kenpat/claude-memory
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

2026-06-15: add native Uptime Kuma Authentik SSO button

Browse source
This commit is contained in:
kenpat 2026-06-15 09:41:14 -05:00
parent 9ef95472d9
commit 6a5ee0fb0a
1 changed files with 41 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

41
project-kitestacks-migration.md
View file

@ -447,6 +447,47 @@ Verified current live state on monk before making changes:
get Authentik first and then still see Kuma's local login. Native in-app SSO get Authentik first and then still see Kuma's local login. Native in-app SSO
would require an Uptime Kuma version/plugin/fork with login OIDC support or would require an Uptime Kuma version/plugin/fork with login OIDC support or
custom app code, not the Authentik proxy provider. custom app code, not the Authentik proxy provider.
- User reset the Cloudflare route back to `http://uptime-kuma:3001` and asked
to continue with an in-app Authentik button. Upstream latest checked via
GitHub API: Uptime Kuma latest release is `2.4.0` (published 2026-05-31) and
upstream `src/components/Login.vue` still has only username/password login,
no native OAuth/OIDC button. Proceeded with a custom overlay patch.
- Custom native Authentik SSO overlay deployed on BOTH active tunnel backends
(monk and kscloud1) so public load-balanced traffic behaves consistently:
- monk path: `~/kitestacks-live/docker/uptime-kuma/`
- kscloud1 path: `/opt/kitestacks/docker/uptime-kuma/`
- backend preload module:
`custom/server/authentik-sso.js`
- frontend mounted files:
`custom/dist/index.html`, `index.html.gz`, `index.html.br`
- compose now sets `NODE_OPTIONS=--require /app/custom/server/authentik-sso.js`,
loads `.env.sso`, and bind-mounts the custom files over Kuma's built HTML.
- Authentik native OAuth provider/application created:
- OAuth2Provider name `Uptime Kuma Native`, provider id `12`
- Application slug `uptime-kuma-native`, name `Uptime Kuma Native SSO`
- Client ID `uptime-kuma-native`
- Redirect URI `https://status.kitestacks.com/auth/authentik/callback`
- Restricted to Authentik group `homelab-admin` via PolicyBinding
`2e1eaa95-b397-4c4f-bfc7-abb337906cf3`
- Client secret is stored only in each host's `.env.sso`; do not print it.
- Custom flow behavior:
- Login page injects a `Sign in with Authentik` button linking to
`/auth/authentik`.
- Backend starts Authentik OIDC, validates callback state, fetches userinfo,
maps the login to existing Kuma user `kenpat`, issues Kuma's normal JWT,
then redirects to `/?authentik_token=<token>`.
- Frontend one-time script stores the JWT in `localStorage.token`, removes
the URL token, and redirects to `/dashboard`, letting Kuma's normal
`loginByToken` flow establish the session.
- Verification 2026-06-15:
- monk local `/dashboard` HTML contains `Sign in with Authentik`,
`/auth/authentik`, and `authentik_token`.
- kscloud1 local `/dashboard` HTML contains the same and `/auth/authentik`
redirects to Authentik with client_id `uptime-kuma-native`.
- Public repeated check:
`for i in 1 2 3 4 5 6; do curl -sSL --compressed https://status.kitestacks.com/dashboard | grep -q "Sign in with Authentik"; done`
returned `button` for all 6 attempts, confirming both active connectors
serve the button.
Important security hygiene: local git remote for `~/claude-memory` contains an Important security hygiene: local git remote for `~/claude-memory` contains an
HTTP token in the URL; do not print it in summaries. Prefer redacted URLs in HTTP token in the URL; do not print it in summaries. Prefer redacted URLs in