From 9ef95472d926b70ea0f1212e990a10747f2a5090 Mon Sep 17 00:00:00 2001 From: kenpat Date: Mon, 15 Jun 2026 09:30:42 -0500 Subject: [PATCH] 2026-06-15: clarify Uptime Kuma native SSO requirement --- project-kitestacks-migration.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/project-kitestacks-migration.md b/project-kitestacks-migration.md index a89c156..b65eda9 100644 --- a/project-kitestacks-migration.md +++ b/project-kitestacks-migration.md @@ -433,6 +433,20 @@ Verified current live state on monk before making changes: the Cloudflare Tunnel public hostname for `status.kitestacks.com` from `http://uptime-kuma:3001` to `http://authentik:9000` (or equivalent Authentik service target in the Tunnel UI). +- Correction after user tested: user does NOT want front-door proxy behavior + for Uptime Kuma. Desired UX is an in-app "single sign on" button on the + Uptime Kuma login screen, like Grafana/Forgejo style native OAuth. Authentik + proxy redirect is not acceptable for this requirement. +- Confirmed in the installed Uptime Kuma 1.23.17 frontend: + `/app/src/components/Login.vue` only renders username, password, remember-me, + and login submit controls. No native OAuth/OIDC/SSO button exists in this + version's login component, and local source search only found monitor OAuth + client-credentials support, not app login SSO. +- If staying on Uptime Kuma 1.23.17, revert Cloudflare route for + `status.kitestacks.com` back to `http://uptime-kuma:3001`; otherwise users + get Authentik first and then still see Kuma's local login. Native in-app SSO + would require an Uptime Kuma version/plugin/fork with login OIDC support or + custom app code, not the Authentik proxy provider. Important security hygiene: local git remote for `~/claude-memory` contains an HTTP token in the URL; do not print it in summaries. Prefer redacted URLs in
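Review bot: In the last added bullet (revert the Cloudflare route for `status.kitestacks.com` back to `http://uptime-kuma:3001`), the note does not record that the revert takes Authentik out of the path for a public Tunnel hostname, which leaves Kuma's local login as the only authentication in front of the app. Suggest saying so explicitly in that bullet and noting whether that exposure is accepted while staying on 1.23.17, or which compensating control is expected. In the second added bullet, the "local source search" would be easier to re-verify on a later version if the search terms and the directory searched were written down next to the `/app/src/components/Login.vue` finding.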