habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

more content

Browse Source
This commit is contained in:
Tana M Berry
2025-06-23 18:53:49 -05:00
parent 4e2e678de3
commit fbc7dbb151
8 changed files with 372 additions and 322 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
website/docs/add-secure-apps/flows-stages/stages/user_login/index.md
View File

@ -40,7 +40,7 @@ When creating or editing this stage in the UI of the Admin interface, you can se
When configured, all sessions authenticated by this stage will be bound to the selected network and/or GeoIP criteria.
Sessions that break this binding will be terminated on use. The created [`logout`](../../../../sys-mgmt/events/index.md#logout) event will contain additional data related to what caused the binding to be broken:
Sessions that break this binding will be terminated on use. The created [`logout`](../../../../sys-mgmt/events/event-actions#logout) event will contain additional data related to what caused the binding to be broken:
```json
{

308
website/docs/sys-mgmt/events/event-actions.md Normal file
View File

@ -0,0 +1,308 @@
---
Title: Event actions
---
Whenever any of the following actions occur, an event is created. Actions are used to define [Notification Rules](notifications.md).
### `login`
A user logs in (including the source, if available)
<details>
<summary>Example</summary>
```json
{
"pk": "f00f54e7-2b38-421f-bc78-e61f950048d6",
"user": {
"pk": 1,
"email": "root@localhost",
"username": "akadmin"
},
"action": "login",
"app": "authentik.events.signals",
"context": {
"auth_method": "password",
"http_request": {
"args": {
"query": "next=%2F"
},
"path": "/api/v3/flows/executor/default-authentication-flow/",
"method": "GET"
},
"auth_method_args": {}
},
"client_ip": "::1",
"created": "2023-02-15T15:33:42.771091Z",
"expires": "2024-02-15T15:33:42.770425Z",
"brand": {
"pk": "fcba828076b94dedb2d5a6b4c5556fa1",
"app": "authentik_brands",
"name": "Default brand",
"model_name": "brand"
}
}
```
</details>
### `login_failed`
A failed login attempt
<details>
<summary>Example</summary>
```json
{
"pk": "2779b173-eb2a-4c2b-a1a4-8283eda308d7",
"user": {
"pk": 2,
"email": "",
"username": "AnonymousUser"
},
"action": "login_failed",
"app": "authentik.events.signals",
"context": {
"stage": {
"pk": "7e88f4a991c442c1a1335d80f0827d7f",
"app": "authentik_stages_password",
"name": "default-authentication-password",
"model_name": "passwordstage"
},
"password": "********************",
"username": "akadmin",
"http_request": {
"args": {
"query": "next=%2F"
},
"path": "/api/v3/flows/executor/default-authentication-flow/",
"method": "POST"
}
},
"client_ip": "::1",
"created": "2023-02-15T15:32:55.319608Z",
"expires": "2024-02-15T15:32:55.314581Z",
"brand": {
"pk": "fcba828076b94dedb2d5a6b4c5556fa1",
"app": "authentik_brands",
"name": "Default brand",
"model_name": "brand"
}
}
```
</details>
### `logout`
A user logs out.
<details>
<summary>Example</summary>
```json
{
"pk": "474ffb6b-77e3-401c-b681-7d618962440f",
"user": {
"pk": 1,
"email": "root@localhost",
"username": "akadmin"
},
"action": "logout",
"app": "authentik.events.signals",
"context": {
"http_request": {
"args": {
"query": ""
},
"path": "/api/v3/flows/executor/default-invalidation-flow/",
"method": "GET"
}
},
"client_ip": "::1",
"created": "2023-02-15T15:39:55.976243Z",
"expires": "2024-02-15T15:39:55.975535Z",
"brand": {
"pk": "fcba828076b94dedb2d5a6b4c5556fa1",
"app": "authentik_brands",
"name": "Default brand",
"model_name": "brand"
}
}
```
</details>
### `user_write`
A user is written to during a flow execution.
<details>
<summary>Example</summary>
```json
{
"pk": "d012e8af-cb94-4fa2-9e92-961e4eebc060",
"user": {
"pk": 1,
"email": "root@localhost",
"username": "akadmin"
},
"action": "user_write",
"app": "authentik.events.signals",
"context": {
"name": "authentik Default Admin",
"email": "root@localhost",
"created": false,
"username": "akadmin",
"attributes": {
"settings": {
"locale": ""
}
},
"http_request": {
"args": {
"query": ""
},
"path": "/api/v3/flows/executor/default-user-settings-flow/",
"method": "GET"
}
},
"client_ip": "::1",
"created": "2023-02-15T15:41:18.411017Z",
"expires": "2024-02-15T15:41:18.410276Z",
"brand": {
"pk": "fcba828076b94dedb2d5a6b4c5556fa1",
"app": "authentik_brands",
"name": "Default brand",
"model_name": "brand"
}
}
```
</details>
### `suspicious_request`
A suspicious request has been received (for example, a revoked token was used).
