From 44e22a9fc6b1eb1bf1350e507cb8cba3d7f850da Mon Sep 17 00:00:00 2001
From: Matthias Hochmeister
Date: Fri, 27 Feb 2026 19:05:18 +0100
Subject: [PATCH] fix authentication
---
 backend/src/config/authentik.ts | 16 ++++++++++++----
 frontend/src/services/auth.ts | 11 +++++++++--
 2 files changed, 21 insertions(+), 6 deletions(-)
diff --git a/backend/src/config/authentik.ts b/backend/src/config/authentik.ts
index 595f2cd..357c604 100644
--- a/backend/src/config/authentik.ts
+++ b/backend/src/config/authentik.ts
@@ -11,15 +11,23 @@ interface AuthentikConfig {
 logoutEndpoint: string;
 }
 
+// Authentik's shared endpoints live at /application/o/, not at the per-app issuer path.
+// Issuer example: https://auth.example.com/application/o/myapp/
+// Token endpoint: https://auth.example.com/application/o/token/
+const issuerUrl = new URL(environment.authentik.issuer);
+const pathParts = issuerUrl.pathname.split('/').filter(Boolean);
+const basePath = '/' + pathParts.slice(0, -1).join('/') + '/';
+const baseEndpoint = `${issuerUrl.origin}${basePath}`;
+
 const authentikConfig: AuthentikConfig = {
 issuer: environment.authentik.issuer,
 clientId: environment.authentik.clientId,
 clientSecret: environment.authentik.clientSecret,
 redirectUri: environment.authentik.redirectUri,
- tokenEndpoint: `${environment.authentik.issuer}token/`,
- userInfoEndpoint: `${environment.authentik.issuer}userinfo/`,
- authorizeEndpoint: `${environment.authentik.issuer}authorize/`,
- logoutEndpoint: `${environment.authentik.issuer}logout/`,
+ tokenEndpoint: `${baseEndpoint}token/`,
+ userInfoEndpoint: `${baseEndpoint}userinfo/`,
+ authorizeEndpoint: `${baseEndpoint}authorize/`,
+ logoutEndpoint: `${baseEndpoint}end-session/`,
 };
 
 export default authentikConfig;
diff --git a/frontend/src/services/auth.ts b/frontend/src/services/auth.ts
index 4bcb40e..3ac3734 100644
--- a/frontend/src/services/auth.ts
+++ b/frontend/src/services/auth.ts
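Review bot: In `backend/src/config/authentik.ts`, `logoutEndpoint` is now built from the shared base, but as far as I know authentik serves end-session per provider at `/application/o/<slug>/end-session/` (only authorize, token and userinfo are shared), so this line likely points at a path that does not exist and logout would leave the IdP session alive. Please confirm against the provider's `.well-known/openid-configuration` and, if that holds, keep this one on the issuer: `` logoutEndpoint: `${environment.authentik.issuer}end-session/`, ``. Separately, the `slice(0, -1)` derivation assumes the issuer path has at least two segments; with zero or one, `basePath` becomes `//` and every endpoint is silently wrong. A check before `basePath`, such as `if (pathParts.length < 2) throw new Error('authentik issuer must look like <origin>/application/o/<slug>/');`, would make a misconfigured issuer fail loudly at startup instead.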
@@ -28,11 +28,18 @@ export const authService = {
 * Handle OAuth callback - send code to backend, receive JWT
 */
 async handleCallback(code: string): Promise {
- const response = await api.post('/api/auth/callback', {
+ const response = await api.post<{
+ success: boolean;
+ message: string;
+ data: { accessToken: string; refreshToken: string; user: User };
+ }>('/api/auth/callback', {
 code,
 redirect_uri: REDIRECT_URI,
 });
- return response.data;
+ return {
+ token: response.data.data.accessToken,
+ user: response.data.data.user,
+ };
 },
 
 /**
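Review bot: The type argument on `api.post<…>` is only a compile-time claim, and `handleCallback` reads `response.data.data.accessToken` without ever checking `success`, so a `success: false` body without `data` surfaces as a TypeError rather than a login failure (assuming `api` rejects only on non-2xx status, which is not visible here). A guard before the `return` would cover it: `if (!response.data.success || !response.data.data?.accessToken) throw new Error(response.data.message || 'Login failed');`. The declared `refreshToken` is also delivered to the browser and then dropped; if the frontend never uses it, the backend should stop returning it in this response rather than exposing a credential the client does not need. The enclosing `authService` object starts and continues outside the hunk.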