Authentik OIDC client registration sweep
This directory holds the FlowerCore per-service OIDC client secret references for the ADR-093 / ADR-124 Phase 1 step 8 sweep.
The clients/*-oidc-client.yaml manifests are intentionally only
OnePasswordItem CRDs. The actual 1Password items are created by an operator in
the IAmWorkin vault with these fields:
| Field | Purpose |
|---|---|
| `client_id` | Authentik provider client id, default `<slug>` |
| `client_secret` | Authentik provider client secret |
| `issuer_url` | `https://id.iamworkin.lan/application/o/<slug>/` |
Run scripts/authentik-bulk-client-create.py in dry-run mode first. Live REST
mutation requires --apply, AUTHENTIK_TOKEN, and an operator-provided
client-secret JSON file. The script redacts secrets in all normal output.
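
A pre-flight check for the three item fields in the table above, as an added example that is not part of this repository or of `scripts/authentik-bulk-client-create.py`. The function name, the slug pattern and the sample slug `example-svc` are assumptions; the sample values are constructed.

```python
import re

ISSUER_HOST = "id.iamworkin.lan"  # host from the issuer_url row above
REQUIRED = ("client_id", "client_secret", "issuer_url")
SLUG_RE = re.compile(r"^[a-z0-9][a-z0-9-]*$")  # assumed slug shape


def check_item(slug, fields):
    """Return a list of findings for one service's 1Password item fields.

    Findings name the field at fault but never include the client_secret value.
    """
    if not SLUG_RE.match(slug):
        return [f"slug {slug!r} is not a plain lowercase slug"]
    findings = []
    for name in REQUIRED:
        if not (fields.get(name) or "").strip():
            findings.append(f"{name} is missing or empty")
    client_id = fields.get("client_id")
    if client_id and client_id != slug:
        # Allowed, since the slug is only the default, but worth a second look.
        findings.append(f"warning: client_id {client_id!r} is not the default {slug!r}")
    issuer = fields.get("issuer_url")
    expected = f"https://{ISSUER_HOST}/application/o/{slug}/"
    if issuer and issuer != expected:
        if not issuer.startswith("https://"):
            why = "scheme is not https"
        elif not issuer.startswith(f"https://{ISSUER_HOST}/"):
            why = "unexpected host"
        else:
            why = "path must be /application/o/<slug>/ including the trailing slash"
        findings.append(f"issuer_url {issuer!r}: {why}")
    return findings


# Constructed sample: issuer_url lacks the trailing slash.
SAMPLE = {
    "client_id": "example-svc",
    "client_secret": "constructed-not-a-real-secret",
    "issuer_url": "https://id.iamworkin.lan/application/o/example-svc",
}

if __name__ == "__main__":
    for finding in check_item("example-svc", SAMPLE):
        print(finding)
```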