kitestacks-cloud-migration/claude-memory/project-sso.md

name	description	metadata
project-sso	Authentik SSO setup status for kitestacks.com — what's done vs pending	node_type type originSessionId memory project 301d23e2-6920-42b0-a27d-eba4e667b7f7

Authentik SSO configured 2026-06-08 to cover all kitestacks.com services. Full reference: docs/authentik-sso-setup.md in the Forgejo repo.

Config files updated (done):

• apps/authentik/docker-compose.yml — kitestacks network declared
• apps/kavita/config/appsettings.json — OIDC enabled, Authority set
• BookStack retired — not used, all books on Kavita
• apps/openproject/docker-compose.yml — OIDC env vars + network
• apps/openproject/.env — OPENPROJECT_OIDC_SECRET placeholder
• Grafana and OpenWebUI already had OIDC env vars (just need Authentik apps created)

Pending manual steps:

1. Create Authentik OAuth2/OIDC providers + applications in admin UI for: Grafana, OpenWebUI, Kavita, OpenProject, Forgejo
2. Create Authentik Proxy Providers for: Shaarli, Uptime Kuma, LiteLLM; assign to Embedded Outpost
3. Configure Forgejo OAuth2 source via Forgejo admin UI (Site Admin → Auth Sources)
4. Fill client secrets in .env files and restart containers
5. Update Cloudflare tunnel routes: links.kitestacks.com → authentik:9000, status.kitestacks.com → authentik:9000, llm.kitestacks.com → authentik:9000
6. After OpenProject container recreation (v13→v15 upgrade), update tunnel: tasks.kitestacks.com → openproject:80

Excluded from SSO: Portainer, Prometheus, Node Exporter, OpenRouter, BookStack (retired)

Why: User requested Authentik SSO for all services; OpenRouter/Prometheus/node-exporter/Portainer excluded by user request. How to apply: When user asks about SSO, check this memory for current status before suggesting next steps.