### `password_set`
A user sets their password.
### `secret_view`
A user views a token's/certificate's data.
### `secret_rotate`
A token was rotated automatically by authentik.
### `invitation_used`
An invitation is used.
### `authorize_application`
A user authorizes an application.
<details>
<summary>Example</summary>
```json
{
"pk": "f52f9eb9-dc2a-4f1e-afea-ad5af90bf680",
"user": {
"pk": 1,
"email": "root@localhost",
"username": "akadmin"
},
"action": "authorize_application",
"app": "authentik.providers.oauth2.views.authorize",
"context": {
"asn": {
"asn": 6805,
"as_org": "Telefonica Germany",
"network": "5.4.0.0/14"
},
"geo": {
"lat": 42.0,
"city": "placeholder",
"long": 42.0,
"country": "placeholder",
"continent": "placeholder"
},
"flow": "53287faa8a644b6cb124cb602a84282f",
"scopes": "ak_proxy profile openid email",
"http_request": {
"args": {
"query": "[...]"
},
"path": "/api/v3/flows/executor/default-provider-authorization-implicit-consent/",
"method": "GET"
},
"authorized_application": {
"pk": "bed6a2495fdc4b2e8c3f93cb2ed7e021",
"app": "authentik_core",
"name": "Alertmanager",
"model_name": "application"
}
},
"client_ip": "::1",
"created": "2023-02-15T10:02:48.615499Z",
"expires": "2023-04-26T10:02:48.612809Z",
"brand": {
"pk": "10800be643d44842ab9d97cb5f898ce9",
"app": "authentik_brands",
"name": "Default brand",
"model_name": "brand"
}
}
```
</details>
### `source_linked`
A user links a source to their account
### `impersonation_started` / `impersonation_ended`
A user starts/ends impersonation, including the user that was impersonated
### `policy_execution`
A policy is executed (when a policy has "Execution Logging" enabled).
### `policy_exception` / `property_mapping_exception`
A policy or property mapping causes an exception
### `system_task_exception`
An exception occurred in a system task.
### `system_exception`
A general exception in authentik occurred.
### `configuration_error`
A configuration error occurs, for example during the authorization of an application
### `model_created` / `model_updated` / `model_deleted`
Logged when any model is created/updated/deleted, including the user that sent the request.
:::info
Starting with authentik 2024.2, when a valid enterprise license is installed, these entries will contain additional audit data, including which fields were changed with this event, their previous values and their new values.
:::
### `email_sent`
An email has been sent. Included is the email that was sent.
### `update_available`
An update is available

BIN
website/docs/sys-mgmt/events/event_matcher.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 46 KiB

313
website/docs/sys-mgmt/events/index.md
View File

@ -4,319 +4,14 @@ title: Events
Events are authentik's built-in logging system. Every event is logged, whether it is initiated by a user or by authentik.
Events can be used to define [notification rules](notifications.md), with specified [transport options](transports.md) of local (in the authentik UI), email or webhook.
Events can be used to define [notification rules](notifications.md), with specified [transport options](transports.md) of either local (in the authentik UI), email, or webhook.
Certain information is stripped from events, to ensure that no passwords or other credentials are saved in the log.
## Event retention
## Event retention and forwarding
The event retention is configured in the **System > Settings** area of the Admin interface, with the default being set to 365 days.
If you want to forward these events to another application, forward the log output of all authentik containers. Every event creation is logged with the log level "info". For this configuration, it is also recommended to set the internal retention pretty low (for example, `days=1`).
If you want to forward these events to another application, forward the log output of all authentik containers. Every event creation is logged with the log level "info". For this configuration, it is also recommended to set the internal retention time period to a short time frame (for example, `days=1`).
## Event actions
Whenever any of the following actions occur, an event is created.
