keycloak init
This commit is contained in:
Danilo Reyes
39
TODO.md
Normal file
39
TODO.md
Normal file
@@ -0,0 +1,39 @@
|
||||
# Keycloak SSO Rollout (Server)
|
||||
|
||||
## Compatible services to cover (assume up-to-date versions)
|
||||
- Gitea (OAuth2/OIDC)
|
||||
- Nextcloud (Social Login app)
|
||||
- Paperless-ngx (OIDC)
|
||||
- Mealie (OIDC v1+)
|
||||
- Jellyfin (OIDC plugin)
|
||||
- Kavita (OIDC-capable builds)
|
||||
- Readeck (OIDC-capable builds)
|
||||
- Audiobookshelf (OIDC-capable builds)
|
||||
- Matrix Synapse – intentionally excluded (see below) but natively OIDC if needed
|
||||
|
||||
## Explicit exclusions (no SSO for now)
|
||||
- Syncplay
|
||||
- Matrix/Synapse
|
||||
- Arr stack (sonarr, radarr, lidarr, prowlarr, bazarr)
|
||||
- qbittorrent
|
||||
- sabnzbd
|
||||
- metube
|
||||
- multi-scrobbler
|
||||
- microbin
|
||||
- ryot
|
||||
- maloja
|
||||
- plex
|
||||
- atticd
|
||||
|
||||
## Phased rollout plan
|
||||
1) Base identity
|
||||
- Add Keycloak deployment/module and realm/client defaults.
|
||||
2) Gateway/proxy auth
|
||||
- Add oauth2-proxy (Keycloak provider) + nginx auth_request for non-OIDC apps (e.g., homepage-dashboard, stash).
|
||||
3) Native OIDC wiring
|
||||
- Configure native OIDC services (Gitea, Nextcloud, Paperless, Mealie, Jellyfin/Kavita/Readeck/Audiobookshelf) with Keycloak clients.
|
||||
4) Per-service rollout
|
||||
- Enable per app in priority order; document client IDs/secrets and callback URLs.
|
||||
5) Verification
|
||||
- Smoke-test login flows and cache any needed public keys/metadata.
|
||||
|
||||
Reference in New Issue
Block a user