homelab-design/diagrams/authentik-sso.mmd
```plaintext
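%% Authentik SSO Strategy (ADR-0028)
%% Flowchart showing authentication flow stages
%%
%% Two integration patterns are drawn:
%%   - OIDC apps redirect the browser to the Authentik server, run the
%%     authentication flow, and receive a JWT from the OIDC provider.
%%   - Proxy apps are not shown with any login of their own: the outpost
%%     answers the forward-auth request and the proxy provider feeds the
%%     outpost. That only protects them if the gateway is their sole ingress
%%     path — TODO(review): confirm no Service/route bypasses the gateway.
flowchart TB
    subgraph user["👤 User"]
        browser["Browser"]
    end
    subgraph ingress["🌐 Ingress"]
        %% Node id renamed from `traefik` so it agrees with the label.
        gateway["Envoy Gateway"]
    end
    subgraph apps["📦 Applications"]
        direction LR
        oidc_app["OIDC Apps<br/>Gitea, Grafana,<br/>ArgoCD, Affine"]
        proxy_app["Proxy Apps<br/>MLflow, Kubeflow"]
    end
    subgraph authentik["🔐 Authentik"]
        direction TB
        subgraph components["Components"]
            server["Server<br/>(API)"]
            worker["Worker<br/>(Tasks)"]
            outpost["Outpost<br/>(Proxy Auth)"]
        end
        %% Stage order is the order the edges below draw them (f1 .. f5).
        subgraph flow["Authentication Flow"]
            direction LR
            f1["1⃣ Login<br/>Stage"]
            f2["2⃣ Username<br/>Identification"]
            f3["3⃣ Password<br/>Validation"]
            f4["4⃣ MFA<br/>Challenge"]
            f5["5⃣ Session<br/>Created"]
        end
        subgraph providers["Providers"]
            oidc_prov["OIDC Provider"]
            proxy_prov["Proxy Provider"]
        end
    end
    subgraph storage["💾 Storage"]
        redis["Redis<br/>(Cache)"]
        postgres["PostgreSQL<br/>(CNPG)"]
    end

    %% User flow
    browser --> gateway
    gateway --> apps

    %% OIDC flow
    oidc_app -->|"Redirect to auth"| server
    server --> flow
    f1 --> f2 --> f3 --> f4 --> f5
    flow --> oidc_prov
    oidc_prov -->|"JWT token"| oidc_app

    %% Proxy flow
    %% `server --> flow` is already drawn in the OIDC section; repeating it
    %% here rendered a duplicate edge, so it is stated once.
    proxy_app -->|"Forward auth"| outpost
    outpost --> server
    proxy_prov --> outpost

    %% Storage
    server --> redis
    server --> postgres

    %% Styling
    classDef user fill:#3498db,color:white
    classDef ingress fill:#f39c12,color:black
    classDef app fill:#27ae60,color:white
    classDef authentik fill:#9b59b6,color:white
    classDef storage fill:#e74c3c,color:white
    classDef flow fill:#1abc9c,color:white
    class browser user
    class gateway ingress
    class oidc_app,proxy_app app
    class server,worker,outpost,oidc_prov,proxy_prov authentik
    class redis,postgres storage
    class f1,f2,f3,f4,f5 flow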
```