habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Revert "website: latest migration to new structure" (#11634)

Browse Source 
Revert "website: latest migration to new structure (#11522)"

This reverts commit 9a89a5f94b.
This commit is contained in:
Tana M Berry
2024-10-08 17:30:50 -05:00
committed by GitHub
parent 9a89a5f94b
commit 6b2fced1b9
336 changed files with 883 additions and 2636 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
website/docs/users-sources/user/create_invite.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 171 KiB

13
website/docs/users-sources/user/index.mdx
View File

@ -1,13 +0,0 @@
---
title: About users
---
import DocCardList from "@theme/DocCardList";
In authentik you can create and manage users with fine-tuned access control, session and event details, group membership, super-user rights, impersonation, and password management and recovery.
To learn more about Enterprise licenses with internal and external users, refer to our [Enterprise documentation](../../enterprise/manage-enterprise.md#about-users-and-licenses).
To learn more about working with users in authentik, refer to the following topics:
<DocCardList />

49
website/docs/users-sources/user/invitations.md
View File

@ -1,49 +0,0 @@
---
title: Invitations
description: "Learn how to create an invitation URL for new users to enroll."
---
Invitations are another way to create a user, by inviting someone to join your authentik instance, as a new user. With invitations, you can either email an enrollment invitation URL to one or more specific recipients with pre-defined credentials, or you can email a URL to users, who can then log in and define their own credentials.
:::info
You can also create a policy to see if the invitation was ever used.
:::
## Create an invitation
The fastest way to create an invitation is to use our pre-defined `default-enrollment-flow` that has the necessary stages and prompts already included.
**Step 1. Download the `default-enrollment-flow` file**
To download the `default-enrollment-flow` file, run this command:
```shell
wget https://goauthentik.io/blueprints/example/flows-enrollment-2-stage.yaml
```
Alternatively, use this [link](/blueprints/example/flows-enrollment-2-stage.yaml) to view and save the file. For more details, refer to the [documentation](https://goauthentik.io/docs/flow/examples/flows#enrollment-2-stage).
**Step 2. Import the `default-enrollment-flow` file**
In authentik, navigate to the Admin UI, and then click **Flows** in the left navigation pane.
At the top of the Flows page, click **Import**, and then select the `flows-enrollment-2-stage.yaml` file that you just downloaded.
**Step 3. Create the invitation object**
In the Admin UI, navigate to **Directory --> Invitations**, and then click **Create** to open the **Create Invitation** modal. Define the following fields:
- **Name**: provide a name for your invitation object.
- **Expires**: select a date for when you want the invitation to expire.
- **Flow**: in the drop-down menu, select the **default-enrollment-flow** Flow.
- **Custom attributes**: (_optional_) enter optional key/value pairs here, to pre-define any information about the user that you will invite to enroll. The data entered here is considered as a variable, specifically the `context['prompt_data']` variable. This data is read by the context flow's [prompt stage](../../add-secure-apps/flows-stages/stages/prompt/index.md) in an expression policy.
![Create an invitation modal box](./create_invite.png)
- **Single use**: specify whether or not you want the invitation to expire after a single use.
Click **Save** to save the new invitation and close the modal and return to the **Invitations** page.
**Step 3. Email the invitation**
On the **Invitations** page, click the chevron beside your new invitation, to expand the details. The **Link to use the invitation** displays with the URL. Copy the URL and send it in an email to the people you want to invite to enroll.

