eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions

Integrate Forgejo with Authentik OIDC (#228)

Browse source 
## Summary

- Refactor Authentik blueprints: extract shared `admins` group into `common.yaml`, add `groups` scope mapping to all providers for group-based admin propagation
- Add Forgejo OAuth2 provider and application blueprint (`forgejo.yaml`)
- Add `forgejo-client-secret` to ExternalSecret and worker deployment env
- Configure Forgejo `[oauth2_client]` with `ACCOUNT_LINKING=login` to safely link existing accounts
- Update documentation (forgejo.md, authentik.md, federated-login.md)

## Deployment and Testing

After merge, deployment requires these steps in order:

1. **Authentik (ArgoCD):**
   - `argocd app set authentik --revision feature/forgejo-authentik-oidc && argocd app sync authentik`
   - Verify: Forgejo app/provider visible in Authentik admin UI
   - Verify: Grafana SSO still works (blueprint refactor)

2. **Forgejo app.ini (Ansible):**
   - `mise run provision-indri -- --tags forgejo --check --diff` (dry run)
   - `mise run provision-indri -- --tags forgejo` (apply, restarts Forgejo)

3. **Create Forgejo auth source (CLI on indri):**
   ```
   ssh indri 'sudo -u forgejo /opt/homebrew/bin/forgejo admin auth add-oauth \
     --name authentik \
     --provider openidConnect \
     --key forgejo \
     --secret "$(op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/Authentik (blumeops)/forgejo-client-secret")" \
     --auto-discover-url https://authentik.ops.eblu.me/application/o/forgejo/.well-known/openid-configuration \
     --scopes "openid email profile groups" \
     --group-claim-name groups \
     --admin-group admins'
   ```

4. **Link eblume account:** Sign in with Authentik on Forgejo, confirm link with local password

5. **Verify:** `tea repo list`, Forgejo Actions, local password break-glass

After merge: `argocd app set authentik --revision main && argocd app sync authentik`

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/228
This commit is contained in:
Erich Blume 2026-02-20 17:39:50 -08:00
commit cd50c1454a
8 changed files with 143 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

94
argocd/manifests/authentik/configmap-blueprint.yaml
View file

@ -5,12 +5,12 @@ metadata:
name: authentik-blueprints
namespace: authentik
data:
grafana.yaml: |
common.yaml: |
version: 1
metadata:
name: BlumeOps Grafana SSO
name: BlumeOps Common Identity
labels:
blueprints.goauthentik.io/description: "Grafana OIDC provider and application"
blueprints.goauthentik.io/description: "Shared groups and identity resources"
entries:
# admins group — gates access to admin-only applications
- model: authentik_core.group
@ -20,6 +20,34 @@ data:
attrs:
name: admins
mfa.yaml: |
version: 1
metadata:
name: BlumeOps MFA Enforcement
labels:
blueprints.goauthentik.io/description: "Require MFA on default authentication flow"
entries:
# Require MFA — force_setup prompts users without MFA to enroll.
- model: authentik_stages_authenticator_validate.authenticatorvalidatestage
identifiers:
name: default-authentication-mfa-validation
attrs:
not_configured_action: configure
device_classes:
- totp
- webauthn
- static
configuration_stages:
- !Find [authentik_stages_authenticator_totp.authenticatortotpstage, [name, default-authenticator-totp-setup]]
- !Find [authentik_stages_authenticator_static.authenticatorstaticstage, [name, default-authenticator-static-setup]]
grafana.yaml: |
version: 1
metadata:
name: BlumeOps Grafana SSO
labels:
blueprints.goauthentik.io/description: "Grafana OIDC provider and application"
entries:
# OAuth2 provider for Grafana
- model: authentik_providers_oauth2.oauth2provider
id: grafana-provider
@ -62,10 +90,66 @@ data:
identifiers:
order: 0
target: !KeyOf grafana-app
group: !KeyOf admins-group
group: !Find [authentik_core.group, [name, admins]]
attrs:
target: !KeyOf grafana-app
group: !KeyOf admins-group
group: !Find [authentik_core.group, [name, admins]]
order: 0
enabled: true
negate: false
timeout: 30
forgejo.yaml: |
version: 1
metadata:
name: BlumeOps Forgejo SSO
labels:
blueprints.goauthentik.io/description: "Forgejo OIDC provider and application"
entries:
# OAuth2 provider for Forgejo
- model: authentik_providers_oauth2.oauth2provider
id: forgejo-provider
identifiers:
name: Forgejo
attrs:
name: Forgejo
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
client_type: confidential
client_id: forgejo
client_secret: !Env AUTHENTIK_FORGEJO_CLIENT_SECRET
redirect_uris:
- matching_mode: strict
url: https://forge.ops.eblu.me/user/oauth2/authentik/callback
signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
property_mappings:
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
sub_mode: hashed_user_id
include_claims_in_id_token: true
# Forgejo application — linked to the OAuth2 provider
- model: authentik_core.application
id: forgejo-app
identifiers:
slug: forgejo
attrs:
name: Forgejo
slug: forgejo
provider: !KeyOf forgejo-provider
meta_launch_url: https://forge.ops.eblu.me
policy_engine_mode: any
# Policy binding — restrict Forgejo to admins group
- model: authentik_policies.policybinding
identifiers:
order: 0
target: !KeyOf forgejo-app
group: !Find [authentik_core.group, [name, admins]]
attrs:
target: !KeyOf forgejo-app
group: !Find [authentik_core.group, [name, admins]]
order: 0
enabled: true
negate: false