providers/proxy: add initial header token auth (#4421)

* initial implementation

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* check for openid/profile claims

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* include jwks sources in proxy provider

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add web ui for jwks

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* only show sources with JWKS data configured

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix introspection tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* start basic

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add basic auth

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add docs, update admonitions

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add client_id to api, add tab for auth

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update locale

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Jens L
2023-01-13 16:22:03 +01:00
committed by GitHub
parent 31c6ea9fda
commit cd12e177ea
54 changed files with 830 additions and 162 deletions

View File

@ -12,7 +12,7 @@ From https://www.home-assistant.io/
Open source home automation that puts local control and privacy first. Powered by a worldwide community of tinkerers and DIY enthusiasts. Perfect to run on a Raspberry Pi or a local server.
:::
:::warning
:::caution
You might run into CSRF errors, this is caused by a technology Home-assistant uses and not authentik, see [this GitHub issue](https://github.com/goauthentik/authentik/issues/884#issuecomment-851542477).
:::
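Review bot: the body of this admonition is a comma splice ("You might run into CSRF errors, this is caused by ..."); since the line is being touched for the relabel anyway, split it, e.g. "You might run into CSRF errors. This is caused by a technology Home Assistant uses, not by authentik; see [this GitHub issue](...)." The product name is also written "Home-assistant" here while the rest of the page uses "Home Assistant".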

View File

@ -20,7 +20,7 @@ Jellyfin does not have any native external authentication support as of the writ
Currently there are two plugins for Jelyfin that provide external authenticaion, an OIDC plugin and an LDAP plugin. This guide focuses on the use of the LDAP plugin.
:::
:::warning
:::caution
An LDAP outpost must be deployed to use the Jellyfin LDAP plugin
:::
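Review bot: the context line directly above this admonition carries two typos, "Jelyfin" and "authenticaion" (should be "Jellyfin" and "authentication"), and the admonition body "An LDAP outpost must be deployed to use the Jellyfin LDAP plugin" has no terminating period; both are worth fixing in the same change rather than leaving for a later docs pass.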

View File

@ -12,11 +12,11 @@ From https://en.wikipedia.org/wiki/Nextcloud
Nextcloud is a suite of client-server software for creating and using file hosting services. Nextcloud is free and open-source, which means that anyone is allowed to install and operate it on their own private server devices.
:::
:::warning
:::caution
This setup only works, when Nextcloud is running with HTTPS enabled. See [here](https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/reverse_proxy_configuration.html?highlight=overwriteprotocol#overwrite-parameters) on how to configure this.
:::
:::warning
:::info
In case something goes wrong with the configuration, you can use the URL `http://nextcloud.company/login?direct=1` to log in using the built-in authentication.
:::

View File

@ -14,7 +14,7 @@ Node-RED is a programming tool for wiring together hardware devices, APIs and on
It provides a browser-based editor that makes it easy to wire together flows using the wide range of nodes in the palette that can be deployed to its runtime in a single-click.
:::
:::warning
:::caution
This requires modification of the Node-RED settings.js and installing additional Passport-js packages, see [Securing Node-RED](https://nodered.org/docs/user-guide/runtime/securing-node-red#oauthopenid-based-authentication) documentation for further details.
:::

View File

@ -12,7 +12,7 @@ Modified from https://github.com/jonaswinkler/paperless-ng
Paperless-ng is an application that indexes your scanned documents and allows you to easily search for documents and store metadata alongside your documents. It was a fork from the original Paperless that is no longer maintained.
:::
:::warning
:::caution
This setup uses HTTP headers to log you in simply by providing your username as a header. Your authentik username and Paperless username MUST match. If you intend for this to be accessed externally, this requires careful setup of your reverse proxy server to not forward these headers from other sources.
The author of Paperless-ng recommends you do not expose Paperless outside your network, as it was not designed for that. Instead, they "recommend that if you do want to use it, run it locally on a server in your own home."
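Review bot: this admonition describes a real security boundary, not a usability hint: the login relies on a username header, so the reverse proxy must strip or refuse that header from any source other than authentik, and the application must not be reachable except through the proxy. Relabelling it `caution` alongside purely informational notes (version requirements, HTTPS assumptions) flattens that distinction; if the admonition set in use offers a more severe level than `caution`, this is the place to use it, and the body could state the "only reachable through the proxy" requirement explicitly instead of leaving it implied by "careful setup of your reverse proxy server".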

View File

@ -59,7 +59,7 @@ In authentik, create an outpost (under _Applications/Outposts_) of type `LDAP` t
## pfSense unsecure setup (without SSL)
:::warning
:::caution
This setup should only be used for testing purpose, because passwords will be sent in clear text to authentik.
:::
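Review bot: "for testing purpose" should read "for testing purposes", and since the body warns that passwords are transmitted in clear text, this admonition (like the Paperless-ng header-auth one in this commit) is a candidate for the most severe admonition level available rather than the same `caution` used for notes such as "This requires Proxmox VE 7.0 or newer."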

View File

@ -12,7 +12,7 @@ From https://pve.proxmox.com/wiki/Main_Page
Proxmox Virtual Environment is an open source server virtualization management solution based on QEMU/KVM and LXC. You can manage virtual machines, containers, highly available clusters, storage and networks with an integrated, easy-to-use web interface or via CLI. Proxmox VE code is licensed under the GNU Affero General Public License, version 3. The project is developed and maintained by Proxmox Server Solutions GmbH.
:::
:::warning
:::caution
This requires Proxmox VE 7.0 or newer.
:::

View File

@ -38,7 +38,7 @@ Create a new service account for all of your hosts to use to connect
to LDAP and perform searches. Make sure this service account is added
to `ldap.searchGroup`.
:::warning
:::caution
It seems that QNAP LDAP client configuration has issues with too long password.
Max password length <= 66 characters.
:::
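Review bot: the admonition body is ungrammatical ("has issues with too long password. Max password length <= 66 characters."); suggest "The QNAP LDAP client appears to have problems with long passwords; keep the service account password at 66 characters or fewer." so the limit reads as an instruction rather than an inequality.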
@ -111,7 +111,7 @@ Attributes:
Configure the following values and "Apply"
![qnap domain security](./qnap-ldap-configuration.png)
:::warning
:::caution
With each save (Apply) in the UI the `/etc/config/nss_ldap.conf` will be overwritten with default values.
:::

View File

@ -11,11 +11,11 @@ From https://snipeitapp.com
A free open source IT asset/license management system.
:::
:::warning
:::caution
This setup assumes you will be using HTTPS as Snipe-It dynamically generates the ACS and other settings based on the complete URL.
:::
:::warning
:::caution
In case something goes wrong with the configuration, you can use the URL `http://inventory.company/login?nosaml` to log in using the
built-in authentication.
:::
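Review bot: the second admonition here (the `?nosaml` fallback login URL) is relabelled `caution`, while the equivalent fallback-login admonition in the Nextcloud page of this same commit (`/login?direct=1`) is relabelled `info`. Both describe the same kind of recovery hint, so pick one level for the pair; `info` seems the better fit since neither describes a risk.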

View File

@ -14,7 +14,7 @@ e uptime and future planning. TrueCommand also identifies and pinpoints errors o
me when resolving issues.
:::
:::warning
:::caution
This setup assumes you will be using HTTPS as TrueCommand generates ACS and Redirect URLs based on the complete URL.
:::

View File

@ -12,7 +12,7 @@ From https://en.wikipedia.org/wiki/Landscape_(software)
Landscape is a systems management tool developed by Canonical. It can be run on-premises or in the cloud depending on the needs of the user. It is primarily designed for use with Ubuntu derivatives such as Desktop, Server, and Core.
:::
:::warning
:::caution
This requires authentik 0.10.3 or newer.
:::

View File

@ -12,11 +12,11 @@ From https://en.wikipedia.org/wiki/VCenter
vCenter Server is the centralized management utility for VMware, and is used to manage virtual machines, multiple ESXi hosts, and all dependent components from a single centralized location. VMware vMotion and svMotion require the use of vCenter and ESXi hosts.
:::
:::warning
:::caution
This requires authentik 0.10.3 or newer.
:::
:::warning
:::caution
This requires VMware vCenter 7.0.0 or newer.
:::
@ -68,7 +68,7 @@ Create an application which uses this provider. Optionally apply access restrict
Set the Launch URL to `https://vcenter.company/ui/login/oauth2`. This will skip vCenter's User Prompt and directly log you in.
:::warning
:::caution
This Launch URL only works for vCenter < 7.0u2. If you're running 7.0u2 or later, set the launch URL to `https://vcenter.company/ui/login`
:::

View File

@ -8,11 +8,11 @@ Allows users to authenticate using their Apple ID.
## Preparation
:::warning
:::caution
An Apple developer account is required.
:::
:::warning
:::caution
Apple mandates the use of a [registered TLD](https://en.wikipedia.org/wiki/List_of_Internet_top-level_domains), as such this source will not work with .local and other non-public TLDs.
:::