From 6a5ee0fb0a9a3ccebb075c3241bfd0dc04b51f05 Mon Sep 17 00:00:00 2001 From: kenpat Date: Mon, 15 Jun 2026 09:41:14 -0500 Subject: [PATCH] 2026-06-15: add native Uptime Kuma Authentik SSO button --- project-kitestacks-migration.md | 41 +++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/project-kitestacks-migration.md b/project-kitestacks-migration.md index b65eda9..f799fd5 100644 --- a/project-kitestacks-migration.md +++ b/project-kitestacks-migration.md @@ -447,6 +447,47 @@ Verified current live state on monk before making changes: get Authentik first and then still see Kuma's local login. Native in-app SSO would require an Uptime Kuma version/plugin/fork with login OIDC support or custom app code, not the Authentik proxy provider. +- User reset the Cloudflare route back to `http://uptime-kuma:3001` and asked + to continue with an in-app Authentik button. Upstream latest checked via + GitHub API: Uptime Kuma latest release is `2.4.0` (published 2026-05-31) and + upstream `src/components/Login.vue` still has only username/password login, + no native OAuth/OIDC button. Proceeded with a custom overlay patch. +- Custom native Authentik SSO overlay deployed on BOTH active tunnel backends + (monk and kscloud1) so public load-balanced traffic behaves consistently: + - monk path: `~/kitestacks-live/docker/uptime-kuma/` + - kscloud1 path: `/opt/kitestacks/docker/uptime-kuma/` + - backend preload module: + `custom/server/authentik-sso.js` + - frontend mounted files: + `custom/dist/index.html`, `index.html.gz`, `index.html.br` + - compose now sets `NODE_OPTIONS=--require /app/custom/server/authentik-sso.js`, + loads `.env.sso`, and bind-mounts the custom files over Kuma's built HTML. +- Authentik native OAuth provider/application created: + - OAuth2Provider name `Uptime Kuma Native`, provider id `12` + - Application slug `uptime-kuma-native`, name `Uptime Kuma Native SSO` + - Client ID `uptime-kuma-native` + - Redirect URI `https://status.kitestacks.com/auth/authentik/callback` + - Restricted to Authentik group `homelab-admin` via PolicyBinding + `2e1eaa95-b397-4c4f-bfc7-abb337906cf3` + - Client secret is stored only in each host's `.env.sso`; do not print it. +- Custom flow behavior: + - Login page injects a `Sign in with Authentik` button linking to + `/auth/authentik`. + - Backend starts Authentik OIDC, validates callback state, fetches userinfo, + maps the login to existing Kuma user `kenpat`, issues Kuma's normal JWT, + then redirects to `/?authentik_token=`. + - Frontend one-time script stores the JWT in `localStorage.token`, removes + the URL token, and redirects to `/dashboard`, letting Kuma's normal + `loginByToken` flow establish the session. +- Verification 2026-06-15: + - monk local `/dashboard` HTML contains `Sign in with Authentik`, + `/auth/authentik`, and `authentik_token`. + - kscloud1 local `/dashboard` HTML contains the same and `/auth/authentik` + redirects to Authentik with client_id `uptime-kuma-native`. + - Public repeated check: + `for i in 1 2 3 4 5 6; do curl -sSL --compressed https://status.kitestacks.com/dashboard | grep -q "Sign in with Authentik"; done` + returned `button` for all 6 attempts, confirming both active connectors + serve the button. Important security hygiene: local git remote for `~/claude-memory` contains an HTTP token in the URL; do not print it in summaries. Prefer redacted URLs in