Unauthenticated paths?

[aureateflux]

I'm playing around with using Authentik to add an authentication layer on top of Mealie so I can enforce some MFA. I didn't find any substantial discussion anywhere about doing this with Mealie, so I'm just following the typical flow of adding applications to Authentik.

I have the authentication working (it still requires a login to mealie after logging into Authentik, of course, since forward auth isn't implemented yet), and I haven't found any problems running it while signed into Authentik.

Sharing doesn't work, however, because the identity provider needs to know which paths don't need to be authenticated. I tried adding ^/shared/.* to the provider's unauthenticated paths list. That at least gets the page starting to load, but it doesn't load the actual recipe.

I'm hoping someone who has experience using Authentik or Authelia with Mealie can help me with identifying all the unauthenticated paths that need to be bypassed. There must be a path i'm missing that's causing the conflict. When I inspect the page, I'm seeing that it's refusing to run the script because of CSP rules I have in place. If I add the authentik domain path as a trusted source in the CSP headers, it triggers cross origin read blocking.

Any ideas on what path I need to tell Authentik to bypass so the script stays in the subdomain in this case?