Revert "website: latest migration to new structure" (#11634)

Revert "website: latest migration to new structure (#11522)"

This reverts commit 9a89a5f94b.

website/docs/users-sources/sources/social-logins/apple/index.md

@@ -1,73 +0,0 @@
----
-title: Apple
----
-
-<span class="badge badge--primary">Support level: authentik</span>
-
-Allows users to authenticate using their Apple ID.
-
-## Preparation
-
-:::caution
-An Apple developer account is required.
-:::
-
-:::caution
-Apple mandates the use of a [registered TLD](https://en.wikipedia.org/wiki/List_of_Internet_top-level_domains), as such this source will not work with .local and other non-public TLDs.
-:::
-
-The following placeholders will be used:
-
--   `authentik.company` is the FQDN of the authentik install.
-
-## Apple
-
-1. Log into your Apple developer account, and navigate to **Certificates, IDs & Profiles**, then click **Identifiers** in the sidebar.
-2. Register a new Identifier with the type of **App IDs**, and the subtype **App**.
-3. Choose a name that users will recognise for the **Description** field.
-4. For your bundle ID, use the reverse domain of authentik, in this case `company.authentik`.
-5. Scroll down the list of capabilities, and check the box next to **Sign In with Apple**.
-6. At the top, click **Continue** and **Register**.
-
-![](./app_id.png)
-
-7. Register another new Identifier with the type of **Services IDs**.
-8. Again, choose the same name as above for your **Description** field.
-9. Use the same identifier as above, but add a suffix like `signin` or `oauth`, as identifiers are unique.
-10. At the top, click **Continue** and **Register**.
-
-![](./service_id.png)
-
-11. Once back at the overview list, click on the just-created Identifier.
-12. Enable the checkbox next to **Sign In with Apple**, and click **Configure**
-13. Under domains, enter `authentik.company`.
-14. Under **Return URLs**, enter `https://authentik.company/source/oauth/callback/apple/`.
-
-![](./app_service_config.png)
-
-15. Click on **Keys** in the sidebar. Register a new Key with any name, and select **Sign in with Apple**.
-16. Click on **Configure**, and select the App ID you've created above.
-17. At the top, click **Save**, **Continue** and **Register**.
-18. Download the Key file and note the **Key ID**.
-
-![](./key.png)
-
-19. Note the Team ID, visible at the top of the page.
-
-## authentik
-
-20. Under _Directory -> Federation & Social login_ Click **Create Apple OAuth Source**
-
-21. **Name**: `Apple`
-22. **Slug**: `apple`
-23. **Consumer Key:** The identifier from step 9, then `;`, then your Team ID from step 19, then `;`, then the Key ID from step 18.
-
-    Example: `io.goauthentik.dev-local;JQNH45HN7V;XFBNJ82BV6`
-
-24. **Consumer Secret:** Paste the contents of the keyfile you've downloaded
-
-Save, and you now have Apple as a source.
-
-:::note
-For more details on how-to have the new source display on the Login Page see [here](../../index.md#add-sources-to-default-login-page).
-:::

