diff --git a/website/integrations/services/freshrss/index.md b/website/integrations/services/freshrss/index.md index cf5af2f027..606c07f895 100644 --- a/website/integrations/services/freshrss/index.md +++ b/website/integrations/services/freshrss/index.md @@ -18,29 +18,32 @@ The following placeholders will be used: - `port` is the port on which the FreshRSS install is running (usually 443) - `authentik.company` is the FQDN of the authentik install. -## authentik Configuration +## authentik configuration -In Authentik, create an _OAuth2/OpenID Provider_ under _Applications > Providers_. +1. Create an **OAuth2/OpenID Provider** under **Applications** > **Providers** using the following settings: -** Protocol Settings ** -_Client Type_ : _Confidential_ + - **Name**: FreshRSS + - **Authorization flow**: default-provider-authorization-explicit-consent + - **Protocol Settings**: + - **Client Type**: Confidential + - **Client ID**: Either create your own Client ID or use the auto-populated ID + - **Client Secret**: Either create your own Client Secret or use the auto-populated secret + :::note + Take note of the `Client ID` and `Client Secret`, you'll need them later. + ::: + - **Redirect URIs/Origins**: + - `https://freshrss.company/i/oidc/` + - `https://freshrss.company:port/i/oidc` + - **Signing Key**: Any of your signing keys + - Leave everything else as default -:::note -Take note of the `Client ID` and `Client Secret`, you'll need them later. -::: +2. Create an **Application** under **Applications** > **Applications** using the following settings: + - **Name**: FreshRSS + - **Slug**: freshrss + - **Provider**: FreshRSS _(the provider you created in step 1)_ + - Leave everything else as default -_Redirect URIs/Origins_ : - -- `https://freshrss.company/i/oidc/` -- `https://freshrss.company:port/i/oidc` - -_Signing Key_ : Any of your signing keys - -Then click _Finish_ to create your provider. - -Then create an _Application_, note its slug, and assign it to the provider you've just created. - -## FreshRSS Configuration +## FreshRSS configuration :::info This integration only works with the Docker or Kubernetes install of FreshRSS, using [FreshRSS docker image](https://hub.docker.com/r/freshrss/freshrss/), on x86_64 systems and without the Alpine version of the image. More information can be found on [this issue on FreshRSS GitHub](https://github.com/FreshRSS/FreshRSS/issues/5722) diff --git a/website/integrations/services/gravitee/index.md b/website/integrations/services/gravitee/index.md index 9e16190f9c..f43606c225 100644 --- a/website/integrations/services/gravitee/index.md +++ b/website/integrations/services/gravitee/index.md @@ -18,43 +18,44 @@ The following placeholders will be used: - `gravitee.company` is the FQDN of the Gravitee install. - `authentik.company` is the FQDN of the authentik install. -- `applicationName` is the Application name you set. -### Step 1 - authentik +## authentik configuration -In authentik, under _Providers_, create an _OAuth2/OpenID Provider_ with these settings: +1. Create an **OAuth2/OpenID Provider** under **Applications** > **Providers** using the following settings: + :::note + Only settings that have been modified from default have been listed. + ::: - **Name**: Gravitee - **Protocol Settings**: - **Client ID**: Either create your own Client ID or use the auto-populated ID - **Client Secret**: Either create your own Client Secret or use the auto-populated secret + :::note + Take note of the `Client ID` and `Client Secret` as they are required when configuring Gravitee + ::: - **Redirect URIs/Origins**: - https://gravitee.company/user/login - https://gravitee.company/console/ # Make sure to add the trailing / at the end, at the time of writing it does not work without it + :::note + Be sure to add the trailing `/` at the end of the `https://gravitee.company/console/` URI, at the time of writing Gravitee does not work without this. + ::: + +2. Create an **Application** under **Applications** > **Applications** using the following settings: + - **Name**: Gravitee + - **Slug**: gravitee + - **Provider**: Gravitee (the provider you created in step 1) +3. Open the new provider you've just created. +4. Make a note of the following URLs: + - **Authorize URL** + - **Token URL** + - **Userinfo URL** + - **Logout URL** + +## Gravitee configuration + +In the Gravitee Management Console, navigate to _Organizations_ (gravitee.company/console/#!