website: format docs with prettier (#2833)

* run prettier

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add scim to comparison

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
Jens L
2022-05-09 21:22:41 +02:00
committed by GitHub
parent 26d92d9259
commit f9469e3f99
148 changed files with 3447 additions and 3107 deletions

@ -4,18 +4,18 @@ Create a new ingress for the outpost
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: authentik-outpost
name: authentik-outpost
spec:
rules:
- host: app.company
http:
paths:
- backend:
# Or, to use an external Outpost, create an ExternalName service and reference that here.
# See https://kubernetes.io/docs/concepts/services-networking/service/#externalname
serviceName: ak-outpost-example-outpost
servicePort: 9000
path: /outpost.goauthentik.io
rules:
- host: app.company
http:
paths:
- backend:
# Or, to use an external Outpost, create an ExternalName service and reference that here.
# See https://kubernetes.io/docs/concepts/services-networking/service/#externalname
serviceName: ak-outpost-example-outpost
servicePort: 9000
path: /outpost.goauthentik.io
```
This ingress handles authentication requests, and the sign-in flow.
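Review bot: The manifest in this hunk still declares `apiVersion: networking.k8s.io/v1beta1` with `serviceName`/`servicePort` under `backend`, an Ingress API version that Kubernetes removed in 1.22, so readers on current clusters cannot apply it as written. The removed and added lines carry the same keys and values, so this is a follow-up rather than a blocker for a formatting commit: move the example to `networking.k8s.io/v1`, which uses `backend.service.name` and `backend.service.port.number` and requires a `pathType` on each path.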
@ -24,14 +24,14 @@ Add these annotations to the ingress you want to protect
```yaml
metadata:
annotations:
nginx.ingress.kubernetes.io/auth-url: |-
http://outpost.company:9000/outpost.goauthentik.io/auth/nginx
# If you're using domain-level auth, use the authentication URL instead of the application URL
nginx.ingress.kubernetes.io/auth-signin: |-
https://app.company/outpost.goauthentik.io/start?rd=$escaped_request_uri
nginx.ingress.kubernetes.io/auth-response-headers: |-
Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
nginx.ingress.kubernetes.io/auth-snippet: |
proxy_set_header X-Forwarded-Host $http_host;
annotations:
nginx.ingress.kubernetes.io/auth-url: |-
http://outpost.company:9000/outpost.goauthentik.io/auth/nginx
# If you're using domain-level auth, use the authentication URL instead of the application URL
nginx.ingress.kubernetes.io/auth-signin: |-
https://app.company/outpost.goauthentik.io/start?rd=$escaped_request_uri
nginx.ingress.kubernetes.io/auth-response-headers: |-
Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
nginx.ingress.kubernetes.io/auth-snippet: |
proxy_set_header X-Forwarded-Host $http_host;
```
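Review bot: `nginx.ingress.kubernetes.io/auth-url` points at `http://outpost.company:9000/...`, so the auth subrequest and the `Set-Cookie` and `X-authentik-*` values named in `auth-response-headers` travel over plain HTTP to whatever host the reader substitutes for `outpost.company`. A YAML comment above `auth-url`, like the one already above `auth-signin`, should say that this address is meant to be the in-cluster service for the outpost, or that an `https://` URL is needed when the outpost is reached across a network that is not trusted.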

@ -1,4 +1,3 @@
```
server {
# SSL and VHost configuration
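Review bot: The opening fence on the first line of this file has no language tag, while the other snippets touched by this commit open with a `yaml`-tagged fence. Tag it `nginx` so the `server { ... }` block is highlighted and the snippets stay consistent across the forward-auth pages.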

@ -1,47 +1,46 @@
```yaml
version: '3.7'
version: "3.7"
services:
traefik:
image: traefik:v2.2
container_name: traefik
volumes:
- /var/run/docker.sock:/var/run/docker.sock
ports:
- 80:80
command:
- '--api'
- '--providers.docker=true'
- '--providers.docker.exposedByDefault=false'
- "--entrypoints.web.address=:80"
traefik:
image: traefik:v2.2
container_name: traefik
volumes:
- /var/run/docker.sock:/var/run/docker.sock
ports:
- 80:80
command:
- "--api"
- "--providers.docker=true"
- "--providers.docker.exposedByDefault=false"
- "--entrypoints.web.address=:80"
authentik-proxy:
image: ghcr.io/goauthentik/proxy
ports:
- 9000:9000
- 9443:9443
environment:
AUTHENTIK_HOST: https://your-authentik.tld
AUTHENTIK_INSECURE: "false"
AUTHENTIK_TOKEN: token-generated-by-authentik
# Starting with 2021.9, you can optionally set this too
# when authentik_host for internal communication doesn't match the public URL
# AUTHENTIK_HOST_BROWSER: https://external-domain.tld
labels:
traefik.enable: true
traefik.port: 9000
traefik.http.routers.authentik.rule: Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`)
# `authentik-proxy` refers to the service name in the compose file.
traefik.http.middlewares.authentik.forwardauth.address: http://authentik-proxy:9000/outpost.goauthentik.io/auth/traefik
traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version
restart: unless-stopped
authentik-proxy:
image: ghcr.io/goauthentik/proxy
ports:
- 9000:9000
- 9443:9443
environment:
AUTHENTIK_HOST: https://your-authentik.tld
AUTHENTIK_INSECURE: "false"
AUTHENTIK_TOKEN: token-generated-by-authentik
# Starting with 2021.9, you can optionally set this too
# when authentik_host for internal communication doesn't match the public URL
# AUTHENTIK_HOST_BROWSER: https://external-domain.tld
labels:
traefik.enable: true
traefik.port: 9000
traefik.http.routers.authentik.rule: Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`)
# `authentik-proxy` refers to the service name in the compose file.
traefik.http.middlewares.authentik.forwardauth.address: http://authentik-proxy:9000/outpost.goauthentik.io/auth/traefik
traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version
restart: unless-stopped
whoami:
image: containous/whoami
labels:
traefik.enable: true
traefik.http.routers.whoami.rule: Host(`app.company`)
traefik.http.routers.whoami.middlewares: authentik@docker
restart: unless-stopped
whoami:
image: containous/whoami
labels:
traefik.enable: true
traefik.http.routers.whoami.rule: Host(`app.company`)
traefik.http.routers.whoami.middlewares: authentik@docker
restart: unless-stopped
```
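Review bot: The `authentik-proxy` service publishes `9000:9000` and `9443:9443` on the host, yet Traefik reaches it over the compose network (`forwardauth.address: http://authentik-proxy:9000/...`) and the `authentik` router label on the same service already sends `/outpost.goauthentik.io/` to it, so the published ports only add a way to reach the outpost without going through Traefik. Consider dropping the `ports:` block from the example or replacing it with `expose:`, and say in a comment when publishing the ports is actually needed.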

@ -4,23 +4,23 @@ Create a middleware:
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: authentik
name: authentik
spec:
forwardAuth:
address: http://outpost.company:9000/outpost.goauthentik.io/auth/traefik
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-email
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version
forwardAuth:
address: http://outpost.company:9000/outpost.goauthentik.io/auth/traefik
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-email
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version
```
Add the following settings to your IngressRoute
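Review bot: `trustForwardHeader: true` tells Traefik to trust the `X-Forwarded-*` headers that arrive with the request, so the outpost at `address` sees client-chosen values unless another trusted proxy sits in front of Traefik and overwrites them. The example should carry a comment stating that precondition, or default to `false` and mention when to turn it on.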
@ -31,22 +31,22 @@ See [here](https://doc.traefik.io/traefik/v2.4/providers/kubernetes-crd/#allowcr
```yaml
spec:
routes:
- kind: Rule
match: "Host(`app.company`)"
middlewares:
- name: authentik
namespace: authentik
priority: 10
services: # Unchanged
# This part is only required for single-app setups
- kind: Rule
match: "Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`)"
priority: 15
services:
- kind: Service
# Or, to use an external Outpost, create an ExternalName service and reference that here.
# See https://kubernetes.io/docs/concepts/services-networking/service/#externalname
name: ak-outpost-example-outpost
port: 9000
routes:
- kind: Rule
match: "Host(`app.company`)"
middlewares:
- name: authentik
namespace: authentik
priority: 10
services: # Unchanged
# This part is only required for single-app setups
- kind: Rule
match: "Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`)"
priority: 15
services:
- kind: Service
# Or, to use an external Outpost, create an ExternalName service and reference that here.
# See https://kubernetes.io/docs/concepts/services-networking/service/#externalname
name: ak-outpost-example-outpost
port: 9000
```
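Review bot: Nothing in the snippet says why the two rules carry `priority: 10` and `priority: 15`, and that ordering is what keeps `/outpost.goauthentik.io/` out of the `authentik` middleware: if a reader copies the routes with the priorities swapped, the outpost's own paths fall under the rule that has the middleware attached. A one-line comment on the second rule, for example `# must outrank the protected route so outpost paths bypass forward auth`, would make that explicit.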

@ -1,31 +1,31 @@
```yaml
http:
middlewares:
authentik:
forwardAuth:
address: http://outpost.company:9000/outpost.goauthentik.io/auth/traefik
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-email
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version
routers:
default-router:
rule: "Host(`app.company`)"
middlewares:
- name: authentik
priority: 10
services: # Unchanged
default-router-auth:
match: "Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`)"
priority: 15
services: http://outpost.company:9000/outpost.goauthentik.io
middlewares:
authentik:
forwardAuth:
address: http://outpost.company:9000/outpost.goauthentik.io/auth/traefik
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-email
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version
routers:
default-router:
rule: "Host(`app.company`)"
middlewares:
- name: authentik
priority: 10
services: # Unchanged
default-router-auth:
match: "Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`)"
priority: 15
services: http://outpost.company:9000/outpost.goauthentik.io
```
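Review bot: `default-router-auth` uses `match:` where `default-router` just above it uses `rule:`; `match` is the key from the IngressRoute CRD, and in this file-provider layout the router key is `rule`, so the second router has no rule as written. The reformat carries the old key over unchanged, so rename it to `rule:` on the new side and keep the expression as it is.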

@ -4,8 +4,8 @@ title: Custom headers
The proxy can send custom headers to your upstream application. These can be configured in one of two ways:
- Group attributes; this allows for inheritance, but only allows static values
- Property mappings; this allows for dynamic values
- Group attributes; this allows for inheritance, but only allows static values
- Property mappings; this allows for dynamic values
## Group attributes

@ -16,11 +16,12 @@ has the advantage that you can still do per-application access policies in authe
## Domain level
To use forward auth instead of proxying, you have to change a couple of settings.
In the Proxy Provider, make sure to use the *Forward auth (domain level)* mode.
In the Proxy Provider, make sure to use the _Forward auth (domain level)_ mode.
This mode differs from the *Forward auth (single application)* mode in the following points:
- You don't have to configure an application in authentik for each domain
- Users don't have to authorize multiple times
This mode differs from the _Forward auth (single application)_ mode in the following points:
- You don't have to configure an application in authentik for each domain
- Users don't have to authorize multiple times
There are however also some downsides, mainly the fact that you **can't** restrict individual
applications to different users.
@ -33,16 +34,16 @@ is redirected to the outpost.
For domain level, you'd use the same domain as authentik.
:::info
*example-outpost* is used as a placeholder for the outpost name.
*authentik.company* is used as a placeholder for the authentik install.
*app.company* is used as a placeholder for the external domain for the application.
*outpost.company* is used as a placeholder for the outpost. When using the embedded outpost, this can be the same as *authentik.company*
_example-outpost_ is used as a placeholder for the outpost name.
_authentik.company_ is used as a placeholder for the authentik install.
_app.company_ is used as a placeholder for the external domain for the application.
_outpost.company_ is used as a placeholder for the outpost. When using the embedded outpost, this can be the same as _authentik.company_
:::
## Nginx
import Tabs from '@theme/Tabs';
import TabItem from '@theme/TabItem';
import Tabs from "@theme/Tabs";
import TabItem from "@theme/TabItem";
<Tabs
defaultValue="standalone-nginx"
@ -53,21 +54,21 @@ import TabItem from '@theme/TabItem';
]}>
<TabItem value="standalone-nginx">
import NginxStandalone from './_nginx_standalone.md'
import NginxStandalone from "./_nginx_standalone.md";
<NginxStandalone />
</TabItem>
<TabItem value="ingress">
import NginxIngress from './_nginx_ingress.md'
import NginxIngress from "./_nginx_ingress.md";
<NginxIngress />
</TabItem>
<TabItem value="proxy-manager">
import NginxProxyManager from './_nginx_proxy_manager.md'
import NginxProxyManager from "./_nginx_proxy_manager.md";
<NginxProxyManager />
@ -85,21 +86,21 @@ import NginxProxyManager from './_nginx_proxy_manager.md'
]}>
<TabItem value="standalone-traefik">
import TraefikStandalone from './_traefik_standalone.md'
import TraefikStandalone from "./_traefik_standalone.md";
<TraefikStandalone />
</TabItem>
<TabItem value="docker-compose">
import TraefikCompose from './_traefik_compose.md'
import TraefikCompose from "./_traefik_compose.md";
<TraefikCompose />
</TabItem>
<TabItem value="ingress">
import TraefikIngress from './_traefik_ingress.md'
import TraefikIngress from "./_traefik_ingress.md";
<TraefikIngress />

@ -4,51 +4,51 @@ title: Overview
The proxy outpost sets the following user-specific headers:
- X-authentik-username: `akadmin`
- X-authentik-username: `akadmin`
The username of the currently logged in user
- X-authentik-groups: `foo|bar|baz`
- X-authentik-groups: `foo|bar|baz`
The groups the user is member of, separated by a pipe
- X-authentik-email: `root@localhost`
- X-authentik-email: `root@localhost`
The email address of the currently logged in user
- X-authentik-name: `authentik Default Admin`
- X-authentik-name: `authentik Default Admin`
Full name of the current user
- X-authentik-uid: `900347b8a29876b45ca6f75722635ecfedf0e931c6022e3a29a8aa13fb5516fb`
- X-authentik-uid: `900347b8a29876b45ca6f75722635ecfedf0e931c6022e3a29a8aa13fb5516fb`
The hashed identifier of the currently logged in user.
Additionally, you can set `additionalHeaders` on groups or users to set additional headers.
If you enable *Set HTTP-Basic Authentication* option, the HTTP Authorization header is being set.
If you enable _Set HTTP-Basic Authentication_ option, the HTTP Authorization header is being set.
Besides these user-specific headers, some application specific headers are also set:
- X-authentik-meta-outpost: `authentik Embedded Outpost`
- X-authentik-meta-outpost: `authentik Embedded Outpost`
The authentik outpost's name.
- X-authentik-meta-provider: `test`
- X-authentik-meta-provider: `test`
The authentik provider's name.
- X-authentik-meta-app: `test`
- X-authentik-meta-app: `test`
The authentik application's slug.
- X-authentik-meta-version: `goauthentik.io/outpost/1.2.3`
- X-authentik-meta-version: `goauthentik.io/outpost/1.2.3`
The authentik outpost's version.
### Only in proxy mode
- X-Forwarded-Host:
- X-Forwarded-Host:
The original Host header sent by the client. This is set as the `Host` header is set to the host of the configured backend.
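Review bot: `X-authentik-groups` is documented as pipe-separated (`foo|bar|baz`), but the text does not say what happens when a group name itself contains `|`, which matters to any upstream that splits this header to make authorization decisions. Add a sentence stating whether such names are escaped or rejected, or advise upstreams to rely only on groups whose names cannot contain the separator.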
@ -72,7 +72,7 @@ To log out, navigate to `/outpost.goauthentik.io/sign_out`.
## Allowing unauthenticated requests
To allow un-authenticated requests to certain paths/URLs, you can use the *Unauthenticated URLs* / *Unauthenticated Paths* field.
To allow un-authenticated requests to certain paths/URLs, you can use the _Unauthenticated URLs_ / _Unauthenticated Paths_ field.
Each new line is interpreted as a regular expression, and is compiled and checked using the standard Golang regex parser.
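Review bot: The sentence "Each new line is interpreted as a regular expression" does not say whether an expression has to match the whole path or may match anywhere in it, and for a field that exempts requests from authentication that difference decides how much ends up public. State the matching behaviour next to this sentence and show an anchored entry, such as `^/healthz$` (an example path), as the recommended form.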
@ -88,7 +88,7 @@ In this mode, the regular expressions are matched against the Request's full URL
## Dynamic backend selection
You can configure the backend the proxy should access dynamically via *Scope mappings*. To do so, create a new *Scope mapping*, with a name and scope of your choice. As expression, use this:
You can configure the backend the proxy should access dynamically via _Scope mappings_. To do so, create a new _Scope mapping_, with a name and scope of your choice. As expression, use this:
```python
return {
@ -98,4 +98,4 @@ return {
}
```
Afterwards, edit the *Proxy provider* and add this new mapping. The expression is only evaluated when the user logs into the application.
Afterwards, edit the _Proxy provider_ and add this new mapping. The expression is only evaluated when the user logs into the application.