habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

website/integrations: multiple integration edits (#7923)

Browse Source 
* Update authentik aspect of Fresh RSS documentation to flow better

* Changes to standardise documentation across Integrations

* Removing a comma

* Changes to Gravtee to standardise documentation across Integrations

* - Changing Home-Assistant to Home Assistant
- Attempt to standardise the documentation
- Attempted to make the Home Assistant configuration easier to follow

* make website for gravitee and immich#

* Fixing MD formatting

* make website for freshrss and home assistant

* Fix Immich note formatting

* make website immich to fix notes formatting

* fix typo

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* Move authentik section above the Home Assistant section for consistency

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
ZuluWhiskey
2024-02-23 18:52:17 +00:00
committed by GitHub
parent 5991b82cde
commit 507f9b7ae2
4 changed files with 108 additions and 99 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
website/integrations/services/freshrss/index.md
View File

@ -18,29 +18,32 @@ The following placeholders will be used:
- `port` is the port on which the FreshRSS install is running (usually 443)
- `authentik.company` is the FQDN of the authentik install.
## authentik Configuration
## authentik configuration
In Authentik, create an _OAuth2/OpenID Provider_ under _Applications > Providers_.
** Protocol Settings **
_Client Type_ : _Confidential_
1. Create an **OAuth2/OpenID Provider** under **Applications** > **Providers** using the following settings:
- **Name**: FreshRSS
- **Authorization flow**: default-provider-authorization-explicit-consent
- **Protocol Settings**:
- **Client Type**: Confidential
- **Client ID**: Either create your own Client ID or use the auto-populated ID
- **Client Secret**: Either create your own Client Secret or use the auto-populated secret
:::note
Take note of the `Client ID` and `Client Secret`, you'll need them later.
:::
_Redirect URIs/Origins_ :
- **Redirect URIs/Origins**:
- `https://freshrss.company/i/oidc/`
- `https://freshrss.company:port/i/oidc`
- **Signing Key**: Any of your signing keys
- Leave everything else as default
_Signing Key_ : Any of your signing keys
2. Create an **Application** under **Applications** > **Applications** using the following settings:
- **Name**: FreshRSS
- **Slug**: freshrss
- **Provider**: FreshRSS _(the provider you created in step 1)_
- Leave everything else as default
Then click _Finish_ to create your provider.
Then create an _Application_, note its slug, and assign it to the provider you've just created.
## FreshRSS Configuration
## FreshRSS configuration
:::info
This integration only works with the Docker or Kubernetes install of FreshRSS, using [FreshRSS docker image](https://hub.docker.com/r/freshrss/freshrss/), on x86_64 systems and without the Alpine version of the image. More information can be found on [this issue on FreshRSS GitHub](https://github.com/FreshRSS/FreshRSS/issues/5722)

