# Keycloak SSO Rollout (Server)

## Compatible services to cover (assume up-to-date versions)

- Gitea (OAuth2/OIDC)
- Nextcloud (Social Login app)
- Paperless-ngx (OIDC)
- Mealie (OIDC v1+)
- Jellyfin (OIDC plugin)
- Kavita (OIDC-capable builds)
- Readeck (OIDC-capable builds)
- Audiobookshelf (OIDC-capable builds)
- Matrix Synapse – intentionally excluded (see below) but natively OIDC if needed

## Explicit exclusions (no SSO for now)

- Syncplay
- Matrix/Synapse
- Arr stack (sonarr, radarr, lidarr, prowlarr, bazarr)
- qbittorrent
- sabnzbd
- metube
- multi-scrobbler
- microbin
- ryot
- maloja
- plex
- atticd

## Phased rollout plan

1) Base identity
   - Add Keycloak deployment/module and realm/client defaults.
2) Gateway/proxy auth
   - Add oauth2-proxy (Keycloak provider) + nginx auth_request for non-OIDC apps (e.g., homepage-dashboard, stash).
3) Native OIDC wiring
   - Configure native OIDC services (Gitea, Nextcloud, Paperless, Mealie, Jellyfin/Kavita/Readeck/Audiobookshelf) with Keycloak clients.
4) Per-service rollout
   - Enable per app in priority order; document client IDs/secrets and callback URLs.
5) Verification
   - Smoke-test login flows and cache any needed public keys/metadata.
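As an added example (not part of the original plan), a small lint for the per-service Keycloak clients created in phases 3 and 4: it reads client representations in the JSON shape of a Keycloak realm export and flags the settings that most often weaken an OIDC rollout (wildcard or non-HTTPS redirect URIs, implicit flow, direct access grants, public clients without PKCE). The client IDs, hostnames and callback paths in the sample realm are constructed for illustration.

```python
def lint_client(client: dict) -> list[str]:
    """Return findings for one Keycloak client representation (realm-export JSON shape)."""
    findings = []
    cid = client.get("clientId", "<no clientId>")
    uris = client.get("redirectUris", [])
    if not uris:
        findings.append(f"{cid}: no redirect URIs registered")
    for uri in uris:
        # A wildcard lets any path under that host receive the authorization code.
        if "*" in uri:
            findings.append(f"{cid}: wildcard redirect URI {uri!r}; register the exact callback URL")
        elif not uri.startswith("https://"):
            findings.append(f"{cid}: non-HTTPS redirect URI {uri!r}")
    if client.get("implicitFlowEnabled"):
        # Implicit flow returns tokens in the URL fragment; these services use authorization code.
        findings.append(f"{cid}: implicit flow enabled")
    if client.get("directAccessGrantsEnabled"):
        # The password grant lets an app collect credentials itself, bypassing browser login and MFA.
        findings.append(f"{cid}: direct access grants (password grant) enabled")
    pkce = client.get("attributes", {}).get("pkce.code.challenge.method")
    if client.get("publicClient") and pkce != "S256":
        # A public client has no secret, so PKCE S256 is what binds the code to the requester.
        findings.append(f"{cid}: public client without PKCE S256 enforced")
    return findings


def lint_realm(realm: dict) -> dict[str, list[str]]:
    """Map each clientId with findings to its list of findings; clean clients are omitted."""
    result = {}
    for client in realm.get("clients", []):
        findings = lint_client(client)
        if findings:
            result[client.get("clientId", "<no clientId>")] = findings
    return result


# Constructed sample realm export (not from the original plan): one clean client, two with issues.
SAMPLE_REALM = {"clients": [
    {"clientId": "gitea", "publicClient": False, "implicitFlowEnabled": False,
     "directAccessGrantsEnabled": False, "attributes": {},
     "redirectUris": ["https://git.example.internal/user/oauth2/keycloak/callback"]},
    {"clientId": "nextcloud", "publicClient": False, "implicitFlowEnabled": False,
     "directAccessGrantsEnabled": True, "attributes": {},
     "redirectUris": ["https://cloud.example.internal/*"]},
    {"clientId": "jellyfin", "publicClient": True, "implicitFlowEnabled": False,
     "directAccessGrantsEnabled": False, "attributes": {},
     "redirectUris": ["https://jellyfin.example.internal/sso/OID/redirect/keycloak"]},
]}
```

Run `lint_realm` over the `clients` array of a realm export before enabling each app in phase 4; an empty result for a client means its redirect URIs and flow settings pass these checks.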