# SSO / OIDC Status

**Identity Provider:** Authentik at `https://sso.vish.gg` (runs on Calypso)

**Last updated:** 2026-03-21

---

## Configured Services

| Service | URL | Authentik App Slug | Method | Notes |
|---------|-----|--------------------|--------|-------|
| Grafana (Atlantis) | `gf.vish.gg` | — | OAuth2 generic | Pre-existing |
| Grafana (homelab-vm) | monitoring stack | — | OAuth2 generic | Pre-existing |
| Mattermost (matrix-ubuntu) | `mm.crista.love` | — | OpenID Connect | Pre-existing |
| Mattermost (homelab-vm) | — | — | GitLab-compat OAuth2 | Pre-existing |
| Reactive Resume | `rx.vish.gg` | — | OAuth2 | Pre-existing |
| Homarr | `dash.vish.gg` | — | OIDC | Pre-existing |
| Headscale | `headscale.vish.gg` | — | OIDC | Pre-existing |
| Headplane | — | — | OIDC | Pre-existing |
| **Paperless-NGX** | `docs.vish.gg` | `paperless` | django-allauth OIDC | Added 2026-03-16. Forward Auth removed from NPM 2026-03-21 (was causing a redirect loop) |
| **Hoarder** | `hoarder.thevish.io` | `hoarder` | NextAuth OIDC | Added 2026-03-16 |
| **Portainer** | `pt.vish.gg` | `portainer` | OAuth2 | Migrated to `pt.vish.gg` 2026-03-16 |
| **Immich (Calypso)** | `192.168.0.250:8212` | `immich` | immich-config.json OAuth2 | Renamed to "Immich (Calypso)" 2026-03-16 |
| **Immich (Atlantis)** | `atlantis.tail.vish.gg:8212` | `immich-atlantis` | immich-config.json OAuth2 | Added 2026-03-16 |
| **Gitea** | `git.vish.gg` | `gitea` | OpenID Connect | Added 2026-03-16 |
| **Actual Budget** | `actual.vish.gg` | `actual-budget` | OIDC env vars | Added 2026-03-16. Forward Auth removed from NPM 2026-03-21 (was causing a redirect loop) |
| **Vaultwarden** | `pw.vish.gg` | `vaultwarden` | `SSO_ENABLED` (testing image) | Added 2026-03-16. SSO works, but local login is preferred because of the 2FA/security key dependency |

---

## Authentik Provider Reference

| Provider PK | Name | Client ID | Used By |
|-------------|------|-----------|---------|
| 2 | Gitea OAuth2 | `7KamS51a0H7V8HyIsfMKNJ8COstZEFh4Z8Em6ZhO` | Gitea |
| 3 | Portainer OAuth2 | `fLLnVh8iUyJYdw5HKdt1Q7LHKJLLB8tLZwxmVhNs` | Portainer |
| 4 | Paperless (legacy Forward Auth) | — | Superseded by pk=18 |
| 11 | Immich (Calypso) | `XSHhp1Hys1ZyRpbpGUv4iqu1y1kJXX7WIIFETqcL` | Immich Calypso |
| 18 | Paperless-NGX OIDC | `paperless` | Paperless `docs.vish.gg` |
| 19 | Hoarder | `hoarder` | Hoarder |
| 20 | Vaultwarden | `vaultwarden` | Vaultwarden |
| 21 | Actual Budget | `actual-budget` | Actual Budget |
| 22 | Immich (Atlantis) | `immich-atlantis` | Immich Atlantis |

---

## User Account Reference

| Service | Login email/username | Notes |
|---------|---------------------|-------|
| Authentik (`vish`) | `admin@thevish.io` | Primary SSO identity |
| Gitea | `admin@thevish.io` | Updated 2026-03-16 |
| Paperless | `vish` / `admin@thevish.io` | OAuth linked to `vish` username |
| Hoarder | `admin@thevish.io` | |
| Portainer | `vish` (username match) | |
| Immich (both) | `admin@thevish.io` | oauthId=`vish` |
| Vaultwarden | `your-email@example.com` | Left as-is to preserve 2FA/security key |
| Actual Budget | auto-created on first login | `ACTUAL_USER_CREATION_MODE=login` |

---

## Known Issues / Quirks

### Vaultwarden SSO

- Requires the `vaultwarden/server:testing` image (SSO is not compiled into `:latest`)
- `SSO_AUTHORITY` must include the trailing slash so that it matches Authentik's issuer URI exactly
- `SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION=true` is required (Authentik sends `email_verified: False` by default)
- A custom email scope mapping `email_verified true` (pk=`51d15142`) returns `True` from Authentik
- SSO login works, but local login is kept as primary because of the security key/2FA dependency

### Authentik email scope

- The default Authentik email mapping hardcodes `email_verified: False`
- Custom mapping `email_verified true` (pk=`51d15142`) was created and applied to the Vaultwarden provider
- All other providers use the default mapping (most apps do not check this field)

### Gitea OAuth2 source name case

- Gitea sends `Authentik` (capital A) in the callback path
- Both `authentik` and `Authentik` redirect URIs are registered on Authentik provider pk=2

### Portainer

- Migrated from `http://vishinator.synology.me:10000` to `https://pt.vish.gg` on 2026-03-16
- Client secret was stale — resynced from the Authentik provider

### Immich (Atlantis) network issues

- Container must be on the `immich-stack_default` network (not `immich_default` or `atlantis_default`)
- When recreating the container manually, always reconnect it to `immich-stack_default` before starting

---

## Services Without SSO (candidates)

| Service | OIDC Support | Effort | Notes |
|---------|-------------|--------|-------|
| Paperless (Atlantis) | ✅ same as Calypso | Low | Separate older instance |
| Audiobookshelf | ✅ `AUTH_OPENID_*` env vars | Low | |
| BookStack (Seattle) | ✅ `AUTH_METHOD=oidc` | Low | |
| Seafile | ✅ `seahub_settings.py` | Medium | WebDAV at `dav.vish.gg` |
| NetBox | ✅ `SOCIAL_AUTH_OIDC_*` | Medium | |
| PhotoPrism | ✅ `PHOTOPRISM_AUTH_MODE=oidc` | Medium | |
| Firefly III | ✅ via `stack.env` | Medium | |
| Mastodon | ✅ `.env.production` | Medium | |
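As an added example (not part of this status page), a small Python pre-flight check for the two quirks recorded under Known Issues: the `SSO_AUTHORITY` value must match Authentik's issuer exactly, trailing slash included, and `email_verified` must be a boolean `True` before a local account is linked by email. The discovery document below is constructed, and the `/application/o/<slug>/` issuer path is an assumption about Authentik's layout, not something this page states.

```python
import json
from urllib.parse import urljoin

# Constructed sample discovery document. Authentik publishes one per
# application slug; the issuer path shape is an assumption for this example
# and should be compared against the real /.well-known/openid-configuration.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://sso.vish.gg/application/o/vaultwarden/",
    "authorization_endpoint": "https://sso.vish.gg/application/o/authorize/",
    "token_endpoint": "https://sso.vish.gg/application/o/token/",
})


def check_authority(configured: str, discovery_json: str) -> list[str]:
    """Compare a client's configured authority with the IdP's issuer.

    Returns a list of findings; an empty list means the value is usable.
    """
    issuer = json.loads(discovery_json)["issuer"]
    findings = []
    if configured != issuer:
        if configured.rstrip("/") == issuer.rstrip("/"):
            findings.append("issuer mismatch: trailing slash differs")
        else:
            findings.append(f"issuer mismatch: {configured!r} != {issuer!r}")
    # Relative resolution drops the last path segment when the base has no
    # trailing slash, so the client would fetch discovery from the wrong URL.
    discovery_url = urljoin(configured, ".well-known/openid-configuration")
    if not discovery_url.startswith(issuer):
        findings.append(f"discovery URL resolves outside issuer: {discovery_url}")
    return findings


def email_can_link(claims: dict, allow_unverified: bool = False) -> bool:
    """Decide whether an ID token's email may be used to link a local account.

    Only a boolean True counts as verified; the string "True", False or a
    missing claim does not. allow_unverified mirrors an explicit override
    such as Vaultwarden's SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION.
    """
    if claims.get("email_verified") is True:
        return True
    return allow_unverified


if __name__ == "__main__":
    for f in check_authority("https://sso.vish.gg/application/o/vaultwarden",
                             DISCOVERY_DOC):
        print("finding:", f)
    print("link with default mapping:", email_can_link({"email_verified": False}))
```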