habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

website/integrations: multiple integration edits (#7923)

Browse Source 
* Update authentik aspect of Fresh RSS documentation to flow better

* Changes to standardise documentation across Integrations

* Removing a comma

* Changes to Gravtee to standardise documentation across Integrations

* - Changing Home-Assistant to Home Assistant
- Attempt to standardise the documentation
- Attempted to make the Home Assistant configuration easier to follow

* make website for gravitee and immich#

* Fixing MD formatting

* make website for freshrss and home assistant

* Fix Immich note formatting

* make website immich to fix notes formatting

* fix typo

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* Move authentik section above the Home Assistant section for consistency

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
ZuluWhiskey
2024-02-23 18:52:17 +00:00
committed by GitHub
parent 5991b82cde
commit 507f9b7ae2
4 changed files with 108 additions and 99 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
website/integrations/services/freshrss/index.md
View File

@ -18,29 +18,32 @@ The following placeholders will be used:
- `port` is the port on which the FreshRSS install is running (usually 443) - `port` is the port on which the FreshRSS install is running (usually 443)
- `authentik.company` is the FQDN of the authentik install. - `authentik.company` is the FQDN of the authentik install.
## authentik Configuration ## authentik configuration
In Authentik, create an _OAuth2/OpenID Provider_ under _Applications > Providers_. 1. Create an **OAuth2/OpenID Provider** under **Applications** > **Providers** using the following settings:
** Protocol Settings ** - **Name**: FreshRSS
_Client Type_ : _Confidential_ - **Authorization flow**: default-provider-authorization-explicit-consent
- **Protocol Settings**:
- **Client Type**: Confidential
- **Client ID**: Either create your own Client ID or use the auto-populated ID
- **Client Secret**: Either create your own Client Secret or use the auto-populated secret
:::note
Take note of the `Client ID` and `Client Secret`, you'll need them later.
:::
- **Redirect URIs/Origins**:
- `https://freshrss.company/i/oidc/`
- `https://freshrss.company:port/i/oidc`
- **Signing Key**: Any of your signing keys
- Leave everything else as default
:::note 2. Create an **Application** under **Applications** > **Applications** using the following settings:
Take note of the `Client ID` and `Client Secret`, you'll need them later. - **Name**: FreshRSS
::: - **Slug**: freshrss
- **Provider**: FreshRSS _(the provider you created in step 1)_
- Leave everything else as default
_Redirect URIs/Origins_ : ## FreshRSS configuration
- `https://freshrss.company/i/oidc/`
- `https://freshrss.company:port/i/oidc`
_Signing Key_ : Any of your signing keys
Then click _Finish_ to create your provider.
Then create an _Application_, note its slug, and assign it to the provider you've just created.
## FreshRSS Configuration
:::info :::info
This integration only works with the Docker or Kubernetes install of FreshRSS, using [FreshRSS docker image](https://hub.docker.com/r/freshrss/freshrss/), on x86_64 systems and without the Alpine version of the image. More information can be found on [this issue on FreshRSS GitHub](https://github.com/FreshRSS/FreshRSS/issues/5722) This integration only works with the Docker or Kubernetes install of FreshRSS, using [FreshRSS docker image](https://hub.docker.com/r/freshrss/freshrss/), on x86_64 systems and without the Alpine version of the image. More information can be found on [this issue on FreshRSS GitHub](https://github.com/FreshRSS/FreshRSS/issues/5722)

