Integrate Forgejo with Authentik OIDC

Refactor Authentik blueprints into common.yaml (shared admins group), grafana.yaml (updated with !Find and groups scope), and forgejo.yaml (new provider + application). Add forgejo-client-secret to ExternalSecret and worker deployment. Configure Forgejo oauth2_client for auto-registration with login-based account linking to safely preserve existing accounts. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-20 17:39:02 -08:00
4 changed files with 13 additions and 6 deletions
--- a/docs/changelog.d/feature-forgejo-authentik-oidc.feature.md
+++ b/docs/changelog.d/feature-forgejo-authentik-oidc.feature.md
@ -1 +1 @@
-Integrate Forgejo with Authentik OIDC for single sign-on with group-based admin propagation.
+Integrate Forgejo with Authentik OIDC for single sign-on with group-based admin propagation. Enforce TOTP MFA on Authentik authentication flow.
--- a/docs/explanation/federated-login.md
+++ b/docs/explanation/federated-login.md
@ -70,6 +70,10 @@ Account linking is configured with `ACCOUNT_LINKING = login`: when an Authentik

 The `admins` group in Authentik maps to Forgejo admin status, enabling centralized admin management.

+### MFA
+
+Authentik enforces TOTP MFA on its default authentication flow (`not_configured_action: configure`). Forgejo's auth source has `SkipLocalTwoFA: true`, so SSO logins bypass Forgejo's local 2FA — Authentik has already verified the second factor. Local password logins (break-glass) still require Forgejo's own TOTP.
+
 ## Future Work

 - **Additional services:** ArgoCD, Miniflux, Immich, Zot (see [[harden-zot-registry]])
--- a/docs/reference/services/authentik.md
+++ b/docs/reference/services/authentik.md
@ -42,10 +42,11 @@ Uses the shared CNPG `blumeops-pg` cluster on [[indri]], accessed cross-cluster
 Authentik configuration is managed via Blueprints (YAML) stored as a ConfigMap mounted into the worker at `/blueprints/custom/`. Current blueprints:

 - **`common.yaml`** — shared identity resources (`admins` group)
+- **`mfa.yaml`** — MFA enforcement on the default authentication flow (`not_configured_action: configure`)
 - **`grafana.yaml`** — Grafana OAuth2 provider, application, and policy binding
 - **`forgejo.yaml`** — Forgejo OAuth2 provider, application, and policy binding

-All providers include the `groups` scope mapping for group-based admin propagation.
+Group membership is included in the `profile` scope claim (Authentik built-in). Services use `--group-claim-name groups` to read it.

 Blueprint file: `argocd/manifests/authentik/configmap-blueprint.yaml`

--- a/docs/reference/services/forgejo.md
+++ b/docs/reference/services/forgejo.md
@ -83,14 +83,16 @@ This is a bootstrapping requirement - the PAT enables IaC for all other secrets.

 **Configuration:**
 - OAuth2 provider and application defined in Authentik blueprints (`argocd/manifests/authentik/configmap-blueprint.yaml`)
- Auth source created via `forgejo admin auth add-oauth` (lives in Forgejo's SQLite database, not app.ini)
+- Auth source created via `forgejo admin auth add-oauth` with `--skip-local-2fa` (lives in Forgejo's SQLite database, not app.ini)
 - `[oauth2_client]` section in `app.ini.j2` controls auto-registration and account linking behavior

-**Account linking:** `ACCOUNT_LINKING = login` — when an Authentik user's email matches an existing local account, Forgejo prompts for the local password to confirm the link. This preserves existing accounts, API tokens, SSH keys, and repository ownership.
+**MFA:** SSO logins skip Forgejo's local 2FA (`--skip-local-2fa` on the auth source) — Authentik enforces MFA instead. Local password logins still require Forgejo's own TOTP. Note: the `--skip-local-2fa` CLI flag has a [known bug](https://codeberg.org/forgejo/forgejo/issues/5366) where it doesn't persist via `update-oauth`; it was set directly in the `login_source.cfg` JSON (`SkipLocalTwoFA: true`).
+
+**Account linking:** `ACCOUNT_LINKING = login` — when an Authentik user's email matches an existing local account, Forgejo prompts for the local password (and local MFA) to confirm the link. This is a one-time operation that preserves existing accounts, API tokens, SSH keys, and repository ownership.

 **Group-based admin:** The `admins` group in Authentik maps to Forgejo admin status via `--admin-group admins` on the auth source. Manage admin access in Authentik, not Forgejo.

-**Break-glass:** Local password login always works. Authentik SSO is additive — if Authentik is down, log in with local credentials.
+**Break-glass:** Local password login always works (with local MFA). Authentik SSO is additive — if Authentik is down, log in with local credentials.

 ## Future: Public Access

@ -102,7 +104,7 @@ Forgejo can be exposed publicly at `forge.eblu.me` via [[flyio-proxy]]. Since Fo

 Exposing a dynamic, authenticated service like Forgejo requires a full security review before going live:

- Disable open user registration (require invites or admin approval)
+- Disable all local registration — only allow login via [[authentik]] (`DISABLE_REGISTRATION = true`, `ALLOW_ONLY_EXTERNAL_REGISTRATION = true`)
 - Configure fail2ban on indri with a filter for Forgejo's log format
 - Ensure Forgejo logs the forwarded client IP (`X-Real-IP`) rather than the proxy's Tailscale IP
 - Audit repository visibility defaults and permissions