website/docs/users-sources/sources/social-logins/azure-ad/index.md

@@ -1,113 +0,0 @@
----
-title: Azure AD
----
-
-<span class="badge badge--secondary">Support level: Community</span>
-
-## Preparation
-
-The following placeholders will be used:
-
--   `authentik.company` is the FQDN of the authentik install.
-
-## Azure setup
-
-1. Navigate to [portal.azure.com](https://portal.azure.com), and open the _App registration_ service
-2. Register a new application
-
-    Under _Supported account types_, select whichever account type applies to your use-case.
-
-    ![](./aad_01.png)
-
-3. Take note of the _Application (client) ID_ value.
-
-    If you selected _Single tenant_ in the _Supported account types_ prompt, also note the _Directory (tenant) ID_ value.
-
-4. Navigate to _Certificates & secrets_ in the sidebar, and to the _Client secrets_ tab.
-5. Add a new secret, with an identifier of your choice, and select any expiration. Currently the secret in authentik has to be rotated manually or via API, so it is recommended to choose at least 12 months.
-6. Note the secret's value in the _Value_ column.
-
-## authentik Setup
-
-In authentik, create a new _Azure AD OAuth Source_ in Resources -> Sources.
-
-Use the following settings:
-
--   Name: `Azure AD`
--   Slug: `azure-ad` (this must match the URL being used above)
--   Consumer key: `*Application (client) ID* value from above`
--   Consumer secret: `*Value* of the secret from above`
-
-If you kept the default _Supported account types_ selection of _Single tenant_, then you must change the URL below as well:
-
--   OIDC Well-known URL: `https://login.microsoftonline.com/*Directory (tenant) ID* from above/v2.0/.well-known/openid-configuration`
-
-![](./authentik_01.png)
-
-Save, and you now have Azure AD as a source.
-
-:::note
-For more details on how-to have the new source display on the Login Page see [here](../../index.md#add-sources-to-default-login-page).
-:::
-
-### Automatic user enrollment and attribute mapping
-
-Using the following process you can auto-enroll your users without interaction, and directly control the mapping Azure attribute to authentik.
-attribute.
-
-1. Create a new _Expression Policy_ (see [here](../../../../customize/policies/index.md) for details).
-2. Use _azure-ad-mapping_ as the name.
-3. Add the following code and adjust to your needs.
-
-```python
-# save existing prompt data
-current_prompt_data = context.get('prompt_data', {})
-# make sure we are used in an oauth flow
-if 'oauth_userinfo' not in context:
-  ak_logger.warning(f"Missing expected oauth_userinfo in context. Context{context}")
-  return False
-oauth_data = context['oauth_userinfo']
-# map fields directly to user left hand are the field names provided by
-# the microsoft graph api on the right the user field names as used by authentik
-required_fields_map = {
-  'name': 'username',
-  'upn': 'email',
-  'given_name': 'name'
-}
-missing_fields = set(required_fields_map.keys()) - set(oauth_data.keys())
-if missing_fields:
-  ak_logger.warning(f"Missing expected fields. Missing fields {missing_fields}.")
-  return False
-for oauth_field, user_field in required_fields_map.items():
-  current_prompt_data[user_field] = oauth_data[oauth_field]
-# Define fields that should be mapped as extra user attributes
-attributes_map = {
-  'upn': 'upn',
-  'family_name': 'sn',
-  'name': 'name'
-}
-missing_attributes = set(attributes_map.keys()) - set(oauth_data.keys())
-if missing_attributes:
-  ak_logger.warning(f"Missing attributes: {missing_attributes}.")
-  return False
-# again make sure not to overwrite existing data
-current_attributes = current_prompt_data.get('attributes', {})
-for oauth_field, user_field in attributes_map.items():
-  current_attributes[user_field] = oauth_data[oauth_field]
-current_prompt_data['attributes'] = current_attributes
-context['prompt_data'] = current_prompt_data
-return True
-```
-
-4. Create a new enrollment flow _azure-ad-enrollment_ (see [here](../../../../add-secure-apps/flows-stages/flow/index.md) for details).
-5. Add the policy _default-source-enrollment-if-sso_ to the flow. To do so open the newly created flow.
-   Click on the tab **Policy/Group/User Bindings**. Click on **Bind existing policy** and choose _default-source-enrollment-if-sso_
-   from the list.
-6. Bind the stages _default-source-enrollment-write_ (order 0) and _default-source-enrollment-login_ (order 10) to the flow.
-7. Bind the policy _azure-ad-mapping_ to the stage _default-source-enrollment-write_. To do so open the flow _azure-ad-enrollment_
-   open the tab **Stage Bindings**, open the dropdown menu for the stage _default-source-enrollment-write_ and click on **Bind existing policy**
-   Select _azure-ad-mapping_.
-8. Open the source _azure-ad_. Click on edit.
-9. Open **Flow settings** and choose _azure-ad-enrollment_ as enrollment flow.
-
-Try to login with a **_new_** user. You should see no prompts and the user should have the correct information.

