# Keycloak SSO Rollout (Server)

## Compatible services to cover (assume up-to-date versions)

- Gitea (OAuth2/OIDC)
- Nextcloud (Social Login app)
- Paperless-ngx (OIDC)
- Mealie (OIDC v1+)
- Jellyfin (OIDC plugin)
- Kavita (OIDC-capable builds)
- Readeck (OIDC-capable builds)
- Audiobookshelf (OIDC-capable builds)
- Matrix Synapse – intentionally excluded (see below) but natively OIDC if needed

## Explicit exclusions (no SSO for now)

- Syncplay
- Matrix/Synapse
- Arr stack (sonarr, radarr, lidarr, prowlarr, bazarr)
- qbittorrent
- sabnzbd
- metube
- multi-scrobbler
- microbin
- ryot
- maloja
- plex
- atticd

## Phased rollout plan

1) Base identity - Add Keycloak deployment/module and realm/client defaults.
2) Gateway/proxy auth - Add oauth2-proxy (Keycloak provider) + nginx auth_request for non-OIDC apps (e.g., homepage-dashboard, stash).
3) Native OIDC wiring - Configure native OIDC services (Gitea, Nextcloud, Paperless, Mealie, Jellyfin/Kavita/Readeck/Audiobookshelf) with Keycloak clients.
4) Per-service rollout - Enable per app in priority order; document client IDs/secrets and callback URLs.
5) Verification - Smoke-test login flows and cache any needed public keys/metadata.
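As an added example for phase 2 (not part of the original plan), this is the nginx `auth_request` wiring that gates one non-OIDC app behind oauth2-proxy using its Keycloak OIDC provider. The hostnames, ports, realm name and the homepage-dashboard upstream address are assumptions; the oauth2-proxy startup flags are shown in the comment so the two halves can be matched up.

```nginx
# Added example: nginx auth_request gating for a non-OIDC app (phase 2).
# Assumed: oauth2-proxy listens on 127.0.0.1:4180 and was started with
#   oauth2-proxy --provider=keycloak-oidc \
#     --oidc-issuer-url=https://sso.example.internal/realms/home \
#     --client-id=oauth2-proxy --client-secret=<from the Keycloak client> \
#     --cookie-secret=<32 random bytes, base64> --email-domain='*' \
#     --redirect-url=https://home.example.internal/oauth2/callback \
#     --reverse-proxy=true --set-xauthrequest=true --http-address=127.0.0.1:4180
# Assumed upstream: homepage-dashboard on 127.0.0.1:3000.

server {
    listen 443 ssl;
    server_name home.example.internal;   # assumed hostname
    # ssl_certificate / ssl_certificate_key as already configured

    # oauth2-proxy's own endpoints (sign_in, callback, sign_out, auth).
    location /oauth2/ {
        proxy_pass       http://127.0.0.1:4180;
        proxy_set_header Host                    $host;
        proxy_set_header X-Real-IP               $remote_addr;
        proxy_set_header X-Forwarded-Proto       $scheme;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
    }

    # Subrequest target: 202 for a valid session cookie, 401 otherwise.
    location = /oauth2/auth {
        proxy_pass               http://127.0.0.1:4180;
        proxy_set_header         Host              $host;
        proxy_set_header         X-Real-IP         $remote_addr;
        proxy_set_header         X-Forwarded-Proto $scheme;
        proxy_set_header         X-Forwarded-Uri   $request_uri;
        proxy_pass_request_body  off;              # only headers/cookies are needed
        proxy_set_header         Content-Length    "";
    }

    location / {
        auth_request /oauth2/auth;
        # Unauthenticated users go to Keycloak via oauth2-proxy, then back here.
        error_page 401 = /oauth2/sign_in;

        # Pass the authenticated identity to the app as headers (--set-xauthrequest).
        auth_request_set $user  $upstream_http_x_auth_request_user;
        auth_request_set $email $upstream_http_x_auth_request_email;
        proxy_set_header X-User  $user;
        proxy_set_header X-Email $email;

        proxy_pass http://127.0.0.1:3000;   # assumed homepage-dashboard upstream
    }
}
```

The upstream must be reachable only through this vhost (loopback or a private network), because the app trusts `X-User`/`X-Email` and a client that can reach port 3000 directly could set them itself.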