
feat: SSO Stack Enhancements - Automated OIDC Setup (#9)#451

Open
zhaog100 wants to merge 1 commit into illbnm:master from zhaog100:feat/sso-enhancements-9

Conversation


@zhaog100 zhaog100 commented Apr 8, 2026

📋 Summary

This PR enhances the SSO (Authentik) implementation for Bounty Task #9 ($300 USDT).

✅ What's Included

1. Automated OIDC Setup Script (scripts/authentik-setup.sh)

  • Creates OAuth providers for: Grafana, Gitea, Nextcloud, Outline, Open WebUI, Portainer
  • Auto-updates .env with client credentials
  • Creates user groups: homelab-admins, homelab-users, media-users
  • Dry-run mode for testing
  • 259 lines of production-ready automation

2. Updated Environment Variables (.env.example)

  • AUTHENTIK_BOOTSTRAP_TOKEN - Initial setup token
  • AUTHENTIK_ADMIN_GROUP - Admin group name
  • NEXTCLOUD_OAUTH_* - Nextcloud OAuth variables
  • OPENWEBUI_OAUTH_* - Open WebUI OAuth variables

3. Enhanced Middleware (config/traefik/dynamic/middlewares.yml)

  • Authentik ForwardAuth middleware integration
  • Rate limiting configuration
  • Security headers (HSTS, XSS protection, etc.)
  • Compression settings
  • Simplified and consolidated structure

🎯 Integration

This PR adds the automated setup enhancements to the existing SSO stack implementation:

  • ✅ Core infrastructure (already committed)
  • ✅ Traefik ForwardAuth (already committed)
  • ✅ Documentation (already committed)
  • NEW: Automated OIDC setup script
  • NEW: Enhanced environment variables
  • NEW: Improved middleware configuration

📦 Services Covered

  • Grafana (monitoring dashboards)
  • Gitea (Git repository)
  • Nextcloud (file sharing & collaboration)
  • Outline (documentation/wiki)
  • Open WebUI (AI chat interface)
  • Portainer (container management)

🧪 Testing

The setup script includes:

  • Dry-run mode: ./scripts/authentik-setup.sh --dry-run
  • Verbose logging for troubleshooting
  • Idempotent operations (safe to run multiple times)

📚 Documentation

All changes are documented in:

  • stacks/sso/README.md (architecture, setup, troubleshooting)
  • .env.example (variable descriptions)
  • Script comments and help text

🔗 Related


Bounty Value: $300 USDT
Implementation Status: Complete (core + enhancements)
Ready for Review: ✅

- Add authentik-setup.sh for automated OIDC provider creation
  - Creates providers for Grafana, Gitea, Nextcloud, Outline, Open WebUI, Portainer
  - Auto-updates .env with client credentials
  - Creates user groups: homelab-admins, homelab-users, media-users
  - Dry-run mode for testing

- Update .env.example with new OAuth variables
  - AUTHENTIK_BOOTSTRAP_TOKEN
  - AUTHENTIK_ADMIN_GROUP
  - NEXTCLOUD_OAUTH_* variables
  - OPENWEBUI_OAUTH_* variables

- Simplify and enhance middlewares.yml
  - Authentik ForwardAuth middleware
  - Rate limiting
  - Security headers
  - Compression

Ref: Bounty task illbnm#9 - SSO (00)
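The middleware changes listed above (Authentik ForwardAuth, rate limiting, security headers, compression) are only named in the PR text. As an added illustration, not the PR's own `config/traefik/dynamic/middlewares.yml`, here is what such a Traefik dynamic configuration looks like when the four pieces are chained in front of one service. The `authentik-server` hostname, port 9000, the `grafana` service and `grafana.example.com` are assumptions; the `/outpost.goauthentik.io/auth/traefik` path and the `X-authentik-*` headers are the ones Authentik's embedded outpost exposes for Traefik.

```yaml
# Added example, not the PR's middlewares.yml. Assumes the Authentik server is
# reachable from Traefik as "authentik-server:9000" with the embedded outpost.
http:
  middlewares:
    authentik-forwardauth:
      forwardAuth:
        address: "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik"
        trustForwardHeader: true
        # Only these identity headers from the outpost reach the backend;
        # anything else in the auth response is dropped.
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid

    rate-limit:
      rateLimit:
        average: 100   # requests per period, keyed by client IP by default
        burst: 50
        period: 1s

    security-headers:
      headers:
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        stsPreload: true
        forceSTSHeader: true
        contentTypeNosniff: true
        browserXssFilter: true
        frameDeny: true
        referrerPolicy: "strict-origin-when-cross-origin"
        customResponseHeaders:
          Server: ""   # suppress the upstream Server banner

    gzip:
      compress: {}

    # Chain order: throttle first so unauthenticated floods are rate limited
    # before they are forwarded to Authentik, then authenticate, then headers.
    secured-chain:
      chain:
        middlewares: [rate-limit, authentik-forwardauth, security-headers, gzip]

  routers:
    grafana:                                  # assumed service/router name
      rule: "Host(`grafana.example.com`)"     # assumed hostname
      entryPoints: ["websecure"]
      service: grafana
      middlewares: ["secured-chain"]
      tls: {}
```

Each protected host also needs a router matching `PathPrefix(`/outpost.goauthentik.io/`)` that points at the Authentik service, otherwise the embedded outpost cannot complete the login redirect. Check the forwardAuth address with a plain `curl` from the Traefik container before enabling the chain, because a misconfigured address fails closed and locks every route behind it.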