habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'main' into celery-2-dramatiq

Browse Source
This commit is contained in:
Marc 'risson' Schmitt
2025-04-04 17:22:01 +02:00
parent 35640fcdfa 53814d9919
commit 8a073e8c60
9 changed files with 287 additions and 60 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
pyproject.toml
View File

@ -55,7 +55,7 @@ dependencies = [
"pydantic-scim",
"pyjwt",
"pyrad",
"python-kadmin-rs ==0.5.3",
"python-kadmin-rs ==0.6.0",
"pyyaml",
"requests-oauthlib",
"scim2-filter-parser",

18
uv.lock generated
View File

@ -317,7 +317,7 @@ requires-dist = [
{ name = "pydantic-scim" },
{ name = "pyjwt" },
{ name = "pyrad" },
{ name = "python-kadmin-rs", specifier = "==0.5.3" },
{ name = "python-kadmin-rs", specifier = "==0.6.0" },
{ name = "pyyaml" },
{ name = "requests-oauthlib" },
{ name = "scim2-filter-parser" },
@ -2689,16 +2689,16 @@ wheels = [
[[package]]
name = "python-kadmin-rs"
version = "0.5.3"
version = "0.6.0"
source = { registry = "https://pypi.org/simple" }
sdist = { url = "https://files.pythonhosted.org/packages/e7/95/07b708623f13874ad86dc603f2fe36e980a5f5890edea87286d13f2b0b81/python_kadmin_rs-0.5.3.tar.gz", hash = "sha256:4f46fd854af622896136c3ac4fc5e6a37d37bfffb5b2023e438001ffa62ab7e3", size = 89865 }
sdist = { url = "https://files.pythonhosted.org/packages/b9/ac/df3a093b1e186cd68a6f38778fac025450e5c5e9859c4790e00c2ed0ff62/python_kadmin_rs-0.6.0.tar.gz", hash = "sha256:dadd3d4ef542b829c1dcde97360a6b6a10700a4b5686f12f24b10f6cf5ca6e6c", size = 89318 }
wheels = [
{ url = "https://files.pythonhosted.org/packages/96/46/1bbfd7d6819851c300b991d7340452fba8edc3d2fe68b33271279eb74887/python_kadmin_rs-0.5.3-cp312-cp312-macosx_14_0_arm64.whl", hash = "sha256:54b5e1c2e22da0d16c1418eb2b46da8baa11699a5db8db2afc52dbfd02d14958", size = 1416637 },
{ url = "https://files.pythonhosted.org/packages/be/34/fd7f5c324aaf1b9ad3dd5050ac2059230618c29adc452d676d2af4d5ae79/python_kadmin_rs-0.5.3-cp312-cp312-macosx_14_0_x86_64.whl", hash = "sha256:d1dc7ad1f07bbfd09baeb1fb0dfc45c87776ed717052081e63d3bdba340a250e", size = 1503018 },
{ url = "https://files.pythonhosted.org/packages/e5/29/3931502534e07806cf7c70631374452cfcbafa44e75c5403416372b701c7/python_kadmin_rs-0.5.3-cp312-cp312-manylinux_2_28_aarch64.whl", hash = "sha256:86404a1060ece916088ae4a0d188e9309fd46e0b3003779ee7a8dc7493176779", size = 3268475 },
{ url = "https://files.pythonhosted.org/packages/ba/5d/f18ca5df97a4241711555987eb308c6e6c5505883514ac7f18d7aebd52f2/python_kadmin_rs-0.5.3-cp312-cp312-manylinux_2_28_x86_64.whl", hash = "sha256:7aa62a618af2b2112f708fd44f9cc3cf25e28f1562ea66a2036fb3cd1a47e649", size = 3371699 },
{ url = "https://files.pythonhosted.org/packages/91/d3/42c4d57414cfdf4e4ff528dd8e72428908ee67aeeae6a63fe2f5dbcd04bc/python_kadmin_rs-0.5.3-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:80813af82dfbcc6a90505183c822eab11de77b6703e5691e37ed77d292224dd9", size = 1584049 },
{ url = "https://files.pythonhosted.org/packages/9a/65/705f179cf4bf4d16fc1daeac0810def57da2f4514a5b79ca60f24d7efb90/python_kadmin_rs-0.5.3-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:6799a0faddb4ccf200acfa87da38e5fa2af54970d066b2c876e752bbf794b204", size = 1590360 },
{ url = "https://files.pythonhosted.org/packages/12/6d/59fefe1c4c11177c4feb8ad65dd6a265e9cc5fc83682a928acdccb170000/python_kadmin_rs-0.6.0-cp312-cp312-macosx_14_0_arm64.whl", hash = "sha256:0069fbd656096b98853f8cdc6d5e24f754829fa9cb4a716dac33777f0305d37a", size = 1418187 },
{ url = "https://files.pythonhosted.org/packages/a6/12/c00a71c0fc17f5d208b4bb5e570002d74f0bc414e35194537d46ea32080f/python_kadmin_rs-0.6.0-cp312-cp312-macosx_14_0_x86_64.whl", hash = "sha256:cfcfe9982e969705dee62f2b97c8d7c249b55b2a97e2bc981408061ea7182b96", size = 1501759 },
{ url = "https://files.pythonhosted.org/packages/a0/b5/06cf809cfaaeded84e6634bf07116264ab4f8fd5eccca7523114e197f424/python_kadmin_rs-0.6.0-cp312-cp312-manylinux_2_28_aarch64.whl", hash = "sha256:920df382e7a554d2f6fd160436a64adf1251f3262ec16bccd6d3b9f7e039d5fa", size = 3262691 },
{ url = "https://files.pythonhosted.org/packages/e6/72/99884dbc1856440a548ea8bf2ff1232c7f2823b6cb1a62bbb4d902a34609/python_kadmin_rs-0.6.0-cp312-cp312-manylinux_2_28_x86_64.whl", hash = "sha256:94509b7470b18105c27fcaf5e6af894644614a687af74a43499735c405217e01", size = 3382996 },
{ url = "https://files.pythonhosted.org/packages/bd/4f/5d7e5be27cd466affc00fcab71fb94ea0420aee95306188988faf270b129/python_kadmin_rs-0.6.0-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:6f89e7fbcb7220a42c143a1b008685f98ca0a72ecc55c30f85b72c9d1ba9c3b9", size = 1572007 },
{ url = "https://files.pythonhosted.org/packages/a6/1e/fdd7d6cd2ebc4cc654112329311380d1c03c681511973e32ae6ab90f261c/python_kadmin_rs-0.6.0-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:775ce07ffd47a50ba27c8d74c20baacb56acfc7a8c56a8b02f2207ed9829156e", size = 1618897 },
]
[[package]]

