```plaintext
%% Authentik SSO Strategy (ADR-0028)
%% Flowchart showing authentication flow stages
flowchart TB
subgraph user["👤 User"]
browser["Browser"]
end
subgraph ingress["🌐 Ingress"]
traefik["Envoy Gateway"]
end
subgraph apps["📦 Applications"]
direction LR
oidc_app["OIDC Apps
Gitea, Grafana,
ArgoCD, Affine"]
proxy_app["Proxy Apps
MLflow, Kubeflow"]
end
subgraph authentik["🔐 Authentik"]
direction TB
subgraph components["Components"]
server["Server
(API)"]
worker["Worker
(Tasks)"]
outpost["Outpost
(Proxy Auth)"]
end
subgraph flow["Authentication Flow"]
direction LR
f1["1️⃣ Login
Stage"]
f2["2️⃣ Username
Identification"]
f3["3️⃣ Password
Validation"]
f4["4️⃣ MFA
Challenge"]
f5["5️⃣ Session
Created"]
end
subgraph providers["Providers"]
oidc_prov["OIDC Provider"]
proxy_prov["Proxy Provider"]
end
end
subgraph storage["💾 Storage"]
redis["Redis
(Cache)"]
postgres["PostgreSQL
(CNPG)"]
end
%% User flow
browser --> traefik
traefik --> apps
%% OIDC flow
oidc_app -->|"Redirect to auth"| server
server --> flow
f1 --> f2 --> f3 --> f4 --> f5
flow --> oidc_prov
oidc_prov -->|"JWT token"| oidc_app
%% Proxy flow
proxy_app -->|"Forward auth"| outpost
outpost --> server
server --> flow
proxy_prov --> outpost
%% Storage
server --> redis
server --> postgres
classDef user fill:#3498db,color:white
classDef ingress fill:#f39c12,color:black
classDef app fill:#27ae60,color:white
classDef authentik fill:#9b59b6,color:white
classDef storage fill:#e74c3c,color:white
classDef flow fill:#1abc9c,color:white
class browser user
class traefik ingress
class oidc_app,proxy_app app
class server,worker,outpost,oidc_prov,proxy_prov authentik
class redis,postgres storage
class f1,f2,f3,f4,f5 flow
```