sources/oauth: add Sign in with Apple (#1635)

* sources/oauth: add apple sign in support

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* website/docs: apple sign in docs

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* website/docs: fix missing apple in sidebar

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* sources/oauth: add fallback values for name and slug

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

website/docs/integrations/services/bookstack/index.md

@@ -50,7 +50,7 @@ In authentik, create an application which uses this provider. Optionally apply a
 
 ### Step 3
 
-Obtain your Metadata URL from Authentik.
+Obtain your Metadata URL from authentik.
 
 1. Click on the BookStack Provider
 2. Click the Metadata Tab
@@ -69,7 +69,7 @@ Modify the following Example SAML config and paste incorporate into your `.env`
 AUTH_METHOD=saml2
 # Set the display name to be shown on the login button.
 # (Login with <name>)
-SAML2_NAME=Authentik
+SAML2_NAME=authentik
 # Name of the attribute which provides the user's email address
 SAML2_EMAIL_ATTRIBUTE=email
 # Name of the attribute to use as an ID for the SAML user.

website/docs/integrations/services/portainer/index.md

@@ -21,7 +21,7 @@ The following placeholders will be used:
 - `port.company` is the FQDN of Portainer.
 - `authentik.company` is the FQDN of authentik.
 
-### Step 1 - Authentik
+### Step 1 - authentik
 
 In authentik, under _Providers_, create an _OAuth2/OpenID Provider_ with these settings:
 
@@ -57,7 +57,7 @@ Portainer by default shows commas between each item in the Scopes field.  Do **N
 
 ![](./port1.png)
 
-### Step 3 - Authentik
+### Step 3 - authentik
 
 In authentik, create an application which uses this provider. Optionally apply access restrictions to the application using policy bindings.
 

website/docs/integrations/services/vikunja/index.md

@@ -76,9 +76,9 @@ auth:
         # The auth url to send users to if they want to authenticate using OpenID Connect.
         authurl: https://authentik.company/application/o/vikunja/
         # The client ID used to authenticate Vikunja at the OpenID Connect provider.
-        clientid: THIS IS THE CLIENT ID YOU COPIED FROM STEP 1 in Authentik
+        clientid: THIS IS THE CLIENT ID YOU COPIED FROM STEP 1 in authentik
         # The client secret used to authenticate Vikunja at the OpenID Connect provider.
-        clientsecret: THIS IS THE CLIENT SECRET YOU COPIED FROM STEP 1 in Authentik
+        clientsecret: THIS IS THE CLIENT SECRET YOU COPIED FROM STEP 1 in authentik
 ```
 
 :::note

website/docs/integrations/services/wekan/index.mdx

@@ -39,7 +39,7 @@ import TabItem from '@theme/TabItem';
     {label: 'Standalone', value: 'standalone'},
   ]}>
   <TabItem value="docker">
-If your Wekan is running in docker, add the following environment variables for Authentik
+If your Wekan is running in docker, add the following environment variables for authentik
 
 ```yaml
 environment:
@@ -58,11 +58,11 @@ environment:
 ```
   </TabItem>
   <TabItem value="standalone">
-    
+
 edit `.env` and add the following:
 
 ```ini
-     # Authentik OAUTH Config
+     # authentik OAUTH Config
       OAUTH2_ENABLED='true'
       OAUTH2_LOGIN_STYLE='redirect'
       OAUTH2_CLIENT_ID='<Client ID from above>'

website/docs/integrations/services/wordpress/index.md

@@ -21,7 +21,7 @@ The following placeholders will be used:
 - `wp.company` is the FQDN of Wordpress.
 - `authentik.company` is the FQDN of authentik.
 
