From 799315d79e01becc8500ee9be55c3ed854b334e8 Mon Sep 17 00:00:00 2001
From: Nick Adam
Date: Tue, 20 Jan 2026 23:35:35 +0100
Subject: [PATCH] oidc support for openprject login

---
 .../templates/external-secret.yaml | 13 ++++++++++-
 apps/openproject/values.yaml | 23 +++++++++++++++++++
 2 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/apps/openproject/templates/external-secret.yaml b/apps/openproject/templates/external-secret.yaml
index 0691c4d..e98bbfa 100644
--- a/apps/openproject/templates/external-secret.yaml
+++ b/apps/openproject/templates/external-secret.yaml
@@ -12,6 +12,7 @@ spec:
 name: openproject-db-credentials
 creationPolicy: Owner
 data:
+
 - secretKey: postgres-password
 remoteRef:
 key: secret/apps/openproject
@@ -20,4 +21,14 @@ spec:
 - secretKey: password
 remoteRef:
 key: secret/apps/openproject
- property: password
\ No newline at end of file
+ property: password
+
+ - secretKey: clientId
+ remoteRef:
+ key: secret/apps/openproject
+ property: oidc_client_id
+
+ - secretKey: clientSecret
+ remoteRef:
+ key: secret/apps/openproject
+ property: oidc_client_secret
\ No newline at end of file
diff --git a/apps/openproject/values.yaml b/apps/openproject/values.yaml
index ae29390..9a0ac20 100644
--- a/apps/openproject/values.yaml
+++ b/apps/openproject/values.yaml
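Review bot: The second hunk of external-secret.yaml writes the OIDC `clientId`/`clientSecret` keys into the Secret the template names `openproject-db-credentials`, so the database password and the OIDC client secret now share one object: the name no longer describes the contents, and any workload or RBAC subject granted read access to the DB secret also obtains the OIDC client secret. Consider a separate ExternalSecret target for the OIDC pair (name is your choice, e.g. `<oidc-secret-name>`) so the two credentials can be scoped and rotated independently; the chart-side `existingSecret` in values.yaml must then point at that Secret. Two nits in the same file: the new side still ends with `\ No newline at end of file` on `+ property: oidc_client_secret`, and the first hunk adds a bare empty line directly under `data:` — end the file with a newline and drop the stray blank so yamllint stays quiet.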
@@ -46,3 +46,26 @@ openproject:
 # 5. Memcached
 memcached:
 enabled: true
+
+ # OIDC Authentik Provider
+ oidc:
+ enabled: true
+ provider: "openproject"
+ displayName: "Authentik"
+ host: "https://auth.apps.k3s.stabify.de"
+ authorizationEndpoint: "https://auth.apps.k3s.stabify.de/application/o/authorize/"
+ tokenEndpoint: "https://auth.apps.k3s.stabify.de/application/o/token/"
+ userinfoEndpoint: "https://auth.apps.k3s.stabify.de/application/o/userinfo/"
+ endSessionEndpoint: "https://auth.apps.k3s.stabify.de/application/o/openproject/end-session/"
+ scope: "[openid]"
+
+ # Optional attribute mappings from the id token
+ attribute_map: {}
+
+ ## To avoid having sensitive credentials in your values.yaml, the preferred way is to
+ ## use an existing secret containing the OIDC compatible access credentials.
+ ## Specify the name of this existing secret here.
+ existingSecret:
+ secretKeys:
+ identifier: "clientId"
+ secret: "clientSecret"
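Review bot: `existingSecret:` is added with no value, which YAML reads as null, while the comment directly above it says to put the name of the existing Secret there; the ExternalSecret changed in this same commit populates the `clientId`/`clientSecret` keys in `openproject-db-credentials`, so presumably this line should read `existingSecret: "openproject-db-credentials"` (confirm that is the Secret the chart is meant to consume and that it lands in the release namespace). With `enabled: true` and no usable secret reference, the chart will most likely render the Authentik provider without client credentials, so the login button would be advertised but fail at the token exchange — check the rendered manifests, not just the values. `scope: "[openid]"` is a quoted string containing literal brackets rather than a YAML list; keep it only if that is the format the chart expects to pass through, otherwise it will be forwarded verbatim. Indentation is not recoverable from this collapsed hunk, so whether `secretKeys` sits beside or under `existingSecret` also needs a look in the actual file.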