AUTHENTIK_SETUP.md

# Authentik OAuth Configuration for Alfred Mobile

## Issue
OAuth login fails with "Authorization failed: Unknown error" because the mobile redirect URI is not configured in Authentik.

## Solution

### Step 1: Access Authentik Admin
1. Go to https://auth.dnspegasus.net/if/admin/
2. Log in with admin credentials

### Step 2: Update OAuth Provider
1. Navigate to **Applications** → **Providers**
2. Find the provider with Client ID: `QeSNaZPqZUz5pPClZMA2bakSsddkStiEhqbE4QZR`
3. Click to edit

### Step 3: Add Mobile Redirect URI
In the **Redirect URIs** field, add:
```
alfredmobile://oauth/callback
```

**Important:** Keep the existing redirect URIs! You should have:
- `https://alfred.dnspegasus.net/oauth/callback` (web Control UI)
- `https://alfred-app.dnspegasus.net/oauth/callback` (proxy)
- `alfredmobile://oauth/callback` (mobile app) ← **ADD THIS**

### Step 4: Verify Configuration

After saving, the provider should have:
- **Client ID:** `QeSNaZPqZUz5pPClZMA2bakSsddkStiEhqbE4QZR`
- **Client type:** Confidential (or Public if using PKCE)
- **Redirect URIs:** All three URIs listed above
- **Scopes:** `openid profile email`

### Step 5: Test
1. Open Alfred Mobile on tablet
2. Tap "Sign In with Authentik"
3. Log in with Authentik credentials
4. Browser should redirect back to the app
5. App should show "Login successful!" toast and "Logged In!" screen

## Troubleshooting

### Still getting "Unknown error"?
- Check browser address bar when redirecting - does it show `alfredmobile://...`?
- Verify redirect URI matches exactly (no trailing slash, correct scheme)
- Check Authentik logs for rejected redirect attempts

### Browser doesn't redirect back?
- Android may ask "Open with Alfred?" - tap Yes
- If app doesn't open, check AndroidManifest.xml has the intent-filter

### "Invalid redirect URI" error?
- The redirect URI in Authentik doesn't match
- Make sure it's exactly: `alfredmobile://oauth/callback` (lowercase, no spaces)

## Alternative: Create Separate Mobile Provider (Optional)

If you want separate OAuth clients for web vs mobile:

1. Create a new OAuth2/OpenID Provider
2. Name it "Alfred Mobile"
3. Set Client ID to a new value (or keep the same)
4. Set Redirect URI to `alfredmobile://oauth/callback` only
5. Update `secrets.properties` with the new Client ID
6. Rebuild the app

This keeps mobile and web OAuth flows isolated.

---

**Current Config (shared provider):**
- Client ID: `QeSNaZPqZUz5pPClZMA2bakSsddkStiEhqbE4QZR`
- Used by: Web Control UI, OAuth proxy, Mobile app
- Redirect URIs: All three endpoints
Initial commit: Alfred Mobile - AI Assistant Android App - OAuth authentication via Authentik - WebSocket connection to OpenClaw gateway - Configurable gateway URL with first-run setup - User preferences sync across devices - Multi-user support with custom assistant names - ElevenLabs TTS integration (local + remote) - FCM push notifications for alarms - Voice input via Google Speech API - No hardcoded secrets or internal IPs in tracked files 2026-02-09 11:12:51 -08:00			`# Authentik OAuth Configuration for Alfred Mobile`

			`## Issue`
			`OAuth login fails with "Authorization failed: Unknown error" because the mobile redirect URI is not configured in Authentik.`

			`## Solution`

			`### Step 1: Access Authentik Admin`
			`1. Go to https://auth.dnspegasus.net/if/admin/`
			`2. Log in with admin credentials`

			`### Step 2: Update OAuth Provider`
			`1. Navigate to Applications → Providers`
			2. Find the provider with Client ID: `QeSNaZPqZUz5pPClZMA2bakSsddkStiEhqbE4QZR`
			`3. Click to edit`

			`### Step 3: Add Mobile Redirect URI`
			`In the Redirect URIs field, add:`
			```
			`alfredmobile://oauth/callback`
			```

			`Important: Keep the existing redirect URIs! You should have:`
			- `https://alfred.dnspegasus.net/oauth/callback` (web Control UI)
			- `https://alfred-app.dnspegasus.net/oauth/callback` (proxy)
			- `alfredmobile://oauth/callback` (mobile app) ← ADD THIS

			`### Step 4: Verify Configuration`

			`After saving, the provider should have:`
			- Client ID: `QeSNaZPqZUz5pPClZMA2bakSsddkStiEhqbE4QZR`
			`- Client type: Confidential (or Public if using PKCE)`
			`- Redirect URIs: All three URIs listed above`
			- Scopes: `openid profile email`

			`### Step 5: Test`
			`1. Open Alfred Mobile on tablet`
			`2. Tap "Sign In with Authentik"`
			`3. Log in with Authentik credentials`
			`4. Browser should redirect back to the app`
			`5. App should show "Login successful!" toast and "Logged In!" screen`

			`## Troubleshooting`

			`### Still getting "Unknown error"?`
			- Check browser address bar when redirecting - does it show `alfredmobile://...`?
			`- Verify redirect URI matches exactly (no trailing slash, correct scheme)`
			`- Check Authentik logs for rejected redirect attempts`

			`### Browser doesn't redirect back?`
			`- Android may ask "Open with Alfred?" - tap Yes`
			`- If app doesn't open, check AndroidManifest.xml has the intent-filter`

			`### "Invalid redirect URI" error?`
			`- The redirect URI in Authentik doesn't match`
			- Make sure it's exactly: `alfredmobile://oauth/callback` (lowercase, no spaces)

			`## Alternative: Create Separate Mobile Provider (Optional)`

			`If you want separate OAuth clients for web vs mobile:`

			`1. Create a new OAuth2/OpenID Provider`
			`2. Name it "Alfred Mobile"`
			`3. Set Client ID to a new value (or keep the same)`
			4. Set Redirect URI to `alfredmobile://oauth/callback` only
			5. Update `secrets.properties` with the new Client ID
			`6. Rebuild the app`

			`This keeps mobile and web OAuth flows isolated.`

			`---`

			`Current Config (shared provider):`
			- Client ID: `QeSNaZPqZUz5pPClZMA2bakSsddkStiEhqbE4QZR`
			`- Used by: Web Control UI, OAuth proxy, Mobile app`
			`- Redirect URIs: All three endpoints`