Configure K3s for OIDC authentication with Authentik

This recipe describes how to configure K3s for OIDC authentication against an authentik instance.

This is a companion discussion topic for the original entry at

Your article says " Remember how we setup a groups property-mapper when deploying authentik? "

I don’t see this step in the deploying authentik article. I tried adding a groups Scope mapping in authentik with the expression return user.groups, but i’m not getting the groups in the token.

It appears that group should come back automatically as part of authentik default OAuth Mapping: OpenID 'profile', as it’s expression contains. "groups": [ for group in request.user.ak_groups.all()],. but it is not.

I’ve also tried appending --exec-arg=--oidc-extra-scope=groups to the kubectl config set-credentials oidc with no luck.

Any ideas?