122
website/docs/users-sources/user/user_basic_operations.md
View File

@ -1,122 +0,0 @@
---
title: Manage users
---
The following topics are for the basic management of users: how to create, modify, delete or deactivate users, and using a recovery email.
[Policies](../../customize/policies/index.md) can be used to further manage how users are authenticated. For example, by default authentik does not require email addresses be unique, but you can use a policy to [enforce unique email addresses](../../customize/policies/working_with_policies/unique_email.md).
### Create a user
> If you want to automate user creation, you can do that either by [invitations](./invitations.md), [`user_write` stage](../../add-secure-apps/flows-stages/stages/user_write.md), or [using the API](/docs/developer-docs/api/reference/core-users-create).
1. In the Admin interface of your authentik instance, select **Directory > Users** in the left side menu.
2. Select the folder where you want to create a user.
3. Click **Create** (for a default user).
4. Fill in the required fields:
- **Username**: This value must be unique across your user folders.
- **Path**: The path where the user will be created. It will be automatically populated with the folder you selected in the previous step.
5. Fill the **_optional_** fields if needed:
- **Name**: The display name of the user.
- **Email**: The email address of the user. Email addresses are used in [email stages](../../add-secure-apps/flows-stages/stages/email/index.mdx) and to receive [notifications](../../sys-mgmt/events/notifications.md), if configured.
- **Is active**: Define if the newly created user account is active. Selected by default.
- **Attributes**: Custom attributes definition for the user, in YAML or JSON format. These attributes can be used to enforce additional prompts on authentication stages or define conditions to enforce specific policies if the current implementation does not fit your use case. The value is an empty dictionary by default.
6. Click **Create**
You should see a confirmation pop-up on the top-right of the screen that the user has been created, and see the new user in the user list. You can directly click the username if you want to [modify your user](./user_basic_operations#modify-a-user).
:::info
To create a super-user, you need to add the user to a group that has super-user permissions. For more information, refer to [Create a Group](../groups/manage_groups.md#create-a-group).
:::
### View user details
In the **Directory > Users** menu of the Admin interface, you can browse all the users in your authentik instance.
To view details about a specific user:
1. In the list of all users, click on the name of the user you want to check.
This takes you to the **Overview** tab, with basic information about the user, and also quick access to perform basic actions to the user.
2. To see further details, click any of the other tabs:
- **Session** shows the active sessions established by the user. If there is any need, you can clean up the connected devices for a user by selecting the device(s) and then clicking **Delete**. This forces the user to authenticate again on the deleted devices.
- **Groups** allows you to manage the group membership of the user. You can find more details on [groups](../groups/index.mdx).
- **User events** displays all the events generated by the user during a session, such as login, logout, application authorisation, password reset, user info update, etc.
- **Explicit consent** lists all the permissions the user has given explicitly to an application. Entries will only appear if the user is validating an [explicit consent flow in an OAuth2 provider](../../add-secure-apps/providers/oauth2/index.md). If you want to delete the explicit consent (because the application is requiring new permissions, or the user has explicitly asked to reset his consent on third-party apps), select the applications and click **Delete**. The user will be asked to again give explicit consent to share information with the application.
- **OAuth Refresh Tokens** lists all the OAuth tokens currently distributed. You can remove the tokens by selecting the applications and then clicking **Delete**.
- **MFA Authenticators** shows all the authentications that the user has registered to their user profile. You can remove the tokens if the user has lost their authenticator and want to enroll a new one.
## Modify a user
After the creation of the user, you can edit any parameter defined during the creation.
To modify a user object, go to **Directory > Users**, and click the edit icon beside the name. You can also go into [user details](#view-user-details), and click **Edit**.
### Assign, modify, or remove permissions for a user
You can grant a user specific global or object-level permissions. Alternatively, you can add a user to a group that has the appropriate permissions, and the user inherits all of the group's permissions.
For more information, review ["Permissions"](../access-control/permissions.md).
## Add a user to a group
1. To add a user to a group, navigate to **Directory > Users** to display all users.
2. Click the name of the user to display the full user details page.
3. Click the **Groups** tab, and then click either **Add to existing group** or **Add to new group**.
## User credentials recovery
If a user has lost their credentials, there are several options.
### Email them a recovery link
1. In the Admin interface, navigate to **Directory > Users** to display all users.
2. Either click the name of the user to display the full User details page, or click the chevron (the symbol) beside their name to expand the options.
3. To generate a recovery link, which you can then copy and paste into an email, click **View recovery link**.
A pop-up will appear on your browser with the link for you to copy and to send to the user.
### Automate email to a user
You can use our automated email to send a link with the URL for the user to reset their password. This option will only work if you have properly [configured a SMTP server during the installation](../../install-config/install/docker-compose.mdx#email-configuration-optional-but-recommended) and set an email address for the user.
1. In the Admin interface, navigate to **Directory > Users** to display all users.
2. Either click the name of the user to display the full User details page, or click the chevron beside their name to expand the toptions.
3. To send the automated email to the user, click **Email recovery link**.
If the user does not receive the email, check if the mail server parameters [are properly configured](../../troubleshooting/emails.md).
### Reset the password for the user
As an Admin, you can simply reset the password for the user.
1. In the Admin interface, navigate to **Directory > Users** to display all users.
2. Either click the name of the user to display the full User details page, or click the chevron beside their name to expand the toptions.
3. To reset the user's password, click **Reset password**, and then define the new value.
## Deactivate or Delete user
#### To deactivate a user:
1. Go into the user list or detail, and click **Deactivate**.
2. Review the changes and click **Update**.
The active sessions are revoked and the authentication of the user blocked. You can reactivate the account by following the same procedure.
#### To delete a user:
:::caution
This deletion is not reversible, so be sure you do not need to recover any identity data of the user.
You may instead deactivate the account to preserve identity data.
:::
1. Go into the user list and select one (or multiple users) to delete and click **Delete** on the top-right of the page.
2. Review the changes and click **Delete**.
The user list refreshes and no longer displays the removed users.

