diff --git a/.github/ISSUE_TEMPLATE/docs_issue.md b/.github/ISSUE_TEMPLATE/docs_issue.md new file mode 100644 index 0000000000..47eaa2a668 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/docs_issue.md @@ -0,0 +1,22 @@ +--- +name: Documentation issue +about: Suggest an improvement or report a problem +title: "" +labels: documentation +assignees: "" +--- + +**Do you see an area that can be clarified or expanded, a technical inaccuracy, or a broken link? Please describe.** +A clear and concise description of what the problem is, or where the document can be improved. Ex. I believe we need more details about [...] + +**Provide the URL or link to the exact page in the documentation to which you are referring.** +If there are multiple pages, list them all, and be sure to state the header or section where the content is. + +**Describe the solution you'd like** +A clear and concise description of what you want to happen. + +**Additional context** +Add any other context or screenshots about the documentation issue here. + +**Consider opening a PR!** +If the issue is one that you can fix, or even make a good pass at, we'd appreciate a PR. For more information about making a contribution to the docs, and using our Style Guide and our templates, refer to ["Writing documentation"](https://docs.goauthentik.io/docs/developer-docs/docs/writing-documentation). \ No newline at end of file diff --git a/.github/workflows/ci-outpost.yml b/.github/workflows/ci-outpost.yml index 209e7d4da1..4369d97404 100644 --- a/.github/workflows/ci-outpost.yml +++ b/.github/workflows/ci-outpost.yml @@ -29,7 +29,7 @@ jobs: - name: Generate API run: make gen-client-go - name: golangci-lint - uses: golangci/golangci-lint-action@v6 + uses: golangci/golangci-lint-action@v7 with: version: latest args: --timeout 5000s --verbose diff --git a/Dockerfile b/Dockerfile index 900efb0bc3..ef5cc06571 100644 --- a/Dockerfile +++ b/Dockerfile @@ -94,7 +94,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \ /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0" # Stage 5: Download uv -FROM ghcr.io/astral-sh/uv:0.6.9 AS uv +FROM ghcr.io/astral-sh/uv:0.6.10 AS uv # Stage 6: Base python image FROM ghcr.io/goauthentik/fips-python:3.12.8-slim-bookworm-fips AS python-base diff --git a/authentik/lib/default.yml b/authentik/lib/default.yml index f62265d931..f6c9e15240 100644 --- a/authentik/lib/default.yml +++ b/authentik/lib/default.yml @@ -1,5 +1,20 @@ -# update website/docs/install-config/configuration/configuration.mdx -# This is the default configuration file +# authentik configuration +# +# https://docs.goauthentik.io/docs/install-config/configuration/ +# +# To override the settings in this file, run the following command from the repository root: +# +# ```shell +# make gen-dev-config +# ``` +# +# You may edit the generated file to override the configuration below. +# +# When making modifying the default configuration file, +# ensure that the corresponding documentation is updated to match. +# +# @see {@link ../../website/docs/install-config/configuration/configuration.mdx Configuration documentation} for more information. + postgresql: host: localhost name: authentik diff --git a/authentik/stages/email/tests/test_sending.py b/authentik/stages/email/tests/test_sending.py index 631983ab67..fc36cc7db6 100644 --- a/authentik/stages/email/tests/test_sending.py +++ b/authentik/stages/email/tests/test_sending.py @@ -8,7 +8,7 @@ from django.core.mail.backends.locmem import EmailBackend from django.urls import reverse from authentik.core.models import User -from authentik.core.tests.utils import create_test_admin_user, create_test_flow +from authentik.core.tests.utils import create_test_admin_user, create_test_flow, create_test_user from authentik.events.models import Event, EventAction from authentik.flows.markers import StageMarker from authentik.flows.models import FlowDesignation, FlowStageBinding @@ -67,6 +67,36 @@ class TestEmailStageSending(FlowTestCase): self.assertEqual(event.context["to_email"], [f"{self.user.name} <{self.user.email}>"]) self.assertEqual(event.context["from_email"], "system@authentik.local") + def test_newlines_long_name(self): + """Test with pending user""" + plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()]) + long_user = create_test_user() + long_user.name = "Test User\r\n Many Words\r\n" + long_user.save() + plan.context[PLAN_CONTEXT_PENDING_USER] = long_user + session = self.client.session + session[SESSION_KEY_PLAN] = plan + session.save() + Event.objects.filter(action=EventAction.EMAIL_SENT).delete() + + url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}) + with patch( + "authentik.stages.email.models.EmailStage.backend_class", + PropertyMock(return_value=EmailBackend), + ): + response = self.client.post(url) + self.assertEqual(response.status_code, 200) + self.assertStageResponse( + response, + self.flow, + response_errors={ + "non_field_errors": [{"string": "email-sent", "code": "email-sent"}] + }, + ) + self.assertEqual(len(mail.outbox), 1) + self.assertEqual(mail.outbox[0].subject, "authentik") + self.assertEqual(mail.outbox[0].to, [f"Test User Many Words <{long_user.email}>"]) + def test_pending_fake_user(self): """Test with pending (fake) user""" self.flow.designation = FlowDesignation.RECOVERY diff --git a/authentik/stages/email/utils.py b/authentik/stages/email/utils.py index 22beb1294c..f19d9c1ea6 100644 --- a/authentik/stages/email/utils.py +++ b/authentik/stages/email/utils.py @@ -32,7 +32,14 @@ class TemplateEmailMessage(EmailMultiAlternatives): sanitized_to = [] # Ensure that all recipients are valid for recipient_name, recipient_email in to: - sanitized_to.append(sanitize_address((recipient_name, recipient_email), "utf-8")) + # Remove any newline characters from name and email before sanitizing + clean_name = ( + recipient_name.replace("\n", " ").replace("\r", " ") if recipient_name else "" + ) + clean_email = ( + recipient_email.replace("\n", "").replace("\r", "") if recipient_email else "" + ) + sanitized_to.append(sanitize_address((clean_name, clean_email), "utf-8")) super().__init__(to=sanitized_to, **kwargs) if not template_name: return diff --git a/internal/config/config.go b/internal/config/config.go index a7d3eeb5d0..ca1ec09424 100644 --- a/internal/config/config.go +++ b/internal/config/config.go @@ -162,13 +162,14 @@ func (c *Config) parseScheme(rawVal string) string { if err != nil { return rawVal } - if u.Scheme == "env" { + switch u.Scheme { + case "env": e, ok := os.LookupEnv(u.Host) if ok { return e } return u.RawQuery - } else if u.Scheme == "file" { + case "file": d, err := os.ReadFile(u.Path) if err != nil { return u.RawQuery diff --git a/internal/config/config_test.go b/internal/config/config_test.go index 0687e84a2b..066592f48e 100644 --- a/internal/config/config_test.go +++ b/internal/config/config_test.go @@ -10,7 +10,7 @@ import ( ) func TestConfigEnv(t *testing.T) { - os.Setenv("AUTHENTIK_SECRET_KEY", "bar") + assert.NoError(t, os.Setenv("AUTHENTIK_SECRET_KEY", "bar")) cfg = nil if err := Get().fromEnv(); err != nil { panic(err) @@ -19,8 +19,8 @@ func TestConfigEnv(t *testing.T) { } func TestConfigEnv_Scheme(t *testing.T) { - os.Setenv("foo", "bar") - os.Setenv("AUTHENTIK_SECRET_KEY", "env://foo") + assert.NoError(t, os.Setenv("foo", "bar")) + assert.NoError(t, os.Setenv("AUTHENTIK_SECRET_KEY", "env://foo")) cfg = nil if err := Get().fromEnv(); err != nil { panic(err) @@ -33,13 +33,15 @@ func TestConfigEnv_File(t *testing.T) { if err != nil { log.Fatal(err) } - defer os.Remove(file.Name()) + defer func() { + assert.NoError(t, os.Remove(file.Name())) + }() _, err = file.Write([]byte("bar")) if err != nil { panic(err) } - os.Setenv("AUTHENTIK_SECRET_KEY", fmt.Sprintf("file://%s", file.Name())) + assert.NoError(t, os.Setenv("AUTHENTIK_SECRET_KEY", fmt.Sprintf("file://%s", file.Name()))) cfg = nil if err := Get().fromEnv(); err != nil { panic(err) diff --git a/internal/debug/debug.go b/internal/debug/debug.go index ddd90ffa9e..3897df12e5 100644 --- a/internal/debug/debug.go +++ b/internal/debug/debug.go @@ -35,7 +35,7 @@ func EnableDebugServer() { if err != nil { return nil } - _, err = w.Write([]byte(fmt.Sprintf("%[1]s
", tpl))) + _, err = fmt.Fprintf(w, "%[1]s
", tpl) if err != nil { l.WithError(err).Warning("failed to write index") return nil diff --git a/internal/gounicorn/gounicorn.go b/internal/gounicorn/gounicorn.go index a3692f3106..6478b91981 100644 --- a/internal/gounicorn/gounicorn.go +++ b/internal/gounicorn/gounicorn.go @@ -44,10 +44,11 @@ func New(healthcheck func() bool) *GoUnicorn { signal.Notify(c, syscall.SIGHUP, syscall.SIGUSR2) go func() { for sig := range c { - if sig == syscall.SIGHUP { + switch sig { + case syscall.SIGHUP: g.log.Info("SIGHUP received, forwarding to gunicorn") g.Reload() - } else if sig == syscall.SIGUSR2 { + case syscall.SIGUSR2: g.log.Info("SIGUSR2 received, restarting gunicorn") g.Restart() } diff --git a/internal/outpost/ak/api_utils.go b/internal/outpost/ak/api_utils.go index d732ba7556..9b477903ae 100644 --- a/internal/outpost/ak/api_utils.go +++ b/internal/outpost/ak/api_utils.go @@ -35,13 +35,19 @@ func Paginator[Tobj any, Treq any, Tres PaginatorResponse[Tobj]]( req PaginatorRequest[Treq, Tres], opts PaginatorOptions, ) ([]Tobj, error) { + if opts.Logger == nil { + opts.Logger = log.NewEntry(log.StandardLogger()) + } var bfreq, cfreq interface{} fetchOffset := func(page int32) (Tres, error) { bfreq = req.Page(page) cfreq = bfreq.(PaginatorRequest[Treq, Tres]).PageSize(int32(opts.PageSize)) - res, _, err := cfreq.(PaginatorRequest[Treq, Tres]).Execute() + res, hres, err := cfreq.(PaginatorRequest[Treq, Tres]).Execute() if err != nil { opts.Logger.WithError(err).WithField("page", page).Warning("failed to fetch page") + if hres != nil && hres.StatusCode >= 400 && hres.StatusCode < 500 { + return res, err + } } return res, err } @@ -51,6 +57,9 @@ func Paginator[Tobj any, Treq any, Tres PaginatorResponse[Tobj]]( for { apiObjects, err := fetchOffset(page) if err != nil { + if page == 1 { + return objects, err + } errs = append(errs, err) continue } diff --git a/internal/outpost/ak/api_utils_test.go b/internal/outpost/ak/api_utils_test.go index ac751f943a..7ee84e13f4 100644 --- a/internal/outpost/ak/api_utils_test.go +++ b/internal/outpost/ak/api_utils_test.go @@ -1,5 +1,64 @@ package ak +import ( + "errors" + "net/http" + "testing" + + "github.com/stretchr/testify/assert" + "goauthentik.io/api/v3" +) + +type fakeAPIType struct{} + +type fakeAPIResponse struct { + results []fakeAPIType + pagination api.Pagination +} + +func (fapi *fakeAPIResponse) GetResults() []fakeAPIType { return fapi.results } +func (fapi *fakeAPIResponse) GetPagination() api.Pagination { return fapi.pagination } + +type fakeAPIRequest struct { + res *fakeAPIResponse + http *http.Response + err error +} + +func (fapi *fakeAPIRequest) Page(page int32) *fakeAPIRequest { return fapi } +func (fapi *fakeAPIRequest) PageSize(size int32) *fakeAPIRequest { return fapi } +func (fapi *fakeAPIRequest) Execute() (*fakeAPIResponse, *http.Response, error) { + return fapi.res, fapi.http, fapi.err +} + +func Test_Simple(t *testing.T) { + req := &fakeAPIRequest{ + res: &fakeAPIResponse{ + results: []fakeAPIType{ + {}, + }, + pagination: api.Pagination{ + TotalPages: 1, + }, + }, + } + res, err := Paginator(req, PaginatorOptions{}) + assert.NoError(t, err) + assert.Len(t, res, 1) +} + +func Test_BadRequest(t *testing.T) { + req := &fakeAPIRequest{ + http: &http.Response{ + StatusCode: 400, + }, + err: errors.New("foo"), + } + res, err := Paginator(req, PaginatorOptions{}) + assert.Error(t, err) + assert.Equal(t, []fakeAPIType{}, res) +} + // func Test_PaginatorCompile(t *testing.T) { // req := api.ApiCoreUsersListRequest{} // Paginator(req, PaginatorOptions{ diff --git a/internal/outpost/ak/api_ws.go b/internal/outpost/ak/api_ws.go index d92941f760..62f4e9ea48 100644 --- a/internal/outpost/ak/api_ws.go +++ b/internal/outpost/ak/api_ws.go @@ -148,7 +148,8 @@ func (ac *APIController) startWSHandler() { "outpost_type": ac.Server.Type(), "uuid": ac.instanceUUID.String(), }).Set(1) - if wsMsg.Instruction == WebsocketInstructionTriggerUpdate { + switch wsMsg.Instruction { + case WebsocketInstructionTriggerUpdate: time.Sleep(ac.reloadOffset) logger.Debug("Got update trigger...") err := ac.OnRefresh() @@ -163,7 +164,7 @@ func (ac *APIController) startWSHandler() { "build": constants.BUILD(""), }).SetToCurrentTime() } - } else if wsMsg.Instruction == WebsocketInstructionProviderSpecific { + case WebsocketInstructionProviderSpecific: for _, h := range ac.wsHandlers { h(context.Background(), wsMsg.Args) } diff --git a/internal/outpost/ldap/ldap.go b/internal/outpost/ldap/ldap.go index 383682c78a..f9d4ad61bb 100644 --- a/internal/outpost/ldap/ldap.go +++ b/internal/outpost/ldap/ldap.go @@ -66,7 +66,12 @@ func (ls *LDAPServer) StartLDAPServer() error { return err } proxyListener := &proxyproto.Listener{Listener: ln, ConnPolicy: utils.GetProxyConnectionPolicy()} - defer proxyListener.Close() + defer func() { + err := proxyListener.Close() + if err != nil { + ls.log.WithError(err).Warning("failed to close proxy listener") + } + }() ls.log.WithField("listen", listen).Info("Starting LDAP server") err = ls.s.Serve(proxyListener) diff --git a/internal/outpost/ldap/ldap_tls.go b/internal/outpost/ldap/ldap_tls.go index 48d4bcf8d9..40dfc25d9b 100644 --- a/internal/outpost/ldap/ldap_tls.go +++ b/internal/outpost/ldap/ldap_tls.go @@ -49,7 +49,12 @@ func (ls *LDAPServer) StartLDAPTLSServer() error { } proxyListener := &proxyproto.Listener{Listener: ln, ConnPolicy: utils.GetProxyConnectionPolicy()} - defer proxyListener.Close() + defer func() { + err := proxyListener.Close() + if err != nil { + ls.log.WithError(err).Warning("failed to close proxy listener") + } + }() tln := tls.NewListener(proxyListener, tlsConfig) diff --git a/internal/outpost/ldap/search/memory/memory.go b/internal/outpost/ldap/search/memory/memory.go index 0236cd9f28..c4f23a60e8 100644 --- a/internal/outpost/ldap/search/memory/memory.go +++ b/internal/outpost/ldap/search/memory/memory.go @@ -98,7 +98,7 @@ func (ms *MemorySearcher) Search(req *search.Request) (ldap.ServerSearchResult, entries := make([]*ldap.Entry, 0) - scope := req.SearchRequest.Scope + scope := req.Scope needUsers, needGroups := ms.si.GetNeededObjects(scope, req.BaseDN, req.FilterObjectClass) if scope >= 0 && strings.EqualFold(req.BaseDN, baseDN) { diff --git a/internal/outpost/proxyv2/application/endpoint.go b/internal/outpost/proxyv2/application/endpoint.go index c9cc50d40c..6137de2254 100644 --- a/internal/outpost/proxyv2/application/endpoint.go +++ b/internal/outpost/proxyv2/application/endpoint.go @@ -56,7 +56,7 @@ func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string, embedded bo if !embedded && hostBrowser == "" { return ep } - var newHost *url.URL = aku + var newHost = aku var newBrowserHost *url.URL if embedded { if authentikHost == "" { diff --git a/internal/outpost/proxyv2/proxyv2.go b/internal/outpost/proxyv2/proxyv2.go index eed0ef18ac..1a83081d35 100644 --- a/internal/outpost/proxyv2/proxyv2.go +++ b/internal/outpost/proxyv2/proxyv2.go @@ -130,7 +130,12 @@ func (ps *ProxyServer) ServeHTTP() { return } proxyListener := &proxyproto.Listener{Listener: listener, ConnPolicy: utils.GetProxyConnectionPolicy()} - defer proxyListener.Close() + defer func() { + err := proxyListener.Close() + if err != nil { + ps.log.WithError(err).Warning("failed to close proxy listener") + } + }() ps.log.WithField("listen", listenAddress).Info("Starting HTTP server") ps.serve(proxyListener) @@ -149,7 +154,12 @@ func (ps *ProxyServer) ServeHTTPS() { return } proxyListener := &proxyproto.Listener{Listener: web.TCPKeepAliveListener{TCPListener: ln.(*net.TCPListener)}, ConnPolicy: utils.GetProxyConnectionPolicy()} - defer proxyListener.Close() + defer func() { + err := proxyListener.Close() + if err != nil { + ps.log.WithError(err).Warning("failed to close proxy listener") + } + }() tlsListener := tls.NewListener(proxyListener, tlsConfig) ps.log.WithField("listen", listenAddress).Info("Starting HTTPS server") diff --git a/internal/outpost/proxyv2/redisstore/redisstore.go b/internal/outpost/proxyv2/redisstore/redisstore.go index 21c812412a..643e2d11da 100644 --- a/internal/outpost/proxyv2/redisstore/redisstore.go +++ b/internal/outpost/proxyv2/redisstore/redisstore.go @@ -72,11 +72,13 @@ func (s *RedisStore) New(r *http.Request, name string) (*sessions.Session, error session.ID = c.Value err = s.load(r.Context(), session) - if err == nil { - session.IsNew = false - } else if err == redis.Nil { - err = nil // no data stored + if err != nil { + if errors.Is(err, redis.Nil) { + return session, nil + } + return session, err } + session.IsNew = false return session, err } diff --git a/internal/web/web.go b/internal/web/web.go index ecf2da149e..d5b2ae88ef 100644 --- a/internal/web/web.go +++ b/internal/web/web.go @@ -158,7 +158,12 @@ func (ws *WebServer) listenPlain() { return } proxyListener := &proxyproto.Listener{Listener: ln, ConnPolicy: utils.GetProxyConnectionPolicy()} - defer proxyListener.Close() + defer func() { + err := proxyListener.Close() + if err != nil { + ws.log.WithError(err).Warning("failed to close proxy listener") + } + }() ws.log.WithField("listen", config.Get().Listen.HTTP).Info("Starting HTTP server") ws.serve(proxyListener) diff --git a/internal/web/web_tls.go b/internal/web/web_tls.go index 7ccaf4dff9..9e006fbdd8 100644 --- a/internal/web/web_tls.go +++ b/internal/web/web_tls.go @@ -46,7 +46,12 @@ func (ws *WebServer) listenTLS() { return } proxyListener := &proxyproto.Listener{Listener: web.TCPKeepAliveListener{TCPListener: ln.(*net.TCPListener)}, ConnPolicy: utils.GetProxyConnectionPolicy()} - defer proxyListener.Close() + defer func() { + err := proxyListener.Close() + if err != nil { + ws.log.WithError(err).Warning("failed to close proxy listener") + } + }() tlsListener := tls.NewListener(proxyListener, tlsConfig) ws.log.WithField("listen", config.Get().Listen.HTTPS).Info("Starting HTTPS server") diff --git a/lifecycle/aws/package-lock.json b/lifecycle/aws/package-lock.json index 29913c2f02..2d73b7fdfe 100644 --- a/lifecycle/aws/package-lock.json +++ b/lifecycle/aws/package-lock.json @@ -9,7 +9,7 @@ "version": "0.0.0", "license": "MIT", "devDependencies": { - "aws-cdk": "^2.1005.0", + "aws-cdk": "^2.1006.0", "cross-env": "^7.0.3" }, "engines": { @@ -17,9 +17,9 @@ } }, "node_modules/aws-cdk": { - "version": "2.1005.0", - "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1005.0.tgz", - "integrity": "sha512-4ejfGGrGCEl0pg1xcqkxK0lpBEZqNI48wtrXhk6dYOFYPYMZtqn1kdla29ONN+eO2unewkNF4nLP1lPYhlf9Pg==", + "version": "2.1006.0", + "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1006.0.tgz", + "integrity": "sha512-6qYnCt4mBN+3i/5F+FC2yMETkDHY/IL7gt3EuqKVPcaAO4jU7oXfVSlR60CYRkZWL4fnAurUV14RkJuJyVG/IA==", "dev": true, "license": "Apache-2.0", "bin": { diff --git a/lifecycle/aws/package.json b/lifecycle/aws/package.json index d99249d1d1..912bed315c 100644 --- a/lifecycle/aws/package.json +++ b/lifecycle/aws/package.json @@ -10,7 +10,7 @@ "node": ">=20" }, "devDependencies": { - "aws-cdk": "^2.1005.0", + "aws-cdk": "^2.1006.0", "cross-env": "^7.0.3" } } diff --git a/scripts/generate_config.py b/scripts/generate_config.py index cc7cc30fd1..6cb49e0aea 100755 --- a/scripts/generate_config.py +++ b/scripts/generate_config.py @@ -5,48 +5,88 @@ from yaml import safe_dump from authentik.lib.generators import generate_id -with open("local.env.yml", "w", encoding="utf-8") as _config: - safe_dump( - { - "debug": True, - "log_level": "debug", - "secret_key": generate_id(), - "postgresql": { - "user": "postgres", - }, - "outposts": { - "container_image_base": "ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s", - "disable_embedded_outpost": False, - }, - "blueprints_dir": "./blueprints", - "cert_discovery_dir": "./certs", - "events": { - "processors": { - "geoip": "tests/GeoLite2-City-Test.mmdb", - "asn": "tests/GeoLite2-ASN-Test.mmdb", - } - }, - "storage": { - "media": { - "backend": "file", - "s3": { - "endpoint": "http://localhost:8020", - "access_key": "accessKey1", - "secret_key": "secretKey1", - "bucket_name": "authentik-media", - "custom_domain": "localhost:8020/authentik-media", - "secure_urls": False, - }, + +def generate_local_config(): + """Generate a local development configuration""" + # TODO: This should be generated and validated against a schema, such as Pydantic. + + return { + "debug": True, + "log_level": "debug", + "secret_key": generate_id(), + "postgresql": { + "user": "postgres", + }, + "outposts": { + "container_image_base": "ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s", + "disable_embedded_outpost": False, + }, + "blueprints_dir": "./blueprints", + "cert_discovery_dir": "./certs", + "events": { + "processors": { + "geoip": "tests/GeoLite2-City-Test.mmdb", + "asn": "tests/GeoLite2-ASN-Test.mmdb", + } + }, + "storage": { + "media": { + "backend": "file", + "s3": { + "endpoint": "http://localhost:8020", + "access_key": "accessKey1", + "secret_key": "secretKey1", + "bucket_name": "authentik-media", + "custom_domain": "localhost:8020/authentik-media", + "secure_urls": False, }, }, - "tenants": { - "enabled": False, - "api_key": generate_id(), - }, - "worker": { - "embedded": True, - }, }, - _config, - default_flow_style=False, + "tenants": { + "enabled": False, + "api_key": generate_id(), + }, + "worker": { + "embedded": True, + }, + } + + +if __name__ == "__main__": + config_file_name = "local.env.yml" + + with open(config_file_name, "w", encoding="utf-8") as _config: + _config.write( + """ +# Local authentik configuration overrides +# +# https://docs.goauthentik.io/docs/install-config/configuration/ +# +# To regenerate this file, run the following command from the repository root: +# +# ```shell +# make gen-dev-config +# ``` + +""" + ) + + safe_dump( + generate_local_config(), + _config, + default_flow_style=False, + ) + + print( + f""" +--- + +Generated configuration file: {config_file_name} + +For more information on how to use this configuration, see: + +https://docs.goauthentik.io/docs/install-config/configuration/ + +--- +""" ) diff --git a/web/package-lock.json b/web/package-lock.json index 335438a5b4..bbbfaff646 100644 --- a/web/package-lock.json +++ b/web/package-lock.json @@ -24760,9 +24760,9 @@ } }, "node_modules/vite": { - "version": "5.4.14", - "resolved": "https://registry.npmjs.org/vite/-/vite-5.4.14.tgz", - "integrity": "sha512-EK5cY7Q1D8JNhSaPKVK4pwBFvaTmZxEnoKXLG/U9gmdDcihQGNzFlgIvaxezFR4glP1LsuiedwMBqCXH3wZccA==", + "version": "5.4.15", + "resolved": "https://registry.npmjs.org/vite/-/vite-5.4.15.tgz", + "integrity": "sha512-6ANcZRivqL/4WtwPGTKNaosuNJr5tWiftOC7liM7G9+rMb8+oeJeyzymDu4rTN93seySBmbjSfsS3Vzr19KNtA==", "dev": true, "license": "MIT", "dependencies": { diff --git a/web/src/elements/sync/SyncStatusCard.ts b/web/src/elements/sync/SyncStatusCard.ts index ce329dd61a..fb75d9995a 100644 --- a/web/src/elements/sync/SyncStatusCard.ts +++ b/web/src/elements/sync/SyncStatusCard.ts @@ -11,6 +11,7 @@ import { msg } from "@lit/localize"; import { CSSResult, TemplateResult, css, html } from "lit"; import { customElement, property, state } from "lit/decorators.js"; +import PFButton from "@patternfly/patternfly/components/Button/button.css"; import PFCard from "@patternfly/patternfly/components/Card/card.css"; import PFTable from "@patternfly/patternfly/components/Table/table.css"; import PFBase from "@patternfly/patternfly/patternfly-base.css"; @@ -34,6 +35,9 @@ export class SyncStatusTable extends Table { } async apiEndpoint(): Promise> { + if (this.tasks.length === 1) { + this.expandedElements = this.tasks; + } return { pagination: { next: 0, @@ -104,7 +108,7 @@ export class SyncStatusCard extends AKElement { triggerSync!: () => Promise; static get styles(): CSSResult[] { - return [PFBase, PFCard, PFTable]; + return [PFBase, PFButton, PFCard, PFTable]; } firstUpdated() { @@ -133,7 +137,20 @@ export class SyncStatusCard extends AKElement { render(): TemplateResult { return html`