47
website/docs/troubleshooting/logs.md
View File

@ -1,47 +0,0 @@
---
title: Capturing logs
---
When troubleshooting issues it is useful to investigate the [event logs](../sys-mgmt/events/index.md) that are continuosuly outputted by authentik.
## Capturing Past Logs
The `--since` option can be used with both `docker logs` and `kubectl logs` commands. It can accept a Go durating string (e.g. `1m30s`, `3h`) or a specific date/time (e.g. `2006-01-02T07:00`, `2006-01-02`). When used, the command will output logs for the specified time period.
More information on this option and others can be found in the [`docker logs` command documentation](https://docs.docker.com/reference/cli/docker/container/logs/) and [`kubectl logs` command documentation](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_logs/).
### Docker
To capture and display the logs of a Docker container in the terminal, use the following command:
```shell
docker logs <container_name_or_id> --timestamps --since 5m
```
### Kubernetes
To capture and display the logs from a pod deployed via Kubernetes, use the following command:
```shell
kubectl logs --timestamps --since 5m <pod_name>
```
## Continuously Capturing Logs
To continuously display logs from a Docker container or a pod deployed via Kubernetes, you can include the _follow_ option (`-f`, `--follow`). This option will stream logs into the terminal until stopped (`Ctrl + C` or closing the terminal).
### Docker
To stream the logs from a Docker container, use the following command:
```shell
docker logs <container_name_or_id> -f --timestamps
```
### Kubernetes Logs
To stream the logs from a pod deployed via Kubernetes, use the following command:
```shell
kubectl logs -f --timestamps <pod_name>
```

