From 70c30ef589e6f49093de0b62f0cdf4f1b49b4f0b Mon Sep 17 00:00:00 2001 From: Huskydog9988 <39809509+Huskydog9988@users.noreply.github.com> Date: Tue, 10 Feb 2026 21:47:43 -0500 Subject: [PATCH] basic OIDC guide --- docs/astro.config.mjs | 1 + .../content/docs/admin/authentication/oidc.md | 2 +- .../docs/admin/guides/setting-up-oidc.mdx | 38 +++++++++++++++++++ 3 files changed, 40 insertions(+), 1 deletion(-) create mode 100644 docs/src/content/docs/admin/guides/setting-up-oidc.mdx diff --git a/docs/astro.config.mjs b/docs/astro.config.mjs index 3d3727e4..6b590cc7 100644 --- a/docs/astro.config.mjs +++ b/docs/astro.config.mjs @@ -59,6 +59,7 @@ export default defineConfig({ { slug: "admin/guides/creating-library" }, { slug: "admin/guides/import-game" }, { slug: "admin/guides/import-version" }, + { slug: "admin/guides/setting-up-oidc" }, ], }, { diff --git a/docs/src/content/docs/admin/authentication/oidc.md b/docs/src/content/docs/admin/authentication/oidc.md index d34e725c..c7c9684c 100644 --- a/docs/src/content/docs/admin/authentication/oidc.md +++ b/docs/src/content/docs/admin/authentication/oidc.md @@ -27,7 +27,7 @@ And then, you must configure **either**: A unprotected endpoint that returns a OIDC well-known JSON. Fetched on startup. -For example if you used authentik, your OIDC well-known endpoint would be: `https://authentik.company/application/o//.well-known/openid-configuration`. +For example if you used authentik, your OIDC well-known endpoint would be: `https://authentik.tld/application/o//.well-known/openid-configuration`. --- diff --git a/docs/src/content/docs/admin/guides/setting-up-oidc.mdx b/docs/src/content/docs/admin/guides/setting-up-oidc.mdx new file mode 100644 index 00000000..f0f2b24f --- /dev/null +++ b/docs/src/content/docs/admin/guides/setting-up-oidc.mdx 
@@ -0,0 +1,38 @@
+---
+title: Setting up OIDC
+---
+
+## Authentik
+
+For this guide, `drop.tld` is used as a placeholder for your Drop instance's domain. Make sure to replace it with your actual domain.
+
+### In Authentik
+
+1. Go to the admin dashboard
+1. In the applications section, click Create with Provider
+ Set any name and slug you want
+1. Select OpenID Connect as the provider type
+1. Configure the provider
+ - Copy the client ID, and secret, you'll need them for Drop
+ - Set the redirect as `Strict` and the URL to `https://drop.tld/api/v1/auth/odic/callback`
+ - Set the logout URL to `https://drop.tld/api/v1/auth/odic/logout`
+ - Make sure to set the logout URL as a `back-channel` logout in the dropdown
+1. Configure everything else as you see fit
+
+### For Drop
+
+:::note
+Make sure to replace the client ID, secret, and well-known url with your actual values. You can find the well-known URL in the provider's configuration page in Authentik.
+:::
+
+For drop, the docker compose configuration would look like this:
+
+```yaml
+services:
+ drop:
+ environment:
+ - OIDC_CLIENT_ID=authentik-client-id
+ - OIDC_CLIENT_SECRET=authentik-client-secret
+ - OIDC_ADMIN_GROUP=admin-group-name
+ - OIDC_WELLKNOWN=https://authentik.tld/application/o//.well-known/openid-configuration
+```