ansible/docs/guides/mailcow-authentik-oidc.md

# Mailcow ↔ Authentik OIDC

**Status:** Configured 2026-05-24 (Generic-OIDC in DB + Authentik app `mailcow`)

**Requires:** mailcow **2025-03+** (this host: `2025-10a`)

**URL:** https://mail.levkine.ca

---

## What OIDC means

**OIDC** = **OpenID Connect** — login with an identity provider (Authentik) instead of a separate password per app. You sign in once at `auth.levkin.ca`, apps trust that login.

---

## Authentik

| Item | Value |
|------|--------|
| Application slug | `mailcow` |
| Provider | `mailcow-oidc` |
| Client ID | `mailcow` |
| Redirect URI | `https://mail.levkine.ca` |
| Scope mapping | `mailcow_template` → `default` mailbox template |
| Access | `homelab-users` |

Secret: `vault_mailcow_oidc_client_secret` in Ansible vault.

---

## Mailcow (applied via MySQL `identity_provider`)

- **Identity Provider:** Generic-OIDC
- **Authorize / token / userinfo:** `https://auth.levkin.ca/application/o/{authorize,token,userinfo}/`
- **Redirect URL:** `https://mail.levkine.ca`
- **Scopes:** `openid profile email mailcow_template`

Mailbox users with SSO need matching email in Authentik. Admin UI may still use local admin for break-glass.

---

## Verify

Log out of Mailcow → login should offer external IdP. Test with user `ilia` in `homelab-users`.

---

## Related

- [sso-selfhosted-matrix.md](sso-selfhosted-matrix.md)
- [Authentik mailcow integration](https://integrations.goauthentik.io/chat-communication-collaboration/mailcow/)