-
${msg("Sync status")}
+
+
+ +
+
${msg("Sync status")}
+
${this.renderSyncStatus()}
{ + reset = (ev?: Event) => { + if (ev) { + ev.preventDefault(); + ev.stopPropagation(); + } this.open = false; this.querySelectorAll("[data-wizardmanaged=true]").forEach((el) => { @@ -245,7 +249,7 @@ export class Wizard extends ModalButton { class="pf-c-button pf-m-plain pf-c-wizard__close" type="button" aria-label="${msg("Close")}" - @click=${this.reset} + @click=${(ev: Event) => this.reset(ev)} > ` @@ -332,9 +336,7 @@ export class Wizard extends ModalButton { diff --git a/website/docs/developer-docs/setup/frontend-dev-environment.md b/website/docs/developer-docs/setup/frontend-dev-environment.md index 5c53726eaa..05628e21dd 100644 --- a/website/docs/developer-docs/setup/frontend-dev-environment.md +++ b/website/docs/developer-docs/setup/frontend-dev-environment.md @@ -1,51 +1,82 @@ --- -title: Frontend-only development environment +title: Frontend development environment +sidebar_label: Frontend development +tags: + - development + - contributor + - frontend + - docker --- -If you want to only make changes on the UI, you don't need a backend running from source. You can user the docker-compose install with a few customizations. +If you're focusing solely on frontend development, you can create a minimal development environment using Docker and Node.js. This setup allows you to make and preview changes to the frontend in real-time, without needing to interact with the backend. ### Prerequisites -- Node.js (any recent version should work; we use 22.x to build) -- Make (again, any recent version should work) -- Docker and Docker Compose +- [Node.js](https://nodejs.org/en) (22 or later) +- [Docker](https://www.docker.com/) (Latest Community Edition or Docker Desktop) +- [Docker Compose](https://docs.docker.com/compose/) (Compose v2) +- [Make](https://www.gnu.org/software/make/) (3 or later) :::info + Depending on platform, some native dependencies might be required. On macOS, run `brew install node@22`, and for Docker `brew install --cask docker` + ::: ### Instructions -1. Clone the git repo from https://github.com/goauthentik/authentik. -2. In the cloned repository, follow the docker-compose installation instructions [here](../../install-config/install/docker-compose). -3. Add the following entry to your `.env` file: +1. Clone the Git repo to your development machine and navigate to the authentik directory. + ```shell + git clone https://github.com/goauthentik/authentik + cd authentik ``` + + :::info Beta images + By default, authentik will use the latest stable Docker images. + You can opt into using beta images during development by creating a `.env` file in the root of the repository with the following variables: + + ```shell AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server AUTHENTIK_TAG=gh-next AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-next AUTHENTIK_LOG_LEVEL=debug ``` - This will cause authentik to use the beta images. + ::: -4. Add this volume mapping to your compose file. +2. From the cloned repository, follow the Docker Compose [installation instructions](../../install-config/install/docker-compose). - ```yaml +3. Create a Docker Compose override to mount the local configuration file (`local.env.yml`) and ESBuild's output directory (`web`). + + ```yaml title="docker-compose.override.yml" services: - # [...] server: - # [...] volumes: - ./web:/web - ./local.env.yml:/local.env.yml ``` - This makes the local web files and the config file available to the authentik server. + By creating this file in the root of the repository, Docker will automatically mount the web files generated by the build process. The `local.env.yml` mount is optional, but allows you to override the default configuration. -5. Run `docker compose up -d` to apply those changes to your containers. -6. `cd web` -7. Run `npm i` and then `npm run watch` to start the build process. +4. From the cloned repository root, install the front-end dependencies using NPM. + + ```shell + cd web + npm ci + ``` + +5. From the cloned repository root, run the front-end build script. + + ```shell + make web-watch + ``` + +6. In a new terminal, navigate to the cloned repository root and start the backend containers with Docker Compose. + + ```shell + docker compose up + ``` You can now access authentik on http://localhost:9000 (or https://localhost:9443). diff --git a/website/docs/developer-docs/setup/full-dev-environment.mdx b/website/docs/developer-docs/setup/full-dev-environment.mdx index 9f29083500..768dd2c185 100644 --- a/website/docs/developer-docs/setup/full-dev-environment.mdx +++ b/website/docs/developer-docs/setup/full-dev-environment.mdx @@ -1,5 +1,12 @@ --- title: Full development environment +sidebar_label: Full development +tags: + - development + - contributor + - backend + - frontend + - docker --- import Tabs from "@theme/Tabs"; @@ -8,13 +15,14 @@ import ExecutionEnvironment from "@docusaurus/ExecutionEnvironment"; ## Requirements -- [Python](https://www.python.org/) 3.12 -- [uv](https://docs.astral.sh/uv/getting-started/installation/), which is used to manage dependencies -- [Go](https://go.dev/) 1.23 or newer -- [Node.js](https://nodejs.org/en) 22 or newer -- [PostgreSQL](https://www.postgresql.org/) 16 or newer -- [Redis](https://redis.io/) (any recent version will do) -- [Docker](https://www.docker.com/) (Community Edition will do) +- [Python](https://www.python.org/) (3.12 or later) +- [uv](https://docs.astral.sh/uv/getting-started/installation/), (Latest stable release) +- [Go](https://go.dev/) (1.23 or later) +- [Node.js](https://nodejs.org/en) (22 or later) +- [PostgreSQL](https://www.postgresql.org/) (16 or later) +- [Redis](https://redis.io/) (7 or later) +- [Docker](https://www.docker.com/) (Latest Community Edition or Docker Desktop) +- [Docker Compose](https://docs.docker.com/compose/) (Compose v2) ## Services Setup diff --git a/website/docs/developer-docs/setup/website-dev-environment.md b/website/docs/developer-docs/setup/website-dev-environment.md index 472b72e326..98b56c0ad7 100644 --- a/website/docs/developer-docs/setup/website-dev-environment.md +++ b/website/docs/developer-docs/setup/website-dev-environment.md @@ -1,5 +1,11 @@ --- -title: Website development environment +title: Docs development environment +sidebar_label: Docs development +tags: + - development + - contributor + - docs + - docusaurus --- If you want to only make changes to the website, you only need node. diff --git a/website/docs/install-config/install/docker-compose.mdx b/website/docs/install-config/install/docker-compose.mdx index 219c332d65..8f6137c971 100644 --- a/website/docs/install-config/install/docker-compose.mdx +++ b/website/docs/install-config/install/docker-compose.mdx @@ -8,7 +8,7 @@ This installation method is for test setups and small-scale production setups. - A host with at least 2 CPU cores and 2 GB of RAM - Docker -- Docker Compose (Compose v2 is recommended, see [here](https://docs.docker.com/compose/migrate/) for instructions on how to upgrade) +- Docker Compose (Compose v2, see [instructions for upgrade](https://docs.docker.com/compose/migrate/)) ## Video diff --git a/website/docs/troubleshooting/logs.md b/website/docs/troubleshooting/logs.md new file mode 100644 index 0000000000..8932dadb91 --- /dev/null +++ b/website/docs/troubleshooting/logs.md @@ -0,0 +1,47 @@ +--- +title: Capturing logs +--- + +When troubleshooting issues it is useful to investigate the [event logs](../sys-mgmt/events/index.md) that are continuosuly outputted by authentik. + +## Capturing Past Logs + +The `--since` option can be used with both `docker logs` and `kubectl logs` commands. It can accept a Go durating string (e.g. `1m30s`, `3h`) or a specific date/time (e.g. `2006-01-02T07:00`, `2006-01-02`). When used, the command will output logs for the specified time period. + +More information on this option and others can be found in the [`docker logs` command documentation](https://docs.docker.com/reference/cli/docker/container/logs/) and [`kubectl logs` command documentation](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_logs/). + +### Docker + +To capture and display the logs of a Docker container in the terminal, use the following command: + +```shell +docker logs --timestamps --since 5m +``` + +### Kubernetes + +To capture and display the logs from a pod deployed via Kubernetes, use the following command: + +```shell +kubectl logs --timestamps --since 5m +``` + +## Continuously Capturing Logs + +To continuously display logs from a Docker container or a pod deployed via Kubernetes, you can include the _follow_ option (`-f`, `--follow`). This option will stream logs into the terminal until stopped (`Ctrl + C` or closing the terminal). + +### Docker + +To stream the logs from a Docker container, use the following command: + +```shell +docker logs -f --timestamps +``` + +### Kubernetes Logs + +To stream the logs from a pod deployed via Kubernetes, use the following command: + +```shell +kubectl logs -f --timestamps +``` diff --git a/website/integrations/index.mdx b/website/integrations/index.mdx index 795d64841d..55cc70bb48 100644 --- a/website/integrations/index.mdx +++ b/website/integrations/index.mdx @@ -1,15 +1,23 @@ --- title: Integrations overview +sidebar_label: Overview --- -There are two main types of integrations with authentik: **Applications** and **Sources**. +## What is an integration? -## Applications +An integration is a how authentik connects to third-party applications, directories, and other identity providers. +Integrations are categorized into two categories: **Applications** and **Sources**. -authentik integrates with many applications. For a full list, and to learn more about adding documentation for a new application, refer to the [Applications](../integrations/services/index.mdx) documentation +### Applications -## Sources +Applications include vendor tools such as Google Workspace, GitHub, Slack, or AWS. These applications can be integrated with authentik to provide single sign-on capabilities to securely authenticate users. -In addition to applications, authentik also integrates with external sources, including federated directories like Active Directory