### `login`
A user logs in (including the source, if available)
<details>
<summary>Example</summary>
```json
{
"pk": "f00f54e7-2b38-421f-bc78-e61f950048d6",
"user": {
"pk": 1,
"email": "root@localhost",
"username": "akadmin"
},
"action": "login",
"app": "authentik.events.signals",
"context": {
"auth_method": "password",
"http_request": {
"args": {
"query": "next=%2F"
},
"path": "/api/v3/flows/executor/default-authentication-flow/",
"method": "GET"
},
"auth_method_args": {}
},
"client_ip": "::1",
"created": "2023-02-15T15:33:42.771091Z",
"expires": "2024-02-15T15:33:42.770425Z",
"brand": {
"pk": "fcba828076b94dedb2d5a6b4c5556fa1",
"app": "authentik_brands",
"name": "Default brand",
"model_name": "brand"
}
}
```
</details>
### `login_failed`
A failed login attempt
<details>
<summary>Example</summary>
```json
{
"pk": "2779b173-eb2a-4c2b-a1a4-8283eda308d7",
"user": {
"pk": 2,
"email": "",
"username": "AnonymousUser"
},
"action": "login_failed",
"app": "authentik.events.signals",
"context": {
"stage": {
"pk": "7e88f4a991c442c1a1335d80f0827d7f",
"app": "authentik_stages_password",
"name": "default-authentication-password",
"model_name": "passwordstage"
},
"password": "********************",
"username": "akadmin",
"http_request": {
"args": {
"query": "next=%2F"
},
"path": "/api/v3/flows/executor/default-authentication-flow/",
"method": "POST"
}
},
"client_ip": "::1",
"created": "2023-02-15T15:32:55.319608Z",
"expires": "2024-02-15T15:32:55.314581Z",
"brand": {
"pk": "fcba828076b94dedb2d5a6b4c5556fa1",
"app": "authentik_brands",
"name": "Default brand",
"model_name": "brand"
}
}
```
</details>
### `logout`
A user logs out.
<details>
<summary>Example</summary>
```json
{
"pk": "474ffb6b-77e3-401c-b681-7d618962440f",
"user": {
"pk": 1,
"email": "root@localhost",
"username": "akadmin"
},
"action": "logout",
"app": "authentik.events.signals",
"context": {
"http_request": {
"args": {
"query": ""
},
"path": "/api/v3/flows/executor/default-invalidation-flow/",
"method": "GET"
}
},
"client_ip": "::1",
"created": "2023-02-15T15:39:55.976243Z",
"expires": "2024-02-15T15:39:55.975535Z",
"brand": {
"pk": "fcba828076b94dedb2d5a6b4c5556fa1",
"app": "authentik_brands",
"name": "Default brand",
"model_name": "brand"
}
}
```
</details>
### `user_write`
A user is written to during a flow execution.
<details>
<summary>Example</summary>
```json
{
"pk": "d012e8af-cb94-4fa2-9e92-961e4eebc060",
"user": {
"pk": 1,
"email": "root@localhost",
"username": "akadmin"
},
"action": "user_write",
"app": "authentik.events.signals",
"context": {
"name": "authentik Default Admin",
"email": "root@localhost",
"created": false,
"username": "akadmin",
"attributes": {
"settings": {
"locale": ""
}
},
"http_request": {
"args": {
"query": ""
},
"path": "/api/v3/flows/executor/default-user-settings-flow/",
"method": "GET"
}
},
"client_ip": "::1",
"created": "2023-02-15T15:41:18.411017Z",
"expires": "2024-02-15T15:41:18.410276Z",
"brand": {
"pk": "fcba828076b94dedb2d5a6b4c5556fa1",
"app": "authentik_brands",
"name": "Default brand",
"model_name": "brand"
}
}
```
</details>
### `suspicious_request`
A suspicious request has been received (for example, a revoked token was used).
### `password_set`
A user sets their password.
### `secret_view`
A user views a token's/certificate's data.
### `secret_rotate`
A token was rotated automatically by authentik.
### `invitation_used`
An invitation is used.
### `authorize_application`
A user authorizes an application.
<details>
<summary>Example</summary>
```json
{
"pk": "f52f9eb9-dc2a-4f1e-afea-ad5af90bf680",
"user": {
"pk": 1,
"email": "root@localhost",
"username": "akadmin"
},
"action": "authorize_application",
"app": "authentik.providers.oauth2.views.authorize",
"context": {
"asn": {
"asn": 6805,
"as_org": "Telefonica Germany",
"network": "5.4.0.0/14"
},
"geo": {
"lat": 42.0,
"city": "placeholder",
"long": 42.0,
"country": "placeholder",
"continent": "placeholder"
},
"flow": "53287faa8a644b6cb124cb602a84282f",
"scopes": "ak_proxy profile openid email",
"http_request": {
"args": {
"query": "[...]"
},
"path": "/api/v3/flows/executor/default-provider-authorization-implicit-consent/",
"method": "GET"
},
"authorized_application": {
"pk": "bed6a2495fdc4b2e8c3f93cb2ed7e021",
"app": "authentik_core",
"name": "Alertmanager",
"model_name": "application"
}
},
"client_ip": "::1",
"created": "2023-02-15T10:02:48.615499Z",
"expires": "2023-04-26T10:02:48.612809Z",
"brand": {
"pk": "10800be643d44842ab9d97cb5f898ce9",
"app": "authentik_brands",
"name": "Default brand",
"model_name": "brand"
}
}
```
</details>
### `source_linked`
A user links a source to their account
### `impersonation_started` / `impersonation_ended`
A user starts/ends impersonation, including the user that was impersonated
### `policy_execution`
A policy is executed (when a policy has "Execution Logging" enabled).
