habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

website/integrations: multiple integration edits (#7923)

Browse Source 
* Update authentik aspect of Fresh RSS documentation to flow better

* Changes to standardise documentation across Integrations

* Removing a comma

* Changes to Gravtee to standardise documentation across Integrations

* - Changing Home-Assistant to Home Assistant
- Attempt to standardise the documentation
- Attempted to make the Home Assistant configuration easier to follow

* make website for gravitee and immich#

* Fixing MD formatting

* make website for freshrss and home assistant

* Fix Immich note formatting

* make website immich to fix notes formatting

* fix typo

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* Move authentik section above the Home Assistant section for consistency

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
ZuluWhiskey
2024-02-23 18:52:17 +00:00
committed by GitHub
parent 5991b82cde
commit 507f9b7ae2
4 changed files with 108 additions and 99 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
website/integrations/services/freshrss/index.md
View File

@ -18,29 +18,32 @@ The following placeholders will be used:
- `port` is the port on which the FreshRSS install is running (usually 443) - `port` is the port on which the FreshRSS install is running (usually 443)
- `authentik.company` is the FQDN of the authentik install. - `authentik.company` is the FQDN of the authentik install.
## authentik Configuration ## authentik configuration
In Authentik, create an _OAuth2/OpenID Provider_ under _Applications > Providers_. 1. Create an **OAuth2/OpenID Provider** under **Applications** > **Providers** using the following settings:
** Protocol Settings **
_Client Type_ : _Confidential_
- **Name**: FreshRSS
- **Authorization flow**: default-provider-authorization-explicit-consent
- **Protocol Settings**:
- **Client Type**: Confidential
- **Client ID**: Either create your own Client ID or use the auto-populated ID
- **Client Secret**: Either create your own Client Secret or use the auto-populated secret
:::note :::note
Take note of the `Client ID` and `Client Secret`, you'll need them later. Take note of the `Client ID` and `Client Secret`, you'll need them later.
::: :::
- **Redirect URIs/Origins**:
_Redirect URIs/Origins_ :
- `https://freshrss.company/i/oidc/` - `https://freshrss.company/i/oidc/`
- `https://freshrss.company:port/i/oidc` - `https://freshrss.company:port/i/oidc`
- **Signing Key**: Any of your signing keys
- Leave everything else as default
_Signing Key_ : Any of your signing keys 2. Create an **Application** under **Applications** > **Applications** using the following settings:
- **Name**: FreshRSS
- **Slug**: freshrss
- **Provider**: FreshRSS _(the provider you created in step 1)_
- Leave everything else as default
Then click _Finish_ to create your provider. ## FreshRSS configuration
Then create an _Application_, note its slug, and assign it to the provider you've just created.
## FreshRSS Configuration
:::info :::info
This integration only works with the Docker or Kubernetes install of FreshRSS, using [FreshRSS docker image](https://hub.docker.com/r/freshrss/freshrss/), on x86_64 systems and without the Alpine version of the image. More information can be found on [this issue on FreshRSS GitHub](https://github.com/FreshRSS/FreshRSS/issues/5722) This integration only works with the Docker or Kubernetes install of FreshRSS, using [FreshRSS docker image](https://hub.docker.com/r/freshrss/freshrss/), on x86_64 systems and without the Alpine version of the image. More information can be found on [this issue on FreshRSS GitHub](https://github.com/FreshRSS/FreshRSS/issues/5722)

