Skip to content

Authentik

This guide walks you through setting up Authentik as an OIDC provider for Grimmory. By the end, your users will be able to sign in to Grimmory with their Authentik account.

The setup has two parts: creating an OAuth2 application in Authentik, then entering the credentials in Grimmory. The whole process takes about 5 minutes.


Open your Authentik admin dashboard and click “Create a new application”. This launches the setup wizard.

Create Application

Fill in the application details:

Application Configuration
  • Name: Grimmory (this is what users see on the Authentik dashboard)
  • Slug: grimmory (used in URLs, keep it lowercase)

Click Next.

Choose Provider

Choose OAuth2/OpenID Provider and click Next.

Configure Provider
  • Name: Grimmory OAuth2
  • Authorization Flow: default-provider-authorization-implicit-consent (users won’t be prompted to approve access each time they log in)
  • Client Type: Public (Grimmory uses PKCE, so a client secret isn’t needed)

This tells Authentik where to send users after they authenticate. The redirect URI must match exactly or the login will fail.

Redirect URIs

Add the following (replace books.example.com with your actual Grimmory domain):

  • Strict: https://books.example.com/oauth2-callback
  • Regex: https://books.example.com/*

Set the Signing Key to authentik Self-signed Certificate.

Local development example:

Strict: http://localhost:4200/oauth2-callback
Regex: http://localhost:4200/*
OAuth Scopes

Add these scopes (all required):

ScopeWhy Grimmory needs it
openidRequired for OIDC. Provides the user’s unique subject identifier.
profileUsername and display name.
emailEmail address for notifications and email-to-device.
offline_accessAllows Grimmory to issue refresh tokens for extended sessions.

Click Save.

Control which Authentik users can access Grimmory. Users who aren’t bound to the application won’t see it in their dashboard and can’t authenticate.

Configure Bindings
  • Type: Select User to bind individual users, or Group to bind all members of a group
  • Select the users or groups who should have access
  • Click Save Binding

You need two values from Authentik to configure Grimmory: the Client ID and the Issuer URL.

Go to Applications > Providers and click on the provider you just created.

Provider List Provider Credentials

Copy these two values:

ValueWhere to find itExample
Client IDShown on the provider detail pagea1b2c3d4e5f6... (long alphanumeric string)
Issuer URLListed as “OpenID Configuration Issuer”https://auth.example.com/application/o/grimmory/

Keep these handy for the next step.


Navigate to Settings > OIDC in Grimmory.

Grimmory OIDC Settings

Fill in the provider configuration:

FieldValue
Provider NameAuthentik (shown on the login button)
Client IDPaste the Client ID from Authentik
Client SecretLeave empty (public client)
Issuer URIPaste the Issuer URL from Authentik (include the trailing slash)

The default claim mappings work with Authentik out of the box:

ClaimValue
Usernamepreferred_username
Emailemail
Display Namename
Groupsgroups

Click Test Connection to verify Grimmory can reach Authentik’s discovery endpoint. All checks should pass.

Click Save, then toggle OIDC Login to ON in the Login Methods section.

For sessions to stay in sync (so logging out of Authentik also logs the user out of Grimmory), configure back-channel logout in Authentik:

  1. In Grimmory’s OIDC settings, find the Provider Configuration Reference panel
  2. Copy the Back-Channel Logout URI
  3. In Authentik, go to your provider settings and paste it into the Backchannel Logout URL field

The fastest way to test without logging out of your admin account:

User Impersonation
  1. Go to Authentik > Directory > Users, select a user bound to Grimmory, and click Impersonate
  2. Navigate to your Grimmory instance. You should see the Authentik login/dashboard.
Authentik Login Page
  1. Click the Grimmory tile. You should be redirected and logged in automatically.
Grimmory Homepage
  1. Verify the username and email are correct, and that you can access your libraries.

Alternative: Open an incognito window, go to Grimmory, and click “Sign in with Authentik”.


Now that basic OIDC is working, you can configure additional features in Grimmory’s OIDC Settings:

  • User Provisioning: Automatically create Grimmory accounts when users sign in for the first time
  • Group Mapping: Map Authentik groups to Grimmory permissions and library access (Authentik includes groups in the groups claim by default, no extra configuration needed)
  • OIDC-Only Mode: Hide the local login form and redirect everyone to Authentik
  • Account Linking: Migrate existing local users to OIDC without losing their data

  • The Redirect URI in Authentik must match exactly. Copy it from Grimmory’s Provider Configuration Reference panel.
  • Check that all four scopes (openid, profile, email, offline_access) are assigned to the provider.
  • Verify the Client ID has no extra spaces.

Auto-provisioning is off by default. Either enable it in OIDC Settings, or create a Grimmory user with a username that exactly matches the Authentik preferred_username (case-sensitive).

  • Make sure the provider is set to Public client type.
  • Check that the Issuer URI ends with a trailing slash (Authentik requires it).

If you’re using group mapping, check that:

  • The group names in Authentik match the Group Claim values in your Grimmory mappings (case-sensitive)
  • Group Sync Mode is set to something other than Disabled
  • The Back-Channel Logout URI must be reachable from Authentik’s server. If both run on the same Docker network, use the internal hostname (e.g., http://grimmory:8080/api/v1/auth/oidc/backchannel-logout).
  • Not all Authentik versions support back-channel logout. Check your Authentik version.
  • Admin backdoor: /login?local=true
  • Nuclear option: set FORCE_DISABLE_OIDC=true as an environment variable and restart