150
website/docs/troubleshooting/logs.mdx Normal file
View File

@ -0,0 +1,150 @@
---
title: Capturing logs in authentik
---
When troubleshooting issues in authentik, reviewing the [event logs](../sys-mgmt/events/index.md) can be invaluable. These logs provide continuous output, helping to diagnose problems effectively.
## Adjusting log levels
The server and worker containers support multiple log levels: `debug`, `info`, `warning`, and `error`. By default, the log level is set to `info`.
To modify the log level, follow the steps for your platform
import Tabs from "@theme/Tabs";
import TabItem from "@theme/TabItem";
<Tabs
groupId="platform"
defaultValue="docker-compose"
values={[
{label: 'docker-compose', value: 'docker-compose'},
{label: 'Kubernetes', value: 'kubernetes'},
]}>
<TabItem value="docker-compose">
1. Add the following environment variable to your docker deployment:
```shell
AUTHENTIK_LOG_LEVEL=debug
```
2. Recreate your containers to apply the changes.
</TabItem>
<TabItem value="kubernetes">
1. Add the following configuration to your `values.yml` file:
```yaml
authentik:
log_level: debug
```
2. Recreate your containers to apply the changes.
</TabItem>
</Tabs>
## Enabling `trace` mode
:::danger
The trace log level provides deeper insights, but be aware that using trace logs can expose sensitive information, including session cookies. Handle these logs with extreme caution and avoid using trace unless absolutely necessary.
:::
To enable `trace` logging, follow the platform-specific steps below:
<Tabs
groupId="platform"
defaultValue="docker-compose"
values={[
{label: 'docker-compose', value: 'docker-compose'},
{label: 'Kubernetes', value: 'kubernetes'},
]}>
<TabItem value="docker-compose">
1. Add the following environment variable to your docker deployment:
```shell
AUTHENTIK_LOG_LEVEL=trace
```
2. Recreate your containers to apply the changes.
</TabItem>
<TabItem value="kubernetes">
1. Modify your `values.yml` file:
```yaml
authentik:
log_level: trace
```
2. Recreate your containers to apply the changes.
</TabItem>
</Tabs>
## Viewing past logs
To review historical logs, you can use the `--since` option with both `docker logs` and `kubectl logs`. This option allows you to specify either a duration (e.g., `1m30s`, `3h`) or a specific timestamp (e.g., `2006-01-02T07:00`, `2006-01-02`) to view logs generated after that point in time.
For more details, see the [`docker logs` documentation](https://docs.docker.com/reference/cli/docker/container/logs/) and [`kubectl logs` documentation](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_logs/).
<Tabs
groupId="platform"
defaultValue="docker"
values={[
{label: 'docker', value: 'docker'},
{label: 'Kubernetes', value: 'kubernetes'},
]}>
<TabItem value="docker-compose">
To retrieve logs from a specific timeframe, use:
```shell
docker logs <container_name_or_id> --since 5m
```
</TabItem>
<TabItem value="kubernetes">
To fetch logs from a Kubernetes pod:
```shell
kubectl logs --since 5m <pod_name>
```
</TabItem>
</Tabs>
## Streaming logs in real-time
To continuously monitor logs, use the `--follow` (`-f`) option. This will stream log output to your terminal until manually stopped (`Ctrl + C` or closing the terminal).
<Tabs
groupId="platform"
defaultValue="docker"
values={[
{label: 'docker', value: 'docker'},
{label: 'Kubernetes', value: 'kubernetes'},
]}>
<TabItem value="docker">
To follow logs in real time:
```shell
docker logs <container_name_or_id> -f
```
</TabItem>
<TabItem value="kubernetes">
To stream logs from a Kubernetes pod:
```shell
kubectl logs -f <pod_name>
```
</TabItem>
</Tabs>

48
website/integrations/services/apache-guacamole/index.mdx
View File

@ -81,3 +81,51 @@ openid-username-claim-type=preferred_username
</TabItem>
</Tabs>
### Self Signed Certificates
When using a self-signed certificate, it is necessary to incorporate the certificate of the corresponding Certificate Authority into both the `/etc/ssl/certs/ca-certificates.crt` file and the `/opt/java/openjkd/jre/lib/security/cacerts` keystore on your Apache Guacamole host. This ensures that the self-signed certificate is trusted by both the system and the Java runtime environment used by Guacamole.
#### Adding Certificate Authority certificate as trusted in `/etc/ssl/certs/ca-certificates.crt`
:::note
This section depends on the operating system hosting Apache Guacamole.
:::
##### For _Debian_ based operating systems:
1. Copy the certificate of the Certificate Authority (e.g. `<CA_certificate>.crt`) to the `/usr/local/share/ca-certificates/` directory on the Apache Guacamole host. Ensure that the file extension is `.crt`.
2. To add the certificate as trusted in `/etc/ssl/certs/ca-certificates.crt`, use the following command:
```shell
update-ca-certificates
```
##### For _Synology_ systems:
1. Copy the certificate of the Certificate Authority (e.g. `<CA_certificate>.crt`) to the `/usr/syno/etc/security-profile/ca-bundle-profile/ca-certificates/` directory on the Synology host. Ensure that the filetype is `.crt`.
2. To add the certificate as trusted in `/etc/ssl/certs/ca-certificates.crt`, use the following command:
```shell
update-ca-certificates.sh
```
#### Adding Certificate Authority certificate to `/opt/java/openjkd/jre/lib/security/cacerts`
1. To export the certificate of the Certificate Authority, use the following command on the Certificate Authority host:
```shell
openssl pkcs12 -export -in <CA_certificate>.crt -inkey <CA_certificate>.key -out <CA_certificate>.p12 -passout pass:<password>
```
2. To import the certificate to the `/opt/java/openjdk/jre/lib/security/cacerts` keystore on the Apache Guacamole host, use the following command:
```shell
keytool -importkeystore -srckeystore <CA_certificate>.p12 -srcstoretype PKCS12 -keystore /opt/java/openjdk/jre/lib/security/cacerts -deststorepass <destination_store_password> -nopromt -srcstorepass <password>
```
:::note
More information on the keytool command can be found in the [Oracle documentation.](https://docs.oracle.com/en/java/javase/21/docs/specs/man/keytool.html)
:::