website/docs/users-sources/sources/social-logins/discord/index.md

@@ -1,383 +0,0 @@
----
-title: Discord
----
-
-<span class="badge badge--primary">Support level: authentik</span>
-
-Allows users to authenticate using their Discord credentials
-
-## Preparation
-
-The following placeholders will be used:
-
--   `authentik.company` is the FQDN of the authentik install.
-
-## Discord
-
-1. Create an application in the Discord Developer Portal (This is Free) https://discord.com/developers/applications
-
-![New Application Button](./discord1.png)
-
-2. Name the Application
-
-![Name App](./discord2.png)
-
-3. Select **OAuth2** from the left Menu
-
-4. Copy the **Client ID** and _save it for later_
-
-5. **Click to Reveal** the Client Secret and _save it for later_
-
-6. Click **Add Redirect** and add https://authentik.company/source/oauth/callback/discord/
-
-Here is an example of a completed OAuth2 screen for Discord.
-
-![](./discord3.png)
-
-## authentik
-
-8. Under _Directory -> Federation & Social login_ Click **Create Discord OAuth Source**
-
-9. **Name:** Choose a name (For the example I used Discord)
-10. **Slug:** discord (You can choose a different slug, if you do you will need to update the Discord redirect URLand point it to the correct slug.)
-11. **Consumer Key:** Client ID from step 4
-12. **Consumer Secret:** Client Secret from step 5
-
-Here is an example of a complete authentik Discord OAuth Source
-
-![](./discord4.png)
-
-Save, and you now have Discord as a source.
-
-:::note
-For more details on how-to have the new source display on the Login Page see [here](../../index.md#add-sources-to-default-login-page).
-:::
-
-### Checking for membership of a Discord Guild
-
-:::info
-Ensure that the Discord OAuth source in **Federation & Social login** has the additional `guilds guilds.members.read` scopes added under **Protocol settings**.
-:::
-
-Create a new **Expression Policy** with the content below, adjusting the variables where required:
-
-```python
-# To get the guild ID number for the parameters, open Discord, go to Settings > Advanced and enable developer mode.
-# Right-click on the server/guild title and select "Copy ID" to get the guild ID.
-
-ACCEPTED_GUILD_ID = "123456789123456789"
-GUILD_NAME_STRING = "The desired server/guild name in the error message."
-
-# Only change below here if you know what you are doing.
-
-# Ensure flow is only run during OAuth logins via Discord
-if context['source'].provider_type != "discord":
-    return True
-
-# Get the user-source connection object from the context, and get the access token
-connection = context.get("goauthentik.io/sources/connection")
-if not connection:
-  return False
-access_token = connection.access_token
-
-guilds = requests.get(
-    "https://discord.com/api/users/@me/guilds",
-    headers= {
-        "Authorization": f"Bearer {access_token}",
-    }
-).json()
-
-user_matched = any(ACCEPTED_GUILD_ID == g["id"] for g in guilds)
-if not user_matched:
-    ak_message(f"User is not a member of {GUILD_NAME_STRING}.")
-return user_matched
-```
-
-Now bind this policy to the chosen enrollment and authentication flows for the Discord OAuth source.
-
-### Checking for membership of a Discord Guild role
-
-:::info
-Ensure that the Discord OAuth source in **Federation & Social login** has the additional `guilds guilds.members.read` scopes added under **Protocol settings**.
-:::
-
-Create a new **Expression Policy** with the content below, adjusting the variables where required:
-
-```python
-# To get the role and guild ID numbers for the parameters, open Discord, go to Settings > Advanced and
-# enable developer mode.
-# Right-click on the server/guild title and select "Copy ID" to get the guild ID.
-# Right-click on the server/guild title and select server settings > roles, right click on the role and click
-# "Copy ID" to get the role ID.
-
-ACCEPTED_ROLE_ID = "123456789123456789"
-ACCEPTED_GUILD_ID = "123456789123456789"
-GUILD_NAME_STRING = "The desired server/guild name in the error message."
-ROLE_NAME_STRING = "The desired role name in the error message."
-
-# Only change below here if you know what you are doing.
-GUILD_API_URL = f"https://discord.com/api/users/@me/guilds/{ACCEPTED_GUILD_ID}/member"
-
-# Ensure flow is only run during OAuth logins via Discord
-if context['source'].provider_type != "discord":
-    return True
-
-# Get the user-source connection object from the context, and get the access token
-connection = context.get("goauthentik.io/sources/connection")
-if not connection:
-  return False
-access_token = connection.access_token
-
-guild_member_object = requests.get(
-    GUILD_API_URL,
-    headers= {
-        "Authorization": f"Bearer {access_token}",
-    }
-).json()
-
-# The response for JSON errors is held within guild_member_object['code']
-# See: https://discord.com/developers/docs/topics/opcodes-and-status-codes#json
-# If the user isn't in the queried guild, it gives the somewhat misleading code = 10004.
-if "code" in guild_member_object:
-    if guild_member_object['code'] == 10004:
-        ak_message(f"User is not a member of {GUILD_NAME_STRING}.")
-    else:
-        ak_create_event("discord_error", source=context['source'], code=guild_member_object['code'])
-        ak_message("Discord API error, try again later.")
-    # Policy does not match if there is any error.
-    return False
-
-user_matched = any(ACCEPTED_ROLE_ID == g for g in guild_member_object["roles"])
-if not user_matched:
-    ak_message(f"User is not a member of the {ROLE_NAME_STRING} role in {GUILD_NAME_STRING}.")
-return user_matched
-```
-
-Now bind this policy to the chosen enrollment and authentication flows for the Discord OAuth source.
-
-### Syncing Discord roles to authentik groups
-
-:::info
-Ensure that the Discord OAuth source in **Federation & Social login** has the additional `guilds.members.read` scopes added under **Protocol settings**.
-:::
-
-:::info
-Any authentik role that you want to sync with a Discord role needs to have the **attribute** `discord_role_id` with a value of the Discord role's ID set.  
-This setting can be found under `Authentik > Admin Interface > Directory > Groups > YOUR_GROUP > Attributes`  
-Example: `discord_role_id: "<ROLE ID>"`
-:::
-
-The following two policies allow you to synchronize roles in a Discord guild with roles in authentik.  
-Whenever a user enrolls or signs in to authentik via a Discord source, these policies will check the user's Discord roles and apply the user's authentik roles accordingly.  
-All roles with the attribute `discord_role_id` defined will be added or removed depending on whether the user is a member of the defined Discord role.
-
-Create a new **Expression Policy** with the content below, adjusting the variables where required.
-
-#### Sync on enrollment
-
-The following policy will apply the above behaviour when a user enrolls.
-
-```python
-from authentik.core.models import Group
-GUILD_API_URL = "https://discord.com/api/users/@me/guilds/{guild_id}/member"
