4bd9-b0f9-53cd32f197fd",
    "invalidation_flow": "ed861c0d-2c81-4c3d-819b-946a21c4296a",
    "client_type": "confidential",
    "client_id": "appname",
    "redirect_uris": [{"matching_mode": "strict", "url": "https://app.echo6.co/callback"}],
    "sub_mode": "user_username"
  }'

# Create application (replace PROVIDER_PK with the pk from the provider response)
curl -s -X POST "https://auth.echo6.co/api/v3/core/applications/" \
  -H "Authorization: Bearer $AUTHENTIK_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "AppName",
    "slug": "appname",
    "provider": PROVIDER_PK,
    "meta_launch_url": "https://app.echo6.co"
  }'
```

## Common Redirect URI Patterns

| Application Type | Redirect URI Pattern |
|------------------|---------------------|
| Web app | `https://app.echo6.co/callback` |
| Web app (oauth) | `https://app.echo6.co/oauth/callback` |
| Caddy forward auth | `https://app.echo6.co/outpost.goauthentik.io/callback` |
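
A pre-flight check for the provider payload and redirect URI patterns above, written as an added example (not part of the original notes or of authentik itself). It checks the flow UUIDs against the table, flags redirect URIs that are not strict-mode HTTPS under `echo6.co`, and builds the application body from the provider response's `pk`. The function names, the `.echo6.co` suffix rule and the confidential-only policy are assumptions.

```python
from urllib.parse import urlsplit

# Flow UUIDs copied from the table on this page.
AUTHORIZATION_FLOWS = {"86051292-389f-4bd9-b0f9-53cd32f197fd",  # implicit
                       "6f9f5c89-9f98-4776-9e0d-a72a8ad17963"}  # explicit
INVALIDATION_FLOWS = {"ed861c0d-2c81-4c3d-819b-946a21c4296a",   # invalidation
                      "1eb91626-19a3-4f45-b384-d699c6189197"}   # provider invalidation
ALLOWED_SUFFIX = ".echo6.co"  # assumption: every app is hosted under this domain


def lint_provider(payload):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if payload.get("authorization_flow") not in AUTHORIZATION_FLOWS:
        findings.append("authorization_flow is not a known authorization flow")
    if payload.get("invalidation_flow") not in INVALIDATION_FLOWS:
        findings.append("invalidation_flow is not a known invalidation flow")
    if payload.get("client_type") != "confidential":  # assumed policy
        findings.append("client_type is not confidential")
    uris = payload.get("redirect_uris") or []
    if not uris:
        findings.append("no redirect_uris given")
    for entry in uris:
        url = entry.get("url", "")
        parts = urlsplit(url)
        if entry.get("matching_mode") != "strict":
            findings.append(f"{url}: matching_mode is not strict")
        if parts.scheme != "https":
            findings.append(f"{url}: scheme is not https")
        if not (parts.hostname or "").endswith(ALLOWED_SUFFIX):
            findings.append(f"{url}: host is outside {ALLOWED_SUFFIX}")
        if "*" in url or parts.fragment:
            findings.append(f"{url}: wildcard or fragment in redirect URI")
    return findings


def application_payload(provider_response, slug, launch_url):
    """Build the /core/applications/ body from the provider creation response."""
    pk = provider_response.get("pk")
    if not isinstance(pk, int):
        raise ValueError("provider response has no integer pk; creation failed")
    return {"name": provider_response["name"], "slug": slug,
            "provider": pk, "meta_launch_url": launch_url}


if __name__ == "__main__":
    # Constructed sample: regex-mode, plain-http redirect on a foreign host.
    bad = {"client_type": "public", "redirect_uris": [
        {"matching_mode": "regex", "url": "http://app.example.com/.*"}]}
    print("\n".join(lint_provider(bad)))
```

Run the lint on the JSON body before passing it to `curl -d`, and feed the parsed provider response to `application_payload` instead of pasting the `pk` by hand.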