samply · Threated · Jul 4, 2025 · Jul 4, 2025
diff --git a/central/src/auth/authentik/mod.rs b/central/src/auth/authentik/mod.rs
@@ -39,6 +39,7 @@ pub struct AuthentikConfig {
 pub struct FlowPropertymapping {
     pub authorization_flow: String,
     pub invalidation_flow: String,
+    pub signing_key: String,
     pub property_mapping: Vec<String>,
     pub federation_mapping: Vec<String>
 }
@@ -50,6 +51,7 @@ impl FlowPropertymapping {
         }
         let flow_auth = "Authorize Application";
         let flow_invalidation = "Logged out of application";
+        let crypto_signing_key = "authentik_hs265";
         let property_keys = conf.authentik_property_names.clone();
         let jwt_federation_sources = conf.authentik_federation_names.clone();
         //let flow_url = "/api/v3/flows/instances/?name=...";
@@ -58,6 +60,10 @@ impl FlowPropertymapping {
             .authentik_url
             .join("api/v3/flows/instances/")
             .unwrap();
+        let signing_key_url = conf
+            .authentik_url
+            .join("api/v3/crypto/certificatekeypairs/")
+            .unwrap();
         let property_url = conf
             .authentik_url
             .join("api/v3/propertymappings/all/")
@@ -74,10 +80,14 @@ impl FlowPropertymapping {
         let invalidation_flow = get_uuid(&flow_url, flow_invalidation, conf)
             .await
             .expect("No default flow present"); // flow uuid
+        let signing_key = get_uuid(&signing_key_url, crypto_signing_key, conf)
+            .await
+            .expect("No default crypto signing_key"); // crypto signing_key uuid
 
         let mapping = FlowPropertymapping {
             authorization_flow,
             invalidation_flow,
+            signing_key,
             property_mapping,
             federation_mapping
         };

diff --git a/central/src/auth/authentik/provider.rs b/central/src/auth/authentik/provider.rs
@@ -34,21 +34,25 @@ pub async fn generate_provider_values(
     });
 
     if !oidc_client_config.redirect_urls.is_empty() {
-        let res_urls: Vec<RedirectURIS> = oidc_client_config
-            .redirect_urls
-            .iter()
-            .map(|url| {
-                let (matching_mode, url) = if is_regex_uri(url) {
-                    ("regex".to_owned(), convert_to_regex_url(url))
-                } else {
-                    ("strict".to_owned(), url.to_owned())
-                };
-                RedirectURIS {
-                    matching_mode,
-                    url,
-                }
-            })
-            .collect();
+        let mut res_urls: Vec<RedirectURIS> = Vec::new();
+        for url in &oidc_client_config.redirect_urls {
+            if is_regex_uri(url) {
+                res_urls.push(RedirectURIS {
+                    matching_mode: "strict".to_owned(),
+                    url: convert_to_strict_for_regex(url),
+                });
+                res_urls.push(RedirectURIS {
+                    matching_mode: "regex".to_owned(),
+                    url: convert_to_regex_url(url),
+                });
+            } else {
+                res_urls.push(RedirectURIS {
+                    matching_mode: "strict".to_owned(),
+                    url: url.to_owned(),
+                });
+            }
+        }
+
         json["redirect_uris"] = json!(res_urls);
     }
 
@@ -60,6 +64,9 @@ pub async fn generate_provider_values(
     if let Some(secret) = secret {
         json["client_secret"] = json!(secret);
     }
+    if oidc_client_config.is_public {
+        json["signing_key"] = json!(mapping.signing_key);
+    }
     Ok(json)
 }
 
@@ -215,8 +222,7 @@ pub async fn check_set_federation_id(
 }
 
 fn is_regex_uri(uri: &str) -> bool {
-    let regex_chars = ['*'];
-    uri.chars().any(|c| regex_chars.contains(&c))
+    uri.ends_with('*')
 }
 
 fn convert_to_regex_url(uri: &str) -> String {
@@ -231,4 +237,15 @@ fn convert_to_regex_url(uri: &str) -> String {
     }
     result_uri.push_str("$");
     result_uri
+}
+
+fn convert_to_strict_for_regex(uri: &str) -> String {
+    let mut result_uri = uri.to_owned();
+    if result_uri.ends_with('*') {
+        result_uri.pop();
+        if result_uri.ends_with("/") {
+            result_uri.pop();
+        }
+    }
+    result_uri
 }