-
-### CONFIG ###
-guild_id = "<YOUR GUILD ID>"
-##############
-
-# Ensure flow is only run during OAuth logins via Discord
-if context["source"].provider_type != "discord":
-    return True
-
-# Get the user-source connection object from the context, and get the access token
-connection = context.get("goauthentik.io/sources/connection")
-if not connection:
-    return False
-access_token = connection.access_token
-
-guild_member_request = requests.get(
-    GUILD_API_URL.format(guild_id=guild_id),
-    headers={
-        "Authorization": f"Bearer {access_token}",
-    },
-)
-guild_member_info = guild_member_request.json()
-
-# Ensure we are not being ratelimited
-if guild_member_request.status_code == 429:
-    ak_message(f"Discord is throttling this connection. Retry in {int(guild_member_info['retry_after'])}s")
-    return False
-
-# Ensure user is a member of the guild
-if "code" in guild_member_info:
-    if guild_member_info["code"] == 10004:
-        ak_message("User is not a member of the guild")
-    else:
-        ak_create_event("discord_error", source=context["source"], code=guild_member_info["code"])
-        ak_message("Discord API error, try again later.")
-    return False
-
-# Get all discord_groups
-discord_groups = Group.objects.filter(attributes__discord_role_id__isnull=False)
-
-# Filter matching roles based on guild_member_info['roles']
-user_groups_discord_updated = discord_groups.filter(attributes__discord_role_id__in=guild_member_info["roles"])
-
-# Set matchin_roles in flow context
-request.context["flow_plan"].context["groups"] = user_groups_discord_updated
-
-# Create event with roles added
-ak_create_event(
-    "discord_role_sync",
-    user_discord_roles_added=", ".join(str(group) for group in user_groups_discord_updated),
-)
-
-return True
-
-```
-
-Now bind this policy to the chosen enrollment flows for the Discord OAuth source.
-
-#### Sync on authentication
-
-The following policy will apply the above behaviour when a user logs in.
-
-```python
-from authentik.core.models import Group
-GUILD_API_URL = "https://discord.com/api/users/@me/guilds/{guild_id}/member"
-
-### CONFIG ###
-guild_id = "<YOUR GUILD ID>"
-##############
-
-# Ensure flow is only run during OAuth logins via Discord
-if context["source"].provider_type != "discord":
-    return True
-
-# Get the user-source connection object from the context, and get the access token
-connection = context.get("goauthentik.io/sources/connection")
-if not connection:
-    return False
-access_token = connection.access_token
-
-guild_member_request = requests.get(
-    GUILD_API_URL.format(guild_id=guild_id),
-    headers={
-        "Authorization": f"Bearer {access_token}"
-    },
-)
-guild_member_info = guild_member_request.json()
-
-# Ensure we are not being ratelimited
-if guild_member_request.status_code == 429:
-    ak_message(f"Discord is throttling this connection. Retry in {int(guild_member_info['retry_after'])}s")
-    return False
-
-# Ensure user is a member of the guild
-if "code" in guild_member_info:
-    if guild_member_info["code"] == 10004:
-        ak_message("User is not a member of the guild")
-    else:
-        ak_create_event("discord_error", source=context["source"], code=guild_member_info["code"])
-        ak_message("Discord API error, try again later.")
-    return False
-
-# Get all discord_groups
-discord_groups = Group.objects.filter(attributes__discord_role_id__isnull=False)
-
-# Split user groups into discord groups and non discord groups
-user_groups_non_discord = request.user.ak_groups.exclude(pk__in=discord_groups.values_list("pk", flat=True))
-user_groups_discord = list(request.user.ak_groups.filter(pk__in=discord_groups.values_list("pk", flat=True)))
-
-# Filter matching roles based on guild_member_info['roles']
-user_groups_discord_updated = discord_groups.filter(attributes__discord_role_id__in=guild_member_info["roles"])
-
-# Combine user_groups_non_discord and matching_roles
-user_groups_updated = user_groups_non_discord.union(user_groups_discord_updated)
-
-# Update user's groups
-request.user.ak_groups.set(user_groups_updated)
-
-# Create event with roles changed
-ak_create_event(
-    "discord_role_sync",
-    user_discord_roles_before=", ".join(str(group) for group in user_groups_discord),
-    user_discord_roles_after=", ".join(str(group) for group in user_groups_discord_updated),
-)
-
-return True
-
-```
-
-Now bind this policy to the chosen authentication flows for the Discord OAuth source.
-
-### Store OAuth info in attribute and create avatar attribute from Discord avatar
-
-:::info
-Ensure that the Discord OAuth source in **Federation & Social login** has the additional `guilds.members.read` scopes added under **Protocol settings**.
-:::
-
-:::info
-In order to use the created attribute in authentik you will have to set authentik configuration arguments found at: https://docs.goauthentik.io/docs/core/settings#avatars
-:::
-
-Create a new **Expression Policy** with the content below, adjusting the variables where required:
-
-```python
-import base64
-import requests
-
-AVATAR_SIZE = "64"  # Valid values: 16,32,64,128,256,512,1024. Larger values may cause HTTP error 431 on applications/providers due to headers being too large.
-
-# Only change below here if you know what you are doing.
-AVATAR_URL = "https://cdn.discordapp.com/avatars/{id}/{avatar}.png?size={avatar_size}"
-AVATAR_STREAM_CONTENT = "data:image/png;base64,{base64_string}"  # Converts base64 image into html syntax usable with authentik's avatar attributes feature
-
-
-def get_as_base64(url):
-    """Returns the base64 content of the url"""
-    return base64.b64encode(requests.get(url).content)
-
-
-def get_avatar_from_avatar_url(url):
-    """Returns an authentik-avatar-attributes-compatible string from an image url"""
-    cut_url = f"{url}"
-    return AVATAR_STREAM_CONTENT.format(
-        base64_string=(get_as_base64(cut_url).decode("utf-8"))
-    )
-
-
-# Ensure flow is only run during OAuth logins via Discord
-if context["source"].provider_type != "discord":
-    return True
-
-user = request.user
-userinfo = request.context["oauth_userinfo"]
-
-# Assigns the discord attributes to the user
-user.attributes["discord"] = {
-    "id": userinfo["id"],
-    "username": userinfo["username"],
-    "discriminator": userinfo["discriminator"],
-    "email": userinfo["email"],
-    "avatar": userinfo["avatar"],
-    "avatar_url": (
-        AVATAR_URL.format(
-            id=userinfo["id"], avatar=userinfo["avatar"], avatar_size=AVATAR_SIZE
-        )
-        if userinfo["avatar"]
-        else None
-    ),
-}
-
-# If the user has an avatar, assign it to the user
-avatar_url = user.attributes["discord"].get("avatar_url", None)
-if avatar_url is not None:
-    user.attributes["avatar"] = get_avatar_from_avatar_url(avatar_url)
-
-user.save()
-return True
-
-```
-
-Now bind this policy to the chosen enrollment and authentication flows for the Discord OAuth source.