67
website/integrations/services/gravitee/index.md
View File

@ -18,43 +18,44 @@ The following placeholders will be used:
- `gravitee.company` is the FQDN of the Gravitee install. - `gravitee.company` is the FQDN of the Gravitee install.
- `authentik.company` is the FQDN of the authentik install. - `authentik.company` is the FQDN of the authentik install.
- `applicationName` is the Application name you set.
### Step 1 - authentik ## authentik configuration
In authentik, under _Providers_, create an _OAuth2/OpenID Provider_ with these settings: 1. Create an **OAuth2/OpenID Provider** under **Applications** > **Providers** using the following settings:
:::note
Only settings that have been modified from default have been listed.
::: - **Name**: Gravitee - **Protocol Settings**: - **Client ID**: Either create your own Client ID or use the auto-populated ID - **Client Secret**: Either create your own Client Secret or use the auto-populated secret
:::note
Take note of the `Client ID` and `Client Secret` as they are required when configuring Gravitee
::: - **Redirect URIs/Origins**: - https://gravitee.company/user/login - https://gravitee.company/console/ # Make sure to add the trailing / at the end, at the time of writing it does not work without it
:::note
Be sure to add the trailing `/` at the end of the `https://gravitee.company/console/` URI, at the time of writing Gravitee does not work without this.
:::
2. Create an **Application** under **Applications** > **Applications** using the following settings:
- **Name**: Gravitee
- **Slug**: gravitee
- **Provider**: Gravitee (the provider you created in step 1)
3. Open the new provider you've just created.
4. Make a note of the following URLs:
- **Authorize URL**
- **Token URL**
- **Userinfo URL**
- **Logout URL**
## Gravitee configuration
In the Gravitee Management Console, navigate to _Organizations_ (gravitee.company/console/#!/organization/settings/identities) , under **Console** > **Authentication**. Click _Add an identity provider_, select _OpenID Connect_, and fill in the following:
:::note :::note
Only settings that have been modified from default have been listed. Only settings that have been modified from default have been listed.
::: :::
**Protocol Settings** - **Allow portal authentication to use this identity provider**: enable this
- **Client ID**: Enter the Client ID from authentik that you noted in step 1
- Name: applicationName - **Client Secret**: Enter the Client Secret from authentik that you noted in step 1
- Client ID: Copy and Save this for Later - **Token Endpoint**: Populate this field with the **Token URL**
- Client Secret: Copy and Save this for later - **Authorize Endpoint**: Populate this field with the **Authorize URL**
- Redirect URIs/Origins: - **Userinfo Endpoint**: Populate this field with the **Userinfo URL**
- **Userinfo Logout Endpoint**: Populate this field with the **Logout URL**
``` - **Scopes**: `email openid profile`
https://gravitee.company/user/login
https://gravitee.company/console/ # Make sure to add the trailing / at the end, at the time of writing it does not work without it
```
Now, under _Applications_, create an application with the name `applicationName` and select the provider you've created above.
### Step 2 - Gravitee
In the Gravitee Management Console, head to _Organizations_(gravitee.company/console/#!/organization/settings/identities) , under _Console_, _Authentication_, click _Add an identity provider_, select _OpenID Connect_, and fill in the following:
:::note
Only settings that have been modified from default have been listed.
:::
- Allow portal authentication to use this identity provider: enable this
- Client ID: Client ID from step 1
- Client Secret: Client Secret from step 1
- Token Endpoint: `https://authentik.company/application/o/token/`
- Authorize Endpoint: `https://authentik.company/application/o/authorize/`
- Userinfo Endpoint: `https://authentik.company/application/o/userinfo/`
- Userinfo Logout Endpoint: `https://authentik.company/if/session-end/applicationName/`
- Scopes: `email openid profile`

