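---
# authentik blueprint, rendered through Jinja before authentik loads it.
# Every templated scalar is quoted so that an empty value or a number-looking
# one (e.g. an all-digit client_id) is still a string and never becomes null
# or an int. Values containing '"' or '\' must be escaped by the template
# (see the client_secret line for the robust form).
version: 1
metadata:
  name: oauth2-applications
entries:
{% for app in oauth_applications %}
  - model: authentik_providers_oauth2.oauth2provider
    identifiers:
      name: "{{ app.name }}"
    state: present
    attrs:
      name: "{{ app.name }}"
      # 'confidential' clients authenticate with a secret; use 'public' only
      # for browser/native apps that cannot keep one (they should then rely on
      # PKCE instead of a secret).
      client_type: "{{ app.client_type | default('confidential') }}"
      client_id: "{{ app.client_id }}"
{% if app.client_secret is defined %}
      # tojson emits a fully escaped double-quoted scalar, so a secret that
      # contains quotes or backslashes cannot break or truncate the document.
      # The plaintext secret ends up in the rendered blueprint on disk: source
      # it from a secret store, never commit the rendered file, and restrict
      # read access to the blueprint directory.
      client_secret: {{ app.client_secret | tojson }}
{% endif %}
      authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
      # Implicit consent never shows users a consent screen. Fine for
      # first-party apps; third-party relying parties should get the
      # explicit-consent authorization flow instead.
      authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
      invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
      # strict: the redirect_uri presented at /authorize must equal one of
      # these byte-for-byte, which blocks open-redirect style code theft.
      # Do not render this list empty — verify how the deployed authentik
      # version treats a provider without redirect URIs before relying on it.
      redirect_uris:
{% for uri in app.redirect_uris %}
        - url: "{{ uri }}"
          matching_mode: strict
{% endfor %}
      property_mappings:
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
      # ID tokens are signed with authentik's default self-signed key pair;
      # relying parties must validate against the provider's JWKS endpoint,
      # not a CA chain.
      signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
  - model: authentik_core.application
    identifiers:
      slug: "{{ app.slug }}"
    state: present
    attrs:
      name: "{{ app.name }}"
      slug: "{{ app.slug }}"
      provider: !Find [authentik_providers_oauth2.oauth2provider, [name, "{{ app.name }}"]]
      # No policies are bound to the application here, so every authenticated
      # user may reach it. Bind group/expression policies on the application
      # to restrict access.
      policy_engine_mode: any
{% endfor %}
  - model: authentik_policies_expression.expressionpolicy
    identifiers:
      name: enforce-unique-email
    state: present
    attrs:
      name: enforce-unique-email
      # Rejects enrollment when the submitted e-mail already belongs to a user.
      # The lookup is case-insensitive so "Alice@example.com" and
      # "alice@example.com" cannot both be enrolled. A missing or empty
      # address passes this policy; if e-mail is mandatory, enforce that with
      # a required prompt field rather than here.
      expression: |
        from authentik.core.models import User

        # `or ""` also covers an explicit null in prompt_data.
        email = request.context.get("prompt_data", {}).get("email") or ""
        if not email:
            return True
        # The message confirms to the caller that the address is registered
        # (user enumeration). That is inherent to an enrollment uniqueness
        # check; keep the enrollment flow behind rate limiting / captcha if
        # enumeration is a concern for this deployment.
        if User.objects.filter(email__iexact=email).exists():
            ak_message("This email address is already in use.")
            return False
        return True
      execution_logging: true
  - model: authentik_stages_prompt.promptstage
    identifiers:
      name: default-source-enrollment-prompt
    state: present
    attrs:
      fields:
        - !Find [authentik_stages_prompt.prompt, [name, default-source-enrollment-field-username]]
      # NOTE(review): only a username field is prompted here, so the policy
      # below sees an "email" key only if the source pre-fills prompt_data
      # (e.g. from the upstream IdP's user info). Confirm this for each
      # source; otherwise the uniqueness check silently passes.
      validation_policies:
        - !Find [authentik_policies_expression.expressionpolicy, [name, enforce-unique-email]]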