website/docs/users-sources/sources/social-logins/facebook/index.md

@@ -1,74 +0,0 @@
----
-title: Facebook
----
-
-<span class="badge badge--secondary">Support level: Community</span>
-
-Adding Facebook as a source allows users to authenticate through authentik using their Facebook credentials.
-
-## Preparation
-
-The following placeholders are used:
-
--   `authentik.company` is the FQDN of the authentik install.
-
-## Facebook configuration
-
-To integrate authentik with Facebook and access the user credentials from Facebook, you first need to register with Meta for Developers and create a developers account. Refer to the [Facebook documentation](https://developers.facebook.com/docs/development) for exact steps.
-
-1. Visit https://developers.facebook.com/ and log in to your Facebook account.
-2. After you log in, go to https://developers.facebook.com/async/registration and follow the steps to register as a developer.
-
-Next, create an app so that Facebook generates a unique ID for your authentik app.
-
-:::info
-You will need the Facebook **App ID** and **App Secret** values from the Facebook app in order to configure the authentik integration. See Step 11. below for instructions.
-:::
-
-3. On the Meta for Developers Dashboard click **Create**.
-4. Follow the prompts to create the app.
-
-After you create the app you need to customize the login settings.
-
-5. Go back to the Dashboard and in the left navigation pane click **Use Cases**.
-6. On the **Use cases** page, click **Customize** under **Authentication and account creation**.
-7. On the **Customize** page, click **Go to settings**.
-8. On the **Facebook Login settings** page set the **Valid OAuth redirect URIs** field to `https://authentik.company/source/oauth/callback/facebook/` and then click **Save**.
-
-9. Navigate to the **Use cases -> Customize** page.
-10. Under **Permissions** click **Add** for the **email** permission.
-
-Next, you need to obtain the App ID and the App Secret for the Facebook app, and enter those into your authentik source configuration.
-
-11. Go back to the Dashboard, and in the bottom left in the navigation pane, click on **App settings -> Basic**.
-12. Copy the **App ID** and the **App secret** values and temporarily store them in a safe place until you enter them into authentik.
-
-Finally, you need to publish the Facebook app.
-
-12. Go back to the Dashboard, and on the **Create and publish this app** page, follow the prompts.
-
-## authentik configuration
-
-1. Log into authentik as admin, and then navigate to **Directory -> Federation & Social login**
-2. Click **Create**.
-3. In the **New Source** modal box, for **Select type** select **Facebook OAuth Source** and then click **Next**.
-4. Define the following fields:
-    - **Name**: provide a descriptive name
-    - **Slug**: leave default value (If you choose a different slug then the default, the URL will need to be updated to reflect the change)
-    - **User matching mode**: leave default option unless other configuration is needed
-    - **User path**: leave default option unless other configuration is needed
-    - **Icon**: optionally you can select a specific icon of logo to display on the login form.
-    - **Protocol settings**
-        - **Consumer Key**: enter the **App ID** from Facebook
-        - **Consumer Secret**: enter the **App Secret** from Facebook
-        - **Scopes**: define any further access scopes
-    - **Flow settings**
-        - **Authentication flow**: leave the default `default-source-authentication` option.
-        - **Enrollment flow**: leave the default `default-source-enrollment` option.
-5. Click **Finish** to save your settings and close the modal box.
-
-You now have Facebook as a source. Verify by checking that appears on the **Directory -> Federation & Social login** page in authentik.
-
-:::note
-For more details on how to display the new source on the authentik Login page refer to [Add Sources to default Login form](../../index.md#add-sources-to-default-login-page).
-:::

