From 5c5fd18cacf81d8c86b8ee9724e883ca7d86a28d Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Mon, 16 Mar 2026 21:15:21 -0700
Subject: [PATCH] Add Authentik OIDC integration for Mealie

Configure Mealie as a public PKCE client in Authentik. Mealie's OIDC flow runs client-side (Vue.js SPA) so it uses PKCE instead of a client_secret. No 1Password secret or ExternalSecret needed.
- Add mealie.yaml blueprint to Authentik configmap (public client, admins group)
- Add OIDC env vars to Mealie deployment
- Update service docs
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .../authentik/configmap-blueprint.yaml | 57 +++++++++++++++++++
 argocd/manifests/mealie/deployment.yaml | 17 ++++++
 docs/reference/services/mealie.md | 1 +
 3 files changed, 75 insertions(+)
diff --git a/argocd/manifests/authentik/configmap-blueprint.yaml b/argocd/manifests/authentik/configmap-blueprint.yaml
index f6ea4d6..8bb467c 100644
--- a/argocd/manifests/authentik/configmap-blueprint.yaml
+++ b/argocd/manifests/authentik/configmap-blueprint.yaml
@@ -345,3 +345,60 @@ data:
 provider: !KeyOf jellyfin-provider
 meta_launch_url: https://jellyfin.ops.eblu.me
 policy_engine_mode: all
+
+ mealie.yaml: |
+ version: 1
+ metadata:
+ name: BlumeOps Mealie SSO
+ labels:
+ blueprints.goauthentik.io/description: "Mealie OIDC provider and application"
+ entries:
+ # OAuth2 provider for Mealie (public client — Mealie uses PKCE)
+ - model: authentik_providers_oauth2.oauth2provider
+ id: mealie-provider
+ identifiers:
+ name: Mealie
+ attrs:
+ name: Mealie
+ authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+ invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+ client_type: public
+ client_id: mealie
+ redirect_uris:
+ - matching_mode: strict
+ url: https://meals.ops.eblu.me/login
+ - matching_mode: strict
+ url: https://meals.tail8d86e.ts.net/login
+ signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+ property_mappings:
+ - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
+ - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
+ - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
+ sub_mode: hashed_user_id
+ include_claims_in_id_token: true
+
+ # Mealie application — restricted to admins group
+ - model: authentik_core.application
+ id: mealie-app
+ identifiers:
+ slug: mealie
+ attrs:
+ name: Mealie
+ slug: mealie
+ provider: !KeyOf mealie-provider
+ meta_launch_url: https://meals.ops.eblu.me
+ policy_engine_mode: any
+
+ # Policy binding — restrict Mealie to admins group
+ - model: authentik_policies.policybinding
+ identifiers:
+ order: 0
+ target: !KeyOf mealie-app
+ group: !Find [authentik_core.group, [name, admins]]
+ attrs:
+ target: !KeyOf mealie-app
+ group: !Find [authentik_core.group, [name, admins]]
+ order: 0
+ enabled: true
+ negate: false
+ timeout: 30
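Review bot: `policy_engine_mode: any` on the mealie-app entry makes access a disjunction of its bindings, whereas the neighbouring jellyfin application in the context lines uses `policy_engine_mode: all`. With the single admins-group binding defined here the two behave the same, but any binding added later (a second group, an expression policy) would grant access on its own under `any`, so for an application whose bindings exist only to restrict access the fail-closed and file-consistent choice is `policy_engine_mode: all`. The policy binding entry repeats `target`, `group` and `order` under both `identifiers` and `attrs`; since Authentik blueprints use identifiers to look the object up and attrs for the values applied, a one-line comment such as `# identifiers locate an existing binding; attrs are re-applied on every blueprint sync` would explain the duplication to the next reader. The `data:` mapping this blueprint is appended to begins outside the hunk, so the nesting of `mealie.yaml` relative to the existing entries cannot be checked here.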
diff --git a/argocd/manifests/mealie/deployment.yaml b/argocd/manifests/mealie/deployment.yaml
index 1c99ed0..d88d632 100644
--- a/argocd/manifests/mealie/deployment.yaml
+++ b/argocd/manifests/mealie/deployment.yaml
@@ -29,6 +29,23 @@ spec:
 value: "1"
 - name: WEB_CONCURRENCY
 value: "1"
+ # OIDC — Authentik (public client, PKCE)
+ - name: OIDC_AUTH_ENABLED
+ value: "true"
+ - name: OIDC_CONFIGURATION_URL
+ value: "https://authentik.ops.eblu.me/application/o/mealie/.well-known/openid-configuration"
+ - name: OIDC_CLIENT_ID
+ value: "mealie"
+ - name: OIDC_AUTO_REDIRECT
+ value: "false"
+ - name: OIDC_PROVIDER_NAME
+ value: "Authentik"
+ - name: OIDC_ADMIN_GROUP
+ value: "admins"
+ - name: OIDC_SIGNUP_ENABLED
+ value: "true"
+ - name: OIDC_USER_CLAIM
+ value: "email"
 volumeMounts:
 - name: data
 mountPath: /app/data
diff --git a/docs/reference/services/mealie.md b/docs/reference/services/mealie.md
index 3bdcd87..b624bea 100644
--- a/docs/reference/services/mealie.md
+++ b/docs/reference/services/mealie.md
@@ -30,6 +30,7 @@ Self-hosted recipe manager with a REST API. Part of the meal planning pipeline: - Built-in meal planning and shopping lists - Recipe import from URLs - API token auth for automation +- OIDC login via [[authentik]] (public client with PKCE) ## Storage
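Review bot: `OIDC_USER_CLAIM` is set to `"email"`, so Mealie keys its accounts on a claim that is editable in Authentik, while the provider in the first hunk issues a stable hashed `sub` (`sub_mode: hashed_user_id`); together with `OIDC_SIGNUP_ENABLED: "true"`, a user whose Authentik email changes would presumably be provisioned a fresh Mealie account instead of landing in their existing one. If that trade-off is intended, record it next to the variable: `# Accounts are matched by email, which is mutable in Authentik; an email change creates a new Mealie account while signup is enabled.` `OIDC_ADMIN_GROUP: "admins"` additionally depends on a groups claim reaching Mealie, and the provider maps only the openid, email and profile scopes, so confirm that the Authentik profile mapping emits group names — if it does not, nobody is promoted to admin (it fails closed rather than open). The env list belongs to a container spec that starts and ends outside the hunk.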