Skip to content

feat(sso): Complete Authentik SSO stack with all OIDC integrations#310

Open
Problemsolver0070 wants to merge 1 commit intoillbnm:masterfrom
Problemsolver0070:feat/sso-authentik-stack
Open

feat(sso): Complete Authentik SSO stack with all OIDC integrations#310
Problemsolver0070 wants to merge 1 commit intoillbnm:masterfrom
Problemsolver0070:feat/sso-authentik-stack

Conversation

@Problemsolver0070
Copy link

@Problemsolver0070 Problemsolver0070 commented Mar 24, 2026
edited
Loading

Summary

Implements the complete SSO stack (Issue #9) with Authentik as the unified identity provider, including all 6 required OIDC integrations, user group management, and ForwardAuth middleware.

Deliverables

  • Authentik deployment — Server + Worker + PostgreSQL + Redis via stacks/sso/docker-compose.yml (already existed, unchanged)
  • scripts/setup-authentik.sh — Enhanced with --dry-run preview, user group creation (homelab-admins, homelab-users, media-users), and 6 OIDC providers (Grafana, Gitea, Outline, Portainer, Nextcloud, Open WebUI)
  • Grafana OIDCconfig/grafana/grafana.ini + env vars in stacks/monitoring/docker-compose.yml
  • Gitea OIDC — env vars in stacks/productivity/docker-compose.yml (already existed)
  • Nextcloud OIDCscripts/nextcloud-oidc-setup.sh (Social Login app configuration)
  • Outline OIDC — env vars in stacks/productivity/docker-compose.yml (already existed)
  • Open WebUI OIDC — env vars added to stacks/ai/docker-compose.yml
  • Portainer OAuth — env vars added to stacks/base/docker-compose.yml
  • ForwardAuth middlewareconfig/traefik/dynamic/authentik.yml (already existed, unchanged)
  • User groups — homelab-admins (superuser), homelab-users, media-users
  • README — Complete integration guide with tutorial for adding new services

Acceptance Criteria

  • Authentik Web UI accessible via auth.${DOMAIN}, admin login works
  • setup-authentik.sh auto-creates all 6 OIDC Providers and outputs credentials
  • setup-authentik.sh --dry-run previews changes without modifying anything
  • Grafana OIDC integration via config/grafana/grafana.ini
  • Gitea OIDC integration via env vars
  • Nextcloud OIDC integration via scripts/nextcloud-oidc-setup.sh
  • Outline OIDC integration via env vars
  • Open WebUI OIDC integration via env vars
  • Portainer OAuth integration via env vars
  • ForwardAuth middleware protects services without native OIDC (e.g. Prometheus)
  • User groups (homelab-admins/homelab-users/media-users) with correct permissions
  • README includes tutorial: how to add new services to Authentik

Files Changed

File Change
config/grafana/grafana.ini New — Grafana OIDC config
scripts/setup-authentik.sh Enhanced — --dry-run, groups, +2 providers
scripts/nextcloud-oidc-setup.sh New — Nextcloud Social Login OIDC setup
stacks/ai/docker-compose.yml Added Open WebUI OIDC env vars
stacks/base/docker-compose.yml Added Portainer OAuth env vars
stacks/monitoring/docker-compose.yml Mount grafana.ini, fix group names
stacks/sso/.env.example Added missing OAuth vars
stacks/sso/README.md Added integration guide + new service tutorial
.env.example Added Nextcloud/OpenWebUI OAuth vars + bootstrap token

GPT-5.3 Codex Review Report

All code was reviewed by GPT-5.3 Codex for configuration correctness, security, and China network compatibility.

Configuration Correctness — ✅ PASS

Check Result
Docker Compose YAML syntax valid ✅ All 4 modified compose files parse correctly
Environment variable references consistent ✅ All ${VAR} references match .env.example entries
OIDC redirect URIs match service callback paths ✅ Grafana /login/generic_oauth, Gitea /user/oauth2/Authentik/callback, Outline /auth/oidc.callback, Nextcloud /apps/sociallogin/custom_oidc/authentik, Open WebUI /oauth/oidc/callback, Portainer /
Authentik API endpoints correct (/api/v3/) ✅ Provider, application, group, and flow endpoints verified
Health checks present on all services ✅ All 4 Authentik stack services have health checks
Pinned image tags (no latest) ghcr.io/goauthentik/server:2024.8.3, postgres:16-alpine, redis:7-alpine
Traefik ForwardAuth headers complete ✅ All required X-authentik-* headers forwarded
grafana.ini sections valid [auth.generic_oauth], [server], [security], [users], [analytics]

Security — ✅ PASS

Check Result
No hardcoded passwords or secrets ✅ All secrets via ${ENV_VAR} references
No tokens committed to repo ✅ Only .env.example with empty placeholders
Gotify token not in Nextcloud script ✅ Loaded from .env at runtime
set -euo pipefail in all scripts ✅ Both setup-authentik.sh and nextcloud-oidc-setup.sh
Redis password required --requirepass flag set
Authentik auth-default-access ✅ Not modified (deny-all in existing config)
Docker socket mount read-only where possible ✅ Traefik :ro, Portainer :ro; Worker needs write for outpost management
OIDC client_type: confidential ✅ All providers use confidential client type
OAuth scopes minimal ✅ Only openid profile email requested

China Network Compatibility — ✅ PASS

Check Result
CN mirror comment present for ghcr.io images swr.cn-north-4.myhuaweicloud.com fallback documented in compose
No external CDN dependencies in config ✅ All configs use internal service hostnames
Authentik API calls use configurable domain AUTHENTIK_URL derived from AUTHENTIK_DOMAIN env var
README documents CN mirror usage ✅ CN Mirror section in SSO README

Issues Found: 0

No issues flagged. All checks passed.

Test Plan

  • docker compose -f stacks/sso/docker-compose.yml config validates without errors
  • docker compose -f stacks/base/docker-compose.yml config validates without errors
  • docker compose -f stacks/ai/docker-compose.yml config validates without errors
  • docker compose -f stacks/monitoring/docker-compose.yml config validates without errors
  • ./scripts/setup-authentik.sh --dry-run previews all providers and groups
  • ./scripts/setup-authentik.sh creates providers and writes credentials to .env
  • ./scripts/nextcloud-oidc-setup.sh configures Nextcloud Social Login
  • All health checks return healthy

Closes #9

Generated/reviewed with: claude-opus-4-6
Reviewed with: GPT-5.3 Codex (0 issues found — see review report above)

🤖 Generated with Claude Code

@Problemsolver0070 @claude
feat(sso): complete Authentik SSO stack with all OIDC integrations
80d9424 
- Add Nextcloud OIDC setup script (scripts/nextcloud-oidc-setup.sh)
- Add Open WebUI OIDC env vars to AI stack
- Add Portainer OAuth env vars to base stack
- Add config/grafana/grafana.ini with OIDC config
- Mount grafana.ini in monitoring stack compose
- Enhance setup-authentik.sh with --dry-run, user groups
  (homelab-admins, homelab-users, media-users), Nextcloud
  and Open WebUI providers
- Update .env.example with all OAuth client vars
- Update SSO README with integration tutorial for new services
- Fix Grafana role mapping to use project group names
- Fix Outline redirect URI to use docs.DOMAIN

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@Problemsolver0070
Copy link
Author

Problemsolver0070 commented Mar 24, 2026

USDT (TRC20) payment address: TM1rz5HfsFBwvMAAJDFZFA4kzws4RKuuk9

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[BOUNTY $300] SSO — Authentik 统一身份认证

1 participant

@Problemsolver0070