Configure K3s for OIDC authentication with Authentik

This recipe describes how to configure K3s for OIDC authentication against an authentik instance.

This is a companion discussion topic for the original entry at

Your article says " Remember how we setup a groups property-mapper when deploying authentik? "

I don’t see this step in the deploying authentik article. I tried adding a groups Scope mapping in authentik with the expression return user.groups, but i’m not getting the groups in the token.

It appears that group should come back automatically as part of authentik default OAuth Mapping: OpenID 'profile', as it’s expression contains. "groups": [ for group in request.user.ak_groups.all()],. but it is not.

I’ve also tried appending --exec-arg=--oidc-extra-scope=groups to the kubectl config set-credentials oidc with no luck.

Any ideas?


The stated redirect URL in the provider config for authentik is wrong. Instead of http://localhost:18000 it is just http://localhost:8000

Hey, just ran into this same issue. Adding --exec-arg=--oidc-extra-scope=profile to the login command seems to work, as groups get returned when requesting that scope.