67
website/integrations/services/gravitee/index.md
View File

@ -18,43 +18,44 @@ The following placeholders will be used:
- `gravitee.company` is the FQDN of the Gravitee install.
- `authentik.company` is the FQDN of the authentik install.
- `applicationName` is the Application name you set.
### Step 1 - authentik
## authentik configuration
In authentik, under _Providers_, create an _OAuth2/OpenID Provider_ with these settings:
1. Create an **OAuth2/OpenID Provider** under **Applications** > **Providers** using the following settings:
:::note
Only settings that have been modified from default have been listed.
::: - **Name**: Gravitee - **Protocol Settings**: - **Client ID**: Either create your own Client ID or use the auto-populated ID - **Client Secret**: Either create your own Client Secret or use the auto-populated secret
:::note
Take note of the `Client ID` and `Client Secret` as they are required when configuring Gravitee
::: - **Redirect URIs/Origins**: - https://gravitee.company/user/login - https://gravitee.company/console/ # Make sure to add the trailing / at the end, at the time of writing it does not work without it
:::note
Be sure to add the trailing `/` at the end of the `https://gravitee.company/console/` URI, at the time of writing Gravitee does not work without this.
:::
2. Create an **Application** under **Applications** > **Applications** using the following settings:
- **Name**: Gravitee
- **Slug**: gravitee
- **Provider**: Gravitee (the provider you created in step 1)
3. Open the new provider you've just created.
4. Make a note of the following URLs:
- **Authorize URL**
- **Token URL**
- **Userinfo URL**
- **Logout URL**
## Gravitee configuration
In the Gravitee Management Console, navigate to _Organizations_ (gravitee.company/console/#!/organization/settings/identities) , under **Console** > **Authentication**. Click _Add an identity provider_, select _OpenID Connect_, and fill in the following:
:::note
Only settings that have been modified from default have been listed.
:::
**Protocol Settings**
- Name: applicationName
- Client ID: Copy and Save this for Later
- Client Secret: Copy and Save this for later
- Redirect URIs/Origins:
```
https://gravitee.company/user/login
https://gravitee.company/console/ # Make sure to add the trailing / at the end, at the time of writing it does not work without it
```
Now, under _Applications_, create an application with the name `applicationName` and select the provider you've created above.
### Step 2 - Gravitee
In the Gravitee Management Console, head to _Organizations_(gravitee.company/console/#!/organization/settings/identities) , under _Console_, _Authentication_, click _Add an identity provider_, select _OpenID Connect_, and fill in the following:
:::note
Only settings that have been modified from default have been listed.
:::
- Allow portal authentication to use this identity provider: enable this
- Client ID: Client ID from step 1
- Client Secret: Client Secret from step 1
- Token Endpoint: `https://authentik.company/application/o/token/`
- Authorize Endpoint: `https://authentik.company/application/o/authorize/`
- Userinfo Endpoint: `https://authentik.company/application/o/userinfo/`
- Userinfo Logout Endpoint: `https://authentik.company/if/session-end/applicationName/`
- Scopes: `email openid profile`
- **Allow portal authentication to use this identity provider**: enable this
- **Client ID**: Enter the Client ID from authentik that you noted in step 1
- **Client Secret**: Enter the Client Secret from authentik that you noted in step 1
- **Token Endpoint**: Populate this field with the **Token URL**
- **Authorize Endpoint**: Populate this field with the **Authorize URL**
- **Userinfo Endpoint**: Populate this field with the **Userinfo URL**
- **Userinfo Logout Endpoint**: Populate this field with the **Logout URL**
- **Scopes**: `email openid profile`

