Device Code Flow Setup

[forgo]

Version: 2024.8.2
Deployment: Helm Chart / Kubernetes (EKS)

I am replacing Keycloak which currently only serves the purpose of administrative actions via influxctl for an InfluxDB time series database (using device code flow).

From what I can see, the flow is initiated successfully because I get a URL to follow with the code:

$ influxctl --profile transient database list;                                                                 
info    Go to the following URL and enter this code to authenticate:
info    <AUTHENTIK_HOST>/device?code=314980372
info    Code: 314980372

However, the URL given seems to use /device?code=, which 404s -- and looks different from the endpoint in the configuration /application/o/device.

As far as Influx is concerned, we pass these URLs for the device code flow configuration:

client_id = "*************"
token_url = "${AUTHENTIK_HOST}/application/o/token/"
device_url = "${AUTHENTIK_HOST}/application/o/device/"

The question is, is the URL coming back wrong and a bug on Authentik side? From what I can tell, Influx is just forwarding something generated by Authentik in this flow. If I misconfigure the URLs above in Influx, the flow doesn't even properly initiate.

I have seen older Authentik docs/GitHub issues regarding "Tenants" and adding a manual "Flow" for device code flow. But the latest version does not seem to indicate any place to configure Device Code Flow explicitly for my provider, and the device endpoint was more or less gathered intuitively through inspecting the OpenID configuration URL:

For example:
${AUTHENTIK_HOST}/application/o/influx-db-stg/.well-known/openid-configuration

It seems I am missing something on the Authentik configuration and not Influx here, since I see the event logs do show the Device Token being generated. The Authentik URL coming back appears to be wrong or not setup to process the code.

Am I missing some documentation surrounding Device Code Flow beyond this as it relates to a Provider/Application?

https://docs.goauthentik.io/docs/providers/oauth2/device_code

[profiluefter]

btw the device_code flow now has better docs in regards to this, commit 8e4810f added them: https://docs.goauthentik.io/docs/add-secure-apps/providers/oauth2/device_code#create-and-apply-a-device-code-flow

yes it seems like you need to configure this flow in order for /device to work