# Seafile OAuth2 with Authentik

**Host**: Calypso (Synology NAS)
**Domain**: `sf.vish.gg`
**Port**: 8611
**Compose File**: `hosts/synology/calypso/seafile-server.yaml`
**Status**: ✅ Working

## Overview

Seafile uses OAuth2 to integrate with Authentik for SSO. Local login remains fully functional.

## Authentication Methods

1. **Local Login** - Email/password on the login page
2. **OAuth2 SSO** - "Single Sign-On" button

## Authentik Configuration

### Provider Created

- **Name**: Seafile OAuth2
- **Type**: OAuth2/OpenID Provider
- **Client ID**: `oVa51E8UC9PNmgFSIlivYgcGwdBvnc83YW2WkuDS`
- **Redirect URI**: `https://sf.vish.gg/oauth/callback/`
- **Scopes**: openid, email, profile

### Application Created

- **Name**: Seafile
- **Slug**: `seafile`
- **Launch URL**: https://sf.vish.gg

## Seafile Configuration

Seafile requires adding OAuth settings to `seahub_settings.py`. The config file is at:
`/volume1/docker/seafile/data/seafile/conf/seahub_settings.py`

### Configuration to Add

Append the contents of `hosts/synology/calypso/seafile-oauth-config.py` to seahub_settings.py:

```python
ENABLE_OAUTH = True
OAUTH_ENABLE_INSECURE_TRANSPORT = False

OAUTH_CLIENT_ID = "REDACTED_CLIENT_ID"
OAUTH_CLIENT_SECRET = "REDACTED_CLIENT_SECRET"
OAUTH_REDIRECT_URL = "https://sf.vish.gg/oauth/callback/"

OAUTH_PROVIDER_DOMAIN = "sso.vish.gg"
OAUTH_AUTHORIZATION_URL = "https://sso.vish.gg/application/o/authorize/"
OAUTH_TOKEN_URL = "https://sso.vish.gg/application/o/token/"
OAUTH_USER_INFO_URL = "https://sso.vish.gg/application/o/userinfo/"
OAUTH_SCOPE = ["openid", "profile", "email"]

OAUTH_ATTRIBUTE_MAP = {
    "email": (True, "email"),
    "name": (False, "name"),
}
```

## Activation Steps

1. SSH to Calypso or use Synology DSM
2. Edit the seahub_settings.py file:

   ```bash
   nano /volume1/docker/seafile/data/seafile/conf/seahub_settings.py
   ```

3. Append the OAuth configuration (see above or copy from `seafile-oauth-config.py`)
4. Restart Seafile:

   ```bash
   docker restart Seafile
   ```

5. Test by visiting https://sf.vish.gg and clicking "Single Sign-On"

## Troubleshooting

### SSO button not appearing

- Verify `ENABLE_OAUTH = True` is in seahub_settings.py
- Check Seafile logs: `docker logs Seafile`

### "Invalid redirect URI" error

- Ensure redirect URI in Authentik matches exactly: `https://sf.vish.gg/oauth/callback/`
- Note the trailing slash is important!

### User created but can't access files

- OAuth users are created automatically on first login
- Admin needs to grant them access to libraries

## Related Documentation

- [Seafile OAuth Documentation](https://manual.seafile.com/deploy/oauth/)
- [Authentik OAuth2 Setup](https://docs.goauthentik.io/docs/providers/oauth2/)

## Change Log

- **2026-01-31**: Created OAuth2 provider and application in Authentik, created config file
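
A pre-restart check for the OAuth block and the redirect-URI mismatch covered under Troubleshooting, as an added example that is not part of the original setup. The names `load_settings` and `check_oauth` and the sample text are constructed for illustration, and the "all endpoints on one host" rule is an assumption that fits this deployment.

```python
import ast
from urllib.parse import urlsplit

# Constructed sample mirroring the block on this page (client id/secret omitted).
SAMPLE = '''
ENABLE_OAUTH = True
OAUTH_ENABLE_INSECURE_TRANSPORT = False
OAUTH_REDIRECT_URL = "https://sf.vish.gg/oauth/callback/"
OAUTH_AUTHORIZATION_URL = "https://sso.vish.gg/application/o/authorize/"
OAUTH_TOKEN_URL = "https://sso.vish.gg/application/o/token/"
OAUTH_USER_INFO_URL = "https://sso.vish.gg/application/o/userinfo/"
OAUTH_SCOPE = ["openid", "profile", "email"]
OAUTH_ATTRIBUTE_MAP = {"email": (True, "email"), "name": (False, "name")}
'''

ENDPOINTS = ("OAUTH_AUTHORIZATION_URL", "OAUTH_TOKEN_URL", "OAUTH_USER_INFO_URL")

def load_settings(text):
    """Read top-level literal assignments without executing the settings file."""
    out = {}
    for node in ast.parse(text).body:
        if isinstance(node, ast.Assign) and isinstance(node.targets[0], ast.Name):
            try:
                out[node.targets[0].id] = ast.literal_eval(node.value)
            except (ValueError, TypeError):
                pass  # non-literal value (e.g. an os.environ lookup): skip it
    return out

def check_oauth(text, registered_redirect):
    """Return a list of findings; an empty list means the block is consistent."""
    s, findings = load_settings(text), []
    if s.get("ENABLE_OAUTH") is not True:
        findings.append("ENABLE_OAUTH is not True: SSO button will not appear")
    if s.get("OAUTH_ENABLE_INSECURE_TRANSPORT") is not False:
        findings.append("OAUTH_ENABLE_INSECURE_TRANSPORT should be False")
    if s.get("OAUTH_REDIRECT_URL") != registered_redirect:  # exact match, slash included
        findings.append("OAUTH_REDIRECT_URL differs from the URI registered in Authentik")
    for key in ENDPOINTS + ("OAUTH_REDIRECT_URL",):
        if urlsplit(str(s.get(key, ""))).scheme != "https":
            findings.append(f"{key} is missing or not https")
    hosts = {urlsplit(str(s.get(key, ""))).hostname for key in ENDPOINTS}
    if len(hosts) > 1:  # assumption: one Authentik host serves all three endpoints
        findings.append("OAuth endpoints point at different hosts")
    if "openid" not in s.get("OAUTH_SCOPE", []):
        findings.append("OAUTH_SCOPE lacks 'openid'")
    if s.get("OAUTH_ATTRIBUTE_MAP", {}).get("email", (False,))[0] is not True:
        findings.append("email is not marked required in OAUTH_ATTRIBUTE_MAP")
    return findings
```

Pass the text of `seahub_settings.py` and the redirect URI exactly as it is entered in the Authentik provider; any returned finding should be resolved before `docker restart Seafile`.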