wip: rename to authentik (#361)

* root: initial rename

* web: rename custom element prefix

* root: rename external functions with pb_ prefix

* root: fix formatting

* root: replace domain with goauthentik.io

* proxy: update path

* root: rename remaining prefixes

* flows: rename file extension

* root: pbadmin -> akadmin

* docs: fix image filenames

* lifecycle: ignore migration files

* ci: copy default config from current source before loading last tagged

* *: new sentry dsn

* tests: fix missing python3.9-dev package

* root: add additional migrations for service accounts created by outposts

* core: mark system-created service accounts with attribute

* policies/expression: fix pb_ replacement not working

* web: fix last linting errors, add lit-analyse

* policies/expressions: fix lint errors

* web: fix sidebar display on screens where not all items fit

* proxy: attempt to fix proxy pipeline

* proxy: use go env GOPATH to get gopath

* lib: fix user_default naming inconsistency

* docs: add upgrade docs

* docs: update screenshots to use authentik

* admin: fix create button on empty-state of outpost

* web: fix modal submit not refreshing SiteShell and Table

* web: fix height of app-card and height of generic icon

* web: fix rendering of subtext

* admin: fix version check error not being caught

* web: fix worker count not being shown

* docs: update screenshots

* root: new icon

* web: fix lint error

* admin: fix linting error

* root: migrate coverage config to pyproject
This commit is contained in:
Jens L
2020-12-05 22:08:42 +01:00
committed by GitHub
parent 810a7ab50b
commit 1cfe1aff13
989 changed files with 6425 additions and 4412 deletions

View File

@ -4,7 +4,7 @@ title: Setting up a local dev environment
## Backend
To create a local development setup for passbook, you need the following:
To create a local development setup for authentik, you need the following:
- Python 3.9
- pipenv, which is used to manage dependencies, and can be installed with `pip install pipenv`
@ -13,7 +13,7 @@ To create a local development setup for passbook, you need the following:
For PostgreSQL and Redis, you can use the docker-compose file in `scripts/`. You can also use a native install, if you prefer.
To configure passbook to use the local databases, create a file in the passbook directory called `local.env.yml`, with the following contents
To configure authentik to use the local databases, create a file in the authentik directory called `local.env.yml`, with the following contents
```yaml
debug: true
@ -23,7 +23,7 @@ postgresql:
log_level: debug
```
Afterwards, you can start passbook by running `./manage.py runserver`. Generally speaking, passbook is a Django application.
Afterwards, you can start authentik by running `./manage.py runserver`. Generally speaking, authentik is a Django application.
Most functions and classes have type-hints and docstrings, so it is recommended to install a Python Type-checking Extension in your IDE to navigate around the code.

View File

@ -4,7 +4,7 @@ title: Expressions
Expressions allow you to write custom logic using Python code.
Expressions are used in different places throughout passbook, and can do different things.
Expressions are used in different places throughout authentik, and can do different things.
:::info
These functions/objects are available wherever expressions are used. For more specific information, see [Expression Policies](../policies/expression.md) and [Property Mappings](../property-mappings/expression.md)
@ -12,7 +12,7 @@ These functions/objects are available wherever expressions are used. For more sp
## Global objects
- `pb_logger`: structlog BoundLogger. ([ref](https://www.structlog.org/en/stable/api.html#structlog.BoundLogger))
- `ak_logger`: structlog BoundLogger. ([ref](https://www.structlog.org/en/stable/api.html#structlog.BoundLogger))
- `requests`: requests Session object. ([ref](https://requests.readthedocs.io/en/master/user/advanced/))
## Generally available functions
@ -37,24 +37,24 @@ Example:
user_email_local = regex_replace(request.user.email, '(.+)@.+', '')
```
### `pb_is_group_member(user: User, **group_filters) -> bool`
### `ak_is_group_member(user: User, **group_filters) -> bool`
Check if `user` is member of a group matching `**group_filters`.
Example:
```python
return pb_is_group_member(request.user, name="test_group")
return ak_is_group_member(request.user, name="test_group")
```
### `pb_user_by(**filters) -> Optional[User]`
### `ak_user_by(**filters) -> Optional[User]`
Fetch a user matching `**filters`. Returns "None" if no user was found.
Example:
```python
other_user = pb_user_by(username="other_user")
other_user = ak_user_by(username="other_user")
```
## Comparing IP Addresses
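Review bot: renaming the expression globals (`pb_logger`, `pb_is_group_member`, `pb_user_by`) to the `ak_` prefix breaks every user-written expression policy and property mapping that calls the old names, and this page gives no hint of that. The commit message mentions a `pb_` replacement in policies/expression; the docs should state whether legacy `pb_` names are still accepted after the upgrade (and for how long), otherwise readers cannot tell whether their existing expressions keep working.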

View File

@ -13,17 +13,17 @@ The User object has the following attributes:
- `password_change_date` Date password was last changed.
- `attributes` Dynamic attributes.
- `group_attributes` Merged attributes of all groups the user is member of and the user's own attributes.
- `pb_groups` This is a queryset of all the user's groups.
- `ak_groups` This is a queryset of all the user's groups.
You can do additional filtering like `user.pb_groups.filter(name__startswith='test')`, see [here](https://docs.djangoproject.com/en/3.1/ref/models/querysets/#id4)
You can do additional filtering like `user.ak_groups.filter(name__startswith='test')`, see [here](https://docs.djangoproject.com/en/3.1/ref/models/querysets/#id4)
To get the name of all groups, you can do `[group.name for group in user.pb_groups.all()]`
To get the name of all groups, you can do `[group.name for group in user.ak_groups.all()]`
## Examples
List all the User's group names:
```python
for group in user.pb_groups.all():
for group in user.ak_groups.all():
yield group.name
```
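Review bot: `ak_groups` is a model relation name rather than an expression global, so it is not obvious that the `pb_` compatibility replacement for expressions also covers `user.pb_groups` in existing policies. Confirm that such expressions still evaluate after the upgrade, or list the attribute rename as a required change in the upgrade docs this commit adds.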

View File

@ -6,7 +6,7 @@ Flows are a method of describing a sequence of stages. A stage represents a sing
Upon flow execution, a plan containing all stages is generated. This means that all attached policies are evaluated upon execution. This behaviour can be altered by enabling the **Re-evaluate Policies** option on the binding.
To determine which flow is linked, passbook searches all flows with the required designation and chooses the first instance the current user has access to.
To determine which flow is linked, authentik searches all flows with the required designation and chooses the first instance the current user has access to.
## Permissions

View File

@ -2,6 +2,6 @@
title: Email stage
---
This stage can be used for email verification. passbook's background worker will send an email using the specified connection details. When an email can't be delivered, delivery is automatically retried periodically.
This stage can be used for email verification. authentik's background worker will send an email using the specified connection details. When an email can't be delivered, delivery is automatically retried periodically.
![](email-recovery.png)

View File

@ -10,7 +10,7 @@ To validate that two password fields are identical, create the following express
if request.context.get('prompt_data').get('password') == request.context.get('prompt_data').get('password_repeat'):
return True
pb_message("Passwords don't match.")
ak_message("Passwords don't match.")
return False
```

View File

@ -1,11 +1,11 @@
---
title: Welcome to passbook
title: Welcome to authentik
slug: /
---
## What is passbook?
## What is authentik?
passbook is an open-source Identity Provider focused on flexibility and versatility. You can use passbook in an existing environment to add support for new protocols. passbook is also a great solution for implementing signup/recovery/etc in your application, so you don't have to deal with it.
authentik is an open-source Identity Provider focused on flexibility and versatility. You can use authentik in an existing environment to add support for new protocols. authentik is also a great solution for implementing signup/recovery/etc in your application, so you don't have to deal with it.
## Installation

View File

@ -11,18 +11,18 @@ This installation method is for test-setups and small-scale productive setups.
## Install
Download the latest `docker-compose.yml` from [here](https://raw.githubusercontent.com/BeryJu/passbook/master/docker-compose.yml). Place it in a directory of your choice.
Download the latest `docker-compose.yml` from [here](https://raw.githubusercontent.com/BeryJu/authentik/master/docker-compose.yml). Place it in a directory of your choice.
To optionally enable error-reporting, run `echo PASSBOOK_ERROR_REPORTING__ENABLED=true >> .env`
To optionally enable error-reporting, run `echo AUTHENTIK_ERROR_REPORTING__ENABLED=true >> .env`
To optionally deploy a different version run `echo PASSBOOK_TAG=0.12.11-stable >> .env`
To optionally deploy a different version run `echo AUTHENTIK_TAG=0.12.11-stable >> .env`
If this is a fresh passbook install run the following commands to generate a password:
If this is a fresh authentik install run the following commands to generate a password:
```
sudo apt-get install -y pwgen
echo "PG_PASS=$(pwgen 40 1)" >> .env
echo "PASSBOOK_SECRET_KEY=$(pwgen 50 1)" >> .env
echo "AUTHENTIK_SECRET_KEY=$(pwgen 50 1)" >> .env
```
Afterwards, run these commands to finish
@ -37,10 +37,10 @@ The compose file statically references the latest version available at the time
If you plan to use this setup for production, it is also advised to change the PostgreSQL password by setting `PG_PASS` to a password of your choice.
Now you can pull the Docker images needed by running `docker-compose pull`. After this has finished, run `docker-compose up -d` to start passbook.
Now you can pull the Docker images needed by running `docker-compose pull`. After this has finished, run `docker-compose up -d` to start authentik.
passbook will then be reachable via HTTP on port 80, and HTTPS on port 443. You can optionally configure the packaged traefik to use Let's Encrypt certificates for TLS Encryption.
authentik will then be reachable via HTTP on port 80, and HTTPS on port 443. You can optionally configure the packaged traefik to use Let's Encrypt certificates for TLS Encryption.
If you plan to access passbook via a reverse proxy which does SSL Termination, make sure you use the HTTPS port, so passbook is aware of the SSL connection.
If you plan to access authentik via a reverse proxy which does SSL Termination, make sure you use the HTTPS port, so authentik is aware of the SSL connection.
The initial setup process also creates a default admin user, the username and password for which is `pbadmin`. It is highly recommended to change this password as soon as you log in.
The initial setup process also creates a default admin user, the username and password for which is `akadmin`. It is highly recommended to change this password as soon as you log in.
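Review bot: the `PASSBOOK_*` to `AUTHENTIK_*` rename in this hunk silently affects existing installs: an `.env` written for passbook still contains `PASSBOOK_SECRET_KEY`, which the renamed configuration no longer reads. Unless the old prefix is still honoured, readers upgrading need to rename the keys in `.env` rather than regenerate them, or sessions and tokens signed with the old secret key stop validating; suggest a sentence for existing installs here linking the upgrade docs added in this commit, covering `PASSBOOK_TAG` and `PASSBOOK_ERROR_REPORTING__ENABLED` as well.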

View File

@ -2,6 +2,6 @@
title: Installation
---
If you want to try out passbook, or only want a small deployment (< 100 Users), you should use [docker-compose](./docker-compose).
If you want to try out authentik, or only want a small deployment (< 100 Users), you should use [docker-compose](./docker-compose).
If you want a larger deployment, or you want High-Availability, you should use [Kubernetes](./kubernetes).

View File

@ -2,32 +2,32 @@
title: Kubernetes installation
---
For a mid to high-load installation, Kubernetes is recommended. passbook is installed using a helm-chart.
For a mid to high-load installation, Kubernetes is recommended. authentik is installed using a helm-chart.
To install passbook using the helm chart, run these commands:
To install authentik using the helm chart, run these commands:
```
helm repo add passbook https://docker.beryju.org/chartrepo/passbook
helm repo add authentik https://docker.beryju.org/chartrepo/authentik
helm repo update
helm repo install passbook/passbook --devel -f values.yaml
helm install authentik/authentik --devel -f values.yaml
```
This installation automatically applies database migrations on startup. After the installation is done, you can use `pbadmin` as username and password.
This installation automatically applies database migrations on startup. After the installation is done, you can use `akadmin` as username and password.
```yaml
###################################
# Values directly affecting passbook
# Values directly affecting authentik
###################################
image:
name: beryju/passbook
name_static: beryju/passbook-static
name_outposts: beryju/passbook # Prefix used for Outpost deployments, Outpost type and version is appended
name: beryju/authentik
name_static: beryju/authentik-static
name_outposts: beryju/authentik # Prefix used for Outpost deployments, Outpost type and version is appended
tag: 0.12.11-stable
serverReplicas: 1
workerReplicas: 1
# Enable the Kubernetes integration which lets passbook deploy outposts into kubernetes
# Enable the Kubernetes integration which lets authentik deploy outposts into kubernetes
kubernetesIntegration: true
config:
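Review bot: `image.name` changes to `beryju/authentik` while `tag` stays at `0.12.11-stable`, a tag from the passbook release line; unless that tag is also published under the new image name, the sample values point at an image that does not exist. Either bump the tag to the first authentik release or note that the value must match a tag published for the renamed image. Separately, `helm install authentik/authentik --devel -f values.yaml` lacks a release name, which Helm 3 requires (`helm install authentik authentik/authentik --devel -f values.yaml` or `--generate-name`).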
@ -56,11 +56,11 @@ ingress:
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- passbook.k8s.local
- authentik.k8s.local
tls: []
# - secretName: chart-example-tls
# hosts:
# - passbook.k8s.local
# - authentik.k8s.local
###################################
# Values controlling dependencies
@ -70,9 +70,9 @@ install:
postgresql: true
redis: true
# These values influence the bundled postgresql and redis charts, but are also used by passbook to connect
# These values influence the bundled postgresql and redis charts, but are also used by authentik to connect
postgresql:
postgresqlDatabase: passbook
postgresqlDatabase: authentik
redis:
cluster:
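Review bot: changing `postgresqlDatabase` from `passbook` to `authentik` in the sample values means an existing chart install that adopts these values connects the server to a new, empty database while its data stays in `passbook`. Add a sentence telling upgrading users to keep their existing database name (or migrate the data first) before applying the renamed values.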

View File

@ -1,8 +1,8 @@
---
title: passbook behind a reverse-proxy
title: authentik behind a reverse-proxy
---
If you want to access passbook behind a reverse-proxy, use a config like this. It is important that Websocket is enabled, so that Outposts can connect.
If you want to access authentik behind a reverse-proxy, use a config like this. It is important that Websocket is enabled, so that Outposts can connect.
```
map $http_upgrade $connection_upgrade {
@ -31,7 +31,7 @@ server {
# Proxy site
location / {
proxy_pass https://<hostname of your passbook server>;
proxy_pass https://<hostname of your authentik server>;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;

View File

@ -12,13 +12,13 @@ Amazon Web Services (AWS) is the worlds most comprehensive and broadly adopte
The following placeholders will be used:
- `passbook.company` is the FQDN of the passbook install.
- `authentik.company` is the FQDN of the authentik install.
Create an application in passbook and note the slug, as this will be used later. Create a SAML provider with the following parameters:
Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters:
- ACS URL: `https://signin.aws.amazon.com/saml`
- Audience: `urn:amazon:webservices`
- Issuer: `passbook`
- Issuer: `authentik`
- Binding: `Post`
You can of course use a custom signing certificate, and adjust durations.
@ -31,7 +31,7 @@ After you've created the Property Mappings below, add them to the Provider.
Create an application, assign policies, and assign this provider.
Export the metadata from passbook, and create an Identity Provider [here](https://console.aws.amazon.com/iam/home#/providers).
Export the metadata from authentik, and create an Identity Provider [here](https://console.aws.amazon.com/iam/home#/providers).
#### Role Mapping
@ -42,23 +42,23 @@ This Mapping needs to have the SAML Name field set to "https://aws.amazon.com/SA
As expression, you can return a static ARN like so
```python
return "arn:aws:iam::123412341234:role/saml_role,arn:aws:iam::123412341234:saml-provider/passbook"
return "arn:aws:iam::123412341234:role/saml_role,arn:aws:iam::123412341234:saml-provider/authentik"
```
Or, if you want to assign AWS Roles based on Group membership, you can add a custom attribute to the Groups, for example "aws_role", and use this snippet below. Groups are sorted by name and later groups overwrite earlier groups' attributes.
```python
role_name = user.group_attributes().get("aws_role", "")
return f"arn:aws:iam::123412341234:role/{role_name},arn:aws:iam::123412341234:saml-provider/passbook"
return f"arn:aws:iam::123412341234:role/{role_name},arn:aws:iam::123412341234:saml-provider/authentik"
```
If you want to allow a user to choose from multiple roles, use this snippet
```python
return [
"arn:aws:iam::123412341234:role/role_a,arn:aws:iam::123412341234:saml-provider/passbook",
"arn:aws:iam::123412341234:role/role_b,arn:aws:iam::123412341234:saml-provider/passbook",
"arn:aws:iam::123412341234:role/role_c,arn:aws:iam::123412341234:saml-provider/passbook",
"arn:aws:iam::123412341234:role/role_a,arn:aws:iam::123412341234:saml-provider/authentik",
"arn:aws:iam::123412341234:role/role_b,arn:aws:iam::123412341234:saml-provider/authentik",
"arn:aws:iam::123412341234:role/role_c,arn:aws:iam::123412341234:saml-provider/authentik",
]
```
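Review bot: the `saml-provider/authentik` part of the ARNs in these snippets is the name of the Identity Provider created in IAM in the step above, not a fixed value. A deployment that created its provider as `passbook` must keep `saml-provider/passbook` in the mapping, otherwise AWS rejects the assertion; suggest stating that this segment must match the provider name entered in the IAM console.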

View File

@ -21,9 +21,9 @@ AWX is the open-source version of Tower. The term "AWX" will be used interchange
The following placeholders will be used:
- `awx.company` is the FQDN of the AWX/Tower install.
- `passbook.company` is the FQDN of the passbook install.
- `authentik.company` is the FQDN of the authentik install.
Create an application in passbook and note the slug, as this will be used later. Create a SAML provider with the following parameters:
Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters:
- ACS URL: `https://awx.company/sso/complete/saml/`
- Audience: `awx`
@ -36,16 +36,16 @@ You can of course use a custom signing certificate, and adjust durations.
Navigate to `https://awx.company/#/settings/auth` to configure SAML. Set the Field `SAML SERVICE PROVIDER ENTITY ID` to `awx`.
For the fields `SAML SERVICE PROVIDER PUBLIC CERTIFICATE` and `SAML SERVICE PROVIDER PRIVATE KEY`, you can either use custom certificates, or use the self-signed pair generated by passbook.
For the fields `SAML SERVICE PROVIDER PUBLIC CERTIFICATE` and `SAML SERVICE PROVIDER PRIVATE KEY`, you can either use custom certificates, or use the self-signed pair generated by authentik.
Provide metadata in the `SAML Service Provider Organization Info` field:
```json
{
"en-US": {
"name": "passbook",
"url": "https://passbook.company",
"displayname": "passbook"
"name": "authentik",
"url": "https://authentik.company",
"displayname": "authentik"
}
}
```
@ -63,11 +63,11 @@ In the `SAML Enabled Identity Providers` paste the following configuration:
```json
{
"passbook": {
"authentik": {
"attr_username": "urn:oid:2.16.840.1.113730.3.1.241",
"attr_user_permanent_id": "urn:oid:0.9.2342.19200300.100.1.1",
"x509cert": "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",
"url": "https://passbook.company/application/saml/awx/login/",
"url": "https://authentik.company/application/saml/awx/login/",
"attr_last_name": "User.LastName",
"entity_id": "https://awx.company/sso/metadata/saml/",
"attr_email": "urn:oid:0.9.2342.19200300.100.1.3",
@ -76,4 +76,4 @@ In the `SAML Enabled Identity Providers` paste the following configuration:
}
```
`x509cert` is the certificate configured in passbook. Remove the `--BEGIN CERTIFICATE--` and `--END CERTIFICATE--` headers, then enter the cert as one non-breaking string.
`x509cert` is the certificate configured in authentik. Remove the `--BEGIN CERTIFICATE--` and `--END CERTIFICATE--` headers, then enter the cert as one non-breaking string.
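Review bot: the header-removal instruction on the last line is inaccurate for PEM: the delimiters are `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` (five dashes), and "one non-breaking string" should read "a single line with the line breaks removed". Since the line is touched for the rename anyway, fix the wording in the same hunk.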

View File

@ -15,9 +15,9 @@ GitLab is a complete DevOps platform, delivered as a single application. This ma
The following placeholders will be used:
- `gitlab.company` is the FQDN of the GitLab Install
- `passbook.company` is the FQDN of the passbook Install
- `authentik.company` is the FQDN of the authentik Install
Create an application in passbook and note the slug, as this will be used later. Create a SAML provider with the following parameters:
Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters:
- ACS URL: `https://gitlab.company/users/auth/saml/callback`
- Audience: `https://gitlab.company`
@ -45,7 +45,7 @@ gitlab_rails['omniauth_providers'] = [
args: {
assertion_consumer_service_url: 'https://gitlab.company/users/auth/saml/callback',
idp_cert_fingerprint: '4E:1E:CD:67:4A:67:5A:E9:6A:D0:3C:E6:DD:7A:F2:44:2E:76:00:6A',
idp_sso_target_url: 'https://passbook.company/application/saml/<passbook application slug>/sso/binding/post/',
idp_sso_target_url: 'https://authentik.company/application/saml/<authentik application slug>/sso/binding/post/',
issuer: 'https://gitlab.company',
name_identifier_format: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
attribute_statements: {
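Review bot: `idp_cert_fingerprint` remains a literal `4E:1E:CD:...` value right above the `<authentik application slug>` placeholder, so readers will copy it verbatim and SAML login fails because the fingerprint has to be that of their own authentik signing certificate. Mark it as a placeholder (`<fingerprint of your authentik signing certificate>`) in the same style as the slug on the next line.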
@ -54,7 +54,7 @@ gitlab_rails['omniauth_providers'] = [
nickname: ['urn:oid:2.16.840.1.113730.3.1.241']
}
},
label: 'passbook'
label: 'authentik'
}
]
```

Binary file not shown (image replaced: 348 KiB before, 119 KiB after).

View File

@ -15,9 +15,9 @@ Harbor is an open source container image registry that secures images with role-
The following placeholders will be used:
- `harbor.company` is the FQDN of the Harbor install.
- `passbook.company` is the FQDN of the passbook install.
- `authentik.company` is the FQDN of the authentik install.
Create an application in passbook. Create an OpenID provider with the following parameters:
Create an application in authentik. Create an OpenID provider with the following parameters:
- Client Type: `Confidential`
- Response types: `code (Authorization Code Flow)`

View File

@ -15,47 +15,47 @@ Open source home automation that puts local control and privacy first. Powered b
The following placeholders will be used:
- `hass.company` is the FQDN of the Home-Assistant install.
- `passbook.company` is the FQDN of the passbook install.
- `authentik.company` is the FQDN of the authentik install.
:::note
This setup uses https://github.com/BeryJu/hass-auth-header and the passbook proxy for authentication. When this [PR](https://github.com/home-assistant/core/pull/32926) is merged, this will no longer be necessary.
This setup uses https://github.com/BeryJu/hass-auth-header and the authentik proxy for authentication. When this [PR](https://github.com/home-assistant/core/pull/32926) is merged, this will no longer be necessary.
:::
## Home-Assistant
This guide requires https://github.com/BeryJu/hass-auth-header, which can be installed as described in the Readme.
Afterwards, make sure the `trusted_proxies` setting contains the IP(s) of the Host(s) passbook is running on.
Afterwards, make sure the `trusted_proxies` setting contains the IP(s) of the Host(s) authentik is running on.
With the default Header of `X-Forwarded-Preferred-Username` matching is done on a username basis, so your Name in Home-Assistant and your username in passbook have to match.
With the default Header of `X-Forwarded-Preferred-Username` matching is done on a username basis, so your Name in Home-Assistant and your username in authentik have to match.
If this is not the case, you can simply add an additional header for your user, which contains the Home-Assistant Name and authenticate based on that.
For example add this to your user's properties and set the Header to `X-pb-hass-user`.
For example add this to your user's properties and set the Header to `X-ak-hass-user`.
```yaml
additionalHeaders:
X-pb-hass-user: some other name
X-ak-hass-user: some other name
```
## passbook
## authentik
Create a Proxy Provider with the following values
- Internal host
If Home-Assistant is running in docker, and you're deploying the passbook proxy on the same host, set the value to `http://homeassistant:8123`, where Home-Assistant is the name of your container.
If Home-Assistant is running in docker, and you're deploying the authentik proxy on the same host, set the value to `http://homeassistant:8123`, where Home-Assistant is the name of your container.
If Home-Assistant is running on a different server than where you are deploying the passbook proxy, set the value to `http://hass.company:8123`.
If Home-Assistant is running on a different server than where you are deploying the authentik proxy, set the value to `http://hass.company:8123`.
- External host
Set this to the external URL you will be accessing Home-Assistant from.
Create an application in passbook and select the provider you've created above.
Create an application in authentik and select the provider you've created above.
## Deployment
Create an outpost deployment for the provider you've created above, as described [here](../../../outposts/outposts.md). Deploy this Outpost either on the same host or a different host that can access Home-Assistant.
The outpost will connect to passbook and configure itself.
The outpost will connect to authentik and configure itself.
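Review bot: the `trusted_proxies` sentence tells readers to list the IP(s) of the host(s) authentik is running on, but in this setup the requests carrying `X-Forwarded-Preferred-Username` (or `X-ak-hass-user`) come from the proxy outpost, which the Deployment section says may run on a different host. Because hass-auth-header trusts that header as the user's identity, `trusted_proxies` should contain only the outpost's address(es); the wording should say so.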

View File

@ -16,13 +16,13 @@ Rancher is a platform built to address the needs of the DevOps teams deploying a
The following placeholders will be used:
- `rancher.company` is the FQDN of the Rancher install.
- `passbook.company` is the FQDN of the passbook install.
- `authentik.company` is the FQDN of the authentik install.
Create an application in passbook and note the slug, as this will be used later. Create a SAML provider with the following parameters:
Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters:
- ACS URL: `https://rancher.company/v1-saml/adfs/saml/acs`
- Audience: `https://rancher.company/v1-saml/adfs/saml/metadata`
- Issuer: `passbook`
- Issuer: `authentik`
You can of course use a custom signing certificate, and adjust durations.

Binary file not shown (image replaced: 525 KiB before, 549 KiB after).

View File

@ -19,13 +19,13 @@ better software faster with Sentry. Wont you join them?
The following placeholders will be used:
- `sentry.company` is the FQDN of the Sentry install.
- `passbook.company` is the FQDN of the passbook install.
- `authentik.company` is the FQDN of the authentik install.
Create an application in passbook. Create a SAML Provider with the following values
Create an application in authentik. Create a SAML Provider with the following values
- ACS URL: `https://sentry.company/saml/acs/<sentry organisation name>/`
- Audience: `https://sentry.company/saml/metadata/<sentry organisation name>/`
- Issuer: `passbook`
- Issuer: `authentik`
- Service Provider Binding: `Post`
- Property Mapping: Select all Autogenerated Mappings
@ -37,7 +37,7 @@ Navigate to Settings -> Auth, and click on Configure next to SAML2
![](./auth.png)
In passbook, get the Metadata URL by right-clicking `Download Metadata` and selecting Copy Link Address, and paste that URL into Sentry.
In authentik, get the Metadata URL by right-clicking `Download Metadata` and selecting Copy Link Address, and paste that URL into Sentry.
On the next screen, input these Values
@ -45,4 +45,4 @@ IdP User ID: `urn:oid:0.9.2342.19200300.100.1.1`
User Email: `urn:oid:0.9.2342.19200300.100.1.3`
First Name: `urn:oid:2.5.4.3`
After confirming, Sentry will authenticate with passbook, and you should be redirected back to a page confirming your settings.
After confirming, Sentry will authenticate with authentik, and you should be redirected back to a page confirming your settings.

View File

@ -21,24 +21,24 @@ Sonarr is a PVR for Usenet and BitTorrent users. It can monitor multiple RSS fee
The following placeholders will be used:
- `sonarr.company` is the FQDN of the Sonarr install.
- `passbook.company` is the FQDN of the passbook install.
- `authentik.company` is the FQDN of the authentik install.
Create a Proxy Provider with the following values
- Internal host
If Sonarr is running in docker, and you're deploying the passbook proxy on the same host, set the value to `http://sonarr:8989`, where sonarr is the name of your container.
If Sonarr is running in docker, and you're deploying the authentik proxy on the same host, set the value to `http://sonarr:8989`, where sonarr is the name of your container.
If Sonarr is running on a different server than where you are deploying the passbook proxy, set the value to `http://sonarr.company:8989`.
If Sonarr is running on a different server than where you are deploying the authentik proxy, set the value to `http://sonarr.company:8989`.
- External host
Set this to the external URL you will be accessing Sonarr from.
Create an application in passbook and select the provider you've created above.
Create an application in authentik and select the provider you've created above.
## Deployment
Create an outpost deployment for the provider you've created above, as described [here](../../../outposts/outposts.md). Deploy this Outpost either on the same host or a different host that can access Sonarr.
The outpost will connect to passbook and configure itself.
The outpost will connect to authentik and configure itself.

View File

@ -15,11 +15,11 @@ Tautulli is a 3rd party application that you can run alongside your Plex Media S
The following placeholders will be used:
- `tautulli.company` is the FQDN of the Tautulli install.
- `passbook.company` is the FQDN of the passbook install.
- `authentik.company` is the FQDN of the authentik install.
## passbook Setup
## authentik Setup
Because Tautulli requires valid HTTP Basic credentials, you must save your HTTP Basic Credentials in passbook. The recommended way to do this is to create a Group. Name the group "Tautulli Users", for example. For this group, add the following attributes:
Because Tautulli requires valid HTTP Basic credentials, you must save your HTTP Basic Credentials in authentik. The recommended way to do this is to create a Group. Name the group "Tautulli Users", for example. For this group, add the following attributes:
```yaml
tautulli_user: username
@ -28,13 +28,13 @@ tautulli_password: password
Add all Tautulli users to the Group. You should also create a Group Membership Policy to limit access to the application.
Create an application in passbook. Create a Proxy provider with the following parameters:
Create an application in authentik. Create a Proxy provider with the following parameters:
- Internal host
If Tautulli is running in docker, and you're deploying the passbook proxy on the same host, set the value to `http://tautulli:3579`, where tautulli is the name of your container.
If Tautulli is running in docker, and you're deploying the authentik proxy on the same host, set the value to `http://tautulli:3579`, where tautulli is the name of your container.
If Tautulli is running on a different server to where you are deploying the passbook proxy, set the value to `http://tautulli.company:3579`.
If Tautulli is running on a different server to where you are deploying the authentik proxy, set the value to `http://tautulli.company:3579`.
- External host

View File

@ -11,7 +11,7 @@ Landscape is a systems management tool developed by Canonical. It can be run on-
:::
:::warning
This requires passbook 0.10.3 or newer.
This requires authentik 0.10.3 or newer.
:::
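Review bot: "This requires authentik 0.10.3 or newer" refers to a release that shipped under the passbook name, so after the rename a reader cannot tell whether 0.10.3 is an authentik version at all. Either say "passbook 0.10.3 (now authentik) or newer" or bump the stated minimum to the first authentik release; the same line appears in the vCenter page further down.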
## Preparation
@ -19,11 +19,11 @@ This requires passbook 0.10.3 or newer.
The following placeholders will be used:
- `landscape.company` is the FQDN of the Landscape server.
- `passbook.company` is the FQDN of the passbook install.
- `authentik.company` is the FQDN of the authentik install.
Landscape uses the OpenID-Connect Protocol for single-sign on.
## passbook Setup
## authentik Setup
Create an OAuth2/OpenID-Connect Provider with the default settings. Set the Redirect URIs to `https://landscape.company/login/handle-openid`. Select all Autogenerated Scopes.
@ -36,7 +36,7 @@ Create an application and assign access policies to the application. Set the app
On the Landscape Server, edit the file `/etc/landscape/service.conf` and add the following snippet under the `[landscape]` section:
```
oidc-issuer = https://passbook.company/application/o/<slug of the application you've created>/
oidc-issuer = https://authentik.company/application/o/<slug of the application you've created>/
oidc-client-id = <client ID of the provider you've created>
oidc-client-secret = <client Secret of the provider you've created>
```
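Review bot: this snippet puts `oidc-client-secret` in plaintext in `/etc/landscape/service.conf`; since the hunk only renames the issuer host, it is a good moment to add a one-line reminder to keep that file readable only by the Landscape service user.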
@ -47,7 +47,7 @@ Afterwards, run `sudo lsctl restart` to restart the Landscape services.
To make an OpenID-Connect User admin, you have to insert some rows into the database.
First login with your passbook user, and make sure the user is created successfully.
First login with your authentik user, and make sure the user is created successfully.
Run `sudo -u postgres psql landscape-standalone-main` on the Landscape server to open a PostgreSQL Prompt.
Then run `select * from person;` to get a list of all users. Take note of the ID given to your new user.

@ -11,7 +11,7 @@ vCenter Server is the centralized management utility for VMware, and is used to
:::
:::warning
This requires passbook 0.10.3 or newer.
This requires authentik 0.10.3 or newer.
:::
:::warning
@ -27,9 +27,9 @@ It seems that the vCenter still needs to be joined to the Active Directory Domai
The following placeholders will be used:
- `vcenter.company` is the FQDN of the vCenter server.
- `passbook.company` is the FQDN of the passbook install.
- `authentik.company` is the FQDN of the authentik install.
Since vCenter only allows OpenID-Connect in combination with Active Directory, it is recommended to have passbook sync with the same Active Directory.
Since vCenter only allows OpenID-Connect in combination with Active Directory, it is recommended to have authentik sync with the same Active Directory.
### Step 1
@ -61,7 +61,7 @@ Under _Providers_, create an OAuth2/OpenID Provider with these settings:
- Sub Mode: If your Email address Schema matches your UPN, select "Based on the User's Email...", otherwise select "Based on the User's UPN...".
- Scopes: Select the Scope Mapping you've created in Step 1
![](./passbook_setup.png)
![](./authentik_setup.png)
### Step 4
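Review bot: the image reference changes from `./passbook_setup.png` to `./authentik_setup.png`; confirm the file itself is renamed in this commit (the rendered page shows no rename for it), otherwise the link 404s. The same check applies to `./03_ak_status.png` and `./authentik_user_debug.png` further down.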
@ -77,9 +77,9 @@ Click on _Change Identity Provider_ in the top-right corner.
In the wizard, select "Microsoft ADFS" and click Next.
Fill in the Client Identifier and Shared Secret from the Provider in passbook. For the OpenID Address, click on _View Setup URLs_ in passbook, and copy the OpenID Configuration URL.
Fill in the Client Identifier and Shared Secret from the Provider in authentik. For the OpenID Address, click on _View Setup URLs_ in authentik, and copy the OpenID Configuration URL.
On the next page, fill in your Active Directory Connection Details. These should be similar to what you have set in passbook.
On the next page, fill in your Active Directory Connection Details. These should be similar to what you have set in authentik.
![](./vcenter_post_setup.png)

@ -7,7 +7,7 @@ title: Active Directory
The following placeholders will be used:
- `ad.company` is the Name of the Active Directory domain.
- `passbook.company` is the FQDN of the passbook install.
- `authentik.company` is the FQDN of the authentik install.
## Active Directory Setup
@ -21,25 +21,25 @@ The following placeholders will be used:
4. Open the Delegation of Control Wizard by right-clicking the domain.
5. Select the passbook service user you've just created.
5. Select the authentik service user you've just created.
6. Ensure the "Reset user password and force password change at next logon" Option is checked.
![](./02_delegate.png)
## passbook Setup
## authentik Setup
In passbook, create a new LDAP Source in Administration -> Sources.
In authentik, create a new LDAP Source in Administration -> Sources.
Use these settings:
- Server URI: `ldap://ad.company`
For passbook to be able to write passwords back to Active Directory, make sure to use `ldaps://`
For authentik to be able to write passwords back to Active Directory, make sure to use `ldaps://`
- Bind CN: `<name of your service user>@ad.company`
- Bind Password: The password you've given the user above
- Base DN: The base DN which you want passbook to sync
- Base DN: The base DN which you want authentik to sync
- Property Mappings: Select all and click the right arrow
The other settings might need to be adjusted based on the setup of your domain.
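Review bot: the example `Server URI: ldap://ad.company` contradicts the line right below it, which requires `ldaps://` for password write-back, and the bind account set up a few lines earlier was delegated "Reset user password" rights. With `ldap://` the bind password of that privileged service user crosses the network in cleartext; suggest making `ldaps://ad.company` the example value and mentioning `ldap://` only as a fallback.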
@ -54,4 +54,4 @@ The other settings might need to be adjusted based on the setup of your domain.
After you save the source, a synchronization will start in the background. When its done, you cen see the summary on the System Tasks page.
![](./03_pb_status.png)
![](./03_ak_status.png)
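Review bot: typos in the context line of this hunk: "When its done, you cen see" should read "When it's done, you can see".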

@ -12,7 +12,7 @@ Local backups are only supported for docker-compose installs. If you want to bac
Local backups are **enabled** by default, and will be run daily at 00:00
:::
Local backups can be created by running the following command in your passbook installation directory
Local backups can be created by running the following command in your authentik installation directory
```
docker-compose run --rm worker backup
@ -22,7 +22,7 @@ This will dump the current database into the `./backups` folder. By defaults, th
### Restore
Run this command in your passbook installation directory
Run this command in your authentik installation directory
```
docker-compose run --rm worker restore
@ -40,7 +40,7 @@ After you've restored the backup, it is recommended to restart all services with
#### Preparation
passbook expects the bucket you select to already exist. The IAM User given to passbook should have the following permissions
authentik expects the bucket you select to already exist. The IAM User given to authentik should have the following permissions
```json
{
@ -74,16 +74,16 @@ passbook expects the bucket you select to already exist. The IAM User given to p
Set the following values in your `.env` file.
```
PASSBOOK_POSTGRESQL__S3_BACKUP__ACCESS_KEY=
PASSBOOK_POSTGRESQL__S3_BACKUP__SECRET_KEY=
PASSBOOK_POSTGRESQL__S3_BACKUP__BUCKET=
PASSBOOK_POSTGRESQL__S3_BACKUP__REGION=
AUTHENTIK_POSTGRESQL__S3_BACKUP__ACCESS_KEY=
AUTHENTIK_POSTGRESQL__S3_BACKUP__SECRET_KEY=
AUTHENTIK_POSTGRESQL__S3_BACKUP__BUCKET=
AUTHENTIK_POSTGRESQL__S3_BACKUP__REGION=
```
If you want to backup to an S3-compatible server, like [minio](https://min.io/), use this setting:
```
PASSBOOK_POSTGRESQL__S3_BACKUP__HOST=http://play.min.io
AUTHENTIK_POSTGRESQL__S3_BACKUP__HOST=http://play.min.io
```
#### Kubernetes
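Review bot: the S3-compatible example sets `AUTHENTIK_POSTGRESQL__S3_BACKUP__HOST=http://play.min.io`; this endpoint receives a full database dump authenticated with the access key and secret from the variables above, so the example should use `https://`, or at least warn that plain HTTP exposes the backup in transit.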

@ -10,13 +10,13 @@ You can also run the outpost in a separate docker-compose project, you just have
version: "3.5"
services:
passbook_proxy:
image: beryju/passbook-proxy:0.10.0-stable
authentik_proxy:
image: beryju/authentik-proxy:0.10.0-stable
ports:
- 4180:4180
- 4443:4443
environment:
PASSBOOK_HOST: https://your-passbook.tld
PASSBOOK_INSECURE: "false"
PASSBOOK_TOKEN: token-generated-by-passbook
AUTHENTIK_HOST: https://your-authentik.tld
AUTHENTIK_INSECURE: "false"
AUTHENTIK_TOKEN: token-generated-by-authentik
```
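Review bot: the image is renamed to `beryju/authentik-proxy` but the tag stays at `0.10.0-stable`; per the new "Upgrading to 0.13" page the authentik name only starts with 0.13, so this tag is unlikely to exist under the new image name and the example compose file will fail to pull. Bump the tag to the release that ships the rename. Separately, `AUTHENTIK_TOKEN` as an inline environment value shows up in `docker inspect` and compose output; pointing at an `env_file` would be the safer example.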

@ -4,7 +4,7 @@ title: Manual Outpost deployment on Kubernetes
Use the following manifest, replacing all values surrounded with `__`.
Afterwards, configure the proxy provider to connect to `<service name>.<namespace>.svc.cluster.local`, and update your Ingress to connect to the `passbook-outpost` service.
Afterwards, configure the proxy provider to connect to `<service name>.<namespace>.svc.cluster.local`, and update your Ingress to connect to the `authentik-outpost` service.
```yaml
apiVersion: v1
@ -12,14 +12,14 @@ kind: Secret
metadata:
labels:
app.kubernetes.io/instance: test
app.kubernetes.io/managed-by: passbook.beryju.org
app.kubernetes.io/name: passbook-proxy
app.kubernetes.io/managed-by: goauthentik.io
app.kubernetes.io/name: authentik-proxy
app.kubernetes.io/version: 0.10.0
name: passbook-outpost-api
name: authentik-outpost-api
stringData:
passbook_host: "__PASSBOOK_URL__"
passbook_host_insecure: "true"
token: "__PASSBOOK_TOKEN__"
authentik_host: "__AUTHENTIK_URL__"
authentik_host_insecure: "true"
token: "__AUTHENTIK_TOKEN__"
type: Opaque
---
apiVersion: v1
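Review bot: the template Secret ships `authentik_host_insecure: "true"`, which the Deployment below feeds into `AUTHENTIK_INSECURE`, so anyone copying the manifest gets TLS verification against the authentik host disabled by default. Default it to `"false"` and call out when `"true"` is appropriate (self-signed certificates in a lab). The same remark about the `0.10.0-stable` tag under the renamed `beryju/authentik-proxy` image applies here as on the docker-compose page.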
@ -27,10 +27,10 @@ kind: Service
metadata:
labels:
app.kubernetes.io/instance: test
app.kubernetes.io/managed-by: passbook.beryju.org
app.kubernetes.io/name: passbook-proxy
app.kubernetes.io/managed-by: goauthentik.io
app.kubernetes.io/name: authentik-proxy
app.kubernetes.io/version: 0.10.0
name: passbook-outpost
name: authentik-outpost
spec:
ports:
- name: http
@ -43,8 +43,8 @@ spec:
targetPort: https
selector:
app.kubernetes.io/instance: test
app.kubernetes.io/managed-by: passbook.beryju.org
app.kubernetes.io/name: passbook-proxy
app.kubernetes.io/managed-by: goauthentik.io
app.kubernetes.io/name: authentik-proxy
app.kubernetes.io/version: 0.10.0
type: ClusterIP
---
@ -53,43 +53,43 @@ kind: Deployment
metadata:
labels:
app.kubernetes.io/instance: test
app.kubernetes.io/managed-by: passbook.beryju.org
app.kubernetes.io/name: passbook-proxy
app.kubernetes.io/managed-by: goauthentik.io
app.kubernetes.io/name: authentik-proxy
app.kubernetes.io/version: 0.10.0
name: passbook-outpost
name: authentik-outpost
spec:
selector:
matchLabels:
app.kubernetes.io/instance: test
app.kubernetes.io/managed-by: passbook.beryju.org
app.kubernetes.io/name: passbook-proxy
app.kubernetes.io/managed-by: goauthentik.io
app.kubernetes.io/name: authentik-proxy
app.kubernetes.io/version: 0.10.0
template:
metadata:
labels:
app.kubernetes.io/instance: test
app.kubernetes.io/managed-by: passbook.beryju.org
app.kubernetes.io/name: passbook-proxy
app.kubernetes.io/managed-by: goauthentik.io
app.kubernetes.io/name: authentik-proxy
app.kubernetes.io/version: 0.10.0
spec:
containers:
- env:
- name: PASSBOOK_HOST
- name: AUTHENTIK_HOST
valueFrom:
secretKeyRef:
key: passbook_host
name: passbook-outpost-api
- name: PASSBOOK_TOKEN
key: authentik_host
name: authentik-outpost-api
- name: AUTHENTIK_TOKEN
valueFrom:
secretKeyRef:
key: token
name: passbook-outpost-api
- name: PASSBOOK_INSECURE
name: authentik-outpost-api
- name: AUTHENTIK_INSECURE
valueFrom:
secretKeyRef:
key: passbook_host_insecure
name: passbook-outpost-api
image: beryju/passbook-proxy:0.10.0-stable
key: authentik_host_insecure
name: authentik-outpost-api
image: beryju/authentik-proxy:0.10.0-stable
name: proxy
ports:
- containerPort: 4180

@ -2,16 +2,16 @@
title: Outposts
---
An outpost is a single deployment of a passbook component, which can be deployed in a completely separate environment. Currently, only the Proxy Provider is supported as outpost.
An outpost is a single deployment of a authentik component, which can be deployed in a completely separate environment. Currently, only the Proxy Provider is supported as outpost.
![](outposts.png)
Upon creation, a service account and a token is generated. The service account only has permissions to read the outpost and provider configuration. This token is used by the Outpost to connect to passbook.
Upon creation, a service account and a token is generated. The service account only has permissions to read the outpost and provider configuration. This token is used by the Outpost to connect to authentik.
passbook can manage the deployment, updating and general lifecycle of an Outpost. To communicate with the underlying platforms on which the outpost is deployed, passbook has "Service Connections".
authentik can manage the deployment, updating and general lifecycle of an Outpost. To communicate with the underlying platforms on which the outpost is deployed, authentik has "Service Connections".
- If you've deployed passbook on docker-compose, passbook automatically create a Service Connection for the local docker socket.
- If you've deployed passbook on Kubernetes, with `kubernetesIntegration` set to true (default), passbook automatically creates a Service Connection for the local Kubernetes Cluster.
- If you've deployed authentik on docker-compose, authentik automatically create a Service Connection for the local docker socket.
- If you've deployed authentik on Kubernetes, with `kubernetesIntegration` set to true (default), authentik automatically creates a Service Connection for the local Kubernetes Cluster.
To deploy an outpost with these service connections, simply selected them during the creation of an Outpost. A background task is started, which creates the container/deployment. You can see that Status on the System Tasks page.
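Review bot: grammar in this hunk's new lines: "a authentik component" should be "an authentik component" and "authentik automatically create a Service Connection" should be "creates"; in the context line, "simply selected them" and "see that Status" should be "simply select them" and "see the status".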

@ -8,4 +8,4 @@ In the Outpost Overview list, you'll see if any deployed outposts are out of dat
To upgrade the Outpost to the latest version, simple adjust the docker tag of the outpost the the new version.
Since the configuration is managed by passbook, that's all you have to do.
Since the configuration is managed by authentik, that's all you have to do.
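Review bot: the context line "simple adjust the docker tag of the outpost the the new version" should read "simply adjust the docker tag of the outpost to the new version".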

@ -10,14 +10,14 @@ The passing of the policy is determined by the return value of the code. Use `re
### Available Functions
#### `pb_message(message: str)`
#### `ak_message(message: str)`
Add a message, visible by the end user. This can be used to show the reason why they were denied.
Example:
```python
pb_message("Access denied")
ak_message("Access denied")
return False
```
@ -28,11 +28,11 @@ return False
- `request.http_request`: The Django HTTP Request. ([ref](https://docs.djangoproject.com/en/3.0/ref/request-response/#httprequest-objects))
- `request.obj`: A Django Model instance. This is only set if the policy is ran against an object.
- `request.context`: A dictionary with dynamic data. This depends on the origin of the execution.
- `pb_is_sso_flow`: Boolean which is true if request was initiated by authenticating through an external provider.
- `pb_client_ip`: Client's IP Address or 255.255.255.255 if no IP Address could be extracted. Can be [compared](../expressions/index.md#comparing-ip-addresses), for example
- `ak_is_sso_flow`: Boolean which is true if request was initiated by authenticating through an external provider.
- `ak_client_ip`: Client's IP Address or 255.255.255.255 if no IP Address could be extracted. Can be [compared](../expressions/index.md#comparing-ip-addresses), for example
```python
return pb_client_ip in ip_network('10.0.0.0/24')
return ak_client_ip in ip_network('10.0.0.0/24')
```
Additionally, when the policy is executed from a flow, every variable from the flow's current context is accessible under the `context` object.

@ -8,7 +8,7 @@ title: Policies
### Reputation Policy
passbook keeps track of failed login attempts by source IP and attempted username. These values are saved as scores. Each failed login decreases the score for the client IP as well as the targeted username by 1 (one).
authentik keeps track of failed login attempts by source IP and attempted username. These values are saved as scores. Each failed login decreases the score for the client IP as well as the targeted username by 1 (one).
This policy can be used, for example, to prompt clients with a low score to pass a captcha before they can continue.
@ -33,7 +33,7 @@ The following rules can be set:
### Have I Been Pwned Policy
This policy checks the hashed password against the [Have I Been Pwned](https://haveibeenpwned.com/) API. This only sends the first 5 characters of the hashed password. The remaining comparison is done within passbook.
This policy checks the hashed password against the [Have I Been Pwned](https://haveibeenpwned.com/) API. This only sends the first 5 characters of the hashed password. The remaining comparison is done within authentik.
### Password-Expiry Policy

@ -2,7 +2,7 @@
title: Property Mappings
---
Property Mappings allow you to pass information to external applications. For example, pass the current user's groups as a SAML parameter. Property Mappings are also used to map Source fields to passbook fields, for example when using LDAP.
Property Mappings allow you to pass information to external applications. For example, pass the current user's groups as a SAML parameter. Property Mappings are also used to map Source fields to authentik fields, for example when using LDAP.
## SAML Property Mapping
@ -10,7 +10,7 @@ SAML Property Mappings allow you embed information into the SAML AuthN request.
## LDAP Property Mapping
LDAP Property Mappings are used when you define a LDAP Source. These mappings define which LDAP property maps to which passbook property. By default, the following mappings are created:
LDAP Property Mappings are used when you define a LDAP Source. These mappings define which LDAP property maps to which authentik property. By default, the following mappings are created:
- Autogenerated LDAP Mapping: givenName -> first_name
- Autogenerated LDAP Mapping: mail -> email
@ -22,4 +22,4 @@ These are configured with most common LDAP setups.
## Scope Mapping
Scope Mappings are used by the OAuth2 Provider to map information from passbook to OAuth2/OpenID Claims.
Scope Mappings are used by the OAuth2 Provider to map information from authentik to OAuth2/OpenID Claims.

@ -8,7 +8,7 @@ This provider is to be used in conjunction with [Outposts](../outposts/outposts.
This provider protects applications, which have no built-in support for OAuth2 or SAML. This is done by running a lightweight Reverse Proxy in front of the application, which authenticates the requests.
passbook Proxy is based on [oauth2_proxy](https://github.com/oauth2-proxy/oauth2-proxy), but has been integrated more tightly with passbook.
authentik Proxy is based on [oauth2_proxy](https://github.com/oauth2-proxy/oauth2-proxy), but has been integrated more tightly with authentik.
The Proxy these extra headers to the application:
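Review bot: the context line "The Proxy these extra headers to the application:" is missing its verb; "The Proxy passes these extra headers to the application:".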

@ -2,7 +2,7 @@
title: Sources
---
Sources allow you to connect passbook to an existing user directory. They can also be used for social logins, using external providers such as Facebook, Twitter, etc.
Sources allow you to connect authentik to an existing user directory. They can also be used for social logins, using external providers such as Facebook, Twitter, etc.
## Generic OAuth Source
@ -14,12 +14,12 @@ This source allows users to enroll themselves with an external OAuth-based Ident
- Request Token URL: This field is used for OAuth v1 implementations and will be provided by the provider.
- Authorization URL: This value will be provided by the provider.
- Access Token URL: This value will be provided by the provider.
- Profile URL: This URL is called by passbook to retrieve user information upon successful authentication.
- Profile URL: This URL is called by authentik to retrieve user information upon successful authentication.
- Consumer key/Consumer secret: These values will be provided by the provider.
## SAML Source
This source allows passbook to act as a SAML Service Provider. Just like the SAML Provider, it supports signed requests. Vendor-specific documentation can be found in the Integrations Section.
This source allows authentik to act as a SAML Service Provider. Just like the SAML Provider, it supports signed requests. Vendor-specific documentation can be found in the Integrations Section.
## LDAP Source
@ -38,4 +38,4 @@ This source allows you to import users and groups from an LDAP Server.
- Object uniqueness field: This field contains a unique identifier.
- Sync groups: Enable/disable group synchronization. Groups are synced in the background every 5 minutes.
- Sync parent group: Optionally set this group as the parent group for all synced groups. An example use case of this would be to import Active Directory groups under a root `imported-from-ad` group.
- Property mappings: Define which LDAP properties map to which passbook properties. The default set of property mappings is generated for Active Directory. See also [LDAP Property Mappings](property-mappings/index.md#ldap-property-mapping)
- Property mappings: Define which LDAP properties map to which authentik properties. The default set of property mappings is generated for Active Directory. See also [LDAP Property Mappings](property-mappings/index.md#ldap-property-mapping)

@ -9,11 +9,11 @@ At a base level a policy is a yes/no gate. It will either evaluate to True or Fa
### Provider
A Provider is a way for other applications to authenticate against passbook. Common Providers are OpenID Connect (OIDC) and SAML.
A Provider is a way for other applications to authenticate against authentik. Common Providers are OpenID Connect (OIDC) and SAML.
### Source
Sources are locations from which users can be added to passbook. For example, an LDAP Connection to import Users from Active Directory, or an OAuth2 Connection to allow Social Logins.
Sources are locations from which users can be added to authentik. For example, an LDAP Connection to import Users from Active Directory, or an OAuth2 Connection to allow Social Logins.
### Application
@ -29,4 +29,4 @@ Flows are an ordered sequence of stages. These flows can be used to define how a
### Property Mappings
Property Mappings allow you to make information available for external applications. For example, if you want to login to AWS with passbook, you'd use Property Mappings to set the user's roles in AWS based on their group memberships in passbook.
Property Mappings allow you to make information available for external applications. For example, if you want to login to AWS with authentik, you'd use Property Mappings to set the user's roles in AWS based on their group memberships in authentik.

@ -4,9 +4,9 @@ title: Troubleshooting access problems
### I get an access denied error when trying to access an application.
If your user is a superuser, or has the attribute `passbook_user_debug` set to true:
If your user is a superuser, or has the attribute `goauthentik.io/user/debug` set to true:
![](./passbook_user_debug.png)
![](./authentik_user_debug.png)
Afterwards, try to access the application again. You will now see a message explaining which policy denied you access:
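Review bot: this is more than a rename: the debug attribute key changes from `passbook_user_debug` to `goauthentik.io/user/debug`, but the "Upgrading to 0.13" page added in this commit only lists the `pb_` -> `ak_` expression-variable change as automatic. Either add a migration that renames the attribute on existing users or list it under the post-upgrade notes so admins re-set it.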

@ -10,23 +10,23 @@ This update brings a lot of big features, such as:
- Proxy Provider
Due to this new OAuth2 Provider, the Application Gateway Provider, now simply called "Proxy Provider" has been revamped as well. The new passbook Proxy integrates more tightly with passbook via the new Outposts system. The new proxy also supports multiple applications per proxy instance, can configure TLS based on passbook Keypairs, and more.
Due to this new OAuth2 Provider, the Application Gateway Provider, now simply called "Proxy Provider" has been revamped as well. The new authentik Proxy integrates more tightly with authentik via the new Outposts system. The new proxy also supports multiple applications per proxy instance, can configure TLS based on authentik Keypairs, and more.
See [Proxy](../providers/proxy.md)
- Outpost System
This is a new Object type, currently used only by the Proxy Provider. It manages the creation and permissions of service accounts, which are used by the outposts to communicate with passbook.
This is a new Object type, currently used only by the Proxy Provider. It manages the creation and permissions of service accounts, which are used by the outposts to communicate with authentik.
See [Outposts](../outposts/outposts.md)
- Flow Import/Export
Flows can now be imported and exported. This feature can be used as a backup system, or to share complex flows with other people. Example flows have also been added to the documentation to help you get going with passbook.
Flows can now be imported and exported. This feature can be used as a backup system, or to share complex flows with other people. Example flows have also been added to the documentation to help you get going with authentik.
## Under the hood
- passbook now runs on Django 3.1 and Channels with complete ASGI enabled
- authentik now runs on Django 3.1 and Channels with complete ASGI enabled
- uwsgi has been replaced with Gunicorn and uvicorn
- Elastic APM has been replaced with Sentry Performance metrics
- Flow title is now configurable separately from the name
@ -36,7 +36,7 @@ This update brings a lot of big features, such as:
### docker-compose
The docker-compose file has been updated, please download the latest from `https://raw.githubusercontent.com/BeryJu/passbook/master/docker-compose.yml`.
The docker-compose file has been updated, please download the latest from `https://raw.githubusercontent.com/BeryJu/authentik/master/docker-compose.yml`.
By default, the new compose file uses a fixed version to prevent unintended updates.
Before updating the file, stop all containers. Then download the file, pull the new containers and start the database.
@ -68,7 +68,7 @@ error_reporting:
### Upgrading
This upgrade only applies if you are upgrading from a running 0.9 instance. Passbook detects this on startup, and automatically executes this upgrade.
This upgrade only applies if you are upgrading from a running 0.9 instance. Authentik detects this on startup, and automatically executes this upgrade.
Because this upgrade brings the new OAuth2 Provider, the old providers will be lost in the process. Make sure to take note of the providers you want to bring over.
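Review bot: "Authentik detects this on startup" capitalizes the name, while every other occurrence in this commit uses lowercase "authentik"; keep it lowercase for consistency.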

@ -10,7 +10,7 @@ This update brings these headline features:
Shows successful and failed logins from the last 24 hours, as well as the most used applications
- Add search to all table views
- Outpost now supports a Docker Controller, which installs the Outpost on the same host as passbook, updates and manages it
- Outpost now supports a Docker Controller, which installs the Outpost on the same host as authentik, updates and manages it
- Add Token Identifier
Tokens now have an identifier which is used to reference to them, so the Primary key is not shown in URLs
@ -19,6 +19,6 @@ This update brings these headline features:
## Upgrading
This upgrade can be done as with minor upgrades, the only external change is the new docker-compose file, which enabled the Docker Integration for Outposts. To use this feature, please download the latest docker-compose from [here](https://raw.githubusercontent.com/BeryJu/passbook/master/docker-compose.yml).
This upgrade can be done as with minor upgrades, the only external change is the new docker-compose file, which enabled the Docker Integration for Outposts. To use this feature, please download the latest docker-compose from [here](https://raw.githubusercontent.com/BeryJu/authentik/master/docker-compose.yml).
Afterwards, you can simply run `docker-compose up -d` and then the normal upgrade command of `docker-compose run --rm server migrate`.

@ -4,23 +4,23 @@ title: Upgrading to 0.12
This update brings these headline features:
- Rewrite Outpost state Logic, which now supports multiple concurrent Outpost instances.
- Add Kubernetes Integration for Outposts, which deploys and maintains Outposts with High Availability in a Kubernetes Cluster
- Add System Task Overview to see all background tasks, their status, the log output, and retry them
- Alerts now disappear automatically
- Audit Logs are now searchable
- Users can now create their own Tokens to access the API
- docker-compose deployment now uses traefik 2.3
- Rewrite Outpost state Logic, which now supports multiple concurrent Outpost instances.
- Add Kubernetes Integration for Outposts, which deploys and maintains Outposts with High Availability in a Kubernetes Cluster
- Add System Task Overview to see all background tasks, their status, the log output, and retry them
- Alerts now disappear automatically
- Audit Logs are now searchable
- Users can now create their own Tokens to access the API
- docker-compose deployment now uses traefik 2.3
Fixes:
- Fix high CPU Usage of the proxy when Websocket connections fail
- Fix high CPU Usage of the proxy when Websocket connections fail
## Upgrading
### docker-compose
Docker-compose users should download the latest docker-compose file from [here](https://raw.githubusercontent.com/BeryJu/passbook/master/docker-compose.yml). This includes the new traefik 2.3.
Docker-compose users should download the latest docker-compose file from [here](https://raw.githubusercontent.com/BeryJu/authentik/master/docker-compose.yml). This includes the new traefik 2.3.
Afterwards, you can simply run `docker-compose up -d` and then the normal upgrade command of `docker-compose run --rm server migrate`.
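Review bot: the feature list and the "Fixes" bullet in this hunk read identically before and after, so the change there appears to be whitespace-only re-indentation mixed into a rename commit; that makes the diff harder to review, so either leave it out or mention it in the commit message.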
@ -62,4 +62,4 @@ config:
in order to be consistent with the rest of the settings.
There is also a new setting called `kubernetesIntegration`, which controls the Kubernetes integration for passbook. When enabled (the default), a Service Account is created, which allows passbook to deploy and update Outposts.
There is also a new setting called `kubernetesIntegration`, which controls the Kubernetes integration for authentik. When enabled (the default), a Service Account is created, which allows authentik to deploy and update Outposts.

@ -0,0 +1,58 @@
---
title: Upgrading to 0.13 (passbook -> authentik)
---
After a long back and forth, we've finally switched to a more permanent name. Whilst the upgrade is pretty much seamless, there are some things you have to change before upgrading.
## Upgrading
### docker-compose
Docker-compose users should download the latest docker-compose file from [here](https://raw.githubusercontent.com/BeryJu/authentik/master/docker-compose.yml).
:::caution
If you decided to rename the folder you're running the docker-compose file from, be aware that this will also change the name, that docker-compose will give the database volume. To mitigate this, either
- Keep the original directory name
- Move the directory and set `COMPOSE_PROJECT_NAME` to the name of the old directory (see [here](https://docs.docker.com/compose/reference/envvars/#compose_project_name))
- Create a backup, rename the directory and restore from backup.
:::
The only manual change you have to do is replace the `PASSBOOK_` prefix in your `.env` file, so `PASSBOOK_SECRET_KEY` gets changed to `AUTHENTIK_SECRET_KEY`.
Afterwards, you can simply run `docker-compose up -d` and then the normal upgrade command of `docker-compose run --rm server migrate`.
### Kubernetes
The helm repository changes from passbook to authentik. To update your repository, execute these commands:
```
helm repo remove passbook
helm repo add authentik https://docker.beryju.org/chartrepo/authentik
```
:::notice
If you've set any custom image names in your values file, make sure to change them to authentik before upgrading.
:::
Additionally, you need to change the database name that authentik uses, as the database name doesn't change. Add this snippet to your `values.yaml` file:
```yaml
postgresql:
postgresqlDatabase: passbook
```
Afterwards you can upgrade as usual from the new repository:
```
helm upgrade passbook authentik/authentik --devel -f values.yaml
```
## Post-upgrade notes
- Some default values change, for example the SAML Provider's default issuer.
This only makes a difference for newly created objects.
- Expression Policies variables change
Anything prefixed with `pb_` changes to `ak_`, this change is done **automatically**
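Review bot: `:::notice` is not an admonition type used anywhere else in these docs (the other pages in this commit use `:::warning`, and this file itself uses `:::caution` above); check that it renders rather than printing literally. The sentence "you need to change the database name that authentik uses, as the database name doesn't change" is circular; suggest "the existing database is still named `passbook`, so tell the chart to keep using it". And `helm upgrade passbook authentik/authentik` deliberately keeps the old release name; one sentence saying so would stop readers from "fixing" it.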

@ -1,21 +0,0 @@
---
title: Upgrading to 0.13
---
**WIP**
# TODO: Changelog for 0.13
## Upgrading
### docker-compose
Docker-compose users should download the latest docker-compose file from [here](https://raw.githubusercontent.com/BeryJu/passbook/master/docker-compose.yml).
This includes a new shared volume, which is used for file Uploads.
Afterwards, you can simply run `docker-compose up -d` and then the normal upgrade command of `docker-compose run --rm server migrate`.
### Kubernetes
The Helm chart contains a new PVC which is used to store all the files uploaded by users. This PVC is shared between the Server pods and the static pods.
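Review bot: Deleting this WIP page drops the only documentation of the new shared uploads volume (`This includes a new shared volume, which is used for file Uploads.`) and of the Helm PVC shared between the server and static pods; if that storage change ships in the release this commit targets, move those two paragraphs into the new upgrade page rather than losing them with the placeholder changelog. The raw docker-compose link in the removed text also still points at `BeryJu/passbook/master`, which confirms the page was stale before this commit.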


@ -2,38 +2,38 @@
title: Upgrading to 0.9
---
Due to some database changes that had to be rather sooner than later, there is no possibility to directly upgrade. You must extract the data before hand and import it again. It is recommended to spin up a second instance of passbook to do this.
Due to some database changes that had to be rather sooner than later, there is no possibility to directly upgrade. You must extract the data before hand and import it again. It is recommended to spin up a second instance of authentik to do this.
To export data from your old instance, run this command:
- docker-compose
```
docker-compose exec server ./manage.py dumpdata -o /tmp/passbook_dump.json passbook_core.User passbook_core.Group passbook_crypto.CertificateKeyPair passbook_audit.Event otp_totp.totpdevice otp_static.staticdevice otp_static.statictoken
docker cp passbook_server_1:/tmp/passbook_dump.json passbook_dump.json
docker-compose exec server ./manage.py dumpdata -o /tmp/authentik_dump.json authentik_core.User authentik_core.Group authentik_crypto.CertificateKeyPair authentik_audit.Event otp_totp.totpdevice otp_static.staticdevice otp_static.statictoken
docker cp authentik_server_1:/tmp/authentik_dump.json authentik_dump.json
```
- kubernetes
```
kubectl exec -it passbook-web-... -- ./manage.py dumpdata -o /tmp/passbook_dump.json passbook_core.User passbook_core.Group passbook_crypto.CertificateKeyPair passbook_audit.Event otp_totp.totpdevice otp_static.staticdevice otp_static.statictoken
kubectl cp passbook-web-...:/tmp/passbook_dump.json passbook_dump.json
kubectl exec -it authentik-web-... -- ./manage.py dumpdata -o /tmp/authentik_dump.json authentik_core.User authentik_core.Group authentik_crypto.CertificateKeyPair authentik_audit.Event otp_totp.totpdevice otp_static.staticdevice otp_static.statictoken
kubectl cp authentik-web-...:/tmp/authentik_dump.json authentik_dump.json
```
After that, create a new passbook instance in a different namespace (kubernetes) or in a different folder (docker-compose). Once this instance is running, you can use the following commands to restore the data. On docker-compose, you still have to run the `migrate` command, to create all database structures.
After that, create a new authentik instance in a different namespace (kubernetes) or in a different folder (docker-compose). Once this instance is running, you can use the following commands to restore the data. On docker-compose, you still have to run the `migrate` command, to create all database structures.
- docker-compose
```
docker cp passbook_dump.json new_passbook_server_1:/tmp/passbook_dump.json
docker-compose exec server ./manage.py loaddata /tmp/passbook_dump.json
docker cp authentik_dump.json new_authentik_server_1:/tmp/authentik_dump.json
docker-compose exec server ./manage.py loaddata /tmp/authentik_dump.json
```
- kubernetes
```
kubectl cp passbook_dump.json passbook-web-...:/tmp/passbook_dump.json
kubectl exec -it passbook-web-... -- ./manage.py loaddata /tmp/passbook_dump.json
kubectl cp authentik_dump.json authentik-web-...:/tmp/authentik_dump.json
kubectl exec -it authentik-web-... -- ./manage.py loaddata /tmp/authentik_dump.json
```
Now, you should be able to login to the new passbook instance, and migrate the rest of the data over.
Now, you should be able to login to the new authentik instance, and migrate the rest of the data over.
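Review bot: The search-and-replace here rewrites historical instructions for a version that predates the rename: the page title is still "Upgrading to 0.9", and an instance at that version has app labels `passbook_core`, `passbook_crypto` and `passbook_audit` and a container named `passbook_server_1`, so the changed `dumpdata`/`loaddata` commands (`authentik_core.User authentik_core.Group authentik_crypto.CertificateKeyPair authentik_audit.Event`, `docker cp authentik_server_1:...`) would fail against the deployment the page is written for. Suggest reverting the model labels, container names and `passbook-web-...` pod names in this file to their original values, keeping only the prose rename ("spin up a second instance of authentik"), or adding a note that readers on 0.9 must substitute the `passbook_` names.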