Files
authentik/website/docs/users-sources/sources/protocols/oauth/index.md
Tana M Berry 6d5172d18a website: latest PR for new Docs structure (#11639)
* first pass

* dependency shenanigans

* move blueprints

* few broken links

* change config the throw errors

* internal file edits

* fighting links

* remove sidebarDev

* fix subdomain

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix relative URL

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix mismatched package versions

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix api reference build

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* test tweak

* links hell

* more links hell

* links hell2

* yep last of the links

* last broken link fixed

* re-add cves

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add devdocs redirects

* add dir

* tweak netlify.toml

* move latest 2 CVES into dir

* fix links to moved cves

* typoed title fix

* fix link

* remove banner

* remove committed api docs

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* integrations: remove version dropdown

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* Update Makefile

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* change doc links in web as well

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* fix some more docs paths

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* fix more docs paths

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* ci: require ci-web.build for merging

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* Revert "ci: require ci-web.build for merging"

This reverts commit b99a4842a9.

* remove sluf for Application

* put slug back in

* minor fix to trigger deploy

* Spelled out Documentation in menu bar

* remove image redirects...

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* remove explicit index.md

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* remove mdx first

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* then remove .md

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add missing prefix

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Co-authored-by: Tana M Berry <tana@goauthentik.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
2024-10-09 09:33:40 -05:00

3.1 KiB

title
title
OAuth Source

This source allows users to enroll themselves with an external OAuth-based Identity Provider. The generic provider expects the endpoint to return OpenID-Connect compatible information. Vendor-specific implementations have their own OAuth Source.

  • Policies: Allow/Forbid users from linking their accounts with this provider.

  • Request Token URL: This field is used for OAuth v1 implementations and will be provided by the provider.

  • Authorization URL: This value will be provided by the provider.

  • Access Token URL: This value will be provided by the provider.

  • Profile URL: This URL is called by authentik to retrieve user information upon successful authentication.

  • Consumer key/Consumer secret: These values will be provided by the provider.

  • Scopes: Configure additional scopes to send to the provider.

    Starting with authentik 2022.10, the default scopes can be replaced by prefix the value for scopes with *.

OpenID Connect authentik 2022.6+

Well-known

Instead of configuring the URLs for a source manually, and the application you're configuring implements the OpenID Connect Discovery Spec, you can configure the source with a single URL. The URL should always end with .well-known/openid-configuration. Many applications don't explicitly mention this URL, but for most of them it will be https://application.company/.well-known/openid-configuration.

This URL is fetched upon saving the source, and all the URLs will be replaced by the ones from the Discovery document. No automatic re-fetching is done.

JWKS

To simplify Machine-to-machine authentication, you can create an OAuth Source as "trusted" source of JWTs. Create a source and configure either the Well-known URL or the OIDC JWKS URL, or you can manually enter the JWKS data if you so desire.

Afterwards, this source can be selected in one or multiple OAuth2 providers, and any JWT issued by any of the configured sources' JWKS will be able to authenticate. To learn more about this, see JWT-authentication.

OAuth source property mappings

See the overview for information on how property mappings work.

Expression data

The following variables are available to OAuth source property mappings:

  • info: A Python dictionary containing OAuth claims. For example (values might differ depending on the source):
    {
        "iss": "https://source.company",
        "sub": "f153e7da687eec8c8789c72b6cc6bb5197df7b48b263b3151f36908e1bc10691",
        "aud": "01e4DmQiG1d3kaewD3Mkz7E7kXknk9j43eZMkNaE",
        "aud": "a7809c1b1c4aaa50adfb68660a6273dd9c8d15e4",
        "email": "user@authentik.company",
        "email_verified": True,
        "name": "User",
        "given_name": "User",
        "preferred_username": "user",
        "nickname": "user",
    }
    
  • client: An OAuth client object to make requests to the Source with authentication built-in.
  • token: A Python dictionary containing OAuth tokens.