67
website/integrations/services/gravitee/index.md
View File

@ -18,43 +18,44 @@ The following placeholders will be used:
- `gravitee.company` is the FQDN of the Gravitee install. - `gravitee.company` is the FQDN of the Gravitee install.
- `authentik.company` is the FQDN of the authentik install. - `authentik.company` is the FQDN of the authentik install.
- `applicationName` is the Application name you set.
### Step 1 - authentik ## authentik configuration
In authentik, under _Providers_, create an _OAuth2/OpenID Provider_ with these settings: 1. Create an **OAuth2/OpenID Provider** under **Applications** > **Providers** using the following settings:
:::note
Only settings that have been modified from default have been listed.
::: - **Name**: Gravitee - **Protocol Settings**: - **Client ID**: Either create your own Client ID or use the auto-populated ID - **Client Secret**: Either create your own Client Secret or use the auto-populated secret
:::note
Take note of the `Client ID` and `Client Secret` as they are required when configuring Gravitee
::: - **Redirect URIs/Origins**: - https://gravitee.company/user/login - https://gravitee.company/console/ # Make sure to add the trailing / at the end, at the time of writing it does not work without it
:::note
Be sure to add the trailing `/` at the end of the `https://gravitee.company/console/` URI, at the time of writing Gravitee does not work without this.
:::
2. Create an **Application** under **Applications** > **Applications** using the following settings:
- **Name**: Gravitee
- **Slug**: gravitee
- **Provider**: Gravitee (the provider you created in step 1)
3. Open the new provider you've just created.
4. Make a note of the following URLs:
- **Authorize URL**
- **Token URL**
- **Userinfo URL**
- **Logout URL**
## Gravitee configuration
In the Gravitee Management Console, navigate to _Organizations_ (gravitee.company/console/#!/organization/settings/identities) , under **Console** > **Authentication**. Click _Add an identity provider_, select _OpenID Connect_, and fill in the following:
:::note :::note
Only settings that have been modified from default have been listed. Only settings that have been modified from default have been listed.
::: :::
**Protocol Settings** - **Allow portal authentication to use this identity provider**: enable this
- **Client ID**: Enter the Client ID from authentik that you noted in step 1
- Name: applicationName - **Client Secret**: Enter the Client Secret from authentik that you noted in step 1
- Client ID: Copy and Save this for Later - **Token Endpoint**: Populate this field with the **Token URL**
- Client Secret: Copy and Save this for later - **Authorize Endpoint**: Populate this field with the **Authorize URL**
- Redirect URIs/Origins: - **Userinfo Endpoint**: Populate this field with the **Userinfo URL**
- **Userinfo Logout Endpoint**: Populate this field with the **Logout URL**
``` - **Scopes**: `email openid profile`
https://gravitee.company/user/login
https://gravitee.company/console/ # Make sure to add the trailing / at the end, at the time of writing it does not work without it
```
Now, under _Applications_, create an application with the name `applicationName` and select the provider you've created above.
### Step 2 - Gravitee
In the Gravitee Management Console, head to _Organizations_(gravitee.company/console/#!/organization/settings/identities) , under _Console_, _Authentication_, click _Add an identity provider_, select _OpenID Connect_, and fill in the following:
:::note
Only settings that have been modified from default have been listed.
:::
- Allow portal authentication to use this identity provider: enable this
- Client ID: Client ID from step 1
- Client Secret: Client Secret from step 1
- Token Endpoint: `https://authentik.company/application/o/token/`
- Authorize Endpoint: `https://authentik.company/application/o/authorize/`
- Userinfo Endpoint: `https://authentik.company/application/o/userinfo/`
- Userinfo Logout Endpoint: `https://authentik.company/if/session-end/applicationName/`
- Scopes: `email openid profile`