and through protocols such as LDAP, OAuth, SAML, and SCIM sources. Sources are a way for authentik to use external credentials for authentication and verification. Sources in authentik can also be used for social logins, using external providers such as Facebook, Twitter, etc. +If you want to integrate an application that isn't listed, authentik can be configured to work with most applications that support authentication protocols such as [SAML](../docs/add-secure-apps/providers/saml), [OAuth and OpenID Connect](../docs/add-secure-apps/providers/oauth2). -To learn more, refer to the [Sources](https://docs.goauthentik.io/docs/users-sources/sources/index) documentation. +To learn more, refer to the [Applications](../integrations/services) page. + +### Federated and social sources + +Sources are a way for authentik to use external user credentials for authentication. Supported integrations with external sources via authentik include federated directories like Active Directory and social logins such as Facebook, Twitter, etc. These integrations support all major protocols, including [LDAP](../docs/users-sources/sources/protocols/ldap), [SCIM](../docs/users-sources/sources/protocols/scim), [SAML](../docs/users-sources/sources/protocols/saml), and [OAuth and OpenID Connect](../docs/users-sources/sources/protocols/oauth) + +To learn more, refer to the [Sources](../docs/users-sources/sources) page. diff --git a/website/integrations/services/actual-budget/index.mdx b/website/integrations/services/actual-budget/index.mdx index 48d2dc10dd..1a3408fca6 100644 --- a/website/integrations/services/actual-budget/index.mdx +++ b/website/integrations/services/actual-budget/index.mdx @@ -26,28 +26,22 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration -[Create](https://docs.goauthentik.io/docs/add-secure-apps/applications/manage_apps#add-new-applications) an OAuth2/OpenID provider and an application in authentik. Use the following parameters for the OAuth2/OpenID provider: +To support the integration of Actual Budget with authentik, you need to create an application/provider pair in authentik. -**Provider:** +### Create an application and provider in authentik -- Name: _SP-actual_ -- Client type: _Confidential_ -- Redirect URIs/Origins (RegEx): https://_actual.company_/openid/callback -- Signing Key: Select any available signing keys. +1. Log in to authentik as an admin, and open the authentik Admin interface. +2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.) -:::info -Actual Budget supports the RS256 algorithm. Be aware of this when choosing the appropriate signing key. -::: +- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. +- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. +- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. + - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later. + - Set a `Strict` redirect URI to https://actual.company/openid/callback/. + - Select any available signing key. Actual Budget only supports the RS256 algorithm. Be aware of this when choosing a signing key. +- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. -Take note of the Client ID and Client Secret; you will need to provide them to Actual Budget in the last step. - -Leave the remaining values as default. Durations can be adjusted as needed. - -**Application:** - -- Name: _Actual Budget_ -- Slug: _actual_ -- Launch URL: https://_actual.company_/ +3. Click **Submit** to save the new application and provider. ## Actual Budget configuration diff --git a/website/integrations/services/adventurelog/index.md b/website/integrations/services/adventurelog/index.md index 0d1c8af550..7f88e52b03 100644 --- a/website/integrations/services/adventurelog/index.md +++ b/website/integrations/services/adventurelog/index.md @@ -23,26 +23,22 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration -1. Create a new OAuth2/OpenID Provider under **Applications** > **Providers** using the following settings: - - **Name**: AdventureLog - - **Authentication flow**: default-authentication-flow - - **Authorization flow**: default-provider-authorization-explicit-consent - - **Client type**: Confidential - - **Client ID**: Either create your own Client ID or use the auto-populated ID - - **Client Secret**: Either create your own Client Secret or use the auto-populated secret - :::note - Take note of the `Client ID` and `Client Secret` as they are required when configuring AdventureLog. - ::: - - **Redirect URIs/Origins (RegEx)**: - :::note - Make sure type is set to `RegEx` and the following RegEx is used. - ::: - - `^https://adventurelog.company/accounts/oidc/.*$` - - **Signing Key**: authentik Self-signed Certificate - - Leave everything else as default -2. Open the new provider you've just created. -3. Make a note of the **OpenID Configuration Issuer**. -4. Navigate to **Applications -> Applications** and create a new application that uses the provider you just created. +To support the integration of Adventure Log with authentik, you need to create an application/provider pair in authentik. + +### Create an application and provider in authentik + +1. Log in to authentik as an admin, and open the authentik Admin interface. +2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.) + +- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. +- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. +- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. + - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later. + - Set a `Regex` redirect URI to ^https://adventurelog.company/accounts/oidc/.\*$. + - Select any available signing key. +- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. + +3. Click **Submit** to save the new application and provider. ## AdventureLog configuration diff --git a/website/integrations/services/apache-guacamole/index.mdx b/website/integrations/services/apache-guacamole/index.mdx index e47963488b..fa00bc23a8 100644 --- a/website/integrations/services/apache-guacamole/index.mdx +++ b/website/integrations/services/apache-guacamole/index.mdx @@ -21,20 +21,27 @@ The following placeholders are used in this guide: This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application. ::: -Create an OAuth2/OpenID provider with the following parameters: +## authentik configuration -- **Client Type**: `Confidential` -- **Redirect URIs**: `https://guacamole.company/` (depending on your Tomcat setup, you might have to add `/guacamole/` if the application runs in a subfolder) -- **Scopes**: OpenID, Email, and Profile +To support the integration of Apache Guacamole with authentik, you need to create an application/provider pair in authentik. -Under **Advanced protocol settings**, set the following: +### Create an application and provider in authentik -- **Token validity**: Any value to configure how long the session should last. Guacamole will not accept any tokens valid longer than 300 Minutes. -- **Signing Key**: Set the key as `authentik Self-signed Certificate` +1. Log in to authentik as an admin, and open the authentik Admin interface. +2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.) -Note the Client ID value. Create an application, using the provider you've created above. +- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. +- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. +- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. + - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later. + - Set a `Strict` redirect URI to https://guacamole.company/. If you have configured [Apache Tomcat](https://tomcat.apache.org/) to run Apache Guacamole on a subpath, you will need to update this value accordingly. + - Select any available signing key. + - Note that Apache Guacamole does not support session tokens longer than 300 minutes (5 hours). +- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. -## Guacamole +3. Click **Submit** to save the new application and provider. + +## Guacamole configuration It is recommended you configure an admin account in Guacamole before setting up SSO to make things easier. Create a user in Guacamole using the username of your user in authentik and give them admin permissions. Without this, you might lose access to the Guacamole admin settings and have to revert the settings below. diff --git a/website/integrations/services/apple/index.md b/website/integrations/services/apple/index.md index 55765dd4c8..d8e8adaf58 100644 --- a/website/integrations/services/apple/index.md +++ b/website/integrations/services/apple/index.md @@ -7,6 +7,7 @@ tags: - apple - ssf - backchannel + - device-management authentik_version: "2025.2.0" authentik_enterprise: true authentik_preview: true diff --git a/website/integrations/services/argocd/index.md b/website/integrations/services/argocd/index.md index 79d92545b5..df3b7110f6 100644 --- a/website/integrations/services/argocd/index.md +++ b/website/integrations/services/argocd/index.md @@ -21,44 +21,30 @@ The following placeholders are used in this guide: This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application. ::: -## authentik Configuration +## authentik configuration -### Step 1 - Provider creation +To support the integration of ArgoCD with authentik, you need to create an application/provider pair in authentik. -In authentik, create an _OAuth2/OpenID Provider_ (under _Applications/Providers_) with these settings: +### Create an application and provider in authentik -- Name: ArgoCD -- Client Type: `Confidential` -- Signing Key: Select any available key -- Redirect URIs: +1. Log in to authentik as an admin, and open the authentik Admin interface. +2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.) -``` -https://argocd.company/api/dex/callback -http://localhost:8085/auth/callback -``` +- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. +- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. +- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. + - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later. + - Add two `Strict` redirect URI and set them to https://argocd.company/api/dex/callback/ and https://localhost:8085/auth/callback/. + - Select any available signing key. +- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. -After creating the provider, take note of the `Client ID` and `Client Secret`, you'll need to give them to ArgoCD in the _ArgoCD Configuration_ field. +3. Click **Submit** to save the new application and provider. -### Step 2 - Application creation +### Create the users and administrator groups -Create a new _Application_ (under _Applications/Applications_) with these settings: +Using the authentik Admin interface, navigate to **Directory** -> **Groups** and click **Create** to create two required groups: `ArgoCD Admins` for administrator users and `ArgoCD Viewers` for read-only users. -- Name: ArgoCD -- Provider: ArgoCD -- Slug: argocd -- Launch URL: https://argocd.company/auth/login - -### Step 3 - ArgoCD Group creation - -Create a new _Group_ (under _Directory/Groups_) that'll be used as the admin group for ArgoCD (if you already have an "admin" group, you can skip this part!) - -- Name: ArgoCD Admins -- Members: Add your user and/or any user that should be an ArgoCD admin - -You can create another group for read-only access to ArgoCD as well if desired: - -- Name: ArgoCD Viewers -- Members: Any user that should have ArgoCD read-only access +After creating the groups, select a group, navigate to the **Users** tab, and manage its members by using the **Add existing user** and **Create user** buttons as needed. ## Terraform provider diff --git a/website/integrations/services/aruba-orchestrator/index.md b/website/integrations/services/aruba-orchestrator/index.md index bd8fae0bf1..384ee85b72 100644 --- a/website/integrations/services/aruba-orchestrator/index.md +++ b/website/integrations/services/aruba-orchestrator/index.md @@ -22,37 +22,41 @@ The following placeholders are used in this guide: This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application. ::: -## authentik Configuration +## authentik configuration -1. Log in to authentik as an admin, and go to the Admin interface. -2. Create a new SAML Property Mapping under **Customisation** -> **Property Mappings**: +To support the integration of Aruba Orchestrator with authentik, you need to create an application/provider pair in authentik. - - **Name**: `Aruba Orchestrator RBAC` - - **SAML Attribute Name**: `sp-roles` - - **Expression**: Use the expression below but amend the group name as desired. +### Create property mappings - ``` - if ak_is_group_member(request.user, name="authentik Admins"): - result = "superAdmin" - return result - ``` +1. Log in to authentik as an admin, and open the authentik Admin interface. +2. Navigate to **Customization** > **Property Mappings** and click **Create**. Create a **SAML Provider Property Mapping** with the following settings: + - **Name**: Set an appropriate name + - **SAML Attribute Name**: sp-roles + - **Friendly Name**: Leave blank + - **Expression**: (You can modify the authentik Admins group as needed) + ```python + if ak_is_group_member(request.user, name="authentik Admins"): + result = "superAdmin" + return result + ``` - - Save the settings. +### Create an application and provider in authentik -3. Create a new SAML Provider under **Applications** -> **Providers** using the following settings: - - **Name**: Aruba Orchestrator - - **Authentication Flow**: Use your preferred authentication flow (e.g., default-authentication-flow`) - - **Authorization Flow ID**: `default-provider-authorization-explicit-consent (Authorize Application)` - - Protocol settings: - - - **ACS URL**: `https://arubaorchestrator.company/gms/rest/authentication/saml2/consume` - - - **Issuer**: `https://arubaorchestrator.company/gms/rest/authentication/saml2/consume` - - - **Service Provider Binding**: Post - - Advanced protocol settings: - - - **Signing Certificate**:`SSL Certificate` - - - **Property Mappings**:`default` + `sp-roles` - - Leave everything else as default and save the settings. -4. Download the signing certificate under **Applications** -> **Providers** -> **Aruba Orchestrator** . -5. Create a new application under **Applications** -> **Applications**, pick a name and a slug, and assign the provider that you have just created. +1. Log in to authentik as an admin, and open the authentik Admin interface. +2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.) + +- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later. +- **Choose a Provider type**: select **SAML Provider** as the provider type. +- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. + - Set the **ACS URL** and **Issuer** to https://arubaorchestrator.company/gms/rest/authentication/saml2/consume. + - Set the **Service Provider Binding** to `Post`. + - Under **Advanced protocol settings**, select an available signing certificate. + - Under **Advanced protocol settings**, add the newly created property mapping under **Property Mappings**. +- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. + +3. Click **Submit** to save the new application and provider. + +4. Navigate to **Applications** > **Providers** > **Provider for _Application Name_**, and download the signing certificate. ## Aruba Orchestrator Configuration diff --git a/website/integrations/services/aws/index.md b/website/integrations/services/aws/index.md deleted file mode 100644 index 198549ba51..0000000000 --- a/website/integrations/services/aws/index.md +++ /dev/null @@ -1,163 +0,0 @@ ---- -title: Integrate with Amazon Web Services -sidebar_label: Amazon Web Services -support_level: authentik ---- - -## What is AWS - -> Amazon Web Services (AWS) is the world’s most comprehensive and broadly adopted cloud, with more than 200 fully featured services available from data centers globally. Millions of customers—including the fastest-growing startups, largest enterprises, and leading government agencies—are using AWS to lower costs, increase security, become more agile, and innovate faster. -> -> -- https://www.aboutamazon.com/what-we-do/amazon-web-services - -## Select your method - -There are two ways to perform the integration: the classic IAM SAML way, or the 'newer' IAM Identity Center way. This all depends on your preference and needs. - -## Method 1: Classic IAM - -### Preparation - -Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters: - -- **ACS URL**: `https://signin.aws.amazon.com/saml` -- **Issuer**: `authentik` -- **Binding**: `Post` -- **Audience**: `urn:amazon:webservices` - -You can use a custom signing certificate and adjust durations as needed. - -### AWS - -Create a role with the permissions you desire, and note the ARN. - -After configuring the Property Mappings, add them to the SAML Provider in AWS. - -Create an application, assign policies, and assign this provider. - -Export the metadata from authentik and create a new Identity Provider [here](https://console.aws.amazon.com/iam/home#/providers). - -#### Role Mapping - -The Role mapping specifies the AWS ARN(s) of the identity provider, and the role the user should assume ([see](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html#saml_role-attribute)). - -This Mapping needs to have the SAML Name field set to `https://aws.amazon.com/SAML/Attributes/Role`. - -As expression, you can return a static ARN like so - -```python -return "arn:aws:iam::123412341234:role/saml_role,arn:aws:iam::123412341234:saml-provider/authentik" -``` - -Or, if you want to assign AWS Roles based on Group membership, you can add a custom attribute to the Groups, for example "aws_role", and use this snippet below. Groups are sorted by name and later groups overwrite earlier groups' attributes. - -```python -role_name = user.group_attributes().get("aws_role", "") -return f"arn:aws:iam::123412341234:role/{role_name},arn:aws:iam::123412341234:saml-provider/authentik" -``` - -If you want to allow a user to choose from multiple roles, use this snippet - -```python -return [ - "arn:aws:iam::123412341234:role/role_a,arn:aws:iam::123412341234:saml-provider/authentik", - "arn:aws:iam::123412341234:role/role_b,arn:aws:iam::123412341234:saml-provider/authentik", - "arn:aws:iam::123412341234:role/role_c,arn:aws:iam::123412341234:saml-provider/authentik", -] -``` - -### RoleSessionName Mapping - -The RoleSessionMapping specifies what identifier will be shown at the top of the Management Console ([see](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html#saml_role-session-attribute)). - -This mapping needs to have the SAML Name field set to `https://aws.amazon.com/SAML/Attributes/RoleSessionName`. - -To use the user's username, use this snippet - -```python -return user.username -``` - -## Method 2: IAM Identity Center - -### Preparation - -- A certificate to sign SAML assertions is required. You can use authentik's default certificate, or provide/generate one yourself. -- You may pre-create an AWS application. - -### How to integrate with AWS - -In AWS: - -- In AWS, navigate to: **IAM Identity Center -> Settings -> Identity Source (tab)** -- On the right side, click **Actions** -> **Change identity source** -- Select **External Identity Provider** -- Under **Service Provider metadata** download the metadata file. - -Now go to your authentik instance, and perform the following steps. - -- Under **Providers**, create a new **SAML Provider from metadata**. Give it a name, and upload the metadata file AWS gave you. -- Click **Next**. Give it a name, and close the file. -- If you haven't done so yet, create an application for AWS and connect the provider to it. -- Navigate to the provider you've just created, and then select **Edit** -- Copy the **Issuer URL** to the **Audience** field. -- Under **Advanced Protocol Settings** set a **Signing Certificate** -- Save and Close. -- Under **Related Objects**, download the **Metadata file** and the **Signing Certificate** - -Now go back to your AWS instance - -- Under **Identity provider metadata**, upload both the **Metadata** file and **Signing Certificate** that authentik gave you. -- Click **Next**. -- In your settings pane, under the tab **Identity Source**, click **Actions** -> **Manage Authentication**. -- Note the AWS access portal sign-in URL (especially if you have customized it). - -Now go back to your authentik instance. - -- Navigate to the Application that you created for AWS and click **Edit**. -- Under **UI Settings** make sure the **Start URL** matches the **AWS access portal sign-in URL**. - -:::::info - -- Ensure users already exist in AWS for authentication through authentik. AWS will throw an error if the user is unrecognized. -- In case you're stuck, you can see the SSO logs in Amazon CloudTrail -> Event History. Look for `ExtenalIdPDirectoryLogin`. - ::::: - -## Optional: Automated provisioning with SCIM - -Some people may opt to use the automatic provisioning feature called SCIM (System for Cross-domain Identity Management). -SCIM allows you to synchronize (part of) your directory to AWS's IAM, saving you the hassle of having to create users by hand. -To do so, take the following steps in your AWS Identity Center: - -- In your **Settings** pane, locate the **Automatic Provisioning** information box. Click **Enable**. -- AWS provides an SCIM Endpoint and an Access Token. Note these values. - -Go back to your authentik instance - -- Navigate to **Providers** -> **Create** -- Select **SCIM Provider** -- Give it a name, under **URL** enter the **SCIM Endpoint**, and then under **Token** enter the **Access Token** AWS provided you with. -- Optionally, change the user filtering settings to your liking. Click **Finish** - -- Go to **Customization -> Property Mappings** -- Click **Create -> SCIM Mapping** -- Make sure to give the mapping a name that's lexically lower than `authentik default`, for example `AWS SCIM User mapping` -- As the expression, enter: - -```python -# This expression strips the default mapping from its 'photos' attribute, -# which is a forbidden property in AWS IAM. -return { - "photos": None, -} -``` - -- Click **Save**. Navigate back to your SCIM provider, click **Edit** -- Under **User Property Mappings** select the default mapping and the mapping that you just created. -- Click **Update** - -- Navigate to your application, click **Edit**. -- Under **Backchannel providers** add the SCIM provider that you created. -- Click **Update** - -The SCIM provider syncs automatically whenever you create/update/remove users, groups, or group membership. You can manually sync by going to your SCIM provider and clicking **Run sync again**. After the SCIM provider has synced, you should see the users and groups in your AWS IAM center. diff --git a/website/integrations/services/aws/index.mdx b/website/integrations/services/aws/index.mdx new file mode 100644 index 0000000000..e1c82106de --- /dev/null +++ b/website/integrations/services/aws/index.mdx @@ -0,0 +1,206 @@ +--- +title: Integrate with Amazon Web Services +sidebar_label: Amazon Web Services +support_level: authentik +--- + +## What is AWS + +> Amazon Web Services (AWS) is the world's most comprehensive and broadly adopted cloud, with more than 200 fully featured services available from data centers globally. Millions of customers—including the fastest-growing startups, largest enterprises, and leading government agencies—are using AWS to lower costs, increase security, become more agile, and innovate faster. +> +> -- https://www.aboutamazon.com/what-we-do/amazon-web-services + +## Preparation + +The following placeholders are used in this guide: + +- `authentik.company` is the FQDN of the authentik installation. +- `123412341234` is your AWS account ID. + +:::note +This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application. +::: + +import Tabs from "@theme/Tabs"; +import TabItem from "@theme/TabItem"; + + + + +### Prerequisites + +- An AWS account with permissions to create IAM roles and identity providers +- An authentik instance with admin access + +### authentik configuration + +To support the integration of AWS with authentik using the classic IAM method, you need to create an application/provider pair and property mappings in authentik. + +#### Create property mappings + +1. Log in to authentik as an admin, and open the authentik Admin interface. +2. Navigate to **Customization** > **Property Mappings** and click **Create**. Create two **SAML Provider Property Mapping**s with the following settings: + + - **Role Mapping:** + + - **Name**: Choose a descriptive name + - **SAML Attribute Name**: https://aws.amazon.com/SAML/Attributes/Role + - **Friendly Name**: Leave blank + - **Expression**: Choose one of these options: + + For a static role: + + ```python + return "arn:aws:iam::123412341234:role/saml_role,arn:aws:iam::123412341234:saml-provider/authentik" + ``` + + For role assignment based on group membership: + + ```python + role_name = user.group_attributes().get("aws_role", "") + return f"arn:aws:iam::123412341234:role/{role_name},arn:aws:iam::123412341234:saml-provider/authentik" + ``` + + For multiple role choices: + + ```python + return [ + "arn:aws:iam::123412341234:role/role_a,arn:aws:iam::123412341234:saml-provider/authentik", + "arn:aws:iam::123412341234:role/role_b,arn:aws:iam::123412341234:saml-provider/authentik", + "arn:aws:iam::123412341234:role/role_c,arn:aws:iam::123412341234:saml-provider/authentik", + ] + ``` + + - **Session Name Mapping:** + - **Name**: Choose a descriptive name + - **SAML Attribute Name**: https://aws.amazon.com/SAML/Attributes/RoleSessionName + - **Friendly Name**: Leave blank + - **Expression**: return user.username + +#### Create an application and provider in authentik + +1. Log in to authentik as an admin, and open the authentik Admin interface. +2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.) + +- **Application**: provide a descriptive name (e.g. "AWS"), an optional group for the type of application, the policy engine mode, and optional UI settings. The **slug** will be used in URLs and should match the `aws-slug` placeholder defined earlier. +- **Choose a Provider type**: select **SAML Provider** as the provider type. +- **Configure the Provider**: provide a name (or accept the auto-provided name), and configure the following required settings: + - Set the **ACS URL** to https://signin.aws.amazon.com/saml + - Set the **Audience** to urn:amazon:webservices + - Under **Advanced protocol settings**, add both property mappings you created in the previous section +- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. + +3. Click **Submit** to save the new application and provider. +4. Download the **Metadata file** from the provider's page. + +### AWS configuration + +1. Log in to the AWS Management Console as an administrator +2. Create an IAM role with the desired permissions and note the ARN +3. Navigate to [IAM Identity Providers](https://console.aws.amazon.com/iam/home#/providers) +4. Click **Create Provider** and configure: + - Select **SAML** as the provider type + - Upload the metadata file from authentik +5. Add the property mappings to the SAML Provider +6. Create an application and assign the appropriate policies +7. Connect the provider to your application + + + + +### Prerequisites + +- An AWS account with IAM Identity Center enabled +- An authentik instance with admin access +- A certificate for signing SAML assertions (you can use authentik's default or provide your own) + +### authentik configuration + +To support the integration of AWS with authentik using IAM Identity Center, you need to create an application/provider pair in authentik. + +#### Create an application and provider in authentik + +1. Log in to authentik as an admin, and open the authentik Admin interface. +2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.) + +- **Application**: provide a descriptive name (e.g. "AWS Identity Center"), an optional group for the type of application, the policy engine mode, and optional UI settings. The **slug** will be used in URLs and should match the `aws-slug` placeholder defined earlier. +- **Choose a Provider type**: select **SAML Provider from metadata** as the provider type. +- **Configure the Provider**: provide a name (or accept the auto-provided name), and configure the following required settings: + - Upload the metadata file from AWS (obtained in AWS Configuration steps) + - Copy the **Issuer URL** to the **Audience** field + - Under **Advanced Protocol Settings**, set your **Signing Certificate** +- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. + +3. Click **Submit** to save the new application and provider. +4. Under **Related Objects**, download both: + - The **Metadata file** + - The **Signing Certificate** + +### AWS configuration + +1. Navigate to **IAM Identity Center -> Settings -> Identity Source** +2. Click **Actions -> Change identity source** +3. Select **External Identity Provider** +4. Download the **Service Provider metadata** file +5. Upload authentik's metadata file and signing certificate +6. Under **Actions -> Manage Authentication**, note the AWS access portal sign-in URL +7. Update your authentik application's **Start URL** to match the AWS portal URL. + + + + +### Prerequisites + +- Completed either Classic IAM or IAM Identity Center setup +- AWS Identity Center enabled with admin access +- authentik instance with admin access + +### authentik configuration + +To support the integration of AWS with authentik using SCIM, you need to create a SCIM provider and custom mapping in authentik. + +#### Create property mappings + +1. Log in to authentik as an admin, and open the authentik Admin interface. +2. Navigate to **Customization** > **Property Mappings** and click **Create**. Create a **SCIM Mapping** with the following settings: + - **Name**: Choose a name lexically lower than `authentik default` (e.g. `AWS SCIM User mapping`) + - **Expression**: + ```python + # This expression strips the default mapping from its 'photos' attribute, + # which is a forbidden property in AWS IAM. + return { + "photos": None, + } + ``` + +#### Create a SCIM provider in authentik + +1. Log in to authentik as an admin, and open the authentik Admin interface. +2. Navigate to **Providers** > **Providers** and click **Create**. +3. Select **SCIM Provider** as the provider type. +4. Configure the provider with the following settings: + - Set a descriptive name + - Set **URL** to the AWS SCIM Endpoint + - Set **Token** to the AWS Access Token + - Configure user filtering as needed +5. Under **User Property Mappings**, add: + - The default mapping + - Your custom mapping +6. Add the SCIM provider to your AWS application's **Backchannel providers** + +### AWS configuration + +1. In AWS Identity Center **Settings**, locate the **Automatic Provisioning** information box +2. Click **Enable** +3. Note the provided **SCIM Endpoint** and **Access Token** + +The SCIM provider will automatically sync when users, groups, or memberships change. You can manually sync from the provider page. + + + + +## Additional Resources + +- [AWS IAM SAML Documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html) +- [AWS IAM Identity Center Documentation](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) +- [AWS SCIM Documentation](https://docs.aws.amazon.com/singlesignon/latest/userguide/scim-profile.html) diff --git a/website/integrations/services/awx-tower/index.md b/website/integrations/services/awx-tower/index.md index d3078f7b40..be5b0c5a99 100644 --- a/website/integrations/services/awx-tower/index.md +++ b/website/integrations/services/awx-tower/index.md @@ -6,11 +6,7 @@ support_level: community ## What is Tower -From - -> Red Hat Ansible Automation Platform (RHAAP) (formerly ‘AWX’) is a web-based solution that makes Ansible even more easy to use for IT teams of all kinds. It’s designed to be the hub for all of your automation tasks. -> -> Tower allows you to control access to who can access what, even allowing sharing of SSH credentials without someone being able to transfer those credentials. Inventory can be graphically managed or synced with a wide variety of cloud sources. It logs all of your jobs, integrates well with LDAP, and has an amazing browsable REST API. Command line tools are available for easy integration with Jenkins as well. Provisioning callbacks provide great support for autoscaling topologies. +> Red Hat Ansible Automation Platform (RHAAP) (formerly ‘AWX’) is a web-based solution that makes Ansible even more easy to use for IT teams of all kinds. It’s designed to be the hub for all of your automation tasks. Tower allows you to control access to who can access what, even allowing sharing of SSH credentials without someone being able to transfer those credentials. Inventory can be graphically managed or synced with a wide variety of cloud sources. It logs all of your jobs, integrates well with LDAP, and has an amazing browsable REST API. Command line tools are available for easy integration with Jenkins as well. Provisioning callbacks provide great support for autoscaling topologies. > > -- https://docs.ansible.com/ansible/latest/reference_appendices/tower.html @@ -29,14 +25,26 @@ The following placeholders are used in this guide: This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application. ::: -Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters: +## authentik configuration -- ACS URL: `https://awx.company/sso/complete/saml/` -- Audience: `awx` -- Service Provider Binding: Post -- Issuer: `https://awx.company/sso/metadata/saml/` +To support the integration of AWX Tower with authentik, you need to create an application/provider pair in authentik. -You can of course use a custom signing certificate, and adjust durations. +### Create an application and provider in authentik + +1. Log in to authentik as an admin, and open the authentik Admin interface. +2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.) + +- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later. +- **Choose a Provider type**: select **SAML Provider** as the provider type. +- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. + - Set the **ACS URL** to https://awx.company/sso/complete/saml/. + - Set the **Audience** to awx. + - Set the **Issuer** to https://awx.company/sso/metadata/saml/. + - Set