website: format docs with prettier (#2833)
* run prettier Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add scim to comparison Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
parent
26d92d9259
commit
f9469e3f99
|
@ -136,8 +136,8 @@ jobs:
|
||||||
key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/**') }}
|
key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/**') }}
|
||||||
- name: prepare web ui
|
- name: prepare web ui
|
||||||
if: steps.cache-web.outputs.cache-hit != 'true'
|
if: steps.cache-web.outputs.cache-hit != 'true'
|
||||||
|
working-directory: web
|
||||||
run: |
|
run: |
|
||||||
cd web
|
|
||||||
npm ci
|
npm ci
|
||||||
npm run build
|
npm run build
|
||||||
- name: run e2e
|
- name: run e2e
|
||||||
|
@ -169,8 +169,8 @@ jobs:
|
||||||
key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/**') }}
|
key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/**') }}
|
||||||
- name: prepare web ui
|
- name: prepare web ui
|
||||||
if: steps.cache-web.outputs.cache-hit != 'true'
|
if: steps.cache-web.outputs.cache-hit != 'true'
|
||||||
|
working-directory: web/
|
||||||
run: |
|
run: |
|
||||||
cd web
|
|
||||||
npm ci
|
npm ci
|
||||||
npm run build
|
npm run build
|
||||||
- name: run e2e
|
- name: run e2e
|
||||||
|
|
|
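Review bot: The two hunks of this workflow spell the new `working-directory` differently: the `@ -136` hunk sets `working-directory: web` while the `@ -169` hunk (and the other workflow files touched by this commit) use `working-directory: web/`. Both resolve to the same directory, so this is a consistency point only, but since the commit's purpose is uniform formatting I'd change the first occurrence to `working-directory: web/` so a grep for the key returns one spelling. The enclosing job definitions start and end outside the hunks.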
@ -118,8 +118,8 @@ jobs:
|
||||||
- name: Generate API
|
- name: Generate API
|
||||||
run: make gen-client-go
|
run: make gen-client-go
|
||||||
- name: Build web
|
- name: Build web
|
||||||
|
working-directory: web/
|
||||||
run: |
|
run: |
|
||||||
cd web
|
|
||||||
npm ci
|
npm ci
|
||||||
npm run build-proxy
|
npm run build-proxy
|
||||||
- name: Build outpost
|
- name: Build outpost
|
||||||
|
|
|
@ -20,15 +20,13 @@ jobs:
|
||||||
node-version: '16'
|
node-version: '16'
|
||||||
cache: 'npm'
|
cache: 'npm'
|
||||||
cache-dependency-path: web/package-lock.json
|
cache-dependency-path: web/package-lock.json
|
||||||
- run: |
|
- working-directory: web/
|
||||||
cd web
|
run: npm ci
|
||||||
npm ci
|
|
||||||
- name: Generate API
|
- name: Generate API
|
||||||
run: make gen-client-web
|
run: make gen-client-web
|
||||||
- name: Eslint
|
- name: Eslint
|
||||||
run: |
|
working-directory: web/
|
||||||
cd web
|
run: npm run lint
|
||||||
npm run lint
|
|
||||||
lint-prettier:
|
lint-prettier:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
|
@ -38,15 +36,13 @@ jobs:
|
||||||
node-version: '16'
|
node-version: '16'
|
||||||
cache: 'npm'
|
cache: 'npm'
|
||||||
cache-dependency-path: web/package-lock.json
|
cache-dependency-path: web/package-lock.json
|
||||||
- run: |
|
- working-directory: web/
|
||||||
cd web
|
run: npm ci
|
||||||
npm ci
|
|
||||||
- name: Generate API
|
- name: Generate API
|
||||||
run: make gen-client-web
|
run: make gen-client-web
|
||||||
- name: prettier
|
- name: prettier
|
||||||
run: |
|
working-directory: web/
|
||||||
cd web
|
run: npm run prettier-check
|
||||||
npm run prettier-check
|
|
||||||
lint-lit-analyse:
|
lint-lit-analyse:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
|
@ -56,15 +52,13 @@ jobs:
|
||||||
node-version: '16'
|
node-version: '16'
|
||||||
cache: 'npm'
|
cache: 'npm'
|
||||||
cache-dependency-path: web/package-lock.json
|
cache-dependency-path: web/package-lock.json
|
||||||
- run: |
|
- working-directory: web/
|
||||||
cd web
|
run: npm ci
|
||||||
npm ci
|
|
||||||
- name: Generate API
|
- name: Generate API
|
||||||
run: make gen-client-web
|
run: make gen-client-web
|
||||||
- name: lit-analyse
|
- name: lit-analyse
|
||||||
run: |
|
working-directory: web/
|
||||||
cd web
|
run: npm run lit-analyse
|
||||||
npm run lit-analyse
|
|
||||||
ci-web-mark:
|
ci-web-mark:
|
||||||
needs:
|
needs:
|
||||||
- lint-eslint
|
- lint-eslint
|
||||||
|
@ -84,12 +78,10 @@ jobs:
|
||||||
node-version: '16'
|
node-version: '16'
|
||||||
cache: 'npm'
|
cache: 'npm'
|
||||||
cache-dependency-path: web/package-lock.json
|
cache-dependency-path: web/package-lock.json
|
||||||
- run: |
|
- working-directory: web/
|
||||||
cd web
|
run: npm ci
|
||||||
npm ci
|
|
||||||
- name: Generate API
|
- name: Generate API
|
||||||
run: make gen-client-web
|
run: make gen-client-web
|
||||||
- name: build
|
- name: build
|
||||||
run: |
|
working-directory: web/
|
||||||
cd web
|
run: npm run build
|
||||||
npm run build
|
|
||||||
|
|
|
@ -0,0 +1,33 @@
|
||||||
|
name: authentik-ci-website
|
||||||
|
|
||||||
|
on:
|
||||||
|
push:
|
||||||
|
branches:
|
||||||
|
- master
|
||||||
|
- next
|
||||||
|
- version-*
|
||||||
|
pull_request:
|
||||||
|
branches:
|
||||||
|
- master
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
lint-prettier:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v3
|
||||||
|
- uses: actions/setup-node@v3.1.1
|
||||||
|
with:
|
||||||
|
node-version: '16'
|
||||||
|
cache: 'npm'
|
||||||
|
cache-dependency-path: website/package-lock.json
|
||||||
|
- working-directory: website/
|
||||||
|
run: npm ci
|
||||||
|
- name: prettier
|
||||||
|
working-directory: website/
|
||||||
|
run: npm run prettier-check
|
||||||
|
ci-web-mark:
|
||||||
|
needs:
|
||||||
|
- lint-prettier
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- run: echo mark
|
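Review bot: The new workflow references its actions by mutable tag (`actions/checkout@v3`, `actions/setup-node@v3.1.1`), so whatever commit those tags point to at run time is what executes in CI; pinning each `uses:` to the full commit SHA of the intended release (with the tag kept in a trailing `# vX.Y.Z` comment) makes the workflow's supply chain reproducible and reviewable, and a Dependabot/Renovate rule for `github-actions` keeps the pins current. Separately, the aggregate job is named `ci-web-mark`, the same job name the web workflow in this commit uses for its own aggregate; if branch protection keys required checks on that name the two become indistinguishable, so `ci-website-mark` would be a safer name for the new one. Both points are about the new file as a whole rather than one line.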
|
@ -97,8 +97,8 @@ jobs:
|
||||||
cache: 'npm'
|
cache: 'npm'
|
||||||
cache-dependency-path: web/package-lock.json
|
cache-dependency-path: web/package-lock.json
|
||||||
- name: Build web
|
- name: Build web
|
||||||
|
working-directory: web/
|
||||||
run: |
|
run: |
|
||||||
cd web
|
|
||||||
npm ci
|
npm ci
|
||||||
npm run build-proxy
|
npm run build-proxy
|
||||||
- name: Build outpost
|
- name: Build outpost
|
||||||
|
|
|
@ -17,15 +17,15 @@ jobs:
|
||||||
- name: Generate API Client
|
- name: Generate API Client
|
||||||
run: make gen-client-web
|
run: make gen-client-web
|
||||||
- name: Publish package
|
- name: Publish package
|
||||||
|
working-directory: gen-ts-api/
|
||||||
run: |
|
run: |
|
||||||
cd web-api/
|
|
||||||
npm ci
|
npm ci
|
||||||
npm publish
|
npm publish
|
||||||
env:
|
env:
|
||||||
NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
|
NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
|
||||||
- name: Upgrade /web
|
- name: Upgrade /web
|
||||||
|
working-directory: web/
|
||||||
run: |
|
run: |
|
||||||
cd web/
|
|
||||||
export VERSION=`node -e 'console.log(require("../web-api/package.json").version)'`
|
export VERSION=`node -e 'console.log(require("../web-api/package.json").version)'`
|
||||||
npm i @goauthentik/api@$VERSION
|
npm i @goauthentik/api@$VERSION
|
||||||
- name: Create Pull Request
|
- name: Create Pull Request
|
||||||
|
|
|
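Review bot: The "Upgrade /web" step still reads `require("../web-api/package.json")` to derive `VERSION`, but the "Publish package" step in the same hunk now runs from `working-directory: gen-ts-api/` instead of `cd web-api/`, so the two steps disagree about where the generated client lives. If `gen-ts-api/` is the directory the package is published from, the version lookup should be `export VERSION=\`node -e 'console.log(require("../gen-ts-api/package.json").version)'\``; otherwise `npm i @goauthentik/api@$VERSION` would install whatever version the stale path happens to report, or fail if the path no longer exists. I can only see the hunk, so please confirm which directory `make gen-client-web` actually writes to.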
@ -2,3 +2,6 @@
|
||||||
build
|
build
|
||||||
coverage
|
coverage
|
||||||
.docusaurus
|
.docusaurus
|
||||||
|
node_modules
|
||||||
|
help
|
||||||
|
static
|
||||||
|
|
|
@ -33,10 +33,7 @@ Below is the response, for example for an Identification stage.
|
||||||
"component": "ak-stage-identification",
|
"component": "ak-stage-identification",
|
||||||
|
|
||||||
// Stage-specific fields
|
// Stage-specific fields
|
||||||
"user_fields": [
|
"user_fields": ["username", "email"],
|
||||||
"username",
|
|
||||||
"email"
|
|
||||||
],
|
|
||||||
"password_fields": false,
|
"password_fields": false,
|
||||||
"primary_action": "Log in",
|
"primary_action": "Log in",
|
||||||
"sources": []
|
"sources": []
|
||||||
|
|
|
@ -4,7 +4,6 @@ title: Websocket API
|
||||||
|
|
||||||
authentik has two different WebSocket endpoints, one is used for web-based clients to get real-time updates, and the other is used for outposts to report their healthiness.
|
authentik has two different WebSocket endpoints, one is used for web-based clients to get real-time updates, and the other is used for outposts to report their healthiness.
|
||||||
|
|
||||||
|
|
||||||
### Web `/ws/client/`
|
### Web `/ws/client/`
|
||||||
|
|
||||||
:::info
|
:::info
|
||||||
|
|
|
@ -4,4 +4,3 @@ slug: /
|
||||||
---
|
---
|
||||||
|
|
||||||
Welcome to the authentik developer documentation. authentik is fully open source and can be found here: https://github.com/goauthentik/authentik
|
Welcome to the authentik developer documentation. authentik is fully open source and can be found here: https://github.com/goauthentik/authentik
|
||||||
|
|
||||||
|
|
|
@ -28,7 +28,7 @@ If you want to only make changes on the UI, you don't need a backend running fro
|
||||||
4. Add this volume mapping to your compose file
|
4. Add this volume mapping to your compose file
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
version: '3.2'
|
version: "3.2"
|
||||||
|
|
||||||
services:
|
services:
|
||||||
# [...]
|
# [...]
|
||||||
|
|
|
@ -9,11 +9,11 @@ Applications are used to configure and separate the authorization / access contr
|
||||||
|
|
||||||
## Authorization
|
## Authorization
|
||||||
|
|
||||||
Application access can be configured using (Policy) Bindings. Click on an application in the applications list, and select the *Policy / Group / User Bindings* tab. There you can bind users/groups/policies to grant them access. When nothing is bound, everyone has access. You can use this to grant access to one or multiple users/groups, or dynamically give access using policies.
|
Application access can be configured using (Policy) Bindings. Click on an application in the applications list, and select the _Policy / Group / User Bindings_ tab. There you can bind users/groups/policies to grant them access. When nothing is bound, everyone has access. You can use this to grant access to one or multiple users/groups, or dynamically give access using policies.
|
||||||
|
|
||||||
By default, all users can access applications when no policies are bound.
|
By default, all users can access applications when no policies are bound.
|
||||||
|
|
||||||
When multiple policies/groups/users are attached, you can configure the *Policy engine mode* to either
|
When multiple policies/groups/users are attached, you can configure the _Policy engine mode_ to either
|
||||||
|
|
||||||
- Require users to pass all bindings/be member of all groups (ALL), or
|
- Require users to pass all bindings/be member of all groups (ALL), or
|
||||||
- Require users to pass either binding/be member of either group (ANY)
|
- Require users to pass either binding/be member of either group (ANY)
|
||||||
|
@ -22,29 +22,28 @@ When multiple policies/groups/users are attached, you can configure the *Policy
|
||||||
|
|
||||||
The following aspects can be configured:
|
The following aspects can be configured:
|
||||||
|
|
||||||
- *Name*: This is the name shown for the application card
|
- _Name_: This is the name shown for the application card
|
||||||
- *Launch URL*: The URL that is opened when a user clicks on the application. When left empty, authentik tries to guess it based on the provider
|
- _Launch URL_: The URL that is opened when a user clicks on the application. When left empty, authentik tries to guess it based on the provider
|
||||||
|
|
||||||
Starting with authentik 2022.2, you can use placeholders in the launch url to build them dynamically based on logged in user. For example, you can set the Launch URL to `https://goauthentik.io/%(username)s`, which will be replaced with the currently logged in user's username.
|
Starting with authentik 2022.2, you can use placeholders in the launch url to build them dynamically based on logged in user. For example, you can set the Launch URL to `https://goauthentik.io/%(username)s`, which will be replaced with the currently logged in user's username.
|
||||||
|
|
||||||
- *Icon (URL)*: Optionally configure an Icon for the application
|
- _Icon (URL)_: Optionally configure an Icon for the application
|
||||||
|
|
||||||
If the authentik server does not have a volume mounted under `/media`, you'll get a text input. This accepts absolute URLs. If you've mounted single files into the container, you can reference them using `https://authentik.company/media/my-file.png`.
|
If the authentik server does not have a volume mounted under `/media`, you'll get a text input. This accepts absolute URLs. If you've mounted single files into the container, you can reference them using `https://authentik.company/media/my-file.png`.
|
||||||
|
|
||||||
If there is a mount under `/media`, you'll instead see a field to upload a file.
|
If there is a mount under `/media`, you'll instead see a field to upload a file.
|
||||||
|
|
||||||
- *Publisher*: Text shown below the application
|
- _Publisher_: Text shown below the application
|
||||||
- *Description*: Subtext shown on the application card below the publisher
|
- _Description_: Subtext shown on the application card below the publisher
|
||||||
|
|
||||||
Applications are shown to users when
|
Applications are shown to users when
|
||||||
|
|
||||||
- The user has access defined via policies (or the application has no policies bound)
|
- The user has access defined via policies (or the application has no policies bound)
|
||||||
- A Valid Launch URL is configured/could be guessed, this consists of URLs starting with http:// and https://
|
- A Valid Launch URL is configured/could be guessed, this consists of URLs starting with http:// and https://
|
||||||
|
|
||||||
|
|
||||||
#### Hiding applications
|
#### Hiding applications
|
||||||
|
|
||||||
To hide applications without modifying policy settings and without removing it, you can simply set the *Launch URL* to `blank://blank`, which will hide the application from users.
|
To hide applications without modifying policy settings and without removing it, you can simply set the _Launch URL_ to `blank://blank`, which will hide the application from users.
|
||||||
|
|
||||||
Keep in mind, the users still have access, so they can still authorize access when the login process is started from the application.
|
Keep in mind, the users still have access, so they can still authorize access when the login process is started from the application.
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@ Certificates in authentik are used for the following use cases:
|
||||||
|
|
||||||
## Default certificate
|
## Default certificate
|
||||||
|
|
||||||
Every authentik install generates a self-signed certificate on the first start. The certificate is called *authentik Self-signed Certificate* and is valid for 1 year.
|
Every authentik install generates a self-signed certificate on the first start. The certificate is called _authentik Self-signed Certificate_ and is valid for 1 year.
|
||||||
|
|
||||||
This certificate is generated to be used as a default for all OAuth2/OIDC providers, as these don't require the certificate to be configured on both sides (the signature of a JWT is validated using the [JWKS](https://auth0.com/docs/security/tokens/json-web-tokens/json-web-key-sets) URL).
|
This certificate is generated to be used as a default for all OAuth2/OIDC providers, as these don't require the certificate to be configured on both sides (the signature of a JWT is validated using the [JWKS](https://auth0.com/docs/security/tokens/json-web-tokens/json-web-key-sets) URL).
|
||||||
|
|
||||||
|
@ -66,7 +66,7 @@ Starting with authentik 2021.12.4, you can configure the certificate authentik u
|
||||||
To use let's encrypt certificates with this setup, using certbot, you can use this compose override (create or edit a file called `docker-compose.override.yml` in the same folder as the authentik docker-compose file)
|
To use let's encrypt certificates with this setup, using certbot, you can use this compose override (create or edit a file called `docker-compose.override.yml` in the same folder as the authentik docker-compose file)
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
version: '3.2'
|
version: "3.2"
|
||||||
|
|
||||||
services:
|
services:
|
||||||
certbot:
|
certbot:
|
||||||
|
@ -89,6 +89,6 @@ services:
|
||||||
|
|
||||||
Afterwards, run `docker-compose up -d`, which will start certbot and generate your certificate. Within a few minutes, you'll see the certificate in your authentik interface. (If the certificate does not appear, restart the worker container. This is caused by incompatible permissions set by certbot).
|
Afterwards, run `docker-compose up -d`, which will start certbot and generate your certificate. Within a few minutes, you'll see the certificate in your authentik interface. (If the certificate does not appear, restart the worker container. This is caused by incompatible permissions set by certbot).
|
||||||
|
|
||||||
Navigate to *System -> Tenants*, edit any tenant and select the certificate of your choice.
|
Navigate to _System -> Tenants_, edit any tenant and select the certificate of your choice.
|
||||||
|
|
||||||
Keep in mind this certbot container will only run once, but there are a variety of ways to schedule regular renewals.
|
Keep in mind this certbot container will only run once, but there are a variety of ways to schedule regular renewals.
|
||||||
|
|
|
@ -13,7 +13,7 @@ This will send a POST request to the given URL with the following contents:
|
||||||
"body": "body of the notification message",
|
"body": "body of the notification message",
|
||||||
"severity": "severity level as configured in the trigger",
|
"severity": "severity level as configured in the trigger",
|
||||||
"user_email": "user's email",
|
"user_email": "user's email",
|
||||||
"user_username": "user's username",
|
"user_username": "user's username"
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
|
@ -9,6 +9,6 @@ Requires authentik 2022.3.1
|
||||||
The user interface (`/if/user/`) embeds a downsized flow executor to allow the user to configure their profile using custom stages and prompts.
|
The user interface (`/if/user/`) embeds a downsized flow executor to allow the user to configure their profile using custom stages and prompts.
|
||||||
|
|
||||||
This executor only supports [**prompt**](../stages/prompt/) stages. If the configured flow contains another stage, a button will be shown to open the default executor.
|
This executor only supports [**prompt**](../stages/prompt/) stages. If the configured flow contains another stage, a button will be shown to open the default executor.
|
||||||
Because the stages in a flow can change during it execution, this executor will redirect the user to the default interface *if* a non-supported stage is returned.
|
Because the stages in a flow can change during it execution, this executor will redirect the user to the default interface _if_ a non-supported stage is returned.
|
||||||
|
|
||||||
To configure which flow is used for this, configure it in the tenant settings.
|
To configure which flow is used for this, configure it in the tenant settings.
|
||||||
|
|
|
@ -8,23 +8,23 @@ This stage configures an SMS-based authenticator using either Twilio, or a gener
|
||||||
|
|
||||||
Navigate to https://console.twilio.com/, and log in to your existing account, or create a new one.
|
Navigate to https://console.twilio.com/, and log in to your existing account, or create a new one.
|
||||||
|
|
||||||
In the sidebar, navigate to *Explore Products*, then *Messaging*, and *Services* below that.
|
In the sidebar, navigate to _Explore Products_, then _Messaging_, and _Services_ below that.
|
||||||
|
|
||||||
Click on *Create Messaging Service* to create a new set of API credentials.
|
Click on _Create Messaging Service_ to create a new set of API credentials.
|
||||||
|
|
||||||
Give the service a Name, and select *Verify users* as a use-case.
|
Give the service a Name, and select _Verify users_ as a use-case.
|
||||||
|
|
||||||
In the next step, add an address from your Sender Pool. Instructions on how to create numbers are not covered here, please check the Twilio documentation [here](https://www.twilio.com/docs).
|
In the next step, add an address from your Sender Pool. Instructions on how to create numbers are not covered here, please check the Twilio documentation [here](https://www.twilio.com/docs).
|
||||||
|
|
||||||
The other two steps can be skipped using the *Skip setup* button.
|
The other two steps can be skipped using the _Skip setup_ button.
|
||||||
|
|
||||||
Afterwards, copy the value of **Messaging Service SID**. This is the value for the *Twilio Account SID* field in authentik.
|
Afterwards, copy the value of **Messaging Service SID**. This is the value for the _Twilio Account SID_ field in authentik.
|
||||||
|
|
||||||
Navigate back to the root of your Twilio console, and copy the Auth token. This is the value for the *Twilio Auth Token* field in authentik.
|
Navigate back to the root of your Twilio console, and copy the Auth token. This is the value for the _Twilio Auth Token_ field in authentik.
|
||||||
|
|
||||||
## Generic
|
## Generic
|
||||||
|
|
||||||
For the generic provider, a POST request will be sent to the URL you have specified in the *External API URL* field. The request payload looks like this
|
For the generic provider, a POST request will be sent to the URL you have specified in the _External API URL_ field. The request payload looks like this
|
||||||
|
|
||||||
```json
|
```json
|
||||||
{
|
{
|
||||||
|
|
|
@ -16,7 +16,7 @@ Using the `Not configured action`, you can choose what happens when a user does
|
||||||
|
|
||||||
- Skip: Validation is skipped and the flow continues
|
- Skip: Validation is skipped and the flow continues
|
||||||
- Deny: Access is denied, the flow execution ends
|
- Deny: Access is denied, the flow execution ends
|
||||||
- Configure: This option requires a *Configuration stage* to be set. The validation stage will be marked as successful, and the configuration stage will be injected into the flow.
|
- Configure: This option requires a _Configuration stage_ to be set. The validation stage will be marked as successful, and the configuration stage will be injected into the flow.
|
||||||
|
|
||||||
## Passwordless authentication
|
## Passwordless authentication
|
||||||
|
|
||||||
|
@ -26,17 +26,17 @@ Requires authentik 2021.12.4
|
||||||
|
|
||||||
Passwordless authentication currently only supports WebAuthn devices, like security keys and biometrics.
|
Passwordless authentication currently only supports WebAuthn devices, like security keys and biometrics.
|
||||||
|
|
||||||
To configure passwordless authentication, create a new Flow with the delegation set to *Authentication*.
|
To configure passwordless authentication, create a new Flow with the delegation set to _Authentication_.
|
||||||
|
|
||||||
As first stage, add an *Authentication validation* stage, with the WebAuthn device class allowed.
|
As first stage, add an _Authentication validation_ stage, with the WebAuthn device class allowed.
|
||||||
After this stage you can bind any additional verification stages.
|
After this stage you can bind any additional verification stages.
|
||||||
As final stage, bind a *User login* stage.
|
As final stage, bind a _User login_ stage.
|
||||||
|
|
||||||
Users can either access this flow directly via it's URL, or you can modify any Identification stage to add a direct link to this flow.
|
Users can either access this flow directly via it's URL, or you can modify any Identification stage to add a direct link to this flow.
|
||||||
|
|
||||||
#### Logging
|
#### Logging
|
||||||
|
|
||||||
Logins which used Passwordless authentication have the *auth_method* context variable set to `auth_webauthn_pwl`, and the device used is saved in the arguments. Example:
|
Logins which used Passwordless authentication have the _auth_method_ context variable set to `auth_webauthn_pwl`, and the device used is saved in the arguments. Example:
|
||||||
|
|
||||||
```json
|
```json
|
||||||
{
|
{
|
||||||
|
|
|
@ -6,5 +6,5 @@ This stage stops the execution of a flow. This can be used to conditionally deny
|
||||||
even if they are not signed in (and permissions can't be checked via groups).
|
even if they are not signed in (and permissions can't be checked via groups).
|
||||||
|
|
||||||
:::caution
|
:::caution
|
||||||
To effectively use this stage, make sure to **disable** *Evaluate on plan* on the Stage binding.
|
To effectively use this stage, make sure to **disable** _Evaluate on plan_ on the Stage binding.
|
||||||
:::
|
:::
|
||||||
|
|
|
@ -46,22 +46,16 @@ Templates are rendered using Django's templating engine. The following variables
|
||||||
- `expires`: The timestamp when the token expires.
|
- `expires`: The timestamp when the token expires.
|
||||||
|
|
||||||
```html
|
```html
|
||||||
{# This is how you can write comments which aren't rendered. #}
|
{# This is how you can write comments which aren't rendered. #} {# Extend this
|
||||||
|
template from the base email template, which includes base layout and CSS. #} {%
|
||||||
{# Extend this template from the base email template, which includes base layout and CSS. #}
|
extends "email/base.html" %} {# Load the internationalization module to
|
||||||
{% extends "email/base.html" %}
|
translate strings, and humanize to show date-time #} {% load i18n %} {% load
|
||||||
|
humanize %} {# The email/base.html template uses a single "content" block #} {%
|
||||||
{# Load the internationalization module to translate strings, and humanize to show date-time #}
|
block content %}
|
||||||
{% load i18n %}
|
|
||||||
{% load humanize %}
|
|
||||||
|
|
||||||
{# The email/base.html template uses a single "content" block #}
|
|
||||||
{% block content %}
|
|
||||||
<tr>
|
<tr>
|
||||||
<td class="alert alert-success">
|
<td class="alert alert-success">
|
||||||
{% blocktrans with username=user.username %}
|
{% blocktrans with username=user.username %} Hi {{ username }}, {%
|
||||||
Hi {{ username }},
|
endblocktrans %}
|
||||||
{% endblocktrans %}
|
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
|
@ -69,21 +63,41 @@ Templates are rendered using Django's templating engine. The following variables
|
||||||
<table width="100%" cellpadding="0" cellspacing="0">
|
<table width="100%" cellpadding="0" cellspacing="0">
|
||||||
<tr>
|
<tr>
|
||||||
<td class="content-block">
|
<td class="content-block">
|
||||||
{% blocktrans %}
|
{% blocktrans %} You recently requested to change your
|
||||||
You recently requested to change your password for you authentik account. Use the button below to set a new password.
|
password for you authentik account. Use the button below to
|
||||||
{% endblocktrans %}
|
set a new password. {% endblocktrans %}
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td class="content-block">
|
<td class="content-block">
|
||||||
<table role="presentation" border="0" cellpadding="0" cellspacing="0" class="btn btn-primary">
|
<table
|
||||||
|
role="presentation"
|
||||||
|
border="0"
|
||||||
|
cellpadding="0"
|
||||||
|
cellspacing="0"
|
||||||
|
class="btn btn-primary"
|
||||||
|
>
|
||||||
<tbody>
|
<tbody>
|
||||||
<tr>
|
<tr>
|
||||||
<td align="center">
|
<td align="center">
|
||||||
<table role="presentation" border="0" cellpadding="0" cellspacing="0">
|
<table
|
||||||
|
role="presentation"
|
||||||
|
border="0"
|
||||||
|
cellpadding="0"
|
||||||
|
cellspacing="0"
|
||||||
|
>
|
||||||
<tbody>
|
<tbody>
|
||||||
<tr>
|
<tr>
|
||||||
<td> <a id="confirm" href="{{ url }}" rel="noopener noreferrer" target="_blank">{% trans 'Reset Password' %}</a> </td>
|
<td>
|
||||||
|
<a
|
||||||
|
id="confirm"
|
||||||
|
href="{{ url }}"
|
||||||
|
rel="noopener noreferrer"
|
||||||
|
target="_blank"
|
||||||
|
>{% trans 'Reset
|
||||||
|
Password' %}</a
|
||||||
|
>
|
||||||
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
|
@ -95,9 +109,9 @@ Templates are rendered using Django's templating engine. The following variables
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td class="content-block">
|
<td class="content-block">
|
||||||
{% blocktrans with expires=expires|naturaltime %}
|
{% blocktrans with expires=expires|naturaltime %} If you did
|
||||||
If you did not request a password change, please ignore this Email. The link above is valid for {{ expires }}.
|
not request a password change, please ignore this Email. The
|
||||||
{% endblocktrans %}
|
link above is valid for {{ expires }}. {% endblocktrans %}
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
</table>
|
</table>
|
||||||
|
|
|
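Review bot: Prettier has reflowed the Django template inside this fenced `html` block so that several template tags now span line breaks: `{%` / `block content %}` and `{%` / `endblocktrans %}` in the `@ -46` hunk, and `{% trans 'Reset` / `Password' %}` in the `@ -69` hunk. Django's template lexer matches `{% ... %}` only within a single line, so a user who copies this example into their email template would, as far as I can tell, get those tags emitted as literal text rather than executed, and the `Reset Password` link would not render. I'd restore the original one-tag-per-line layout and exempt the example from formatting by placing `<!-- prettier-ignore -->` on the line before the opening ``` fence (or by adding the page to `.prettierignore`), then re-run `npm run prettier-check` to confirm the block is left alone.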
@ -10,4 +10,4 @@ To check if a user has used an invitation within a policy, you can check `reques
|
||||||
|
|
||||||
To use an invitation, use the URL `https://authentik.tld/if/flow/your-enrollment-flow/?itoken=invitation-token`.
|
To use an invitation, use the URL `https://authentik.tld/if/flow/your-enrollment-flow/?itoken=invitation-token`.
|
||||||
|
|
||||||
You can also prompt the user for an invite by using the [*Prompt stage*](../prompt/) by using a field with a field key of `token`.
|
You can also prompt the user for an invite by using the [_Prompt stage_](../prompt/) by using a field with a field key of `token`.
|
||||||
|
|
|
@ -26,4 +26,4 @@ return DuoDevice.objects.filter(user=request.user, confirmed=True).exists()
|
||||||
|
|
||||||
Afterwards, bind the policy you've created to the stage binding of the password stage.
|
Afterwards, bind the policy you've created to the stage binding of the password stage.
|
||||||
|
|
||||||
Make sure to uncheck *Evaluate on plan* and check *Re-evaluate policies*, otherwise an invalid result will be cached.
|
Make sure to uncheck _Evaluate on plan_ and check _Re-evaluate policies_, otherwise an invalid result will be cached.
|
||||||
|
|
|
@ -9,7 +9,7 @@ This stage is used to show the user arbitrary prompts.
|
||||||
The prompt can be any of the following types:
|
The prompt can be any of the following types:
|
||||||
|
|
||||||
| Type | Description |
|
| Type | Description |
|
||||||
| -------- | ----------------------------------------------------------------- |
|
| ----------------- | ---------------------------------------------------------------------------------------- |
|
||||||
| Text | Arbitrary text. No client-side validation is done. |
|
| Text | Arbitrary text. No client-side validation is done. |
|
||||||
| Text (Read only) | Same as above, but cannot be edited. |
|
| Text (Read only) | Same as above, but cannot be edited. |
|
||||||
| Username | Same as text, except the username is validated to be unique. |
|
| Username | Same as text, except the username is validated to be unique. |
|
||||||
|
@ -26,9 +26,9 @@ The prompt can be any of the following types:
|
||||||
|
|
||||||
Some types have special behaviors:
|
Some types have special behaviors:
|
||||||
|
|
||||||
- *Username*: Input is validated against other usernames to ensure a unique value is provided.
|
- _Username_: Input is validated against other usernames to ensure a unique value is provided.
|
||||||
- *Password*: All prompts with the type password within the same stage are compared and must be equal. If they are not equal, an error is shown
|
- _Password_: All prompts with the type password within the same stage are compared and must be equal. If they are not equal, an error is shown
|
||||||
- *Hidden* and *Static*: Their placeholder values are defaults and are not user-changeable.
|
- _Hidden_ and _Static_: Their placeholder values are defaults and are not user-changeable.
|
||||||
|
|
||||||
A prompt has the following attributes:
|
A prompt has the following attributes:
|
||||||
|
|
||||||
|
@ -52,7 +52,7 @@ A flag which decides whether or not this field is required.
A field placeholder, shown within the input field. This field is also used by the `hidden` type as the actual value.
A field placeholder, shown within the input field. This field is also used by the `hidden` type as the actual value.
By default, the placeholder is interpreted as-is. If you enable *Interpret placeholder as expression*, the placeholder
By default, the placeholder is interpreted as-is. If you enable _Interpret placeholder as expression_, the placeholder
will be evaluated as a python expression. This happens in the same environment as [_Property mappings_](../../../property-mappings/expression).
will be evaluated as a python expression. This happens in the same environment as [_Property mappings_](../../../property-mappings/expression).
You can access both the HTTP request and the user as with a mapping. Additionally, you can access `prompt_context`, which is a dictionary of the current state of the prompt stage's data.
You can access both the HTTP request and the user as with a mapping. Additionally, you can access `prompt_context`, which is a dictionary of the current state of the prompt stage's data.
@ -8,7 +8,7 @@ It can be used after `user_write` during an enrollment flow, or after a `passwor
## Session duration
## Session duration
By default, the authentik session expires when you close your browser (*seconds=0*).
By default, the authentik session expires when you close your browser (_seconds=0_).
You can set the session to expire after any duration using the syntax of `hours=1,minutes=2,seconds=3`. The following keys are allowed:
You can set the session to expire after any duration using the syntax of `hours=1,minutes=2,seconds=3`. The following keys are allowed:
@ -13,7 +13,7 @@ See [Docker-compose](installation/docker-compose) or [Kubernetes](installation/k
## Screenshots
## Screenshots
Light | Dark
| Light | Dark |
--- | ---
| -------------------------------- | ------------------------------- |
![](/img/screen_apps_light.jpg) | ![](/img/screen_apps_dark.jpg)
| ![](/img/screen_apps_light.jpg) | ![](/img/screen_apps_dark.jpg) |
![](/img/screen_admin_light.jpg) | ![](/img/screen_admin_dark.jpg)
| ![](/img/screen_admin_light.jpg) | ![](/img/screen_admin_dark.jpg) |
@ -2,10 +2,10 @@
title: Beta versions
title: Beta versions
---
---
You can test upcoming authentik versions by switching to the *next* images. These beta versions supported upgrades from the latest stable version, and have a supported upgrade plan to the next stable version.
You can test upcoming authentik versions by switching to the _next_ images. These beta versions supported upgrades from the latest stable version, and have a supported upgrade plan to the next stable version.
import Tabs from '@theme/Tabs';
import Tabs from "@theme/Tabs";
import TabItem from '@theme/TabItem';
import TabItem from "@theme/TabItem";
<Tabs
<Tabs
defaultValue="docker-compose"
defaultValue="docker-compose"
@ -23,6 +23,7 @@ AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-nex
```
```
Afterwards, run the upgrade commands from the latest release notes.
Afterwards, run the upgrade commands from the latest release notes.
</TabItem>
</TabItem>
<TabItem value="kubernetes">
<TabItem value="kubernetes">
Add the following block to your `values.yml` file:
Add the following block to your `values.yml` file:
@ -39,5 +40,6 @@ image:
```
```
Afterwards, run the upgrade commands from the latest release notes.
Afterwards, run the upgrade commands from the latest release notes.
</TabItem>
</TabItem>
</Tabs>
</Tabs>
@ -47,7 +47,7 @@ Secret key used for cookie signing and unique user IDs, don't change this after
Log level for the server and worker containers. Possible values: debug, info, warning, error
Log level for the server and worker containers. Possible values: debug, info, warning, error
Starting with 2021.12.3, you can also set the log level to *trace*. This has no affect on the core authentik server, but shows additional messages for the embedded outpost.
Starting with 2021.12.3, you can also set the log level to _trace_. This has no affect on the core authentik server, but shows additional messages for the embedded outpost.
Defaults to `info`.
Defaults to `info`.
@ -118,6 +118,7 @@ Disable the inbuilt update-checker. Defaults to `false`.
- `AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE`
- `AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE`
Placeholders:
Placeholders:
- `%(type)s`: Outpost type; proxy, ldap, etc
- `%(type)s`: Outpost type; proxy, ldap, etc
- `%(version)s`: Current version; 2021.4.1
- `%(version)s`: Current version; 2021.4.1
- `%(build_hash)s`: Build hash if you're running a beta version
- `%(build_hash)s`: Build hash if you're running a beta version
@ -101,7 +101,7 @@ The docker-compose project contains the following containers:
- worker
- worker
This container executes background tasks, everything you can see on the *System Tasks* page in the frontend.
This container executes background tasks, everything you can see on the _System Tasks_ page in the frontend.
- redis & postgresql
- redis & postgresql
@ -31,7 +31,6 @@ postgresql:
postgresqlPassword: "ThisIsNotASecurePassword"
postgresqlPassword: "ThisIsNotASecurePassword"
redis:
redis:
enabled: true
enabled: true
```
```
See all configurable values on [artifacthub](https://artifacthub.io/packages/helm/goauthentik/authentik).
See all configurable values on [artifacthub](https://artifacthub.io/packages/helm/goauthentik/authentik).
@ -9,15 +9,19 @@ The following features can be enabled/disabled. By default, all of them are enab
- `settings.enabledFeatures.apiDrawer`
- `settings.enabledFeatures.apiDrawer`
API Request drawer in navbar
API Request drawer in navbar
- `settings.enabledFeatures.notificationDrawer`
- `settings.enabledFeatures.notificationDrawer`
Notification drawer in navbar
Notification drawer in navbar
- `settings.enabledFeatures.settings`
- `settings.enabledFeatures.settings`
Settings link in navbar
Settings link in navbar
- `settings.enabledFeatures.applicationEdit`
- `settings.enabledFeatures.applicationEdit`
Application edit in library (only shown when user is superuser)
Application edit in library (only shown when user is superuser)
- `settings.enabledFeatures.search`
- `settings.enabledFeatures.search`
Search bar
Search bar
@ -49,7 +49,7 @@ Afterwards, create two Certificate-keypairs in authentik:
- `Docker CA`, with the contents of `~/.docker/ca.pem` as Certificate
- `Docker CA`, with the contents of `~/.docker/ca.pem` as Certificate
- `Docker Cert`, with the contents of `~/.docker/cert.pem` as Certificate and `~/.docker/key.pem` as Private key.
- `Docker Cert`, with the contents of `~/.docker/cert.pem` as Certificate and `~/.docker/key.pem` as Private key.
Create an integration with `Docker CA` as *TLS Verification Certificate* and `Docker Cert` as *TLS Authentication Certificate*.
Create an integration with `Docker CA` as _TLS Verification Certificate_ and `Docker Cert` as _TLS Authentication Certificate_.
## Remote hosts (SSH)
## Remote hosts (SSH)
@ -69,6 +69,6 @@ You'll end up with three files:
- `authentik` is the private key, which should be imported into a Keypair in authentik.
- `authentik` is the private key, which should be imported into a Keypair in authentik.
- `certificate.pem` is the matching certificate for the keypair above.
- `certificate.pem` is the matching certificate for the keypair above.
Modify/create a new Docker integration, and set your *Docker URL* to `ssh://hostname`, and select the keypair you created above as *TLS Authentication Certificate/SSH Keypair*.
Modify/create a new Docker integration, and set your _Docker URL_ to `ssh://hostname`, and select the keypair you created above as _TLS Authentication Certificate/SSH Keypair_.
The *Docker URL* field include a user, if none is specified authentik connects with the user `authentik`.
The _Docker URL_ field include a user, if none is specified authentik connects with the user `authentik`.
@ -3,13 +3,17 @@ title: Expression Policies
---
---
The passing of the policy is determined by the return value of the code. Use
The passing of the policy is determined by the return value of the code. Use
```python
```python
return True
return True
```
```
to pass a policy and
to pass a policy and
```python
```python
return False
return False
```
```
to fail it.
to fail it.
## Available Functions
## Available Functions
@ -44,7 +48,7 @@ return ak_user_has_authenticator(request.user)
### `ak_call_policy(name: str, **kwargs) -> PolicyResult` (2021.12+)
### `ak_call_policy(name: str, **kwargs) -> PolicyResult` (2021.12+)
Call another policy with the name *name*. Current request is passed to policy. Key-word arguments
Call another policy with the name _name_. Current request is passed to policy. Key-word arguments
can be used to modify the request's context.
can be used to modify the request's context.
Example:
Example:
@ -59,13 +63,13 @@ result = ak_call_policy("test-policy-2", foo="bar")
return result.passing
return result.passing
```
```
import Functions from '../expressions/_functions.md'
import Functions from "../expressions/_functions.md";
<Functions />
<Functions />
## Variables
## Variables
import Objects from '../expressions/_objects.md'
import Objects from "../expressions/_objects.md";
<Objects />
<Objects />
@ -103,6 +107,7 @@ This includes the following:
- `app_password`: App password (token)
- `app_password`: App password (token)
Sets `context['auth_method_args']` to
Sets `context['auth_method_args']` to
```json
```json
{
{
"token": {
"token": {
@ -113,9 +118,11 @@ This includes the following:
}
}
}
}
```
```
- `ldap`: LDAP bind authentication
- `ldap`: LDAP bind authentication
Sets `context['auth_method_args']` to
Sets `context['auth_method_args']` to
```json
```json
{
{
"source": {} // Information about the source used
"source": {} // Information about the source used
@ -4,20 +4,19 @@ title: Expressions
The property mapping should return a value that is expected by the Provider/Source. Supported types are documented in the individual Provider/Source. Returning `None` is always accepted and would simply skip the mapping for which `None` was returned.
The property mapping should return a value that is expected by the Provider/Source. Supported types are documented in the individual Provider/Source. Returning `None` is always accepted and would simply skip the mapping for which `None` was returned.
## Available Functions
## Available Functions
import Functions from '../expressions/_functions.md'
import Functions from "../expressions/_functions.md";
<Functions />
<Functions />
## Variables
## Variables
import Objects from '../expressions/_objects.md'
import Objects from "../expressions/_objects.md";
<Objects />
<Objects />
import User from '../expressions/_user.md'
import User from "../expressions/_user.md";
<User />
<User />
@ -85,9 +85,9 @@ All bind modes rely on flows.
The following stages are supported:
The following stages are supported:
- [Identification](../flow/stages/identification/)
- [Identification](../flow/stages/identification/)
- [Password](../flow/stages/password/)
- [Password](../flow/stages/password/)
- [Authenticator validation](../flow/stages/authenticator_validate/)
- [Authenticator validation](../flow/stages/authenticator_validate/)
Note: Authenticator validation currently only supports DUO devices
Note: Authenticator validation currently only supports DUO devices
@ -97,7 +97,7 @@ In this mode, the outpost will always execute the configured flow when a new bin
#### Cached bind
#### Cached bind
This mode uses the same logic as direct bind, however the result is cached for the entered credentials, and saved in memory for the standard session duration. Sessions are saved independently, meaning that revoking sessions does *not* remove them from the outpost, and neither will changing a users credentials.
This mode uses the same logic as direct bind, however the result is cached for the entered credentials, and saved in memory for the standard session duration. Sessions are saved independently, meaning that revoking sessions does _not_ remove them from the outpost, and neither will changing a users credentials.
## Search Modes
## Search Modes
@ -6,7 +6,7 @@ Note that authentik does treat a grant type of `password` the same as `client_cr
### Static authentication
### Static authentication
Hence identification is based on service-accounts, and authentication is based on App-password tokens. These objects can be created in a single step using the *Create Service account* function.
Hence identification is based on service-accounts, and authentication is based on App-password tokens. These objects can be created in a single step using the _Create Service account_ function.
An example request can look like this:
An example request can look like this:
@ -29,7 +29,7 @@ Starting with authentik 2022.4, you can authenticate and get a token using an ex
(For readability we will refer to the JWT issued by the external issuer/platform as input JWT, and the resulting JWT from authentik as the output JWT)
(For readability we will refer to the JWT issued by the external issuer/platform as input JWT, and the resulting JWT from authentik as the output JWT)
To configure this, the certificate used to sign the input JWT must be created in authentik. The certificate is enough, a private key is not required. Afterwards, configure the certificate in the OAuth2 provider settings under *Verification certificates*.
To configure this, the certificate used to sign the input JWT must be created in authentik. The certificate is enough, a private key is not required. Afterwards, configure the certificate in the OAuth2 provider settings under _Verification certificates_.
With this configure, any JWT issued by the configured certificates can be used to authenticate:
With this configure, any JWT issued by the configured certificates can be used to authenticate:
@ -46,9 +46,9 @@ client_id=application_client_id
Alternatively, you can set the `client_secret` parameter to the `$inputJWT`, for applications which can set the password from a file but not other parameters.
Alternatively, you can set the `client_secret` parameter to the `$inputJWT`, for applications which can set the password from a file but not other parameters.
Input JWTs are checked to be signed by any of the selected *Verification certificates*, and their `exp` attribute must not be now or in the past.
Input JWTs are checked to be signed by any of the selected _Verification certificates_, and their `exp` attribute must not be now or in the past.
To do additional checks, you can use *[Expression policies](../../policies/expression)*:
To do additional checks, you can use _[Expression policies](../../policies/expression)_:
```python
```python
return request.context["oauth_jwt"]["iss"] == "https://my.issuer"
return request.context["oauth_jwt"]["iss"] == "https://my.issuer"
@ -1,4 +1,3 @@
```
```
server {
server {
# SSL and VHost configuration
# SSL and VHost configuration
@ -1,6 +1,5 @@
```yaml
```yaml
version: '3.7'
version: "3.7"
services:
services:
traefik:
traefik:
image: traefik:v2.2
image: traefik:v2.2
@ -10,9 +9,9 @@ services:
ports:
ports:
- 80:80
- 80:80
command:
command:
- '--api'
- "--api"
- '--providers.docker=true'
- "--providers.docker=true"
- '--providers.docker.exposedByDefault=false'
- "--providers.docker.exposedByDefault=false"
- "--entrypoints.web.address=:80"
- "--entrypoints.web.address=:80"
authentik-proxy:
authentik-proxy:
@ -16,9 +16,10 @@ has the advantage that you can still do per-application access policies in authe
## Domain level
## Domain level
To use forward auth instead of proxying, you have to change a couple of settings.
To use forward auth instead of proxying, you have to change a couple of settings.
In the Proxy Provider, make sure to use the *Forward auth (domain level)* mode.
In the Proxy Provider, make sure to use the _Forward auth (domain level)_ mode.
This mode differs from the _Forward auth (single application)_ mode in the following points:
This mode differs from the *Forward auth (single application)* mode in the following points:
- You don't have to configure an application in authentik for each domain
- You don't have to configure an application in authentik for each domain
- Users don't have to authorize multiple times
- Users don't have to authorize multiple times
@ -33,16 +34,16 @@ is redirected to the outpost.
For domain level, you'd use the same domain as authentik.
For domain level, you'd use the same domain as authentik.
:::info
:::info
*example-outpost* is used as a placeholder for the outpost name.
_example-outpost_ is used as a placeholder for the outpost name.
*authentik.company* is used as a placeholder for the authentik install.
_authentik.company_ is used as a placeholder for the authentik install.
*app.company* is used as a placeholder for the external domain for the application.
_app.company_ is used as a placeholder for the external domain for the application.
*outpost.company* is used as a placeholder for the outpost. When using the embedded outpost, this can be the same as *authentik.company*
_outpost.company_ is used as a placeholder for the outpost. When using the embedded outpost, this can be the same as _authentik.company_
:::
:::
## Nginx
## Nginx
import Tabs from '@theme/Tabs';
import Tabs from "@theme/Tabs";
import TabItem from '@theme/TabItem';
import TabItem from "@theme/TabItem";
<Tabs
<Tabs
defaultValue="standalone-nginx"
defaultValue="standalone-nginx"
@ -53,21 +54,21 @@ import TabItem from '@theme/TabItem';
]}>
]}>
<TabItem value="standalone-nginx">
<TabItem value="standalone-nginx">
import NginxStandalone from './_nginx_standalone.md'
import NginxStandalone from "./_nginx_standalone.md";
<NginxStandalone />
<NginxStandalone />
</TabItem>
</TabItem>
<TabItem value="ingress">
<TabItem value="ingress">
import NginxIngress from './_nginx_ingress.md'
import NginxIngress from "./_nginx_ingress.md";
<NginxIngress />
<NginxIngress />
</TabItem>
</TabItem>
<TabItem value="proxy-manager">
<TabItem value="proxy-manager">
import NginxProxyManager from './_nginx_proxy_manager.md'
import NginxProxyManager from "./_nginx_proxy_manager.md";
<NginxProxyManager />
<NginxProxyManager />
@ -85,21 +86,21 @@ import NginxProxyManager from './_nginx_proxy_manager.md'
]}>
]}>
<TabItem value="standalone-traefik">
<TabItem value="standalone-traefik">
import TraefikStandalone from './_traefik_standalone.md'
import TraefikStandalone from "./_traefik_standalone.md";
<TraefikStandalone />
<TraefikStandalone />
</TabItem>
</TabItem>
<TabItem value="docker-compose">
<TabItem value="docker-compose">
import TraefikCompose from './_traefik_compose.md'
import TraefikCompose from "./_traefik_compose.md";
<TraefikCompose />
<TraefikCompose />
</TabItem>
</TabItem>
<TabItem value="ingress">
<TabItem value="ingress">
import TraefikIngress from './_traefik_ingress.md'
import TraefikIngress from "./_traefik_ingress.md";
<TraefikIngress />
<TraefikIngress />
@ -26,7 +26,7 @@ The proxy outpost sets the following user-specific headers:
Additionally, you can set `additionalHeaders` on groups or users to set additional headers.
Additionally, you can set `additionalHeaders` on groups or users to set additional headers.
If you enable *Set HTTP-Basic Authentication* option, the HTTP Authorization header is being set.
If you enable _Set HTTP-Basic Authentication_ option, the HTTP Authorization header is being set.
Besides these user-specific headers, some application specific headers are also set:
Besides these user-specific headers, some application specific headers are also set:
@ -72,7 +72,7 @@ To log out, navigate to `/outpost.goauthentik.io/sign_out`.
## Allowing unauthenticated requests
## Allowing unauthenticated requests
To allow un-authenticated requests to certain paths/URLs, you can use the *Unauthenticated URLs* / *Unauthenticated Paths* field.
To allow un-authenticated requests to certain paths/URLs, you can use the _Unauthenticated URLs_ / _Unauthenticated Paths_ field.
Each new line is interpreted as a regular expression, and is compiled and checked using the standard Golang regex parser.
Each new line is interpreted as a regular expression, and is compiled and checked using the standard Golang regex parser.
@ -88,7 +88,7 @@ In this mode, the regular expressions are matched against the Request's full URL
## Dynamic backend selection
## Dynamic backend selection
You can configure the backend the proxy should access dynamically via *Scope mappings*. To do so, create a new *Scope mapping*, with a name and scope of your choice. As expression, use this:
You can configure the backend the proxy should access dynamically via _Scope mappings_. To do so, create a new _Scope mapping_, with a name and scope of your choice. As expression, use this:
```python
```python
return {
return {
@ -98,4 +98,4 @@ return {
}
}
```
```
Afterwards, edit the *Proxy provider* and add this new mapping. The expression is only evaluated when the user logs into the application.
Afterwards, edit the _Proxy provider_ and add this new mapping. The expression is only evaluated when the user logs into the application.
@ -6,11 +6,11 @@ This provider allows you to integrate enterprise software using the SAML2 Protoc
Default fields are exposed through auto-generated Property Mappings, which are prefixed with "authentik default".
Default fields are exposed through auto-generated Property Mappings, which are prefixed with "authentik default".
| Endpoint | URL |
| Endpoint | URL |
| ---------------------- | -------------------------------------------------------------- |
| ---------------------- | ------------------------------------------------------------ |
| SSO (Redirect binding) | `/application/saml/<application slug>/sso/binding/redirect/` |
| SSO (Redirect binding) | `/application/saml/<application slug>/sso/binding/redirect/` |
| SSO (POST binding) | `/application/saml/<application slug>/sso/binding/post/` |
| SSO (POST binding) | `/application/saml/<application slug>/sso/binding/post/` |
| IdP-initiated login | `/application/saml/<application slug>/sso/binding/init/` |
| IdP-initiated login | `/application/saml/<application slug>/sso/binding/init/` |
| Metadata Download | `/api/v3/providers/saml/<provider uid>/metadata/?download/`|
| Metadata Download | `/api/v3/providers/saml/<provider uid>/metadata/?download/` |
You can download the metadata through the Webinterface, this link might be handy if your software wants to download the metadata directly.
You can download the metadata through the Webinterface, this link might be handy if your software wants to download the metadata directly.
@ -29,10 +29,11 @@ Docker-compose users should download the latest docker-compose file from [here](
:::caution
:::caution
If you decided to rename the folder you're running the docker-compose file from, be aware that this will also change the name, that docker-compose will give the database volume. To mitigate this, either
If you decided to rename the folder you're running the docker-compose file from, be aware that this will also change the name, that docker-compose will give the database volume. To mitigate this, either
- Keep the original directory name
- Keep the original directory name
- Move the directory and set `COMPOSE_PROJECT_NAME` to the name of the old directory (see [here](https://docs.docker.com/compose/reference/envvars/#compose_project_name))
- Move the directory and set `COMPOSE_PROJECT_NAME` to the name of the old directory (see [here](https://docs.docker.com/compose/reference/envvars/#compose_project_name))
- Create a backup, rename the directory and restore from backup.
- Create a backup, rename the directory and restore from backup.
:::
:::
The only manual change you have to do is replace the `PASSBOOK_` prefix in your `.env` file, so `PASSBOOK_SECRET_KEY` gets changed to `AUTHENTIK_SECRET_KEY`.
The only manual change you have to do is replace the `PASSBOOK_` prefix in your `.env` file, so `PASSBOOK_SECRET_KEY` gets changed to `AUTHENTIK_SECRET_KEY`.
@ -30,7 +30,7 @@ slug: "2021.1"
### Fixed in 2021.1.2
### Fixed in 2021.1.2
- sources/*: Add source to flow context, so source is logged during login
- sources/\*: Add source to flow context, so source is logged during login
- outposts: Fix outpost not correctly updating on outpost modification
- outposts: Fix outpost not correctly updating on outpost modification
- outposts: Improve drift detection on kubernetes
- outposts: Improve drift detection on kubernetes
- providers/saml: Fix metadata not being signed when signature is enabled
- providers/saml: Fix metadata not being signed when signature is enabled
@ -23,7 +23,7 @@ A huge shoutout to all the people that contributed, helped test and also transla
## Minor changes
## Minor changes
- *: Squash Migrations (#1593)
- \*: Squash Migrations (#1593)
- admin: clear update notification when notification's version matches current version
- admin: clear update notification when notification's version matches current version
- cmd: prevent outposts from panicking when failing to get their config
- cmd: prevent outposts from panicking when failing to get their config
- core: add default for user's settings attribute
- core: add default for user's settings attribute
@ -171,7 +171,7 @@ A huge shoutout to all the people that contributed, helped test and also transla
- internal: start embedded outpost directly after backend is healthy instead of waiting
- internal: start embedded outpost directly after backend is healthy instead of waiting
- lifecycle: revert to non-h11 worker
- lifecycle: revert to non-h11 worker
- outpost/ldap: don't cleanup user info as it is overwritten on bind
- outpost/ldap: don't cleanup user info as it is overwritten on bind
- providers/*: include list of outposts
- providers/\*: include list of outposts
- providers/ldap: add/squash migrations
- providers/ldap: add/squash migrations
- providers/ldap: memory Query (#1681)
- providers/ldap: memory Query (#1681)
- recovery: add create_admin_group management command
- recovery: add create_admin_group management command
@ -182,7 +182,7 @@ A huge shoutout to all the people that contributed, helped test and also transla
- sources/oauth: set prompt=none for Discord provider
- sources/oauth: set prompt=none for Discord provider
- sources/plex: allow users to connect their plex account without login flow
- sources/plex: allow users to connect their plex account without login flow
- sources/plex: use exception_to_string in tasks
- sources/plex: use exception_to_string in tasks
- stages/authenticator_*: add default name for authenticators
- stages/authenticator\_\*: add default name for authenticators
- stages/identification: only allow limited challenges for login sources
- stages/identification: only allow limited challenges for login sources
- stages/identification: use random sleep
- stages/identification: use random sleep
- stages/prompt: add text_read_only field
- stages/prompt: add text_read_only field
@ -211,7 +211,7 @@ A huge shoutout to all the people that contributed, helped test and also transla
|
||||||
- root: use python slim-bullseye as base
|
- root: use python slim-bullseye as base
|
||||||
- sources/ldap: fix user/group sync overwriting attributes instead of merging them
|
- sources/ldap: fix user/group sync overwriting attributes instead of merging them
|
||||||
- sources/ldap: set connect/receive timeout (default to 15s)
|
- sources/ldap: set connect/receive timeout (default to 15s)
|
||||||
- stages/*: disable trim_whitespace on important fields
|
- stages/\*: disable trim_whitespace on important fields
|
||||||
- stages/authenticator_duo: fix devices created with name
|
- stages/authenticator_duo: fix devices created with name
|
||||||
- stages/authenticator_validate: enable all device classes by default
|
- stages/authenticator_validate: enable all device classes by default
|
||||||
- web: write interfaces to different folders and remove custom chunk names
|
- web: write interfaces to different folders and remove custom chunk names
|
||||||
|
|
|
@ -13,7 +13,7 @@ This release does not have any headline features, and mostly fixes bugs.
|
||||||
|
|
||||||
## Minor changes
|
## Minor changes
|
||||||
|
|
||||||
- core: make defaults for _change_email and _change_username configurable
|
- core: make defaults for \_change_email and \_change_username configurable
|
||||||
- core: remove dump_config, handle directly in config loader without booting django, don't check database
|
- core: remove dump_config, handle directly in config loader without booting django, don't check database
|
||||||
- events: add gdpr_compliance option
|
- events: add gdpr_compliance option
|
||||||
- internal: fix integrated docs not working
|
- internal: fix integrated docs not working
|
||||||
|
@ -63,7 +63,7 @@ This release does not have any headline features, and mostly fixes bugs.
|
||||||
|
|
||||||
## Fixed in 2021.12.1-rc2
|
## Fixed in 2021.12.1-rc2
|
||||||
|
|
||||||
- *: don't use go embed to make using custom files easier
|
- \*: don't use go embed to make using custom files easier
|
||||||
- crypto: add certificate discovery to automatically import certificates from lets encrypt
|
- crypto: add certificate discovery to automatically import certificates from lets encrypt
|
||||||
- crypto: fix default API not having an ordering
|
- crypto: fix default API not having an ordering
|
||||||
- outposts: always trigger outpost reconcile on startup
|
- outposts: always trigger outpost reconcile on startup
|
||||||
|
@ -94,7 +94,7 @@ This release does not have any headline features, and mostly fixes bugs.
|
||||||
- policies/expression: add ak_call_policy
|
- policies/expression: add ak_call_policy
|
||||||
- providers/saml: add ?force_binding to limit bindings for metadata endpoint
|
- providers/saml: add ?force_binding to limit bindings for metadata endpoint
|
||||||
- root: add request_id to celery tasks, prefixed with "task-"
|
- root: add request_id to celery tasks, prefixed with "task-"
|
||||||
- sources/*: Allow creation of source connections via API
|
- sources/\*: Allow creation of source connections via API
|
||||||
- stages/prompt: use policyenginemode all
|
- stages/prompt: use policyenginemode all
|
||||||
- tests/e2e: add post binding test
|
- tests/e2e: add post binding test
|
||||||
- web: fix duplicate classes, make generic icon clickable
|
- web: fix duplicate classes, make generic icon clickable
|
||||||
|
@ -179,7 +179,7 @@ This release does not have any headline features, and mostly fixes bugs.
|
||||||
|
|
||||||
## Fixed in 2021.12.3
|
## Fixed in 2021.12.3
|
||||||
|
|
||||||
- *: revert to using GHCR directly
|
- \*: revert to using GHCR directly
|
||||||
- core: fix error when getting launch URL for application with non-existent Provider
|
- core: fix error when getting launch URL for application with non-existent Provider
|
||||||
- internal: fix sentry sample rate not applying to proxy
|
- internal: fix sentry sample rate not applying to proxy
|
||||||
- internal: rework global logging settings, embedded outpost no longer overwrites core
|
- internal: rework global logging settings, embedded outpost no longer overwrites core
|
||||||
|
@ -216,7 +216,7 @@ This release does not have any headline features, and mostly fixes bugs.
|
||||||
|
|
||||||
## Fixed in 2021.12.5
|
## Fixed in 2021.12.5
|
||||||
|
|
||||||
- *: use py3.10 syntax for unions, remove old Type[] import when possible
|
- \*: use py3.10 syntax for unions, remove old Type[] import when possible
|
||||||
- core: add API endpoint to directly set user's password
|
- core: add API endpoint to directly set user's password
|
||||||
- core: add error handling in source flow manager when flow isn't applicable
|
- core: add error handling in source flow manager when flow isn't applicable
|
||||||
- core: fix UserSelfSerializer's save() overwriting other user attributes
|
- core: fix UserSelfSerializer's save() overwriting other user attributes
|
||||||
|
|
|
@ -68,7 +68,7 @@ slug: "2021.2"
|
||||||
- policies: skip cache on debug request
|
- policies: skip cache on debug request
|
||||||
- providers/proxy: fix certificates without key being selectable
|
- providers/proxy: fix certificates without key being selectable
|
||||||
- root: log runtime in milliseconds
|
- root: log runtime in milliseconds
|
||||||
- sources/*: switch API to use slug in URL
|
- sources/\*: switch API to use slug in URL
|
||||||
- sources/ldap: add API for sync status
|
- sources/ldap: add API for sync status
|
||||||
- sources/oauth: add callback URL to api
|
- sources/oauth: add callback URL to api
|
||||||
- web: fix ModalButton working in global scope, causing issues on 2nd use
|
- web: fix ModalButton working in global scope, causing issues on 2nd use
|
||||||
|
@ -116,6 +116,7 @@ Due to the switch to managed objects, some default property mappings are changin
|
||||||
The change affects the "SAML Name" property, which has been changed from an oid to a Schema URI to aid readability.
|
The change affects the "SAML Name" property, which has been changed from an oid to a Schema URI to aid readability.
|
||||||
|
|
||||||
The integrations affected are:
|
The integrations affected are:
|
||||||
|
|
||||||
- [Ansible Tower/AWX](/integrations/services/awx-tower/)
|
- [Ansible Tower/AWX](/integrations/services/awx-tower/)
|
||||||
- [GitLab](/integrations/services/gitlab/)
|
- [GitLab](/integrations/services/gitlab/)
|
||||||
- [NextCloud](/integrations/services/nextcloud/)
|
- [NextCloud](/integrations/services/nextcloud/)
|
||||||
|
|
|
@ -39,7 +39,6 @@ slug: "2021.3"
|
||||||
|
|
||||||
If you conditionally include this stage in a flow, make sure to disable "Evaluate on plan", as that will always include the stage in the flow, regardless of the inputs.
|
If you conditionally include this stage in a flow, make sure to disable "Evaluate on plan", as that will always include the stage in the flow, regardless of the inputs.
|
||||||
|
|
||||||
|
|
||||||
## Fixed in 2021.3.2
|
## Fixed in 2021.3.2
|
||||||
|
|
||||||
- sources/ldap: fix sync for Users without pwdLastSet
|
- sources/ldap: fix sync for Users without pwdLastSet
|
||||||
|
@ -58,7 +57,7 @@ slug: "2021.3"
|
||||||
|
|
||||||
## Fixed in 2021.3.4
|
## Fixed in 2021.3.4
|
||||||
|
|
||||||
- admin: include git build hash in gh-* tags and show build hash in admin overview
|
- admin: include git build hash in gh-\* tags and show build hash in admin overview
|
||||||
- events: don't fail on boot when geoip can't be opened
|
- events: don't fail on boot when geoip can't be opened
|
||||||
- helm: add initial geoip
|
- helm: add initial geoip
|
||||||
- outposts: improve logs for outpost connection
|
- outposts: improve logs for outpost connection
|
||||||
|
@ -80,7 +79,6 @@ slug: "2021.3"
|
||||||
- web: use loadingState for autosubmitStage
|
- web: use loadingState for autosubmitStage
|
||||||
- web: use sections in sidebar, adjust colouring
|
- web: use sections in sidebar, adjust colouring
|
||||||
|
|
||||||
|
|
||||||
## Upgrading
|
## Upgrading
|
||||||
|
|
||||||
This release does not introduce any new requirements.
|
This release does not introduce any new requirements.
|
||||||
|
|
|
@ -7,8 +7,8 @@ slug: "2021.4"
|
||||||
|
|
||||||
- Configurable Policy engine mode
|
- Configurable Policy engine mode
|
||||||
|
|
||||||
In the past, all objects, which could have policies attached to them, required *all* policies to pass to consider an action successful.
|
In the past, all objects, which could have policies attached to them, required _all_ policies to pass to consider an action successful.
|
||||||
You can now configure if *all* policies need to pass, or if *any* policy needs to pass.
|
You can now configure if _all_ policies need to pass, or if _any_ policy needs to pass.
|
||||||
|
|
||||||
This can now be configured for the following objects:
|
This can now be configured for the following objects:
|
||||||
|
|
||||||
|
@ -17,7 +17,7 @@ slug: "2021.4"
|
||||||
- Flows
|
- Flows
|
||||||
- Flow-stage bindings
|
- Flow-stage bindings
|
||||||
|
|
||||||
For backwards compatibility, this is set to *all*, but new objects will default to *any*.
|
For backwards compatibility, this is set to _all_, but new objects will default to _any_.
|
||||||
|
|
||||||
- Expiring Events
|
- Expiring Events
|
||||||
|
|
||||||
|
@ -60,10 +60,9 @@ slug: "2021.4"
|
||||||
- web/admin: fix error when user doesn't have permissions to read source
|
- web/admin: fix error when user doesn't have permissions to read source
|
||||||
- web/admin: fix errors in user profile when non-superuser
|
- web/admin: fix errors in user profile when non-superuser
|
||||||
|
|
||||||
|
|
||||||
## Fixed in 2021.4.3
|
## Fixed in 2021.4.3
|
||||||
|
|
||||||
- *: add model_name to TypeCreate API to distinguish between models sharing a component
|
- \*: add model_name to TypeCreate API to distinguish between models sharing a component
|
||||||
- api: fix CSRF error when using POST/PATCH/PUT in API Browser
|
- api: fix CSRF error when using POST/PATCH/PUT in API Browser
|
||||||
- api: make 401 messages clearer
|
- api: make 401 messages clearer
|
||||||
- api: mount outposts under outposts/instances to match flows
|
- api: mount outposts under outposts/instances to match flows
|
||||||
|
@ -86,7 +85,7 @@ slug: "2021.4"
|
||||||
|
|
||||||
## Fixed in 2021.4.4
|
## Fixed in 2021.4.4
|
||||||
|
|
||||||
- *: make tasks run every 60 minutes not :00 every hour
|
- \*: make tasks run every 60 minutes not :00 every hour
|
||||||
- outposts: check for X-Forwarded-Host to switch context
|
- outposts: check for X-Forwarded-Host to switch context
|
||||||
- outposts: improve update performance
|
- outposts: improve update performance
|
||||||
- outposts: move local connection check to task, run every 60 minutes
|
- outposts: move local connection check to task, run every 60 minutes
|
||||||
|
|
|
@ -93,7 +93,7 @@ This feature is still in technical preview, so please report any Bugs you run in
|
||||||
## Fixed in 2021.5.4
|
## Fixed in 2021.5.4
|
||||||
|
|
||||||
- providers/oauth2: add missing kid header to JWT Tokens
|
- providers/oauth2: add missing kid header to JWT Tokens
|
||||||
- stages/authenticator_*: fix Permission Error when disabling Authenticator as non-superuser
|
- stages/authenticator\_\*: fix Permission Error when disabling Authenticator as non-superuser
|
||||||
- web: fix missing flow and policy cache clearing UI
|
- web: fix missing flow and policy cache clearing UI
|
||||||
- web: set x-forwarded-proto based on upstream TLS Status
|
- web: set x-forwarded-proto based on upstream TLS Status
|
||||||
|
|
||||||
|
|
|
@ -20,21 +20,21 @@ slug: "2021.8"
|
||||||
|
|
||||||
## Minor changes
|
## Minor changes
|
||||||
|
|
||||||
- admin: add API to show embedded outpost status, add notice when its not configured properly
|
- admin: add API to show embedded outpost status, add notice when its not configured properly
|
||||||
- api: ensure all resources can be filtered
|
- api: ensure all resources can be filtered
|
||||||
- api: make all PropertyMappings filterable by multiple managed attributes
|
- api: make all PropertyMappings filterable by multiple managed attributes
|
||||||
- core: add API to directly send recovery link to user
|
- core: add API to directly send recovery link to user
|
||||||
- core: add UserSelfSerializer and separate method for users to update themselves with limited fields
|
- core: add UserSelfSerializer and separate method for users to update themselves with limited fields
|
||||||
- core: allow changing of groups a user is in from user api
|
- core: allow changing of groups a user is in from user api
|
||||||
- flows: fix unhandled error in stage execution not being logged as SYSTEM_EXCEPTION event
|
- flows: fix unhandled error in stage execution not being logged as SYSTEM_EXCEPTION event
|
||||||
- lifecycle: decrease default worker count on compose
|
- lifecycle: decrease default worker count on compose
|
||||||
- outpost/ldap: Performance improvements, support for (member=) lookup
|
- outpost/ldap: Performance improvements, support for (member=) lookup
|
||||||
- providers/proxy: don't create ingress when no hosts are defined
|
- providers/proxy: don't create ingress when no hosts are defined
|
||||||
- sources/plex: add API to get user connections
|
- sources/plex: add API to get user connections
|
||||||
- web: add API Drawer
|
- web: add API Drawer
|
||||||
- web/admin: add UI to copy invitation link
|
- web/admin: add UI to copy invitation link
|
||||||
- web/admin: allow modification of users groups from user view
|
- web/admin: allow modification of users groups from user view
|
||||||
- web/admin: re-name service connection to integration
|
- web/admin: re-name service connection to integration
|
||||||
|
|
||||||
## Fixed in 2021.8.1-rc2
|
## Fixed in 2021.8.1-rc2
|
||||||
|
|
||||||
|
@ -78,7 +78,7 @@ slug: "2021.8"
|
||||||
|
|
||||||
## Fixed in 2021.8.1
|
## Fixed in 2021.8.1
|
||||||
|
|
||||||
- *: cleanup api schema warnings
|
- \*: cleanup api schema warnings
|
||||||
- core: fix error for asgi error handler with websockets
|
- core: fix error for asgi error handler with websockets
|
||||||
- core: fix error when user updates themselves
|
- core: fix error when user updates themselves
|
||||||
- core: fix user object for token not be set-able
|
- core: fix user object for token not be set-able
|
||||||
|
|
|
@ -31,7 +31,7 @@ slug: "2021.9"
|
||||||
|
|
||||||
## Minor changes
|
## Minor changes
|
||||||
|
|
||||||
- *: use common user agent for all outgoing requests
|
- \*: use common user agent for all outgoing requests
|
||||||
- admin: migrate to new update check, add option to disable update check
|
- admin: migrate to new update check, add option to disable update check
|
||||||
- api: add additional filters for ldap and proxy providers
|
- api: add additional filters for ldap and proxy providers
|
||||||
- core: optimise groups api by removing member superuser status
|
- core: optimise groups api by removing member superuser status
|
||||||
|
|
|
@ -25,7 +25,7 @@ This release mostly removes legacy fields and features that have been deprecated
|
||||||
|
|
||||||
The proxy now also sets the host header based on what is configured as upstream in the proxy provider. The original Host is forwarded as `X-Forwarded-Host`.
|
The proxy now also sets the host header based on what is configured as upstream in the proxy provider. The original Host is forwarded as `X-Forwarded-Host`.
|
||||||
|
|
||||||
Additionally, the header requirements for nginx have changed. Either a `X-Original-URL` or `X-Original-URI` header are now required. See the [*Proxy provider*](../providers/proxy/forward_auth) documentation for updated snippets.
|
Additionally, the header requirements for nginx have changed. Either a `X-Original-URL` or `X-Original-URI` header are now required. See the [_Proxy provider_](../providers/proxy/forward_auth) documentation for updated snippets.
|
||||||
|
|
||||||
- API:
|
- API:
|
||||||
|
|
||||||
|
|
|
@ -30,8 +30,8 @@ In an authenticator validation stage you can now configure multiple configuratio
|
||||||
|
|
||||||
## Minor changes/fixes
|
## Minor changes/fixes
|
||||||
|
|
||||||
- *: add placeholder custom.css to easily allow user customisation
|
- \*: add placeholder custom.css to easily allow user customisation
|
||||||
- *: rename akprox to outpost.goauthentik.io (#2266)
|
- \*: rename akprox to outpost.goauthentik.io (#2266)
|
||||||
- internal: don't attempt to lookup SNI Certificate if no SNI is sent
|
- internal: don't attempt to lookup SNI Certificate if no SNI is sent
|
||||||
- internal: improve error handling for internal reverse proxy
|
- internal: improve error handling for internal reverse proxy
|
||||||
- internal: increase logging for no hostname found
|
- internal: increase logging for no hostname found
|
||||||
|
|
|
@ -15,7 +15,7 @@ slug: "2022.5"
|
||||||
|
|
||||||
## Minor changes/fixes
|
## Minor changes/fixes
|
||||||
|
|
||||||
- *: decrease frequency of background tasks, smear tasks based on name and fqdn
|
- \*: decrease frequency of background tasks, smear tasks based on name and fqdn
|
||||||
- core: add custom shell command which imports all models and creates events for model events
|
- core: add custom shell command which imports all models and creates events for model events
|
||||||
- core: add flag to globally disable impersonation
|
- core: add flag to globally disable impersonation
|
||||||
- events: fix created events only being logged as debug level
|
- events: fix created events only being logged as debug level
|
||||||
|
|
|
@ -4,7 +4,7 @@ title: Missing admin group
|
||||||
|
|
||||||
If all of the Admin groups have been deleted, or misconfigured during sync, you can use the following command to gain access back.
|
If all of the Admin groups have been deleted, or misconfigured during sync, you can use the following command to gain access back.
|
||||||
|
|
||||||
Run the following command, where *username* is the user you want to add to the newly created group:
|
Run the following command, where _username_ is the user you want to add to the newly created group:
|
||||||
|
|
||||||
```
|
```
|
||||||
docker-compose run --rm server create_admin_group username
|
docker-compose run --rm server create_admin_group username
|
||||||
|
|
|
@ -10,4 +10,4 @@ When you bind a group to an application or flow, any members of any child group
|
||||||
|
|
||||||
## Attributes
|
## Attributes
|
||||||
|
|
||||||
Attributes of groups are recursively merged, for all groups the user is a *direct* member of.
|
Attributes of groups are recursively merged, for all groups the user is a _direct_ member of.
|
||||||
|
|
|
@ -48,12 +48,15 @@ The User object has the following attributes:
|
||||||
- `ak_groups` This is a queryset of all the user's groups.
|
- `ak_groups` This is a queryset of all the user's groups.
|
||||||
|
|
||||||
You can do additional filtering like
|
You can do additional filtering like
|
||||||
|
|
||||||
```python
|
```python
|
||||||
user.ak_groups.filter(name__startswith='test')
|
user.ak_groups.filter(name__startswith='test')
|
||||||
```
|
```
|
||||||
|
|
||||||
see [here](https://docs.djangoproject.com/en/3.1/ref/models/querysets/#id4)
|
see [here](https://docs.djangoproject.com/en/3.1/ref/models/querysets/#id4)
|
||||||
|
|
||||||
To get the name of all groups, you can do
|
To get the name of all groups, you can do
|
||||||
|
|
||||||
```python
|
```python
|
||||||
[group.name for group in user.ak_groups.all()]
|
[group.name for group in user.ak_groups.all()]
|
||||||
```
|
```
|
||||||
|
|
|
@ -23,7 +23,7 @@ Create an OAuth2/OpenID provider with the following parameters:
|
||||||
- Redirect URIs: `https://guacamole.company/` (depending on your Tomcat setup, you might have to add `/guacamole/` if the application runs in a subfolder)
|
- Redirect URIs: `https://guacamole.company/` (depending on your Tomcat setup, you might have to add `/guacamole/` if the application runs in a subfolder)
|
||||||
- Scopes: OpenID, Email and Profile
|
- Scopes: OpenID, Email and Profile
|
||||||
|
|
||||||
Under *Advanced protocol settings*, set the following:
|
Under _Advanced protocol settings_, set the following:
|
||||||
|
|
||||||
- Token validity: Any value to configure how long the session should last. Guacamole will not accept any tokens valid longer than 300 Minutes.
|
- Token validity: Any value to configure how long the session should last. Guacamole will not accept any tokens valid longer than 300 Minutes.
|
||||||
|
|
||||||
|
@ -31,8 +31,8 @@ Note the Client ID value. Create an application, using the provider you've creat
|
||||||
|
|
||||||
## Guacamole
|
## Guacamole
|
||||||
|
|
||||||
import Tabs from '@theme/Tabs';
|
import Tabs from "@theme/Tabs";
|
||||||
import TabItem from '@theme/TabItem';
|
import TabItem from "@theme/TabItem";
|
||||||
|
|
||||||
<Tabs
|
<Tabs
|
||||||
defaultValue="docker"
|
defaultValue="docker"
|
||||||
|
@ -50,6 +50,7 @@ OPENID_ISSUER: https://authentik.company/application/o/*Slug of the application
|
||||||
OPENID_JWKS_ENDPOINT: https://authentik.company/application/o/*Slug of the application from above*/jwks/
|
OPENID_JWKS_ENDPOINT: https://authentik.company/application/o/*Slug of the application from above*/jwks/
|
||||||
OPENID_REDIRECT_URI: https://guacamole.company/ # This must match the redirect URI above
|
OPENID_REDIRECT_URI: https://guacamole.company/ # This must match the redirect URI above
|
||||||
```
|
```
|
||||||
|
|
||||||
</TabItem>
|
</TabItem>
|
||||||
<TabItem value="standalone">
|
<TabItem value="standalone">
|
||||||
Standalone Guacamole is configured using the `guacamole.properties` file. Add the following settings:
|
Standalone Guacamole is configured using the `guacamole.properties` file. Add the following settings:
|
||||||
|
@ -61,5 +62,6 @@ openid-issuer=https://authentik.company/application/o/*Slug of the application f
|
||||||
openid-jwks-endpoint=https://authentik.company/application/o/*Slug of the application from above*/jwks/
|
openid-jwks-endpoint=https://authentik.company/application/o/*Slug of the application from above*/jwks/
|
||||||
openid-redirect-uri=https://guacamole.company/ # This must match the redirect URI above
|
openid-redirect-uri=https://guacamole.company/ # This must match the redirect URI above
|
||||||
```
|
```
|
||||||
|
|
||||||
</TabItem>
|
</TabItem>
|
||||||
</Tabs>
|
</Tabs>
|
||||||
|
|
|
@ -27,6 +27,7 @@ The following placeholders will be used:
|
||||||
In authentik, under _Providers_, create a _SAML Provider_ with these settings:
|
In authentik, under _Providers_, create a _SAML Provider_ with these settings:
|
||||||
|
|
||||||
**Protocol Settings**
|
**Protocol Settings**
|
||||||
|
|
||||||
- Name: Bookstack
|
- Name: Bookstack
|
||||||
- ACS URL: https://book.company/saml2/acs
|
- ACS URL: https://book.company/saml2/acs
|
||||||
- Issuer: https://authentik.company
|
- Issuer: https://authentik.company
|
||||||
|
@ -34,8 +35,9 @@ In authentik, under _Providers_, create a _SAML Provider_ with these settings:
|
||||||
- Audience: https://book.company/saml2/metadata
|
- Audience: https://book.company/saml2/metadata
|
||||||
|
|
||||||
**Advanced protocol settings**
|
**Advanced protocol settings**
|
||||||
|
|
||||||
- Signing Certificate: Choose your certificate or the default authentik Self-signed Certificate
|
- Signing Certificate: Choose your certificate or the default authentik Self-signed Certificate
|
||||||
All other options as default.
|
All other options as default.
|
||||||
|
|
||||||
![](./authentik_saml_bookstack.png)
|
![](./authentik_saml_bookstack.png)
|
||||||
|
|
||||||
|
|
|
@ -22,6 +22,7 @@ The following placeholders will be used:
|
||||||
Create an application and Provider in authentik, note the slug, as this will be used later. Create a SAML provider with the following parameters:
|
Create an application and Provider in authentik, note the slug, as this will be used later. Create a SAML provider with the following parameters:
|
||||||
|
|
||||||
Provider:
|
Provider:
|
||||||
|
|
||||||
- ACS URL: `https://fgm.company/saml/?acs`
|
- ACS URL: `https://fgm.company/saml/?acs`
|
||||||
- Issuer: `https://authentik.company/application/saml/fgm/sso/binding/redirect/`
|
- Issuer: `https://authentik.company/application/saml/fgm/sso/binding/redirect/`
|
||||||
- Service Provider Binding: Post
|
- Service Provider Binding: Post
|
||||||
|
@ -29,6 +30,7 @@ Provider:
|
||||||
You can of course use a custom signing certificate, and adjust durations.
|
You can of course use a custom signing certificate, and adjust durations.
|
||||||
|
|
||||||
Application:
|
Application:
|
||||||
|
|
||||||
- Launch URL: 'https://fgm.company/p/sso_sp/'
|
- Launch URL: 'https://fgm.company/p/sso_sp/'
|
||||||
|
|
||||||
## FortiManager Configuration
|
## FortiManager Configuration
|
||||||
|
|
|
@ -24,12 +24,12 @@ Create an application in authentik and note the slug, as this will be used later
|
||||||
- Issuer: `https://gitlab.company`
|
- Issuer: `https://gitlab.company`
|
||||||
- Binding: `Redirect`
|
- Binding: `Redirect`
|
||||||
|
|
||||||
Under *Advanced protocol settings*, set a certificate for *Signing Certificate*.
|
Under _Advanced protocol settings_, set a certificate for _Signing Certificate_.
|
||||||
|
|
||||||
## GitLab Configuration
|
## GitLab Configuration
|
||||||
|
|
||||||
Paste the following block in your `gitlab.rb` file, after replacing the placeholder values from above. The file is located in `/etc/gitlab`.
|
Paste the following block in your `gitlab.rb` file, after replacing the placeholder values from above. The file is located in `/etc/gitlab`.
|
||||||
To get the value for `idp_cert_fingerprint`, go to the Certificate list under *Identity & Cryptography*, and expand the selected certificate.
|
To get the value for `idp_cert_fingerprint`, go to the Certificate list under _Identity & Cryptography_, and expand the selected certificate.
|
||||||
|
|
||||||
```ruby
|
```ruby
|
||||||
gitlab_rails['omniauth_enabled'] = true
|
gitlab_rails['omniauth_enabled'] = true
|
||||||
|
|
|
@ -28,8 +28,8 @@ Note the Client ID and Client Secret values. Create an application, using the pr
|
||||||
|
|
||||||
## Grafana
|
## Grafana
|
||||||
|
|
||||||
import Tabs from '@theme/Tabs';
|
import Tabs from "@theme/Tabs";
|
||||||
import TabItem from '@theme/TabItem';
|
import TabItem from "@theme/TabItem";
|
||||||
|
|
||||||
<Tabs
|
<Tabs
|
||||||
defaultValue="docker"
|
defaultValue="docker"
|
||||||
|
@ -56,6 +56,7 @@ environment:
|
||||||
# Optionally map user groups to Grafana roles
|
# Optionally map user groups to Grafana roles
|
||||||
GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'"
|
GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'"
|
||||||
```
|
```
|
||||||
|
|
||||||
</TabItem>
|
</TabItem>
|
||||||
<TabItem value="standalone">
|
<TabItem value="standalone">
|
||||||
If you are using a config-file instead, you have to set these options:
|
If you are using a config-file instead, you have to set these options:
|
||||||
|
@ -78,6 +79,7 @@ api_url = https://authentik.company/application/o/userinfo/
|
||||||
# Optionally map user groups to Grafana roles
|
# Optionally map user groups to Grafana roles
|
||||||
role_attribute_path = contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'
|
role_attribute_path = contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'
|
||||||
```
|
```
|
||||||
|
|
||||||
</TabItem>
|
</TabItem>
|
||||||
</Tabs>
|
</Tabs>
|
||||||
|
|
||||||
|
|
|
@ -35,11 +35,13 @@ Only settings that have been modified from default have been listed.
|
||||||
- Signing Key: Select any available key
|
- Signing Key: Select any available key
|
||||||
|
|
||||||
- Redirect URIs/Origins:
|
- Redirect URIs/Origins:
|
||||||
|
|
||||||
```
|
```
|
||||||
https://vault.company/ui/vault/auth/oidc/oidc/callback
|
https://vault.company/ui/vault/auth/oidc/oidc/callback
|
||||||
https://vault.company/oidc/callback
|
https://vault.company/oidc/callback
|
||||||
http://localhost:8250/oidc/callback
|
http://localhost:8250/oidc/callback
|
||||||
```
|
```
|
||||||
|
|
||||||
:::note
|
:::note
|
||||||
Take note of the `Client ID` and `Client Secret`, you'll need to give them to Vault in _Step 3_.
|
Take note of the `Client ID` and `Client Secret`, you'll need to give them to Vault in _Step 3_.
|
||||||
:::
|
:::
|
||||||
|
@ -59,9 +61,10 @@ Only settings that have been modified from default have been listed.
|
||||||
### Step 3
|
### Step 3
|
||||||
|
|
||||||
Enable the oidc auth method
|
Enable the oidc auth method
|
||||||
```vault auth enable oidc```
|
`vault auth enable oidc`
|
||||||
|
|
||||||
Configure the oidc auth method, oidc discovery url is the OpenID Configuration Issuer in your provider
|
Configure the oidc auth method, oidc discovery url is the OpenID Configuration Issuer in your provider
|
||||||
|
|
||||||
```
|
```
|
||||||
vault write auth/oidc/config \
|
vault write auth/oidc/config \
|
||||||
oidc_discovery_url="https://authentik.company/application/o/vault-slug/" \
|
oidc_discovery_url="https://authentik.company/application/o/vault-slug/" \
|
||||||
|
@ -71,6 +74,7 @@ vault write auth/oidc/config \
|
||||||
```
|
```
|
||||||
|
|
||||||
Create the reader role
|
Create the reader role
|
||||||
|
|
||||||
```
|
```
|
||||||
vault write auth/oidc/role/reader \
|
vault write auth/oidc/role/reader \
|
||||||
bound_audiences="Client ID" \
|
bound_audiences="Client ID" \
|
||||||
|
@ -82,4 +86,4 @@ vault write auth/oidc/role/reader \
|
||||||
```
|
```
|
||||||
|
|
||||||
You should then be able to sign in via OIDC
|
You should then be able to sign in via OIDC
|
||||||
```vault login -method=oidc role="reader"```
|
`vault login -method=oidc role="reader"`
|
||||||
|
|
|
@ -33,14 +33,14 @@ You need to set the following `env` Variables for Docker based installations.
|
||||||
Set the following values:
|
Set the following values:
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
CMD_OAUTH2_PROVIDERNAME: 'authentik'
|
CMD_OAUTH2_PROVIDERNAME: "authentik"
|
||||||
CMD_OAUTH2_CLIENT_ID: '<Client ID from above>'
|
CMD_OAUTH2_CLIENT_ID: "<Client ID from above>"
|
||||||
CMD_OAUTH2_CLIENT_SECRET: '<Client Secret from above>'
|
CMD_OAUTH2_CLIENT_SECRET: "<Client Secret from above>"
|
||||||
CMD_OAUTH2_SCOPE: 'openid email profile'
|
CMD_OAUTH2_SCOPE: "openid email profile"
|
||||||
CMD_OAUTH2_USER_PROFILE_URL: 'https://authentik.company/application/o/userinfo/'
|
CMD_OAUTH2_USER_PROFILE_URL: "https://authentik.company/application/o/userinfo/"
|
||||||
CMD_OAUTH2_TOKEN_URL: 'https://authentik.company/application/o/token/'
|
CMD_OAUTH2_TOKEN_URL: "https://authentik.company/application/o/token/"
|
||||||
CMD_OAUTH2_AUTHORIZATION_URL: 'https://authentik.company/application/o/authorize/'
|
CMD_OAUTH2_AUTHORIZATION_URL: "https://authentik.company/application/o/authorize/"
|
||||||
CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR: 'preferred_username'
|
CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR: "preferred_username"
|
||||||
CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR: 'name'
|
CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR: "name"
|
||||||
CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR: 'email'
|
CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR: "email"
|
||||||
```
|
```
|
||||||
|
|
|
@ -27,13 +27,13 @@ Create a SAML provider with the following parameters:
|
||||||
- Issuer: `https://authentik.company`
|
- Issuer: `https://authentik.company`
|
||||||
- Binding: `Post`
|
- Binding: `Post`
|
||||||
|
|
||||||
Under *Advanced protocol settings*, set a certificate for *Signing Certificate*.
|
Under _Advanced protocol settings_, set a certificate for _Signing Certificate_.
|
||||||
|
|
||||||
## Kimai Configuration
|
## Kimai Configuration
|
||||||
|
|
||||||
Paste the following block in your `local.yaml` file, after replacing the placeholder values from above. The file is usually located in `/opt/kimai/config/packages/local.yaml`.
|
Paste the following block in your `local.yaml` file, after replacing the placeholder values from above. The file is usually located in `/opt/kimai/config/packages/local.yaml`.
|
||||||
|
|
||||||
To get the value for `x509cert`, go to *System* > *Certificates*, and download the public Signing Certificate. To avoid further problems, concat it into "string format" using e.g.: https://www.samltool.com/format_x509cert.php
|
To get the value for `x509cert`, go to _System_ > _Certificates_, and download the public Signing Certificate. To avoid further problems, concat it into "string format" using e.g.: https://www.samltool.com/format_x509cert.php
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
# Optionally add this for docker debug-logging
|
# Optionally add this for docker debug-logging
|
||||||
|
@ -111,7 +111,6 @@ kimai:
|
||||||
name: "Kimai"
|
name: "Kimai"
|
||||||
displayname: "Kimai"
|
displayname: "Kimai"
|
||||||
url: "https://kimai.company"
|
url: "https://kimai.company"
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|
||||||
Afterwards, either [rebuild the cache](https://www.kimai.org/documentation/cache.html) or restart the docker container.
|
Afterwards, either [rebuild the cache](https://www.kimai.org/documentation/cache.html) or restart the docker container.
|
||||||
|
|
|
@ -68,8 +68,8 @@ See https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/r
|
||||||
Create a group for each different level of quota you want users to have. Set a custom attribute, for example called `nextcloud_quota`, to the quota you want, for example `15 GB`.
|
Create a group for each different level of quota you want users to have. Set a custom attribute, for example called `nextcloud_quota`, to the quota you want, for example `15 GB`.
|
||||||
|
|
||||||
Afterwards, create a custom SAML Property Mapping with the name `SAML NextCloud Quota`.
|
Afterwards, create a custom SAML Property Mapping with the name `SAML NextCloud Quota`.
|
||||||
Set the *SAML Name* to `nextcloud_quota`.
|
Set the _SAML Name_ to `nextcloud_quota`.
|
||||||
Set the *Expression* to `return user.group_attributes().get("nextcloud_quota", "1 GB")`, where `1 GB` is the default value for users that don't belong to another group (or have another value set).
|
Set the _Expression_ to `return user.group_attributes().get("nextcloud_quota", "1 GB")`, where `1 GB` is the default value for users that don't belong to another group (or have another value set).
|
||||||
|
|
||||||
## Admin Group
|
## Admin Group
|
||||||
|
|
||||||
|
|
|
@ -21,30 +21,30 @@ The following placeholders will be used:
|
||||||
- `authentik.company` is the FQDN of authentik.
|
- `authentik.company` is the FQDN of authentik.
|
||||||
- `onlyoffice.company` is the FQDN of the OnlyOffice instance.
|
- `onlyoffice.company` is the FQDN of the OnlyOffice instance.
|
||||||
|
|
||||||
Open your OnlyOffice instance, navigate to the settings by clicking the cog-icon in the navbar, then click on *Control Panel* on the sidebar.
|
Open your OnlyOffice instance, navigate to the settings by clicking the cog-icon in the navbar, then click on _Control Panel_ on the sidebar.
|
||||||
|
|
||||||
In the new tab, click on *SSO* in the sidebar.
|
In the new tab, click on _SSO_ in the sidebar.
|
||||||
|
|
||||||
Click the *Enable Single Sign-on Authentication* checkbox to enable SSO.
|
Click the _Enable Single Sign-on Authentication_ checkbox to enable SSO.
|
||||||
|
|
||||||
Scroll down to *ONLYOFFICE SP Metadata*, and copy the *SP Entity ID (link to metadata XML)* URL. Open this URL in a new tab, and download the XML file.
|
Scroll down to _ONLYOFFICE SP Metadata_, and copy the _SP Entity ID (link to metadata XML)_ URL. Open this URL in a new tab, and download the XML file.
|
||||||
|
|
||||||
## authentik Setup
|
## authentik Setup
|
||||||
|
|
||||||
Create an application in authentik, and create a SAML Provider by using *SAML Provider from Metadata*. Give the provider a name, and upload the XML file you've downloaded in the previous step.
|
Create an application in authentik, and create a SAML Provider by using _SAML Provider from Metadata_. Give the provider a name, and upload the XML file you've downloaded in the previous step.
|
||||||
|
|
||||||
Edit the resulting Provider, and ensure *Signing Certificate* is set to any certificate.
|
Edit the resulting Provider, and ensure _Signing Certificate_ is set to any certificate.
|
||||||
|
|
||||||
Navigate on the *Metadata* tab on the Provider page, and click *Copy download URL*.
|
Navigate on the _Metadata_ tab on the Provider page, and click _Copy download URL_.
|
||||||
|
|
||||||
## OnlyOffice Setup
|
## OnlyOffice Setup
|
||||||
|
|
||||||
Navigate back to your OnlyOffice Control panel, and paste the URL into *Load metadata from XML to fill the required fields automatically*, and click the upload button next to the input field.
|
Navigate back to your OnlyOffice Control panel, and paste the URL into _Load metadata from XML to fill the required fields automatically_, and click the upload button next to the input field.
|
||||||
|
|
||||||
Under *Attribute Mapping*, set the following values
|
Under _Attribute Mapping_, set the following values
|
||||||
|
|
||||||
- *First Name*: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`
|
- _First Name_: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`
|
||||||
- *Last Name*: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`
|
- _Last Name_: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`
|
||||||
- *Email*: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`
|
- _Email_: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`
|
||||||
|
|
||||||
Click save and a new SSO button will appear on the OnlyOffice login page.
|
Click save and a new SSO button will appear on the OnlyOffice login page.
|
||||||
|
|
|
@ -40,6 +40,7 @@ Only settings that have been modified from default have been listed.
|
||||||
:::
|
:::
|
||||||
|
|
||||||
**Protocol Settings**
|
**Protocol Settings**
|
||||||
|
|
||||||
- Name: LDAP
|
- Name: LDAP
|
||||||
- Search group: opnsense
|
- Search group: opnsense
|
||||||
- Certificate: authentik Self-signed certificate
|
- Certificate: authentik Self-signed certificate
|
||||||
|
@ -66,6 +67,7 @@ Only settings that have been modified from default have been listed.
|
||||||
|
|
||||||
- Name: LDAP
|
- Name: LDAP
|
||||||
- Type: LDAP
|
- Type: LDAP
|
||||||
|
|
||||||
### Step 5
|
### Step 5
|
||||||
|
|
||||||
Add your authentik LDAP server to OPNsense by going to your OPNsense Web UI and clicking the `+` under _System/Access/Servers_.
|
Add your authentik LDAP server to OPNsense by going to your OPNsense Web UI and clicking the `+` under _System/Access/Servers_.
|
||||||
|
@ -83,6 +85,7 @@ Change the following fields
|
||||||
- Extended Query: &(objectClass=user)
|
- Extended Query: &(objectClass=user)
|
||||||
|
|
||||||
![](./opnsense1.png)
|
![](./opnsense1.png)
|
||||||
|
|
||||||
### Step 6
|
### Step 6
|
||||||
|
|
||||||
In OPNsense, go to _System/Settings/Administration_ and under _Authentication_ at the bottom of that page, add `authentik` to the Server list
|
In OPNsense, go to _System/Settings/Administration_ and under _Authentication_ at the bottom of that page, add `authentik` to the Server list
|
||||||
|
|
|
@ -24,14 +24,15 @@ The following placeholders will be used:
|
||||||
|
|
||||||
Also set up your proxy server to use forward auth with paperless.company: https://goauthentik.io/docs/providers/proxy/forward_auth
|
Also set up your proxy server to use forward auth with paperless.company: https://goauthentik.io/docs/providers/proxy/forward_auth
|
||||||
|
|
||||||
|
|
||||||
## Paperless
|
## Paperless
|
||||||
|
|
||||||
Start by adding the following environment variables to your Paperless-ng setup. If you are using docker-compose, then add the following to your docker-compose.env file:
|
Start by adding the following environment variables to your Paperless-ng setup. If you are using docker-compose, then add the following to your docker-compose.env file:
|
||||||
|
|
||||||
```
|
```
|
||||||
PAPERLESS_ENABLE_HTTP_REMOTE_USER=TRUE
|
PAPERLESS_ENABLE_HTTP_REMOTE_USER=TRUE
|
||||||
PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME=HTTP_X_AUTHENTIK_USERNAME
|
PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME=HTTP_X_AUTHENTIK_USERNAME
|
||||||
```
|
```
|
||||||
|
|
||||||
Authentik automatically sets this header when we use a proxy outpost.
|
Authentik automatically sets this header when we use a proxy outpost.
|
||||||
|
|
||||||
Now restart your container:
|
Now restart your container:
|
||||||
|
|
|
@ -22,7 +22,6 @@ The following placeholders will be used:
|
||||||
- `pfsense-user` is the name of the authentik Service account we'll create.
|
- `pfsense-user` is the name of the authentik Service account we'll create.
|
||||||
- `DC=ldap,DC=goauthentik,DC=io` is the Base DN of the LDAP Provider (default)
|
- `DC=ldap,DC=goauthentik,DC=io` is the Base DN of the LDAP Provider (default)
|
||||||
|
|
||||||
|
|
||||||
### Step 1 - Service account
|
### Step 1 - Service account
|
||||||
|
|
||||||
In authentik, create a service account (under _Directory/Users_) for pfSense to use as the LDAP Binder and take note of the password generated.
|
In authentik, create a service account (under _Directory/Users_) for pfSense to use as the LDAP Binder and take note of the password generated.
|
||||||
|
@ -33,10 +32,10 @@ In this example, we'll use `pfsense-user` as the Service account's username
|
||||||
If you didn't keep the password, you can copy it from _Directory/Tokens & App password_.
|
If you didn't keep the password, you can copy it from _Directory/Tokens & App password_.
|
||||||
:::
|
:::
|
||||||
|
|
||||||
|
|
||||||
### Step 2 - LDAP Provider
|
### Step 2 - LDAP Provider
|
||||||
|
|
||||||
In authentik, create a LDAP Provider (under _Applications/Providers_) with these settings :
|
In authentik, create a LDAP Provider (under _Applications/Providers_) with these settings :
|
||||||
|
|
||||||
- Name : LDAP
|
- Name : LDAP
|
||||||
- Bind DN : `DC=ldap,DC=goauthentik,DC=io`
|
- Bind DN : `DC=ldap,DC=goauthentik,DC=io`
|
||||||
- Certificate : `self-signed`
|
- Certificate : `self-signed`
|
||||||
|
@ -79,8 +78,6 @@ Change the following fields
|
||||||
- Extended Query: &(objectClass=user)
|
- Extended Query: &(objectClass=user)
|
||||||
- Allow unauthenticated bind: **unticked**
|
- Allow unauthenticated bind: **unticked**
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## pfSense secure setup (with SSL)
|
## pfSense secure setup (with SSL)
|
||||||
|
|
||||||
When enabling SSL, authentik will send a certificate to pfSense. This certificate has to be signed by a certificate authority trusted by pfSense. In this setup we will create our own certificate authority in pfSense and create a certificate that will be used by authentik.
|
When enabling SSL, authentik will send a certificate to pfSense. This certificate has to be signed by a certificate authority trusted by pfSense. In this setup we will create our own certificate authority in pfSense and create a certificate that will be used by authentik.
|
||||||
|
@ -139,24 +136,18 @@ Change the following fields
|
||||||
- Extended Query: &(objectClass=user)
|
- Extended Query: &(objectClass=user)
|
||||||
- Allow unauthenticated bind: **unticked**
|
- Allow unauthenticated bind: **unticked**
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## Test your setup
|
## Test your setup
|
||||||
|
|
||||||
In pfSense, you can validate the authentication backend setup by going to _Diagnostics/Authentication_ and then select `LDAP authentik` as _Authentication Server_.
|
In pfSense, you can validate the authentication backend setup by going to _Diagnostics/Authentication_ and then select `LDAP authentik` as _Authentication Server_.
|
||||||
|
|
||||||
You can use the credentials of an authentik user, pfSense will tell you if the connection was successful or not. If it is, congratulations, you can now change the pfSense default authentication backend.
|
You can use the credentials of an authentik user, pfSense will tell you if the connection was successful or not. If it is, congratulations, you can now change the pfSense default authentication backend.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## Change pfSense default authentication backend
|
## Change pfSense default authentication backend
|
||||||
|
|
||||||
In pfSense, you can change the authentication backend used by the Web UI by going to _System/User Manager_ and then click on _Settings_ tab.
|
In pfSense, you can change the authentication backend used by the Web UI by going to _System/User Manager_ and then click on _Settings_ tab.
|
||||||
|
|
||||||
- Authentication Server: `LDAP authentik`
|
- Authentication Server: `LDAP authentik`
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## Notes
|
## Notes
|
||||||
|
|
||||||
:::tip
|
:::tip
|
||||||
|
|
|
@ -21,12 +21,12 @@ The following placeholders will be used:
|
||||||
- `pgadmin.company` is the FQDN of pgAdmin.
|
- `pgadmin.company` is the FQDN of pgAdmin.
|
||||||
- `authentik.company` is the FQDN of authentik.
|
- `authentik.company` is the FQDN of authentik.
|
||||||
|
|
||||||
|
|
||||||
### Step 1: Create authentik Provider
|
### Step 1: Create authentik Provider
|
||||||
|
|
||||||
In authentik, under _Providers_, create an _OAuth2/OpenID Provider_ with these settings:
|
In authentik, under _Providers_, create an _OAuth2/OpenID Provider_ with these settings:
|
||||||
|
|
||||||
**Provider Settings**
|
**Provider Settings**
|
||||||
|
|
||||||
- Name: pgAdmin
|
- Name: pgAdmin
|
||||||
- Client type: Confidential
|
- Client type: Confidential
|
||||||
- Client ID: Copy and Save this for Later
|
- Client ID: Copy and Save this for Later
|
||||||
|
@ -34,6 +34,7 @@ In authentik, under _Providers_, create an _OAuth2/OpenID Provider_ with these s
|
||||||
- Redirect URIs/Origins: `http://pgadmin.company/oauth2/authorize`
|
- Redirect URIs/Origins: `http://pgadmin.company/oauth2/authorize`
|
||||||
|
|
||||||
### Step 2: Create authentik Application
|
### Step 2: Create authentik Application
|
||||||
|
|
||||||
In authentik, create an application which uses this provider. Optionally apply access restrictions to the application using policy bindings.
|
In authentik, create an application which uses this provider. Optionally apply access restrictions to the application using policy bindings.
|
||||||
|
|
||||||
- Name: pgAdmin
|
- Name: pgAdmin
|
||||||
|
@ -41,8 +42,8 @@ In authentik, create an application which uses this provider. Optionally apply a
|
||||||
- Provider: pgAdmin
|
- Provider: pgAdmin
|
||||||
- Launch URL: https://pgadmin.company
|
- Launch URL: https://pgadmin.company
|
||||||
|
|
||||||
|
|
||||||
### Step 3: Configure pgAdmin
|
### Step 3: Configure pgAdmin
|
||||||
|
|
||||||
All settings for OAuth in pgAdmin are configured in the `config_local.py` file. This file can usually be found in the path `/pgadmin4/config_local.py`
|
All settings for OAuth in pgAdmin are configured in the `config_local.py` file. This file can usually be found in the path `/pgadmin4/config_local.py`
|
||||||
|
|
||||||
:::note
|
:::note
|
||||||
|
@ -71,7 +72,9 @@ OAUTH2_CONFIG = [{
|
||||||
'OAUTH2_BUTTON_COLOR' : '<button-color>'
|
'OAUTH2_BUTTON_COLOR' : '<button-color>'
|
||||||
}]
|
}]
|
||||||
```
|
```
|
||||||
|
|
||||||
In the code above the following placeholders have been used:
|
In the code above the following placeholders have been used:
|
||||||
|
|
||||||
- `<display-name>`: The name that is displayed on the Login Button
|
- `<display-name>`: The name that is displayed on the Login Button
|
||||||
- `<client-id>`: The Client ID from step 1
|
- `<client-id>`: The Client ID from step 1
|
||||||
- `<client-secret>`: The Client Secret from step 1
|
- `<client-secret>`: The Client Secret from step 1
|
||||||
|
|
|
@ -30,13 +30,13 @@ Only settings that have been modified from default have been listed.
|
||||||
:::
|
:::
|
||||||
|
|
||||||
**Protocol Settings**
|
**Protocol Settings**
|
||||||
|
|
||||||
- Name: Portainer
|
- Name: Portainer
|
||||||
- Client type: Confidential
|
- Client type: Confidential
|
||||||
- Client ID: Copy and Save this for Later
|
- Client ID: Copy and Save this for Later
|
||||||
- Client Secret: Copy and Save this for later
|
- Client Secret: Copy and Save this for later
|
||||||
- Redirect URIs/Origins: `https://port.company`
|
- Redirect URIs/Origins: `https://port.company`
|
||||||
|
|
||||||
|
|
||||||
### Step 2 - Portainer
|
### Step 2 - Portainer
|
||||||
|
|
||||||
In Portainer, under _Settings_, _Authentication_, Select _OAuth_ and _Custom_
|
In Portainer, under _Settings_, _Authentication_, Select _OAuth_ and _Custom_
|
||||||
|
@ -66,7 +66,6 @@ In authentik, create an application which uses this provider. Optionally apply a
|
||||||
- Provider: Portainer
|
- Provider: Portainer
|
||||||
- Launch URL: https://port.company
|
- Launch URL: https://port.company
|
||||||
|
|
||||||
|
|
||||||
## Notes
|
## Notes
|
||||||
|
|
||||||
:::note
|
:::note
|
||||||
|
|
|
@ -58,8 +58,9 @@ SAML_CERT=/saml.crt
|
||||||
You must mount the certificate selected in authentik as a file in the Docker container. The path in the container must match the path in the env variable `SAML_CERT`.
|
You must mount the certificate selected in authentik as a file in the Docker container. The path in the container must match the path in the env variable `SAML_CERT`.
|
||||||
|
|
||||||
### docker-compose
|
### docker-compose
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
version: '3.3'
|
version: "3.3"
|
||||||
services:
|
services:
|
||||||
powerdns-admin:
|
powerdns-admin:
|
||||||
image: ngoduykhanh/powerdns-admin:latest
|
image: ngoduykhanh/powerdns-admin:latest
|
||||||
|
|
|
@ -14,7 +14,6 @@ Proxmox Virtual Environment is an open source server virtualization management s
|
||||||
This requires Proxmox VE 7.0 or newer.
|
This requires Proxmox VE 7.0 or newer.
|
||||||
:::
|
:::
|
||||||
|
|
||||||
|
|
||||||
## Preparation
|
## Preparation
|
||||||
|
|
||||||
The following placeholders will be used:
|
The following placeholders will be used:
|
||||||
|
|
|
@ -18,7 +18,7 @@ The following placeholders will be used:
|
||||||
- `rancher.company` is the FQDN of the Rancher install.
|
- `rancher.company` is the FQDN of the Rancher install.
|
||||||
- `authentik.company` is the FQDN of the authentik install.
|
- `authentik.company` is the FQDN of the authentik install.
|
||||||
|
|
||||||
Under *Property Mappings*, create a *SAML Property Mapping*. Give it a name like "SAML Rancher User ID". Set the SAML name to `rancherUidUsername` and the expression to the following
|
Under _Property Mappings_, create a _SAML Property Mapping_. Give it a name like "SAML Rancher User ID". Set the SAML name to `rancherUidUsername` and the expression to the following
|
||||||
|
|
||||||
```python
|
```python
|
||||||
return f"{user.pk}-{user.username}"
|
return f"{user.pk}-{user.username}"
|
||||||
|
@ -37,7 +37,7 @@ You can of course use a custom signing certificate, and adjust durations.
|
||||||
|
|
||||||
## Rancher
|
## Rancher
|
||||||
|
|
||||||
In Rancher, navigate to *Global* -> *Security* -> *Authentication*, and select ADFS.
|
In Rancher, navigate to _Global_ -> _Security_ -> _Authentication_, and select ADFS.
|
||||||
|
|
||||||
Fill in the fields
|
Fill in the fields
|
||||||
|
|
||||||
|
@ -46,7 +46,7 @@ Fill in the fields
|
||||||
- UID Field: `rancherUidUsername`
|
- UID Field: `rancherUidUsername`
|
||||||
- Groups Field: `http://schemas.xmlsoap.org/claims/Group`
|
- Groups Field: `http://schemas.xmlsoap.org/claims/Group`
|
||||||
|
|
||||||
For the private key and certificate, you can either generate a new pair (in authentik, navigate to *Identity & Cryptography* -> *Certificates* and select Generate), or use an existing pair.
|
For the private key and certificate, you can either generate a new pair (in authentik, navigate to _Identity & Cryptography_ -> _Certificates_ and select Generate), or use an existing pair.
|
||||||
|
|
||||||
Copy the metadata from authentik, and paste it in the metadata field.
|
Copy the metadata from authentik, and paste it in the metadata field.
|
||||||
|
|
||||||
|
|
|
@ -30,11 +30,13 @@ Only settings that have been modified from default have been listed.
|
||||||
:::
|
:::
|
||||||
|
|
||||||
**Protocol Settings**
|
**Protocol Settings**
|
||||||
|
|
||||||
- Name: RocketChat
|
- Name: RocketChat
|
||||||
- Client type: Confidential
|
- Client type: Confidential
|
||||||
- Client ID: Copy and Save this for Later
|
- Client ID: Copy and Save this for Later
|
||||||
- Client Secret: Copy and Save this for later
|
- Client Secret: Copy and Save this for later
|
||||||
- Redirect URIs/Origins:
|
- Redirect URIs/Origins:
|
||||||
|
|
||||||
```
|
```
|
||||||
https://rocket.company/_oauth/authentik
|
https://rocket.company/_oauth/authentik
|
||||||
|
|
||||||
|
@ -47,10 +49,12 @@ https://rocket.company/_oauth/authentik
|
||||||
In authentik, under _Applications_, create a new application with these settings:
|
In authentik, under _Applications_, create a new application with these settings:
|
||||||
|
|
||||||
**Application Settings**
|
**Application Settings**
|
||||||
|
|
||||||
- Name: Rocket.chat
|
- Name: Rocket.chat
|
||||||
- Slug: rocketchat
|
- Slug: rocketchat
|
||||||
- Provider: RocketChat
|
- Provider: RocketChat
|
||||||
- Launch URL:
|
- Launch URL:
|
||||||
|
|
||||||
```
|
```
|
||||||
https://rocket.company/_oauth/authentik
|
https://rocket.company/_oauth/authentik
|
||||||
|
|
||||||
|
@ -79,6 +83,7 @@ In Rocket.chat, follow the procedure below:
|
||||||
![](./rocketchat6.png)
|
![](./rocketchat6.png)
|
||||||
|
|
||||||
5. Scroll down to the new OAuth application, expand the dropdown, and enter the following settings:
|
5. Scroll down to the new OAuth application, expand the dropdown, and enter the following settings:
|
||||||
|
|
||||||
- Enable: Turn the radio button to the _on_ position
|
- Enable: Turn the radio button to the _on_ position
|
||||||
- URL: https://authentik.company/application/o
|
- URL: https://authentik.company/application/o
|
||||||
- Token Path: /token/
|
- Token Path: /token/
|
||||||
|
@ -114,8 +119,6 @@ In Rocket.chat, follow the procedure below:
|
||||||
|
|
||||||
6. Click _Save changes_ in the top right corner of the screen
|
6. Click _Save changes_ in the top right corner of the screen
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
### Step 4 (Optional)
|
### Step 4 (Optional)
|
||||||
|
|
||||||
:::note
|
:::note
|
||||||
|
|
|
@ -56,6 +56,7 @@ $config['oauth_scope'] = "email openid dovecotprofile";
|
||||||
$config['oauth_auth_parameters'] = [];
|
$config['oauth_auth_parameters'] = [];
|
||||||
$config['oauth_identity_fields'] = ['email'];
|
$config['oauth_identity_fields'] = ['email'];
|
||||||
```
|
```
|
||||||
|
|
||||||
## Dovecot Configuration
|
## Dovecot Configuration
|
||||||
|
|
||||||
Add xoauth2 as an authentication mechanism and configure the following parameters in your Dovecot configuration.
|
Add xoauth2 as an authentication mechanism and configure the following parameters in your Dovecot configuration.
|
||||||
|
|
|
@ -28,7 +28,7 @@ Create an application in authentik. Create a SAML Provider with the following va
|
||||||
- Service Provider Binding: `Post`
|
- Service Provider Binding: `Post`
|
||||||
- Audience: `https://sentry.company/saml/metadata/<sentry organisation name>/`
|
- Audience: `https://sentry.company/saml/metadata/<sentry organisation name>/`
|
||||||
|
|
||||||
Under *Advanced protocol settings*, set the following:
|
Under _Advanced protocol settings_, set the following:
|
||||||
|
|
||||||
- Signing Certificate: Select any certificate.
|
- Signing Certificate: Select any certificate.
|
||||||
- Property Mapping: Select all Managed Mappings
|
- Property Mapping: Select all Managed Mappings
|
||||||
|
|
|
@ -49,6 +49,7 @@ Because Sonarr can use HTTP Basic credentials, you can save your HTTP Basic Cred
|
||||||
sonarr_user: username
|
sonarr_user: username
|
||||||
sonarr_password: password
|
sonarr_password: password
|
||||||
```
|
```
|
||||||
|
|
||||||
Add all Sonarr users to the Group. You should also create a Group Membership Policy to limit access to the application.
|
Add all Sonarr users to the Group. You should also create a Group Membership Policy to limit access to the application.
|
||||||
|
|
||||||
Enable the `Use Basic Authentication` option. Set and `HTTP-Basic Username` and `HTTP-Basic Password` to `sonarr_user` and `sonarr_password` respectively. These values can be chosen freely, `sonarr_` is just used as a prefix for clarity.
|
Enable the `Use Basic Authentication` option. Set and `HTTP-Basic Username` and `HTTP-Basic Password` to `sonarr_user` and `sonarr_password` respectively. These values can be chosen freely, `sonarr_` is just used as a prefix for clarity.
|
||||||
|
|
|
@ -35,6 +35,7 @@ Create an application in authentik. Create a Proxy provider with the following p
|
||||||
- Skip path regex
|
- Skip path regex
|
||||||
|
|
||||||
Add the following regex rules to keep the public status page accessible without authentication.
|
Add the following regex rules to keep the public status page accessible without authentication.
|
||||||
|
|
||||||
```
|
```
|
||||||
^/$
|
^/$
|
||||||
^/status
|
^/status
|
||||||
|
|
|
@ -30,11 +30,13 @@ Only settings that have been modified from default have been listed.
|
||||||
:::
|
:::
|
||||||
|
|
||||||
**Protocol Settings**
|
**Protocol Settings**
|
||||||
|
|
||||||
- Name: Vikunja
|
- Name: Vikunja
|
||||||
- Client type: Confidential
|
- Client type: Confidential
|
||||||
- Client ID: Copy and Save this for Later
|
- Client ID: Copy and Save this for Later
|
||||||
- Client Secret: Copy and Save this for later
|
- Client Secret: Copy and Save this for later
|
||||||
- Redirect URIs/Origins:
|
- Redirect URIs/Origins:
|
||||||
|
|
||||||
```
|
```
|
||||||
https://vik.company/auth/openid
|
https://vik.company/auth/openid
|
||||||
https://vik.company/auth/openid/Vikunja
|
https://vik.company/auth/openid/Vikunja
|
||||||
|
|
|
@ -10,7 +10,6 @@ From https://weblate.org/en/
|
||||||
Weblate is a copylefted libre software web-based continuous localization system, used by over 2500 libre projects and companies in more than 165 countries.
|
Weblate is a copylefted libre software web-based continuous localization system, used by over 2500 libre projects and companies in more than 165 countries.
|
||||||
:::
|
:::
|
||||||
|
|
||||||
|
|
||||||
## Preparation
|
## Preparation
|
||||||
|
|
||||||
The following placeholders will be used:
|
The following placeholders will be used:
|
||||||
|
@ -33,33 +32,41 @@ You can of course use a custom signing certificate, and adjust durations.
|
||||||
We need to create some property mappings so our application will work. After you create the property mappings, assign them to the provider.
|
We need to create some property mappings so our application will work. After you create the property mappings, assign them to the provider.
|
||||||
|
|
||||||
### Full name
|
### Full name
|
||||||
* Name: `Weblate - Full name`
|
|
||||||
* SAML Attribute Name: `urn:oid:2.5.4.3`
|
- Name: `Weblate - Full name`
|
||||||
* Expression
|
- SAML Attribute Name: `urn:oid:2.5.4.3`
|
||||||
|
- Expression
|
||||||
|
|
||||||
```python
|
```python
|
||||||
return request.user.name
|
return request.user.name
|
||||||
```
|
```
|
||||||
|
|
||||||
### OID_USERID
|
### OID_USERID
|
||||||
* Name: `Weblate - OID_USERID`
|
|
||||||
* SAML Attribute Name: `urn:oid:0.9.2342.19200300.100.1.1`
|
- Name: `Weblate - OID_USERID`
|
||||||
* Expression
|
- SAML Attribute Name: `urn:oid:0.9.2342.19200300.100.1.1`
|
||||||
|
- Expression
|
||||||
|
|
||||||
```python
|
```python
|
||||||
return request.user.username
|
return request.user.username
|
||||||
```
|
```
|
||||||
|
|
||||||
### Username
|
### Username
|
||||||
* Name: `Weblate - Username`
|
|
||||||
* SAML Attribute Name: `username`
|
- Name: `Weblate - Username`
|
||||||
* Expression
|
- SAML Attribute Name: `username`
|
||||||
|
- Expression
|
||||||
|
|
||||||
```python
|
```python
|
||||||
return request.user.username
|
return request.user.username
|
||||||
```
|
```
|
||||||
|
|
||||||
### Email
|
### Email
|
||||||
* Name: `Weblate - Email`
|
|
||||||
* SAML Attribute Name: `email`
|
- Name: `Weblate - Email`
|
||||||
* Expression
|
- SAML Attribute Name: `email`
|
||||||
|
- Expression
|
||||||
|
|
||||||
```python
|
```python
|
||||||
return request.user.email
|
return request.user.email
|
||||||
```
|
```
|
||||||
|
@ -68,23 +75,23 @@ return request.user.email
|
||||||
|
|
||||||
The variables bellow need to be set, depending on if you deploy in a container or not you can take a look at the following links
|
The variables bellow need to be set, depending on if you deploy in a container or not you can take a look at the following links
|
||||||
|
|
||||||
* https://docs.weblate.org/en/latest/admin/config.html#config
|
- https://docs.weblate.org/en/latest/admin/config.html#config
|
||||||
* https://docs.weblate.org/en/latest/admin/install/docker.html#docker-environment
|
- https://docs.weblate.org/en/latest/admin/install/docker.html#docker-environment
|
||||||
|
|
||||||
Variables to set
|
Variables to set
|
||||||
|
|
||||||
* ENABLE_HTTPS: `1`
|
- ENABLE_HTTPS: `1`
|
||||||
* SAML_IDP_ENTITY_ID: `https://authentik.company/application/saml/weblate-slug/sso/binding/redirect/`
|
- SAML_IDP_ENTITY_ID: `https://authentik.company/application/saml/weblate-slug/sso/binding/redirect/`
|
||||||
* SAML_IDP_URL: `https://authentik.company/application/saml/weblate-slug/sso/binding/redirect/`
|
- SAML_IDP_URL: `https://authentik.company/application/saml/weblate-slug/sso/binding/redirect/`
|
||||||
* SAML_IDP_X509CERT: `MIIFDjCCAvagAwIBAgIRAJV8hH0wGkhGvbhhDKppWIYwDQYJKoZIhvcNAQELBQAw....F9lT9hHwHhsnA=`
|
- SAML_IDP_X509CERT: `MIIFDjCCAvagAwIBAgIRAJV8hH0wGkhGvbhhDKppWIYwDQYJKoZIhvcNAQELBQAw....F9lT9hHwHhsnA=`
|
||||||
|
|
||||||
The `SAML_IDP_X509CERT` is the certificate in the SAML Metadata `X509Certificate` key.
|
The `SAML_IDP_X509CERT` is the certificate in the SAML Metadata `X509Certificate` key.
|
||||||
|
|
||||||
Should you wish to only allow registration and login through Authentik, you should set the following variables as well.
|
Should you wish to only allow registration and login through Authentik, you should set the following variables as well.
|
||||||
|
|
||||||
* REGISTRATION_OPEN: `0`
|
- REGISTRATION_OPEN: `0`
|
||||||
* REGISTRATION_ALLOW_BACKENDS: `saml`
|
- REGISTRATION_ALLOW_BACKENDS: `saml`
|
||||||
* REQUIRE_LOGIN: `1`
|
- REQUIRE_LOGIN: `1`
|
||||||
* NO_EMAIL_AUTH: `1`
|
- NO_EMAIL_AUTH: `1`
|
||||||
|
|
||||||
Should you wish to deploy this in a container prefix all the variables with `WEBLATE_` and set them as enviornment variables
|
Should you wish to deploy this in a container prefix all the variables with `WEBLATE_` and set them as enviornment variables
|
||||||
|
|
|
@ -28,8 +28,8 @@ Note the Client ID and Client Secret values. Create an application, using the pr
|
||||||
|
|
||||||
## Wekan
|
## Wekan
|
||||||
|
|
||||||
import Tabs from '@theme/Tabs';
|
import Tabs from "@theme/Tabs";
|
||||||
import TabItem from '@theme/TabItem';
|
import TabItem from "@theme/TabItem";
|
||||||
|
|
||||||
<Tabs
|
<Tabs
|
||||||
defaultValue="docker"
|
defaultValue="docker"
|
||||||
|
@ -41,8 +41,7 @@ import TabItem from '@theme/TabItem';
|
||||||
If your Wekan is running in docker, add the following environment variables for authentik
|
If your Wekan is running in docker, add the following environment variables for authentik
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
environment:
|
environment: OAUTH2_ENABLED=true
|
||||||
OAUTH2_ENABLED=true
|
|
||||||
OAUTH2_LOGIN_STYLE=redirect
|
OAUTH2_LOGIN_STYLE=redirect
|
||||||
OAUTH2_CLIENT_ID=<Client ID from above>
|
OAUTH2_CLIENT_ID=<Client ID from above>
|
||||||
OAUTH2_SERVER_URL=https://authentik.company
|
OAUTH2_SERVER_URL=https://authentik.company
|
||||||
|
@ -55,6 +54,7 @@ environment:
|
||||||
OAUTH2_FULLNAME_MAP=given_name
|
OAUTH2_FULLNAME_MAP=given_name
|
||||||
OAUTH2_EMAIL_MAP=email
|
OAUTH2_EMAIL_MAP=email
|
||||||
```
|
```
|
||||||
|
|
||||||
</TabItem>
|
</TabItem>
|
||||||
<TabItem value="standalone">
|
<TabItem value="standalone">
|
||||||
|
|
||||||
|
@ -75,5 +75,6 @@ edit `.env` and add the following:
|
||||||
OAUTH2_FULLNAME_MAP='given_name'
|
OAUTH2_FULLNAME_MAP='given_name'
|
||||||
OAUTH2_EMAIL_MAP='email'
|
OAUTH2_EMAIL_MAP='email'
|
||||||
```
|
```
|
||||||
|
|
||||||
</TabItem>
|
</TabItem>
|
||||||
</Tabs>
|
</Tabs>
|
||||||
|
|
|
@ -69,4 +69,3 @@ In authentik, create an application which uses this provider. Optionally apply a
|
||||||
Set the Launch URL to the _Callback URL / Redirect URI_ without the `/callback` at the end, as shown below. This will skip Wiki.js' login prompt and log you in directly.
|
Set the Launch URL to the _Callback URL / Redirect URI_ without the `/callback` at the end, as shown below. This will skip Wiki.js' login prompt and log you in directly.
|
||||||
|
|
||||||
![](./authentik_application.png)
|
![](./authentik_application.png)
|
||||||
|
|
||||||
|
|
|
@ -30,13 +30,13 @@ Only settings that have been modified from default have been listed.
|
||||||
:::
|
:::
|
||||||
|
|
||||||
**Protocol Settings**
|
**Protocol Settings**
|
||||||
|
|
||||||
- Name: Wordpress
|
- Name: Wordpress
|
||||||
- Client type: Confidential
|
- Client type: Confidential
|
||||||
- Client ID: Copy and Save this for Later
|
- Client ID: Copy and Save this for Later
|
||||||
- Client Secret: Copy and Save this for later
|
- Client Secret: Copy and Save this for later
|
||||||
- Redirect URIs/Origins: `https://wp.company/wp-admin/admin-ajax.php?action=openid-connect-authorize`
|
- Redirect URIs/Origins: `https://wp.company/wp-admin/admin-ajax.php?action=openid-connect-authorize`
|
||||||
|
|
||||||
|
|
||||||
### Step 2 - Wordpress
|
### Step 2 - Wordpress
|
||||||
|
|
||||||
:::note
|
:::note
|
||||||
|
@ -58,7 +58,6 @@ Only settings that have been modified from default have been listed.
|
||||||
- Token Validation Endpoint URL: `https://authentik.company/application/o/token/`
|
- Token Validation Endpoint URL: `https://authentik.company/application/o/token/`
|
||||||
- End Session Endpoint URL: `https://authentik.company/application/o/wordpress/end-session/`
|
- End Session Endpoint URL: `https://authentik.company/application/o/wordpress/end-session/`
|
||||||
|
|
||||||
|
|
||||||
:::note
|
:::note
|
||||||
Review each setting and choose the ones that you require for your installation. Examples of popular settings are _Link Existing Users_, _Create user if does not exist_, and _Enforce Privacy_
|
Review each setting and choose the ones that you require for your installation. Examples of popular settings are _Link Existing Users_, _Create user if does not exist_, and _Enforce Privacy_
|
||||||
:::
|
:::
|
||||||
|
@ -72,7 +71,6 @@ In authentik, create an application which uses this provider. Optionally apply a
|
||||||
- Provider: wordpress
|
- Provider: wordpress
|
||||||
- Launch URL: https://wp.company
|
- Launch URL: https://wp.company
|
||||||
|
|
||||||
|
|
||||||
## Notes
|
## Notes
|
||||||
|
|
||||||
:::note
|
:::note
|
||||||
|
|
|
@ -61,4 +61,3 @@ For additional security you can enable the Verification Certificate by checking
|
||||||
```
|
```
|
||||||
$SSO['IDP_CERT'] = '<path to the IDP cert file>';
|
$SSO['IDP_CERT'] = '<path to the IDP cert file>';
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
|
@ -63,6 +63,7 @@ The certificate file name must match the idp identifier name you set in the conf
|
||||||
:::note
|
:::note
|
||||||
Remember to restart Zulip.
|
Remember to restart Zulip.
|
||||||
:::
|
:::
|
||||||
|
|
||||||
## Additional Resources
|
## Additional Resources
|
||||||
|
|
||||||
Please refer to the following for further information:
|
Please refer to the following for further information:
|
||||||
|
|
|
@ -27,7 +27,7 @@ The following placeholders will be used:
|
||||||
|
|
||||||
![](./02_delegate.png)
|
![](./02_delegate.png)
|
||||||
|
|
||||||
7. Grant these additional permissions (only required when *Sync users' password* is enabled, and dependent on your AD Domain)
|
7. Grant these additional permissions (only required when _Sync users' password_ is enabled, and dependent on your AD Domain)
|
||||||
|
|
||||||
![](./03_additional_perms.png)
|
![](./03_additional_perms.png)
|
||||||
|
|
||||||
|
|
|
@ -10,22 +10,24 @@ The following placeholders will be used:
|
||||||
|
|
||||||
## Azure setup
|
## Azure setup
|
||||||
|
|
||||||
1. Navigate to [portal.azure.com](https://portal.azure.com), and open the *App registration* service
|
1. Navigate to [portal.azure.com](https://portal.azure.com), and open the _App registration_ service
|
||||||
2. Register a new application
|
2. Register a new application
|
||||||
|
|
||||||
Under *Supported account types*, select whichever account type applies to your use-case.
|
Under _Supported account types_, select whichever account type applies to your use-case.
|
||||||
|
|
||||||
![](./aad_01.png)
|
![](./aad_01.png)
|
||||||
3. Take note of the *Application (client) ID* value.
|
|
||||||
|
|
||||||
If you selected *Single tenant* in the *Supported account types* prompt, also note the *Directory (tenant) ID* value.
|
3. Take note of the _Application (client) ID_ value.
|
||||||
4. Navigate to *Certificates & secrets* in the sidebar, and to the *Client secrets* tab.
|
|
||||||
|
If you selected _Single tenant_ in the _Supported account types_ prompt, also note the _Directory (tenant) ID_ value.
|
||||||
|
|
||||||
|
4. Navigate to _Certificates & secrets_ in the sidebar, and to the _Client secrets_ tab.
|
||||||
5. Add a new secret, with an identifier of your choice, and select any expiration. Currently the secret in authentik has to be rotated manually or via API, so it is recommended to choose at least 12 months.
|
5. Add a new secret, with an identifier of your choice, and select any expiration. Currently the secret in authentik has to be rotated manually or via API, so it is recommended to choose at least 12 months.
|
||||||
6. Note the secret's value in the *Value* column.
|
6. Note the secret's value in the _Value_ column.
|
||||||
|
|
||||||
## authentik Setup
|
## authentik Setup
|
||||||
|
|
||||||
In authentik, create a new *Azure AD OAuth Source* in Resources -> Sources.
|
In authentik, create a new _Azure AD OAuth Source_ in Resources -> Sources.
|
||||||
|
|
||||||
Use the following settings:
|
Use the following settings:
|
||||||
|
|
||||||
|
@ -34,7 +36,7 @@ Use the following settings:
|
||||||
- Consumer key: `*Application (client) ID* value from above`
|
- Consumer key: `*Application (client) ID* value from above`
|
||||||
- Consumer secret: `*Value* of the secret from above`
|
- Consumer secret: `*Value* of the secret from above`
|
||||||
|
|
||||||
If you kept the default *Supported account types* selection of *Single tenant*, then you must change the URLs below as well:
|
If you kept the default _Supported account types_ selection of _Single tenant_, then you must change the URLs below as well:
|
||||||
|
|
||||||
- Authorization URL: `https://login.microsoftonline.com/*Directory (tenant) ID* from above/oauth2/v2.0/authorize`
|
- Authorization URL: `https://login.microsoftonline.com/*Directory (tenant) ID* from above/oauth2/v2.0/authorize`
|
||||||
- Access token URL: `https://login.microsoftonline.com/*Directory (tenant) ID* from above/oauth2/v2.0/token`
|
- Access token URL: `https://login.microsoftonline.com/*Directory (tenant) ID* from above/oauth2/v2.0/token`
|
||||||
|
|
|
@ -10,7 +10,6 @@ The following placeholders will be used:
|
||||||
|
|
||||||
- `authentik.company` is the FQDN of the authentik install.
|
- `authentik.company` is the FQDN of the authentik install.
|
||||||
|
|
||||||
|
|
||||||
## Discord
|
## Discord
|
||||||
|
|
||||||
1. Create an application in the Discord Developer Portal (This is Free) https://discord.com/developers/applications
|
1. Create an application in the Discord Developer Portal (This is Free) https://discord.com/developers/applications
|
||||||
|
|
|
@ -40,6 +40,7 @@ The following placeholders will be used:
|
||||||
Additional info: [22.1.2. Enabling Password Reset Without Prompting for a Password Change at the Next Login](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/user-authentication#user-passwords-no-expiry)
|
Additional info: [22.1.2. Enabling Password Reset Without Prompting for a Password Change at the Next Login](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/user-authentication#user-passwords-no-expiry)
|
||||||
|
|
||||||
## authentik Setup
|
## authentik Setup
|
||||||
|
|
||||||
In authentik, create a new LDAP Source in Resources -> Sources.
|
In authentik, create a new LDAP Source in Resources -> Sources.
|
||||||
|
|
||||||
Use these settings:
|
Use these settings:
|
||||||
|
|
|
@ -35,7 +35,6 @@ You will need to create a new project, and OAuth credentials in the Google Devel
|
||||||
|
|
||||||
![Example Screen](googledeveloper4.png)
|
![Example Screen](googledeveloper4.png)
|
||||||
|
|
||||||
|
|
||||||
10. **User Type:** If you do not have a Google Workspace (GSuite) account choose _External_. If you do have a Google Workspace (Gsuite) account and want to limit access to only users inside of your organization choose _Internal_
|
10. **User Type:** If you do not have a Google Workspace (GSuite) account choose _External_. If you do have a Google Workspace (Gsuite) account and want to limit access to only users inside of your organization choose _Internal_
|
||||||
|
|
||||||
_I'm only going to list the mandatory/important fields to complete._
|
_I'm only going to list the mandatory/important fields to complete._
|
||||||
|
@ -47,7 +46,7 @@ _I'm only going to list the mandatory/important fields to complete._
|
||||||
15. Click **Save and Continue**
|
15. Click **Save and Continue**
|
||||||
16. If you have special scopes configured for google, enter them on this screen. If not click **Save and Continue**
|
16. If you have special scopes configured for google, enter them on this screen. If not click **Save and Continue**
|
||||||
17. If you want to create Test Users enter them here, if not click **Save and Continue**
|
17. If you want to create Test Users enter them here, if not click **Save and Continue**
|
||||||
18. From the _Summary Page_ click on the **Credentials* link on the left. Same link as step 8
|
18. From the _Summary Page_ click on the \*_Credentials_ link on the left. Same link as step 8
|
||||||
19. Click **Create Credentials** on the top of the screen
|
19. Click **Create Credentials** on the top of the screen
|
||||||
20. Choose **OAuth Client ID**
|
20. Choose **OAuth Client ID**
|
||||||
|
|
||||||
|
|
|
@ -7,6 +7,7 @@ Sources allow you to connect authentik to an existing user directory. They can a
|
||||||
### Add Sources to Default Login Page
|
### Add Sources to Default Login Page
|
||||||
|
|
||||||
To have sources show on the default login screen you will need to add them. This is assuming you have not created or renamed the default stages and flows.
|
To have sources show on the default login screen you will need to add them. This is assuming you have not created or renamed the default stages and flows.
|
||||||
|
|
||||||
1. Access the **Flows** section
|
1. Access the **Flows** section
|
||||||
2. Click on **default-authentication-flow**
|
2. Click on **default-authentication-flow**
|
||||||
3. Click the **Stage Bindings** tab
|
3. Click the **Stage Bindings** tab
|
||||||
|
|
|
@ -16,6 +16,6 @@ Add _Plex_ as a _source_
|
||||||
- Slug: Set a slug
|
- Slug: Set a slug
|
||||||
- Client ID: Set a unique Client Id or leave the generated ID
|
- Client ID: Set a unique Client Id or leave the generated ID
|
||||||
- Press _Load Servers_ to login to plex and pick the authorized Plex Servers for "allowed users"
|
- Press _Load Servers_ to login to plex and pick the authorized Plex Servers for "allowed users"
|
||||||
- Decide if *anyone* with a plex account can authenticate or only friends you share with
|
- Decide if _anyone_ with a plex account can authenticate or only friends you share with
|
||||||
|
|
||||||
Save, and you now have Plex as a source.
|
Save, and you now have Plex as a source.
|
||||||
|
|
|
@ -14,6 +14,6 @@ exports.handler = async function (event, context) {
|
||||||
headers: {
|
headers: {
|
||||||
"content-type": "text/html",
|
"content-type": "text/html",
|
||||||
},
|
},
|
||||||
body: `<meta name="go-import" content="${event.headers.host}${event.path} git https://github.com/${gitHubNamespace}${repo}">`
|
body: `<meta name="go-import" content="${event.headers.host}${event.path} git https://github.com/${gitHubNamespace}${repo}">`,
|
||||||
};
|
};
|
||||||
}
|
};
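Review bot: `event.headers.host`, `event.path` and `repo` are interpolated unescaped into a body that is returned with `content-type: text/html`, so a request whose path or Host header carries `"`, `<` or `>` can close the `content` attribute and inject markup into the go-import page (whether the hosting platform normalizes those characters before the handler sees them is not visible here). Escape each value before building the tag, e.g. `const esc = (s) => String(s).replace(/[&<>"]/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;" })[c]);` and wrap the three interpolations in `esc(...)`, or alternatively reject any `repo` that does not match a strict allow-list pattern before it reaches the template. The handler's signature and the derivation of `repo` and `gitHubNamespace` are outside this hunk.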
|
||||||
|
|
|
@ -9,8 +9,8 @@ const config = {
|
||||||
};
|
};
|
||||||
|
|
||||||
async function getToken(event) {
|
async function getToken(event) {
|
||||||
const fetch = await import('node-fetch');
|
const fetch = await import("node-fetch");
|
||||||
const querystring = await import('querystring');
|
const querystring = await import("querystring");
|
||||||
let scope = event.queryStringParameters["scope"];
|
let scope = event.queryStringParameters["scope"];
|
||||||
let tokenParams = {
|
let tokenParams = {
|
||||||
service: config.registryService,
|
service: config.registryService,
|
||||||
|
@ -28,12 +28,14 @@ async function getToken(event) {
|
||||||
} else {
|
} else {
|
||||||
console.debug(`oci-proxy[token]: no scope`);
|
console.debug(`oci-proxy[token]: no scope`);
|
||||||
// For non-scoped requests, we need to forward some URL parameters
|
// For non-scoped requests, we need to forward some URL parameters
|
||||||
["account", "client_id", "offline_token", "token"].forEach(param => {
|
["account", "client_id", "offline_token", "token"].forEach((param) => {
|
||||||
tokenParams[param] = event.queryStringParameters[param]
|
tokenParams[param] = event.queryStringParameters[param];
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
const tokenUrl = `${config.registryTokenEndpoint}?${querystring.stringify(tokenParams)}`
|
const tokenUrl = `${config.registryTokenEndpoint}?${querystring.stringify(
|
||||||
console.debug(`oci-proxy[token]: final URL to fetch: ${tokenUrl}`)
|
tokenParams
|
||||||
|
)}`;
|
||||||
|
console.debug(`oci-proxy[token]: final URL to fetch: ${tokenUrl}`);
|
||||||
const tokenRes = await fetch.default(tokenUrl, {
|
const tokenRes = await fetch.default(tokenUrl, {
|
||||||
headers: forwardHeaders,
|
headers: forwardHeaders,
|
||||||
});
|
});
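Review bot: The forwarding loop assigns `event.queryStringParameters[param]` for every name in the list even when the client did not send it, and `querystring.stringify` serializes an `undefined` value as an empty `name=` pair, so every unscoped request reaches the upstream token endpoint with `account=&client_id=&offline_token=&token=` appended rather than only the parameters the client actually supplied. Copy only present values: `const value = event.queryStringParameters[param];` followed by `if (value !== undefined) tokenParams[param] = value;`. Whether `event.queryStringParameters` can be null for a request with no query string is not visible here; if it can, the earlier `scope` lookup would throw before this loop is reached. The response handling of getToken continues past the end of this hunk.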
|
||||||
|
@ -51,7 +53,10 @@ exports.handler = async function (event, context) {
|
||||||
console.debug("oci-proxy: handler=token proxy");
|
console.debug("oci-proxy: handler=token proxy");
|
||||||
return await getToken(event);
|
return await getToken(event);
|
||||||
}
|
}
|
||||||
if (event.headers.authorization && event.headers.authorization.startsWith("Bearer ")) {
|
if (
|
||||||
|
event.headers.authorization &&
|
||||||
|
event.headers.authorization.startsWith("Bearer ")
|
||||||
|
) {
|
||||||
console.debug("oci-proxy: authenticated root handler, returning 200");
|
console.debug("oci-proxy: authenticated root handler, returning 200");
|
||||||
return {
|
return {
|
||||||
statusCode: 200,
|
statusCode: 200,
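Review bot: The Bearer branch only tests that the header begins with `"Bearer "` and never inspects the token itself, so any request carrying an arbitrary Bearer value is logged as `authenticated root handler` and answered with 200. If this root handler is intended as the distribution-spec capability probe where the upstream registry performs the real token validation, that intent should be written down because the log text implies otherwise: `// No token validation here: the root endpoint only advertises auth support; the upstream registry verifies the token on actual pulls.` Note also that `startsWith("Bearer ")` is case-sensitive while RFC 7235 treats the auth scheme as case-insensitive, so a client sending `bearer x` falls through to the 401 path. `exports.handler` begins before this hunk.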
|
||||||
|
@ -60,9 +65,11 @@ exports.handler = async function (event, context) {
|
||||||
"content-type": "application/json",
|
"content-type": "application/json",
|
||||||
},
|
},
|
||||||
body: JSON.stringify({}),
|
body: JSON.stringify({}),
|
||||||
|
};
|
||||||
}
|
}
|
||||||
}
|
console.debug(
|
||||||
console.debug("oci-proxy: root handler, returning 401 with www-authenticate");
|
"oci-proxy: root handler, returning 401 with www-authenticate"
|
||||||
|
);
|
||||||
return {
|
return {
|
||||||
statusCode: 401,
|
statusCode: 401,
|
||||||
headers: {
|
headers: {
|
||||||
|
@ -72,4 +79,4 @@ exports.handler = async function (event, context) {
|
||||||
},
|
},
|
||||||
body: JSON.stringify({}),
|
body: JSON.stringify({}),
|
||||||
};
|
};
|
||||||
}
|
};
|
||||||
|
|
|
@ -9,7 +9,9 @@
|
||||||
"build-docs-only": "docusaurus build --config docusaurus.docs-only.js --out-dir help",
|
"build-docs-only": "docusaurus build --config docusaurus.docs-only.js --out-dir help",
|
||||||
"swizzle": "docusaurus swizzle",
|
"swizzle": "docusaurus swizzle",
|
||||||
"deploy": "docusaurus deploy",
|
"deploy": "docusaurus deploy",
|
||||||
"serve": "docusaurus serve"
|
"serve": "docusaurus serve",
|
||||||
|
"prettier-check": "prettier --check .",
|
||||||
|
"prettier": "prettier --write ."
|
||||||
},
|
},
|
||||||
"dependencies": {
|
"dependencies": {
|
||||||
"@docusaurus/plugin-client-redirects": "2.0.0-beta.18",
|
"@docusaurus/plugin-client-redirects": "2.0.0-beta.18",
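Review bot: The new `prettier-check` and `prettier` scripts invoke a `prettier` binary, but this hunk shows no matching `devDependencies` entry, so unless one is added elsewhere in the commit the scripts resolve whatever `prettier` happens to be on the runner's PATH and `--check` results are not reproducible between machines. Pin it as a devDependency with an exact version (e.g. `"prettier": "<exact version>"` with no range prefix) so `npm ci` installs the same formatter from the lockfile that CI later checks against. The `dependencies` block continues outside this hunk.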
|
||||||
|
|
|
@ -146,16 +146,12 @@ module.exports = {
|
||||||
{
|
{
|
||||||
type: "category",
|
type: "category",
|
||||||
label: "User",
|
label: "User",
|
||||||
items: [
|
items: ["interfaces/user/customization"],
|
||||||
"interfaces/user/customization",
|
|
||||||
],
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
type: "category",
|
type: "category",
|
||||||
label: "Admin",
|
label: "Admin",
|
||||||
items: [
|
items: ["interfaces/admin/customization"],
|
||||||
"interfaces/admin/customization",
|
|
||||||
],
|
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
},
|
},
|
||||||
|
|
|
@ -35,33 +35,99 @@ function Comparison() {
|
||||||
<tbody>
|
<tbody>
|
||||||
<tr>
|
<tr>
|
||||||
<td className="row-label">SAML2</td>
|
<td className="row-label">SAML2</td>
|
||||||
<td className="result passed authentik"><Check></Check></td>
|
<td className="result passed authentik">
|
||||||
<td className="result passed"><Check></Check></td>
|
<Check></Check>
|
||||||
<td className="result passed"><Check></Check></td>
|
</td>
|
||||||
<td className="result passed"><Check></Check></td>
|
<td className="result passed">
|
||||||
<td className="result passed"><Check></Check></td>
|
<Check></Check>
|
||||||
<td className="result passed"><Check></Check></td>
|
</td>
|
||||||
<td className="result failed"><X></X></td>
|
<td className="result passed">
|
||||||
|
<Check></Check>
|
||||||
|
</td>
|
||||||
|
<td className="result passed">
|
||||||
|
<Check></Check>
|
||||||
|
</td>
|
||||||
|
<td className="result passed">
|
||||||
|
<Check></Check>
|
||||||
|
</td>
|
||||||
|
<td className="result passed">
|
||||||
|
<Check></Check>
|
||||||
|
</td>
|
||||||
|
<td className="result failed">
|
||||||
|
<X></X>
|
||||||
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td className="row-label">OAuth2 and OIDC</td>
|
<td className="row-label">OAuth2 and OIDC</td>
|
||||||
<td className="result passed authentik"><Check></Check></td>
|
<td className="result passed authentik">
|
||||||
<td className="result passed"><Check></Check></td>
|
<Check></Check>
|
||||||
<td className="result passed"><Check></Check></td>
|
</td>
|
||||||
<td className="result passed"><Check></Check></td>
|
<td className="result passed">
|
||||||
<td className="result passed"><Check></Check></td>
|
<Check></Check>
|
||||||
<td className="result passed"><Check></Check></td>
|
</td>
|
||||||
<td className="result failed"><X></X></td>
|
<td className="result passed">
|
||||||
|
<Check></Check>
|
||||||
|
</td>
|
||||||
|
<td className="result passed">
|
||||||
|
<Check></Check>
|
||||||
|
</td>
|
||||||
|
<td className="result passed">
|
||||||
|
<Check></Check>
|
||||||
|
</td>
|
||||||
|
<td className="result passed">
|
||||||
|
<Check></Check>
|
||||||
|
</td>
|
||||||
|
<td className="result failed">
|
||||||
|
<X></X>
|
||||||
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td className="row-label">LDAP</td>
|
<td className="row-label">LDAP</td>
|
||||||
<td className="result passed authentik"><Check></Check></td>
|
<td className="result passed authentik">
|
||||||
<td className="result failed"><X></X></td>
|
<Check></Check>
|
||||||
<td className="result failed"><X></X></td>
|
</td>
|
||||||
<td className="result warning"><AlertTriangle></AlertTriangle></td>
|
<td className="result failed">
|
||||||
<td className="result passed"><Check></Check></td>
|
<X></X>
|
||||||
<td className="result passed"><Check></Check></td>
|
</td>
|
||||||
<td className="result failed"><X></X></td>
|
<td className="result failed">
|
||||||
|
<X></X>
|
||||||
|
</td>
|
||||||
|
<td className="result warning">
|
||||||
|
<AlertTriangle></AlertTriangle>
|
||||||
|
</td>
|
||||||
|
<td className="result passed">
|
||||||
|
<Check></Check>
|
||||||
|
</td>
|
||||||
|
<td className="result passed">
|
||||||
|
<Check></Check>
|
||||||
|
</td>
|
||||||
|
<td className="result failed">
|
||||||
|
<X></X>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td className="row-label">SCIM</td>
|
||||||
|
<td className="result failed authentik">
|
||||||
|
<X></X>
|
||||||
|
</td>
|
||||||
|
<td className="result warning">
|
||||||
|
<AlertTriangle></AlertTriangle>
|
||||||
|
</td>
|
||||||
|
<td className="result failed">
|
||||||
|
<X></X>
|
||||||
|
</td>
|
||||||
|
<td className="result passed">
|
||||||
|
<Check></Check>
|
||||||
|
</td>
|
||||||
|
<td className="result passed">
|
||||||
|
<Check></Check>
|
||||||
|
</td>
|
||||||
|
<td className="result failed">
|
||||||
|
<X></X>
|
||||||
|
</td>
|
||||||
|
<td className="result failed">
|
||||||
|
<X></X>
|
||||||
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
<thead className="group">
|
<thead className="group">
|
||||||
|
@ -79,43 +145,123 @@ function Comparison() {
|
||||||
<tbody>
|
<tbody>
|
||||||
<tr>
|
<tr>
|
||||||
<td className="row-label">SAML2</td>
|
<td className="row-label">SAML2</td>
|
||||||
<td className="result passed authentik"><Check></Check></td>
|
<td className="result passed authentik">
|
||||||
<td className="result passed"><Check></Check></td>
|
<Check></Check>
|
||||||
<td className="result failed"><X></X></td>
|
</td>
|
||||||
<td className="result passed"><Check></Check></td>
|
<td className="result passed">
|
||||||
<td className="result passed"><Check></Check></td>
|
<Check></Check>
|
||||||
<td className="result passed"><Check></Check></td>
|
</td>
|
||||||
<td className="result failed"><X></X></td>
|
<td className="result failed">
|
||||||
|
<X></X>
|
||||||
|
</td>
|
||||||
|
<td className="result passed">
|
||||||
|
<Check></Check>
|
||||||
|
</td>
|
||||||
|
<td className="result passed">
|
||||||
|
<Check></Check>
|
||||||
|
</td>
|
||||||
|
<td className="result passed">
|
||||||
|
<Check></Check>
|
||||||
|
</td>
|
||||||
|
<td className="result failed">
|
||||||
|
<X></X>
|
||||||
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td className="row-label">OAuth2 and OIDC</td>
|
<td className="row-label">OAuth2 and OIDC</td>
|
||||||
<td className="result passed authentik"><Check></Check></td>
|
<td className="result passed authentik">
|
||||||
<td className="result passed"><Check></Check></td>
|
<Check></Check>
|
||||||
<td className="result failed"><X></X></td>
|
</td>
|
||||||
<td className="result passed"><Check></Check></td>
|
<td className="result passed">
|
||||||
<td className="result passed"><Check></Check></td>
|
<Check></Check>
|
||||||
<td className="result passed"><Check></Check></td>
|
</td>
|
||||||
<td className="result failed"><X></X></td>
|
<td className="result failed">
|
||||||
|
<X></X>
|
||||||
|
</td>
|
||||||
|
<td className="result passed">
|
||||||
|
<Check></Check>
|
||||||
|
</td>
|
||||||
|
<td className="result passed">
|
||||||
|
<Check></Check>
|
||||||
|
</td>
|
||||||
|
<td className="result passed">
|
||||||
|
<Check></Check>
|
||||||
|
</td>
|
||||||
|
<td className="result failed">
|
||||||
|
<X></X>
|
||||||
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td className="row-label">OAuth1</td>
|
<td className="row-label">OAuth1</td>
|
||||||
<td className="result passed authentik"><Check></Check></td>
|
<td className="result passed authentik">
|
||||||
<td className="result passed"><Check></Check></td>
|
<Check></Check>
|
||||||
<td className="result failed"><X></X></td>
|
</td>
|
||||||
<td className="result failed"><X></X></td>
|
<td className="result passed">
|
||||||
<td className="result failed"><X></X></td>
|
<Check></Check>
|
||||||
<td className="result failed"><X></X></td>
|
</td>
|
||||||
<td className="result failed"><X></X></td>
|
<td className="result failed">
|
||||||
|
<X></X>
|
||||||
|
</td>
|
||||||
|
<td className="result failed">
|
||||||
|
<X></X>
|
||||||
|
</td>
|
||||||
|
<td className="result failed">
|
||||||
|
<X></X>
|
||||||
|
</td>
|
||||||
|
<td className="result failed">
|
||||||
|
<X></X>
|
||||||
|
</td>
|
||||||
|
<td className="result failed">
|
||||||
|
<X></X>
|
||||||
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td className="row-label">LDAP</td>
|
<td className="row-label">LDAP</td>
|
||||||
<td className="result passed authentik"><Check></Check></td>
|
<td className="result passed authentik">
|
||||||
<td className="result passed"><Check></Check></td>
|
<Check></Check>
|
||||||
<td className="result passed"><Check></Check></td>
|
</td>
|
||||||
<td className="result passed"><Check></Check></td>
|
<td className="result passed">
|
||||||
<td className="result passed"><Check></Check></td>
|
<Check></Check>
|
||||||
<td className="result passed"><Check></Check></td>
|
</td>
|
||||||
<td className="result passed"><Check></Check></td>
|
<td className="result passed">
|
||||||
|
<Check></Check>
|
||||||
|
</td>
|
||||||
|
<td className="result passed">
|
||||||
|
<Check></Check>
|
||||||
|
</td>
|
||||||
|
<td className="result passed">
|
||||||
|
<Check></Check>
|
||||||
|
</td>
|
||||||
|
<td className="result passed">
|
||||||
|
<Check></Check>
|
||||||
|
</td>
|
||||||
|
<td className="result passed">
|
||||||
|
<Check></Check>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td className="row-label">SCIM</td>
|
||||||
|
<td className="result failed authentik">
|
||||||
|
<X></X>
|
||||||
|
</td>
|
||||||
|
<td className="result warning">
|
||||||
|
<AlertTriangle></AlertTriangle>
|
||||||
|
</td>
|
||||||
|
<td className="result failed">
|
||||||
|
<X></X>
|
||||||
|
</td>
|
||||||
|
<td className="result passed">
|
||||||
|
<Check></Check>
|
||||||
|
</td>
|
||||||
|
<td className="result passed">
|
||||||
|
<Check></Check>
|
||||||
|
</td>
|
||||||
|
<td className="result failed">
|
||||||
|
<X></X>
|
||||||
|
</td>
|
||||||
|
<td className="result failed">
|
||||||
|
<X></X>
|
||||||
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
<thead className="group">
|
<thead className="group">
|
||||||
|
@ -133,33 +279,75 @@ function Comparison() {
|
||||||
<tbody>
|
<tbody>
|
||||||
<tr>
|
<tr>
|
||||||
<td className="row-label">Authentication</td>
|
<td className="row-label">Authentication</td>
|
||||||
<td className="result passed authentik"><Check></Check></td>
|
<td className="result passed authentik">
|
||||||
<td className="result passed"><Check></Check></td>
|
<Check></Check>
|
||||||
<td className="result passed"><Check></Check></td>
|
</td>
|
||||||
<td className="result passed"><Check></Check></td>
|
<td className="result passed">
|
||||||
<td className="result passed"><Check></Check></td>
|
<Check></Check>
|
||||||
<td className="result passed"><Check></Check></td>
|
</td>
|
||||||
<td className="result passed"><Check></Check></td>
|
<td className="result passed">
|
||||||
|
<Check></Check>
|
||||||
|
</td>
|
||||||
|
<td className="result passed">
|
||||||
|
<Check></Check>
|
||||||
|
</td>
|
||||||
|
<td className="result passed">
|
||||||
|
<Check></Check>
|
||||||
|
</td>
|
||||||
|
<td className="result passed">
|
||||||
|
<Check></Check>
|
||||||
|
</td>
|
||||||
|
<td className="result passed">
|
||||||
|
<Check></Check>
|
||||||
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td className="row-label">Enrollment</td>
|
<td className="row-label">Enrollment</td>
|
||||||
<td className="result passed authentik"><Check></Check></td>
|
<td className="result passed authentik">
|
||||||
<td className="result passed"><Check></Check></td>
|
<Check></Check>
|
||||||
<td className="result failed"><X></X></td>
|
</td>
|
||||||
<td className="result failed"><X></X></td>
|
<td className="result passed">
|
||||||
<td className="result failed"><X></X></td>
|
<Check></Check>
|
||||||
<td className="result failed"><X></X></td>
|
</td>
|
||||||
<td className="result failed"><X></X></td>
|
<td className="result failed">
|
||||||
|
<X></X>
|
||||||
|
</td>
|
||||||
|
<td className="result failed">
|
||||||
|
<X></X>
|
||||||
|
</td>
|
||||||
|
<td className="result failed">
|
||||||
|
<X></X>
|
||||||
|
</td>
|
||||||
|
<td className="result failed">
|
||||||
|
<X></X>
|
||||||
|
</td>
|
||||||
|
<td className="result failed">
|
||||||
|
<X></X>
|
||||||
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td className="row-label">Self-service</td>
|
<td className="row-label">Self-service</td>
|
||||||
<td className="result passed authentik"><Check></Check></td>
|
<td className="result passed authentik">
|
||||||
<td className="result passed"><Check></Check></td>
|
<Check></Check>
|
||||||
<td className="result passed"><Check></Check></td>
|
</td>
|
||||||
<td className="result passed"><Check></Check></td>
|
<td className="result passed">
|
||||||
<td className="result passed"><Check></Check></td>
|
<Check></Check>
|
||||||
<td className="result passed"><Check></Check></td>
|
</td>
|
||||||
<td className="result failed"><X></X></td>
|
<td className="result passed">
|
||||||
|
<Check></Check>
|
||||||
|
</td>
|
||||||
|
<td className="result passed">
|
||||||
|
<Check></Check>
|
||||||
|
</td>
|
||||||
|
<td className="result passed">
|
||||||
|
<Check></Check>
|
||||||
|
</td>
|
||||||
|
<td className="result passed">
|
||||||
|
<Check></Check>
|
||||||
|
</td>
|
||||||
|
<td className="result failed">
|
||||||
|
<X></X>
|
||||||
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
<thead className="group">
|
<thead className="group">
|
||||||
|
@ -177,43 +365,101 @@ function Comparison() {
|
||||||
<tbody>
|
<tbody>
|
||||||
<tr>
|
<tr>
|
||||||
<td className="row-label">MFA</td>
|
<td className="row-label">MFA</td>
|
||||||
<td className="result passed authentik"><Check></Check></td>
|
<td className="result passed authentik">
|
||||||
<td className="result passed"><Check></Check></td>
|
<Check></Check>
|
||||||
<td className="result failed"><X></X></td>
|
</td>
|
||||||
<td className="result failed"><Check></Check></td>
|
<td className="result passed">
|
||||||
<td className="result failed"><Check></Check></td>
|
<Check></Check>
|
||||||
<td className="result passed"><Check></Check></td>
|
</td>
|
||||||
<td className="result passed"><Check></Check></td>
|
<td className="result failed">
|
||||||
|
<X></X>
|
||||||
|
</td>
|
||||||
|
<td className="result failed">
|
||||||
|
<Check></Check>
|
||||||
|
</td>
|
||||||
|
<td className="result failed">
|
||||||
|
<Check></Check>
|
||||||
|
</td>
|
||||||
|
<td className="result passed">
|
||||||
|
<Check></Check>
|
||||||
|
</td>
|
||||||
|
<td className="result passed">
|
||||||
|
<Check></Check>
|
||||||
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td className="row-label">Conditional Access</td>
|
<td className="row-label">
|
||||||
<td className="result passed authentik"><Check></Check></td>
|
Conditional Access
|
||||||
<td className="result passed"><Check></Check></td>
|
</td>
|
||||||
<td className="result passed"><Check></Check></td>
|
<td className="result passed authentik">
|
||||||
<td className="result warning"><AlertTriangle></AlertTriangle></td>
|
<Check></Check>
|
||||||
<td className="result passed"><Check></Check></td>
|
</td>
|
||||||
<td className="result warning"><AlertTriangle></AlertTriangle></td>
|
<td className="result passed">
|
||||||
<td className="result passed"><Check></Check></td>
|
<Check></Check>
|
||||||
|
</td>
|
||||||
|
<td className="result passed">
|
||||||
|
<Check></Check>
|
||||||
|
</td>
|
||||||
|
<td className="result warning">
|
||||||
|
<AlertTriangle></AlertTriangle>
|
||||||
|
</td>
|
||||||
|
<td className="result passed">
|
||||||
|
<Check></Check>
|
||||||
|
</td>
|
||||||
|
<td className="result warning">
|
||||||
|
<AlertTriangle></AlertTriangle>
|
||||||
|
</td>
|
||||||
|
<td className="result passed">
|
||||||
|
<Check></Check>
|
||||||
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td className="row-label">Open-source</td>
|
<td className="row-label">Open-source</td>
|
||||||
<td className="result passed authentik"><Check></Check></td>
|
<td className="result passed authentik">
|
||||||
<td className="result passed"><Check></Check></td>
|
<Check></Check>
|
||||||
<td className="result failed"><X></X></td>
|
</td>
|
||||||
<td className="result failed"><X></X></td>
|
<td className="result passed">
|
||||||
<td className="result failed"><X></X></td>
|
<Check></Check>
|
||||||
<td className="result failed"><X></X></td>
|
</td>
|
||||||
<td className="result passed"><Check></Check></td>
|
<td className="result failed">
|
||||||
|
<X></X>
|
||||||
|
</td>
|
||||||
|
<td className="result failed">
|
||||||
|
<X></X>
|
||||||
|
</td>
|
||||||
|
<td className="result failed">
|
||||||
|
<X></X>
|
||||||
|
</td>
|
||||||
|
<td className="result failed">
|
||||||
|
<X></X>
|
||||||
|
</td>
|
||||||
|
<td className="result passed">
|
||||||
|
<Check></Check>
|
||||||
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td className="row-label">Application Proxy</td>
|
<td className="row-label">Application Proxy</td>
|
||||||
<td className="result passed authentik"><Check></Check></td>
|
<td className="result passed authentik">
|
||||||
<td className="result warning"><AlertTriangle></AlertTriangle></td>
|
<Check></Check>
|
||||||
<td className="result warning"><AlertTriangle></AlertTriangle></td>
|
</td>
|
||||||
<td className="result passed"><Check></Check></td>
|
<td className="result warning">
|
||||||
<td className="result failed"><X></X></td>
|
<AlertTriangle></AlertTriangle>
|
||||||
<td className="result failed"><X></X></td>
|
</td>
|
||||||
<td className="result warning"><AlertTriangle></AlertTriangle></td>
|
<td className="result warning">
|
||||||
|
<AlertTriangle></AlertTriangle>
|
||||||
|
</td>
|
||||||
|
<td className="result passed">
|
||||||
|
<Check></Check>
|
||||||
|
</td>
|
||||||
|
<td className="result failed">
|
||||||
|
<X></X>
|
||||||
|
</td>
|
||||||
|
<td className="result failed">
|
||||||
|
<X></X>
|
||||||
|
</td>
|
||||||
|
<td className="result warning">
|
||||||
|
<AlertTriangle></AlertTriangle>
|
||||||
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
@ -37,7 +37,6 @@
|
||||||
max-height: 200px;
|
max-height: 200px;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
.before-after-slider img {
|
.before-after-slider img {
|
||||||
max-width: none;
|
max-width: none;
|
||||||
}
|
}
|
||||||
|
@ -154,7 +153,7 @@ table.comparison tr td.result.warning {
|
||||||
color: var(--ifm-color-warning);
|
color: var(--ifm-color-warning);
|
||||||
}
|
}
|
||||||
|
|
||||||
table.comparison tr td.result.passed.authentik {
|
table.comparison tr td.result.authentik {
|
||||||
background: var(--ifm-color-primary);
|
background: var(--ifm-color-primary);
|
||||||
color: var(--ifm-color-secondary);
|
color: var(--ifm-color-secondary);
|
||||||
}
|
}
|
||||||
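Review bot: The selector change to `table.comparison tr td.result.authentik` broadens the primary background and secondary icon colour from passed authentik cells to any authentik cell, including ones later marked warning or failed. This rule has the same specificity as `table.comparison tr td.result.warning` and sits after it, so a cell carrying both classes would lose `var(--ifm-color-warning)` for its icon. Every authentik cell in the comparison rows visible here carries `passed`, so nothing changes on screen today, but a comment such as `/* applies to every authentik cell; overrides .warning/.failed colour at equal specificity */` would record whether that precedence is intended.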
@ -11,8 +11,9 @@ function APIBrowser() {
|
||||||
<Layout title="API Browser" description={siteConfig.tagline}>
|
<Layout title="API Browser" description={siteConfig.tagline}>
|
||||||
<BrowserOnly>
|
<BrowserOnly>
|
||||||
{() => {
|
{() => {
|
||||||
import('rapidoc');
|
import("rapidoc");
|
||||||
return <rapi-doc
|
return (
|
||||||
|
<rapi-doc
|
||||||
spec-url={useBaseUrl("schema.yaml")}
|
spec-url={useBaseUrl("schema.yaml")}
|
||||||
allow-try="false"
|
allow-try="false"
|
||||||
show-header="false"
|
show-header="false"
|
||||||
|
@ -20,8 +21,9 @@ function APIBrowser() {
|
||||||
render-style="view"
|
render-style="view"
|
||||||
primary-color="#fd4b2d"
|
primary-color="#fd4b2d"
|
||||||
allow-spec-url-load="false"
|
allow-spec-url-load="false"
|
||||||
allow-spec-file-load="false">
|
allow-spec-file-load="false"
|
||||||
</rapi-doc>
|
></rapi-doc>
|
||||||
|
);
|
||||||
}}
|
}}
|
||||||
</BrowserOnly>
|
</BrowserOnly>
|
||||||
</Layout>
|
</Layout>
|
||||||
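Review bot: `import("rapidoc");` inside the BrowserOnly callback is a floating promise: if the chunk fails to load, the rejection is never handled and the page silently renders a `<rapi-doc>` element that has not been defined, with the failure visible only as an unhandled rejection in the console. Attaching a handler keeps the failure observable, e.g. `import("rapidoc").catch((err) => console.error("rapidoc failed to load", err));`. This predates the commit, which only reformats these lines, and the APIBrowser function starts and ends outside the hunk.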
@ -7,7 +7,7 @@ import useDocusaurusContext from "@docusaurus/useDocusaurusContext";
|
||||||
import useBaseUrl from "@docusaurus/useBaseUrl";
|
import useBaseUrl from "@docusaurus/useBaseUrl";
|
||||||
import styles from "./styles.module.css";
|
import styles from "./styles.module.css";
|
||||||
import Comparison from "../comparison";
|
import Comparison from "../comparison";
|
||||||
import 'react-before-after-slider-component/dist/build.css';
|
import "react-before-after-slider-component/dist/build.css";
|
||||||
|
|
||||||
const features = [
|
const features = [
|
||||||
{
|
{
|
||||||
|
@ -87,7 +87,10 @@ function Home() {
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
<div className="col text--center hero_image">
|
<div className="col text--center hero_image">
|
||||||
<img alt="authentik logo" src={useBaseUrl("img/icon_top_brand.svg")} />
|
<img
|
||||||
|
alt="authentik logo"
|
||||||
|
src={useBaseUrl("img/icon_top_brand.svg")}
|
||||||
|
/>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
|
@ -105,17 +108,23 @@ function Home() {
|
||||||
<div>
|
<div>
|
||||||
<BrowserOnly>
|
<BrowserOnly>
|
||||||
{() => {
|
{() => {
|
||||||
const ReactBeforeSliderComponent = require('react-before-after-slider-component');
|
const ReactBeforeSliderComponent = require("react-before-after-slider-component");
|
||||||
return <ReactBeforeSliderComponent
|
return (
|
||||||
|
<ReactBeforeSliderComponent
|
||||||
firstImage={{
|
firstImage={{
|
||||||
id: 1,
|
id: 1,
|
||||||
imageUrl: useBaseUrl("img/screen_apps_light.jpg"),
|
imageUrl: useBaseUrl(
|
||||||
|
"img/screen_apps_light.jpg"
|
||||||
|
),
|
||||||
}}
|
}}
|
||||||
secondImage={{
|
secondImage={{
|
||||||
id: 2,
|
id: 2,
|
||||||
imageUrl: useBaseUrl("img/screen_apps_dark.jpg"),
|
imageUrl: useBaseUrl(
|
||||||
|
"img/screen_apps_dark.jpg"
|
||||||
|
),
|
||||||
}}
|
}}
|
||||||
/>
|
/>
|
||||||
|
);
|
||||||
}}
|
}}
|
||||||
</BrowserOnly>
|
</BrowserOnly>
|
||||||
</div>
|
</div>
|
||||||
|
@ -123,13 +132,13 @@ function Home() {
|
||||||
<div className="col col--5 col--offset-2 padding-vert--xl">
|
<div className="col col--5 col--offset-2 padding-vert--xl">
|
||||||
<h2>What is authentik?</h2>
|
<h2>What is authentik?</h2>
|
||||||
<p>
|
<p>
|
||||||
authentik is an open-source Identity Provider
|
authentik is an open-source Identity
|
||||||
focused on flexibility and versatility. You
|
Provider focused on flexibility and
|
||||||
can use authentik in an existing environment
|
versatility. You can use authentik in an
|
||||||
to add support for new protocols, implement
|
existing environment to add support for new
|
||||||
sign-up/recovery/etc. in your application so
|
protocols, implement sign-up/recovery/etc.
|
||||||
you don't have to deal with it, and many other
|
in your application so you don't have to
|
||||||
things.
|
deal with it, and many other things.
|
||||||
</p>
|
</p>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
|
@ -138,11 +147,12 @@ function Home() {
|
||||||
<h2>Utmost flexibility</h2>
|
<h2>Utmost flexibility</h2>
|
||||||
<p>
|
<p>
|
||||||
You can adopt authentik to your environment,
|
You can adopt authentik to your environment,
|
||||||
regardless of your requirements. Need an Active-Directory
|
regardless of your requirements. Need an
|
||||||
integrated SSO Provider? Do you want
|
Active-Directory integrated SSO Provider? Do
|
||||||
to implement a custom enrollment process for your
|
you want to implement a custom enrollment
|
||||||
customers? Are you developing an application and
|
process for your customers? Are you
|
||||||
don't want to deal with User verification and recovery?
|
developing an application and don't want to
|
||||||
|
deal with User verification and recovery?
|
||||||
authentik can do all of that, and more!
|
authentik can do all of that, and more!
|
||||||
</p>
|
</p>
|
||||||
</div>
|
</div>
|
||||||
|
@ -150,17 +160,23 @@ function Home() {
|
||||||
<div>
|
<div>
|
||||||
<BrowserOnly>
|
<BrowserOnly>
|
||||||
{() => {
|
{() => {
|
||||||
const ReactBeforeSliderComponent = require('react-before-after-slider-component');
|
const ReactBeforeSliderComponent = require("react-before-after-slider-component");
|
||||||
return <ReactBeforeSliderComponent
|
return (
|
||||||
|
<ReactBeforeSliderComponent
|
||||||
firstImage={{
|
firstImage={{
|
||||||
id: 1,
|
id: 1,
|
||||||
imageUrl: useBaseUrl("img/screen_admin_light.jpg"),
|
imageUrl: useBaseUrl(
|
||||||
|
"img/screen_admin_light.jpg"
|
||||||
|
),
|
||||||
}}
|
}}
|
||||||
secondImage={{
|
secondImage={{
|
||||||
id: 2,
|
id: 2,
|
||||||
imageUrl: useBaseUrl("img/screen_admin_dark.jpg"),
|
imageUrl: useBaseUrl(
|
||||||
|
"img/screen_admin_dark.jpg"
|
||||||
|
),
|
||||||
}}
|
}}
|
||||||
/>
|
/>
|
||||||
|
);
|
||||||
}}
|
}}
|
||||||
</BrowserOnly>
|
</BrowserOnly>
|
||||||
</div>
|
</div>
|
||||||
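Review bot: The two BrowserOnly callbacks beginning `const ReactBeforeSliderComponent = require("react-before-after-slider-component");` are duplicated verbatim, and each calls the `useBaseUrl` hook from inside the render-prop callback rather than from the component body, which react-hooks/rules-of-hooks is likely to flag. Resolving the four image URLs in Home's body and passing them into the callbacks, then moving the slider markup into one small helper component, would remove both the duplication and the hook-in-callback pattern. This predates the commit, which only reformats these lines; the Home function starts and ends outside the hunks.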