73
website/integrations/services/home-assistant/index.md
View File

@ -1,10 +1,10 @@
---
title: Home-Assistant
title: Home Assistant
---
<span class="badge badge--secondary">Support level: Community</span>
## What is Home-Assistant
## What is Home Assistant
> Open source home automation that puts local control and privacy first. Powered by a worldwide community of tinkerers and DIY enthusiasts. Perfect to run on a Raspberry Pi or a local server.
>
@ -13,54 +13,57 @@ title: Home-Assistant
:::caution
You might run into CSRF errors, this is caused by a technology Home-assistant uses and not authentik, see [this GitHub issue](https://github.com/goauthentik/authentik/issues/884#issuecomment-851542477).
:::
:::note
For Home Assistant to work with authentik, a custom integration needs to be installed for Home Assistant.
:::
## Preparation
The following placeholders will be used:
- `hass.company` is the FQDN of the Home-Assistant install.
- `hass.company` is the FQDN of the Home Assistant install.
- `authentik.company` is the FQDN of the authentik install.
## Home-Assistant
## authentik configuration
This guide requires https://github.com/BeryJu/hass-auth-header, which can be installed as described in the Readme.
1. Create a **Proxy Provider** under **Applications** > **Providers** using the following settings:
Afterwards, make sure the `trusted_proxies` setting contains the IP(s) of the Host(s) authentik is running on.
- **Name**: Home Assistant
- **Authentication flow**: default-authentication-flow
- **Authorization flow**: default-provider-authorization-explicit-consent
- **External Host**: Set this to the external URL you will be accessing Home Assistant from
- **Internal Host**: `http://hass.company:8123`
Use this configuration to match on the user's authentik username.
2. Create an **Application** under **Applications** > **Applications** using the following settings:
- **Name**: Home Assistant
- **Slug**: homeassistant
- **Provider**: Home Assistant (the provider you created in step 1)
3. Create an outpost deployment for the provider you've created above, as described [here](../../../docs/outposts/). Deploy this Outpost either on the same host or a different host that can access Home Assistant. The outpost will connect to authentik and configure itself.
## Home Assistant configuration
1. Configure [trusted_proxies](https://www.home-assistant.io/integrations/http/#trusted_proxies) for the HTTP integration with the IP(s) of the Host(s) authentik is running on.
2. If you don't already have it set up, https://github.com/BeryJu/hass-auth-header, using the installation guide.
3. There are two ways to configure the custom component.
1. To match on the user's authentik username, use the following configuration:
```yaml
auth_header:
username_header: X-authentik-username
```
If this is not the case, you can simply add an additional header for your user, which contains the Home-Assistant Name and authenticate based on that.
For example add this to your user's properties and set the Header to `X-ak-hass-user`.
2. Alternatively, you can associate an existing Home Assistant username to an authentik username.
1. Within authentik, navigate to **Directory** > **Users**.
2. Select **Edit** for the user then add the following configuration to the **Attributes** section. Be sure to replace `hassusername` with the Home Assistant username.
:::note
This configuration will add an additional header for the authentik user which will contain the Home Assistant username and allow Home Assistant to authenticate based on that.
:::
```yaml
additionalHeaders:
X-ak-hass-user: some other name
X-ak-hass-user: hassusername
```
3. Then configure the Home Assistant custom component to use this header:
```yaml
auth_header:
username_header: X-ak-hass-user
```
## authentik
Create a Proxy Provider with the following values
- Internal host
If Home-Assistant is running in docker, and you're deploying the authentik proxy on the same host, set the value to `http://homeassistant:8123`, where Home-Assistant is the name of your container.
If Home-Assistant is running on a different server than where you are deploying the authentik proxy, set the value to `http://hass.company:8123`.
- External host
Set this to the external URL you will be accessing Home-Assistant from.
Create an application in authentik and select the provider you've created above.
## Deployment
Create an outpost deployment for the provider you've created above, as described [here](../../../docs/outposts/). Deploy this Outpost either on the same host or a different host that can access Home-Assistant.
The outpost will connect to authentik and configure itself.

18
website/integrations/services/immich/index.md
View File

@ -19,24 +19,26 @@ The following placeholders will be used:
## authentik configuration
1. Create a new OAuth2/OpenID Provider using the following settings:
1. Create a new OAuth2/OpenID Provider under **Applications** > **Providers** using the following settings:
- **Name**: Immich
- **Authentication flow**: default-authentication-flow
- **Authorization flow**: default-provider-authorization-explicit-consent
- **Client type**: Confidential
- **Client ID**: Either create your own Client ID or make a note of the auto-populated one
- **Client Secret**: Either create your own Client Secret or make a note of the auto-populated one
- **Client ID**: Either create your own Client ID or use the auto-populated ID
- **Client Secret**: Either create your own Client Secret or use the auto-populated secret
:::note
Take note of the `Client ID` and `Client Secret` as they are required when configuring Immich.
:::
- **Redirect URIs/Origins (RegEx)**:
_Please note that the following URIs are just examples. Be sure to include all of the domains / URLs that you will use to access Immich._
- app.immich:/
- https://immich.company/auth/login
- https://immich.company/user-settings
:::note
Please note that the following URIs are just examples. Be sure to include all of the domains / URLs that you will use to access Immich.
::: - app.immich:/ - https://immich.company/auth/login - https://immich.company/user-settings
- **Signing Key**: authentik Self-signed Certificate
- Leave everything else as default
2. Open the new provider you've just created.
3. Make a note of the **OpenID Configuration Issuer**.
## Immich Configuration
## Immich configuration
Immich documentation can be found here: https://immich.app/docs/administration/oauth