# Mattermost ↔ Authentik (GitLab OAuth workaround)

**Status:** ✅ Live (config.json patched 2026-05-24; VM **107** @ `10.0.10.237`)

Team Edition has no generic OIDC UI — use the **GitLab OAuth** endpoints pointed at Authentik.

**URL:** https://slack.levkin.ca · **Backend:** `10.0.10.237:8065` (VM **107** on pve10)

---

## Authentik (done 2026-05-24)

| Item | Value |
|------|-------|
| Application slug | `mattermost` |
| Provider | `mattermost-gitlab-oidc` |
| Client ID | `mattermost` |
| Redirect URI | `https://slack.levkin.ca/signup/gitlab/complete` |
| Scope mappings | `mattermost-username`, `mattermost-id` + default OpenID |
| Access | `homelab-users` group binding |

Client secret: store in vault as `vault_mattermost_oidc_client_secret` (rotate if exposed).

---

## Mattermost — apply on VM

SSH as root (or bootstrap the key first: `make bootstrap-root-ssh` once the password works):

```bash
ssh root@10.0.10.237
```

Edit `/opt/mattermost/config/config.json` (path may vary — `find / -name config.json -path '*mattermost*'`). Set `GitLabSettings`; `Secret` is left empty below so it is not committed, fill it from `vault_mattermost_oidc_client_secret` before restarting:

```json
"GitLabSettings": {
  "Enable": true,
  "Secret": "",
  "Id": "mattermost",
  "Scope": "",
  "AuthEndpoint": "https://auth.levkin.ca/application/o/authorize/",
  "TokenEndpoint": "https://auth.levkin.ca/application/o/token/",
  "UserAPIEndpoint": "https://auth.levkin.ca/application/o/userinfo/",
  "DiscoveryEndpoint": "https://auth.levkin.ca/application/o/mattermost/.well-known/openid-configuration",
  "ButtonText": "Log in with Authentik",
  "ButtonColor": "#fd4b2d"
}
```

Then:

1. **System Console** → Authentication → Signup → **Enable Account Creation** = true
2. `systemctl restart mattermost` (or `docker compose restart` if containerized)
3. Log out → use the **GitLab** button (actually Authentik)
4. Existing users: Profile → Security → **Switch to GitLab SSO** (see [Authentik integration](https://integrations.goauthentik.io/chat-communication-collaboration/mattermost-team-edition/))

---

## Verify

```bash
curl -sS https://auth.levkin.ca/application/o/mattermost/.well-known/openid-configuration | head
curl -sS -o /dev/null -w '%{http_code}\n' https://slack.levkin.ca/login
```

---

## Related

- [sso-selfhosted-matrix.md](sso-selfhosted-matrix.md)
- [cursor-mcp-homelab.md](cursor-mcp-homelab.md) — Playwright can smoke-test login after `config.json` is applied
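Pre-restart sanity check for the `GitLabSettings` block in the Mattermost section above: it compares the three endpoints against the Authentik discovery document (the one the Verify step curls) and flags an unfilled `Secret`, so a typo is caught before `systemctl restart mattermost`. This is an added helper, not part of these notes or of Mattermost/Authentik; the function names, the constructed `SAMPLE_*` data and the assumption that the discovery claims are `authorization_endpoint`, `token_endpoint` and `userinfo_endpoint` (standard OIDC names) are mine.

```python
"""Compare GitLabSettings in config.json with the Authentik OIDC discovery document
so endpoint typos or an unfilled Secret are caught before restarting Mattermost."""
import json

# GitLabSettings key -> claim name in the OIDC discovery document (standard OIDC names).
ENDPOINT_MAP = {
    "AuthEndpoint": "authorization_endpoint",
    "TokenEndpoint": "token_endpoint",
    "UserAPIEndpoint": "userinfo_endpoint",
}

def check_gitlab_settings(config: dict, discovery: dict) -> list[str]:
    """Return findings as strings; an empty list means the block is consistent."""
    gl = config.get("GitLabSettings", {})
    findings = []
    if gl.get("Enable") is not True:
        findings.append("Enable is not true")
    if not gl.get("Secret"):
        findings.append("Secret is empty: fill it from vault_mattermost_oidc_client_secret")
    if not gl.get("Id"):
        findings.append("Id (client ID) is empty")
    for key, claim in ENDPOINT_MAP.items():
        have, want = gl.get(key), discovery.get(claim)
        if not have:
            findings.append(f"{key} is missing")
        elif not have.startswith("https://"):
            findings.append(f"{key} is not https: {have}")
        elif want and have.rstrip("/") != want.rstrip("/"):
            findings.append(f"{key} = {have} but discovery says {want}")
    return findings

def load_config(path: str) -> dict:
    """Read config.json from disk (e.g. /opt/mattermost/config/config.json)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

# Constructed sample: the GitLabSettings block from these notes, Secret still unfilled.
SAMPLE_CONFIG = {"GitLabSettings": {
    "Enable": True, "Secret": "", "Id": "mattermost", "Scope": "",
    "AuthEndpoint": "https://auth.levkin.ca/application/o/authorize/",
    "TokenEndpoint": "https://auth.levkin.ca/application/o/token/",
    "UserAPIEndpoint": "https://auth.levkin.ca/application/o/userinfo/",
}}
# Constructed stand-in for what the Verify step's curl returns from auth.levkin.ca.
SAMPLE_DISCOVERY = {
    "authorization_endpoint": "https://auth.levkin.ca/application/o/authorize/",
    "token_endpoint": "https://auth.levkin.ca/application/o/token/",
    "userinfo_endpoint": "https://auth.levkin.ca/application/o/userinfo/",
}
```

On the VM, feed it `load_config("/opt/mattermost/config/config.json")` and the parsed body of the discovery `curl` from the Verify section; an empty list is the go-ahead to restart.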