eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions

Add Authentik OIDC integration for Mealie

Browse source 
Configure Mealie as a public PKCE client in Authentik. Mealie's OIDC
flow runs client-side (Vue.js SPA) so it uses PKCE instead of a
client_secret. No 1Password secret or ExternalSecret needed.

- Add mealie.yaml blueprint to Authentik configmap (public client, admins group)
- Add OIDC env vars to Mealie deployment
- Update service docs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Erich Blume 2026-03-16 21:15:21 -07:00
commit 5c5fd18cac
3 changed files with 75 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

57
argocd/manifests/authentik/configmap-blueprint.yaml
View file

@ -345,3 +345,60 @@ data:
provider: !KeyOf jellyfin-provider
meta_launch_url: https://jellyfin.ops.eblu.me
policy_engine_mode: all
mealie.yaml: |
version: 1
metadata:
name: BlumeOps Mealie SSO
labels:
blueprints.goauthentik.io/description: "Mealie OIDC provider and application"
entries:
# OAuth2 provider for Mealie (public client — Mealie uses PKCE)
- model: authentik_providers_oauth2.oauth2provider
id: mealie-provider
identifiers:
name: Mealie
attrs:
name: Mealie
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
client_type: public
client_id: mealie
redirect_uris:
- matching_mode: strict
url: https://meals.ops.eblu.me/login
- matching_mode: strict
url: https://meals.tail8d86e.ts.net/login
signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
property_mappings:
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
sub_mode: hashed_user_id
include_claims_in_id_token: true
# Mealie application — restricted to admins group
- model: authentik_core.application
id: mealie-app
identifiers:
slug: mealie
attrs:
name: Mealie
slug: mealie
provider: !KeyOf mealie-provider
meta_launch_url: https://meals.ops.eblu.me
policy_engine_mode: any
# Policy binding — restrict Mealie to admins group
- model: authentik_policies.policybinding
identifiers:
order: 0
target: !KeyOf mealie-app
group: !Find [authentik_core.group, [name, admins]]
attrs:
target: !KeyOf mealie-app
group: !Find [authentik_core.group, [name, admins]]
order: 0
enabled: true
negate: false
timeout: 30

17
argocd/manifests/mealie/deployment.yaml
View file

@ -29,6 +29,23 @@ spec:
value: "1"
- name: WEB_CONCURRENCY
value: "1"
# OIDC — Authentik (public client, PKCE)
- name: OIDC_AUTH_ENABLED
value: "true"
- name: OIDC_CONFIGURATION_URL
value: "https://authentik.ops.eblu.me/application/o/mealie/.well-known/openid-configuration"
- name: OIDC_CLIENT_ID
value: "mealie"
- name: OIDC_AUTO_REDIRECT
value: "false"
- name: OIDC_PROVIDER_NAME
value: "Authentik"
- name: OIDC_ADMIN_GROUP
value: "admins"
- name: OIDC_SIGNUP_ENABLED
value: "true"
- name: OIDC_USER_CLAIM
value: "email"
volumeMounts:
- name: data
mountPath: /app/data

1
docs/reference/services/mealie.md
View file

@ -30,6 +30,7 @@ Self-hosted recipe manager with a REST API. Part of the meal planning pipeline:
- Built-in meal planning and shopping lists
- Recipe import from URLs
- API token auth for automation
- OIDC login via [[authentik]] (public client with PKCE)
## Storage