docs: replace Authentik with Logto, document OIDC resource server

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

HOWTO.md

@@ -138,7 +138,7 @@ curl -s -X PUT http://localhost:8081/api/v1/admin/oidc \
   -H "Authorization: Bearer $TOKEN" \
   -d '{
     "enabled": true,
-    "issuerUri": "http://authentik:9000/application/o/cameleer/",
+    "issuerUri": "http://logto:3001/oidc",
     "clientId": "your-client-id",
     "clientSecret": "your-client-secret",
     "rolesClaim": "realm_access.roles",
@@ -156,27 +156,34 @@ curl -s -X DELETE http://localhost:8081/api/v1/admin/oidc \
 
 **Initial provisioning**: OIDC can also be seeded from `CAMELEER_OIDC_*` env vars on first startup (when DB is empty). After that, the admin API takes over.
 
-### Authentik Setup (OIDC Provider)
+### Logto Setup (OIDC Provider)
 
-Authentik is deployed alongside the Cameleer stack. After first deployment:
+Logto is deployed alongside the Cameleer stack. After first deployment:
 
-1. **Initial setup**: Open `http://192.168.50.86:30950/if/flow/initial-setup/` and create the admin account
-2. **Create provider**: Admin Interface → Providers → Create → OAuth2/OpenID Provider
-   - Name: `Cameleer`
-   - Authorization flow: `default-provider-authorization-explicit-consent`
-   - Client type: `Confidential`
-   - Redirect URIs: `http://192.168.50.86:30090/callback` (or your UI URL)
+1. **Initial setup**: Open `http://192.168.50.86:30952` (admin console) and create the admin account
+2. **Create SPA application**: Applications → Create → Single Page App
+   - Name: `Cameleer UI`
+   - Redirect URI: `http://192.168.50.86:30090/oidc/callback` (or your UI URL)
+   - Note the **Client ID**
+3. **Create API Resource**: API Resources → Create
+   - Name: `Cameleer Server API`
+   - Indicator: `https://cameleer.siegeln.net/api` (or your API URL)
+   - Add permissions: `admin`, `operator`, `viewer`
+4. **Create M2M application** (for SaaS platform): Applications → Create → Machine-to-Machine
+   - Name: `Cameleer SaaS`
+   - Assign the API Resource created above with `admin` scope
    - Note the **Client ID** and **Client Secret**
-3. **Create application**: Admin Interface → Applications → Create
-   - Name: `Cameleer`
-   - Provider: select `Cameleer` (created above)
-4. **Configure roles** (optional): Create groups in Authentik and map them to Cameleer roles via the `roles-claim` config. Default claim path is `realm_access.roles`. For Authentik, you may need to customize the OIDC scope to include group claims.
 5. **Configure Cameleer**: Use the admin API (`PUT /api/v1/admin/oidc`) or set env vars for initial seeding:
    ```
    CAMELEER_OIDC_ENABLED=true
-   CAMELEER_OIDC_ISSUER=http://authentik:9000/application/o/cameleer/
+   CAMELEER_OIDC_ISSUER=http://logto:3001/oidc
    CAMELEER_OIDC_CLIENT_ID=<client-id-from-step-2>
-   CAMELEER_OIDC_CLIENT_SECRET=<client-secret-from-step-2>
+   CAMELEER_OIDC_CLIENT_SECRET=<not-needed-for-public-spa>
+   ```
+6. **Configure resource server** (for M2M token validation):
+   ```
+   CAMELEER_OIDC_ISSUER_URI=http://logto:3001/oidc
+   CAMELEER_OIDC_AUDIENCE=https://cameleer.siegeln.net/api
    ```
 
 ### User Management (ADMIN only)
@@ -445,10 +452,8 @@ cameleer namespace:
   cameleer3-server (Deployment)            ← NodePort 30081
   cameleer3-ui (Deployment, Nginx)         ← NodePort 30090
   cameleer-deploy-demo (Deployment)        ← NodePort 30092
-  Authentik Server (Deployment)            ← NodePort 30950
-  Authentik Worker (Deployment)
-  Authentik PostgreSQL (StatefulSet, 1Gi)  ← ClusterIP
-  Authentik Redis (Deployment)             ← ClusterIP
+  Logto Server (Deployment)               ← NodePort 30951/30952
+  Logto PostgreSQL (StatefulSet, 1Gi)     ← ClusterIP
 
 cameleer-demo namespace:
   (deployed Camel applications — managed by cameleer-deploy-demo)
@@ -462,13 +467,14 @@ cameleer-demo namespace:
 | Server API | `http://192.168.50.86:30081/api/v1/health` |
 | Swagger UI | `http://192.168.50.86:30081/api/v1/swagger-ui.html` |
 | Deploy Demo | `http://192.168.50.86:30092` |
-| Authentik | `http://192.168.50.86:30950` |
+| Logto API | `http://192.168.50.86:30951` |
+| Logto Admin | `http://192.168.50.86:30952` |
 
 ### CI/CD Pipeline
 
 Push to `main` triggers: **build** (UI npm + Maven, unit tests) → **docker** (buildx amd64 for server + UI, push to Gitea registry) → **deploy** (kubectl apply + rolling update).
 
-Required Gitea org secrets: `REGISTRY_TOKEN`, `KUBECONFIG_BASE64`, `CAMELEER_AUTH_TOKEN`, `CAMELEER_JWT_SECRET`, `POSTGRES_USER`, `POSTGRES_PASSWORD`, `POSTGRES_DB`, `CLICKHOUSE_USER`, `CLICKHOUSE_PASSWORD`, `CAMELEER_UI_USER` (optional), `CAMELEER_UI_PASSWORD` (optional), `AUTHENTIK_PG_USER`, `AUTHENTIK_PG_PASSWORD`, `AUTHENTIK_SECRET_KEY`, `CAMELEER_OIDC_ENABLED`, `CAMELEER_OIDC_ISSUER`, `CAMELEER_OIDC_CLIENT_ID`, `CAMELEER_OIDC_CLIENT_SECRET`.
+Required Gitea org secrets: `REGISTRY_TOKEN`, `KUBECONFIG_BASE64`, `CAMELEER_AUTH_TOKEN`, `CAMELEER_JWT_SECRET`, `POSTGRES_USER`, `POSTGRES_PASSWORD`, `POSTGRES_DB`, `CLICKHOUSE_USER`, `CLICKHOUSE_PASSWORD`, `CAMELEER_UI_USER` (optional), `CAMELEER_UI_PASSWORD` (optional), `LOGTO_PG_USER`, `LOGTO_PG_PASSWORD`, `LOGTO_ENDPOINT`, `LOGTO_ADMIN_ENDPOINT`, `CAMELEER_OIDC_ENABLED`, `CAMELEER_OIDC_ISSUER`, `CAMELEER_OIDC_CLIENT_ID`, `CAMELEER_OIDC_CLIENT_SECRET`, `CAMELEER_OIDC_ISSUER_URI` (optional), `CAMELEER_OIDC_AUDIENCE` (optional).
 
 ### Manual K8s Commands