website/docs/users-sources/sources/social-logins/github/index.md

@@ -1,102 +0,0 @@
----
-title: Github
----
-
-<span class="badge badge--primary">Support level: authentik</span>
-
-Allows users to authenticate using their Github credentials
-
-## Preparation
-
-The following placeholders will be used:
-
--   `authentik.company` is the FQDN of the authentik install.
--   `www.my.company` Homepage URL for your site
-
-## Github
-
-1. Create an OAuth app under Developer Settings https://github.com/settings/developers by clicking on the **Register a new application**
-
-![Register OAuth App](./githubdeveloper1.png)
-
-2. **Application Name:** Choose a name users will recognize ie: authentik
-3. **Homepage URL**:: www.my.company
-4. **Authorization callback URL**: https://authentik.company/source/oauth/callback/github
-5. Click **Register Application**
-
-Example screenshot
-
-![](./githubdeveloperexample.png)
-
-6. Copy the **Client ID** and _save it for later_
-7. Click **Generate a new client secret** and _save it for later_ You will not be able to see the secret again, so be sure to copy it now.
-
-## authentik
-
-8. Under _Directory -> Federation & Social login_ Click **Create Github OAuth Source**
-
-9. **Name**: Choose a name (For the example I use Github)
-10. **Slug**: github (If you choose a different slug the URLs will need to be updated to reflect the change)
-11. **Consumer Key:** Client ID from step 6
-12. **Consumer Secret:** Client Secret from step 7
-
-Here is an example of a complete authentik Github OAuth Source
-
-![](./githubexample2.png)
-
-Save, and you now have Github as a source.
-
-:::note
-For more details on how-to have the new source display on the Login Page see [here](../../index.md#add-sources-to-default-login-page).
-:::
-
-### Checking for membership of a GitHub Organisation <span class="badge badge--version">authentik 2021.12.5.+</span>
-
-To check if the user is member of an organisation, you can use the following policy on your flows:
-
-:::info
-Make sure to include `read:org` in the sources' _Scopes_ setting.
-:::
-
-```python
-# Ensure flow is only run during oauth logins via Github
-if context["source"].provider_type != "github":
-    return True
-
-accepted_org = "foo"
-
-# Get the user-source connection object from the context, and get the access token
-connection = context["goauthentik.io/sources/connection"]
-access_token = connection.access_token
-
-# We also access the user info authentik already retrieved, to get the correct username
-github_username = context["oauth_userinfo"]
-
-# Github does not include Organisations in the userinfo endpoint, so we have to call another URL
-
-orgs_response = requests.get(
-    "https://api.github.com/user/orgs",
-    auth=(github_username["login"], access_token),
-    headers={
-        "accept": "application/vnd.github.v3+json"
-    }
-)
-orgs_response.raise_for_status()
-orgs = orgs_response.json()
-
-# `orgs` will be formatted like this
-# [
-#     {
-#         "login": "goauthentik",
-#         [...]
-#     }
-# ]
-user_matched = any(org['login'] == accepted_org for org in orgs)
-if not user_matched:
-    ak_message(f"User is not member of {accepted_org}.")
-return user_matched
-```
-
-If a user is not member of the chosen organisation, they will see this message
-
-![](./github_org_membership.png)