### `policy_exception` / `property_mapping_exception`
A policy or property mapping causes an exception
### `system_task_exception`
An exception occurred in a system task.
### `system_exception`
A general exception in authentik occurred.
### `configuration_error`
A configuration error occurs, for example during the authorization of an application
### `model_created` / `model_updated` / `model_deleted`
Logged when any model is created/updated/deleted, including the user that sent the request.
:::info
Starting with authentik 2024.2, when a valid enterprise license is installed, these entries will contain additional audit data, including which fields were changed with this event, their previous values and their new values.
:::
### `email_sent`
An email has been sent. Included is the email that was sent.
### `update_available`
An update is available
## Audit logging

5
website/docs/sys-mgmt/events/logging-events.md Normal file
View File

@ -0,0 +1,5 @@
---
Title: Logging events
---
shshhs

32
website/docs/sys-mgmt/events/notifications.md
View File

@ -3,16 +3,32 @@ title: Notifications
---
:::note
To prevent infinite loops (events created by policies which are attached to a Notification rule), **any events created by a policy which is attached to any Notification Rules do not trigger notifications.**
To prevent infinite loops of cause and effect (events created by policies which are attached to a notification rule), _any events created by a policy which is attached to any notification rules do not trigger notifications._
:::
## Filtering Events
An authentik administrator can create notification rules based on the creation of specified events. Filtering of events is processed by the authentik Policy Engine, using a combination of both 1) a policy and 2) a notification rule.
An authentik administrator can create notification rules based on the creation of specified events. Filtering is done by using the Policy Engine. You can do simple filtering using the "Event Matcher Policy" type.
## Workflow overview
![](./event_matcher.png)
To receive notifications about events, follow this workflow:
An event has to match all configured fields, otherwise the rule will not trigger.
1. [Create a transport](./transports.md#create-a-transport) (or use an existing default transport)
2. [Create a policy](#create-a-policy)
3. [Create a notification rule, and bind the policy to the rule](#create-a-notification-rule)
## Create a policy
First you need to create a policy, either the **Event Matcher** policy or a custom Expression policy.
### **Event Matcher** policy
For simple filtering you can [create and configure](../../customize/policies/working_with_policies.md) a new **Event Matcher** policy to specify exactly which events (known as _Actions_ in the policy) you want to be notified about. For example, you get chose to create a policy for every time a user deletes a model object, or fails to successfully log in.
The authentik policy engine....
Be aware that an event has to match all configured fields in the policy, otherwise the notification rule will not trigger.
### Expression policy for events
To match events with an "Expression Policy", you can write code like so:
@ -23,14 +39,14 @@ if "event" not in request.context:
return ip_address(request.context["event"].client_ip) in ip_network('192.0.2.0/24')
```
## Selecting who gets notified
## Create a notification rule
After you've created the policies to match the events you want, create a "Notification Rule".
After you've created the policies to match the events you want, create a **"**Notification Rule\*\*.
You have to select which group the generated notification should be sent to. If left empty, the rule will be disabled.
:::info
Before authentik 2023.5, when no group is selected, policies bound to the rule are not executed. Starting with authentik 2023.5, policies are executed even when no group is selected.
Be aware that policies are executed even when no group is selected.
:::
You also have to select which transports should be used to send the notification.

27
website/docs/sys-mgmt/events/transports.md
View File

@ -2,9 +2,26 @@
title: Transports
---
Notifications can be sent to users via multiple mediums. By default, the [global email configuration](../../install-config/install/docker-compose.mdx#email-configuration-optional-but-recommended) will be used.
To receive notifications about events, you will need to [create](#create-a-transport) a transport object, then create a notification rule and a policy. For details on this workflow refer to
## Generic Webhook
## Transport types
Notifications can be sent to users via multiple mediums, or _transports_:
- Local
- Email
- Webhook (generic)
- Webhook (Slack/Discord)
### Local transport
This transport will manifest the notification within the authentik user interface (UI).
### Email
select this transport to send event notificstions to an email address. Note that by default, the [global email configuration](../../install-config/install/docker-compose.mdx#email-configuration-optional-but-recommended) is used.
### Webhook (generic)
This will send a POST request to the given URL with the following contents:
@ -31,6 +48,10 @@ return {
}
```
## Slack Webhook
### Webhook (Slack or Discord)
This sends a request using the Slack-specific format. This is also compatible with Discord's webhooks by appending `/slack` to the Discord webhook URL.
## Create a transport
dfvfd