fix authentication

backend/src/config/authentik.ts

@@ -11,15 +11,23 @@ interface AuthentikConfig {
   logoutEndpoint: string;
 }
 
+// Authentik's shared endpoints live at /application/o/, not at the per-app issuer path.
+// Issuer example: https://auth.example.com/application/o/myapp/
+// Token endpoint:  https://auth.example.com/application/o/token/
+const issuerUrl = new URL(environment.authentik.issuer);
+const pathParts = issuerUrl.pathname.split('/').filter(Boolean);
+const basePath = '/' + pathParts.slice(0, -1).join('/') + '/';
+const baseEndpoint = `${issuerUrl.origin}${basePath}`;
+
 const authentikConfig: AuthentikConfig = {
   issuer: environment.authentik.issuer,
   clientId: environment.authentik.clientId,
   clientSecret: environment.authentik.clientSecret,
   redirectUri: environment.authentik.redirectUri,
-  tokenEndpoint: `${environment.authentik.issuer}token/`,
-  userInfoEndpoint: `${environment.authentik.issuer}userinfo/`,
-  authorizeEndpoint: `${environment.authentik.issuer}authorize/`,
-  logoutEndpoint: `${environment.authentik.issuer}logout/`,
+  tokenEndpoint: `${baseEndpoint}token/`,
+  userInfoEndpoint: `${baseEndpoint}userinfo/`,
+  authorizeEndpoint: `${baseEndpoint}authorize/`,
+  logoutEndpoint: `${baseEndpoint}end-session/`,
 };
 
 export default authentikConfig;