@brendan-kellam brendan-kellam commented Nov 24, 2025

Adds support for Authentik as an EE identity provider

Summary by CodeRabbit

  • New Features
    • Added Authentik as a supported identity provider for single sign-on authentication
    • Added comprehensive documentation with step-by-step setup instructions to configure and enable Authentik OAuth2/OpenID Connect integration



coderabbitai bot commented Nov 24, 2025

Important

Review skipped

Auto reviews are disabled on this repository.

Walkthrough

This pull request adds comprehensive support for Authentik as a new identity provider across the codebase. Changes include schema and type definitions for AuthentikIdentityProviderConfig, documentation with setup instructions, runtime provider configuration in the SSO module, and UI support through logo integration and provider information mapping.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Documentation: CHANGELOG.md, docs/docs/configuration/idp.mdx | Adds changelog entry and new Authentik provider documentation section with OAuth2/OpenID Connect setup instructions, environment variable definitions, and configuration examples. |
| Schema Definitions: docs/snippets/schemas/v3/identityProvider.schema.mdx, docs/snippets/schemas/v3/index.schema.mdx, schemas/v3/identityProvider.json | Introduces AuthentikIdentityProviderConfig schema definition with provider="authentik", purpose="sso", and required clientId, clientSecret, issuer fields supporting env or googleCloudSecret references. |
| TypeScript Type Definitions: packages/schemas/src/v3/identityProvider.type.ts, packages/schemas/src/v3/index.type.ts, packages/schemas/src/v3/identityProvider.schema.ts, packages/schemas/src/v3/index.schema.ts | Adds AuthentikIdentityProviderConfig type interface and integrates it into the IdentityProviderConfig union alongside existing providers. |
| Runtime SSO Implementation: packages/web/src/ee/features/sso/sso.ts | Adds provider recognition for authentik and exports createAuthentikProvider helper function that configures Authentik with clientId, clientSecret, and issuer. |
| UI Provider Configuration: packages/web/src/lib/utils.ts | Adds authentik logo import and case handler in getAuthProviderInfo to return provider metadata (id, displayName, icon) for Authentik. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Schema consistency verification: Review that AuthentikIdentityProviderConfig schema matches the structure of existing providers and that oneOf unions are updated consistently across all schema files.
  • Type safety: Verify the new AuthentikIdentityProviderConfig type properly extends the IdentityProviderConfig union and that all required fields are specified.
  • Runtime provider configuration: Ensure the createAuthentikProvider implementation in sso.ts correctly handles credential resolution and integrates with the next-auth authentik provider.
  • Documentation accuracy: Confirm OAuth2/OpenID Connect setup instructions align with Authentik's current authentication flow requirements.

Suggested reviewers

  • msukkari

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The PR title 'feat(web): Add support for authentik sso' accurately summarizes the main change—adding Authentik as a new identity provider with SSO support across the codebase. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@brendan-kellam

@coderabbitai review


coderabbitai bot commented Nov 24, 2025

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
docs/docs/configuration/idp.mdx (1)

369-416: Minor wording and example consistency tweaks for Authentik section

The content and flow look good. Two small polish suggestions:

  • “Create a OAuth2/OpenID Connect application” → “Create an OAuth2/OpenID Connect application”.
  • Step 2 says env vars “can be named whatever you like (ex. …)”, but the JSON snippet then hardcodes the example names. Consider either:
    • Using generic placeholders (YOUR_CLIENT_ID_ENV_VAR, etc.) like other sections, or
    • Explicitly stating that the snippet shows the recommended names and should be adjusted if different env var names are used.
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between f3a8fa3 and 6c947e3.

⛔ Files ignored due to path filters (1)
  • packages/web/public/authentik.svg is excluded by !**/*.svg
📒 Files selected for processing (11)
  • CHANGELOG.md (1 hunks)
  • docs/docs/configuration/idp.mdx (1 hunks)
  • docs/snippets/schemas/v3/identityProvider.schema.mdx (2 hunks)
  • docs/snippets/schemas/v3/index.schema.mdx (2 hunks)
  • packages/schemas/src/v3/identityProvider.schema.ts (2 hunks)
  • packages/schemas/src/v3/identityProvider.type.ts (2 hunks)
  • packages/schemas/src/v3/index.schema.ts (2 hunks)
  • packages/schemas/src/v3/index.type.ts (2 hunks)
  • packages/web/src/ee/features/sso/sso.ts (3 hunks)
  • packages/web/src/lib/utils.ts (2 hunks)
  • schemas/v3/identityProvider.json (2 hunks)
🧰 Additional context used
🧬 Code graph analysis (2)
packages/schemas/src/v3/identityProvider.type.ts (1)
packages/schemas/src/v3/index.type.ts (2)
  • GCPIAPIdentityProviderConfig (1388-1404)
  • AuthentikIdentityProviderConfig (1405-1447)
packages/schemas/src/v3/index.type.ts (1)
packages/schemas/src/v3/identityProvider.type.ts (2)
  • GCPIAPIdentityProviderConfig (242-258)
  • AuthentikIdentityProviderConfig (259-301)
🪛 LanguageTool
docs/docs/configuration/idp.mdx

[grammar] ~369-~369: Ensure spelling is correct
Context: ... ### Authentik [Auth.js Authentik Provider Docs](https:/...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: build
🔇 Additional comments (14)
docs/snippets/schemas/v3/index.schema.mdx (1)

5166-5275: Authentik IdP schema variant looks consistent with existing OIDC providers

The new AuthentikIdentityProviderConfig definition and its oneOf entry mirror the existing Okta/Keycloak/Microsoft Entra ID patterns (provider "authentik", purpose "sso", and clientId/clientSecret/issuer supporting env or googleCloudSecret tokens). This looks structurally correct for the config surface.

Also applies to: 5921-6030

packages/web/src/ee/features/sso/sso.ts (1)

4-4: Authentik provider wiring verified as correct

Web verification confirms:

  • Import path next-auth/providers/authentik is correct for NextAuth
  • Provider options { clientId, clientSecret, issuer } are the documented configuration fields

The Authentik integration is properly implemented and consistent with the NextAuth/Auth.js API.

packages/schemas/src/v3/identityProvider.schema.ts (2)

1404-1513: LGTM! oneOf entry correctly includes Authentik provider.

The Authentik provider entry in the oneOf union is properly structured and consistent with other providers.


649-758: Schema correctly implements Authentik OIDC configuration with issuer field.

The AuthentikIdentityProviderConfig schema is consistent with the runtime implementation in packages/web/src/ee/features/sso/sso.ts. The issuer field is properly retrieved from the configuration and passed to createAuthentikProvider(), confirming the schema supports the required OIDC flow.

schemas/v3/identityProvider.json (2)

173-195: LGTM! JSON schema definition is clean and consistent.

The AuthentikIdentityProviderConfig definition properly uses $ref to the shared Token type, maintaining consistency with other provider definitions in this schema.


218-221: LGTM! oneOf reference correctly added.

The Authentik provider is properly included in the oneOf union, allowing it as a valid identity provider configuration variant.

packages/schemas/src/v3/identityProvider.type.ts (2)

3-11: LGTM! Union type correctly includes Authentik provider.

The IdentityProviderConfig union type is properly updated to include AuthentikIdentityProviderConfig, maintaining the discriminated union pattern that allows TypeScript to narrow types based on the provider field.


259-301: LGTM! TypeScript interface accurately reflects the schema.

The AuthentikIdentityProviderConfig interface is well-defined with:

  • Literal types for provider and purpose enabling type narrowing
  • Union types for secrets supporting both environment variables and Google Cloud Secrets
  • Comprehensive JSDoc documentation for all fields
packages/schemas/src/v3/index.schema.ts (2)

5165-5273: Authentik identity provider definition matches existing OIDC patterns

The new AuthentikIdentityProviderConfig schema mirrors Okta/Keycloak/Microsoft (env/Google Cloud Secret union, required clientId/clientSecret/issuer, additionalProperties: false) and looks consistent with the typed interface. LGTM.


5920-6028: Authentik correctly added to identityProviders oneOf union

Including the authentik variant in the identityProviders.items.oneOf block with the same shape as its definition ensures configs validate properly. This stays aligned with the other providers. LGTM.

packages/schemas/src/v3/index.type.ts (2)

36-37: IdentityProviderConfig union correctly extended

Adding AuthentikIdentityProviderConfig to IdentityProviderConfig cleanly exposes the new provider type to consumers, consistent with how GCPIAP and others are wired. LGTM.


1405-1447: AuthentikIdentityProviderConfig interface is consistent with schema and source types

The new AuthentikIdentityProviderConfig interface (provider/purpose plus env/Google Cloud Secret unions for clientId, clientSecret, issuer) matches both the JSON schema and the existing definition in identityProvider.type.ts. LGTM.
Based on learnings from packages/schemas/src/v3/identityProvider.type.ts snippet.

docs/snippets/schemas/v3/identityProvider.schema.mdx (2)

651-759: AuthentikIdentityProviderConfig definition follows established pattern.

The new definition correctly mirrors the structure of other multi-field OIDC providers (Okta, Keycloak) with required issuer field. Schema constraints are properly enforced via additionalProperties: false, and secret variants (env/googleCloudSecret) are correctly defined.

Since this is an auto-generated file, please verify that the schema generation process produced these changes consistently across all related files mentioned in the summary (TypeScript types, index schema, etc.).


1406-1514: AuthentikIdentityProviderConfig oneOf variant correctly positioned and structured.

The oneOf entry properly duplicates the definition (standard schema pattern) and is positioned after the gcp-iap variant. The schema structure is consistent with other provider configurations.
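
An added example, not code from this pull request: a strict validator for the AuthentikIdentityProviderConfig shape the review describes (provider "authentik", purpose "sso", required clientId/clientSecret/issuer as env or googleCloudSecret references, no additional properties). The exact reference object shape, the helper names and all sample values are assumptions made for illustration.

```typescript
// Added example. The reference shape ({ env } / { googleCloudSecret }) is an
// assumption based on the field names in the review summary, not the PR's code.
type SecretRef = { env: string } | { googleCloudSecret: string };

const ALLOWED_KEYS = ["provider", "purpose", "clientId", "clientSecret", "issuer"];

// True only for an object with exactly one key, "env" or "googleCloudSecret",
// holding a string. A literal string value is rejected.
function isSecretRef(v: unknown): v is SecretRef {
  if (typeof v !== "object" || v === null) return false;
  const rec = v as Record<string, unknown>;
  return Object.keys(rec).length === 1 &&
    (typeof rec["env"] === "string" || typeof rec["googleCloudSecret"] === "string");
}

// Returns a list of problems; an empty list means the entry is acceptable.
function validateAuthentikConfig(raw: unknown): string[] {
  if (typeof raw !== "object" || raw === null) return ["config must be an object"];
  const cfg = raw as Record<string, unknown>;
  const errors: string[] = [];
  if (cfg["provider"] !== "authentik") errors.push('provider must be "authentik"');
  if (cfg["purpose"] !== "sso") errors.push('purpose must be "sso"');
  for (const field of ["clientId", "clientSecret", "issuer"]) {
    if (!isSecretRef(cfg[field])) {
      errors.push(`${field} must be an env or googleCloudSecret reference`);
    }
  }
  // Same effect as additionalProperties: false: unknown keys are errors.
  for (const key of Object.keys(cfg)) {
    if (ALLOWED_KEYS.indexOf(key) === -1) errors.push(`unexpected property: ${key}`);
  }
  return errors;
}

// Constructed sample entries; the variable and secret names are placeholders.
const goodConfig = {
  provider: "authentik",
  purpose: "sso",
  clientId: { env: "AUTHENTIK_CLIENT_ID" },
  clientSecret: { googleCloudSecret: "projects/example/secrets/authentik/versions/1" },
  issuer: { env: "AUTHENTIK_ISSUER" },
};
const inlineSecretConfig = { ...goodConfig, clientSecret: "constructed-literal-secret" };
const extraKeyConfig = { ...goodConfig, unexpectedOption: true };
```

Running the validator over `inlineSecretConfig` shows the practical benefit of reference-only fields: a client secret pasted directly into the config file fails validation instead of being accepted.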

@brendan-kellam brendan-kellam merged commit c671e96 into main Nov 24, 2025
10 checks passed
@brendan-kellam brendan-kellam deleted the bkellam/authentik_support branch November 24, 2025 21:28