seperate proxy for rewriting openid config

authentik/proxy/Dockerfile

@@ -0,0 +1,6 @@
+FROM python:3.12-slim
+WORKDIR /app
+RUN pip install --no-cache-dir flask gunicorn requests
+COPY app.py .
+EXPOSE 5000
+CMD ["gunicorn", "-w", "1", "-b", "0.0.0.0:5000", "app:app"]

authentik/proxy/app.py

@@ -0,0 +1,24 @@
+import os
+import requests
+from flask import Flask, jsonify, request
+
+app = Flask(__name__)
+
+@app.route("/headers")
+def headers():
+    return jsonify(dict(request.headers))
+
+@app.route("/<provider>/.well-known/openid-configuration",)
+def openid(provider):
+    internal = os.environ.get('INTERNAL')
+    external = os.environ.get('EXTERNAL')
+    url = f'/application/o/{provider}/.well-known/openid-configuration'
+    response = requests.get(f'{internal}/{url}')
+    return jsonify({
+        k: v.replace(internal, external)
+            if isinstance(v, str) and (k != 'jwks_uri') else v
+            for k, v in response.json().items()
+        })
+
+if __name__ == '__main__':
+    app.run(host='0.0.0.0', port=5000)

caddy/conf/auth.caddy

@@ -10,7 +10,7 @@
 			scopes openid email profile
 
 			base_auth_url https://authentik.rik.veenboer.xyz
-			metadata_url http://host:12345/.well-known
+			metadata_url http://192.168.2.200:15000/caddy/.well-known/openid-configuration
 		}
 		authentication portal myportal {
 			enable identity provider generic

caddy/sites/test.caddy

@@ -4,7 +4,7 @@ test.rik.veenboer.xyz {
 	}
 
 	authorize with mypolicy
-	reverse_proxy host:12345
+	reverse_proxy host:15000
 }
 
 auth.rik.veenboer.xyz {

docker-compose.authentik.yml

@@ -75,3 +75,16 @@ services:
     depends_on:
       - authentik-postgresql
       - authentik-redis
+
+  authentik-proxy:
+    image: authentik-proxy
+    container_name: authentik-proxy
+    ports:
+      - "15000:5000"
+    environment:
+      INTERNAL: http://host:19000
+      EXTERNAL: https://authentik.rik.veenboer.xyz
+    build:
+      context: /opt/authentik/proxy
+    extra_hosts:
+      - host:192.168.2.200