73
website/integrations/services/home-assistant/index.md
View File

@ -1,10 +1,10 @@
--- ---
title: Home-Assistant title: Home Assistant
--- ---
<span class="badge badge--secondary">Support level: Community</span> <span class="badge badge--secondary">Support level: Community</span>
## What is Home-Assistant ## What is Home Assistant
> Open source home automation that puts local control and privacy first. Powered by a worldwide community of tinkerers and DIY enthusiasts. Perfect to run on a Raspberry Pi or a local server. > Open source home automation that puts local control and privacy first. Powered by a worldwide community of tinkerers and DIY enthusiasts. Perfect to run on a Raspberry Pi or a local server.
> >
@ -13,54 +13,57 @@ title: Home-Assistant
:::caution :::caution
You might run into CSRF errors, this is caused by a technology Home-assistant uses and not authentik, see [this GitHub issue](https://github.com/goauthentik/authentik/issues/884#issuecomment-851542477). You might run into CSRF errors, this is caused by a technology Home-assistant uses and not authentik, see [this GitHub issue](https://github.com/goauthentik/authentik/issues/884#issuecomment-851542477).
::: :::
:::note
For Home Assistant to work with authentik, a custom integration needs to be installed for Home Assistant.
:::
## Preparation ## Preparation
The following placeholders will be used: The following placeholders will be used:
- `hass.company` is the FQDN of the Home-Assistant install. - `hass.company` is the FQDN of the Home Assistant install.
- `authentik.company` is the FQDN of the authentik install. - `authentik.company` is the FQDN of the authentik install.
## Home-Assistant ## authentik configuration
This guide requires https://github.com/BeryJu/hass-auth-header, which can be installed as described in the Readme. 1. Create a **Proxy Provider** under **Applications** > **Providers** using the following settings:
Afterwards, make sure the `trusted_proxies` setting contains the IP(s) of the Host(s) authentik is running on. - **Name**: Home Assistant
- **Authentication flow**: default-authentication-flow
- **Authorization flow**: default-provider-authorization-explicit-consent
- **External Host**: Set this to the external URL you will be accessing Home Assistant from
- **Internal Host**: `http://hass.company:8123`
Use this configuration to match on the user's authentik username. 2. Create an **Application** under **Applications** > **Applications** using the following settings:
- **Name**: Home Assistant
- **Slug**: homeassistant
- **Provider**: Home Assistant (the provider you created in step 1)
3. Create an outpost deployment for the provider you've created above, as described [here](../../../docs/outposts/). Deploy this Outpost either on the same host or a different host that can access Home Assistant. The outpost will connect to authentik and configure itself.
## Home Assistant configuration
1. Configure [trusted_proxies](https://www.home-assistant.io/integrations/http/#trusted_proxies) for the HTTP integration with the IP(s) of the Host(s) authentik is running on.
2. If you don't already have it set up, https://github.com/BeryJu/hass-auth-header, using the installation guide.
3. There are two ways to configure the custom component.
1. To match on the user's authentik username, use the following configuration:
```yaml ```yaml
auth_header: auth_header:
username_header: X-authentik-username username_header: X-authentik-username
``` ```
2. Alternatively, you can associate an existing Home Assistant username to an authentik username.
If this is not the case, you can simply add an additional header for your user, which contains the Home-Assistant Name and authenticate based on that. 1. Within authentik, navigate to **Directory** > **Users**.
2. Select **Edit** for the user then add the following configuration to the **Attributes** section. Be sure to replace `hassusername` with the Home Assistant username.
For example add this to your user's properties and set the Header to `X-ak-hass-user`. :::note
This configuration will add an additional header for the authentik user which will contain the Home Assistant username and allow Home Assistant to authenticate based on that.
:::
```yaml ```yaml
additionalHeaders: additionalHeaders:
X-ak-hass-user: some other name X-ak-hass-user: hassusername
```
3. Then configure the Home Assistant custom component to use this header:
```yaml
auth_header:
username_header: X-ak-hass-user
``` ```
## authentik
Create a Proxy Provider with the following values
- Internal host
If Home-Assistant is running in docker, and you're deploying the authentik proxy on the same host, set the value to `http://homeassistant:8123`, where Home-Assistant is the name of your container.
If Home-Assistant is running on a different server than where you are deploying the authentik proxy, set the value to `http://hass.company:8123`.
- External host
Set this to the external URL you will be accessing Home-Assistant from.
Create an application in authentik and select the provider you've created above.
## Deployment
Create an outpost deployment for the provider you've created above, as described [here](../../../docs/outposts/). Deploy this Outpost either on the same host or a different host that can access Home-Assistant.
The outpost will connect to authentik and configure itself.

18
website/integrations/services/immich/index.md
View File

@ -19,24 +19,26 @@ The following placeholders will be used:
## authentik configuration ## authentik configuration
1. Create a new OAuth2/OpenID Provider using the following settings: 1. Create a new OAuth2/OpenID Provider under **Applications** > **Providers** using the following settings:
- **Name**: Immich - **Name**: Immich
- **Authentication flow**: default-authentication-flow - **Authentication flow**: default-authentication-flow
- **Authorization flow**: default-provider-authorization-explicit-consent - **Authorization flow**: default-provider-authorization-explicit-consent
- **Client type**: Confidential - **Client type**: Confidential
- **Client ID**: Either create your own Client ID or make a note of the auto-populated one - **Client ID**: Either create your own Client ID or use the auto-populated ID
- **Client Secret**: Either create your own Client Secret or make a note of the auto-populated one - **Client Secret**: Either create your own Client Secret or use the auto-populated secret
:::note
Take note of the `Client ID` and `Client Secret` as they are required when configuring Immich.
:::
- **Redirect URIs/Origins (RegEx)**: - **Redirect URIs/Origins (RegEx)**:
_Please note that the following URIs are just examples. Be sure to include all of the domains / URLs that you will use to access Immich._ :::note
- app.immich:/ Please note that the following URIs are just examples. Be sure to include all of the domains / URLs that you will use to access Immich.
- https://immich.company/auth/login ::: - app.immich:/ - https://immich.company/auth/login - https://immich.company/user-settings
- https://immich.company/user-settings
- **Signing Key**: authentik Self-signed Certificate - **Signing Key**: authentik Self-signed Certificate
- Leave everything else as default - Leave everything else as default
2. Open the new provider you've just created. 2. Open the new provider you've just created.
3. Make a note of the **OpenID Configuration Issuer**. 3. Make a note of the **OpenID Configuration Issuer**.
## Immich Configuration ## Immich configuration
Immich documentation can be found here: https://immich.app/docs/administration/oauth Immich documentation can be found here: https://immich.app/docs/administration/oauth