Skip to main content

Integrate with Paperless-ngx

Support level: Community

What is Paperless-ngx

Paperless-ngx is an application that indexes your scanned documents and allows you to easily search for documents and store metadata alongside your documents. It was a fork from Paperless-ng, in turn a fork from the original Paperless, neither of which are maintained any longer.

-- https://github.com/paperless-ngx/paperless-ngx

Preparation

The following placeholders are used in this guide:

  • paperless.company is the FQDN of the Paperless-ngx installation.
  • authentik.company is the FQDN of the authentik installation.
info

This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.

authentik configuration

To support the integration of Paperless-ngx with authentik, you need to create an application/provider pair in authentik.

Create an application and provider in authentik

  1. Log in to authentik as an administrator and open the authentik Admin interface.

  2. Navigate to Applications > Applications and click Create with Provider to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)

    • Application: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
    • Choose a Provider type: select OAuth2/OpenID Connect as the provider type.
    • Configure the Provider: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
      • Note the Client ID, Client Secret, and slug values because they will be required later.
      • Set a Strict redirect URI to https://paperless.company/accounts/oidc/authentik/login/callback/.
    • Configure Bindings (optional): you can create a binding (policy, group, or user) to manage the listing and access to applications on a user's My applications page.
    • Advanced protocol settings:
      • Selected Scopes: Add the following
        • authentik default OAuth Mapping: OpenID 'openid'
        • authentik default OAuth Mapping: OpenID 'email'
        • authentik default OAuth Mapping: OpenID 'profile'

  3. Click Submit to save the new application and provider.

Paperless-ngx Configuration

If you have Paperless-ngx setup in Docker, add the following environment variables to your Paperless-ngx compose file:

environment:
    PAPERLESS_APPS: allauth.socialaccount.providers.openid_connect
    PAPERLESS_SOCIALACCOUNT_PROVIDERS: >
        {
          "openid_connect": {
            "OAUTH_PKCE_ENABLED": true,
            "APPS": [
              {
                "provider_id": "authentik",
                "name": "authentik",
                "client_id": "<client_id>",
                "secret": "<client_secret>",
                "settings": {
                  "server_url": "https://authentik.company/application/o/<application_slug>/.well-known/openid-configuration",
                  "fetch_userinfo": true
                }
              }
            ],
            "SCOPE": ["openid", "profile", "email"]
          }
        }
    PAPERLESS_LOGOUT_REDIRECT_URL: "https://authentik.company/application/o/<application_slug>/end-session/"
    PAPERLESS_SOCIAL_AUTO_SIGNUP: true
    PAPERLESS_SOCIALACCOUNT_ALLOW_SIGNUPS: true

Alternatively, add the variables directly to your environment file:

PAPERLESS_APPS=allauth.socialaccount.providers.openid_connect
PAPERLESS_SOCIALACCOUNT_PROVIDERS={"openid_connect": {"OAUTH_PKCE_ENABLED": true, "APPS": [{"provider_id": "authentik", "name": "authentik", "client_id": "<client_id>", "secret": "<client_secret>", "settings": {"server_url": "https://authentik.company/application/o/<application_slug>/.well-known/openid-configuration", "fetch_userinfo": true}}], "SCOPE": ["openid", "profile", "email"]}}
PAPERLESS_LOGOUT_REDIRECT_URL=https://authentik.company/application/o/<application_slug>/end-session/
PAPERLESS_SOCIAL_AUTO_SIGNUP=true
PAPERLESS_SOCIALACCOUNT_ALLOW_SIGNUPS=true

Remove PAPERLESS_SOCIAL_AUTO_SIGNUP if you want to allow only pre-created Paperless-ngx users.

To add authentik authentication to an existing Paperless-ngx user, the user can log in to Paperless-ngx with local authentication, click the profile icon in the top-right, click My Profile, then Connect new social account.

To sync groups from your IdP, enable PAPERLESS_SOCIAL_ACCOUNT_SYNC_GROUPS and include groups in the provider SCOPE. Paperless expects a groups claim, so map your IdP's group claim to groups if it uses a different name.

If you want to disable local logins after validating SSO, set PAPERLESS_DISABLE_REGULAR_LOGIN and optionally PAPERLESS_REDIRECT_LOGIN_TO_SSO to true.

Now restart your container: docker compose down && docker compose up -d

Configuration verification

To confirm that authentik is properly configured with Paperless-ngx, log out and click the authentik button. You will be redirected to authentik and once authenticated, you will be signed in to Paperless-ngx.