website/docs/users-sources/sources/social-logins/google/index.md

@@ -1,102 +0,0 @@
----
-title: Google
----
-
-<span class="badge badge--secondary">Support level: Community</span>
-
-Allows users to authenticate using their Google credentials
-
-## Preparation
-
-The following placeholders will be used:
-
--   `authentik.company` is the FQDN of the authentik install.
-
-## Google
-
-You will need to create a new project, and OAuth credentials in the Google Developer console. The developer console can be overwhelming at first.
-
-1. Visit https://console.developers.google.com/ to create a new project
-2. Create a New project.
-
-![](./googledeveloper1.png)
-
-3. **Project Name**: Choose a name
-4. **Organization**: Leave as default if unsure
-5. **Location**: Leave as default if unsure
-
-![](./googledeveloper2.png)
-
-6. Click **Create**
-7. Choose your project from the drop down at the top
-8. Click the **Credentials** menu item on the left. It looks like a key.
-
-![](./googledeveloper3.png)
-
-9. Click on **Configure Consent Screen**
-
-![](./googledeveloper4.png)
-
-10. **User Type:** If you do not have a Google Workspace (GSuite) account choose _External_. If you do have a Google Workspace (Gsuite) account and want to limit access to only users inside of your organization choose _Internal_
-
-_I'm only going to list the mandatory/important fields to complete._
-
-11. **App Name:** Choose an Application
-12. **User Support Email:** Must have a value
-13. **Authorized Domains:** authentik.company
-14. **Developer Contact Info:** Must have a value
-15. Click **Save and Continue**
-16. If you have special scopes configured for google, enter them on this screen. If not click **Save and Continue**
-17. If you want to create Test Users enter them here, if not click **Save and Continue**
-18. From the _Summary Page_ click on the \*_Credentials_ link on the left. Same link as step 8
-19. Click **Create Credentials** on the top of the screen
-20. Choose **OAuth Client ID**
-
-![](./googledeveloper5.png)
-
-21. **Application Type:** Web Application
-22. **Name:** Choose a name
-23. **Authorized redirect URIs:** `https://authentik.company/source/oauth/callback/google/`
-
-![](./googledeveloper6.png)
-
-24. Click **Create**
-25. Copy and store _Your Client ID_ and _Your Client Secret_ for later
-
-## authentik
-
-26. Under _Directory -> Federation & Social login_ Click **Create Google OAuth Source**
-
-27. **Name**: Choose a name (For the example I use Google)
-28. **Slug**: google (If you choose a different slug the URLs will need to be updated to reflect the change)
-29. **Consumer Key:** Your Client ID from step 25
-30. **Consumer Secret:** Your Client Secret from step 25
-
-Here is an example of a complete authentik Google OAuth Source
-
-![](./authentiksource.png)
-
-Save, and you now have Google as a source.
-
-:::note
-For more details on how-to have the new source display on the Login Page see [here](../../index.md#add-sources-to-default-login-page).
-:::
-
-## Username mapping
-
-Since google does not have the concept of a username, authentik will by default prompt the user for a username when they first enroll through a google source. To change this behaviour and automatically use the email address as username, create an expression policy to set the username to the email, and bind it to the enrollment flow.
-
-Create an expression policy with this expression:
-
-```python
-email = request.context["prompt_data"]["email"]
-# Direct set username to email
-request.context["prompt_data"]["username"] = email
-# Set username to email without domain
-# request.context["prompt_data"]["username"] = email.split("@")[0]
-return False
-```
-
-Afterwards, edit the source's enrollment flow (by default _default-source-enrollment_), expand the policies bound to the first stage (_default-source-enrollment-prompt_), and bind the policy created above. Make sure the newly created policy comes before _default-source-enrollment-if-username_. Afterwards, any new logins will automatically have their google email address used as their username.
-
-This can be combined with disallowing users from changing their usernames, see [Configuration](../../../../sys-mgmt/settings.md#allow-users-to-change-username).

website/docs/users-sources/sources/social-logins/mailcow/index.md

@@ -1,54 +0,0 @@
----
-title: Mailcow
----
-
-<span class="badge badge--secondary">Support level: Community</span>
-
-Allows users to authenticate using their Mailcow credentials
-
-## Preparation
-
-The following placeholders will be used:
-
--   `authentik.company` is the FQDN of the authentik install.
--   `mailcow.company` is the FQDN of the mailcow install.
-
-## Mailcow
-
-1. Log into mailcow as an admin and navigate to the OAuth2 Apps settings
-
-![OAuth2 Apps menu](./mailcow1.png)
-
-2. Click "Add OAuth2 Client"
-
-3. Insert the redirect URL: `https://authentik.company/source/oauth/callback/mailcow/`
-
-![Add OAuth2 CLient](./mailcow2.png)
-
-4. Copy the **Client ID** and **Client secret** and _save it for later_
-
-![ClientID and Secret](./mailcow3.png)
-
-## authentik
-
-5. Under _Directory -> Federation & Social login_ Click **Create > Mailcow OAuth Source**
-
-![Mailcow OAuth Source](./mailcow4.png)
-
-6. **Name:** Choose a name (For the example I used Mailcow)
-7. **Slug:** mailcow (You can choose a different slug, if you do you will need to update the Mailcow redirect URL and point it to the correct slug.)
-8. **Consumer Key:** Client ID from step 4
-9. **Consumer Secret:** Client Secret from step 4
-10. **Authorization URL:** https://mailcow.company/oauth/authorize
-11. **Access token URL:** https://mailcow.company/oauth/token
-12. **Profile URL:** https://mailcow.company/oauth/profile
-
-Here is an example of a complete authentik Mailcow OAuth Source
-
-![](./mailcow5.png)
-
-Save, and you now have Mailcow as a source.
-
-:::note
-For more details on how-to have the new source display on the Login Page see [here](../../index.md#add-sources-to-default-login-page).
-:::

