From f40ac6d1adb9f0bfa2a582f436466008edc77410 Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Fri, 29 May 2026 09:08:20 +0100 Subject: [PATCH] =?UTF-8?q?sso-dep:=20resolve=20authentik=20question=20?= =?UTF-8?q?=E2=80=94=20default=20keycloak;=20authentik=20ONLY=20if=20a=20r?= =?UTF-8?q?ecipe=20requires=20it;=20Phase-2=20DONE=20not=20gated=20on=20it?= =?UTF-8?q?=20(operator=202026-05-29)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-Authored-By: Claude Opus 4.8 (1M context) --- cc-ci-plan/plan-sso-dep-testing.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/cc-ci-plan/plan-sso-dep-testing.md b/cc-ci-plan/plan-sso-dep-testing.md index 9e408b6..a216b0c 100644 --- a/cc-ci-plan/plan-sso-dep-testing.md +++ b/cc-ci-plan/plan-sso-dep-testing.md 
@@ -172,9 +172,14 @@ These are **loop work** under this plan, not deferred: ## 6. What stays deferred (genuinely operator-input) -- **authentik enrollment + `setup_authentik_realm` backend** (DEFERRED #9) — provider breadth, not - blocking any Phase-2 recipe under keycloak. Open question for the operator: do we want - cross-provider coverage as part of Phase-2 DONE? If yes, lift; if not, leave deferred. +- **authentik enrollment + `setup_authentik_realm` backend** (DEFERRED #9) — **RESOLVED (operator, + 2026-05-29): keycloak is our default SSO provider; default ALL recipe OIDC tests to keycloak.** Do + NOT test authentik↔keycloak integration, and do NOT enroll authentik just to "prove pluggability" + — **Phase-2 DONE is NOT gated on authentik.** Enroll authentik + add `setup_authentik_realm` ONLY + if/when a recipe genuinely **requires** authentik (won't work under keycloak). If a recipe works + with keycloak, use keycloak. So DEFERRED #9's re-entry trigger narrows to "a recipe requires + authentik" — the cross-provider-coverage trigger is dropped. (E.g. cryptpad: its upstream test + uses authentik, but test it under **keycloak** — equally valid.) - The `--extra-tests` flag IDEA is **not** a precondition for this plan; OIDC-dep tests are part of the default suite for the recipes that need them.
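Review bot: the re-entry trigger in the rewritten DEFERRED #9 bullet, "ONLY if/when a recipe genuinely **requires** authentik (won't work under keycloak)", names no criterion and no owner, so a later contributor cannot tell when it fires. Suggest stating what evidence counts (for example, the recipe's OIDC test fails under keycloak for a provider-specific reason) and where that finding is recorded. The bullet is also marked RESOLVED while still sitting under "## 6. What stays deferred (genuinely operator-input)"; either keep only the narrowed trigger in this section and record the operator decision separately, or reword the heading so it no longer implies pending operator input. In the cryptpad example, "equally valid" is asserted rather than shown: since the upstream test uses authentik, add a line noting that this recipe's CI runs against a different provider than upstream, so results under keycloak are read with that difference in mind.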