2
website/integrations/services/jenkins/index.md
View File

@ -34,7 +34,7 @@ To support the integration of Jenkins with authentik, you need to create an appl
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>jenkins.company</em>/jenkins/securityRealm/finishLogin</kbd>.
- Set a `Strict` redirect URI to <kbd>https://<em>jenkins.company</em>/securityRealm/finishLogin</kbd>.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

72
website/integrations/services/omni/index.md Normal file
View File

@ -0,0 +1,72 @@
---
title: Integrate with Omni
sidebar_label: Omni
support_level: community
---
## What is Omni
> Omni manages Kubernetes on bare metal, virtual machines, or in a cloud.
>
> -- https://github.com/siderolabs/omni
## Preparation
The following placeholders are used in this guide:
- `omni.company` is the FQDN of the Omni installation.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of Omni with authentik, you need to create a property mapping and application/provider pair in authentik.
### Create a Property Mapping, Application, and Provider in authentik
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Customization** > **Property Mappings** and click **Create** to create a property mapping.
- **Choose a Property Mapping type**: Select SAML Provider Property Mapping as the property mapping type.
- **Configure the Property Mapping**:
- **Name**: `*property_mapping_name*` (e.g. `Omni Mapping`)
- **SAML Attribute Name**: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`
- **Expression**: `return request.user.email`
3. Navigate to **Applications** -> **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, application slug, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select SAML Provider as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- **ACS URL**: <kbd>https://<em>omni.company</em>/saml/acs</kbd>
- **Service Provider Binding**: `Post`
- **Audience**: <kbd>https://<em>omni.company</em>/saml/metadata</kbd>
- **Signing Certificate**: select a signing certificate, either the `authentik Self-signed Certificate` or generate a certificate via **System** > **Certificate**
- **Sign assertions**: `true`
- **Sign responses**: `true`
- **Property mappings**: `*property_mapping_name*` (e.g. `Omni Mapping`)
- **NameID Property Mapping**: `*property_mapping_name*` (e.g. `Omni Mapping`)
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
4. Click **Submit** to save the new application and provider.
## Omni configuration
Add the following environment variables to your Omni configuration. Make sure to fill in the authentik FQDN from your authentik instance and the application slug generated in the last section.
```shell
auth-saml-enabled=true
auth-saml-url=https://<em>authentik.company</em>/application/saml/<em><application_slug></em>/metadata/
```
## Configuration verification
To confirm that authentik is properly configured with Omni, log out and log back in via the SAML button.

7
website/integrations/services/synology-dsm/index.md
View File

@ -38,7 +38,7 @@ To support the integration of Synology DSM with authentik, you need to create an
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>synology.company</em>/#/signin</kbd>.
- Set a `Strict` redirect URI to <kbd>https://<em>synology.company</em></kbd>.
- Select any available signing key.
- Under **Advanced Protocol Settings**, set the **subject mode** to be based on the user's email.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
@ -59,7 +59,7 @@ To configure Synology DSM to utilize authentik as an OpenID Connect 1.0 Provider
- Well Known URL: Copy this from the 'OpenID Configuration URL' in the authentik provider (URL ends with '/.well-known/openid-configuration')
- Application ID: The 'Client ID' from the authentik provider
- Application Key: The 'Client secret' from the authentik provider
- Redirect URL: https://synology.company/#/signin (This should match the 'Redirect URI' in authentik exactly)
- Redirect URL: https://synology.company (This should match the 'Redirect URI' in authentik exactly)
- Authorization Scope: openid profile email
- Username Claim: preferred_username
- Save the settings.
@ -70,6 +70,9 @@ To configure Synology DSM to utilize authentik as an OpenID Connect 1.0 Provider
The log in process could fail with a `not privilege` error, when the SSO pop-up is blocked. Allowing pop-ups in the browser configuration resolves this (see https://github.com/authelia/authelia/discussions/6902#discussioncomment-9756400).
This error can also happen when you have multiple Redirect URI entries, but only the last one is used when trying to log on from any of the URLs. For example, if using the Application portal, each service has its own URL.
The DSM tries to match the right redirect URI based on the Host and HTTPS headers. This is why you should not add #/signin at the end of your redirect URIs.
## See also:
[Synology DSM SSO Client Documentation](https://kb.synology.com/en-af/DSM/help/DSM/AdminCenter/file_directory_service_sso?version=7)

1
website/sidebarsIntegrations.js
View File

@ -94,6 +94,7 @@ module.exports = {
"services/meshcentral/index",
"services/minio/index",
"services/netbox/index",
"services/omni/index",
"services/pgadmin/index",
"services/phpipam/index",
"services/plesk/index",