-### Step 1 - Authentik
+### Step 1 - authentik
 
 In authentik, under _Providers_, create an _OAuth2/OpenID Provider_ with these settings:
 
@@ -63,7 +63,7 @@ Only settings that have been modified from default have been listed.
 Review each setting and choose the ones that you require for your installation.  Examples of popular settings are _Link Existing Users_, _Create user if does not exist_, and _Enforce Privacy_
 :::
 
-### Step 3 - Authentik
+### Step 3 - authentik
 
 In authentik, create an application which uses this provider. Optionally apply access restrictions to the application using policy bindings.
 

website/docs/integrations/sources/apple/index.md

@@ -0,0 +1,67 @@
+---
+title: Apple
+---
+
+Allows users to authenticate using their Apple ID.
+
+## Preparation
+
+:::warning
+An Apple developer account is required for this.
+:::
+
+The following placeholders will be used:
+
+- `authentik.company` is the FQDN of the authentik install.
+
+## Apple
+
+1. Log into your Apple developer account, and navigate to **Certificates, IDs & Profiles**, then click **Identifiers** in the sidebar.
+2. Register a new Identifier with the type of **App IDs**, and the subtype **App**.
+3. Choose a name that users will recognise for the **Description** field.
+4. For your bundle ID, use the reverse domain of authentik, in this case `company.authentik`.
+5. Scroll down the list of capabilities, and check the box next to **Sign In with Apple**.
+6. At the top, click **Continue** and **Register**.
+
+![](app_id.png)
+
+7. Register another new Identifier with the type of **Services IDs**.
+8. Again, choose the same name as above for your **Description** field.
+9. Use the same identifier as above, but add a suffix like `signin` or `oauth`, as identifiers are unique.
+10. At the top, click **Continue** and **Register**.
+
+![](service_id.png)
+
+11. Once back at the overview list, click on the just-created Identifier.
+12. Enable the checkbox next to **Sign In with Apple**, and click **Configure**
+13. Under domains, enter `authentik.company`.
+14. Under **Return URLs**, enter `https://authentik.company/source/oauth/callback/apple/`.
+
+![](app_service_config.png)
+
+15. Click on **Keys** in the sidebar. Register a new Key with any name, and select **Sign in with Apple**.
+16. Click on **Configure**, and select the App ID you've created above.
+17. At the top, click **Save**, **Continue** and **Register**.
+18. Download the Key file and note the **Key ID**.
+
+![](key.png)
+
+19. Note the Team ID, visible at the top of the page.
+
+## authentik
+
+20. Under _Resources -> Sources_ Click **Create Apple OAuth Source**
+
+21. **Name**: `Apple`
+22. **Slug**: `apple`
+23. **Consumer Key:** The identifier from step 9, then `;`, then your Team ID from step 19, then `;`, then the Key ID from step 18.
+
+    Example: `io.goauthentik.dev-local;JQNH45HN7V;XFBNJ82BV6`
+
+24. **Consumer Secret:** Paste the contents of the keyfile you've downloaded
+
+Save, and you now have Apple as a source.
+
+:::note
+For more details on how-to have the new source display on the Login Page see the Sources page.
+:::

website/docs/integrations/sources/discord/index.md

@@ -33,7 +33,7 @@ Here is an example of a completed OAuth2 screen for Discord.
 
 ![Example Screen](discord4.png)
 
-## Authentik
+## authentik
 
 8. Under _Resources -> Sources_ Click **Create Discord OAuth Source**
 
@@ -43,7 +43,7 @@ Here is an example of a completed OAuth2 screen for Discord.
 12. **Consumer Secret:** Client Secret from step 5
 13. **Provider type:** Discord
 
-Here is an exmple of a complete Authentik Discord OAuth Source
+Here is an example of a complete authentik Discord OAuth Source
 
 ![Example Screen](discord5.png)
 
@@ -51,4 +51,4 @@ Save, and you now have Discord as a source.
 