the **Service Provider Binding** to `Post`. + - Under **Advanced protocol settings**, select an available signing certificate. +- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. + +3. Click **Submit** to save the new application and provider. ## AWX Configuration diff --git a/website/integrations/services/bookstack/index.md b/website/integrations/services/bookstack/index.md index 9472632178..52f77e46f4 100644 --- a/website/integrations/services/bookstack/index.md +++ b/website/integrations/services/bookstack/index.md @@ -26,45 +26,26 @@ The following placeholders are used in this guide: This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application. ::: -### Step 1 +## authentik configuration -In authentik, under _Providers_, create a _SAML Provider_ with these settings: +To support the integration of BookStack with authentik, you need to create an application/provider pair in authentik. -**Protocol Settings** +### Create an application and provider in authentik -- Name: Bookstack -- ACS URL: https://book.company/saml2/acs -- Issuer: https://authentik.company -- Service Provider Binding: Post -- Audience: https://book.company/saml2/metadata +1. Log in to authentik as an admin, and open the authentik Admin interface. +2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.) -**Advanced protocol settings** +- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. +- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. +- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. + - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. + - Set a `Strict` redirect URI to https://bookstack.company/oidc/callback/. + - Select any available signing key. +- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. -- Signing Certificate: Choose your certificate or the default authentik Self-signed Certificate - All other options as default. +3. Click **Submit** to save the new application and provider. -![](./authentik_saml_bookstack.png) - -### Step 2 - -In authentik, create an application which uses this provider. Optionally apply access restrictions to the application using policy bindings. - -- Name: Bookstack -- Slug: bookstack -- Provider: Bookstack -- Launch URL: https://book.company - -### Step 3 - -Obtain your Metadata URL from authentik. - -1. Click on the BookStack Provider -2. Click the Metadata Tab -3. Click Copy download URL (This URL is the `METADATAURL` required in Step 4) - -![](./metadataurl.png) - -### Step 4 +## Bookstack configuration Edit the `.env` file inside of the `www` folder of Bookstack. diff --git a/website/integrations/services/bookstack/metadataurl.png b/website/integrations/services/bookstack/metadataurl.png deleted file mode 100644 index 795e2769a3..0000000000 Binary files a/website/integrations/services/bookstack/metadataurl.png and /dev/null differ diff --git a/website/integrations/services/budibase/index.md b/website/integrations/services/budibase/index.md index f50c21d83e..017e5c1fa7 100644 --- a/website/integrations/services/budibase/index.md +++ b/website/integrations/services/budibase/index.md @@ -21,16 +21,26 @@ The following placeholders are used in this guide: This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application. ::: -Create an application in authentik. Create an OAuth2/OpenID provider with the following parameters: +## authentik configuration -- Client Type: `Confidential` -- Scopes: OpenID, Email and Profile -- Signing Key: Select any available key -- Redirect URIs: `https://budibase.company/api/global/auth/oidc/callback` +To support the integration of Budibase with authentik, you need to create an application/provider pair in authentik. -Note the Client ID and Client Secret values. Create an application, using the provider you've created above. +### Create an application and provider in authentik -## Budibase +1. Log in to authentik as an admin, and open the authentik Admin interface. +2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.) + +- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. +- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. +- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. + - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later. + - Set a `Strict` redirect URI to https://budibase.company/api/global/auth/oidc/callback/. + - Select any available signing key. +- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. + +3. Click **Submit** to save the new application and provider. + +## Budibase configuration In Budibase under `Auth` set the following values diff --git a/website/integrations/services/chronograf/index.md b/website/integrations/services/chronograf/index.md index 6b9075e9a4..dd9ca2f0bd 100644 --- a/website/integrations/services/chronograf/index.md +++ b/website/integrations/services/chronograf/index.md @@ -23,13 +23,24 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration -1. From the authentik Admin interface navigate to **Applications** -> **Applications** on the left sidebar. +To support the integration of Chronograf with authentik, you need to create an application/provider pair in authentik. -2. Create an application and an OAuth2/OpenID provider using the [Application modal](https://docs.goauthentik.io/docs/add-secure-apps/applications/manage_apps#instructions). - - Note the application slug, client ID, and client secret, as they will be required later. - - Set a strict redirect URI to `https://chronograf.company/oauth/authentik/callback`. - - Choose a signing key (any available key is acceptable). -3. Complete and submit the settings to close the modal. +### Create an application and provider in authentik + +1. Log in to authentik as an admin, and open the authentik Admin interface. +2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.) +3. Log in to authentik as an admin, and open the authentik Admin interface. +4. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.) + +- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. +- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. +- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. + - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later. + - Set a `Strict` redirect URI to https://chronograf.company/oauth/authentik/callback/. + - Select any available signing key. +- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. + +3. Click **Submit** to save the new application and provider. ## Chronograf configuration diff --git a/website/integrations/services/cloudflare-access/index.md b/website/integrations/services/cloudflare-access/index.md index 96aa048ddc..9b11eef5ab 100644 --- a/website/integrations/services/cloudflare-access/index.md +++ b/website/integrations/services/cloudflare-access/index.md @@ -25,11 +25,22 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration -1. From the Admin interface, navigate to **Applications** -> **Applications**. -2. Use the wizard to create a new application and provider. During this process: - - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://company.cloudflareaccess.com/cdn-cgi/access/callback`. +To support the integration of Cloudflare Access with authentik, you need to create an application/provider pair in authentik. + +### Create an application and provider in authentik + +1. Log in to authentik as an admin, and open the authentik Admin interface. +2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.) + +- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. +- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. +- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. + - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later. + - Set a `Strict` redirect URI to https://company.cloudflareaccess.com/cdn-cgi/access/callback/. - Select any available signing key. +- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. + +3. Click **Submit** to save the new application and provider. ## Cloudflare Access configuration diff --git a/website/integrations/services/dokuwiki/index.md b/website/integrations/services/dokuwiki/index.md index 5e7a61240a..9345f54d4a 100644 --- a/website/integrations/services/dokuwiki/index.md +++ b/website/integrations/services/dokuwiki/index.md @@ -21,6 +21,26 @@ The following placeholders are used in this guide: This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application. ::: +## authentik configuration + +To support the integration of DocuWiki with authentik, you need to create an application/provider pair in authentik. + +### Create an application and provider in authentik + +1. Log in to authentik as an admin, and open the authentik Admin interface. +2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.) + +- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. +- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. +- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. + - Note the **Client ID** and **Client Secret** values because they will be required later. + - Set a `Strict` redirect URI to https://docuwiki.company/doku.php. + - Select any available signing key. + - Under **Advanced Protocol Settings**, add the following OAuth mapping under **Scopes**: `authentik default OAuth Mapping: OpenID 'offline_access'` +- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. + +3. Click **Submit** to save the new application and provider. + ## DokuWiki configuration In DokuWiki, navigate to the _Extension Manager_ section in the _Administration_ interface and install @@ -52,21 +72,3 @@ For _Oauthgeneric_: ![](./dokuwiki_oauth_generic.png) In the _Configuration Settings_ section in the _Administration_ interface navigate to _Authentication_ and activate _oauth_ in _Authentication backend_. - -## authentik Configuration - -### Provider - -In authentik, under _Providers_, create an _OAuth2/OpenID Provider_ with these settings: - -- Redirect URI: The _Callback URL / Redirect URI_ from _plugin»oauth»info_, usually `dokuwiki.company/doku.php` -- Signing Key: Select any available key - -Note the _client ID_ and _client secret_, then save the provider. If you need to retrieve these values, you can do so by editing the provider. - -To prevent users from needing to log in again as soon as the access token expires, include the _offline_access_ scope in both authentik and DokuWiki. This scope allows DokuWiki to use refresh tokens. - -### Application - -In authentik, create an application which uses this provider. Optionally apply access restrictions to the application using policy bindings. -Set the Launch URL to the _Callback URL / Redirect URI_ (`dokuwiki.company/doku.php`). diff --git a/website/integrations/services/drupal/index.md b/website/integrations/services/drupal/index.md index 74aa890b94..4b9b8e44f1 100644 --- a/website/integrations/services/drupal/index.md +++ b/website/integrations/services/drupal/index.md @@ -11,73 +11,62 @@ support_level: community > > -- https://en.wikipedia.org/wiki/Drupal -:::note -There are many different modules for Drupal that allow you to set up SSO using -different authentication methods. This tutorial uses the -[OpenID Connect / OAuth client](https://www.drupal.org/project/openid_connect) -module. -::: - ## Preparation The following placeholders are used in this guide: -- `drupal.company` is the FQDN of Drupal installation. -- `authentik.company` is the FQDN of authentik installation. +- `drupal.company` is the FQDN of the Drupal installation. +- `authentik.company` is the FQDN of the authentik installation. :::note -This