website: format docs with prettier (#2833)

* run prettier

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add scim to comparison

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
Jens L 2022-05-09 21:22:41 +02:00 committed by GitHub
parent 26d92d9259
commit f9469e3f99
148 changed files with 3447 additions and 3107 deletions


@ -136,8 +136,8 @@ jobs:
key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/**') }} key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/**') }}
- name: prepare web ui - name: prepare web ui
if: steps.cache-web.outputs.cache-hit != 'true' if: steps.cache-web.outputs.cache-hit != 'true'
working-directory: web
run: | run: |
cd web
npm ci npm ci
npm run build npm run build
- name: run e2e - name: run e2e
@ -169,8 +169,8 @@ jobs:
key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/**') }} key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/**') }}
- name: prepare web ui - name: prepare web ui
if: steps.cache-web.outputs.cache-hit != 'true' if: steps.cache-web.outputs.cache-hit != 'true'
working-directory: web/
run: | run: |
cd web
npm ci npm ci
npm run build npm run build
- name: run e2e - name: run e2e
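Review bot: The two hunks spell the same directory two ways, `working-directory: web` in the first and `working-directory: web/` in the second, and the rest of this commit uses the trailing-slash form everywhere else; change the first to `working-directory: web/` so the file stays consistent. Behaviour is identical either way, so this is style only. Both jobs begin above their hunks.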


@ -118,8 +118,8 @@ jobs:
- name: Generate API - name: Generate API
run: make gen-client-go run: make gen-client-go
- name: Build web - name: Build web
working-directory: web/
run: | run: |
cd web
npm ci npm ci
npm run build-proxy npm run build-proxy
- name: Build outpost - name: Build outpost


@ -20,15 +20,13 @@ jobs:
node-version: '16' node-version: '16'
cache: 'npm' cache: 'npm'
cache-dependency-path: web/package-lock.json cache-dependency-path: web/package-lock.json
- run: | - working-directory: web/
cd web run: npm ci
npm ci
- name: Generate API - name: Generate API
run: make gen-client-web run: make gen-client-web
- name: Eslint - name: Eslint
run: | working-directory: web/
cd web run: npm run lint
npm run lint
lint-prettier: lint-prettier:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
@ -38,15 +36,13 @@ jobs:
node-version: '16' node-version: '16'
cache: 'npm' cache: 'npm'
cache-dependency-path: web/package-lock.json cache-dependency-path: web/package-lock.json
- run: | - working-directory: web/
cd web run: npm ci
npm ci
- name: Generate API - name: Generate API
run: make gen-client-web run: make gen-client-web
- name: prettier - name: prettier
run: | working-directory: web/
cd web run: npm run prettier-check
npm run prettier-check
lint-lit-analyse: lint-lit-analyse:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
@ -56,15 +52,13 @@ jobs:
node-version: '16' node-version: '16'
cache: 'npm' cache: 'npm'
cache-dependency-path: web/package-lock.json cache-dependency-path: web/package-lock.json
- run: | - working-directory: web/
cd web run: npm ci
npm ci
- name: Generate API - name: Generate API
run: make gen-client-web run: make gen-client-web
- name: lit-analyse - name: lit-analyse
run: | working-directory: web/
cd web run: npm run lit-analyse
npm run lit-analyse
ci-web-mark: ci-web-mark:
needs: needs:
- lint-eslint - lint-eslint
@ -84,12 +78,10 @@ jobs:
node-version: '16' node-version: '16'
cache: 'npm' cache: 'npm'
cache-dependency-path: web/package-lock.json cache-dependency-path: web/package-lock.json
- run: | - working-directory: web/
cd web run: npm ci
npm ci
- name: Generate API - name: Generate API
run: make gen-client-web run: make gen-client-web
- name: build - name: build
run: | working-directory: web/
cd web run: npm run build
npm run build
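Review bot: The `npm ci` step introduced in each of the four jobs (`- working-directory: web/` / `run: npm ci`) has no `name:`, so in the job log it appears only as the raw command while every neighbouring step is named; add `- name: Install dependencies` above each `working-directory: web/` line. The checkout and setup-node steps that precede these hunks are outside the visible range.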

.github/workflows/ci-website.yml vendored Normal file

@ -0,0 +1,33 @@
name: authentik-ci-website
on:
push:
branches:
- master
- next
- version-*
pull_request:
branches:
- master
jobs:
lint-prettier:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3.1.1
with:
node-version: '16'
cache: 'npm'
cache-dependency-path: website/package-lock.json
- working-directory: website/
run: npm ci
- name: prettier
working-directory: website/
run: npm run prettier-check
ci-web-mark:
needs:
- lint-prettier
runs-on: ubuntu-latest
steps:
- run: echo mark
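Review bot: The new workflow has no `permissions:` block, so its GITHUB_TOKEN gets the repository default on every `push` to `master`, `next` and `version-*`, while a job that only runs `npm ci` and `npm run prettier-check` needs nothing beyond read access; add `permissions:` / `  contents: read` at the top level next to `name:`. Both actions are pinned by mutable tags (`actions/checkout@v3`, `actions/setup-node@v3.1.1`); pinning to the full commit SHA with the tag in a trailing comment is the usual guard against a retagged release pulling different code into CI. Note also that on `pull_request` this job runs `npm ci` against the PR's `website/package-lock.json`, so package lifecycle scripts from untrusted dependencies execute here, which is another reason to keep the token read-only.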


@ -97,8 +97,8 @@ jobs:
cache: 'npm' cache: 'npm'
cache-dependency-path: web/package-lock.json cache-dependency-path: web/package-lock.json
- name: Build web - name: Build web
working-directory: web/
run: | run: |
cd web
npm ci npm ci
npm run build-proxy npm run build-proxy
- name: Build outpost - name: Build outpost


@ -17,15 +17,15 @@ jobs:
- name: Generate API Client - name: Generate API Client
run: make gen-client-web run: make gen-client-web
- name: Publish package - name: Publish package
working-directory: gen-ts-api/
run: | run: |
cd web-api/
npm ci npm ci
npm publish npm publish
env: env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }} NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
- name: Upgrade /web - name: Upgrade /web
working-directory: web/
run: | run: |
cd web/
export VERSION=`node -e 'console.log(require("../web-api/package.json").version)'` export VERSION=`node -e 'console.log(require("../web-api/package.json").version)'`
npm i @goauthentik/api@$VERSION npm i @goauthentik/api@$VERSION
- name: Create Pull Request - name: Create Pull Request
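Review bot: The publish step now runs in `gen-ts-api/`, but the following `Upgrade /web` step still reads the version from `../web-api/package.json`; if `web-api/` is the old location of the same generated package, that `require` fails, `VERSION` ends up empty (the `export` hides node's exit status) and `npm i @goauthentik/api@$VERSION` installs whatever npm resolves for an empty spec rather than the version just published. Change that line to `export VERSION=$(node -e 'console.log(require("../gen-ts-api/package.json").version)')`, which also replaces the backticks with `$(...)`. I cannot see whether `web-api/` still exists in the tree; if it does, disregard. The job's earlier steps are above the hunk.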


@ -2,3 +2,6 @@
build build
coverage coverage
.docusaurus .docusaurus
node_modules
help
static


@ -33,10 +33,7 @@ Below is the response, for example for an Identification stage.
"component": "ak-stage-identification", "component": "ak-stage-identification",
// Stage-specific fields // Stage-specific fields
"user_fields": [ "user_fields": ["username", "email"],
"username",
"email"
],
"password_fields": false, "password_fields": false,
"primary_action": "Log in", "primary_action": "Log in",
"sources": [] "sources": []


@ -4,7 +4,6 @@ title: Websocket API
authentik has two different WebSocket endpoints, one is used for web-based clients to get real-time updates, and the other is used for outposts to report their healthiness. authentik has two different WebSocket endpoints, one is used for web-based clients to get real-time updates, and the other is used for outposts to report their healthiness.
### Web `/ws/client/` ### Web `/ws/client/`
:::info :::info


@ -4,4 +4,3 @@ slug: /
--- ---
Welcome to the authentik developer documentation. authentik is fully open source and can be found here: https://github.com/goauthentik/authentik Welcome to the authentik developer documentation. authentik is fully open source and can be found here: https://github.com/goauthentik/authentik


@ -28,7 +28,7 @@ If you want to only make changes on the UI, you don't need a backend running fro
4. Add this volume mapping to your compose file 4. Add this volume mapping to your compose file
```yaml ```yaml
version: '3.2' version: "3.2"
services: services:
# [...] # [...]


@ -9,11 +9,11 @@ Applications are used to configure and separate the authorization / access contr
## Authorization ## Authorization
Application access can be configured using (Policy) Bindings. Click on an application in the applications list, and select the *Policy / Group / User Bindings* tab. There you can bind users/groups/policies to grant them access. When nothing is bound, everyone has access. You can use this to grant access to one or multiple users/groups, or dynamically give access using policies. Application access can be configured using (Policy) Bindings. Click on an application in the applications list, and select the _Policy / Group / User Bindings_ tab. There you can bind users/groups/policies to grant them access. When nothing is bound, everyone has access. You can use this to grant access to one or multiple users/groups, or dynamically give access using policies.
By default, all users can access applications when no policies are bound. By default, all users can access applications when no policies are bound.
When multiple policies/groups/users are attached, you can configure the *Policy engine mode* to either When multiple policies/groups/users are attached, you can configure the _Policy engine mode_ to either
- Require users to pass all bindings/be member of all groups (ALL), or - Require users to pass all bindings/be member of all groups (ALL), or
- Require users to pass either binding/be member of either group (ANY) - Require users to pass either binding/be member of either group (ANY)
@ -22,29 +22,28 @@ When multiple policies/groups/users are attached, you can configure the *Policy
The following aspects can be configured: The following aspects can be configured:
- *Name*: This is the name shown for the application card - _Name_: This is the name shown for the application card
- *Launch URL*: The URL that is opened when a user clicks on the application. When left empty, authentik tries to guess it based on the provider - _Launch URL_: The URL that is opened when a user clicks on the application. When left empty, authentik tries to guess it based on the provider
Starting with authentik 2022.2, you can use placeholders in the launch url to build them dynamically based on logged in user. For example, you can set the Launch URL to `https://goauthentik.io/%(username)s`, which will be replaced with the currently logged in user's username. Starting with authentik 2022.2, you can use placeholders in the launch url to build them dynamically based on logged in user. For example, you can set the Launch URL to `https://goauthentik.io/%(username)s`, which will be replaced with the currently logged in user's username.
- *Icon (URL)*: Optionally configure an Icon for the application - _Icon (URL)_: Optionally configure an Icon for the application
If the authentik server does not have a volume mounted under `/media`, you'll get a text input. This accepts absolute URLs. If you've mounted single files into the container, you can reference them using `https://authentik.company/media/my-file.png`. If the authentik server does not have a volume mounted under `/media`, you'll get a text input. This accepts absolute URLs. If you've mounted single files into the container, you can reference them using `https://authentik.company/media/my-file.png`.
If there is a mount under `/media`, you'll instead see a field to upload a file. If there is a mount under `/media`, you'll instead see a field to upload a file.
- *Publisher*: Text shown below the application - _Publisher_: Text shown below the application
- *Description*: Subtext shown on the application card below the publisher - _Description_: Subtext shown on the application card below the publisher
Applications are shown to users when Applications are shown to users when
- The user has access defined via policies (or the application has no policies bound) - The user has access defined via policies (or the application has no policies bound)
- A Valid Launch URL is configured/could be guessed, this consists of URLs starting with http:// and https:// - A Valid Launch URL is configured/could be guessed, this consists of URLs starting with http:// and https://
#### Hiding applications #### Hiding applications
To hide applications without modifying policy settings and without removing it, you can simply set the *Launch URL* to `blank://blank`, which will hide the application from users. To hide applications without modifying policy settings and without removing it, you can simply set the _Launch URL_ to `blank://blank`, which will hide the application from users.
Keep in mind, the users still have access, so they can still authorize access when the login process is started from the application. Keep in mind, the users still have access, so they can still authorize access when the login process is started from the application.


@ -12,7 +12,7 @@ Certificates in authentik are used for the following use cases:
## Default certificate ## Default certificate
Every authentik install generates a self-signed certificate on the first start. The certificate is called *authentik Self-signed Certificate* and is valid for 1 year. Every authentik install generates a self-signed certificate on the first start. The certificate is called _authentik Self-signed Certificate_ and is valid for 1 year.
This certificate is generated to be used as a default for all OAuth2/OIDC providers, as these don't require the certificate to be configured on both sides (the signature of a JWT is validated using the [JWKS](https://auth0.com/docs/security/tokens/json-web-tokens/json-web-key-sets) URL). This certificate is generated to be used as a default for all OAuth2/OIDC providers, as these don't require the certificate to be configured on both sides (the signature of a JWT is validated using the [JWKS](https://auth0.com/docs/security/tokens/json-web-tokens/json-web-key-sets) URL).
@ -66,7 +66,7 @@ Starting with authentik 2021.12.4, you can configure the certificate authentik u
To use let's encrypt certificates with this setup, using certbot, you can use this compose override (create or edit a file called `docker-compose.override.yml` in the same folder as the authentik docker-compose file) To use let's encrypt certificates with this setup, using certbot, you can use this compose override (create or edit a file called `docker-compose.override.yml` in the same folder as the authentik docker-compose file)
```yaml ```yaml
version: '3.2' version: "3.2"
services: services:
certbot: certbot:
@ -89,6 +89,6 @@ services:
Afterwards, run `docker-compose up -d`, which will start certbot and generate your certificate. Within a few minutes, you'll see the certificate in your authentik interface. (If the certificate does not appear, restart the worker container. This is caused by incompatible permissions set by certbot). Afterwards, run `docker-compose up -d`, which will start certbot and generate your certificate. Within a few minutes, you'll see the certificate in your authentik interface. (If the certificate does not appear, restart the worker container. This is caused by incompatible permissions set by certbot).
Navigate to *System -> Tenants*, edit any tenant and select the certificate of your choice. Navigate to _System -> Tenants_, edit any tenant and select the certificate of your choice.
Keep in mind this certbot container will only run once, but there are a variety of ways to schedule regular renewals. Keep in mind this certbot container will only run once, but there are a variety of ways to schedule regular renewals.


@ -13,7 +13,7 @@ This will send a POST request to the given URL with the following contents:
"body": "body of the notification message", "body": "body of the notification message",
"severity": "severity level as configured in the trigger", "severity": "severity level as configured in the trigger",
"user_email": "user's email", "user_email": "user's email",
"user_username": "user's username", "user_username": "user's username"
} }
``` ```


@ -9,6 +9,6 @@ Requires authentik 2022.3.1
The user interface (`/if/user/`) embeds a downsized flow executor to allow the user to configure their profile using custom stages and prompts. The user interface (`/if/user/`) embeds a downsized flow executor to allow the user to configure their profile using custom stages and prompts.
This executor only supports [**prompt**](../stages/prompt/) stages. If the configured flow contains another stage, a button will be shown to open the default executor. This executor only supports [**prompt**](../stages/prompt/) stages. If the configured flow contains another stage, a button will be shown to open the default executor.
Because the stages in a flow can change during it execution, this executor will redirect the user to the default interface *if* a non-supported stage is returned. Because the stages in a flow can change during it execution, this executor will redirect the user to the default interface _if_ a non-supported stage is returned.
To configure which flow is used for this, configure it in the tenant settings. To configure which flow is used for this, configure it in the tenant settings.


@ -8,23 +8,23 @@ This stage configures an SMS-based authenticator using either Twilio, or a gener
Navigate to https://console.twilio.com/, and log in to your existing account, or create a new one. Navigate to https://console.twilio.com/, and log in to your existing account, or create a new one.
In the sidebar, navigate to *Explore Products*, then *Messaging*, and *Services* below that. In the sidebar, navigate to _Explore Products_, then _Messaging_, and _Services_ below that.
Click on *Create Messaging Service* to create a new set of API credentials. Click on _Create Messaging Service_ to create a new set of API credentials.
Give the service a Name, and select *Verify users* as a use-case. Give the service a Name, and select _Verify users_ as a use-case.
In the next step, add an address from your Sender Pool. Instructions on how to create numbers are not covered here, please check the Twilio documentation [here](https://www.twilio.com/docs). In the next step, add an address from your Sender Pool. Instructions on how to create numbers are not covered here, please check the Twilio documentation [here](https://www.twilio.com/docs).
The other two steps can be skipped using the *Skip setup* button. The other two steps can be skipped using the _Skip setup_ button.
Afterwards, copy the value of **Messaging Service SID**. This is the value for the *Twilio Account SID* field in authentik. Afterwards, copy the value of **Messaging Service SID**. This is the value for the _Twilio Account SID_ field in authentik.
Navigate back to the root of your Twilio console, and copy the Auth token. This is the value for the *Twilio Auth Token* field in authentik. Navigate back to the root of your Twilio console, and copy the Auth token. This is the value for the _Twilio Auth Token_ field in authentik.
## Generic ## Generic
For the generic provider, a POST request will be sent to the URL you have specified in the *External API URL* field. The request payload looks like this For the generic provider, a POST request will be sent to the URL you have specified in the _External API URL_ field. The request payload looks like this
```json ```json
{ {


@ -16,7 +16,7 @@ Using the `Not configured action`, you can choose what happens when a user does
- Skip: Validation is skipped and the flow continues - Skip: Validation is skipped and the flow continues
- Deny: Access is denied, the flow execution ends - Deny: Access is denied, the flow execution ends
- Configure: This option requires a *Configuration stage* to be set. The validation stage will be marked as successful, and the configuration stage will be injected into the flow. - Configure: This option requires a _Configuration stage_ to be set. The validation stage will be marked as successful, and the configuration stage will be injected into the flow.
## Passwordless authentication ## Passwordless authentication
@ -26,17 +26,17 @@ Requires authentik 2021.12.4
Passwordless authentication currently only supports WebAuthn devices, like security keys and biometrics. Passwordless authentication currently only supports WebAuthn devices, like security keys and biometrics.
To configure passwordless authentication, create a new Flow with the delegation set to *Authentication*. To configure passwordless authentication, create a new Flow with the delegation set to _Authentication_.
As first stage, add an *Authentication validation* stage, with the WebAuthn device class allowed. As first stage, add an _Authentication validation_ stage, with the WebAuthn device class allowed.
After this stage you can bind any additional verification stages. After this stage you can bind any additional verification stages.
As final stage, bind a *User login* stage. As final stage, bind a _User login_ stage.
Users can either access this flow directly via it's URL, or you can modify any Identification stage to add a direct link to this flow. Users can either access this flow directly via it's URL, or you can modify any Identification stage to add a direct link to this flow.
#### Logging #### Logging
Logins which used Passwordless authentication have the *auth_method* context variable set to `auth_webauthn_pwl`, and the device used is saved in the arguments. Example: Logins which used Passwordless authentication have the _auth_method_ context variable set to `auth_webauthn_pwl`, and the device used is saved in the arguments. Example:
```json ```json
{ {


@ -6,5 +6,5 @@ This stage stops the execution of a flow. This can be used to conditionally deny
even if they are not signed in (and permissions can't be checked via groups). even if they are not signed in (and permissions can't be checked via groups).
:::caution :::caution
To effectively use this stage, make sure to **disable** *Evaluate on plan* on the Stage binding. To effectively use this stage, make sure to **disable** _Evaluate on plan_ on the Stage binding.
::: :::


@ -46,22 +46,16 @@ Templates are rendered using Django's templating engine. The following variables
- `expires`: The timestamp when the token expires. - `expires`: The timestamp when the token expires.
```html ```html
{# This is how you can write comments which aren't rendered. #} {# This is how you can write comments which aren't rendered. #} {# Extend this
template from the base email template, which includes base layout and CSS. #} {%
{# Extend this template from the base email template, which includes base layout and CSS. #} extends "email/base.html" %} {# Load the internationalization module to
{% extends "email/base.html" %} translate strings, and humanize to show date-time #} {% load i18n %} {% load
humanize %} {# The email/base.html template uses a single "content" block #} {%
{# Load the internationalization module to translate strings, and humanize to show date-time #} block content %}
{% load i18n %}
{% load humanize %}
{# The email/base.html template uses a single "content" block #}
{% block content %}
<tr> <tr>
<td class="alert alert-success"> <td class="alert alert-success">
{% blocktrans with username=user.username %} {% blocktrans with username=user.username %} Hi {{ username }}, {%
Hi {{ username }}, endblocktrans %}
{% endblocktrans %}
</td> </td>
</tr> </tr>
<tr> <tr>
@ -69,21 +63,41 @@ Templates are rendered using Django's templating engine. The following variables
<table width="100%" cellpadding="0" cellspacing="0"> <table width="100%" cellpadding="0" cellspacing="0">
<tr> <tr>
<td class="content-block"> <td class="content-block">
{% blocktrans %} {% blocktrans %} You recently requested to change your
You recently requested to change your password for you authentik account. Use the button below to set a new password. password for you authentik account. Use the button below to
{% endblocktrans %} set a new password. {% endblocktrans %}
</td> </td>
</tr> </tr>
<tr> <tr>
<td class="content-block"> <td class="content-block">
<table role="presentation" border="0" cellpadding="0" cellspacing="0" class="btn btn-primary"> <table
role="presentation"
border="0"
cellpadding="0"
cellspacing="0"
class="btn btn-primary"
>
<tbody> <tbody>
<tr> <tr>
<td align="center"> <td align="center">
<table role="presentation" border="0" cellpadding="0" cellspacing="0"> <table
role="presentation"
border="0"
cellpadding="0"
cellspacing="0"
>
<tbody> <tbody>
<tr> <tr>
<td> <a id="confirm" href="{{ url }}" rel="noopener noreferrer" target="_blank">{% trans 'Reset Password' %}</a> </td> <td>
<a
id="confirm"
href="{{ url }}"
rel="noopener noreferrer"
target="_blank"
>{% trans 'Reset
Password' %}</a
>
</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -95,9 +109,9 @@ Templates are rendered using Django's templating engine. The following variables
</tr> </tr>
<tr> <tr>
<td class="content-block"> <td class="content-block">
{% blocktrans with expires=expires|naturaltime %} {% blocktrans with expires=expires|naturaltime %} If you did
If you did not request a password change, please ignore this Email. The link above is valid for {{ expires }}. not request a password change, please ignore this Email. The
{% endblocktrans %} link above is valid for {{ expires }}. {% endblocktrans %}
</td> </td>
</tr> </tr>
</table> </table>
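Review bot: Prettier has rewrapped the Django template tags in this example across line breaks — `{%` / `extends "email/base.html" %}`, `{% load` / `humanize %}`, `{%` / `block content %}`, `{%` / `endblocktrans %}` and `{% trans 'Reset` / `Password' %}` — and as far as I know Django's template lexer does not match a tag that spans a newline, so a user who copies this password-reset template gets the tag text rendered literally and no base layout; the reflowed `{% blocktrans %}` bodies also change their msgids, so existing translations stop matching. The fence is labelled `html`, which is why prettier reformatted it; put `<!-- prettier-ignore -->` on the line before the fence (or label it `django` instead of `html`) and restore the one-tag-per-line layout from the old side.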


@ -10,4 +10,4 @@ To check if a user has used an invitation within a policy, you can check `reques
To use an invitation, use the URL `https://authentik.tld/if/flow/your-enrollment-flow/?itoken=invitation-token`. To use an invitation, use the URL `https://authentik.tld/if/flow/your-enrollment-flow/?itoken=invitation-token`.
You can also prompt the user for an invite by using the [*Prompt stage*](../prompt/) by using a field with a field key of `token`. You can also prompt the user for an invite by using the [_Prompt stage_](../prompt/) by using a field with a field key of `token`.


@ -26,4 +26,4 @@ return DuoDevice.objects.filter(user=request.user, confirmed=True).exists()
Afterwards, bind the policy you've created to the stage binding of the password stage. Afterwards, bind the policy you've created to the stage binding of the password stage.
Make sure to uncheck *Evaluate on plan* and check *Re-evaluate policies*, otherwise an invalid result will be cached. Make sure to uncheck _Evaluate on plan_ and check _Re-evaluate policies_, otherwise an invalid result will be cached.


@ -9,7 +9,7 @@ This stage is used to show the user arbitrary prompts.
The prompt can be any of the following types: The prompt can be any of the following types:
| Type | Description | | Type | Description |
| -------- | ----------------------------------------------------------------- | | ----------------- | ---------------------------------------------------------------------------------------- |
| Text | Arbitrary text. No client-side validation is done. | | Text | Arbitrary text. No client-side validation is done. |
| Text (Read only) | Same as above, but cannot be edited. | | Text (Read only) | Same as above, but cannot be edited. |
| Username | Same as text, except the username is validated to be unique. | | Username | Same as text, except the username is validated to be unique. |
@ -26,9 +26,9 @@ The prompt can be any of the following types:
Some types have special behaviors: Some types have special behaviors:
- *Username*: Input is validated against other usernames to ensure a unique value is provided. - _Username_: Input is validated against other usernames to ensure a unique value is provided.
- *Password*: All prompts with the type password within the same stage are compared and must be equal. If they are not equal, an error is shown - _Password_: All prompts with the type password within the same stage are compared and must be equal. If they are not equal, an error is shown
- *Hidden* and *Static*: Their placeholder values are defaults and are not user-changeable. - _Hidden_ and _Static_: Their placeholder values are defaults and are not user-changeable.
A prompt has the following attributes: A prompt has the following attributes:
@ -52,7 +52,7 @@ A flag which decides whether or not this field is required.
A field placeholder, shown within the input field. This field is also used by the `hidden` type as the actual value. A field placeholder, shown within the input field. This field is also used by the `hidden` type as the actual value.
By default, the placeholder is interpreted as-is. If you enable *Interpret placeholder as expression*, the placeholder By default, the placeholder is interpreted as-is. If you enable _Interpret placeholder as expression_, the placeholder
will be evaluated as a python expression. This happens in the same environment as [_Property mappings_](../../../property-mappings/expression). will be evaluated as a python expression. This happens in the same environment as [_Property mappings_](../../../property-mappings/expression).
You can access both the HTTP request and the user as with a mapping. Additionally, you can access `prompt_context`, which is a dictionary of the current state of the prompt stage's data. You can access both the HTTP request and the user as with a mapping. Additionally, you can access `prompt_context`, which is a dictionary of the current state of the prompt stage's data.


@ -8,7 +8,7 @@ It can be used after `user_write` during an enrollment flow, or after a `passwor
## Session duration ## Session duration
By default, the authentik session expires when you close your browser (*seconds=0*). By default, the authentik session expires when you close your browser (_seconds=0_).
You can set the session to expire after any duration using the syntax of `hours=1,minutes=2,seconds=3`. The following keys are allowed: You can set the session to expire after any duration using the syntax of `hours=1,minutes=2,seconds=3`. The following keys are allowed:


@ -13,7 +13,7 @@ See [Docker-compose](installation/docker-compose) or [Kubernetes](installation/k
## Screenshots ## Screenshots
Light | Dark | Light | Dark |
--- | --- | -------------------------------- | ------------------------------- |
![](/img/screen_apps_light.jpg) | ![](/img/screen_apps_dark.jpg) | ![](/img/screen_apps_light.jpg) | ![](/img/screen_apps_dark.jpg) |
![](/img/screen_admin_light.jpg) | ![](/img/screen_admin_dark.jpg) | ![](/img/screen_admin_light.jpg) | ![](/img/screen_admin_dark.jpg) |


@ -2,10 +2,10 @@
title: Beta versions title: Beta versions
--- ---
You can test upcoming authentik versions by switching to the *next* images. These beta versions supported upgrades from the latest stable version, and have a supported upgrade plan to the next stable version. You can test upcoming authentik versions by switching to the _next_ images. These beta versions supported upgrades from the latest stable version, and have a supported upgrade plan to the next stable version.
import Tabs from '@theme/Tabs'; import Tabs from "@theme/Tabs";
import TabItem from '@theme/TabItem'; import TabItem from "@theme/TabItem";
<Tabs <Tabs
defaultValue="docker-compose" defaultValue="docker-compose"
@ -23,6 +23,7 @@ AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-nex
``` ```
Afterwards, run the upgrade commands from the latest release notes. Afterwards, run the upgrade commands from the latest release notes.
</TabItem> </TabItem>
<TabItem value="kubernetes"> <TabItem value="kubernetes">
Add the following block to your `values.yml` file: Add the following block to your `values.yml` file:
@ -39,5 +40,6 @@ image:
``` ```
Afterwards, run the upgrade commands from the latest release notes. Afterwards, run the upgrade commands from the latest release notes.
</TabItem> </TabItem>
</Tabs> </Tabs>


@ -47,7 +47,7 @@ Secret key used for cookie signing and unique user IDs, don't change this after
Log level for the server and worker containers. Possible values: debug, info, warning, error Log level for the server and worker containers. Possible values: debug, info, warning, error
Starting with 2021.12.3, you can also set the log level to *trace*. This has no affect on the core authentik server, but shows additional messages for the embedded outpost. Starting with 2021.12.3, you can also set the log level to _trace_. This has no affect on the core authentik server, but shows additional messages for the embedded outpost.
Defaults to `info`. Defaults to `info`.
@ -118,6 +118,7 @@ Disable the inbuilt update-checker. Defaults to `false`.
- `AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE` - `AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE`
Placeholders: Placeholders:
- `%(type)s`: Outpost type; proxy, ldap, etc - `%(type)s`: Outpost type; proxy, ldap, etc
- `%(version)s`: Current version; 2021.4.1 - `%(version)s`: Current version; 2021.4.1
- `%(build_hash)s`: Build hash if you're running a beta version - `%(build_hash)s`: Build hash if you're running a beta version


@ -101,7 +101,7 @@ The docker-compose project contains the following containers:
- worker - worker
This container executes background tasks, everything you can see on the *System Tasks* page in the frontend. This container executes background tasks, everything you can see on the _System Tasks_ page in the frontend.
- redis & postgresql - redis & postgresql


@ -31,7 +31,6 @@ postgresql:
postgresqlPassword: "ThisIsNotASecurePassword" postgresqlPassword: "ThisIsNotASecurePassword"
redis: redis:
enabled: true enabled: true
``` ```
See all configurable values on [artifacthub](https://artifacthub.io/packages/helm/goauthentik/authentik). See all configurable values on [artifacthub](https://artifacthub.io/packages/helm/goauthentik/authentik).


@ -9,15 +9,19 @@ The following features can be enabled/disabled. By default, all of them are enab
- `settings.enabledFeatures.apiDrawer` - `settings.enabledFeatures.apiDrawer`
API Request drawer in navbar API Request drawer in navbar
- `settings.enabledFeatures.notificationDrawer` - `settings.enabledFeatures.notificationDrawer`
Notification drawer in navbar Notification drawer in navbar
- `settings.enabledFeatures.settings` - `settings.enabledFeatures.settings`
Settings link in navbar Settings link in navbar
- `settings.enabledFeatures.applicationEdit` - `settings.enabledFeatures.applicationEdit`
Application edit in library (only shown when user is superuser) Application edit in library (only shown when user is superuser)
- `settings.enabledFeatures.search` - `settings.enabledFeatures.search`
Search bar Search bar


@ -49,7 +49,7 @@ Afterwards, create two Certificate-keypairs in authentik:
- `Docker CA`, with the contents of `~/.docker/ca.pem` as Certificate - `Docker CA`, with the contents of `~/.docker/ca.pem` as Certificate
- `Docker Cert`, with the contents of `~/.docker/cert.pem` as Certificate and `~/.docker/key.pem` as Private key. - `Docker Cert`, with the contents of `~/.docker/cert.pem` as Certificate and `~/.docker/key.pem` as Private key.
Create an integration with `Docker CA` as *TLS Verification Certificate* and `Docker Cert` as *TLS Authentication Certificate*. Create an integration with `Docker CA` as _TLS Verification Certificate_ and `Docker Cert` as _TLS Authentication Certificate_.
## Remote hosts (SSH) ## Remote hosts (SSH)
@ -69,6 +69,6 @@ You'll end up with three files:
- `authentik` is the private key, which should be imported into a Keypair in authentik. - `authentik` is the private key, which should be imported into a Keypair in authentik.
- `certificate.pem` is the matching certificate for the keypair above. - `certificate.pem` is the matching certificate for the keypair above.
Modify/create a new Docker integration, and set your *Docker URL* to `ssh://hostname`, and select the keypair you created above as *TLS Authentication Certificate/SSH Keypair*. Modify/create a new Docker integration, and set your _Docker URL_ to `ssh://hostname`, and select the keypair you created above as _TLS Authentication Certificate/SSH Keypair_.
The *Docker URL* field include a user, if none is specified authentik connects with the user `authentik`. The _Docker URL_ field include a user, if none is specified authentik connects with the user `authentik`.


@ -3,13 +3,17 @@ title: Expression Policies
--- ---
The passing of the policy is determined by the return value of the code. Use The passing of the policy is determined by the return value of the code. Use
```python ```python
return True return True
``` ```
to pass a policy and to pass a policy and
```python ```python
return False return False
``` ```
to fail it. to fail it.
## Available Functions ## Available Functions
@ -44,7 +48,7 @@ return ak_user_has_authenticator(request.user)
### `ak_call_policy(name: str, **kwargs) -> PolicyResult` (2021.12+) ### `ak_call_policy(name: str, **kwargs) -> PolicyResult` (2021.12+)
Call another policy with the name *name*. Current request is passed to policy. Key-word arguments Call another policy with the name _name_. Current request is passed to policy. Key-word arguments
can be used to modify the request's context. can be used to modify the request's context.
Example: Example:
@ -59,13 +63,13 @@ result = ak_call_policy("test-policy-2", foo="bar")
return result.passing return result.passing
``` ```
import Functions from '../expressions/_functions.md' import Functions from "../expressions/_functions.md";
<Functions /> <Functions />
## Variables ## Variables
import Objects from '../expressions/_objects.md' import Objects from "../expressions/_objects.md";
<Objects /> <Objects />
@ -103,6 +107,7 @@ This includes the following:
- `app_password`: App password (token) - `app_password`: App password (token)
Sets `context['auth_method_args']` to Sets `context['auth_method_args']` to
```json ```json
{ {
"token": { "token": {
@ -113,9 +118,11 @@ This includes the following:
} }
} }
``` ```
- `ldap`: LDAP bind authentication - `ldap`: LDAP bind authentication
Sets `context['auth_method_args']` to Sets `context['auth_method_args']` to
```json ```json
{ {
"source": {} // Information about the source used "source": {} // Information about the source used


@ -4,20 +4,19 @@ title: Expressions
The property mapping should return a value that is expected by the Provider/Source. Supported types are documented in the individual Provider/Source. Returning `None` is always accepted and would simply skip the mapping for which `None` was returned. The property mapping should return a value that is expected by the Provider/Source. Supported types are documented in the individual Provider/Source. Returning `None` is always accepted and would simply skip the mapping for which `None` was returned.
## Available Functions ## Available Functions
import Functions from '../expressions/_functions.md' import Functions from "../expressions/_functions.md";
<Functions /> <Functions />
## Variables ## Variables
import Objects from '../expressions/_objects.md' import Objects from "../expressions/_objects.md";
<Objects /> <Objects />
import User from '../expressions/_user.md' import User from "../expressions/_user.md";
<User /> <User />


@ -85,9 +85,9 @@ All bind modes rely on flows.
The following stages are supported: The following stages are supported:
- [Identification](../flow/stages/identification/) - [Identification](../flow/stages/identification/)
- [Password](../flow/stages/password/) - [Password](../flow/stages/password/)
- [Authenticator validation](../flow/stages/authenticator_validate/) - [Authenticator validation](../flow/stages/authenticator_validate/)
Note: Authenticator validation currently only supports DUO devices Note: Authenticator validation currently only supports DUO devices
@ -97,7 +97,7 @@ In this mode, the outpost will always execute the configured flow when a new bin
#### Cached bind #### Cached bind
This mode uses the same logic as direct bind, however the result is cached for the entered credentials, and saved in memory for the standard session duration. Sessions are saved independently, meaning that revoking sessions does *not* remove them from the outpost, and neither will changing a users credentials. This mode uses the same logic as direct bind, however the result is cached for the entered credentials, and saved in memory for the standard session duration. Sessions are saved independently, meaning that revoking sessions does _not_ remove them from the outpost, and neither will changing a users credentials.
## Search Modes ## Search Modes


@ -6,7 +6,7 @@ Note that authentik does treat a grant type of `password` the same as `client_cr
### Static authentication ### Static authentication
Hence identification is based on service-accounts, and authentication is based on App-password tokens. These objects can be created in a single step using the *Create Service account* function. Hence identification is based on service-accounts, and authentication is based on App-password tokens. These objects can be created in a single step using the _Create Service account_ function.
An example request can look like this: An example request can look like this:
@ -29,7 +29,7 @@ Starting with authentik 2022.4, you can authenticate and get a token using an ex
(For readability we will refer to the JWT issued by the external issuer/platform as input JWT, and the resulting JWT from authentik as the output JWT) (For readability we will refer to the JWT issued by the external issuer/platform as input JWT, and the resulting JWT from authentik as the output JWT)
To configure this, the certificate used to sign the input JWT must be created in authentik. The certificate is enough, a private key is not required. Afterwards, configure the certificate in the OAuth2 provider settings under *Verification certificates*. To configure this, the certificate used to sign the input JWT must be created in authentik. The certificate is enough, a private key is not required. Afterwards, configure the certificate in the OAuth2 provider settings under _Verification certificates_.
With this configure, any JWT issued by the configured certificates can be used to authenticate: With this configure, any JWT issued by the configured certificates can be used to authenticate:
@ -46,9 +46,9 @@ client_id=application_client_id
Alternatively, you can set the `client_secret` parameter to the `$inputJWT`, for applications which can set the password from a file but not other parameters. Alternatively, you can set the `client_secret` parameter to the `$inputJWT`, for applications which can set the password from a file but not other parameters.
Input JWTs are checked to be signed by any of the selected *Verification certificates*, and their `exp` attribute must not be now or in the past. Input JWTs are checked to be signed by any of the selected _Verification certificates_, and their `exp` attribute must not be now or in the past.
To do additional checks, you can use *[Expression policies](../../policies/expression)*: To do additional checks, you can use _[Expression policies](../../policies/expression)_:
```python ```python
return request.context["oauth_jwt"]["iss"] == "https://my.issuer" return request.context["oauth_jwt"]["iss"] == "https://my.issuer"


@ -1,4 +1,3 @@
``` ```
server { server {
# SSL and VHost configuration # SSL and VHost configuration


@ -1,6 +1,5 @@
```yaml ```yaml
version: '3.7' version: "3.7"
services: services:
traefik: traefik:
image: traefik:v2.2 image: traefik:v2.2
@ -10,9 +9,9 @@ services:
ports: ports:
- 80:80 - 80:80
command: command:
- '--api' - "--api"
- '--providers.docker=true' - "--providers.docker=true"
- '--providers.docker.exposedByDefault=false' - "--providers.docker.exposedByDefault=false"
- "--entrypoints.web.address=:80" - "--entrypoints.web.address=:80"
authentik-proxy: authentik-proxy:


@ -16,9 +16,10 @@ has the advantage that you can still do per-application access policies in authe
## Domain level ## Domain level
To use forward auth instead of proxying, you have to change a couple of settings. To use forward auth instead of proxying, you have to change a couple of settings.
In the Proxy Provider, make sure to use the *Forward auth (domain level)* mode. In the Proxy Provider, make sure to use the _Forward auth (domain level)_ mode.
This mode differs from the _Forward auth (single application)_ mode in the following points:
This mode differs from the *Forward auth (single application)* mode in the following points:
- You don't have to configure an application in authentik for each domain - You don't have to configure an application in authentik for each domain
- Users don't have to authorize multiple times - Users don't have to authorize multiple times
@ -33,16 +34,16 @@ is redirected to the outpost.
For domain level, you'd use the same domain as authentik. For domain level, you'd use the same domain as authentik.
:::info :::info
*example-outpost* is used as a placeholder for the outpost name. _example-outpost_ is used as a placeholder for the outpost name.
*authentik.company* is used as a placeholder for the authentik install. _authentik.company_ is used as a placeholder for the authentik install.
*app.company* is used as a placeholder for the external domain for the application. _app.company_ is used as a placeholder for the external domain for the application.
*outpost.company* is used as a placeholder for the outpost. When using the embedded outpost, this can be the same as *authentik.company* _outpost.company_ is used as a placeholder for the outpost. When using the embedded outpost, this can be the same as _authentik.company_
::: :::
## Nginx ## Nginx
import Tabs from '@theme/Tabs'; import Tabs from "@theme/Tabs";
import TabItem from '@theme/TabItem'; import TabItem from "@theme/TabItem";
<Tabs <Tabs
defaultValue="standalone-nginx" defaultValue="standalone-nginx"
@ -53,21 +54,21 @@ import TabItem from '@theme/TabItem';
]}> ]}>
<TabItem value="standalone-nginx"> <TabItem value="standalone-nginx">
import NginxStandalone from './_nginx_standalone.md' import NginxStandalone from "./_nginx_standalone.md";
<NginxStandalone /> <NginxStandalone />
</TabItem> </TabItem>
<TabItem value="ingress"> <TabItem value="ingress">
import NginxIngress from './_nginx_ingress.md' import NginxIngress from "./_nginx_ingress.md";
<NginxIngress /> <NginxIngress />
</TabItem> </TabItem>
<TabItem value="proxy-manager"> <TabItem value="proxy-manager">
import NginxProxyManager from './_nginx_proxy_manager.md' import NginxProxyManager from "./_nginx_proxy_manager.md";
<NginxProxyManager /> <NginxProxyManager />
@ -85,21 +86,21 @@ import NginxProxyManager from './_nginx_proxy_manager.md'
]}> ]}>
<TabItem value="standalone-traefik"> <TabItem value="standalone-traefik">
import TraefikStandalone from './_traefik_standalone.md' import TraefikStandalone from "./_traefik_standalone.md";
<TraefikStandalone /> <TraefikStandalone />
</TabItem> </TabItem>
<TabItem value="docker-compose"> <TabItem value="docker-compose">
import TraefikCompose from './_traefik_compose.md' import TraefikCompose from "./_traefik_compose.md";
<TraefikCompose /> <TraefikCompose />
</TabItem> </TabItem>
<TabItem value="ingress"> <TabItem value="ingress">
import TraefikIngress from './_traefik_ingress.md' import TraefikIngress from "./_traefik_ingress.md";
<TraefikIngress /> <TraefikIngress />


@ -26,7 +26,7 @@ The proxy outpost sets the following user-specific headers:
Additionally, you can set `additionalHeaders` on groups or users to set additional headers. Additionally, you can set `additionalHeaders` on groups or users to set additional headers.
If you enable *Set HTTP-Basic Authentication* option, the HTTP Authorization header is being set. If you enable _Set HTTP-Basic Authentication_ option, the HTTP Authorization header is being set.
Besides these user-specific headers, some application specific headers are also set: Besides these user-specific headers, some application specific headers are also set:
@ -72,7 +72,7 @@ To log out, navigate to `/outpost.goauthentik.io/sign_out`.
## Allowing unauthenticated requests ## Allowing unauthenticated requests
To allow un-authenticated requests to certain paths/URLs, you can use the *Unauthenticated URLs* / *Unauthenticated Paths* field. To allow un-authenticated requests to certain paths/URLs, you can use the _Unauthenticated URLs_ / _Unauthenticated Paths_ field.
Each new line is interpreted as a regular expression, and is compiled and checked using the standard Golang regex parser. Each new line is interpreted as a regular expression, and is compiled and checked using the standard Golang regex parser.
@ -88,7 +88,7 @@ In this mode, the regular expressions are matched against the Request's full URL
## Dynamic backend selection ## Dynamic backend selection
You can configure the backend the proxy should access dynamically via *Scope mappings*. To do so, create a new *Scope mapping*, with a name and scope of your choice. As expression, use this: You can configure the backend the proxy should access dynamically via _Scope mappings_. To do so, create a new _Scope mapping_, with a name and scope of your choice. As expression, use this:
```python ```python
return { return {
@ -98,4 +98,4 @@ return {
} }
``` ```
Afterwards, edit the *Proxy provider* and add this new mapping. The expression is only evaluated when the user logs into the application. Afterwards, edit the _Proxy provider_ and add this new mapping. The expression is only evaluated when the user logs into the application.


@ -6,11 +6,11 @@ This provider allows you to integrate enterprise software using the SAML2 Protoc
Default fields are exposed through auto-generated Property Mappings, which are prefixed with "authentik default". Default fields are exposed through auto-generated Property Mappings, which are prefixed with "authentik default".
| Endpoint | URL | | Endpoint | URL |
| ---------------------- | -------------------------------------------------------------- | | ---------------------- | ------------------------------------------------------------ |
| SSO (Redirect binding) | `/application/saml/<application slug>/sso/binding/redirect/` | | SSO (Redirect binding) | `/application/saml/<application slug>/sso/binding/redirect/` |
| SSO (POST binding) | `/application/saml/<application slug>/sso/binding/post/` | | SSO (POST binding) | `/application/saml/<application slug>/sso/binding/post/` |
| IdP-initiated login | `/application/saml/<application slug>/sso/binding/init/` | | IdP-initiated login | `/application/saml/<application slug>/sso/binding/init/` |
| Metadata Download | `/api/v3/providers/saml/<provider uid>/metadata/?download/`| | Metadata Download | `/api/v3/providers/saml/<provider uid>/metadata/?download/` |
You can download the metadata through the Webinterface, this link might be handy if your software wants to download the metadata directly. You can download the metadata through the Webinterface, this link might be handy if your software wants to download the metadata directly.


@ -29,10 +29,11 @@ Docker-compose users should download the latest docker-compose file from [here](
:::caution :::caution
If you decided to rename the folder you're running the docker-compose file from, be aware that this will also change the name, that docker-compose will give the database volume. To mitigate this, either If you decided to rename the folder you're running the docker-compose file from, be aware that this will also change the name, that docker-compose will give the database volume. To mitigate this, either
- Keep the original directory name - Keep the original directory name
- Move the directory and set `COMPOSE_PROJECT_NAME` to the name of the old directory (see [here](https://docs.docker.com/compose/reference/envvars/#compose_project_name)) - Move the directory and set `COMPOSE_PROJECT_NAME` to the name of the old directory (see [here](https://docs.docker.com/compose/reference/envvars/#compose_project_name))
- Create a backup, rename the directory and restore from backup. - Create a backup, rename the directory and restore from backup.
::: :::
The only manual change you have to do is replace the `PASSBOOK_` prefix in your `.env` file, so `PASSBOOK_SECRET_KEY` gets changed to `AUTHENTIK_SECRET_KEY`. The only manual change you have to do is replace the `PASSBOOK_` prefix in your `.env` file, so `PASSBOOK_SECRET_KEY` gets changed to `AUTHENTIK_SECRET_KEY`.


@ -30,7 +30,7 @@ slug: "2021.1"
### Fixed in 2021.1.2 ### Fixed in 2021.1.2
- sources/*: Add source to flow context, so source is logged during login - sources/\*: Add source to flow context, so source is logged during login
- outposts: Fix outpost not correctly updating on outpost modification - outposts: Fix outpost not correctly updating on outpost modification
- outposts: Improve drift detection on kubernetes - outposts: Improve drift detection on kubernetes
- providers/saml: Fix metadata not being signed when signature is enabled - providers/saml: Fix metadata not being signed when signature is enabled


@ -23,7 +23,7 @@ A huge shoutout to all the people that contributed, helped test and also transla
## Minor changes ## Minor changes
- *: Squash Migrations (#1593) - \*: Squash Migrations (#1593)
- admin: clear update notification when notification's version matches current version - admin: clear update notification when notification's version matches current version
- cmd: prevent outposts from panicking when failing to get their config - cmd: prevent outposts from panicking when failing to get their config
- core: add default for user's settings attribute - core: add default for user's settings attribute
@ -171,7 +171,7 @@ A huge shoutout to all the people that contributed, helped test and also transla
- internal: start embedded outpost directly after backend is healthy instead of waiting - internal: start embedded outpost directly after backend is healthy instead of waiting
- lifecycle: revert to non-h11 worker - lifecycle: revert to non-h11 worker
- outpost/ldap: don't cleanup user info as it is overwritten on bind - outpost/ldap: don't cleanup user info as it is overwritten on bind
- providers/*: include list of outposts - providers/\*: include list of outposts
- providers/ldap: add/squash migrations - providers/ldap: add/squash migrations
- providers/ldap: memory Query (#1681) - providers/ldap: memory Query (#1681)
- recovery: add create_admin_group management command - recovery: add create_admin_group management command
@ -182,7 +182,7 @@ A huge shoutout to all the people that contributed, helped test and also transla
- sources/oauth: set prompt=none for Discord provider - sources/oauth: set prompt=none for Discord provider
- sources/plex: allow users to connect their plex account without login flow - sources/plex: allow users to connect their plex account without login flow
- sources/plex: use exception_to_string in tasks - sources/plex: use exception_to_string in tasks
- stages/authenticator_*: add default name for authenticators - stages/authenticator\_\*: add default name for authenticators
- stages/identification: only allow limited challenges for login sources - stages/identification: only allow limited challenges for login sources
- stages/identification: use random sleep - stages/identification: use random sleep
- stages/prompt: add text_read_only field - stages/prompt: add text_read_only field
@ -211,7 +211,7 @@ A huge shoutout to all the people that contributed, helped test and also transla
- root: use python slim-bullseye as base - root: use python slim-bullseye as base
- sources/ldap: fix user/group sync overwriting attributes instead of merging them - sources/ldap: fix user/group sync overwriting attributes instead of merging them
- sources/ldap: set connect/receive timeout (default to 15s) - sources/ldap: set connect/receive timeout (default to 15s)
- stages/*: disable trim_whitespace on important fields - stages/\*: disable trim_whitespace on important fields
- stages/authenticator_duo: fix devices created with name - stages/authenticator_duo: fix devices created with name
- stages/authenticator_validate: enable all device classes by default - stages/authenticator_validate: enable all device classes by default
- web: write interfaces to different folders and remove custom chunk names - web: write interfaces to different folders and remove custom chunk names


@ -13,7 +13,7 @@ This release does not have any headline features, and mostly fixes bugs.
## Minor changes ## Minor changes
- core: make defaults for _change_email and _change_username configurable - core: make defaults for \_change_email and \_change_username configurable
- core: remove dump_config, handle directly in config loader without booting django, don't check database - core: remove dump_config, handle directly in config loader without booting django, don't check database
- events: add gdpr_compliance option - events: add gdpr_compliance option
- internal: fix integrated docs not working - internal: fix integrated docs not working
@ -63,7 +63,7 @@ This release does not have any headline features, and mostly fixes bugs.
## Fixed in 2021.12.1-rc2 ## Fixed in 2021.12.1-rc2
- *: don't use go embed to make using custom files easier - \*: don't use go embed to make using custom files easier
- crypto: add certificate discovery to automatically import certificates from lets encrypt - crypto: add certificate discovery to automatically import certificates from lets encrypt
- crypto: fix default API not having an ordering - crypto: fix default API not having an ordering
- outposts: always trigger outpost reconcile on startup - outposts: always trigger outpost reconcile on startup
@ -94,7 +94,7 @@ This release does not have any headline features, and mostly fixes bugs.
- policies/expression: add ak_call_policy - policies/expression: add ak_call_policy
- providers/saml: add ?force_binding to limit bindings for metadata endpoint - providers/saml: add ?force_binding to limit bindings for metadata endpoint
- root: add request_id to celery tasks, prefixed with "task-" - root: add request_id to celery tasks, prefixed with "task-"
- sources/*: Allow creation of source connections via API - sources/\*: Allow creation of source connections via API
- stages/prompt: use policyenginemode all - stages/prompt: use policyenginemode all
- tests/e2e: add post binding test - tests/e2e: add post binding test
- web: fix duplicate classes, make generic icon clickable - web: fix duplicate classes, make generic icon clickable
@ -179,7 +179,7 @@ This release does not have any headline features, and mostly fixes bugs.
## Fixed in 2021.12.3 ## Fixed in 2021.12.3
- *: revert to using GHCR directly - \*: revert to using GHCR directly
- core: fix error when getting launch URL for application with non-existent Provider - core: fix error when getting launch URL for application with non-existent Provider
- internal: fix sentry sample rate not applying to proxy - internal: fix sentry sample rate not applying to proxy
- internal: rework global logging settings, embedded outpost no longer overwrites core - internal: rework global logging settings, embedded outpost no longer overwrites core
@ -216,7 +216,7 @@ This release does not have any headline features, and mostly fixes bugs.
## Fixed in 2021.12.5 ## Fixed in 2021.12.5
- *: use py3.10 syntax for unions, remove old Type[] import when possible - \*: use py3.10 syntax for unions, remove old Type[] import when possible
- core: add API endpoint to directly set user's password - core: add API endpoint to directly set user's password
- core: add error handling in source flow manager when flow isn't applicable - core: add error handling in source flow manager when flow isn't applicable
- core: fix UserSelfSerializer's save() overwriting other user attributes - core: fix UserSelfSerializer's save() overwriting other user attributes


@ -68,7 +68,7 @@ slug: "2021.2"
- policies: skip cache on debug request - policies: skip cache on debug request
- providers/proxy: fix certificates without key being selectable - providers/proxy: fix certificates without key being selectable
- root: log runtime in milliseconds - root: log runtime in milliseconds
- sources/*: switch API to use slug in URL - sources/\*: switch API to use slug in URL
- sources/ldap: add API for sync status - sources/ldap: add API for sync status
- sources/oauth: add callback URL to api - sources/oauth: add callback URL to api
- web: fix ModalButton working in global scope, causing issues on 2nd use - web: fix ModalButton working in global scope, causing issues on 2nd use
@ -116,6 +116,7 @@ Due to the switch to managed objects, some default property mappings are changin
The change affects the "SAML Name" property, which has been changed from an oid to a Schema URI to aid readability. The change affects the "SAML Name" property, which has been changed from an oid to a Schema URI to aid readability.
The integrations affected are: The integrations affected are:
- [Ansible Tower/AWX](/integrations/services/awx-tower/) - [Ansible Tower/AWX](/integrations/services/awx-tower/)
- [GitLab](/integrations/services/gitlab/) - [GitLab](/integrations/services/gitlab/)
- [NextCloud](/integrations/services/nextcloud/) - [NextCloud](/integrations/services/nextcloud/)


@ -39,7 +39,6 @@ slug: "2021.3"
If you conditionally include this stage in a flow, make sure to disable "Evaluate on plan", as that will always include the stage in the flow, regardless of the inputs. If you conditionally include this stage in a flow, make sure to disable "Evaluate on plan", as that will always include the stage in the flow, regardless of the inputs.
## Fixed in 2021.3.2 ## Fixed in 2021.3.2
- sources/ldap: fix sync for Users without pwdLastSet - sources/ldap: fix sync for Users without pwdLastSet
@ -58,7 +57,7 @@ slug: "2021.3"
## Fixed in 2021.3.4 ## Fixed in 2021.3.4
- admin: include git build hash in gh-* tags and show build hash in admin overview - admin: include git build hash in gh-\* tags and show build hash in admin overview
- events: don't fail on boot when geoip can't be opened - events: don't fail on boot when geoip can't be opened
- helm: add initial geoip - helm: add initial geoip
- outposts: improve logs for outpost connection - outposts: improve logs for outpost connection
@ -80,7 +79,6 @@ slug: "2021.3"
- web: use loadingState for autosubmitStage - web: use loadingState for autosubmitStage
- web: use sections in sidebar, adjust colouring - web: use sections in sidebar, adjust colouring
## Upgrading ## Upgrading
This release does not introduce any new requirements. This release does not introduce any new requirements.


@ -7,8 +7,8 @@ slug: "2021.4"
- Configurable Policy engine mode - Configurable Policy engine mode
In the past, all objects, which could have policies attached to them, required *all* policies to pass to consider an action successful. In the past, all objects, which could have policies attached to them, required _all_ policies to pass to consider an action successful.
You can now configure if *all* policies need to pass, or if *any* policy needs to pass. You can now configure if _all_ policies need to pass, or if _any_ policy needs to pass.
This can now be configured for the following objects: This can now be configured for the following objects:
@ -17,7 +17,7 @@ slug: "2021.4"
- Flows - Flows
- Flow-stage bindings - Flow-stage bindings
For backwards compatibility, this is set to *all*, but new objects will default to *any*. For backwards compatibility, this is set to _all_, but new objects will default to _any_.
- Expiring Events - Expiring Events
@ -60,10 +60,9 @@ slug: "2021.4"
- web/admin: fix error when user doesn't have permissions to read source - web/admin: fix error when user doesn't have permissions to read source
- web/admin: fix errors in user profile when non-superuser - web/admin: fix errors in user profile when non-superuser
## Fixed in 2021.4.3 ## Fixed in 2021.4.3
- *: add model_name to TypeCreate API to distinguish between models sharing a component - \*: add model_name to TypeCreate API to distinguish between models sharing a component
- api: fix CSRF error when using POST/PATCH/PUT in API Browser - api: fix CSRF error when using POST/PATCH/PUT in API Browser
- api: make 401 messages clearer - api: make 401 messages clearer
- api: mount outposts under outposts/instances to match flows - api: mount outposts under outposts/instances to match flows
@ -86,7 +85,7 @@ slug: "2021.4"
## Fixed in 2021.4.4 ## Fixed in 2021.4.4
- *: make tasks run every 60 minutes not :00 every hour - \*: make tasks run every 60 minutes not :00 every hour
- outposts: check for X-Forwarded-Host to switch context - outposts: check for X-Forwarded-Host to switch context
- outposts: improve update performance - outposts: improve update performance
- outposts: move local connection check to task, run every 60 minutes - outposts: move local connection check to task, run every 60 minutes


@ -93,7 +93,7 @@ This feature is still in technical preview, so please report any Bugs you run in
## Fixed in 2021.5.4 ## Fixed in 2021.5.4
- providers/oauth2: add missing kid header to JWT Tokens - providers/oauth2: add missing kid header to JWT Tokens
- stages/authenticator_*: fix Permission Error when disabling Authenticator as non-superuser - stages/authenticator\_\*: fix Permission Error when disabling Authenticator as non-superuser
- web: fix missing flow and policy cache clearing UI - web: fix missing flow and policy cache clearing UI
- web: set x-forwarded-proto based on upstream TLS Status - web: set x-forwarded-proto based on upstream TLS Status
@ -20,21 +20,21 @@ slug: "2021.8"
## Minor changes ## Minor changes
- admin: add API to show embedded outpost status, add notice when its not configured properly - admin: add API to show embedded outpost status, add notice when its not configured properly
- api: ensure all resources can be filtered - api: ensure all resources can be filtered
- api: make all PropertyMappings filterable by multiple managed attributes - api: make all PropertyMappings filterable by multiple managed attributes
- core: add API to directly send recovery link to user - core: add API to directly send recovery link to user
- core: add UserSelfSerializer and separate method for users to update themselves with limited fields - core: add UserSelfSerializer and separate method for users to update themselves with limited fields
- core: allow changing of groups a user is in from user api - core: allow changing of groups a user is in from user api
- flows: fix unhandled error in stage execution not being logged as SYSTEM_EXCEPTION event - flows: fix unhandled error in stage execution not being logged as SYSTEM_EXCEPTION event
- lifecycle: decrease default worker count on compose - lifecycle: decrease default worker count on compose
- outpost/ldap: Performance improvements, support for (member=) lookup - outpost/ldap: Performance improvements, support for (member=) lookup
- providers/proxy: don't create ingress when no hosts are defined - providers/proxy: don't create ingress when no hosts are defined
- sources/plex: add API to get user connections - sources/plex: add API to get user connections
- web: add API Drawer - web: add API Drawer
- web/admin: add UI to copy invitation link - web/admin: add UI to copy invitation link
- web/admin: allow modification of users groups from user view - web/admin: allow modification of users groups from user view
- web/admin: re-name service connection to integration - web/admin: re-name service connection to integration
## Fixed in 2021.8.1-rc2 ## Fixed in 2021.8.1-rc2
@ -78,7 +78,7 @@ slug: "2021.8"
## Fixed in 2021.8.1 ## Fixed in 2021.8.1
- *: cleanup api schema warnings - \*: cleanup api schema warnings
- core: fix error for asgi error handler with websockets - core: fix error for asgi error handler with websockets
- core: fix error when user updates themselves - core: fix error when user updates themselves
- core: fix user object for token not be set-able - core: fix user object for token not be set-able
@ -31,7 +31,7 @@ slug: "2021.9"
## Minor changes ## Minor changes
- *: use common user agent for all outgoing requests - \*: use common user agent for all outgoing requests
- admin: migrate to new update check, add option to disable update check - admin: migrate to new update check, add option to disable update check
- api: add additional filters for ldap and proxy providers - api: add additional filters for ldap and proxy providers
- core: optimise groups api by removing member superuser status - core: optimise groups api by removing member superuser status
@ -25,7 +25,7 @@ This release mostly removes legacy fields and features that have been deprecated
The proxy now also sets the host header based on what is configured as upstream in the proxy provider. The original Host is forwarded as `X-Forwarded-Host`. The proxy now also sets the host header based on what is configured as upstream in the proxy provider. The original Host is forwarded as `X-Forwarded-Host`.
Additionally, the header requirements for nginx have changed. Either a `X-Original-URL` or `X-Original-URI` header are now required. See the [*Proxy provider*](../providers/proxy/forward_auth) documentation for updated snippets. Additionally, the header requirements for nginx have changed. Either a `X-Original-URL` or `X-Original-URI` header are now required. See the [_Proxy provider_](../providers/proxy/forward_auth) documentation for updated snippets.
- API: - API:
@ -30,8 +30,8 @@ In an authenticator validation stage you can now configure multiple configuratio
## Minor changes/fixes ## Minor changes/fixes
- *: add placeholder custom.css to easily allow user customisation - \*: add placeholder custom.css to easily allow user customisation
- *: rename akprox to outpost.goauthentik.io (#2266) - \*: rename akprox to outpost.goauthentik.io (#2266)
- internal: don't attempt to lookup SNI Certificate if no SNI is sent - internal: don't attempt to lookup SNI Certificate if no SNI is sent
- internal: improve error handling for internal reverse proxy - internal: improve error handling for internal reverse proxy
- internal: increase logging for no hostname found - internal: increase logging for no hostname found
@ -15,7 +15,7 @@ slug: "2022.5"
## Minor changes/fixes ## Minor changes/fixes
- *: decrease frequency of background tasks, smear tasks based on name and fqdn - \*: decrease frequency of background tasks, smear tasks based on name and fqdn
- core: add custom shell command which imports all models and creates events for model events - core: add custom shell command which imports all models and creates events for model events
- core: add flag to globally disable impersonation - core: add flag to globally disable impersonation
- events: fix created events only being logged as debug level - events: fix created events only being logged as debug level
@ -4,7 +4,7 @@ title: Missing admin group
If all of the Admin groups have been deleted, or misconfigured during sync, you can use the following command to gain access back. If all of the Admin groups have been deleted, or misconfigured during sync, you can use the following command to gain access back.
Run the following command, where *username* is the user you want to add to the newly created group: Run the following command, where _username_ is the user you want to add to the newly created group:
``` ```
docker-compose run --rm server create_admin_group username docker-compose run --rm server create_admin_group username
@ -10,4 +10,4 @@ When you bind a group to an application or flow, any members of any child group
## Attributes ## Attributes
Attributes of groups are recursively merged, for all groups the user is a *direct* member of. Attributes of groups are recursively merged, for all groups the user is a _direct_ member of.
@ -48,12 +48,15 @@ The User object has the following attributes:
- `ak_groups` This is a queryset of all the user's groups. - `ak_groups` This is a queryset of all the user's groups.
You can do additional filtering like You can do additional filtering like
```python ```python
user.ak_groups.filter(name__startswith='test') user.ak_groups.filter(name__startswith='test')
``` ```
see [here](https://docs.djangoproject.com/en/3.1/ref/models/querysets/#id4) see [here](https://docs.djangoproject.com/en/3.1/ref/models/querysets/#id4)
To get the name of all groups, you can do To get the name of all groups, you can do
```python ```python
[group.name for group in user.ak_groups.all()] [group.name for group in user.ak_groups.all()]
``` ```
@ -23,7 +23,7 @@ Create an OAuth2/OpenID provider with the following parameters:
- Redirect URIs: `https://guacamole.company/` (depending on your Tomcat setup, you might have to add `/guacamole/` if the application runs in a subfolder) - Redirect URIs: `https://guacamole.company/` (depending on your Tomcat setup, you might have to add `/guacamole/` if the application runs in a subfolder)
- Scopes: OpenID, Email and Profile - Scopes: OpenID, Email and Profile
Under *Advanced protocol settings*, set the following: Under _Advanced protocol settings_, set the following:
- Token validity: Any value to configure how long the session should last. Guacamole will not accept any tokens valid longer than 300 Minutes. - Token validity: Any value to configure how long the session should last. Guacamole will not accept any tokens valid longer than 300 Minutes.
@ -31,8 +31,8 @@ Note the Client ID value. Create an application, using the provider you've creat
## Guacamole ## Guacamole
import Tabs from '@theme/Tabs'; import Tabs from "@theme/Tabs";
import TabItem from '@theme/TabItem'; import TabItem from "@theme/TabItem";
<Tabs <Tabs
defaultValue="docker" defaultValue="docker"
@ -50,6 +50,7 @@ OPENID_ISSUER: https://authentik.company/application/o/*Slug of the application
OPENID_JWKS_ENDPOINT: https://authentik.company/application/o/*Slug of the application from above*/jwks/ OPENID_JWKS_ENDPOINT: https://authentik.company/application/o/*Slug of the application from above*/jwks/
OPENID_REDIRECT_URI: https://guacamole.company/ # This must match the redirect URI above OPENID_REDIRECT_URI: https://guacamole.company/ # This must match the redirect URI above
``` ```
</TabItem> </TabItem>
<TabItem value="standalone"> <TabItem value="standalone">
Standalone Guacamole is configured using the `guacamole.properties` file. Add the following settings: Standalone Guacamole is configured using the `guacamole.properties` file. Add the following settings:
@ -61,5 +62,6 @@ openid-issuer=https://authentik.company/application/o/*Slug of the application f
openid-jwks-endpoint=https://authentik.company/application/o/*Slug of the application from above*/jwks/ openid-jwks-endpoint=https://authentik.company/application/o/*Slug of the application from above*/jwks/
openid-redirect-uri=https://guacamole.company/ # This must match the redirect URI above openid-redirect-uri=https://guacamole.company/ # This must match the redirect URI above
``` ```
</TabItem> </TabItem>
</Tabs> </Tabs>
@ -27,6 +27,7 @@ The following placeholders will be used:
In authentik, under _Providers_, create a _SAML Provider_ with these settings: In authentik, under _Providers_, create a _SAML Provider_ with these settings:
**Protocol Settings** **Protocol Settings**
- Name: Bookstack - Name: Bookstack
- ACS URL: https://book.company/saml2/acs - ACS URL: https://book.company/saml2/acs
- Issuer: https://authentik.company - Issuer: https://authentik.company
@ -34,8 +35,9 @@ In authentik, under _Providers_, create a _SAML Provider_ with these settings:
- Audience: https://book.company/saml2/metadata - Audience: https://book.company/saml2/metadata
**Advanced protocol settings** **Advanced protocol settings**
- Signing Certificate: Choose your certificate or the default authentik Self-signed Certificate - Signing Certificate: Choose your certificate or the default authentik Self-signed Certificate
All other options as default. All other options as default.
![](./authentik_saml_bookstack.png) ![](./authentik_saml_bookstack.png)
@ -22,6 +22,7 @@ The following placeholders will be used:
Create an application and Provider in authentik, note the slug, as this will be used later. Create a SAML provider with the following parameters: Create an application and Provider in authentik, note the slug, as this will be used later. Create a SAML provider with the following parameters:
Provider: Provider:
- ACS URL: `https://fgm.company/saml/?acs` - ACS URL: `https://fgm.company/saml/?acs`
- Issuer: `https://authentik.company/application/saml/fgm/sso/binding/redirect/` - Issuer: `https://authentik.company/application/saml/fgm/sso/binding/redirect/`
- Service Provider Binding: Post - Service Provider Binding: Post
@ -29,6 +30,7 @@ Provider:
You can of course use a custom signing certificate, and adjust durations. You can of course use a custom signing certificate, and adjust durations.
Application: Application:
- Launch URL: 'https://fgm.company/p/sso_sp/' - Launch URL: 'https://fgm.company/p/sso_sp/'
## FortiManager Configuration ## FortiManager Configuration
@ -24,12 +24,12 @@ Create an application in authentik and note the slug, as this will be used later
- Issuer: `https://gitlab.company` - Issuer: `https://gitlab.company`
- Binding: `Redirect` - Binding: `Redirect`
Under *Advanced protocol settings*, set a certificate for *Signing Certificate*. Under _Advanced protocol settings_, set a certificate for _Signing Certificate_.
## GitLab Configuration ## GitLab Configuration
Paste the following block in your `gitlab.rb` file, after replacing the placeholder values from above. The file is located in `/etc/gitlab`. Paste the following block in your `gitlab.rb` file, after replacing the placeholder values from above. The file is located in `/etc/gitlab`.
To get the value for `idp_cert_fingerprint`, go to the Certificate list under *Identity & Cryptography*, and expand the selected certificate. To get the value for `idp_cert_fingerprint`, go to the Certificate list under _Identity & Cryptography_, and expand the selected certificate.
```ruby ```ruby
gitlab_rails['omniauth_enabled'] = true gitlab_rails['omniauth_enabled'] = true
@ -28,8 +28,8 @@ Note the Client ID and Client Secret values. Create an application, using the pr
## Grafana ## Grafana
import Tabs from '@theme/Tabs'; import Tabs from "@theme/Tabs";
import TabItem from '@theme/TabItem'; import TabItem from "@theme/TabItem";
<Tabs <Tabs
defaultValue="docker" defaultValue="docker"
@ -56,6 +56,7 @@ environment:
# Optionally map user groups to Grafana roles # Optionally map user groups to Grafana roles
GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'" GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'"
``` ```
</TabItem> </TabItem>
<TabItem value="standalone"> <TabItem value="standalone">
If you are using a config-file instead, you have to set these options: If you are using a config-file instead, you have to set these options:
@ -78,6 +79,7 @@ api_url = https://authentik.company/application/o/userinfo/
# Optionally map user groups to Grafana roles # Optionally map user groups to Grafana roles
role_attribute_path = contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer' role_attribute_path = contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'
``` ```
</TabItem> </TabItem>
</Tabs> </Tabs>
@ -35,11 +35,13 @@ Only settings that have been modified from default have been listed.
- Signing Key: Select any available key - Signing Key: Select any available key
- Redirect URIs/Origins: - Redirect URIs/Origins:
``` ```
https://vault.company/ui/vault/auth/oidc/oidc/callback https://vault.company/ui/vault/auth/oidc/oidc/callback
https://vault.company/oidc/callback https://vault.company/oidc/callback
http://localhost:8250/oidc/callback http://localhost:8250/oidc/callback
``` ```
:::note :::note
Take note of the `Client ID` and `Client Secret`, you'll need to give them to Vault in _Step 3_. Take note of the `Client ID` and `Client Secret`, you'll need to give them to Vault in _Step 3_.
::: :::
@ -59,9 +61,10 @@ Only settings that have been modified from default have been listed.
### Step 3 ### Step 3
Enable the oidc auth method Enable the oidc auth method
```vault auth enable oidc``` `vault auth enable oidc`
Configure the oidc auth method, oidc discovery url is the OpenID Configuration Issuer in your provider Configure the oidc auth method, oidc discovery url is the OpenID Configuration Issuer in your provider
``` ```
vault write auth/oidc/config \ vault write auth/oidc/config \
oidc_discovery_url="https://authentik.company/application/o/vault-slug/" \ oidc_discovery_url="https://authentik.company/application/o/vault-slug/" \
@ -71,6 +74,7 @@ vault write auth/oidc/config \
``` ```
Create the reader role Create the reader role
``` ```
vault write auth/oidc/role/reader \ vault write auth/oidc/role/reader \
bound_audiences="Client ID" \ bound_audiences="Client ID" \
@ -82,4 +86,4 @@ vault write auth/oidc/role/reader \
``` ```
You should then be able to sign in via OIDC You should then be able to sign in via OIDC
```vault login -method=oidc role="reader"``` `vault login -method=oidc role="reader"`
@ -33,14 +33,14 @@ You need to set the following `env` Variables for Docker based installations.
Set the following values: Set the following values:
```yaml ```yaml
CMD_OAUTH2_PROVIDERNAME: 'authentik' CMD_OAUTH2_PROVIDERNAME: "authentik"
CMD_OAUTH2_CLIENT_ID: '<Client ID from above>' CMD_OAUTH2_CLIENT_ID: "<Client ID from above>"
CMD_OAUTH2_CLIENT_SECRET: '<Client Secret from above>' CMD_OAUTH2_CLIENT_SECRET: "<Client Secret from above>"
CMD_OAUTH2_SCOPE: 'openid email profile' CMD_OAUTH2_SCOPE: "openid email profile"
CMD_OAUTH2_USER_PROFILE_URL: 'https://authentik.company/application/o/userinfo/' CMD_OAUTH2_USER_PROFILE_URL: "https://authentik.company/application/o/userinfo/"
CMD_OAUTH2_TOKEN_URL: 'https://authentik.company/application/o/token/' CMD_OAUTH2_TOKEN_URL: "https://authentik.company/application/o/token/"
CMD_OAUTH2_AUTHORIZATION_URL: 'https://authentik.company/application/o/authorize/' CMD_OAUTH2_AUTHORIZATION_URL: "https://authentik.company/application/o/authorize/"
CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR: 'preferred_username' CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR: "preferred_username"
CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR: 'name' CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR: "name"
CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR: 'email' CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR: "email"
``` ```
@ -27,13 +27,13 @@ Create a SAML provider with the following parameters:
- Issuer: `https://authentik.company` - Issuer: `https://authentik.company`
- Binding: `Post` - Binding: `Post`
Under *Advanced protocol settings*, set a certificate for *Signing Certificate*. Under _Advanced protocol settings_, set a certificate for _Signing Certificate_.
## Kimai Configuration ## Kimai Configuration
Paste the following block in your `local.yaml` file, after replacing the placeholder values from above. The file is usually located in `/opt/kimai/config/packages/local.yaml`. Paste the following block in your `local.yaml` file, after replacing the placeholder values from above. The file is usually located in `/opt/kimai/config/packages/local.yaml`.
To get the value for `x509cert`, go to *System* > *Certificates*, and download the public Signing Certificate. To avoid further problems, concat it into "string format" using e.g.: https://www.samltool.com/format_x509cert.php To get the value for `x509cert`, go to _System_ > _Certificates_, and download the public Signing Certificate. To avoid further problems, concat it into "string format" using e.g.: https://www.samltool.com/format_x509cert.php
```yaml ```yaml
# Optionally add this for docker debug-logging # Optionally add this for docker debug-logging
@ -111,7 +111,6 @@ kimai:
name: "Kimai" name: "Kimai"
displayname: "Kimai" displayname: "Kimai"
url: "https://kimai.company" url: "https://kimai.company"
``` ```
Afterwards, either [rebuild the cache](https://www.kimai.org/documentation/cache.html) or restart the docker container. Afterwards, either [rebuild the cache](https://www.kimai.org/documentation/cache.html) or restart the docker container.
@ -68,8 +68,8 @@ See https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/r
Create a group for each different level of quota you want users to have. Set a custom attribute, for example called `nextcloud_quota`, to the quota you want, for example `15 GB`. Create a group for each different level of quota you want users to have. Set a custom attribute, for example called `nextcloud_quota`, to the quota you want, for example `15 GB`.
Afterwards, create a custom SAML Property Mapping with the name `SAML NextCloud Quota`. Afterwards, create a custom SAML Property Mapping with the name `SAML NextCloud Quota`.
Set the *SAML Name* to `nextcloud_quota`. Set the _SAML Name_ to `nextcloud_quota`.
Set the *Expression* to `return user.group_attributes().get("nextcloud_quota", "1 GB")`, where `1 GB` is the default value for users that don't belong to another group (or have another value set). Set the _Expression_ to `return user.group_attributes().get("nextcloud_quota", "1 GB")`, where `1 GB` is the default value for users that don't belong to another group (or have another value set).
## Admin Group ## Admin Group
@ -21,30 +21,30 @@ The following placeholders will be used:
- `authentik.company` is the FQDN of authentik. - `authentik.company` is the FQDN of authentik.
- `onlyoffice.company` is the FQDN of the OnlyOffice instance. - `onlyoffice.company` is the FQDN of the OnlyOffice instance.
Open your OnlyOffice instance, navigate to the settings by clicking the cog-icon in the navbar, then click on *Control Panel* on the sidebar. Open your OnlyOffice instance, navigate to the settings by clicking the cog-icon in the navbar, then click on _Control Panel_ on the sidebar.
In the new tab, click on *SSO* in the sidebar. In the new tab, click on _SSO_ in the sidebar.
Click the *Enable Single Sign-on Authentication* checkbox to enable SSO. Click the _Enable Single Sign-on Authentication_ checkbox to enable SSO.
Scroll down to *ONLYOFFICE SP Metadata*, and copy the *SP Entity ID (link to metadata XML)* URL. Open this URL in a new tab, and download the XML file. Scroll down to _ONLYOFFICE SP Metadata_, and copy the _SP Entity ID (link to metadata XML)_ URL. Open this URL in a new tab, and download the XML file.
## authentik Setup ## authentik Setup
Create an application in authentik, and create a SAML Provider by using *SAML Provider from Metadata*. Give the provider a name, and upload the XML file you've downloaded in the previous step. Create an application in authentik, and create a SAML Provider by using _SAML Provider from Metadata_. Give the provider a name, and upload the XML file you've downloaded in the previous step.
Edit the resulting Provider, and ensure *Signing Certificate* is set to any certificate. Edit the resulting Provider, and ensure _Signing Certificate_ is set to any certificate.
Navigate on the *Metadata* tab on the Provider page, and click *Copy download URL*. Navigate on the _Metadata_ tab on the Provider page, and click _Copy download URL_.
## OnlyOffice Setup ## OnlyOffice Setup
Navigate back to your OnlyOffice Control panel, and paste the URL into *Load metadata from XML to fill the required fields automatically*, and click the upload button next to the input field. Navigate back to your OnlyOffice Control panel, and paste the URL into _Load metadata from XML to fill the required fields automatically_, and click the upload button next to the input field.
Under *Attribute Mapping*, set the following values Under _Attribute Mapping_, set the following values
- *First Name*: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name` - _First Name_: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`
- *Last Name*: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name` - _Last Name_: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`
- *Email*: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` - _Email_: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`
Click save and a new SSO button will appear on the OnlyOffice login page. Click save and a new SSO button will appear on the OnlyOffice login page.
@ -40,6 +40,7 @@ Only settings that have been modified from default have been listed.
::: :::
**Protocol Settings** **Protocol Settings**
- Name: LDAP - Name: LDAP
- Search group: opnsense - Search group: opnsense
- Certificate: authentik Self-signed certificate - Certificate: authentik Self-signed certificate
@ -66,6 +67,7 @@ Only settings that have been modified from default have been listed.
- Name: LDAP - Name: LDAP
- Type: LDAP - Type: LDAP
### Step 5 ### Step 5
Add your authentik LDAP server to OPNsense by going to your OPNsense Web UI and clicking the `+` under _System/Access/Servers_. Add your authentik LDAP server to OPNsense by going to your OPNsense Web UI and clicking the `+` under _System/Access/Servers_.
@ -83,6 +85,7 @@ Change the following fields
- Extended Query: &(objectClass=user) - Extended Query: &(objectClass=user)
![](./opnsense1.png) ![](./opnsense1.png)
### Step 6 ### Step 6
In OPNsense, go to _System/Settings/Administration_ and under _Authentication_ at the bottom of that page, add `authentik` to the Server list In OPNsense, go to _System/Settings/Administration_ and under _Authentication_ at the bottom of that page, add `authentik` to the Server list
@ -24,14 +24,15 @@ The following placeholders will be used:
Also set up your proxy server to use forward auth with paperless.company: https://goauthentik.io/docs/providers/proxy/forward_auth Also set up your proxy server to use forward auth with paperless.company: https://goauthentik.io/docs/providers/proxy/forward_auth
## Paperless ## Paperless
Start by adding the following environment variables to your Paperless-ng setup. If you are using docker-compose, then add the following to your docker-compose.env file: Start by adding the following environment variables to your Paperless-ng setup. If you are using docker-compose, then add the following to your docker-compose.env file:
``` ```
PAPERLESS_ENABLE_HTTP_REMOTE_USER=TRUE PAPERLESS_ENABLE_HTTP_REMOTE_USER=TRUE
PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME=HTTP_X_AUTHENTIK_USERNAME PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME=HTTP_X_AUTHENTIK_USERNAME
``` ```
Authentik automatically sets this header when we use a proxy outpost. Authentik automatically sets this header when we use a proxy outpost.
Now restart your container: Now restart your container:
@ -22,7 +22,6 @@ The following placeholders will be used:
- `pfsense-user` is the name of the authentik Service account we'll create. - `pfsense-user` is the name of the authentik Service account we'll create.
- `DC=ldap,DC=goauthentik,DC=io` is the Base DN of the LDAP Provider (default) - `DC=ldap,DC=goauthentik,DC=io` is the Base DN of the LDAP Provider (default)
### Step 1 - Service account ### Step 1 - Service account
In authentik, create a service account (under _Directory/Users_) for pfSense to use as the LDAP Binder and take note of the password generated. In authentik, create a service account (under _Directory/Users_) for pfSense to use as the LDAP Binder and take note of the password generated.
@ -33,10 +32,10 @@ In this example, we'll use `pfsense-user` as the Service account's username
If you didn't keep the password, you can copy it from _Directory/Tokens & App password_. If you didn't keep the password, you can copy it from _Directory/Tokens & App password_.
::: :::
### Step 2 - LDAP Provider ### Step 2 - LDAP Provider
In authentik, create a LDAP Provider (under _Applications/Providers_) with these settings : In authentik, create a LDAP Provider (under _Applications/Providers_) with these settings :
- Name : LDAP - Name : LDAP
- Bind DN : `DC=ldap,DC=goauthentik,DC=io` - Bind DN : `DC=ldap,DC=goauthentik,DC=io`
- Certificate : `self-signed` - Certificate : `self-signed`
@ -79,8 +78,6 @@ Change the following fields
- Extended Query: &(objectClass=user) - Extended Query: &(objectClass=user)
- Allow unauthenticated bind: **unticked** - Allow unauthenticated bind: **unticked**
## pfSense secure setup (with SSL) ## pfSense secure setup (with SSL)
When enabling SSL, authentik will send a certificate to pfSense. This certificate has to be signed by a certificate authority trusted by pfSense. In this setup we will create our own certificate authority in pfSense and create a certificate that will be used by authentik. When enabling SSL, authentik will send a certificate to pfSense. This certificate has to be signed by a certificate authority trusted by pfSense. In this setup we will create our own certificate authority in pfSense and create a certificate that will be used by authentik.
@ -139,24 +136,18 @@ Change the following fields
- Extended Query: &(objectClass=user) - Extended Query: &(objectClass=user)
- Allow unauthenticated bind: **unticked** - Allow unauthenticated bind: **unticked**
## Test your setup ## Test your setup
In pfSense, you can validate the authentication backend setup by going to _Diagnostics/Authentication_ and then select `LDAP authentik` as _Authentication Server_. In pfSense, you can validate the authentication backend setup by going to _Diagnostics/Authentication_ and then select `LDAP authentik` as _Authentication Server_.
You can use the credentials of an authentik user, pfSense will tell you if the connection was successful or not. If it is, congratulations, you can now change the pfSense default authentication backend. You can use the credentials of an authentik user, pfSense will tell you if the connection was successful or not. If it is, congratulations, you can now change the pfSense default authentication backend.
## Change pfSense default authentication backend ## Change pfSense default authentication backend
In pfSense, you can change the authentication backend used by the Web UI by going to _System/User Manager_ and then click on _Settings_ tab. In pfSense, you can change the authentication backend used by the Web UI by going to _System/User Manager_ and then click on _Settings_ tab.
- Authentication Server: `LDAP authentik` - Authentication Server: `LDAP authentik`
## Notes ## Notes
:::tip :::tip
@ -21,12 +21,12 @@ The following placeholders will be used:
- `pgadmin.company` is the FQDN of pgAdmin. - `pgadmin.company` is the FQDN of pgAdmin.
- `authentik.company` is the FQDN of authentik. - `authentik.company` is the FQDN of authentik.
### Step 1: Create authentik Provider ### Step 1: Create authentik Provider
In authentik, under _Providers_, create an _OAuth2/OpenID Provider_ with these settings: In authentik, under _Providers_, create an _OAuth2/OpenID Provider_ with these settings:
**Provider Settings** **Provider Settings**
- Name: pgAdmin - Name: pgAdmin
- Client type: Confidential - Client type: Confidential
- Client ID: Copy and Save this for Later - Client ID: Copy and Save this for Later
@ -34,6 +34,7 @@ In authentik, under _Providers_, create an _OAuth2/OpenID Provider_ with these s
- Redirect URIs/Origins: `http://pgadmin.company/oauth2/authorize` - Redirect URIs/Origins: `http://pgadmin.company/oauth2/authorize`
### Step 2: Create authentik Application ### Step 2: Create authentik Application
In authentik, create an application which uses this provider. Optionally apply access restrictions to the application using policy bindings. In authentik, create an application which uses this provider. Optionally apply access restrictions to the application using policy bindings.
- Name: pgAdmin - Name: pgAdmin
@ -41,8 +42,8 @@ In authentik, create an application which uses this provider. Optionally apply a
- Provider: pgAdmin - Provider: pgAdmin
- Launch URL: https://pgadmin.company - Launch URL: https://pgadmin.company
### Step 3: Configure pgAdmin ### Step 3: Configure pgAdmin
All settings for OAuth in pgAdmin are configured in the `config_local.py` file. This file can usually be found in the path `/pgadmin4/config_local.py` All settings for OAuth in pgAdmin are configured in the `config_local.py` file. This file can usually be found in the path `/pgadmin4/config_local.py`
:::note :::note
@ -71,7 +72,9 @@ OAUTH2_CONFIG = [{
'OAUTH2_BUTTON_COLOR' : '<button-color>' 'OAUTH2_BUTTON_COLOR' : '<button-color>'
}] }]
``` ```
In the code above the following placeholders have been used: In the code above the following placeholders have been used:
- `<display-name>`: The name that is displayed on the Login Button - `<display-name>`: The name that is displayed on the Login Button
- `<client-id>`: The Client ID from step 1 - `<client-id>`: The Client ID from step 1
- `<client-secret>`: The Client Secret from step 1 - `<client-secret>`: The Client Secret from step 1


@ -30,13 +30,13 @@ Only settings that have been modified from default have been listed.
::: :::
**Protocol Settings** **Protocol Settings**
- Name: Portainer - Name: Portainer
- Client type: Confidential - Client type: Confidential
- Client ID: Copy and Save this for Later - Client ID: Copy and Save this for Later
- Client Secret: Copy and Save this for later - Client Secret: Copy and Save this for later
- Redirect URIs/Origins: `https://port.company` - Redirect URIs/Origins: `https://port.company`
### Step 2 - Portainer ### Step 2 - Portainer
In Portainer, under _Settings_, _Authentication_, Select _OAuth_ and _Custom_ In Portainer, under _Settings_, _Authentication_, Select _OAuth_ and _Custom_
@ -66,7 +66,6 @@ In authentik, create an application which uses this provider. Optionally apply a
- Provider: Portainer - Provider: Portainer
- Launch URL: https://port.company - Launch URL: https://port.company
## Notes ## Notes
:::note :::note


@ -58,8 +58,9 @@ SAML_CERT=/saml.crt
You must mount the certificate selected in authentik as a file in the Docker container. The path in the container must match the path in the env variable `SAML_CERT`. You must mount the certificate selected in authentik as a file in the Docker container. The path in the container must match the path in the env variable `SAML_CERT`.
### docker-compose ### docker-compose
```yaml ```yaml
version: '3.3' version: "3.3"
services: services:
powerdns-admin: powerdns-admin:
image: ngoduykhanh/powerdns-admin:latest image: ngoduykhanh/powerdns-admin:latest


@ -14,7 +14,6 @@ Proxmox Virtual Environment is an open source server virtualization management s
This requires Proxmox VE 7.0 or newer. This requires Proxmox VE 7.0 or newer.
::: :::
## Preparation ## Preparation
The following placeholders will be used: The following placeholders will be used:


@ -18,7 +18,7 @@ The following placeholders will be used:
- `rancher.company` is the FQDN of the Rancher install. - `rancher.company` is the FQDN of the Rancher install.
- `authentik.company` is the FQDN of the authentik install. - `authentik.company` is the FQDN of the authentik install.
Under *Property Mappings*, create a *SAML Property Mapping*. Give it a name like "SAML Rancher User ID". Set the SAML name to `rancherUidUsername` and the expression to the following Under _Property Mappings_, create a _SAML Property Mapping_. Give it a name like "SAML Rancher User ID". Set the SAML name to `rancherUidUsername` and the expression to the following
```python ```python
return f"{user.pk}-{user.username}" return f"{user.pk}-{user.username}"
@ -37,7 +37,7 @@ You can of course use a custom signing certificate, and adjust durations.
## Rancher ## Rancher
In Rancher, navigate to *Global* -> *Security* -> *Authentication*, and select ADFS. In Rancher, navigate to _Global_ -> _Security_ -> _Authentication_, and select ADFS.
Fill in the fields Fill in the fields
@ -46,7 +46,7 @@ Fill in the fields
- UID Field: `rancherUidUsername` - UID Field: `rancherUidUsername`
- Groups Field: `http://schemas.xmlsoap.org/claims/Group` - Groups Field: `http://schemas.xmlsoap.org/claims/Group`
For the private key and certificate, you can either generate a new pair (in authentik, navigate to *Identity & Cryptography* -> *Certificates* and select Generate), or use an existing pair. For the private key and certificate, you can either generate a new pair (in authentik, navigate to _Identity & Cryptography_ -> _Certificates_ and select Generate), or use an existing pair.
Copy the metadata from authentik, and paste it in the metadata field. Copy the metadata from authentik, and paste it in the metadata field.


@ -30,11 +30,13 @@ Only settings that have been modified from default have been listed.
::: :::
**Protocol Settings** **Protocol Settings**
- Name: RocketChat - Name: RocketChat
- Client type: Confidential - Client type: Confidential
- Client ID: Copy and Save this for Later - Client ID: Copy and Save this for Later
- Client Secret: Copy and Save this for later - Client Secret: Copy and Save this for later
- Redirect URIs/Origins: - Redirect URIs/Origins:
``` ```
https://rocket.company/_oauth/authentik https://rocket.company/_oauth/authentik
@ -47,10 +49,12 @@ https://rocket.company/_oauth/authentik
In authentik, under _Applications_, create a new application with these settings: In authentik, under _Applications_, create a new application with these settings:
**Application Settings** **Application Settings**
- Name: Rocket.chat - Name: Rocket.chat
- Slug: rocketchat - Slug: rocketchat
- Provider: RocketChat - Provider: RocketChat
- Launch URL: - Launch URL:
``` ```
https://rocket.company/_oauth/authentik https://rocket.company/_oauth/authentik
@ -79,6 +83,7 @@ In Rocket.chat, follow the procedure below:
![](./rocketchat6.png) ![](./rocketchat6.png)
5. Scroll down to the new OAuth application, expand the dropdown, and enter the following settings: 5. Scroll down to the new OAuth application, expand the dropdown, and enter the following settings:
- Enable: Turn the radio button to the _on_ position - Enable: Turn the radio button to the _on_ position
- URL: https://authentik.company/application/o - URL: https://authentik.company/application/o
- Token Path: /token/ - Token Path: /token/
@ -114,8 +119,6 @@ In Rocket.chat, follow the procedure below:
6. Click _Save changes_ in the top right corner of the screen 6. Click _Save changes_ in the top right corner of the screen
### Step 4 (Optional) ### Step 4 (Optional)
:::note :::note


@ -56,6 +56,7 @@ $config['oauth_scope'] = "email openid dovecotprofile";
$config['oauth_auth_parameters'] = []; $config['oauth_auth_parameters'] = [];
$config['oauth_identity_fields'] = ['email']; $config['oauth_identity_fields'] = ['email'];
``` ```
## Dovecot Configuration ## Dovecot Configuration
Add xoauth2 as an authentication mechanism and configure the following parameters in your Dovecot configuration. Add xoauth2 as an authentication mechanism and configure the following parameters in your Dovecot configuration.


@ -28,7 +28,7 @@ Create an application in authentik. Create a SAML Provider with the following va
- Service Provider Binding: `Post` - Service Provider Binding: `Post`
- Audience: `https://sentry.company/saml/metadata/<sentry organisation name>/` - Audience: `https://sentry.company/saml/metadata/<sentry organisation name>/`
Under *Advanced protocol settings*, set the following: Under _Advanced protocol settings_, set the following:
- Signing Certificate: Select any certificate. - Signing Certificate: Select any certificate.
- Property Mapping: Select all Managed Mappings - Property Mapping: Select all Managed Mappings


@ -49,6 +49,7 @@ Because Sonarr can use HTTP Basic credentials, you can save your HTTP Basic Cred
sonarr_user: username sonarr_user: username
sonarr_password: password sonarr_password: password
``` ```
Add all Sonarr users to the Group. You should also create a Group Membership Policy to limit access to the application. Add all Sonarr users to the Group. You should also create a Group Membership Policy to limit access to the application.
Enable the `Use Basic Authentication` option. Set and `HTTP-Basic Username` and `HTTP-Basic Password` to `sonarr_user` and `sonarr_password` respectively. These values can be chosen freely, `sonarr_` is just used as a prefix for clarity. Enable the `Use Basic Authentication` option. Set and `HTTP-Basic Username` and `HTTP-Basic Password` to `sonarr_user` and `sonarr_password` respectively. These values can be chosen freely, `sonarr_` is just used as a prefix for clarity.


@ -35,6 +35,7 @@ Create an application in authentik. Create a Proxy provider with the following p
- Skip path regex - Skip path regex
Add the following regex rules to keep the public status page accessible without authentication. Add the following regex rules to keep the public status page accessible without authentication.
``` ```
^/$ ^/$
^/status ^/status


@ -30,11 +30,13 @@ Only settings that have been modified from default have been listed.
::: :::
**Protocol Settings** **Protocol Settings**
- Name: Vikunja - Name: Vikunja
- Client type: Confidential - Client type: Confidential
- Client ID: Copy and Save this for Later - Client ID: Copy and Save this for Later
- Client Secret: Copy and Save this for later - Client Secret: Copy and Save this for later
- Redirect URIs/Origins: - Redirect URIs/Origins:
``` ```
https://vik.company/auth/openid https://vik.company/auth/openid
https://vik.company/auth/openid/Vikunja https://vik.company/auth/openid/Vikunja


@ -10,7 +10,6 @@ From https://weblate.org/en/
Weblate is a copylefted libre software web-based continuous localization system, used by over 2500 libre projects and companies in more than 165 countries. Weblate is a copylefted libre software web-based continuous localization system, used by over 2500 libre projects and companies in more than 165 countries.
::: :::
## Preparation ## Preparation
The following placeholders will be used: The following placeholders will be used:
@ -33,33 +32,41 @@ You can of course use a custom signing certificate, and adjust durations.
We need to create some property mappings so our application will work. After you create the property mappings, assign them to the provider. We need to create some property mappings so our application will work. After you create the property mappings, assign them to the provider.
### Full name ### Full name
* Name: `Weblate - Full name`
* SAML Attribute Name: `urn:oid:2.5.4.3` - Name: `Weblate - Full name`
* Expression - SAML Attribute Name: `urn:oid:2.5.4.3`
- Expression
```python ```python
return request.user.name return request.user.name
``` ```
### OID_USERID ### OID_USERID
* Name: `Weblate - OID_USERID`
* SAML Attribute Name: `urn:oid:0.9.2342.19200300.100.1.1` - Name: `Weblate - OID_USERID`
* Expression - SAML Attribute Name: `urn:oid:0.9.2342.19200300.100.1.1`
- Expression
```python ```python
return request.user.username return request.user.username
``` ```
### Username ### Username
* Name: `Weblate - Username`
* SAML Attribute Name: `username` - Name: `Weblate - Username`
* Expression - SAML Attribute Name: `username`
- Expression
```python ```python
return request.user.username return request.user.username
``` ```
### Email ### Email
* Name: `Weblate - Email`
* SAML Attribute Name: `email` - Name: `Weblate - Email`
* Expression - SAML Attribute Name: `email`
- Expression
```python ```python
return request.user.email return request.user.email
``` ```
@ -68,23 +75,23 @@ return request.user.email
The variables bellow need to be set, depending on if you deploy in a container or not you can take a look at the following links The variables bellow need to be set, depending on if you deploy in a container or not you can take a look at the following links
* https://docs.weblate.org/en/latest/admin/config.html#config - https://docs.weblate.org/en/latest/admin/config.html#config
* https://docs.weblate.org/en/latest/admin/install/docker.html#docker-environment - https://docs.weblate.org/en/latest/admin/install/docker.html#docker-environment
Variables to set Variables to set
* ENABLE_HTTPS: `1` - ENABLE_HTTPS: `1`
* SAML_IDP_ENTITY_ID: `https://authentik.company/application/saml/weblate-slug/sso/binding/redirect/` - SAML_IDP_ENTITY_ID: `https://authentik.company/application/saml/weblate-slug/sso/binding/redirect/`
* SAML_IDP_URL: `https://authentik.company/application/saml/weblate-slug/sso/binding/redirect/` - SAML_IDP_URL: `https://authentik.company/application/saml/weblate-slug/sso/binding/redirect/`
* SAML_IDP_X509CERT: `MIIFDjCCAvagAwIBAgIRAJV8hH0wGkhGvbhhDKppWIYwDQYJKoZIhvcNAQELBQAw....F9lT9hHwHhsnA=` - SAML_IDP_X509CERT: `MIIFDjCCAvagAwIBAgIRAJV8hH0wGkhGvbhhDKppWIYwDQYJKoZIhvcNAQELBQAw....F9lT9hHwHhsnA=`
The `SAML_IDP_X509CERT` is the certificate in the SAML Metadata `X509Certificate` key. The `SAML_IDP_X509CERT` is the certificate in the SAML Metadata `X509Certificate` key.
Should you wish to only allow registration and login through Authentik, you should set the following variables as well. Should you wish to only allow registration and login through Authentik, you should set the following variables as well.
* REGISTRATION_OPEN: `0` - REGISTRATION_OPEN: `0`
* REGISTRATION_ALLOW_BACKENDS: `saml` - REGISTRATION_ALLOW_BACKENDS: `saml`
* REQUIRE_LOGIN: `1` - REQUIRE_LOGIN: `1`
* NO_EMAIL_AUTH: `1` - NO_EMAIL_AUTH: `1`
Should you wish to deploy this in a container prefix all the variables with `WEBLATE_` and set them as enviornment variables Should you wish to deploy this in a container prefix all the variables with `WEBLATE_` and set them as enviornment variables


@ -28,8 +28,8 @@ Note the Client ID and Client Secret values. Create an application, using the pr
## Wekan ## Wekan
import Tabs from '@theme/Tabs'; import Tabs from "@theme/Tabs";
import TabItem from '@theme/TabItem'; import TabItem from "@theme/TabItem";
<Tabs <Tabs
defaultValue="docker" defaultValue="docker"
@ -41,8 +41,7 @@ import TabItem from '@theme/TabItem';
If your Wekan is running in docker, add the following environment variables for authentik If your Wekan is running in docker, add the following environment variables for authentik
```yaml ```yaml
environment: environment: OAUTH2_ENABLED=true
OAUTH2_ENABLED=true
OAUTH2_LOGIN_STYLE=redirect OAUTH2_LOGIN_STYLE=redirect
OAUTH2_CLIENT_ID=<Client ID from above> OAUTH2_CLIENT_ID=<Client ID from above>
OAUTH2_SERVER_URL=https://authentik.company OAUTH2_SERVER_URL=https://authentik.company
@ -55,6 +54,7 @@ environment:
OAUTH2_FULLNAME_MAP=given_name OAUTH2_FULLNAME_MAP=given_name
OAUTH2_EMAIL_MAP=email OAUTH2_EMAIL_MAP=email
``` ```
</TabItem> </TabItem>
<TabItem value="standalone"> <TabItem value="standalone">
@ -75,5 +75,6 @@ edit `.env` and add the following:
OAUTH2_FULLNAME_MAP='given_name' OAUTH2_FULLNAME_MAP='given_name'
OAUTH2_EMAIL_MAP='email' OAUTH2_EMAIL_MAP='email'
``` ```
</TabItem> </TabItem>
</Tabs> </Tabs>


@ -69,4 +69,3 @@ In authentik, create an application which uses this provider. Optionally apply a
Set the Launch URL to the _Callback URL / Redirect URI_ without the `/callback` at the end, as shown below. This will skip Wiki.js' login prompt and log you in directly. Set the Launch URL to the _Callback URL / Redirect URI_ without the `/callback` at the end, as shown below. This will skip Wiki.js' login prompt and log you in directly.
![](./authentik_application.png) ![](./authentik_application.png)


@ -30,13 +30,13 @@ Only settings that have been modified from default have been listed.
::: :::
**Protocol Settings** **Protocol Settings**
- Name: Wordpress - Name: Wordpress
- Client type: Confidential - Client type: Confidential
- Client ID: Copy and Save this for Later - Client ID: Copy and Save this for Later
- Client Secret: Copy and Save this for later - Client Secret: Copy and Save this for later
- Redirect URIs/Origins: `https://wp.company/wp-admin/admin-ajax.php?action=openid-connect-authorize` - Redirect URIs/Origins: `https://wp.company/wp-admin/admin-ajax.php?action=openid-connect-authorize`
### Step 2 - Wordpress ### Step 2 - Wordpress
:::note :::note
@ -58,7 +58,6 @@ Only settings that have been modified from default have been listed.
- Token Validation Endpoint URL: `https://authentik.company/application/o/token/` - Token Validation Endpoint URL: `https://authentik.company/application/o/token/`
- End Session Endpoint URL: `https://authentik.company/application/o/wordpress/end-session/` - End Session Endpoint URL: `https://authentik.company/application/o/wordpress/end-session/`
:::note :::note
Review each setting and choose the ones that you require for your installation. Examples of popular settings are _Link Existing Users_, _Create user if does not exist_, and _Enforce Privacy_ Review each setting and choose the ones that you require for your installation. Examples of popular settings are _Link Existing Users_, _Create user if does not exist_, and _Enforce Privacy_
::: :::
@ -72,7 +71,6 @@ In authentik, create an application which uses this provider. Optionally apply a
- Provider: wordpress - Provider: wordpress
- Launch URL: https://wp.company - Launch URL: https://wp.company
## Notes ## Notes
:::note :::note


@ -61,4 +61,3 @@ For additional security you can enable the Verification Certificate by checking
``` ```
$SSO['IDP_CERT'] = '<path to the IDP cert file>'; $SSO['IDP_CERT'] = '<path to the IDP cert file>';
``` ```


@ -63,6 +63,7 @@ The certificate file name must match the idp identifier name you set in the conf
:::note :::note
Remember to restart Zulip. Remember to restart Zulip.
::: :::
## Additional Resources ## Additional Resources
Please refer to the following for further information: Please refer to the following for further information:


@ -27,7 +27,7 @@ The following placeholders will be used:
![](./02_delegate.png) ![](./02_delegate.png)
7. Grant these additional permissions (only required when *Sync users' password* is enabled, and dependent on your AD Domain) 7. Grant these additional permissions (only required when _Sync users' password_ is enabled, and dependent on your AD Domain)
![](./03_additional_perms.png) ![](./03_additional_perms.png)


@ -10,22 +10,24 @@ The following placeholders will be used:
## Azure setup ## Azure setup
1. Navigate to [portal.azure.com](https://portal.azure.com), and open the *App registration* service 1. Navigate to [portal.azure.com](https://portal.azure.com), and open the _App registration_ service
2. Register a new application 2. Register a new application
Under *Supported account types*, select whichever account type applies to your use-case. Under _Supported account types_, select whichever account type applies to your use-case.
![](./aad_01.png) ![](./aad_01.png)
3. Take note of the *Application (client) ID* value.
If you selected *Single tenant* in the *Supported account types* prompt, also note the *Directory (tenant) ID* value. 3. Take note of the _Application (client) ID_ value.
4. Navigate to *Certificates & secrets* in the sidebar, and to the *Client secrets* tab.
If you selected _Single tenant_ in the _Supported account types_ prompt, also note the _Directory (tenant) ID_ value.
4. Navigate to _Certificates & secrets_ in the sidebar, and to the _Client secrets_ tab.
5. Add a new secret, with an identifier of your choice, and select any expiration. Currently the secret in authentik has to be rotated manually or via API, so it is recommended to choose at least 12 months. 5. Add a new secret, with an identifier of your choice, and select any expiration. Currently the secret in authentik has to be rotated manually or via API, so it is recommended to choose at least 12 months.
6. Note the secret's value in the *Value* column. 6. Note the secret's value in the _Value_ column.
## authentik Setup ## authentik Setup
In authentik, create a new *Azure AD OAuth Source* in Resources -> Sources. In authentik, create a new _Azure AD OAuth Source_ in Resources -> Sources.
Use the following settings: Use the following settings:
@ -34,7 +36,7 @@ Use the following settings:
- Consumer key: `*Application (client) ID* value from above` - Consumer key: `*Application (client) ID* value from above`
- Consumer secret: `*Value* of the secret from above` - Consumer secret: `*Value* of the secret from above`
If you kept the default *Supported account types* selection of *Single tenant*, then you must change the URLs below as well: If you kept the default _Supported account types_ selection of _Single tenant_, then you must change the URLs below as well:
- Authorization URL: `https://login.microsoftonline.com/*Directory (tenant) ID* from above/oauth2/v2.0/authorize` - Authorization URL: `https://login.microsoftonline.com/*Directory (tenant) ID* from above/oauth2/v2.0/authorize`
- Access token URL: `https://login.microsoftonline.com/*Directory (tenant) ID* from above/oauth2/v2.0/token` - Access token URL: `https://login.microsoftonline.com/*Directory (tenant) ID* from above/oauth2/v2.0/token`


@ -10,7 +10,6 @@ The following placeholders will be used:
- `authentik.company` is the FQDN of the authentik install. - `authentik.company` is the FQDN of the authentik install.
## Discord ## Discord
1. Create an application in the Discord Developer Portal (This is Free) https://discord.com/developers/applications 1. Create an application in the Discord Developer Portal (This is Free) https://discord.com/developers/applications


@ -40,6 +40,7 @@ The following placeholders will be used:
Additional info: [22.1.2. Enabling Password Reset Without Prompting for a Password Change at the Next Login](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/user-authentication#user-passwords-no-expiry) Additional info: [22.1.2. Enabling Password Reset Without Prompting for a Password Change at the Next Login](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/user-authentication#user-passwords-no-expiry)
## authentik Setup ## authentik Setup
In authentik, create a new LDAP Source in Resources -> Sources. In authentik, create a new LDAP Source in Resources -> Sources.
Use these settings: Use these settings:


@ -35,7 +35,6 @@ You will need to create a new project, and OAuth credentials in the Google Devel
![Example Screen](googledeveloper4.png) ![Example Screen](googledeveloper4.png)
10. **User Type:** If you do not have a Google Workspace (GSuite) account choose _External_. If you do have a Google Workspace (Gsuite) account and want to limit access to only users inside of your organization choose _Internal_ 10. **User Type:** If you do not have a Google Workspace (GSuite) account choose _External_. If you do have a Google Workspace (Gsuite) account and want to limit access to only users inside of your organization choose _Internal_
_I'm only going to list the mandatory/important fields to complete._ _I'm only going to list the mandatory/important fields to complete._
@ -47,7 +46,7 @@ _I'm only going to list the mandatory/important fields to complete._
15. Click **Save and Continue** 15. Click **Save and Continue**
16. If you have special scopes configured for google, enter them on this screen. If not click **Save and Continue** 16. If you have special scopes configured for google, enter them on this screen. If not click **Save and Continue**
17. If you want to create Test Users enter them here, if not click **Save and Continue** 17. If you want to create Test Users enter them here, if not click **Save and Continue**
18. From the _Summary Page_ click on the **Credentials* link on the left. Same link as step 8 18. From the _Summary Page_ click on the \*_Credentials_ link on the left. Same link as step 8
19. Click **Create Credentials** on the top of the screen 19. Click **Create Credentials** on the top of the screen
20. Choose **OAuth Client ID** 20. Choose **OAuth Client ID**


@ -7,6 +7,7 @@ Sources allow you to connect authentik to an existing user directory. They can a
### Add Sources to Default Login Page ### Add Sources to Default Login Page
To have sources show on the default login screen you will need to add them. This is assuming you have not created or renamed the default stages and flows. To have sources show on the default login screen you will need to add them. This is assuming you have not created or renamed the default stages and flows.
1. Access the **Flows** section 1. Access the **Flows** section
2. Click on **default-authentication-flow** 2. Click on **default-authentication-flow**
3. Click the **Stage Bindings** tab 3. Click the **Stage Bindings** tab


@ -16,6 +16,6 @@ Add _Plex_ as a _source_
- Slug: Set a slug - Slug: Set a slug
- Client ID: Set a unique Client Id or leave the generated ID - Client ID: Set a unique Client Id or leave the generated ID
- Press _Load Servers_ to login to plex and pick the authorized Plex Servers for "allowed users" - Press _Load Servers_ to login to plex and pick the authorized Plex Servers for "allowed users"
- Decide if *anyone* with a plex account can authenticate or only friends you share with - Decide if _anyone_ with a plex account can authenticate or only friends you share with
Save, and you now have Plex as a source. Save, and you now have Plex as a source.


@ -14,6 +14,6 @@ exports.handler = async function (event, context) {
headers: { headers: {
"content-type": "text/html", "content-type": "text/html",
}, },
body: `<meta name="go-import" content="${event.headers.host}${event.path} git https://github.com/${gitHubNamespace}${repo}">` body: `<meta name="go-import" content="${event.headers.host}${event.path} git https://github.com/${gitHubNamespace}${repo}">`,
}; };
} };
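Review bot: The `body` line builds an HTML attribute from `${event.headers.host}${event.path}` and `${gitHubNamespace}${repo}` with no escaping, and the response is served as `text/html`, so a `"` or `>` in the request path would break out of the `content` attribute; how `repo` is derived is outside this hunk, and whether the function is reachable with an arbitrary path depends on the site's redirect rules, so the practical exposure is unclear from here. A tight allow-list before the body is built closes it regardless: `if (!/^\/[\w.-]+(\/[\w.-]+)*\/?$/.test(event.path)) return { statusCode: 400, body: "" };`, and the same check is worth applying to `repo` where it is computed. The enclosing `exports.handler` starts outside the hunk.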


@ -9,8 +9,8 @@ const config = {
}; };
async function getToken(event) { async function getToken(event) {
const fetch = await import('node-fetch'); const fetch = await import("node-fetch");
const querystring = await import('querystring'); const querystring = await import("querystring");
let scope = event.queryStringParameters["scope"]; let scope = event.queryStringParameters["scope"];
let tokenParams = { let tokenParams = {
service: config.registryService, service: config.registryService,
@ -28,12 +28,14 @@ async function getToken(event) {
} else { } else {
console.debug(`oci-proxy[token]: no scope`); console.debug(`oci-proxy[token]: no scope`);
// For non-scoped requests, we need to forward some URL parameters // For non-scoped requests, we need to forward some URL parameters
["account", "client_id", "offline_token", "token"].forEach(param => { ["account", "client_id", "offline_token", "token"].forEach((param) => {
tokenParams[param] = event.queryStringParameters[param] tokenParams[param] = event.queryStringParameters[param];
}); });
} }
const tokenUrl = `${config.registryTokenEndpoint}?${querystring.stringify(tokenParams)}` const tokenUrl = `${config.registryTokenEndpoint}?${querystring.stringify(
console.debug(`oci-proxy[token]: final URL to fetch: ${tokenUrl}`) tokenParams
)}`;
console.debug(`oci-proxy[token]: final URL to fetch: ${tokenUrl}`);
const tokenRes = await fetch.default(tokenUrl, { const tokenRes = await fetch.default(tokenUrl, {
headers: forwardHeaders, headers: forwardHeaders,
}); });
@ -51,7 +53,10 @@ exports.handler = async function (event, context) {
console.debug("oci-proxy: handler=token proxy"); console.debug("oci-proxy: handler=token proxy");
return await getToken(event); return await getToken(event);
} }
if (event.headers.authorization && event.headers.authorization.startsWith("Bearer ")) { if (
event.headers.authorization &&
event.headers.authorization.startsWith("Bearer ")
) {
console.debug("oci-proxy: authenticated root handler, returning 200"); console.debug("oci-proxy: authenticated root handler, returning 200");
return { return {
statusCode: 200, statusCode: 200,
@ -60,9 +65,11 @@ exports.handler = async function (event, context) {
"content-type": "application/json", "content-type": "application/json",
}, },
body: JSON.stringify({}), body: JSON.stringify({}),
};
} }
} console.debug(
console.debug("oci-proxy: root handler, returning 401 with www-authenticate"); "oci-proxy: root handler, returning 401 with www-authenticate"
);
return { return {
statusCode: 401, statusCode: 401,
headers: { headers: {
@ -72,4 +79,4 @@ exports.handler = async function (event, context) {
}, },
body: JSON.stringify({}), body: JSON.stringify({}),
}; };
} };
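Review bot: In the `getToken` hunk, the `forEach` over `["account", "client_id", "offline_token", "token"]` copies `event.queryStringParameters[param]` unconditionally, so a parameter the client did not send is stored as `undefined` and `querystring.stringify` then emits it as an empty value (`account=&client_id=&...`) in the forwarded token URL, which the upstream registry may treat differently from an absent parameter. Copy only what was actually present: `const value = event.queryStringParameters[param];` followed by `if (value !== undefined) tokenParams[param] = value;`. It is also worth a comment on the `startsWith("Bearer ")` branch in `exports.handler` stating that the token is deliberately not validated here (the 200 only satisfies the registry ping and real authorization happens upstream), since as written a reader cannot tell that from the code; if that is not the intent, the token needs to be checked before returning 200. `getToken` and `exports.handler` both start outside their hunks.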


@ -9,7 +9,9 @@
"build-docs-only": "docusaurus build --config docusaurus.docs-only.js --out-dir help", "build-docs-only": "docusaurus build --config docusaurus.docs-only.js --out-dir help",
"swizzle": "docusaurus swizzle", "swizzle": "docusaurus swizzle",
"deploy": "docusaurus deploy", "deploy": "docusaurus deploy",
"serve": "docusaurus serve" "serve": "docusaurus serve",
"prettier-check": "prettier --check .",
"prettier": "prettier --write ."
}, },
"dependencies": { "dependencies": {
"@docusaurus/plugin-client-redirects": "2.0.0-beta.18", "@docusaurus/plugin-client-redirects": "2.0.0-beta.18",


@ -146,16 +146,12 @@ module.exports = {
{ {
type: "category", type: "category",
label: "User", label: "User",
items: [ items: ["interfaces/user/customization"],
"interfaces/user/customization",
],
}, },
{ {
type: "category", type: "category",
label: "Admin", label: "Admin",
items: [ items: ["interfaces/admin/customization"],
"interfaces/admin/customization",
],
}, },
], ],
}, },


@ -35,33 +35,99 @@ function Comparison() {
<tbody> <tbody>
<tr> <tr>
<td className="row-label">SAML2</td> <td className="row-label">SAML2</td>
<td className="result passed authentik"><Check></Check></td> <td className="result passed authentik">
<td className="result passed"><Check></Check></td> <Check></Check>
<td className="result passed"><Check></Check></td> </td>
<td className="result passed"><Check></Check></td> <td className="result passed">
<td className="result passed"><Check></Check></td> <Check></Check>
<td className="result passed"><Check></Check></td> </td>
<td className="result failed"><X></X></td> <td className="result passed">
<Check></Check>
</td>
<td className="result passed">
<Check></Check>
</td>
<td className="result passed">
<Check></Check>
</td>
<td className="result passed">
<Check></Check>
</td>
<td className="result failed">
<X></X>
</td>
</tr> </tr>
<tr> <tr>
<td className="row-label">OAuth2 and OIDC</td> <td className="row-label">OAuth2 and OIDC</td>
<td className="result passed authentik"><Check></Check></td> <td className="result passed authentik">
<td className="result passed"><Check></Check></td> <Check></Check>
<td className="result passed"><Check></Check></td> </td>
<td className="result passed"><Check></Check></td> <td className="result passed">
<td className="result passed"><Check></Check></td> <Check></Check>
<td className="result passed"><Check></Check></td> </td>
<td className="result failed"><X></X></td> <td className="result passed">
<Check></Check>
</td>
<td className="result passed">
<Check></Check>
</td>
<td className="result passed">
<Check></Check>
</td>
<td className="result passed">
<Check></Check>
</td>
<td className="result failed">
<X></X>
</td>
</tr> </tr>
<tr> <tr>
<td className="row-label">LDAP</td> <td className="row-label">LDAP</td>
<td className="result passed authentik"><Check></Check></td> <td className="result passed authentik">
<td className="result failed"><X></X></td> <Check></Check>
<td className="result failed"><X></X></td> </td>
<td className="result warning"><AlertTriangle></AlertTriangle></td> <td className="result failed">
<td className="result passed"><Check></Check></td> <X></X>
<td className="result passed"><Check></Check></td> </td>
<td className="result failed"><X></X></td> <td className="result failed">
<X></X>
</td>
<td className="result warning">
<AlertTriangle></AlertTriangle>
</td>
<td className="result passed">
<Check></Check>
</td>
<td className="result passed">
<Check></Check>
</td>
<td className="result failed">
<X></X>
</td>
</tr>
<tr>
<td className="row-label">SCIM</td>
<td className="result failed authentik">
<X></X>
</td>
<td className="result warning">
<AlertTriangle></AlertTriangle>
</td>
<td className="result failed">
<X></X>
</td>
<td className="result passed">
<Check></Check>
</td>
<td className="result passed">
<Check></Check>
</td>
<td className="result failed">
<X></X>
</td>
<td className="result failed">
<X></X>
</td>
</tr> </tr>
</tbody> </tbody>
<thead className="group"> <thead className="group">
@ -79,43 +145,123 @@ function Comparison() {
<tbody> <tbody>
<tr> <tr>
<td className="row-label">SAML2</td> <td className="row-label">SAML2</td>
<td className="result passed authentik"><Check></Check></td> <td className="result passed authentik">
<td className="result passed"><Check></Check></td> <Check></Check>
<td className="result failed"><X></X></td> </td>
<td className="result passed"><Check></Check></td> <td className="result passed">
<td className="result passed"><Check></Check></td> <Check></Check>
<td className="result passed"><Check></Check></td> </td>
<td className="result failed"><X></X></td> <td className="result failed">
<X></X>
</td>
<td className="result passed">
<Check></Check>
</td>
<td className="result passed">
<Check></Check>
</td>
<td className="result passed">
<Check></Check>
</td>
<td className="result failed">
<X></X>
</td>
</tr> </tr>
<tr> <tr>
<td className="row-label">OAuth2 and OIDC</td> <td className="row-label">OAuth2 and OIDC</td>
<td className="result passed authentik"><Check></Check></td> <td className="result passed authentik">
<td className="result passed"><Check></Check></td> <Check></Check>
<td className="result failed"><X></X></td> </td>
<td className="result passed"><Check></Check></td> <td className="result passed">
<td className="result passed"><Check></Check></td> <Check></Check>
<td className="result passed"><Check></Check></td> </td>
<td className="result failed"><X></X></td> <td className="result failed">
<X></X>
</td>
<td className="result passed">
<Check></Check>
</td>
<td className="result passed">
<Check></Check>
</td>
<td className="result passed">
<Check></Check>
</td>
<td className="result failed">
<X></X>
</td>
</tr> </tr>
<tr> <tr>
<td className="row-label">OAuth1</td> <td className="row-label">OAuth1</td>
<td className="result passed authentik"><Check></Check></td> <td className="result passed authentik">
<td className="result passed"><Check></Check></td> <Check></Check>
<td className="result failed"><X></X></td> </td>
<td className="result failed"><X></X></td> <td className="result passed">
<td className="result failed"><X></X></td> <Check></Check>
<td className="result failed"><X></X></td> </td>
<td className="result failed"><X></X></td> <td className="result failed">
<X></X>
</td>
<td className="result failed">
<X></X>
</td>
<td className="result failed">
<X></X>
</td>
<td className="result failed">
<X></X>
</td>
<td className="result failed">
<X></X>
</td>
</tr> </tr>
<tr> <tr>
<td className="row-label">LDAP</td> <td className="row-label">LDAP</td>
<td className="result passed authentik"><Check></Check></td> <td className="result passed authentik">
<td className="result passed"><Check></Check></td> <Check></Check>
<td className="result passed"><Check></Check></td> </td>
<td className="result passed"><Check></Check></td> <td className="result passed">
<td className="result passed"><Check></Check></td> <Check></Check>
<td className="result passed"><Check></Check></td> </td>
<td className="result passed"><Check></Check></td> <td className="result passed">
<Check></Check>
</td>
<td className="result passed">
<Check></Check>
</td>
<td className="result passed">
<Check></Check>
</td>
<td className="result passed">
<Check></Check>
</td>
<td className="result passed">
<Check></Check>
</td>
</tr>
<tr>
<td className="row-label">SCIM</td>
<td className="result failed authentik">
<X></X>
</td>
<td className="result warning">
<AlertTriangle></AlertTriangle>
</td>
<td className="result failed">
<X></X>
</td>
<td className="result passed">
<Check></Check>
</td>
<td className="result passed">
<Check></Check>
</td>
<td className="result failed">
<X></X>
</td>
<td className="result failed">
<X></X>
</td>
</tr> </tr>
</tbody> </tbody>
<thead className="group"> <thead className="group">
@ -133,33 +279,75 @@ function Comparison() {
<tbody> <tbody>
<tr> <tr>
<td className="row-label">Authentication</td> <td className="row-label">Authentication</td>
<td className="result passed authentik"><Check></Check></td> <td className="result passed authentik">
<td className="result passed"><Check></Check></td> <Check></Check>
<td className="result passed"><Check></Check></td> </td>
<td className="result passed"><Check></Check></td> <td className="result passed">
<td className="result passed"><Check></Check></td> <Check></Check>
<td className="result passed"><Check></Check></td> </td>
<td className="result passed"><Check></Check></td> <td className="result passed">
<Check></Check>
</td>
<td className="result passed">
<Check></Check>
</td>
<td className="result passed">
<Check></Check>
</td>
<td className="result passed">
<Check></Check>
</td>
<td className="result passed">
<Check></Check>
</td>
</tr> </tr>
<tr> <tr>
<td className="row-label">Enrollment</td> <td className="row-label">Enrollment</td>
<td className="result passed authentik"><Check></Check></td> <td className="result passed authentik">
<td className="result passed"><Check></Check></td> <Check></Check>
<td className="result failed"><X></X></td> </td>
<td className="result failed"><X></X></td> <td className="result passed">
<td className="result failed"><X></X></td> <Check></Check>
<td className="result failed"><X></X></td> </td>
<td className="result failed"><X></X></td> <td className="result failed">
<X></X>
</td>
<td className="result failed">
<X></X>
</td>
<td className="result failed">
<X></X>
</td>
<td className="result failed">
<X></X>
</td>
<td className="result failed">
<X></X>
</td>
</tr> </tr>
<tr> <tr>
<td className="row-label">Self-service</td> <td className="row-label">Self-service</td>
<td className="result passed authentik"><Check></Check></td> <td className="result passed authentik">
<td className="result passed"><Check></Check></td> <Check></Check>
<td className="result passed"><Check></Check></td> </td>
<td className="result passed"><Check></Check></td> <td className="result passed">
<td className="result passed"><Check></Check></td> <Check></Check>
<td className="result passed"><Check></Check></td> </td>
<td className="result failed"><X></X></td> <td className="result passed">
<Check></Check>
</td>
<td className="result passed">
<Check></Check>
</td>
<td className="result passed">
<Check></Check>
</td>
<td className="result passed">
<Check></Check>
</td>
<td className="result failed">
<X></X>
</td>
</tr> </tr>
</tbody> </tbody>
<thead className="group"> <thead className="group">
@ -177,43 +365,101 @@ function Comparison() {
<tbody> <tbody>
<tr> <tr>
<td className="row-label">MFA</td> <td className="row-label">MFA</td>
<td className="result passed authentik"><Check></Check></td> <td className="result passed authentik">
<td className="result passed"><Check></Check></td> <Check></Check>
<td className="result failed"><X></X></td> </td>
<td className="result failed"><Check></Check></td> <td className="result passed">
<td className="result failed"><Check></Check></td> <Check></Check>
<td className="result passed"><Check></Check></td> </td>
<td className="result passed"><Check></Check></td> <td className="result failed">
<X></X>
</td>
<td className="result failed">
<Check></Check>
</td>
<td className="result failed">
<Check></Check>
</td>
<td className="result passed">
<Check></Check>
</td>
<td className="result passed">
<Check></Check>
</td>
</tr> </tr>
<tr> <tr>
<td className="row-label">Conditional Access</td> <td className="row-label">
<td className="result passed authentik"><Check></Check></td> Conditional Access
<td className="result passed"><Check></Check></td> </td>
<td className="result passed"><Check></Check></td> <td className="result passed authentik">
<td className="result warning"><AlertTriangle></AlertTriangle></td> <Check></Check>
<td className="result passed"><Check></Check></td> </td>
<td className="result warning"><AlertTriangle></AlertTriangle></td> <td className="result passed">
<td className="result passed"><Check></Check></td> <Check></Check>
</td>
<td className="result passed">
<Check></Check>
</td>
<td className="result warning">
<AlertTriangle></AlertTriangle>
</td>
<td className="result passed">
<Check></Check>
</td>
<td className="result warning">
<AlertTriangle></AlertTriangle>
</td>
<td className="result passed">
<Check></Check>
</td>
</tr> </tr>
<tr> <tr>
<td className="row-label">Open-source</td> <td className="row-label">Open-source</td>
<td className="result passed authentik"><Check></Check></td> <td className="result passed authentik">
<td className="result passed"><Check></Check></td> <Check></Check>
<td className="result failed"><X></X></td> </td>
<td className="result failed"><X></X></td> <td className="result passed">
<td className="result failed"><X></X></td> <Check></Check>
<td className="result failed"><X></X></td> </td>
<td className="result passed"><Check></Check></td> <td className="result failed">
<X></X>
</td>
<td className="result failed">
<X></X>
</td>
<td className="result failed">
<X></X>
</td>
<td className="result failed">
<X></X>
</td>
<td className="result passed">
<Check></Check>
</td>
</tr> </tr>
<tr> <tr>
<td className="row-label">Application Proxy</td> <td className="row-label">Application Proxy</td>
<td className="result passed authentik"><Check></Check></td> <td className="result passed authentik">
<td className="result warning"><AlertTriangle></AlertTriangle></td> <Check></Check>
<td className="result warning"><AlertTriangle></AlertTriangle></td> </td>
<td className="result passed"><Check></Check></td> <td className="result warning">
<td className="result failed"><X></X></td> <AlertTriangle></AlertTriangle>
<td className="result failed"><X></X></td> </td>
<td className="result warning"><AlertTriangle></AlertTriangle></td> <td className="result warning">
<AlertTriangle></AlertTriangle>
</td>
<td className="result passed">
<Check></Check>
</td>
<td className="result failed">
<X></X>
</td>
<td className="result failed">
<X></X>
</td>
<td className="result warning">
<AlertTriangle></AlertTriangle>
</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>


@ -37,7 +37,6 @@
max-height: 200px; max-height: 200px;
} }
.before-after-slider img { .before-after-slider img {
max-width: none; max-width: none;
} }
@ -154,7 +153,7 @@ table.comparison tr td.result.warning {
color: var(--ifm-color-warning); color: var(--ifm-color-warning);
} }
table.comparison tr td.result.passed.authentik { table.comparison tr td.result.authentik {
background: var(--ifm-color-primary); background: var(--ifm-color-primary);
color: var(--ifm-color-secondary); color: var(--ifm-color-secondary);
} }


@ -11,8 +11,9 @@ function APIBrowser() {
<Layout title="API Browser" description={siteConfig.tagline}> <Layout title="API Browser" description={siteConfig.tagline}>
<BrowserOnly> <BrowserOnly>
{() => { {() => {
import('rapidoc'); import("rapidoc");
return <rapi-doc return (
<rapi-doc
spec-url={useBaseUrl("schema.yaml")} spec-url={useBaseUrl("schema.yaml")}
allow-try="false" allow-try="false"
show-header="false" show-header="false"
@ -20,8 +21,9 @@ function APIBrowser() {
render-style="view" render-style="view"
primary-color="#fd4b2d" primary-color="#fd4b2d"
allow-spec-url-load="false" allow-spec-url-load="false"
allow-spec-file-load="false"> allow-spec-file-load="false"
</rapi-doc> ></rapi-doc>
);
}} }}
</BrowserOnly> </BrowserOnly>
</Layout> </Layout>
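Review bot: The `import("rapidoc");` on the first hunk's second line discards the promise it returns, so a failed module load is never surfaced and the `<rapi-doc>` element below is rendered whether or not the custom element has been registered. Either handle the rejection or mark the discard as deliberate, e.g. `import("rapidoc").catch((err) => console.error("rapidoc failed to load", err));`. Because the arrow passed to `BrowserOnly` is a render callback, the dynamic import is also re-issued on every render; running it once (module scope or an effect) would be cleaner, though the enclosing `APIBrowser` function starts outside the hunk so I cannot see what else constrains it.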


@ -7,7 +7,7 @@ import useDocusaurusContext from "@docusaurus/useDocusaurusContext";
import useBaseUrl from "@docusaurus/useBaseUrl"; import useBaseUrl from "@docusaurus/useBaseUrl";
import styles from "./styles.module.css"; import styles from "./styles.module.css";
import Comparison from "../comparison"; import Comparison from "../comparison";
import 'react-before-after-slider-component/dist/build.css'; import "react-before-after-slider-component/dist/build.css";
const features = [ const features = [
{ {
@ -87,7 +87,10 @@ function Home() {
</div> </div>
</div> </div>
<div className="col text--center hero_image"> <div className="col text--center hero_image">
<img alt="authentik logo" src={useBaseUrl("img/icon_top_brand.svg")} /> <img
alt="authentik logo"
src={useBaseUrl("img/icon_top_brand.svg")}
/>
</div> </div>
</div> </div>
</div> </div>
@ -105,17 +108,23 @@ function Home() {
<div> <div>
<BrowserOnly> <BrowserOnly>
{() => { {() => {
const ReactBeforeSliderComponent = require('react-before-after-slider-component'); const ReactBeforeSliderComponent = require("react-before-after-slider-component");
return <ReactBeforeSliderComponent return (
<ReactBeforeSliderComponent
firstImage={{ firstImage={{
id: 1, id: 1,
imageUrl: useBaseUrl("img/screen_apps_light.jpg"), imageUrl: useBaseUrl(
"img/screen_apps_light.jpg"
),
}} }}
secondImage={{ secondImage={{
id: 2, id: 2,
imageUrl: useBaseUrl("img/screen_apps_dark.jpg"), imageUrl: useBaseUrl(
"img/screen_apps_dark.jpg"
),
}} }}
/> />
);
}} }}
</BrowserOnly> </BrowserOnly>
</div> </div>
@ -123,13 +132,13 @@ function Home() {
<div className="col col--5 col--offset-2 padding-vert--xl"> <div className="col col--5 col--offset-2 padding-vert--xl">
<h2>What is authentik?</h2> <h2>What is authentik?</h2>
<p> <p>
authentik is an open-source Identity Provider authentik is an open-source Identity
focused on flexibility and versatility. You Provider focused on flexibility and
can use authentik in an existing environment versatility. You can use authentik in an
to add support for new protocols, implement existing environment to add support for new
sign-up/recovery/etc. in your application so protocols, implement sign-up/recovery/etc.
you don't have to deal with it, and many other in your application so you don't have to
things. deal with it, and many other things.
</p> </p>
</div> </div>
</div> </div>
@ -138,11 +147,12 @@ function Home() {
<h2>Utmost flexibility</h2> <h2>Utmost flexibility</h2>
<p> <p>
You can adopt authentik to your environment, You can adopt authentik to your environment,
regardless of your requirements. Need an Active-Directory regardless of your requirements. Need an
integrated SSO Provider? Do you want Active-Directory integrated SSO Provider? Do
to implement a custom enrollment process for your you want to implement a custom enrollment
customers? Are you developing an application and process for your customers? Are you
don't want to deal with User verification and recovery? developing an application and don't want to
deal with User verification and recovery?
authentik can do all of that, and more! authentik can do all of that, and more!
</p> </p>
</div> </div>
@ -150,17 +160,23 @@ function Home() {
<div> <div>
<BrowserOnly> <BrowserOnly>
{() => { {() => {
const ReactBeforeSliderComponent = require('react-before-after-slider-component'); const ReactBeforeSliderComponent = require("react-before-after-slider-component");
return <ReactBeforeSliderComponent return (
<ReactBeforeSliderComponent
firstImage={{ firstImage={{
id: 1, id: 1,
imageUrl: useBaseUrl("img/screen_admin_light.jpg"), imageUrl: useBaseUrl(
"img/screen_admin_light.jpg"
),
}} }}
secondImage={{ secondImage={{
id: 2, id: 2,
imageUrl: useBaseUrl("img/screen_admin_dark.jpg"), imageUrl: useBaseUrl(
"img/screen_admin_dark.jpg"
),
}} }}
/> />
);
}} }}
</BrowserOnly> </BrowserOnly>
</div> </div>