/organization/settings/identities) , under **Console** > **Authentication**. Click _Add an identity provider_, select _OpenID Connect_, and fill in the following: :::note Only settings that have been modified from default have been listed. ::: -**Protocol Settings** - -- Name: applicationName -- Client ID: Copy and Save this for Later -- Client Secret: Copy and Save this for later -- Redirect URIs/Origins: - -``` -https://gravitee.company/user/login -https://gravitee.company/console/ # Make sure to add the trailing / at the end, at the time of writing it does not work without it -``` - -Now, under _Applications_, create an application with the name `applicationName` and select the provider you've created above. - -### Step 2 - Gravitee - -In the Gravitee Management Console, head to _Organizations_(gravitee.company/console/#!/organization/settings/identities) , under _Console_, _Authentication_, click _Add an identity provider_, select _OpenID Connect_, and fill in the following: - -:::note -Only settings that have been modified from default have been listed. -::: - -- Allow portal authentication to use this identity provider: enable this -- Client ID: Client ID from step 1 -- Client Secret: Client Secret from step 1 -- Token Endpoint: `https://authentik.company/application/o/token/` -- Authorize Endpoint: `https://authentik.company/application/o/authorize/` -- Userinfo Endpoint: `https://authentik.company/application/o/userinfo/` -- Userinfo Logout Endpoint: `https://authentik.company/if/session-end/applicationName/` -- Scopes: `email openid profile` +- **Allow portal authentication to use this identity provider**: enable this +- **Client ID**: Enter the Client ID from authentik that you noted in step 1 +- **Client Secret**: Enter the Client Secret from authentik that you noted in step 1 +- **Token Endpoint**: Populate this field with the **Token URL** +- **Authorize Endpoint**: Populate this field with the **Authorize URL** +- **Userinfo Endpoint**: Populate this field with the **Userinfo URL** +- **Userinfo Logout Endpoint**: Populate this field with the **Logout URL** +- **Scopes**: `email openid profile` diff --git a/website/integrations/services/home-assistant/index.md b/website/integrations/services/home-assistant/index.md index 836eb2e4be..4abf98ec06 100644 --- a/website/integrations/services/home-assistant/index.md +++ b/website/integrations/services/home-assistant/index.md @@ -1,10 +1,10 @@ --- -title: Home-Assistant +title: Home Assistant --- Support level: Community -## What is Home-Assistant +## What is Home Assistant > Open source home automation that puts local control and privacy first. Powered by a worldwide community of tinkerers and DIY enthusiasts. Perfect to run on a Raspberry Pi or a local server. > @@ -13,54 +13,57 @@ title: Home-Assistant :::caution You might run into CSRF errors, this is caused by a technology Home-assistant uses and not authentik, see [this GitHub issue](https://github.com/goauthentik/authentik/issues/884#issuecomment-851542477). ::: +:::note +For Home Assistant to work with authentik, a custom integration needs to be installed for Home Assistant. +::: ## Preparation The following placeholders will be used: -- `hass.company` is the FQDN of the Home-Assistant install. +- `hass.company` is the FQDN of the Home Assistant install. - `authentik.company` is the FQDN of the authentik install. -## Home-Assistant +## authentik configuration -This guide requires https://github.com/BeryJu/hass-auth-header, which can be installed as described in the Readme. +1. Create a **Proxy Provider** under **Applications** > **Providers** using the following settings: -Afterwards, make sure the `trusted_proxies` setting contains the IP(s) of the Host(s) authentik is running on. + - **Name**: Home Assistant + - **Authentication flow**: default-authentication-flow + - **Authorization flow**: default-provider-authorization-explicit-consent + - **External Host**: Set this to the external URL you will be accessing Home Assistant from + - **Internal Host**: `http://hass.company:8123` -Use this configuration to match on the user's authentik username. +2. Create an **Application** under **Applications** > **Applications** using the following settings: -```yaml -auth_header: - username_header: X-authentik-username -``` + - **Name**: Home Assistant + - **Slug**: homeassistant + - **Provider**: Home Assistant (the provider you created in step 1) -If this is not the case, you can simply add an additional header for your user, which contains the Home-Assistant Name and authenticate based on that. +3. Create an outpost deployment for the provider you've created above, as