99
website/docs/users-sources/user/user_ref.md
View File

@ -1,99 +0,0 @@
---
title: User properties and attributes
---
## Object properties
The User object has the following properties:
- `username`: User's username.
- `email` User's email.
- `uid` User's unique ID
- `name` User's display name.
- `is_staff` Boolean field if user is staff.
- `is_active` Boolean field if user is active.
- `date_joined` Date user joined/was created.
- `password_change_date` Date password was last changed.
- `path` User's path, see [Path](#path-authentik-20227)
- `attributes` Dynamic attributes, see [Attributes](#attributes)
- `group_attributes()` Merged attributes of all groups the user is member of and the user's own attributes.
- `ak_groups` This is a queryset of all the user's groups.
You can do additional filtering like:
```python
user.ak_groups.filter(name__startswith='test')
```
For Django field lookups, see [here](https://docs.djangoproject.com/en/4.2/ref/models/querysets/#id4).
To get the name of all groups, you can use this command:
```python
[group.name for group in user.ak_groups.all()]
```
## Examples
List all the User's group names:
```python
for group in user.ak_groups.all():
yield group.name
```
## Path <span class="badge badge--version">authentik 2022.7+</span>
Paths can be used to organize users into folders depending on which source created them or organizational structure. Paths may not start or end with a slash, but they can contain any other character as path segments. The paths are currently purely used for organization, it does not affect their permissions, group memberships, or anything else.
## Attributes
### `goauthentik.io/user/can-change-username`
Optional flag, when set to false prevents the user from changing their own username.
### `goauthentik.io/user/can-change-name`
Optional flag, when set to false prevents the user from changing their own name.
### `goauthentik.io/user/can-change-email`
Optional flag, when set to false prevents the user from changing their own email address.
### `goauthentik.io/user/token-expires`:
Optional flag, when set to false, Tokens created by the user will not expire.
Only applies when the token creation is triggered by the user with this attribute set. Additionally, the flag does not apply to superusers.
### `goauthentik.io/user/token-maximum-lifetime`:
Optional flag, when set, defines the maximum lifetime of user-created tokens. Defaults to the system setting if not set.
Only applies when `goauthentik.io/user/token-expires` set to true.
Format is string of format `days=10;hours=1;minute=3;seconds=5`.
### `goauthentik.io/user/debug`:
See [Troubleshooting access problems](../../troubleshooting/access.md), when set, the user gets a more detailed explanation of access decisions.
### `additionalHeaders`:
:::info
This field is only used by the Proxy Provider.
:::
Some applications can be configured to create new users using header information forwarded from authentik. You can forward additional header information by adding each header
underneath `additionalHeaders`:
#### Example:
```yaml
additionalHeaders:
REMOTE-USER: joe.smith
REMOTE-EMAIL: joe@jsmith.com
REMOTE-NAME: Joseph
```
These headers will now be passed to the application when the user logs in. Most applications will need to be configured to accept these headers. Some examples of applications that can accept additional headers from an authentik Proxy Provider are [Grafana](https://grafana.com/docs/grafana/latest/auth/auth-proxy/) and [Tandoor Recipes](https://docs.tandoor.dev/features/authentication/).