docs(forgejo): runbook reflects Authentik disabled + zero-click GitHub
All checks were successful
ci/woodpecker/push/default Pipeline was successful

Authentik OAuth2 source is now disabled (login_source.is_active=0) and GitHub
auto-registration (zero-click sign-up) is on. Document why (global auto-reg +
Authentik's email-as-username 500; Forgejo/Authentik email mismatch blocks
account-linking) and how to re-enable Authentik later.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
viktor 2026-06-19 17:37:46 +00:00
parent 7d99203fc6
commit 78095aa273

@ -11,7 +11,7 @@ layers:
user clicks an activation link emailed to the address they registered with.
Two external login sources also work alongside local accounts: the pre-existing
**Authentik OAuth2 login** (SSO) and **Sign in with GitHub** (see the GitHub
**Sign in with GitHub** OAuth2 login (the **Authentik OAuth2 source is now DISABLED** — see the GitHub section below) (see the GitHub
section below). Opening local signups was additive — it did not touch SSO.
Most of this is Terraform-managed in `stacks/forgejo/`. The one exception is the
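Review bot: the rewritten sentence no longer agrees with the unchanged lines around it. The context line above still reads "Two external login sources also work alongside local accounts", but with Authentik disabled only the GitHub source remains active, and the new line carries the cross-reference twice: once inside the bold parenthetical ("see the GitHub section below") and again right after it. Suggest stating that one external source (GitHub) is active, keeping a single cross-reference, and revisiting the unchanged "it did not touch SSO" sentence, which now reads as if SSO login were still available.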
@ -81,8 +81,9 @@ the `/user/sign_up` HTML afterwards.
## GitHub sign-in (OAuth2 source)
People can **sign up / sign in with GitHub** — a second Forgejo OAuth2 source
alongside Authentik.
People can **sign up / sign in with GitHub** — the active Forgejo OAuth2 source. GitHub sign-up is **zero-click** (auto-registration creates the account on first login).
> **Authentik is DISABLED on purpose** (2026-06-19). `ENABLE_AUTO_REGISTRATION` is GLOBAL across OAuth sources, and Authentik's `preferred_username` claim is the user's **email** — invalid as a Forgejo username, which 500'd auto-create. Viktor's Forgejo email (`me@viktorbarzin.me`) does not match his Authentik email (`vbarzin@gmail.com`), so account-linking can't bridge it. Per his directive GitHub was prioritised; the Authentik source was deactivated via `UPDATE login_source SET is_active=0 WHERE name='Authentik'` in the forgejo MySQL DB. **Re-enable** with `is_active=1` after fixing Authentik's username claim.
- **Source** (Forgejo DB, *not* Terraform — added via CLI, same as Authentik):
```
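Review bot: the re-enable instruction at the end of the blockquote addresses only one of the two blockers the same paragraph names. It says to set `is_active=1` "after fixing Authentik's username claim", but the paragraph also says the Forgejo and Authentik email addresses differ and that account-linking cannot bridge them, so re-enabling after the claim fix alone would leave that problem in place. Suggest listing both preconditions and writing out the full re-enable statement next to the disable one, so nobody has to reconstruct the WHERE clause during an incident. Two smaller points in the same block: the two personal email addresses could be replaced by a plain description of the mismatch, and since the added paragraph says GitHub auto-registration creates the account on first login, the runbook should state whether anything limits which GitHub accounts can register that way.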