fix authentication

backend/src/config/authentik.ts

@@ -11,15 +11,23 @@ interface AuthentikConfig {
   logoutEndpoint: string;
 }
 
+// Authentik's shared endpoints live at /application/o/, not at the per-app issuer path.
+// Issuer example: https://auth.example.com/application/o/myapp/
+// Token endpoint:  https://auth.example.com/application/o/token/
+const issuerUrl = new URL(environment.authentik.issuer);
+const pathParts = issuerUrl.pathname.split('/').filter(Boolean);
+const basePath = '/' + pathParts.slice(0, -1).join('/') + '/';
+const baseEndpoint = `${issuerUrl.origin}${basePath}`;
+
 const authentikConfig: AuthentikConfig = {
   issuer: environment.authentik.issuer,
   clientId: environment.authentik.clientId,
   clientSecret: environment.authentik.clientSecret,
   redirectUri: environment.authentik.redirectUri,
-  tokenEndpoint: `${environment.authentik.issuer}token/`,
+  tokenEndpoint: `${baseEndpoint}token/`,
-  userInfoEndpoint: `${environment.authentik.issuer}userinfo/`,
+  userInfoEndpoint: `${baseEndpoint}userinfo/`,
-  authorizeEndpoint: `${environment.authentik.issuer}authorize/`,
+  authorizeEndpoint: `${baseEndpoint}authorize/`,
-  logoutEndpoint: `${environment.authentik.issuer}logout/`,
+  logoutEndpoint: `${baseEndpoint}end-session/`,
 };
 
 export default authentikConfig;

frontend/src/services/auth.ts

@@ -28,11 +28,18 @@ export const authService = {
    * Handle OAuth callback - send code to backend, receive JWT
    */
   async handleCallback(code: string): Promise<AuthCallbackResponse> {
-    const response = await api.post<AuthCallbackResponse>('/api/auth/callback', {
+    const response = await api.post<{
+      success: boolean;
+      message: string;
+      data: { accessToken: string; refreshToken: string; user: User };
+    }>('/api/auth/callback', {
       code,
       redirect_uri: REDIRECT_URI,
     });
-    return response.data;
+    return {
+      token: response.data.data.accessToken,
+      user: response.data.data.user,
+    };
   },
 
   /**