All authentication flows go through Keycloak (auth.remico.eu, realm remico). There are three distinct patterns depending on the service.
Access model: any user in realm remico gets full admin access everywhere. Keycloak groups are not used.
| Client ID | Used by | Callback URL |
|---|---|---|
| remico-web | oauth2-proxy | https://auth.remico.eu/oauth2/callback |
| wikijs | Wiki.js | https://wiki.remico.eu/login/keycloak/callback |
| gitea | Gitea | https://gitea.remico.eu/user/oauth2/Keycloak/callback |
Admin Console: https://auth.remico.eu/admin
Services: work.remico.eu (Dashy), grafana, prometheus, traefik dashboard.
Wiki.js and Gitea intentionally do not use this path — adding Traefik oauth-auth middleware to them causes redirect loops.
Key details:
- Traefik middlewares: oauth-errors, oauth-auth
- Cookie domain: .remico.eu (shared across subdomains)
- oauth2-proxy passes the X-Auth-Request-User and X-Auth-Request-Email headers to the upstream (used by Grafana)
- Logout: https://auth.remico.eu/oauth2/sign_out?rd=https://work.remico.eu/logged-out — oauth2-proxy sends id_token_hint to Keycloak, so the SSO session is properly terminated

Service: wiki.remico.eu
Key details:
- No Traefik oauth-auth middleware (causes redirect loops)
- authAutoLogin: true
- Admin access: userGroups table (see Operations Commands)
- Logout: Keycloak end_session_endpoint

Service: gitea.remico.eu
Key details:
- Scopes: openid, email, profile (email required for user creation)
- ENABLE_INTERNAL_AUTHENTICATION=false — password login disabled
- DISABLE_REGISTRATION=false, but only OAuth can create accounts
- Keycloak: KC_SPI_LOGIN_PROTOCOL_OPENID_CONNECT_SUPPRESS_LOGOUT_CONFIRMATION_SCREEN=true, because Gitea does not send id_token_hint
- Keycloak client gitea: https://gitea.remico.eu/, /user/login, /*

Service: analytics.remico.eu
Key details:
- umami-sso bridges the Keycloak session to an Umami JWT.
- Traefik: the umami-sso router (priority 110) catches /login; the dashboard router uses oauth-auth.
- Public tracking endpoints (/script.js, /api/send) are routed without SSO (priority 100).
- Umami's built-in login is disabled (DISABLE_LOGIN=1); the admin password in .env is for the bridge only.
- umami lives on the shared postgres container (not a separate DB container).

| URL | Purpose |
|---|---|
| https://remico.eu | Static website |
| https://www.remico.eu | Static website (alias) |
| https://api.remico.eu/health | Health check JSON |
| https://analytics.remico.eu/script.js | Umami tracker script |
| https://analytics.remico.eu/api/send | Umami metrics collection |
| https://work.remico.eu/logged-out | Post-logout landing page |
| https://auth.remico.eu | Keycloak login UI (unauthenticated access to login pages) |
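The Traefik forward-auth wiring and the analytics.remico.eu router priorities described above, as an added example (not the platform's actual configuration file): the middleware names, header names and priorities come from this page; the container names and ports (oauth2-proxy:4180, umami:3000, umami-sso:8080) and the assumption that the umami-sso router also sits behind oauth-auth are placeholders.

```yaml
# Traefik dynamic (file-provider) configuration. Constructed example:
# service hostnames/ports are assumed, not the platform's real values.
http:
  middlewares:
    oauth-auth:
      forwardAuth:
        # oauth2-proxy answers 202 for a valid session cookie, 401 otherwise
        address: http://oauth2-proxy:4180/oauth2/auth
        trustForwardHeader: true
        # copied from oauth2-proxy's response onto the upstream request
        authResponseHeaders:
          - X-Auth-Request-User
          - X-Auth-Request-Email
    oauth-errors:
      errors:
        # turn the 401 from oauth-auth into a redirect to the login flow
        status: ["401-403"]
        service: oauth2-proxy
        query: "/oauth2/sign_in?rd={url}"

  routers:
    # priority 110: the Keycloak -> Umami JWT bridge owns /login
    # (assumed to need the X-Auth-Request-* headers, hence oauth-auth)
    umami-sso:
      rule: "Host(`analytics.remico.eu`) && Path(`/login`)"
      priority: 110
      middlewares: [oauth-errors, oauth-auth]
      service: umami-sso
    # priority 100: tracker script and collection endpoint stay public
    umami-public:
      rule: "Host(`analytics.remico.eu`) && (Path(`/script.js`) || Path(`/api/send`))"
      priority: 100
      service: umami
    # default priority = rule length (27 here), so both routers above win
    umami-dashboard:
      rule: "Host(`analytics.remico.eu`)"
      middlewares: [oauth-errors, oauth-auth]
      service: umami

  services:
    oauth2-proxy:
      loadBalancer:
        servers: [{ url: "http://oauth2-proxy:4180" }]
    umami:
      loadBalancer:
        servers: [{ url: "http://umami:3000" }]
    umami-sso:
      loadBalancer:
        servers: [{ url: "http://umami-sso:8080" }]
```

Adding oauth-auth to a wiki.remico.eu or gitea.remico.eu router would reproduce the redirect loop listed under Symptoms, since those services run their own Keycloak login.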
| Symptom | Likely cause |
|---|---|
| Redirect loop | Traefik oauth-auth on Wiki or Gitea — remove middleware |
| Gitea callback → login page | Wrong OAuth client secret, missing email scope, or DISABLE_REGISTRATION blocking OAuth signup |
| Gitea logout → instant re-login | Keycloak SSO session still active; check SUPPRESS_LOGOUT_CONFIRMATION_SCREEN |
| oauth2-proxy 401 after login | remico-web client secret mismatch with compose env |
| Wiki user has no admin access | Missing row in userGroups for Administrators (groupId=1) |
| Umami shows login / 403 on dashboard | umami-sso not running, or UMAMI_ADMIN_PASS mismatch with Umami admin user |
| Umami tracking not recording | WEBSITE_ID empty in /opt/platform/web/html/js/analytics.js |
See Operations Commands for diagnostic commands.