ansible/docs/guides/vikunja-authentik-oidc.md

Vikunja ↔ Authentik OIDC

Status: Live at https://todo.levkin.ca (host vikunja, 10.0.10.159).

Authentik

Item	Value
Application slug	vikunja
Redirect URI (strict)	https://todo.levkin.ca/auth/openid/authentik
Subject mode	Based on the User's username (user_username)
Access group	homelab-users (bind to app; policy engine ANY)

Authentik user	Purpose	Email
admin	Authentik admin UI only	admin@levkin.ca
ilia	Homelab apps (Vikunja, etc.)	idobkin@gmail.com

Do not use the same email on both users — Authentik will pick the wrong account.

homelab-users group = ilia only. Vikunja app binding: group homelab-users (policy engine ANY).

Secrets: vault_vikunja_oidc_client_id, vault_vikunja_oidc_client_secret in Ansible vault.

Vikunja

Config: /opt/vikunja/config.yml (mounted in docker-compose.yml).

• auth.openid.providers.authentik → authurl: https://auth.levkin.ca/application/o/vikunja/
• usernamefallback: true + emailfallback: true → SSO links to existing local user ilia when Authentik username is ilia.

Local auth stays enabled for break-glass.

Login

1. Sign out: https://auth.levkin.ca/if/user/logout/
2. https://todo.levkin.ca → Login with Authentik
3. Sign in as ilia (username) or idobkin@gmail.com — not admin

My applications: admin only sees apps allowed for superuser (e.g. Cal). ilia sees Vikunja after login.

Adding users

1. Directory → Users — create user (username should match Vikunja local username if linking).
2. Directory → Groups → homelab-users — add user.
3. New Vikunja users: first OIDC login creates account; existing local users need matching username + fallbacks.

Related

• sso-selfhosted-matrix.md
• Authentik Vikunja integration