website/docs/users-sources/sources/social-logins/plex/index.md

@@ -1,38 +0,0 @@
----
-title: Plex
----
-
-<span class="badge badge--secondary">Support level: Community</span>
-
-Allows users to authenticate using their Plex credentials
-
-## Preparation
-
-None
-
-## authentik -> Sources
-
-Add _Plex_ as a _source_
-
--   Name: Choose a name
--   Slug: Set a slug
--   Client ID: Set a unique Client Id or leave the generated ID
--   Press _Load Servers_ to login to plex and pick the authorized Plex Servers for "allowed users"
--   Decide if _anyone_ with a plex account can authenticate or only friends you share with
-
-Save, and you now have Plex as a source.
-
-:::note
-For more details on how-to have the new source display on the Login Page see [here](../../index.md#add-sources-to-default-login-page).
-:::
-
-## Plex source property mappings
-
-See the [overview](../../property-mappings/index.md) for information on how property mappings work.
-
-### Expression data
-
-The following variables are available to OAuth source property mappings:
-
--   `info`: A Python dictionary containing Plex user data.
--   `auth_api`: A Plex client object to make requests to the Source with authentication built-in.

website/docs/users-sources/sources/social-logins/twitch/index.md

@@ -1,60 +0,0 @@
----
-title: Twitch
----
-
-<span class="badge badge--secondary">Support level: Community</span>
-
-Allows users to authenticate using their Twitch credentials
-
-## Preparation
-
-The following placeholders will be used:
-
--   `authentik.company` is the FQDN of the authentik install.
-
-## Twitch
-
-1. Click **Register Your Application** in the Twitch Developers Console https://dev.twitch.tv/console
-
-![Register Your Application Button](./twitch1.png)
-
-2. Name your Application
-
-3. Add https://authentik.company/source/oauth/callback/twitch in the **OAuth Redirect URLs** field
-
-4. Select a Category for your Application
-
-5. Click **Create** to finish the registration of your Application
-
-![Create Application](./twitch2.png)
-
-6. Click **Manage** on your newly created Application
-
-![Manage Application](./twitch3.png)
-
-7. Copy your Client ID and save it for later
-
-8. Click **New Secret** to create a new Secret
-
-9. Copy the above Secret and also save it for later
-
-![Copy Keys](./twitch4.png)
-
-## authentik
-
-10. Under _Directory -> Federation & Social login_ Click **Create Twitch OAuth Source**
-
-11. **Name:** Choose a name (For the example I used Twitch)
-12. **Slug:** twitch (You can choose a different slug, if you do you will need to update the Twitch redirect URL and point it to the correct slug.)
-13. **Consumer Key:** Client ID from step 7
-14. **Consumer Secret:** Secret from step 9
-
-Here is an example of a complete authentik Twitch OAuth Source
-
-![Authentik Source Example](./twitch5.png)
-
-Save, and you now have Twitch as a source.
-
-:::note
-For more details on how-to have the new source display on the Login Page see [here](../../index.md#add-sources-to-default-login-page).
-:::

website/docs/users-sources/sources/social-logins/twitter/index.md

@@ -1,48 +0,0 @@
----
-title: Twitter
----
-
-<span class="badge badge--primary">Support level: authentik</span>
-
-Allows users to authenticate using their twitter credentials
-
-## Preparation
-
-The following placeholders will be used:
-
--   `authentik.company` is the FQDN of the authentik install.
-
-## Twitter
-
-You will need to create a new project, and OAuth credentials in the Twitter Developer console.
-
-1. Visit https://developer.twitter.com/ to create a new App
-2. Select an environment fitting to your use-case
-3. Give the app a name, for example _authentik_
-4. Finish setting up the app by clicking **App settings**. Any of the API keys on this screen are not used by authentik.
-5. Click the **Set up** button
-
-![](./twitter1.png)
-
-6. Enable **OAuth 2.0**
-7. Set **Type of App** to _Web_
-8. Set **Callback URI / Redirect URL** to `https://authentik.company/source/oauth/callback/twitter/`
-9. Set **Website URL** to `https://authentik.company`
-
-![](./twitter2.png)
-
-10. Confirm with **Save**
-11. Copy and store **Client ID** and **Client Secret** for later
-
-## authentik
-
-1. Under _Directory -> Federation & Social login_ Click **Create Twitter OAuth Source**
-
-2. **Name**: Choose a name (For the example I use Google)
-3. **Slug**: twitter (If you choose a different slug the URLs will need to be updated to reflect the change)
-4. **Consumer Key:** Your Client ID from step 25
-5. **Consumer Secret:** Your Client Secret from step 25
-
-:::note
-For more details on how-to have the new source display on the Login Page see [here](../../index.md#add-sources-to-default-login-page).
-:::