described [here](../../../docs/outposts/). Deploy this Outpost either on the same host or a different host that can access Home Assistant. The outpost will connect to authentik and configure itself. -For example add this to your user's properties and set the Header to `X-ak-hass-user`. +## Home Assistant configuration -```yaml -additionalHeaders: - X-ak-hass-user: some other name -``` - -## authentik - -Create a Proxy Provider with the following values - -- Internal host - - If Home-Assistant is running in docker, and you're deploying the authentik proxy on the same host, set the value to `http://homeassistant:8123`, where Home-Assistant is the name of your container. - - If Home-Assistant is running on a different server than where you are deploying the authentik proxy, set the value to `http://hass.company:8123`. - -- External host - - Set this to the external URL you will be accessing Home-Assistant from. - -Create an application in authentik and select the provider you've created above. - -## Deployment - -Create an outpost deployment for the provider you've created above, as described [here](../../../docs/outposts/). Deploy this Outpost either on the same host or a different host that can access Home-Assistant. - -The outpost will connect to authentik and configure itself. +1. Configure [trusted_proxies](https://www.home-assistant.io/integrations/http/#trusted_proxies) for the HTTP integration with the IP(s) of the Host(s) authentik is running on. +2. If you don't already have it set up, https://github.com/BeryJu/hass-auth-header, using the installation guide. +3. There are two ways to configure the custom component. + 1. To match on the user's authentik username, use the following configuration: + ```yaml + auth_header: + username_header: X-authentik-username + ``` + 2. Alternatively, you can associate an existing Home Assistant username to an authentik username. + 1. Within authentik, navigate to **Directory** > **Users**. + 2. Select **Edit** for the user then add the following configuration to the **Attributes** section. Be sure to replace `hassusername` with the Home Assistant username. + :::note + This configuration will add an additional header for the authentik user which will contain the Home Assistant username and allow Home Assistant to authenticate based on that. + ::: + ```yaml + additionalHeaders: + X-ak-hass-user: hassusername + ``` + 3. Then configure the Home Assistant custom component to use this header: + ```yaml + auth_header: + username_header: X-ak-hass-user + ``` diff --git a/website/integrations/services/immich/index.md b/website/integrations/services/immich/index.md index 88554d302f..edc0f2b162 100644 --- a/website/integrations/services/immich/index.md +++ b/website/integrations/services/immich/index.md @@ -19,24 +19,26 @@ The following placeholders will be used: ## authentik configuration -1. Create a new OAuth2/OpenID Provider using the following settings: +1. Create a new OAuth2/OpenID Provider under **Applications** > **Providers** using the following settings: - **Name**: Immich - **Authentication flow**: default-authentication-flow - **Authorization flow**: default-provider-authorization-explicit-consent - **Client type**: Confidential - - **Client ID**: Either create your own Client ID or make a note of the auto-populated one - - **Client Secret**: Either create your own Client Secret or make a note of the auto-populated one + - **Client ID**: Either create your own Client ID or use the auto-populated ID + - **Client Secret**: Either create your own Client Secret or use the auto-populated secret + :::note + Take note of the `Client ID` and `Client Secret` as they are required when configuring Immich. + ::: - **Redirect URIs/Origins (RegEx)**: - _Please note that the following URIs are just examples. Be sure to include all of the domains / URLs that you will use to access Immich._ - - app.immich:/ - - https://immich.company/auth/login - - https://immich.company/user-settings + :::note + Please note that the following URIs are just examples. Be sure to include all of the domains / URLs that you will use to access Immich. + ::: - app.immich:/ - https://immich.company/auth/login - https://immich.company/user-settings - **Signing Key**: authentik Self-signed Certificate - Leave everything else as default 2. Open the new provider you've just created. 3. Make a note of the **OpenID Configuration Issuer**. -## Immich Configuration +## Immich configuration Immich documentation can be found here: https://immich.app/docs/administration/oauth