81
website/integrations/services/home-assistant/index.md
View File

@ -1,10 +1,10 @@
--- ---
title: Home-Assistant title: Home Assistant
--- ---
<span class="badge badge--secondary">Support level: Community</span> <span class="badge badge--secondary">Support level: Community</span>
## What is Home-Assistant ## What is Home Assistant
> Open source home automation that puts local control and privacy first. Powered by a worldwide community of tinkerers and DIY enthusiasts. Perfect to run on a Raspberry Pi or a local server. > Open source home automation that puts local control and privacy first. Powered by a worldwide community of tinkerers and DIY enthusiasts. Perfect to run on a Raspberry Pi or a local server.
> >
@ -13,54 +13,57 @@ title: Home-Assistant
:::caution :::caution
You might run into CSRF errors, this is caused by a technology Home-assistant uses and not authentik, see [this GitHub issue](https://github.com/goauthentik/authentik/issues/884#issuecomment-851542477). You might run into CSRF errors, this is caused by a technology Home-assistant uses and not authentik, see [this GitHub issue](https://github.com/goauthentik/authentik/issues/884#issuecomment-851542477).
::: :::
:::note
For Home Assistant to work with authentik, a custom integration needs to be installed for Home Assistant.
:::
## Preparation ## Preparation
The following placeholders will be used: The following placeholders will be used:
- `hass.company` is the FQDN of the Home-Assistant install. - `hass.company` is the FQDN of the Home Assistant install.
- `authentik.company` is the FQDN of the authentik install. - `authentik.company` is the FQDN of the authentik install.
## Home-Assistant ## authentik configuration
This guide requires https://github.com/BeryJu/hass-auth-header, which can be installed as described in the Readme. 1. Create a **Proxy Provider** under **Applications** > **Providers** using the following settings:
Afterwards, make sure the `trusted_proxies` setting contains the IP(s) of the Host(s) authentik is running on. - **Name**: Home Assistant
- **Authentication flow**: default-authentication-flow
- **Authorization flow**: default-provider-authorization-explicit-consent
- **External Host**: Set this to the external URL you will be accessing Home Assistant from
- **Internal Host**: `http://hass.company:8123`
Use this configuration to match on the user's authentik username. 2. Create an **Application** under **Applications** > **Applications** using the following settings:
```yaml - **Name**: Home Assistant
auth_header: - **Slug**: homeassistant
username_header: X-authentik-username - **Provider**: Home Assistant (the provider you created in step 1)
```
If this is not the case, you can simply add an additional header for your user, which contains the Home-Assistant Name and authenticate based on that. 3. Create an outpost deployment for the provider you've created above, as described [here](../../../docs/outposts/). Deploy this Outpost either on the same host or a different host that can access Home Assistant. The outpost will connect to authentik and configure itself.
For example add this to your user's properties and set the Header to `X-ak-hass-user`. ## Home Assistant configuration
```yaml 1. Configure [trusted_proxies](https://www.home-assistant.io/integrations/http/#trusted_proxies) for the HTTP integration with the IP(s) of the Host(s) authentik is running on.
additionalHeaders: 2. If you don't already have it set up, https://github.com/BeryJu/hass-auth-header, using the installation guide.
X-ak-hass-user: some other name 3. There are two ways to configure the custom component.
``` 1. To match on the user's authentik username, use the following configuration:
```yaml
## authentik auth_header:
username_header: X-authentik-username
Create a Proxy Provider with the following values ```
2. Alternatively, you can associate an existing Home Assistant username to an authentik username.
- Internal host 1. Within authentik, navigate to **Directory** > **Users**.
2. Select **Edit** for the user then add the following configuration to the **Attributes** section. Be sure to replace `hassusername` with the Home Assistant username.
If Home-Assistant is running in docker, and you're deploying the authentik proxy on the same host, set the value to `http://homeassistant:8123`, where Home-Assistant is the name of your container. :::note
This configuration will add an additional header for the authentik user which will contain the Home Assistant username and allow Home Assistant to authenticate based on that.
If Home-Assistant is running on a different server than where you are deploying the authentik proxy, set the value to `http://hass.company:8123`. :::
```yaml
- External host additionalHeaders:
X-ak-hass-user: hassusername
Set this to the external URL you will be accessing Home-Assistant from. ```
3. Then configure the Home Assistant custom component to use this header:
Create an application in authentik and select the provider you've created above. ```yaml
auth_header:
## Deployment username_header: X-ak-hass-user
```
Create an outpost deployment for the provider you've created above, as described [here](../../../docs/outposts/). Deploy this Outpost either on the same host or a different host that can access Home-Assistant.
The outpost will connect to authentik and configure itself.

18
website/integrations/services/immich/index.md
View File

@ -19,24 +19,26 @@ The following placeholders will be used:
## authentik configuration ## authentik configuration
1. Create a new OAuth2/OpenID Provider using the following settings: 1. Create a new OAuth2/OpenID Provider under **Applications** > **Providers** using the following settings:
- **Name**: Immich - **Name**: Immich
- **Authentication flow**: default-authentication-flow - **Authentication flow**: default-authentication-flow
- **Authorization flow**: default-provider-authorization-explicit-consent - **Authorization flow**: default-provider-authorization-explicit-consent
- **Client type**: Confidential - **Client type**: Confidential
- **Client ID**: Either create your own Client ID or make a note of the auto-populated one - **Client ID**: Either create your own Client ID or use the auto-populated ID
- **Client Secret**: Either create your own Client Secret or make a note of the auto-populated one - **Client Secret**: Either create your own Client Secret or use the auto-populated secret
:::note
Take note of the `Client ID` and `Client Secret` as they are required when configuring Immich.
:::
- **Redirect URIs/Origins (RegEx)**: - **Redirect URIs/Origins (RegEx)**:
_Please note that the following URIs are just examples. Be sure to include all of the domains / URLs that you will use to access Immich._ :::note
- app.immich:/ Please note that the following URIs are just examples. Be sure to include all of the domains / URLs that you will use to access Immich.
- https://immich.company/auth/login ::: - app.immich:/ - https://immich.company/auth/login - https://immich.company/user-settings
- https://immich.company/user-settings
- **Signing Key**: authentik Self-signed Certificate - **Signing Key**: authentik Self-signed Certificate
- Leave everything else as default - Leave everything else as default
2. Open the new provider you've just created. 2. Open the new provider you've just created.
3. Make a note of the **OpenID Configuration Issuer**. 3. Make a note of the **OpenID Configuration Issuer**.
## Immich Configuration ## Immich configuration
Immich documentation can be found here: https://immich.app/docs/administration/oauth Immich documentation can be found here: https://immich.app/docs/administration/oauth