documentation lists only the settings that you need to change from their -default values. Be aware that any changes other than those explicitly mentioned -in this guide could cause issues accessing your application. +This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application. +::: + +:::note +There are many different modules for Drupal that allow you to set up SSO using different authentication methods. This tutorial uses the [OpenID Connect / OAuth client](https://www.drupal.org/project/openid_connect) module. ::: ## authentik configuration -### Provider +To support the integration of Drupal with authentik, you need to create an application/provider pair in authentik. -1. Go to Applications -> Providers - https://authentik.company/if/admin/#/core/providers -2. Create an OAuth2/OpenID Provider -3. Set the Authentication flow to default-authentication-flow -4. The Authorisation flow can be either default-provider-authorization-implicit-consent - or default-provider-authorization-explicit-consent -5. Set the Client type to "Confidential" -6. Note the Cliend ID and Client Secret -7. Set the Redirect URIs/Origins to your Drupal site - https://drupal.company/openid-connect/generic -8. Leave everything else as-is +### Create an application and provider in authentik -### Application +1. Log in to authentik as an admin, and open the authentik Admin interface. +2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.) -1. Go to Applications -> Applications - https://authentik.company/if/admin/#/core/applications -2. Create an application e.g. "Drupal" and set the Provider field to the provider - created above +- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. The **slug** will be used in URLs and should match the `drupal-slug` placeholder defined earlier. +- **Choose a Provider type**: select **OAuth2/OpenID Provider** as the provider type. +- **Configure the Provider**: provide a name (or accept the auto-provided name), and configure the following required settings: + - Add the following **Redirect URI**: https://drupal.company/openid-connect/generic +- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. + +3. Click **Submit** to save the new application and provider. +4. Note the **Client ID** and **Client Secret** for later use. ## Drupal configuration -1. From the Admin Toolbar or admin page at https://drupal.company/admin go to - **Configuration -> Web Services -> OpenID Connect** or directly at https://drupal.company/admin/config/services/openid-connect. -2. Input the Client ID and Secret you noted above. -3. Fill out the following endpoints: - -- **Authorization endpoint**: https://authentik.company/application/o/authorize/ -- **Token endpoint**: https://authentik.company/application/o/token/ -- **UserInfo endpoint**: https://authentik.company/application/o/userinfo/ - -4. If your User Registration settings (**Admin -> Configuration -> People -> Account Settings** or - https://drupal.company/admin/config/people/accounts) does not allow new users, check the "Override registration - settings" checkbox to enable new accounts to be created. If you do not check this and log in as an unknown user, you - will get a message saying you've successfully logged in but your account is blocked and needs to be approved by - an administrator. Individual accounts can be unblocked at **Admin -> People** or https://drupal.company/admin/people. +1. From the Admin Toolbar or admin page at https://drupal.company/admin, navigate to **Configuration** > **Web Services** > **OpenID Connect** (or directly at https://drupal.company/admin/config/services/openid-connect) +2. Configure the following settings: + - Set the **Client ID** and **Client Secret** to the values noted from authentik + - Configure the endpoints: + - **Authorization endpoint**: https://authentik.company/application/o/authorize/ + - **Token endpoint**: https://authentik.company/application/o/token/ + - **UserInfo endpoint**: https://authentik.company/application/o/userinfo/ +3. Under **Admin** > **Configuration** > **People** > **Account Settings** (or https://drupal.company/admin/config/people/accounts): + - If new user registration is disabled, check **Override registration settings** to enable new account creation + - Note: Without this setting, new users will receive a message that their account is blocked pending administrator approval +4. Enable the OpenID button on the user login form :::info -If you are developing Drupal locally with DDEV and authentik is also running -locally, use `host.docker.internal:9000` as the hostname for the Token and UserInfo endpoints. -::: 5. Enable the OpenID button on the user login form. +If you are developing Drupal locally with DDEV and authentik is also running locally, use `host.docker.internal:9000` as the hostname for the Token and UserInfo endpoints. +::: ## Configuration verification -To confirm that authentik is properly configured with Drupal, log out from the -Admin Toolbar link under your username, or go directly to -https://drupal.company/user/logout, and log back in via authentik at https://drupal.company/user/login. +TODO + +## Additional Resources + +- [Drupal OpenID Connect Module Documentation](https://www.drupal.org/project/openid_connect) +- [Drupal User Account Settings Documentation](https://www.drupal.org/docs/user_guide/en/user-registration.html) diff --git a/website/integrations/services/engomo/index.mdx b/website/integrations/services/engomo/index.mdx index 98c3188771..b73d862dea 100644 --- a/website/integrations/services/engomo/index.mdx +++ b/website/integrations/services/engomo/index.mdx @@ -18,7 +18,6 @@ The following placeholders are used in this guide: - `engomo.company` is the FQDN of the engomo installation. - `authentik.company` is the FQDN of the authentik installation. -- `engomo.mapping` is the name of the Scope Mapping. :::note This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application. @@ -26,26 +25,33 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration -In authentik, create a new scope mapping. To do so, log in and navigate to the Admin interface, then go to **Customization --> Property Mapping** and click **Create**. +To support the integration of Engomo with authentik, you need to create an application/provider pair in authentik. -- `engomo.mapping` is the value of the Mapping's name. -- `profile` is the value for the Scope name. -- `return {"preferred_username": request.user.email}` is the value for the Expression. +### Create property mappings -[Create](https://docs.goauthentik.io/docs/add-secure-apps/applications/manage_apps#add-new-applications) an OAuth2/OpenID provider and an application in authentik. Use the following parameters for the OAuth2/OpenID provider: +1. Log in to authentik as an admin, and open the authentik Admin interface. +2. Navigate to **Customization** > **Property Mappings** and click **Create**. Create a **Scope Mapping** with the following settings: + - **Name**: Set an appropriate name. + - **Scope Name**: `profile` + - **Description**: Set an appropriate description, if desired. + - **Expression**: `return {"preferred_username": request.user.email}` -1. In the authentik Admin interface, navigate to **Applications** -> **Applications**. -2. Use the wizard to create a new application and provider. During this process: - - Note the **Client ID**, **Client Secret**, and **slug** values for later use. - - Select implicit or explicit authorization flow as desired. - - Set Client type to `Public`. - - Set the redirect URI to https://engomo.company/auth and com.engomo.engomo://callback/. +### Create an application and provider in authentik + +1. Log in to authentik as an admin, and open the authentik Admin interface. +2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.) + +- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. +- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. +- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. + - Note the **Client ID** and **slug** values because they will be required later. + - Set the **Client type** to `Public`. + - Add two `Strict` redirect URIs and set them to https://engomo.company/auth and com.engomo.engomo://callback/. - Select any available signing key. - - Add the `engomo.mapping` scope in addition to the default values. + - Under **Advanced Protocol Settings**, add the scope you just created to the list of available scopes. +- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. -:::note -Redirect URIs => write the values line by line. -::: +3. Click **Submit** to save the new application and provider. ## engomo configuration diff --git a/website/integrations/services/espoCRM/index.md b/website/integrations/services/espoCRM/index.md index 8ba59e693e..5c0685cfe3 100644 --- a/website/integrations/services/espoCRM/index.md +++ b/website/integrations/services/espoCRM/index.md @@ -28,25 +28,23 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration -1. Log into authentik as an admin, and navigate to **Applications** --> **Applications**. -2. Click **Create with Wizard**. +To support the integration of EspoCRM with authentik, you need to create an application/provider pair in authentik. -:::info -Alternatively, use our legacy process and click **Create**. The legacy process requires that the application and its configuration provider be configured separately. -::: +### Create an application and provider in authentik -3. In the _New Application_ wizard, define the application details, and then define the provider details with the following parameters: +1. Log in to authentik as an admin, and open the authentik Admin interface. +2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.) -- **Provider Type**: `OAuth2/OIDC (Open Authorization/OpenID Connect)` +- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. +- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. +- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. + - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. + - Set a `Strict` redirect URI to https://espocrm.company/oauth-callback.php. + - Select any available signing key. + - Under **Advanced Protocol Settings**, set **Subject mode** to be `Based on the Users's username`. +- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. -- **Authorization Flow**: `default-provider-authorization-explicit-consent (Authorize Application)` -- **Client Type**: `Confidential` -- **Redirect URIs/Origins**: `https://crm./oauth-callback.php` -- **Scopes**: OpenID, Email, Profile, Proxy outpost -- **Subject Mode**: `Based on the User's username` (**OR** your preferred method; you can use the same username in authentik and EspoCRM) -- **Signing Key**: Select any available key - -Note the `Client ID` and `Client Secret` values. +3. Click **Submit** to save the new application and provider. ## EspoCRM configuration diff --git a/website/integrations/services/firezone/index.md b/website/integrations/services/firezone/index.md index 7b4d114a35..7d1290b7fa 100644 --- a/website/integrations/services/firezone/index.md +++ b/website/integrations/services/firezone/index.md @@ -22,16 +22,26 @@ The following placeholders are used in this guide: This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application. ::: -Create an OAuth2/OpenID provider with the following parameters: +## authentik configuration -- Client type: `Confidential` -- Redirect URIs/Origins: `Redirect URI from Firezone Config` -- Signing Key: `