
OIDC with Authentik

Authentik is a full-featured open-source IdP with MFA, flows, and a sizeable audit/admin surface. Before starting, read the OIDC Setup overview, as it covers the RomM-side settings common to every provider.

1. Prerequisites

Authentik installed and running via their install guide.

Log in as admin and open Admin Interface.

Authentik user dashboard

2. Create a property mapping (Authentik 2025.10+)

Authentik 2025.10 breaking change

In version 2025.10, Authentik changed the default value of the email_verified claim in its built-in email scope from true to false. RomM only accepts an identity whose email_verified claim is true, so without the property mapping below, login fails with no obvious error: the redirect to Authentik and back succeeds, but you are not signed in.

In Customization → Property Mappings → Create → Scope Mapping:

  • Name: RomM Email Verification
  • Scope name: email
  • Expression:
return {
    "email": user.email,
    "email_verified": True,
}

Property Mapping

Click Create. Upstream reference: Authentik scope mappings.

3. Create a provider

Admin → Providers → Create.

Create a new provider

Choose OAuth2/OpenID Provider.

Select OAuth2 provider

Configure:

  • Name: RomM OIDC Provider
  • Authorization flow: implicit consent
  • Redirect URIs: https://demo.romm.app/api/oauth/openid
  • Scopes: Under "Advanced protocol settings", move the property mapping you created above from "Available Scopes" to "Selected Scopes". Make sure no other selected mapping also emits email or email_verified. Authentik ships a default email scope mapping; if it is selected, remove it, otherwise its email_verified value can override the one from your mapping.

Copy the generated Client ID and Client Secret. You'll use them as OIDC_CLIENT_ID/OIDC_CLIENT_SECRET on the app side.

Provider settings

Click Create.

4. Register the application

Admin → Applications → Create.

Applications

  • Name: RomM
  • Slug: romm
  • Provider: the RomM OIDC Provider you just made

New application

Click Create.

5. Configure

environment:
    - OIDC_ENABLED=true
    - OIDC_PROVIDER=authentik
    - OIDC_CLIENT_ID=<from Authentik>
    - OIDC_CLIENT_SECRET=<from Authentik>
    - OIDC_REDIRECT_URI=https://demo.romm.app/api/oauth/openid
    - OIDC_SERVER_APPLICATION_URL=https://auth.example.com/application/o/romm
    - ROMM_BASE_URL=https://demo.romm.app

Note that OIDC_SERVER_APPLICATION_URL points at the per-application URL (/application/o/<slug>), not the Authentik root. Authentik serves the OIDC discovery document for the application under that URL, at /application/o/<slug>/.well-known/openid-configuration; opening it in a browser is a quick way to confirm the slug is right before testing the login.

For role mapping from Authentik groups, see OIDC Setup → Role mapping.
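The following is an added example for this page; it is not code from RomM or Authentik. It turns the two things the page says must be right (the RomM-side OIDC_* settings from step 5, and the email_verified claim from step 2) into an offline pre-flight check. The environment values and the sample ID token are constructed to match the example hostnames above; the assumption that Authentik's issuer (iss) equals the per-application URL, with or without a trailing slash, is mine and is marked in the code.

```python
"""Offline pre-flight check for a RomM <-> Authentik OIDC setup.

Added example for this page; it is not code from RomM or Authentik.
It checks the RomM-side environment variables (step 5) and the claims
Authentik puts in the ID token (step 2, the email_verified default
change in 2025.10). All inputs at the bottom are constructed.
"""
import base64
import json
from urllib.parse import urlparse


def discovery_url(server_application_url: str) -> str:
    """Authentik serves OIDC discovery under the per-application URL."""
    return server_application_url.rstrip("/") + "/.well-known/openid-configuration"


def check_env(env: dict) -> list:
    """Return human-readable problems with the RomM OIDC_* settings (empty = OK)."""
    problems = []
    if env.get("OIDC_ENABLED", "").lower() != "true":
        problems.append("OIDC_ENABLED is not true")
    for key in ("OIDC_CLIENT_ID", "OIDC_CLIENT_SECRET"):
        value = env.get(key, "")
        if not value or value.startswith("<"):
            problems.append(key + " is empty or still a placeholder")
    app_url = env.get("OIDC_SERVER_APPLICATION_URL", "")
    if not urlparse(app_url).path.startswith("/application/o/"):
        problems.append("OIDC_SERVER_APPLICATION_URL must be the per-application "
                        "URL /application/o/<slug>, not the Authentik root")
    base = env.get("ROMM_BASE_URL", "").rstrip("/")
    redirect = env.get("OIDC_REDIRECT_URI", "")
    if redirect != base + "/api/oauth/openid":
        problems.append("OIDC_REDIRECT_URI must be ROMM_BASE_URL + /api/oauth/openid "
                        "and match the provider's Redirect URIs exactly")
    if urlparse(redirect).scheme != "https":
        problems.append("OIDC_REDIRECT_URI should use https")
    return problems


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a JWT WITHOUT verifying its signature.
    Inspection only: never act on these claims until the signature has been
    checked against the provider's JWKS; here we only debug what was sent."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_id_token_claims(claims: dict, client_id: str, server_application_url: str) -> list:
    """Problems with ID-token claims that would make the RomM login fail."""
    problems = []
    # Assumption: Authentik's issuer is the per-application URL (trailing slash ignored).
    if claims.get("iss", "").rstrip("/") != server_application_url.rstrip("/"):
        problems.append("iss does not match OIDC_SERVER_APPLICATION_URL")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        problems.append("aud does not contain OIDC_CLIENT_ID")
    if not claims.get("email"):
        problems.append("no email claim: the scope mapping is not in Selected Scopes")
    if claims.get("email_verified") is not True:
        problems.append("email_verified is not true: Authentik 2025.10+ defaults it to "
                        "false unless the custom scope mapping overrides it")
    return problems


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED token (alg=none) so the checks run offline."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return seg({"alg": "none", "typ": "JWT"}) + "." + seg(claims) + "."


# Constructed sample matching the page's example hostnames.
SAMPLE_ENV = {
    "OIDC_ENABLED": "true",
    "OIDC_PROVIDER": "authentik",
    "OIDC_CLIENT_ID": "romm-client-id",
    "OIDC_CLIENT_SECRET": "romm-client-secret",
    "OIDC_REDIRECT_URI": "https://demo.romm.app/api/oauth/openid",
    "OIDC_SERVER_APPLICATION_URL": "https://auth.example.com/application/o/romm",
    "ROMM_BASE_URL": "https://demo.romm.app",
}
# Constructed claims as a 2025.10+ Authentik would issue WITHOUT the custom mapping.
BROKEN_TOKEN = make_unsigned_token({
    "iss": "https://auth.example.com/application/o/romm/",
    "aud": "romm-client-id", "sub": "abc", "email": "me@example.com",
    "email_verified": False,
})

if __name__ == "__main__":
    print(discovery_url(SAMPLE_ENV["OIDC_SERVER_APPLICATION_URL"]))
    print("env problems:", check_env(SAMPLE_ENV))
    claims = decode_jwt_payload(BROKEN_TOKEN)
    print("token problems:", check_id_token_claims(
        claims, SAMPLE_ENV["OIDC_CLIENT_ID"], SAMPLE_ENV["OIDC_SERVER_APPLICATION_URL"]))
```

Run it as-is and the sample token reports exactly one problem, the false email_verified claim; flip the claim to true (which is what the scope mapping in step 2 does) and the token passes. To inspect a real token, paste the id_token value into decode_jwt_payload, but treat the output as debugging information only, since the function deliberately does not verify the signature.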

6. Set your email

In Profile, set your RomM email to exactly the same address Authentik has for you. RomM links the OIDC identity to your local account by email address, so a different or differently-cased address means the login will not match your user.

Set email

7. Test

Restart RomM, navigate to /login and click the Login with OIDC button. You are redirected to Authentik, authenticate there, and are bounced back to RomM signed in.

Login with OIDC

If it doesn't work, head to Authentication Troubleshooting.