- Update architecture-decisions.md: Change decision to OAuth/OIDC primary, forward auth fallback
- Add comprehensive OAuth/OIDC and forward auth flow diagrams
- Add decision matrix comparing both authentication methods
- Include real examples: Nextcloud/Gitea OAuth configs, whoami forward auth
- Update rationale to emphasize OAuth/OIDC security and standards benefits
- Update authentication-architecture.md: Align with new OAuth-first approach
- Add 'Choosing the Right Pattern' section with clear decision guidance
- Swap pattern order: OAuth/OIDC (Pattern 1), Forward Auth (Pattern 2)
- Update Example 1: Change Gitea from forward auth to OAuth/OIDC integration
- Add emphasis on primary vs fallback methods throughout
- Update authentik-deployment-guide.md: Reflect OAuth/OIDC preference
- Update overview to mention OAuth2/OIDC provider and forward auth fallback
- Add decision guidance to service integration examples
- Reorder examples: Nextcloud OAuth (primary), forward auth (fallback)
- Clarify forward auth should only be used for services without OAuth support
This update ensures all authentication documentation consistently reflects the
agreed architectural decision: use OAuth/OIDC when services support it
(Nextcloud, Gitea, modern apps), and only use forward auth as a fallback for
legacy applications, static sites, or simple tools without OAuth capabilities.
Joakim
e8b76c6a72