 :::note
 For more details on how-to have the new source display on the Login Page see the Sources page
-:::
+:::

website/docs/integrations/sources/github/index.md

@@ -17,7 +17,7 @@ The following placeholders will be used:
 
 ![Register OAuth App](githubdeveloper1.png)
 
-2. **Application Name:** Choose a name users will recognize ie: Authentik
+2. **Application Name:** Choose a name users will recognize ie: authentik
 3. **Homepage URL**:: www.my.company
 4. **Authorization callback URL**: https://authentik.company/source/oauth/callback/github
 5. Click **Register Application**
@@ -27,9 +27,9 @@ Example screenshot
 ![Example Screen](githubdeveloperexample.png)
 
 6. Copy the **Client ID** and _save it for later_
-7. Click **Generate a new client secret** and _save it for later_  You will not be able to see the secret again, so be sure to copy it now.  
+7. Click **Generate a new client secret** and _save it for later_  You will not be able to see the secret again, so be sure to copy it now.
 
-## Authentik
+## authentik
 
 8. Under _Resources -> Sources_ Click **Create Github OAuth Source**
 
@@ -49,7 +49,7 @@ As of June 20 2021 these URLS are correct. Here is the Github reference URL http
 15. **Access token URL:** `https://github.com/login/oauth/access_token`
 16. **Profile URL:** `https://api.github.com/user`
 
-Here is an exmple of a complete Authentik Github OAuth Source
+Here is an example of a complete authentik Github OAuth Source
 
 ![Example Screen](githubexample2.png)
 

website/docs/integrations/sources/google/index.md

@@ -15,7 +15,7 @@ The following placeholders will be used:
 You will need to create a new project, and OAuth credentials in the Google Developer console.  The developer console can be overwhelming at first.
 
 1. Visit https://console.developers.google.com/ to create a new project
-2. Create a New project. 
+2. Create a New project.
 
 ![Example Screen](googledeveloper1.png)
 
@@ -62,7 +62,7 @@ _I'm only going to list the mandatory/important fields to complete._
 24. Click **Create**
 25. Copy and store _Your Client ID_ and _Your Client Secret_ for later
 
-## Authentik
+## authentik
 
 26. Under _Resources -> Sources_ Click **Create Google OAuth Source**
 
@@ -72,7 +72,7 @@ _I'm only going to list the mandatory/important fields to complete._
 30. **Consumer Secret:** Your Client Secret from step 25
 31. **Provider Type:** Google
 
-Here is an exmple of a complete Authentik Google OAuth Source
+Here is an example of a complete authentik Google OAuth Source
 
 ![Example Screen](authentiksource.png)
 
@@ -80,4 +80,4 @@ Save, and you now have Google as a source.
 
 :::note
 For more details on how-to have the new source display on the Login Page see the Sources page
-:::
+:::

website/docs/integrations/sources/plex/index.md

@@ -8,7 +8,7 @@ Allows users to authenticate using their Plex credentials
 
 None
 
-## Authentik -> Sources
+## authentik -> Sources
 
 Add _Plex_ as a _source_
 

website/docs/providers/proxy/forward_auth.mdx

@@ -73,7 +73,7 @@ server {
         # authentik-specific config
         auth_request        /akprox/auth/nginx;
         error_page          401 = @akprox_signin;
-        # For domain level, use the below error_page to redirect to your Authentik server with the full redirect path
+        # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
         # error_page          401 =302 https://authentik.company/akprox/start?rd=$scheme://$http_host$request_uri;
 
         # translate headers from the outposts back to the actual upstream

website/docs/releases/v0.10.md

@@ -69,7 +69,7 @@ error_reporting:
 
 ### Upgrading
 
-This upgrade only applies if you are upgrading from a running 0.9 instance. Authentik detects this on startup, and automatically executes this upgrade.
+This upgrade only applies if you are upgrading from a running 0.9 instance. authentik detects this on startup, and automatically executes this upgrade.
 
 Because this upgrade brings the new OAuth2 Provider, the old providers will be lost in the process. Make sure to take note of the providers you want to bring over.
 

website/sidebars.js

@@ -64,6 +64,7 @@ module.exports = {
                     label: "as Source",
                     items: [
                         "integrations/sources/index",
+                        "integrations/sources/apple/index",
                         "integrations/sources/active-directory/index",
                         "integrations/sources/discord/index",
                         "integrations/sources/github/index",