Integrate Forgejo with Authentik OIDC #228

Merged
eblume merged 1 commit from feature/forgejo-authentik-oidc into main 2026-02-20 17:39:50 -08:00
Summary

  • Refactor Authentik blueprints: extract shared admins group into common.yaml, add groups scope mapping to all providers for group-based admin propagation
  • Add Forgejo OAuth2 provider and application blueprint (forgejo.yaml)
  • Add forgejo-client-secret to ExternalSecret and worker deployment env
  • Configure Forgejo [oauth2_client] with ACCOUNT_LINKING=login to safely link existing accounts
  • Update documentation (forgejo.md, authentik.md, federated-login.md)

Deployment and Testing

After merge, deployment requires these steps in order:

1. **Authentik (ArgoCD):**
   - `argocd app set authentik --revision feature/forgejo-authentik-oidc && argocd app sync authentik`
   - Verify: Forgejo app/provider visible in Authentik admin UI
   - Verify: Grafana SSO still works (blueprint refactor)
2. **Forgejo app.ini (Ansible):**
   - `mise run provision-indri -- --tags forgejo --check --diff` (dry run)
   - `mise run provision-indri -- --tags forgejo` (apply, restarts Forgejo)
3. **Create Forgejo auth source (CLI on indri):**

   ```
   ssh indri 'sudo -u forgejo /opt/homebrew/bin/forgejo admin auth add-oauth \
     --name authentik \
     --provider openidConnect \
     --key forgejo \
     --secret "$(op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/Authentik (blumeops)/forgejo-client-secret")" \
     --auto-discover-url https://authentik.ops.eblu.me/application/o/forgejo/.well-known/openid-configuration \
     --scopes "openid email profile groups" \
     --group-claim-name groups \
     --admin-group admins'
   ```

4. **Link eblume account:** Sign in with Authentik on Forgejo, confirm link with local password
5. **Verify:** `tea repo list`, Forgejo Actions, local password break-glass

After merge: argocd app set authentik --revision main && argocd app sync authentik
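A pre-flight check for step 3, added here as an example and not part of the PR or of Forgejo's own code: it validates that an OIDC discovery document advertises the scopes and the `groups` claim the `add-oauth` flags rely on, and shows a fail-closed evaluation of the group claim against `--admin-group admins`. The discovery document and hostname below are constructed sample data, not the real Authentik response.

```python
# Scopes requested by the `forgejo admin auth add-oauth --scopes` line above.
REQUIRED_SCOPES = {"openid", "email", "profile", "groups"}
GROUP_CLAIM_NAME = "groups"   # value passed to --group-claim-name
ADMIN_GROUP = "admins"        # value passed to --admin-group

# Constructed sample of a .well-known/openid-configuration document
# (the real one is what Forgejo fetches from --auto-discover-url).
SAMPLE_DISCOVERY = {
    "issuer": "https://authentik.example/application/o/forgejo/",
    "authorization_endpoint": "https://authentik.example/application/o/authorize/",
    "token_endpoint": "https://authentik.example/application/o/token/",
    "userinfo_endpoint": "https://authentik.example/application/o/userinfo/",
    "jwks_uri": "https://authentik.example/application/o/forgejo/jwks/",
    "scopes_supported": ["openid", "email", "profile", "groups"],
    "claims_supported": ["sub", "email", "name", "preferred_username", "groups"],
}


def check_discovery(doc: dict) -> list[str]:
    """Return a list of problems; an empty list means the provider looks usable
    for the flags in step 3 (required endpoints, scopes and the group claim)."""
    problems = []
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            problems.append(f"missing {key}")
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("provider does not advertise scopes: " + ", ".join(sorted(missing)))
    if GROUP_CLAIM_NAME not in doc.get("claims_supported", []):
        problems.append(f"provider does not advertise claim {GROUP_CLAIM_NAME!r}")
    return problems


def is_admin(claims: dict) -> bool:
    """Decide admin membership from the group claim in a token/userinfo payload.
    A missing or malformed claim must never grant admin, so this fails closed."""
    groups = claims.get(GROUP_CLAIM_NAME)
    if isinstance(groups, str):          # some providers emit a single string
        groups = [groups]
    if not isinstance(groups, list):
        return False
    return ADMIN_GROUP in [g for g in groups if isinstance(g, str)]


if __name__ == "__main__":
    print("discovery problems:", check_discovery(SAMPLE_DISCOVERY) or "none")
    print("admin?", is_admin({"groups": ["admins", "users"]}))
```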

Refactor Authentik blueprints into common.yaml (shared admins group),
grafana.yaml (updated with !Find and groups scope), and forgejo.yaml
(new provider + application). Add forgejo-client-secret to ExternalSecret
and worker deployment. Configure Forgejo oauth2_client for auto-registration
with login-based account linking to safely preserve existing accounts.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
eblume merged commit cd50c1454a into main 2026-02-20 17:39:50 -08:00
Reference
eblume/blumeops!228