4.9 KiB
4.9 KiB
SSO / OIDC Status
Identity Provider: Authentik at https://sso.vish.gg (runs on Calypso)
Last updated: 2026-03-16
Configured Services
| Service | URL | Authentik App Slug | Method | Notes |
|---|---|---|---|---|
| Grafana (Atlantis) | gf.vish.gg |
— | OAuth2 generic | Pre-existing |
| Grafana (homelab-vm) | monitoring stack | — | OAuth2 generic | Pre-existing |
| Mattermost (matrix-ubuntu) | mm.crista.love |
— | OpenID Connect | Pre-existing |
| Mattermost (homelab-vm) | — | — | GitLab-compat OAuth2 | Pre-existing |
| Reactive Resume | rx.vish.gg |
— | OAuth2 | Pre-existing |
| Homarr | dash.vish.gg |
— | OIDC | Pre-existing |
| Headscale | headscale.vish.gg |
— | OIDC | Pre-existing |
| Headplane | — | — | OIDC | Pre-existing |
| Paperless-NGX | docs.vish.gg |
paperless |
django-allauth OIDC | Added 2026-03-16 |
| Hoarder | hoarder.thevish.io |
hoarder |
NextAuth OIDC | Added 2026-03-16 |
| Portainer | pt.vish.gg |
portainer |
OAuth2 | Migrated to pt.vish.gg 2026-03-16 |
| Immich (Calypso) | 192.168.0.250:8212 |
immich |
immich-config.json OAuth2 | Renamed to "Immich (Calypso)" 2026-03-16 |
| Immich (Atlantis) | atlantis.tail.vish.gg:8212 |
immich-atlantis |
immich-config.json OAuth2 | Added 2026-03-16 |
| Gitea | git.vish.gg |
gitea |
OpenID Connect | Added 2026-03-16 |
| Actual Budget | actual.vish.gg |
actual-budget |
OIDC env vars | Added 2026-03-16 |
| Vaultwarden | pw.vish.gg |
vaultwarden |
SSO_ENABLED (testing image) | Added 2026-03-16, SSO works but local login preferred due to 2FA/security key |
Authentik Provider Reference
| Provider PK | Name | Client ID | Used By |
|---|---|---|---|
| 2 | Gitea OAuth2 | 7KamS51a0H7V8HyIsfMKNJ8COstZEFh4Z8Em6ZhO |
Gitea |
| 3 | Portainer OAuth2 | fLLnVh8iUyJYdw5HKdt1Q7LHKJLLB8tLZwxmVhNs |
Portainer |
| 4 | Paperless (legacy Forward Auth) | — | Superseded by pk=18 |
| 11 | Immich (Calypso) | XSHhp1Hys1ZyRpbpGUv4iqu1y1kJXX7WIIFETqcL |
Immich Calypso |
| 18 | Paperless-NGX OIDC | paperless |
Paperless docs.vish.gg |
| 19 | Hoarder | hoarder |
Hoarder |
| 20 | Vaultwarden | vaultwarden |
Vaultwarden |
| 21 | Actual Budget | actual-budget |
Actual Budget |
| 22 | Immich (Atlantis) | immich-atlantis |
Immich Atlantis |
User Account Reference
| Service | Login email/username | Notes |
|---|---|---|
Authentik (vish) |
admin@thevish.io |
Primary SSO identity |
| Gitea | admin@thevish.io |
Updated 2026-03-16 |
| Paperless | vish / admin@thevish.io |
OAuth linked to vish username |
| Hoarder | admin@thevish.io |
|
| Portainer | vish (username match) |
|
| Immich (both) | admin@thevish.io |
oauthId=vish |
| Vaultwarden | your-email@example.com |
Left as-is to preserve 2FA/security key |
| Actual Budget | auto-created on first login | ACTUAL_USER_CREATION_MODE=login |
Known Issues / Quirks
Vaultwarden SSO
- Requires
vaultwarden/server:testingimage (SSO not compiled into:latest) SSO_AUTHORITYmust include trailing slash to match Authentik's issuer URISSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION=truerequired (Authentik sendsemail_verified: Falseby default)- A custom email scope mapping
email_verified true(pk=51d15142) returnsTruefor Authentik - SSO login works but local login kept as primary due to security key/2FA dependency
Authentik email scope
- Default Authentik email mapping hardcodes
email_verified: False - Custom mapping
email_verified true(pk=51d15142) created and applied to Vaultwarden provider - All other providers use the default mapping (most apps don't check this field)
Gitea OAuth2 source name case
- Gitea sends
Authentik(capital A) as the callback path - Both
authentikandAuthentikredirect URIs registered in Authentik provider pk=2
Portainer
- Migrated from
http://vishinator.synology.me:10000tohttps://pt.vish.ggon 2026-03-16 - Client secret was stale — resynced from Authentik provider
Immich (Atlantis) network issues
- Container must be on
immich-stack_defaultnetwork (notimmich_defaultoratlantis_default) - When recreating container manually, always reconnect to
immich-stack_defaultbefore starting
Services Without SSO (candidates)
| Service | OIDC Support | Effort | Notes |
|---|---|---|---|
| Paperless (Atlantis) | ✅ same as Calypso | Low | Separate older instance |
| Audiobookshelf | ✅ AUTH_OPENID_* env vars |
Low | |
| BookStack (Seattle) | ✅ AUTH_METHOD=oidc |
Low | |
| Seafile | ✅ seahub_settings.py |
Medium | WebDAV at dav.vish.gg |
| NetBox | ✅ SOCIAL_AUTH_OIDC_* |
Medium | |
| PhotoPrism | ✅ PHOTOPRISM_AUTH_MODE=oidc |
Medium | |
| Firefly III | ✅ via stack.env |
Medium | |
| Mastodon | ✅ .env.production |
Medium |