diff --git a/.github/workflows/ci-main.yml b/.github/workflows/ci-main.yml index a0a8cadb6..dfd9774ea 100644 --- a/.github/workflows/ci-main.yml +++ b/.github/workflows/ci-main.yml @@ -136,8 +136,8 @@ jobs: key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/**') }} - name: prepare web ui if: steps.cache-web.outputs.cache-hit != 'true' + working-directory: web run: | - cd web npm ci npm run build - name: run e2e @@ -169,8 +169,8 @@ jobs: key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/**') }} - name: prepare web ui if: steps.cache-web.outputs.cache-hit != 'true' + working-directory: web/ run: | - cd web npm ci npm run build - name: run e2e diff --git a/.github/workflows/ci-outpost.yml b/.github/workflows/ci-outpost.yml index 95be51bb2..7fdc87630 100644 --- a/.github/workflows/ci-outpost.yml +++ b/.github/workflows/ci-outpost.yml @@ -118,8 +118,8 @@ jobs: - name: Generate API run: make gen-client-go - name: Build web + working-directory: web/ run: | - cd web npm ci npm run build-proxy - name: Build outpost diff --git a/.github/workflows/ci-web.yml b/.github/workflows/ci-web.yml index dfb18e25b..6601d355a 100644 --- a/.github/workflows/ci-web.yml +++ b/.github/workflows/ci-web.yml @@ -20,15 +20,13 @@ jobs: node-version: '16' cache: 'npm' cache-dependency-path: web/package-lock.json - - run: | - cd web - npm ci + - working-directory: web/ + run: npm ci - name: Generate API run: make gen-client-web - name: Eslint - run: | - cd web - npm run lint + working-directory: web/ + run: npm run lint lint-prettier: runs-on: ubuntu-latest steps: @@ -38,15 +36,13 @@ jobs: node-version: '16' cache: 'npm' cache-dependency-path: web/package-lock.json - - run: | - cd web - npm ci + - working-directory: web/ + run: npm ci - name: Generate API run: make gen-client-web - name: prettier - run: | - cd web - npm run prettier-check + working-directory: web/ + run: npm run prettier-check lint-lit-analyse: runs-on: ubuntu-latest steps: 
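Review bot: The `prepare web ui` step in this hunk sets `working-directory: web`, while the identical step in the second hunk of the same file and every other workflow touched by this diff use `working-directory: web/`; both forms resolve to the same directory, but two copies of the same step should be spelled the same way, so change this one to `working-directory: web/`. The job this step belongs to begins before the hunk, so the cache step that produces `steps.cache-web` is not visible here.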
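Review bot: The new `npm ci` step in the first two jobs of `ci-web.yml` has no `name:`, so it appears in the run log only as its command while the neighbouring steps (`Generate API`, `Eslint`, `prettier`) are named; adding `- name: Install dependencies` above `working-directory: web/` keeps the step list readable and gives the step a stable label to reference. The same unnamed step is repeated in the remaining jobs of this file. The enclosing job (presumably `lint-eslint`, judging by the `needs:` list of `ci-web-mark` further down) starts before this hunk.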
@@ -56,15 +52,13 @@ jobs: node-version: '16' cache: 'npm' cache-dependency-path: web/package-lock.json - - run: | - cd web - npm ci + - working-directory: web/ + run: npm ci - name: Generate API run: make gen-client-web - name: lit-analyse - run: | - cd web - npm run lit-analyse + working-directory: web/ + run: npm run lit-analyse ci-web-mark: needs: - lint-eslint @@ -84,12 +78,10 @@ jobs: node-version: '16' cache: 'npm' cache-dependency-path: web/package-lock.json - - run: | - cd web - npm ci + - working-directory: web/ + run: npm ci - name: Generate API run: make gen-client-web - name: build - run: | - cd web - npm run build + working-directory: web/ + run: npm run build diff --git a/.github/workflows/ci-website.yml b/.github/workflows/ci-website.yml new file mode 100644 index 000000000..a5a4e4389 --- /dev/null +++ b/.github/workflows/ci-website.yml @@ -0,0 +1,33 @@ +name: authentik-ci-website + +on: + push: + branches: + - master + - next + - version-* + pull_request: + branches: + - master + +jobs: + lint-prettier: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3.1.1 + with: + node-version: '16' + cache: 'npm' + cache-dependency-path: website/package-lock.json + - working-directory: website/ + run: npm ci + - name: prettier + working-directory: website/ + run: npm run prettier-check + ci-web-mark: + needs: + - lint-prettier + runs-on: ubuntu-latest + steps: + - run: echo mark diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml index 7289db645..a8339fab8 100644 --- a/.github/workflows/release-publish.yml +++ b/.github/workflows/release-publish.yml @@ -97,8 +97,8 @@ jobs: cache: 'npm' cache-dependency-path: web/package-lock.json - name: Build web + working-directory: web/ run: | - cd web npm ci npm run build-proxy - name: Build outpost diff --git a/.github/workflows/web-api-publish.yml b/.github/workflows/web-api-publish.yml index c21e4dac0..115b221cc 100644 
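Review bot: The new `ci-website.yml` references `actions/checkout@v3` and `actions/setup-node@v3.1.1` by mutable tag in the `lint-prettier` job; for a workflow that runs on every pull request, pinning each action to a full-length commit SHA (keeping the tag in a trailing comment, e.g. `- uses: actions/checkout@<sha> # v3`) removes the risk of a re-tagged release pulling unreviewed code into CI. The workflow also declares no top-level `permissions:` block, so its jobs receive whatever default `GITHUB_TOKEN` scope the repository grants; both jobs only read the checkout, so `permissions: { contents: read }` at the top level is the least-privilege setting. The marker job is named `ci-web-mark`, the same job name used in `ci-web.yml` in this diff — if that name is used as a required status check, two workflows reporting the same check name may be ambiguous, so `ci-website-mark` would be the safer choice.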
--- a/.github/workflows/web-api-publish.yml +++ b/.github/workflows/web-api-publish.yml @@ -17,15 +17,15 @@ jobs: - name: Generate API Client run: make gen-client-web - name: Publish package + working-directory: gen-ts-api/ run: | - cd web-api/ npm ci npm publish env: NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }} - name: Upgrade /web + working-directory: web/ run: | - cd web/ export VERSION=`node -e 'console.log(require("../web-api/package.json").version)'` npm i @goauthentik/api@$VERSION - name: Create Pull Request diff --git a/website/.prettierignore b/website/.prettierignore index db6177e6f..4b64495dd 100644 --- a/website/.prettierignore +++ b/website/.prettierignore @@ -2,3 +2,6 @@ build coverage .docusaurus +node_modules +help +static diff --git a/website/developer-docs/api/flow-executor.md b/website/developer-docs/api/flow-executor.md index 6d30fd272..7be271c85 100644 --- a/website/developer-docs/api/flow-executor.md +++ b/website/developer-docs/api/flow-executor.md @@ -33,10 +33,7 @@ Below is the response, for example for an Identification stage. "component": "ak-stage-identification", // Stage-specific fields - "user_fields": [ - "username", - "email" - ], + "user_fields": ["username", "email"], "password_fields": false, "primary_action": "Log in", "sources": [] diff --git a/website/developer-docs/api/websocket.md b/website/developer-docs/api/websocket.md index b664ccac9..f7f165f80 100644 --- a/website/developer-docs/api/websocket.md +++ b/website/developer-docs/api/websocket.md @@ -4,7 +4,6 @@ title: Websocket API authentik has two different WebSocket endpoints, one is used for web-based clients to get real-time updates, and the other is used for outposts to report their healthiness. - ### Web `/ws/client/` :::info 
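Review bot: The `Upgrade /web` step still reads the published version from `../web-api/package.json`, while the `Publish package` step directly above now runs in `working-directory: gen-ts-api/`; if the generated client really lives in `gen-ts-api/`, that `require` path points at a directory the job no longer uses, the `node -e` call would fail, and because `export VERSION=\`…\`` reports `export`'s own exit status the failure is likely masked under the runner's `bash -e`, leaving `VERSION` empty and `npm i @goauthentik/api@` installing an unintended version. Change the line to `export VERSION=$(node -e 'console.log(require("../gen-ts-api/package.json").version)')`, or at least make both steps agree on the directory name. The remaining steps of this job (`Create Pull Request` onward) run past the end of the hunk.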
@@ -34,15 +33,15 @@ Authentication is done via the `Authorization` header, same as the regular API. All messages have two fields, `instruction` and `args`. Instruction is any number from this list: -- `0`: ACK, simply acknowledges the previous message -- `1`: HELLO, used for monitoring and regularly sent by outposts -- `2`: TRIGGER_UPDATE, sent by authentik to trigger a reload of the configuration +- `0`: ACK, simply acknowledges the previous message +- `1`: HELLO, used for monitoring and regularly sent by outposts +- `2`: TRIGGER_UPDATE, sent by authentik to trigger a reload of the configuration Arguments for these messages vary, all though these common args are always sent: -- `args['uuid']`: A unique UUID generated on startup of an outpost, used to uniquely identify it. +- `args['uuid']`: A unique UUID generated on startup of an outpost, used to uniquely identify it. These fields are only sent for HELLO instructions: -- `args['version']`: Version of the outpost -- `args['buildHash']`: Build hash of the outpost, when available +- `args['version']`: Version of the outpost +- `args['buildHash']`: Build hash of the outpost, when available diff --git a/website/developer-docs/docs/writing-documentation.md b/website/developer-docs/docs/writing-documentation.md index fd2c23a8a..d21b1e26c 100644 --- a/website/developer-docs/docs/writing-documentation.md +++ b/website/developer-docs/docs/writing-documentation.md 
@@ -7,19 +7,19 @@ the documentation is easy to read and uses similar phrasing. # General guidelines -- authentik should always be stylized as `authentik` (with a lower-case a and ending with a k) -- Documentation should use American english -- Feel free to use Docusaurus-specific features, see [here](https://docusaurus.io/docs/next/markdown-features) -- Use abbreviations where it makes sense (for commonly used terms like SAML and OAuth) -- Phrasing should never blame the user, and should be subjective, i.e +- authentik should always be stylized as `authentik` (with a lower-case a and ending with a k) +- Documentation should use American english +- Feel free to use Docusaurus-specific features, see [here](https://docusaurus.io/docs/next/markdown-features) +- Use abbreviations where it makes sense (for commonly used terms like SAML and OAuth) +- Phrasing should never blame the user, and should be subjective, i.e - - **DON'T** `You may never click x.` - - **DO** `x should never be clicked.` + - **DON'T** `You may never click x.` + - **DO** `x should never be clicked.` -- When referring to other objects in authentik, use _cursive_ text, and link to the corresponding documentation if possible. -- When referring to external tools, give an example how to use the tools or explain how the user can use them. -- Make sure to add the documentation to add to the sidebar, if adding a new page. -- Test how the documentation renders using the Netlify Preview, especially when using Docusaurus-specific features. +- When referring to other objects in authentik, use _cursive_ text, and link to the corresponding documentation if possible. +- When referring to external tools, give an example how to use the tools or explain how the user can use them. +- Make sure to add the documentation to add to the sidebar, if adding a new page. +- Test how the documentation renders using the Netlify Preview, especially when using Docusaurus-specific features. 
If you find any documentation that doesn't match these guidelines, feel free to either open an Issue or a PR so they can be fixed. @@ -27,12 +27,12 @@ If you find any documentation that doesn't match these guidelines, feel free to These guidelines apply in addition to the ones above. -- For placeholders, use angle brackets (``). +- For placeholders, use angle brackets (``). Make sure to also define if the placeholder is something the user needs to define, something another system defines, or randomly generated. If you're adding configuration snippets to the documentation, and the snippet is in a language that supports comments, other placeholders may be used, for example comments referencing an earlier step. -- For placeholder domains, use `authentik.company` and `app-name.company`, where `app-name` is the name of the application you are writing documentation for. -- Try to order the documentation in the order that makes it easiest for the user to configure. +- For placeholder domains, use `authentik.company` and `app-name.company`, where `app-name` is the name of the application you are writing documentation for. +- Try to order the documentation in the order that makes it easiest for the user to configure. diff --git a/website/developer-docs/index.md b/website/developer-docs/index.md index 6b04ac78f..51093b981 100644 --- a/website/developer-docs/index.md +++ b/website/developer-docs/index.md @@ -4,4 +4,3 @@ slug: / --- Welcome to the authentik developer documentation. authentik is fully open source and can be found here: https://github.com/goauthentik/authentik - diff --git a/website/developer-docs/setup/frontend-only-dev-environment.md b/website/developer-docs/setup/frontend-only-dev-environment.md index 676a54487..50076826e 100644 --- a/website/developer-docs/setup/frontend-only-dev-environment.md +++ b/website/developer-docs/setup/frontend-only-dev-environment.md 
@@ -6,9 +6,9 @@ If you want to only make changes on the UI, you don't need a backend running fro ### Prerequisites -- Node (any recent version should work, we use 16.x to build) -- Make (again, any recent version should work) -- Docker and docker-compose +- Node (any recent version should work, we use 16.x to build) +- Make (again, any recent version should work) +- Docker and docker-compose ### Instructions @@ -28,15 +28,15 @@ If you want to only make changes on the UI, you don't need a backend running fro 4. Add this volume mapping to your compose file ```yaml - version: '3.2' + version: "3.2" services: - # [...] - server: # [...] - volumes: - - ./web:/web - - ./local.env.yml:/local.env.yml + server: + # [...] + volumes: + - ./web:/web + - ./local.env.yml:/local.env.yml ``` This makes the local web files and the config file available to the authentik server. diff --git a/website/developer-docs/setup/full-dev-environment.md b/website/developer-docs/setup/full-dev-environment.md index 84a68d8df..b5b22521b 100644 --- a/website/developer-docs/setup/full-dev-environment.md +++ b/website/developer-docs/setup/full-dev-environment.md @@ -8,11 +8,11 @@ To create a local development setup for authentik, you need the following: ### Requirements -- Python 3.10 -- poetry, which is used to manage dependencies, and can be installed with `pip install poetry` -- Go 1.18 -- PostgreSQL (any recent version will do) -- Redis (any recent version will do) +- Python 3.10 +- poetry, which is used to manage dependencies, and can be installed with `pip install poetry` +- Go 1.18 +- PostgreSQL (any recent version will do) +- Redis (any recent version will do) For PostgreSQL and Redis, you can use the docker-compose file in `scripts/`. You can also use a native install, if you prefer. 
@@ -28,7 +28,7 @@ To configure authentik to use the local databases, create a file in the authenti ```yaml debug: true postgresql: - user: postgres + user: postgres log_level: debug secret_key: "A long key you can generate with `pwgen 40 1` for example" diff --git a/website/developer-docs/translation.md b/website/developer-docs/translation.md index cfadcb068..838e6ecde 100644 --- a/website/developer-docs/translation.md +++ b/website/developer-docs/translation.md @@ -18,9 +18,9 @@ To simplify translation you can use https://www.transifex.com/beryjuorg/authenti ### Prerequisites -- Node (any recent version should work, we use 16.x to build) -- Make (again, any recent version should work) -- Docker +- Node (any recent version should work, we use 16.x to build) +- Make (again, any recent version should work) +- Docker Run `npm i` in the `/web` folder to install all dependencies. diff --git a/website/docs/core/applications.md b/website/docs/core/applications.md index b73cf3a90..668378af7 100644 --- a/website/docs/core/applications.md +++ b/website/docs/core/applications.md 
@@ -9,42 +9,41 @@ Applications are used to configure and separate the authorization / access contr ## Authorization -Application access can be configured using (Policy) Bindings. Click on an application in the applications list, and select the *Policy / Group / User Bindings* tab. There you can bind users/groups/policies to grant them access. When nothing is bound, everyone has access. You can use this to grant access to one or multiple users/groups, or dynamically give access using policies. +Application access can be configured using (Policy) Bindings. Click on an application in the applications list, and select the _Policy / Group / User Bindings_ tab. There you can bind users/groups/policies to grant them access. When nothing is bound, everyone has access. You can use this to grant access to one or multiple users/groups, or dynamically give access using policies. By default, all users can access applications when no policies are bound. -When multiple policies/groups/users are attached, you can configure the *Policy engine mode* to either +When multiple policies/groups/users are attached, you can configure the _Policy engine mode_ to either -- Require users to pass all bindings/be member of all groups (ALL), or -- Require users to pass either binding/be member of either group (ANY) +- Require users to pass all bindings/be member of all groups (ALL), or +- Require users to pass either binding/be member of either group (ANY) ## Appearance The following aspects can be configured: -- *Name*: This is the name shown for the application card -- *Launch URL*: The URL that is opened when a user clicks on the application. When left empty, authentik tries to guess it based on the provider +- _Name_: This is the name shown for the application card +- _Launch URL_: The URL that is opened when a user clicks on the application. 
When left empty, authentik tries to guess it based on the provider Starting with authentik 2022.2, you can use placeholders in the launch url to build them dynamically based on logged in user. For example, you can set the Launch URL to `https://goauthentik.io/%(username)s`, which will be replaced with the currently logged in user's username. -- *Icon (URL)*: Optionally configure an Icon for the application +- _Icon (URL)_: Optionally configure an Icon for the application If the authentik server does not have a volume mounted under `/media`, you'll get a text input. This accepts absolute URLs. If you've mounted single files into the container, you can reference them using `https://authentik.company/media/my-file.png`. If there is a mount under `/media`, you'll instead see a field to upload a file. -- *Publisher*: Text shown below the application -- *Description*: Subtext shown on the application card below the publisher +- _Publisher_: Text shown below the application +- _Description_: Subtext shown on the application card below the publisher Applications are shown to users when -- The user has access defined via policies (or the application has no policies bound) -- A Valid Launch URL is configured/could be guessed, this consists of URLs starting with http:// and https:// - +- The user has access defined via policies (or the application has no policies bound) +- A Valid Launch URL is configured/could be guessed, this consists of URLs starting with http:// and https:// #### Hiding applications -To hide applications without modifying policy settings and without removing it, you can simply set the *Launch URL* to `blank://blank`, which will hide the application from users. +To hide applications without modifying policy settings and without removing it, you can simply set the _Launch URL_ to `blank://blank`, which will hide the application from users. 
Keep in mind, the users still have access, so they can still authorize access when the login process is started from the application. diff --git a/website/docs/core/certificates.md b/website/docs/core/certificates.md index 8520a38c1..43af6f41b 100644 --- a/website/docs/core/certificates.md +++ b/website/docs/core/certificates.md @@ -4,15 +4,15 @@ title: Certificates Certificates in authentik are used for the following use cases: -- Signing and verifying SAML Requests and Responses -- Signing JSON Web Tokens for OAuth and OIDC -- Connecting to remote docker hosts using the Docker integration -- Verifying LDAP Servers' certificates -- Encrypting outposts's endpoints +- Signing and verifying SAML Requests and Responses +- Signing JSON Web Tokens for OAuth and OIDC +- Connecting to remote docker hosts using the Docker integration +- Verifying LDAP Servers' certificates +- Encrypting outposts's endpoints ## Default certificate -Every authentik install generates a self-signed certificate on the first start. The certificate is called *authentik Self-signed Certificate* and is valid for 1 year. +Every authentik install generates a self-signed certificate on the first start. The certificate is called _authentik Self-signed Certificate_ and is valid for 1 year. This certificate is generated to be used as a default for all OAuth2/OIDC providers, as these don't require the certificate to be configured on both sides (the signature of a JWT is validated using the [JWKS](https://auth0.com/docs/security/tokens/json-web-tokens/json-web-key-sets) URL). 
@@ -30,7 +30,7 @@ For Kubernetes, you can map custom secrets/volumes under `/certs`. You can also bind mount single files into the folder, as long as they fall under this naming schema. -- Files in the root directory will be imported based on their filename. +- Files in the root directory will be imported based on their filename. `/foo.pem` Will be imported as the keypair `foo`. Based on its content its either imported as certificate or private key. @@ -38,9 +38,9 @@ You can also bind mount single files into the folder, as long as they fall under Otherwise it will be imported as certificate. -- If the file is called `fullchain.pem` or `privkey.pem` (the output naming of certbot), they will get the name of the parent folder. -- Files can be in any arbitrary file structure, and can have any extension. -- If the path contains `archive`, the files will be ignored (to better support certbot setups). +- If the file is called `fullchain.pem` or `privkey.pem` (the output naming of certbot), they will get the name of the parent folder. +- Files can be in any arbitrary file structure, and can have any extension. +- If the path contains `archive`, the files will be ignored (to better support certbot setups). ``` certs/ 
@@ -66,29 +66,29 @@ Starting with authentik 2021.12.4, you can configure the certificate authentik u To use let's encrypt certificates with this setup, using certbot, you can use this compose override (create or edit a file called `docker-compose.override.yml` in the same folder as the authentik docker-compose file) ```yaml -version: '3.2' +version: "3.2" services: - certbot: - image: certbot/dns-route53:v1.22.0 - volumes: - - ./letsencrypt:/etc/letsencrypt - - ../authentik/certs/:/etc/letsencrypt/live - # Variables depending on DNS Plugin - environment: - AWS_ACCESS_KEY_ID: ... - command: - - certonly - - --non-interactive - - --agree-tos - - -m your.email@company - - -d authentik.company - # Again, match with your provider - - --dns-route53 + certbot: + image: certbot/dns-route53:v1.22.0 + volumes: + - ./letsencrypt:/etc/letsencrypt + - ../authentik/certs/:/etc/letsencrypt/live + # Variables depending on DNS Plugin + environment: + AWS_ACCESS_KEY_ID: ... + command: + - certonly + - --non-interactive + - --agree-tos + - -m your.email@company + - -d authentik.company + # Again, match with your provider + - --dns-route53 ``` Afterwards, run `docker-compose up -d`, which will start certbot and generate your certificate. Within a few minutes, you'll see the certificate in your authentik interface. (If the certificate does not appear, restart the worker container. This is caused by incompatible permissions set by certbot). -Navigate to *System -> Tenants*, edit any tenant and select the certificate of your choice. +Navigate to _System -> Tenants_, edit any tenant and select the certificate of your choice. Keep in mind this certbot container will only run once, but there are a variety of ways to schedule regular renewals. diff --git a/website/docs/events/index.md b/website/docs/events/index.md index 0ce3271a4..069f2a48a 100644 --- a/website/docs/events/index.md +++ b/website/docs/events/index.md 
@@ -4,29 +4,29 @@ title: Events Events are authentik's built-in logging system. Whenever any of the following actions occur, an event is created: -- A user logs in/logs out (including the source, if available) -- A user fails to login -- A user sets their password +- A user logs in/logs out (including the source, if available) +- A user fails to login +- A user sets their password -- A user views a token +- A user views a token -- An invitation is used +- An invitation is used -- A user object is written to during a flow +- A user object is written to during a flow -- A user authorizes an application -- A user links a source to their account +- A user authorizes an application +- A user links a source to their account -- A user starts/ends impersonation, including the user that was impersonated +- A user starts/ends impersonation, including the user that was impersonated -- A policy is executed (when a policy has "Execution Logging" enabled) -- A policy or property mapping causes an exception +- A policy is executed (when a policy has "Execution Logging" enabled) +- A policy or property mapping causes an exception -- A configuration error occurs, for example during the authorization of an application +- A configuration error occurs, for example during the authorization of an application -- Any objects is created/updated/deleted +- Any objects is created/updated/deleted -- An update is available +- An update is available Certain information is stripped from events, to ensure no passwords or other credentials are saved in the log. diff --git a/website/docs/events/transports.md b/website/docs/events/transports.md index 6d864c465..3a52be419 100644 --- a/website/docs/events/transports.md +++ b/website/docs/events/transports.md 
@@ -13,7 +13,7 @@ This will send a POST request to the given URL with the following contents: "body": "body of the notification message", "severity": "severity level as configured in the trigger", "user_email": "user's email", - "user_username": "user's username", + "user_username": "user's username" } ``` diff --git a/website/docs/expressions/_objects.md b/website/docs/expressions/_objects.md index 9690eb83e..f1b3b18f8 100644 --- a/website/docs/expressions/_objects.md +++ b/website/docs/expressions/_objects.md @@ -1,4 +1,4 @@ -- `ak_logger`: structlog BoundLogger. See ([structlog documentation](https://www.structlog.org/en/stable/api.html#structlog.BoundLogger)) +- `ak_logger`: structlog BoundLogger. See ([structlog documentation](https://www.structlog.org/en/stable/api.html#structlog.BoundLogger)) Example: @@ -8,4 +8,4 @@ ak_logger.info("Passing structured data", request=request) ``` -- `requests`: requests Session object. See ([request documentation](https://requests.readthedocs.io/en/master/user/advanced/)) +- `requests`: requests Session object. See ([request documentation](https://requests.readthedocs.io/en/master/user/advanced/)) diff --git a/website/docs/expressions/_user.md b/website/docs/expressions/_user.md index aab77387f..cc747ccad 100644 --- a/website/docs/expressions/_user.md +++ b/website/docs/expressions/_user.md @@ -1,4 +1,4 @@ -- `user`: The current user. This may be `None` if there is no contextual user. See ([User](../user-group/user.md#object-attributes)) +- `user`: The current user. This may be `None` if there is no contextual user. See ([User](../user-group/user.md#object-attributes)) Example: @@ -6,4 +6,4 @@ Example: return { "custom_attribute": request.user.attributes.get("custom_attribute", "default"), } -``` \ No newline at end of file +``` diff --git a/website/docs/flow/executors/headless.md b/website/docs/flow/executors/headless.md index d4cdeda3e..4fd4f1c6b 100644 --- a/website/docs/flow/executors/headless.md 
+++ b/website/docs/flow/executors/headless.md @@ -6,6 +6,6 @@ The headless flow executor is used by clients which don't have access to the web The following stages are supported: -- [**identification**](../stages/identification/) -- [**password**](../stages/password/) -- [**authenticator_validate**](../stages/authenticator_validate/) (currently only DUO devices are supported) +- [**identification**](../stages/identification/) +- [**password**](../stages/password/) +- [**authenticator_validate**](../stages/authenticator_validate/) (currently only DUO devices are supported) diff --git a/website/docs/flow/executors/user-settings.md b/website/docs/flow/executors/user-settings.md index 65817bb4a..b15192cfb 100644 --- a/website/docs/flow/executors/user-settings.md +++ b/website/docs/flow/executors/user-settings.md @@ -9,6 +9,6 @@ Requires authentik 2022.3.1 The user interface (`/if/user/`) embeds a downsized flow executor to allow the user to configure their profile using custom stages and prompts. This executor only supports [**prompt**](../stages/prompt/) stages. If the configured flow contains another stage, a button will be shown to open the default executor. -Because the stages in a flow can change during it execution, this executor will redirect the user to the default interface *if* a non-supported stage is returned. +Because the stages in a flow can change during it execution, this executor will redirect the user to the default interface _if_ a non-supported stage is returned. To configure which flow is used for this, configure it in the tenant settings. diff --git a/website/docs/flow/index.md b/website/docs/flow/index.md index 7839ebb25..5b21a708f 100644 --- a/website/docs/flow/index.md +++ b/website/docs/flow/index.md 
@@ -6,9 +6,9 @@ Flows are a method of describing a sequence of stages. A stage represents a sing For example, a standard login flow would consist of the following stages: -- Identification, user identifies themselves via a username or email address -- Password, the user's password is checked against the hash in the database -- Log the user in +- Identification, user identifies themselves via a username or email address +- Password, the user's password is checked against the hash in the database +- Log the user in Upon flow execution, a plan containing all stages is generated. This means that all attached policies are evaluated upon execution. This behaviour can be altered by enabling the **Re-evaluate Policies** option on the binding. diff --git a/website/docs/flow/stages/authenticator_duo/index.md b/website/docs/flow/stages/authenticator_duo/index.md index 4502ed310..3cd806222 100644 --- a/website/docs/flow/stages/authenticator_duo/index.md +++ b/website/docs/flow/stages/authenticator_duo/index.md @@ -22,7 +22,7 @@ This API requires version 2021.9.1 or later You can call the `/api/v3/stages/authenticator/duo/{stage_uuid}/import_devices/` endpoint ([see here](https://goauthentik.io/api/#post-/stages/authenticator/duo/-stage_uuid-/import_devices/)) using the following parameters: -- `duo_user_id`: The Duo User's ID. This can be found in the Duo Admin Portal, navigating to the user list and clicking on a single user. Their ID is shown in th URL. -- `username`: The authentik user's username to assign the device to. +- `duo_user_id`: The Duo User's ID. This can be found in the Duo Admin Portal, navigating to the user list and clicking on a single user. Their ID is shown in th URL. +- `username`: The authentik user's username to assign the device to. Additionally, you need to pass `stage_uuid` which is the `authenticator_duo` stage, in which you entered your API credentials. 
diff --git a/website/docs/flow/stages/authenticator_sms/index.md b/website/docs/flow/stages/authenticator_sms/index.md index 6568a8170..a53b079d7 100644 --- a/website/docs/flow/stages/authenticator_sms/index.md +++ b/website/docs/flow/stages/authenticator_sms/index.md 
@@ -8,23 +8,23 @@ This stage configures an SMS-based authenticator using either Twilio, or a gener Navigate to https://console.twilio.com/, and log in to your existing account, or create a new one. -In the sidebar, navigate to *Explore Products*, then *Messaging*, and *Services* below that. +In the sidebar, navigate to _Explore Products_, then _Messaging_, and _Services_ below that. -Click on *Create Messaging Service* to create a new set of API credentials. +Click on _Create Messaging Service_ to create a new set of API credentials. -Give the service a Name, and select *Verify users* as a use-case. +Give the service a Name, and select _Verify users_ as a use-case. In the next step, add an address from your Sender Pool. Instructions on how to create numbers are not covered here, please check the Twilio documentation [here](https://www.twilio.com/docs). -The other two steps can be skipped using the *Skip setup* button. +The other two steps can be skipped using the _Skip setup_ button. -Afterwards, copy the value of **Messaging Service SID**. This is the value for the *Twilio Account SID* field in authentik. +Afterwards, copy the value of **Messaging Service SID**. This is the value for the _Twilio Account SID_ field in authentik. -Navigate back to the root of your Twilio console, and copy the Auth token. This is the value for the *Twilio Auth Token* field in authentik. +Navigate back to the root of your Twilio console, and copy the Auth token. This is the value for the _Twilio Auth Token_ field in authentik. ## Generic -For the generic provider, a POST request will be sent to the URL you have specified in the *External API URL* field. The request payload looks like this +For the generic provider, a POST request will be sent to the URL you have specified in the _External API URL_ field. The request payload looks like this ```json { 
diff --git a/website/docs/flow/stages/authenticator_validate/index.md b/website/docs/flow/stages/authenticator_validate/index.md index ddae672e4..458a6e92e 100644 --- a/website/docs/flow/stages/authenticator_validate/index.md +++ b/website/docs/flow/stages/authenticator_validate/index.md @@ -4,19 +4,19 @@ title: Authenticator Validation Stage This stage validates an already configured Authenticator Device. This device has to be configured using any of the other authenticator stages: -- [Duo authenticator stage](../authenticator_duo/) -- [SMS authenticator stage](../authenticator_sms/). -- [Static authenticator stage](../authenticator_static/). -- [TOTP authenticator stage](../authenticator_totp/) -- [WebAuth authenticator stage](../authenticator_webauthn/). +- [Duo authenticator stage](../authenticator_duo/) +- [SMS authenticator stage](../authenticator_sms/). +- [Static authenticator stage](../authenticator_static/). +- [TOTP authenticator stage](../authenticator_totp/) +- [WebAuth authenticator stage](../authenticator_webauthn/). You can select which type of device classes are allowed. Using the `Not configured action`, you can choose what happens when a user does not have any matching devices. -- Skip: Validation is skipped and the flow continues -- Deny: Access is denied, the flow execution ends -- Configure: This option requires a *Configuration stage* to be set. The validation stage will be marked as successful, and the configuration stage will be injected into the flow. +- Skip: Validation is skipped and the flow continues +- Deny: Access is denied, the flow execution ends +- Configure: This option requires a _Configuration stage_ to be set. The validation stage will be marked as successful, and the configuration stage will be injected into the flow. ## Passwordless authentication 
@@ -26,17 +26,17 @@ Requires authentik 2021.12.4 Passwordless authentication currently only supports WebAuthn devices, like security keys and biometrics. -To configure passwordless authentication, create a new Flow with the delegation set to *Authentication*. +To configure passwordless authentication, create a new Flow with the delegation set to _Authentication_. -As first stage, add an *Authentication validation* stage, with the WebAuthn device class allowed. +As first stage, add an _Authentication validation_ stage, with the WebAuthn device class allowed. After this stage you can bind any additional verification stages. -As final stage, bind a *User login* stage. +As final stage, bind a _User login_ stage. Users can either access this flow directly via it's URL, or you can modify any Identification stage to add a direct link to this flow. #### Logging -Logins which used Passwordless authentication have the *auth_method* context variable set to `auth_webauthn_pwl`, and the device used is saved in the arguments. Example: +Logins which used Passwordless authentication have the _auth_method_ context variable set to `auth_webauthn_pwl`, and the device used is saved in the arguments. Example: ```json { diff --git a/website/docs/flow/stages/deny.md b/website/docs/flow/stages/deny.md index f5877336a..49249d57a 100644 --- a/website/docs/flow/stages/deny.md +++ b/website/docs/flow/stages/deny.md @@ -6,5 +6,5 @@ This stage stops the execution of a flow. This can be used to conditionally deny even if they are not signed in (and permissions can't be checked via groups). :::caution -To effectively use this stage, make sure to **disable** *Evaluate on plan* on the Stage binding. +To effectively use this stage, make sure to **disable** _Evaluate on plan_ on the Stage binding. ::: diff --git a/website/docs/flow/stages/email/index.md b/website/docs/flow/stages/email/index.md index 406d32132..d9ebc532b 100644 --- a/website/docs/flow/stages/email/index.md 
+++ b/website/docs/flow/stages/email/index.md @@ -41,27 +41,21 @@ If you've add the line and created a file, and can't see if, check the logs usin Templates are rendered using Django's templating engine. The following variables can be used: -- `url`: The full URL for the user to click on -- `user`: The pending user object. -- `expires`: The timestamp when the token expires. +- `url`: The full URL for the user to click on +- `user`: The pending user object. +- `expires`: The timestamp when the token expires. ```html -{# This is how you can write comments which aren't rendered. #} - -{# Extend this template from the base email template, which includes base layout and CSS. #} -{% extends "email/base.html" %} - -{# Load the internationalization module to translate strings, and humanize to show date-time #} -{% load i18n %} -{% load humanize %} - -{# The email/base.html template uses a single "content" block #} -{% block content %} +{# This is how you can write comments which aren't rendered. #} {# Extend this +template from the base email template, which includes base layout and CSS. #} {% +extends "email/base.html" %} {# Load the internationalization module to +translate strings, and humanize to show date-time #} {% load i18n %} {% load +humanize %} {# The email/base.html template uses a single "content" block #} {% +block content %} - {% blocktrans with username=user.username %} - Hi {{ username }}, - {% endblocktrans %} + {% blocktrans with username=user.username %} Hi {{ username }}, {% + endblocktrans %} @@ -69,35 +63,55 @@ Templates are rendered using Django's templating engine. The following variables
- {% blocktrans %} - You recently requested to change your password for you authentik account. Use the button below to set a new password. - {% endblocktrans %} + {% blocktrans %} You recently requested to change your + password for you authentik account. Use the button below to + set a new password. {% endblocktrans %}
- + - - - + + +
- {% blocktrans with expires=expires|naturaltime %} - If you did not request a password change, please ignore this Email. The link above is valid for {{ expires }}. - {% endblocktrans %} + {% blocktrans with expires=expires|naturaltime %} If you did + not request a password change, please ignore this Email. The + link above is valid for {{ expires }}. {% endblocktrans %}
diff --git a/website/docs/flow/stages/identification/index.md b/website/docs/flow/stages/identification/index.md index 3ce5ec69e..facbb6c65 100644 --- a/website/docs/flow/stages/identification/index.md +++ b/website/docs/flow/stages/identification/index.md @@ -11,8 +11,8 @@ This stage provides a ready-to-go form for users to identify themselves. Select which fields the user can use to identify themselves. Multiple fields can be specified and separated with a comma. Valid choices: -- email -- username +- email +- username ### Template diff --git a/website/docs/flow/stages/invitation/index.md b/website/docs/flow/stages/invitation/index.md index 7080d04a7..1969ee4a0 100644 --- a/website/docs/flow/stages/invitation/index.md +++ b/website/docs/flow/stages/invitation/index.md @@ -10,4 +10,4 @@ To check if a user has used an invitation within a policy, you can check `reques To use an invitation, use the URL `https://authentik.tld/if/flow/your-enrollment-flow/?itoken=invitation-token`. -You can also prompt the user for an invite by using the [*Prompt stage*](../prompt/) by using a field with a field key of `token`. +You can also prompt the user for an invite by using the [_Prompt stage_](../prompt/) by using a field with a field key of `token`. diff --git a/website/docs/flow/stages/password/index.md b/website/docs/flow/stages/password/index.md index 2d3906e23..74ed43598 100644 --- a/website/docs/flow/stages/password/index.md +++ b/website/docs/flow/stages/password/index.md 
@@ -6,7 +6,7 @@ This is a generic password prompt which authenticates the current `pending_user` ## Passwordless login -To achieve a "passwordless" experience; authenticating users based only on TOTP/WebAuthn/Duo, create an expression policy and optionally skip the password stage. +To achieve a "passwordless" experience; authenticating users based only on TOTP/WebAuthn/Duo, create an expression policy and optionally skip the password stage. Depending on what kind of device you want to require the user to have: @@ -26,4 +26,4 @@ return DuoDevice.objects.filter(user=request.user, confirmed=True).exists() Afterwards, bind the policy you've created to the stage binding of the password stage. -Make sure to uncheck *Evaluate on plan* and check *Re-evaluate policies*, otherwise an invalid result will be cached. +Make sure to uncheck _Evaluate on plan_ and check _Re-evaluate policies_, otherwise an invalid result will be cached. diff --git a/website/docs/flow/stages/prompt/index.md b/website/docs/flow/stages/prompt/index.md index 388220b04..73db1db67 100644 --- a/website/docs/flow/stages/prompt/index.md +++ b/website/docs/flow/stages/prompt/index.md 
@@ -8,27 +8,27 @@ This stage is used to show the user arbitrary prompts. The prompt can be any of the following types: -| Type | Description | -| -------- | ----------------------------------------------------------------- | -| Text | Arbitrary text. No client-side validation is done. | -| Text (Read only) | Same as above, but cannot be edited. | -| Username | Same as text, except the username is validated to be unique. | -| Email | Text input, ensures the value is an email address (validation is only done client-side). | -| Password | Same as text, shown as a password field client-side, and custom validation (see below). | -| Number | Numerical textbox. | -| Checkbox | Simple checkbox. | -| Date | Same as text, except the client renders a date-picker | -| Date-time | Same as text, except the client renders a date-time-picker | -| Separator | Passive element to group surrounding elements | -| Hidden | Hidden input field. Allows for the pre-setting of default values. | -| Static | Display arbitrary value as is | -| authentik: Locale | Display a list of all locales authentik supports. | +| Type | Description | +| ----------------- | ---------------------------------------------------------------------------------------- | +| Text | Arbitrary text. No client-side validation is done. | +| Text (Read only) | Same as above, but cannot be edited. | +| Username | Same as text, except the username is validated to be unique. | +| Email | Text input, ensures the value is an email address (validation is only done client-side). | +| Password | Same as text, shown as a password field client-side, and custom validation (see below). | +| Number | Numerical textbox. | +| Checkbox | Simple checkbox. | +| Date | Same as text, except the client renders a date-picker | +| Date-time | Same as text, except the client renders a date-time-picker | +| Separator | Passive element to group surrounding elements | +| Hidden | Hidden input field. Allows for the pre-setting of default values. 
| +| Static | Display arbitrary value as is | +| authentik: Locale | Display a list of all locales authentik supports. | Some types have special behaviors: - - *Username*: Input is validated against other usernames to ensure a unique value is provided. - - *Password*: All prompts with the type password within the same stage are compared and must be equal. If they are not equal, an error is shown - - *Hidden* and *Static*: Their placeholder values are defaults and are not user-changeable. +- _Username_: Input is validated against other usernames to ensure a unique value is provided. +- _Password_: All prompts with the type password within the same stage are compared and must be equal. If they are not equal, an error is shown +- _Hidden_ and _Static_: Their placeholder values are defaults and are not user-changeable. A prompt has the following attributes: @@ -52,7 +52,7 @@ A flag which decides whether or not this field is required. A field placeholder, shown within the input field. This field is also used by the `hidden` type as the actual value. -By default, the placeholder is interpreted as-is. If you enable *Interpret placeholder as expression*, the placeholder +By default, the placeholder is interpreted as-is. If you enable _Interpret placeholder as expression_, the placeholder will be evaluated as a python expression. This happens in the same environment as [_Property mappings_](../../../property-mappings/expression). You can access both the HTTP request and the user as with a mapping. Additionally, you can access `prompt_context`, which is a dictionary of the current state of the prompt stage's data. diff --git a/website/docs/flow/stages/user_login.md b/website/docs/flow/stages/user_login.md index 186a54cad..efe331da5 100644 --- a/website/docs/flow/stages/user_login.md +++ b/website/docs/flow/stages/user_login.md 
@@ -8,16 +8,16 @@ It can be used after `user_write` during an enrollment flow, or after a `passwor ## Session duration -By default, the authentik session expires when you close your browser (*seconds=0*). +By default, the authentik session expires when you close your browser (_seconds=0_). You can set the session to expire after any duration using the syntax of `hours=1,minutes=2,seconds=3`. The following keys are allowed: -- Microseconds -- Milliseconds -- Seconds -- Minutes -- Hours -- Days -- Weeks +- Microseconds +- Milliseconds +- Seconds +- Minutes +- Hours +- Days +- Weeks All values accept floating-point values. diff --git a/website/docs/index.md b/website/docs/index.md index 36cdf52ea..307988b9f 100755 --- a/website/docs/index.md +++ b/website/docs/index.md @@ -13,7 +13,7 @@ See [Docker-compose](installation/docker-compose) or [Kubernetes](installation/k ## Screenshots -Light | Dark ---- | --- -![](/img/screen_apps_light.jpg) | ![](/img/screen_apps_dark.jpg) -![](/img/screen_admin_light.jpg) | ![](/img/screen_admin_dark.jpg) +| Light | Dark | +| -------------------------------- | ------------------------------- | +| ![](/img/screen_apps_light.jpg) | ![](/img/screen_apps_dark.jpg) | +| ![](/img/screen_admin_light.jpg) | ![](/img/screen_admin_dark.jpg) | diff --git a/website/docs/installation/air-gapped.md b/website/docs/installation/air-gapped.md index 9e01f6241..fca43699e 100644 --- a/website/docs/installation/air-gapped.md +++ b/website/docs/installation/air-gapped.md 
@@ -6,10 +6,10 @@ title: Air-gapped environments By default, authentik creates outbound connections to the following URLs: -- https://version.goauthentik.io: Periodic update check -- https://goauthentik.io: Anonymous analytics on startup -- https://secure.gravatar.com: Avatars for users -- https://sentry.beryju.org: Error reporting +- https://version.goauthentik.io: Periodic update check +- https://goauthentik.io: Anonymous analytics on startup +- https://secure.gravatar.com: Avatars for users +- https://sentry.beryju.org: Error reporting To disable these outbound connections, set the following in your `.env` file: @@ -35,6 +35,6 @@ authentik: Container images can be pulled from the following URLs: -- ghcr.io/goauthentik/server (https://ghcr.io) -- goauthentik.io/server (https://goauthentik.io) -- beryju/authentik (https://index.docker.io) +- ghcr.io/goauthentik/server (https://ghcr.io) +- goauthentik.io/server (https://goauthentik.io) +- beryju/authentik (https://index.docker.io) diff --git a/website/docs/installation/beta.mdx b/website/docs/installation/beta.mdx index 42d35007a..4b6554b61 100644 --- a/website/docs/installation/beta.mdx +++ b/website/docs/installation/beta.mdx 
@@ -2,10 +2,10 @@ title: Beta versions --- -You can test upcoming authentik versions by switching to the *next* images. These beta versions supported upgrades from the latest stable version, and have a supported upgrade plan to the next stable version. +You can test upcoming authentik versions by switching to the _next_ images. These beta versions supported upgrades from the latest stable version, and have a supported upgrade plan to the next stable version. -import Tabs from '@theme/Tabs'; -import TabItem from '@theme/TabItem'; +import Tabs from "@theme/Tabs"; +import TabItem from "@theme/TabItem"; Add the following block to your `values.yml` file: ```yaml authentik: - outposts: - container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s + outposts: + container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s image: - repository: ghcr.io/goauthentik/dev-server - tag: gh-next - # pullPolicy: Always to ensure you always get the latest version - pullPolicy: Always + repository: ghcr.io/goauthentik/dev-server + tag: gh-next + # pullPolicy: Always to ensure you always get the latest version + pullPolicy: Always ``` Afterwards, run the upgrade commands from the latest release notes. + diff --git a/website/docs/installation/configuration.md b/website/docs/installation/configuration.md index 5101ef817..da6fe8253 100644 --- a/website/docs/installation/configuration.md +++ b/website/docs/installation/configuration.md 
@@ -12,30 +12,30 @@ The double-underscores are intentional, as all these settings are translated to All of these variables can be set to values, but you can also use a URI-like format to load values from other places: -- `env://` Loads the value from the environment variable ``. Fallback can be optionally set like `env://?` -- `file://` Loads the value from the file ``. Fallback can be optionally set like `file://?` +- `env://` Loads the value from the environment variable ``. Fallback can be optionally set like `env://?` +- `file://` Loads the value from the file ``. Fallback can be optionally set like `file://?` ## PostgreSQL Settings -- `AUTHENTIK_POSTGRESQL__HOST`: Hostname of your PostgreSQL Server -- `AUTHENTIK_POSTGRESQL__NAME`: Database name -- `AUTHENTIK_POSTGRESQL__USER`: Database user -- `AUTHENTIK_POSTGRESQL__PORT`: Database port, defaults to 5432 -- `AUTHENTIK_POSTGRESQL__PASSWORD`: Database password, defaults to the environment variable `POSTGRES_PASSWORD` +- `AUTHENTIK_POSTGRESQL__HOST`: Hostname of your PostgreSQL Server +- `AUTHENTIK_POSTGRESQL__NAME`: Database name +- `AUTHENTIK_POSTGRESQL__USER`: Database user +- `AUTHENTIK_POSTGRESQL__PORT`: Database port, defaults to 5432 +- `AUTHENTIK_POSTGRESQL__PASSWORD`: Database password, defaults to the environment variable `POSTGRES_PASSWORD` ## Redis Settings -- `AUTHENTIK_REDIS__HOST`: Hostname of your Redis Server -- `AUTHENTIK_REDIS__PORT`: Redis port, defaults to 6379 -- `AUTHENTIK_REDIS__PASSWORD`: Password for your Redis Server -- `AUTHENTIK_REDIS__CACHE_DB`: Database for caching, defaults to 0 -- `AUTHENTIK_REDIS__MESSAGE_QUEUE_DB`: Database for the message queue, defaults to 1 -- `AUTHENTIK_REDIS__WS_DB`: Database for websocket connections, defaults to 2 -- `AUTHENTIK_REDIS__OUTPOST_SESSION_DB`: Database for sessions for the embedded outpost, defaults to 3 -- `AUTHENTIK_REDIS__CACHE_TIMEOUT`: Timeout for cached data until it expires in seconds, defaults to 300 -- 
`AUTHENTIK_REDIS__CACHE_TIMEOUT_FLOWS`: Timeout for cached flow plans until they expire in seconds, defaults to 300 -- `AUTHENTIK_REDIS__CACHE_TIMEOUT_POLICIES`: Timeout for cached policies until they expire in seconds, defaults to 300 -- `AUTHENTIK_REDIS__CACHE_TIMEOUT_REPUTATION`: Timeout for cached reputation until they expire in seconds, defaults to 300 +- `AUTHENTIK_REDIS__HOST`: Hostname of your Redis Server +- `AUTHENTIK_REDIS__PORT`: Redis port, defaults to 6379 +- `AUTHENTIK_REDIS__PASSWORD`: Password for your Redis Server +- `AUTHENTIK_REDIS__CACHE_DB`: Database for caching, defaults to 0 +- `AUTHENTIK_REDIS__MESSAGE_QUEUE_DB`: Database for the message queue, defaults to 1 +- `AUTHENTIK_REDIS__WS_DB`: Database for websocket connections, defaults to 2 +- `AUTHENTIK_REDIS__OUTPOST_SESSION_DB`: Database for sessions for the embedded outpost, defaults to 3 +- `AUTHENTIK_REDIS__CACHE_TIMEOUT`: Timeout for cached data until it expires in seconds, defaults to 300 +- `AUTHENTIK_REDIS__CACHE_TIMEOUT_FLOWS`: Timeout for cached flow plans until they expire in seconds, defaults to 300 +- `AUTHENTIK_REDIS__CACHE_TIMEOUT_POLICIES`: Timeout for cached policies until they expire in seconds, defaults to 300 +- `AUTHENTIK_REDIS__CACHE_TIMEOUT_REPUTATION`: Timeout for cached reputation until they expire in seconds, defaults to 300 ## authentik Settings @@ -47,7 +47,7 @@ Secret key used for cookie signing and unique user IDs, don't change this after Log level for the server and worker containers. Possible values: debug, info, warning, error -Starting with 2021.12.3, you can also set the log level to *trace*. This has no affect on the core authentik server, but shows additional messages for the embedded outpost. +Starting with 2021.12.3, you can also set the log level to _trace_. This has no affect on the core authentik server, but shows additional messages for the embedded outpost. Defaults to `info`. 
@@ -61,92 +61,93 @@ Disable the inbuilt update-checker. Defaults to `false`. ### AUTHENTIK_ERROR_REPORTING -- `AUTHENTIK_ERROR_REPORTING__ENABLED` +- `AUTHENTIK_ERROR_REPORTING__ENABLED` - Enable error reporting. Defaults to `false`. + Enable error reporting. Defaults to `false`. - Error reports are sent to https://sentry.beryju.org, and are used for debugging and general feedback. Anonymous performance data is also sent. + Error reports are sent to https://sentry.beryju.org, and are used for debugging and general feedback. Anonymous performance data is also sent. -- `AUTHENTIK_ERROR_REPORTING__ENVIRONMENT` +- `AUTHENTIK_ERROR_REPORTING__ENVIRONMENT` - Unique environment that is attached to your error reports, should be set to your email address for example. Defaults to `customer`. + Unique environment that is attached to your error reports, should be set to your email address for example. Defaults to `customer`. -- `AUTHENTIK_ERROR_REPORTING__SEND_PII` +- `AUTHENTIK_ERROR_REPORTING__SEND_PII` - Whether or not to send personal data, like usernames. Defaults to `false`. + Whether or not to send personal data, like usernames. Defaults to `false`. 
### AUTHENTIK_EMAIL -- `AUTHENTIK_EMAIL__HOST` +- `AUTHENTIK_EMAIL__HOST` - Default: `localhost` + Default: `localhost` -- `AUTHENTIK_EMAIL__PORT` +- `AUTHENTIK_EMAIL__PORT` - Default: `25` + Default: `25` -- `AUTHENTIK_EMAIL__USERNAME` +- `AUTHENTIK_EMAIL__USERNAME` - Default: `` (Don't add quotation marks) + Default: `` (Don't add quotation marks) -- `AUTHENTIK_EMAIL__PASSWORD` +- `AUTHENTIK_EMAIL__PASSWORD` - Default: `` (Don't add quotation marks) + Default: `` (Don't add quotation marks) -- `AUTHENTIK_EMAIL__USE_TLS` +- `AUTHENTIK_EMAIL__USE_TLS` - Default: `false` + Default: `false` -- `AUTHENTIK_EMAIL__USE_SSL` +- `AUTHENTIK_EMAIL__USE_SSL` - Default: `false` + Default: `false` -- `AUTHENTIK_EMAIL__TIMEOUT` +- `AUTHENTIK_EMAIL__TIMEOUT` - Default: `10` + Default: `10` -- `AUTHENTIK_EMAIL__FROM` +- `AUTHENTIK_EMAIL__FROM` - Default: `authentik@localhost` + Default: `authentik@localhost` - Email address authentik will send from, should have a correct @domain + Email address authentik will send from, should have a correct @domain - To change the sender's display name, use a format like `Name `. + To change the sender's display name, use a format like `Name `. ### AUTHENTIK_OUTPOSTS -- `AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE` +- `AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE` - Placeholders: - - `%(type)s`: Outpost type; proxy, ldap, etc - - `%(version)s`: Current version; 2021.4.1 - - `%(build_hash)s`: Build hash if you're running a beta version + Placeholders: - Placeholder for outpost docker images. Default: `ghcr.io/goauthentik/%(type)s:%(version)s`. + - `%(type)s`: Outpost type; proxy, ldap, etc + - `%(version)s`: Current version; 2021.4.1 + - `%(build_hash)s`: Build hash if you're running a beta version -- `AUTHENTIK_OUTPOSTS__DISCOVER` + Placeholder for outpost docker images. Default: `ghcr.io/goauthentik/%(type)s:%(version)s`. - Configure the automatic discovery of integrations. Defaults to `true`. 
+- `AUTHENTIK_OUTPOSTS__DISCOVER` - By default, the following is discovered: + Configure the automatic discovery of integrations. Defaults to `true`. - - Kubernetes in-cluster config - - Kubeconfig - - Existence of a docker socket + By default, the following is discovered: + + - Kubernetes in-cluster config + - Kubeconfig + - Existence of a docker socket ### AUTHENTIK_AVATARS Configure how authentik should show avatars for users. Following values can be set: -- `none`: Disables per-user avatars and just shows a 1x1 pixel transparent picture -- `gravatar`: Uses gravatar with the user's email address (default) -- Any URL: If you want to use images hosted on another server, you can set any URL. +- `none`: Disables per-user avatars and just shows a 1x1 pixel transparent picture +- `gravatar`: Uses gravatar with the user's email address (default) +- Any URL: If you want to use images hosted on another server, you can set any URL. - Additionally, these placeholders can be used: + Additionally, these placeholders can be used: - - `%(username)s`: The user's username - - `%(mail_hash)s`: The email address, md5 hashed - - `%(upn)s`: The user's UPN, if set (otherwise an empty string) + - `%(username)s`: The user's username + - `%(mail_hash)s`: The email address, md5 hashed + - `%(upn)s`: The user's UPN, if set (otherwise an empty string) ### AUTHENTIK_DEFAULT_USER_CHANGE_NAME diff --git a/website/docs/installation/docker-compose.md b/website/docs/installation/docker-compose.md index fb2c3489e..3654abb4a 100644 --- a/website/docs/installation/docker-compose.md +++ b/website/docs/installation/docker-compose.md @@ -6,9 +6,9 @@ This installation method is for test-setups and small-scale productive setups. ## Requirements -- A Linux host with at least 2 CPU cores and 2 GB of RAM. -- docker -- docker-compose +- A Linux host with at least 2 CPU cores and 2 GB of RAM. +- docker +- docker-compose ## Preparation 
@@ -95,15 +95,15 @@ To start the initial setup, navigate to `https:///if/flow/initial-s The docker-compose project contains the following containers: -- server +- server This is the backend service, which does all the logic, runs the API and the actual SSO part. It also runs the frontend, hosts the JS/CSS files, and also serves the files you've uploaded for icons/etc. -- worker +- worker - This container executes background tasks, everything you can see on the *System Tasks* page in the frontend. + This container executes background tasks, everything you can see on the _System Tasks_ page in the frontend. -- redis & postgresql +- redis & postgresql Cache and database respectively. diff --git a/website/docs/installation/kubernetes.md b/website/docs/installation/kubernetes.md index 325ff881e..462ff9679 100644 --- a/website/docs/installation/kubernetes.md +++ b/website/docs/installation/kubernetes.md 
@@ -10,28 +10,27 @@ Create a values.yaml file with a minimum of these settings: ```yaml authentik: - secret_key: "PleaseGenerateA50CharKey" - # This sends anonymous usage-data, stack traces on errors and - # performance data to sentry.beryju.org, and is fully opt-in - error_reporting: - enabled: true - postgresql: - password: "ThisIsNotASecurePassword" + secret_key: "PleaseGenerateA50CharKey" + # This sends anonymous usage-data, stack traces on errors and + # performance data to sentry.beryju.org, and is fully opt-in + error_reporting: + enabled: true + postgresql: + password: "ThisIsNotASecurePassword" ingress: - enabled: true - hosts: - - host: authentik.domain.tld - paths: - - path: "/" - pathType: Prefix + enabled: true + hosts: + - host: authentik.domain.tld + paths: + - path: "/" + pathType: Prefix postgresql: - enabled: true - postgresqlPassword: "ThisIsNotASecurePassword" + enabled: true + postgresqlPassword: "ThisIsNotASecurePassword" redis: - enabled: true - + enabled: true ``` See all configurable values on [artifacthub](https://artifacthub.io/packages/helm/goauthentik/authentik). diff --git a/website/docs/interfaces/user/customization.md b/website/docs/interfaces/user/customization.md index 627c51e45..40480c545 100644 --- a/website/docs/interfaces/user/customization.md +++ b/website/docs/interfaces/user/customization.md 
@@ -6,19 +6,23 @@ The user interface can be customized through attributes, and will be inherited f The following features can be enabled/disabled. By default, all of them are enabled: -- `settings.enabledFeatures.apiDrawer` +- `settings.enabledFeatures.apiDrawer` API Request drawer in navbar -- `settings.enabledFeatures.notificationDrawer` + +- `settings.enabledFeatures.notificationDrawer` Notification drawer in navbar -- `settings.enabledFeatures.settings` + +- `settings.enabledFeatures.settings` Settings link in navbar -- `settings.enabledFeatures.applicationEdit` + +- `settings.enabledFeatures.applicationEdit` Application edit in library (only shown when user is superuser) -- `settings.enabledFeatures.search` + +- `settings.enabledFeatures.search` Search bar @@ -34,13 +38,13 @@ Optional CSS which is applied in the background of the background of the user in ```yaml settings: - theme: - background: > - background: url('https://picsum.photos/1920/1080'); - filter: blur(8px); - background-position: center; - background-repeat: no-repeat; - background-size: cover; + theme: + background: > + background: url('https://picsum.photos/1920/1080'); + filter: blur(8px); + background-position: center; + background-repeat: no-repeat; + background-size: cover; ``` ### `settings.layout.type` diff --git a/website/docs/outposts/index.md b/website/docs/outposts/index.md index 4898d0a99..f00ad1db4 100644 --- a/website/docs/outposts/index.md +++ b/website/docs/outposts/index.md 
@@ -10,15 +10,15 @@ Upon creation, a service account and a token is generated. The service account o authentik can manage the deployment, updating and general lifecycle of an Outpost. To communicate with the underlying platforms on which the outpost is deployed, authentik has several built-in integrations. -- If you've deployed authentik on docker-compose, authentik automatically creates an integration for the local docker socket (See [Docker](./integrations/docker.md)). -- If you've deployed authentik on Kubernetes, with `kubernetesIntegration` set to true (default), authentik automatically creates an integrations for the local Kubernetes Cluster (See [Kubernetes](./integrations/kubernetes.md)). +- If you've deployed authentik on docker-compose, authentik automatically creates an integration for the local docker socket (See [Docker](./integrations/docker.md)). +- If you've deployed authentik on Kubernetes, with `kubernetesIntegration` set to true (default), authentik automatically creates an integrations for the local Kubernetes Cluster (See [Kubernetes](./integrations/kubernetes.md)). To deploy an outpost with these integrations, simply select them during the creation of an Outpost. A background task is started, which creates the container/deployment. You can see that Status on the System Tasks page. To deploy an outpost manually, see: -- [Kubernetes](./manual-deploy-kubernetes.md) -- [docker-compose](./manual-deploy-docker-compose.md) +- [Kubernetes](./manual-deploy-kubernetes.md) +- [docker-compose](./manual-deploy-docker-compose.md) ## Configuration diff --git a/website/docs/outposts/integrations/docker.md b/website/docs/outposts/integrations/docker.md index fe3dd8fea..2badbec2b 100644 --- a/website/docs/outposts/integrations/docker.md +++ b/website/docs/outposts/integrations/docker.md 
@@ -8,37 +8,37 @@ This integration has the advantage over manual deployments of automatic updates The following outpost settings are used: -- `object_naming_template`: Configures how the container is called -- `container_image`: Optionally overwrites the standard container image (see [Configuration](../../installation/configuration.md) to configure the global default) -- `docker_network`: The docker network the container should be added to. This needs to be modified if you plan to connect to authentik using the internal hostname. -- `docker_map_ports`: Enable/disable the mapping of ports. When using a proxy outpost with traefik for example, you might not want to bind ports as they are routed through traefik. -- `docker_labels`: Optional additional labels that can be applied to the container. +- `object_naming_template`: Configures how the container is called +- `container_image`: Optionally overwrites the standard container image (see [Configuration](../../installation/configuration.md) to configure the global default) +- `docker_network`: The docker network the container should be added to. This needs to be modified if you plan to connect to authentik using the internal hostname. +- `docker_map_ports`: Enable/disable the mapping of ports. When using a proxy outpost with traefik for example, you might not want to bind ports as they are routed through traefik. +- `docker_labels`: Optional additional labels that can be applied to the container. The container is created with the following hardcoded properties: -- Labels +- Labels - - `io.goauthentik.outpost-uuid`: Used by authentik to identify the container, and to allow for name changes. + - `io.goauthentik.outpost-uuid`: Used by authentik to identify the container, and to allow for name changes. Additionally, the proxy outposts have the following extra labels to add themselves into traefik automatically. 
- - `traefik.enable`: "true" - - `traefik.http.routers.ak-outpost--router.rule`: `Host(...)` - - `traefik.http.routers.ak-outpost--router.service`: `ak-outpost--service` - - `traefik.http.routers.ak-outpost--router.tls`: "true" - - `traefik.http.services.ak-outpost--service.loadbalancer.healthcheck.path`: "/outpost.goauthentik.io/ping" - - `traefik.http.services.ak-outpost--service.loadbalancer.healthcheck.port`: "9300" - - `traefik.http.services.ak-outpost--service.loadbalancer.server.port`: "9000" + - `traefik.enable`: "true" + - `traefik.http.routers.ak-outpost--router.rule`: `Host(...)` + - `traefik.http.routers.ak-outpost--router.service`: `ak-outpost--service` + - `traefik.http.routers.ak-outpost--router.tls`: "true" + - `traefik.http.services.ak-outpost--service.loadbalancer.healthcheck.path`: "/outpost.goauthentik.io/ping" + - `traefik.http.services.ak-outpost--service.loadbalancer.healthcheck.port`: "9300" + - `traefik.http.services.ak-outpost--service.loadbalancer.server.port`: "9000" ## Permissions To minimise the potential risks of mapping the docker socket into a container/giving an application access to the docker API, many people use Projects like [docker-socket-proxy](https://github.com/Tecnativa/docker-socket-proxy). authentik requires these permissions from the docker API: -- Images/Pull: authentik tries to pre-pull the custom image if one is configured, otherwise falling back to the default image. -- Containers/Read: Gather infos about currently running container -- Containers/Create: Create new containers -- Containers/Kill: Cleanup during upgrades -- Containers/Remove: Removal of outposts +- Images/Pull: authentik tries to pre-pull the custom image if one is configured, otherwise falling back to the default image. +- Containers/Read: Gather infos about currently running container +- Containers/Create: Create new containers +- Containers/Kill: Cleanup during upgrades +- Containers/Remove: Removal of outposts ## Remote hosts (TLS) 
@@ -46,10 +46,10 @@ To connect remote hosts, you can follow this Guide from Docker [Use TLS (HTTPS) Afterwards, create two Certificate-keypairs in authentik: -- `Docker CA`, with the contents of `~/.docker/ca.pem` as Certificate -- `Docker Cert`, with the contents of `~/.docker/cert.pem` as Certificate and `~/.docker/key.pem` as Private key. +- `Docker CA`, with the contents of `~/.docker/ca.pem` as Certificate +- `Docker Cert`, with the contents of `~/.docker/cert.pem` as Certificate and `~/.docker/key.pem` as Private key. -Create an integration with `Docker CA` as *TLS Verification Certificate* and `Docker Cert` as *TLS Authentication Certificate*. +Create an integration with `Docker CA` as _TLS Verification Certificate_ and `Docker Cert` as _TLS Authentication Certificate_. ## Remote hosts (SSH) 
@@ -65,10 +65,10 @@ openssl req -x509 -sha256 -nodes -days 365 -out certificate.pem -key authentik You'll end up with three files: -- `authentik.pub` is the public key, this should be added to the `~/.ssh/authorized_keys` file on the target host and user. -- `authentik` is the private key, which should be imported into a Keypair in authentik. -- `certificate.pem` is the matching certificate for the keypair above. +- `authentik.pub` is the public key, this should be added to the `~/.ssh/authorized_keys` file on the target host and user. +- `authentik` is the private key, which should be imported into a Keypair in authentik. +- `certificate.pem` is the matching certificate for the keypair above. -Modify/create a new Docker integration, and set your *Docker URL* to `ssh://hostname`, and select the keypair you created above as *TLS Authentication Certificate/SSH Keypair*. +Modify/create a new Docker integration, and set your _Docker URL_ to `ssh://hostname`, and select the keypair you created above as _TLS Authentication Certificate/SSH Keypair_. -The *Docker URL* field include a user, if none is specified authentik connects with the user `authentik`. +The _Docker URL_ field include a user, if none is specified authentik connects with the user `authentik`. diff --git a/website/docs/outposts/integrations/kubernetes.md b/website/docs/outposts/integrations/kubernetes.md index 1147f5aa2..b8354f460 100644 --- a/website/docs/outposts/integrations/kubernetes.md +++ b/website/docs/outposts/integrations/kubernetes.md 
@@ -8,30 +8,30 @@ This integration has the advantage over manual deployments of automatic updates This integration creates the following objects: -- Deployment for the outpost container -- Service -- Secret to store the token -- Prometheus ServiceMonitor (if the Prometheus Operator is installed in the target cluster) -- Ingress (only Proxy outposts) -- Traefik Middleware (only Proxy outposts with forward auth enabled) +- Deployment for the outpost container +- Service +- Secret to store the token +- Prometheus ServiceMonitor (if the Prometheus Operator is installed in the target cluster) +- Ingress (only Proxy outposts) +- Traefik Middleware (only Proxy outposts with forward auth enabled) The following outpost settings are used: -- `object_naming_template`: Configures how the container is called -- `container_image`: Optionally overwrites the standard container image (see [Configuration](../../installation/configuration.md) to configure the global default) -- `kubernetes_replicas`: Replica count for the deployment of the outpost -- `kubernetes_namespace`: Namespace to deploy in, defaults to the same namespace authentik is deployed in (if available) -- `kubernetes_ingress_annotations`: Any additional annotations to add to the ingress object, for example cert-manager -- `kubernetes_ingress_secret_name`: Name of the secret that is used for TLS connections -- `kubernetes_service_type`: Service kind created, can be set to LoadBalancer for LDAP outposts for example -- `kubernetes_disabled_components`: Disable any components of the kubernetes integration, can be any of - - 'secret' - - 'deployment' - - 'service' - - 'prometheus servicemonitor' - - 'ingress' - - 'traefik middleware' -- `kubernetes_image_pull_secrets`: If the above docker image is in a private repository, use these secrets to pull. 
+- `object_naming_template`: Configures how the container is called +- `container_image`: Optionally overwrites the standard container image (see [Configuration](../../installation/configuration.md) to configure the global default) +- `kubernetes_replicas`: Replica count for the deployment of the outpost +- `kubernetes_namespace`: Namespace to deploy in, defaults to the same namespace authentik is deployed in (if available) +- `kubernetes_ingress_annotations`: Any additional annotations to add to the ingress object, for example cert-manager +- `kubernetes_ingress_secret_name`: Name of the secret that is used for TLS connections +- `kubernetes_service_type`: Service kind created, can be set to LoadBalancer for LDAP outposts for example +- `kubernetes_disabled_components`: Disable any components of the kubernetes integration, can be any of + - 'secret' + - 'deployment' + - 'service' + - 'prometheus servicemonitor' + - 'ingress' + - 'traefik middleware' +- `kubernetes_image_pull_secrets`: If the above docker image is in a private repository, use these secrets to pull. NOTE: The secret must be created manually in the namespace first. diff --git a/website/docs/outposts/manual-deploy-docker-compose.md b/website/docs/outposts/manual-deploy-docker-compose.md index 3cdb46624..814122f2c 100644 --- a/website/docs/outposts/manual-deploy-docker-compose.md +++ b/website/docs/outposts/manual-deploy-docker-compose.md 
@@ -12,25 +12,25 @@ You can also run the outpost in a separate docker-compose project, you just have version: "3.5" services: - authentik_proxy: - image: ghcr.io/goauthentik/proxy - # Optionally specify which networks the container should be - # might be needed to reach the core authentik server - # networks: - # - foo - ports: - - 4180:4180 - - 4443:4443 - # Starting in authentik 2021.9, use the ports below - # - 9000:9000 - # - 9443:9443 - environment: - AUTHENTIK_HOST: https://your-authentik.tld - AUTHENTIK_INSECURE: "false" - AUTHENTIK_TOKEN: token-generated-by-authentik - # Starting with 2021.9, you can optionally set this too - # when authentik_host for internal communication doesn't match the public URL - # AUTHENTIK_HOST_BROWSER: https://external-domain.tld + authentik_proxy: + image: ghcr.io/goauthentik/proxy + # Optionally specify which networks the container should be + # might be needed to reach the core authentik server + # networks: + # - foo + ports: + - 4180:4180 + - 4443:4443 + # Starting in authentik 2021.9, use the ports below + # - 9000:9000 + # - 9443:9443 + environment: + AUTHENTIK_HOST: https://your-authentik.tld + AUTHENTIK_INSECURE: "false" + AUTHENTIK_TOKEN: token-generated-by-authentik + # Starting with 2021.9, you can optionally set this too + # when authentik_host for internal communication doesn't match the public URL + # AUTHENTIK_HOST_BROWSER: https://external-domain.tld ``` ### LDAP outpost 
@@ -39,17 +39,17 @@ services: version: "3.5" services: - authentik_ldap: - image: ghcr.io/goauthentik/ldap - # Optionally specify which networks the container should be - # might be needed to reach the core authentik server - # networks: - # - foo - ports: - - 389:3389 - - 636:6636 - environment: - AUTHENTIK_HOST: https://your-authentik.tld - AUTHENTIK_INSECURE: "false" - AUTHENTIK_TOKEN: token-generated-by-authentik + authentik_ldap: + image: ghcr.io/goauthentik/ldap + # Optionally specify which networks the container should be + # might be needed to reach the core authentik server + # networks: + # - foo + ports: + - 389:3389 + - 636:6636 + environment: + AUTHENTIK_HOST: https://your-authentik.tld + AUTHENTIK_INSECURE: "false" + AUTHENTIK_TOKEN: token-generated-by-authentik ``` diff --git a/website/docs/policies/expression.mdx b/website/docs/policies/expression.mdx index bb102c201..1321e8b62 100644 --- a/website/docs/policies/expression.mdx +++ b/website/docs/policies/expression.mdx @@ -3,13 +3,17 @@ title: Expression Policies --- The passing of the policy is determined by the return value of the code. Use + ```python return True ``` + to pass a policy and + ```python return False ``` + to fail it. ## Available Functions @@ -31,10 +35,10 @@ Check if a user has any authenticator devices. Only fully validated devices are Optionally, you can filter a specific device type. The following options are valid: -- `totp` -- `duo` -- `static` -- `webauthn` +- `totp` +- `duo` +- `static` +- `webauthn` Example: @@ -44,7 +48,7 @@ return ak_user_has_authenticator(request.user) ### `ak_call_policy(name: str, **kwargs) -> PolicyResult` (2021.12+) -Call another policy with the name *name*. Current request is passed to policy. Key-word arguments +Call another policy with the name _name_. Current request is passed to policy. Key-word arguments can be used to modify the request's context. Example: 
@@ -59,24 +63,24 @@ result = ak_call_policy("test-policy-2", foo="bar") return result.passing ``` -import Functions from '../expressions/_functions.md' +import Functions from "../expressions/_functions.md"; ## Variables -import Objects from '../expressions/_objects.md' +import Objects from "../expressions/_objects.md"; -- `request`: A PolicyRequest object, which has the following properties: - - `request.user`: The current user, against which the policy is applied. See [User](../user-group/user.md#object-attributes) - - `request.http_request`: The Django HTTP Request. See ([Django documentation](https://docs.djangoproject.com/en/3.0/ref/request-response/#httprequest-objects)) - - `request.obj`: A Django Model instance. This is only set if the policy is ran against an object. - - `request.context`: A dictionary with dynamic data. This depends on the origin of the execution. -- `geoip`: GeoIP object, which is added when GeoIP is enabled. See [GeoIP](https://geoip2.readthedocs.io/en/latest/#geoip2.models.City) -- `ak_is_sso_flow`: Boolean which is true if request was initiated by authenticating through an external provider. -- `ak_client_ip`: Client's IP Address or 255.255.255.255 if no IP Address could be extracted. Can be [compared](#comparing-ip-addresses), for example +- `request`: A PolicyRequest object, which has the following properties: + - `request.user`: The current user, against which the policy is applied. See [User](../user-group/user.md#object-attributes) + - `request.http_request`: The Django HTTP Request. See ([Django documentation](https://docs.djangoproject.com/en/3.0/ref/request-response/#httprequest-objects)) + - `request.obj`: A Django Model instance. This is only set if the policy is ran against an object. + - `request.context`: A dictionary with dynamic data. This depends on the origin of the execution. +- `geoip`: GeoIP object, which is added when GeoIP is enabled. 
See [GeoIP](https://geoip2.readthedocs.io/en/latest/#geoip2.models.City) +- `ak_is_sso_flow`: Boolean which is true if request was initiated by authenticating through an external provider. +- `ak_client_ip`: Client's IP Address or 255.255.255.255 if no IP Address could be extracted. Can be [compared](#comparing-ip-addresses), for example ```python return ak_client_ip in ip_network('10.0.0.0/24') @@ -90,19 +94,20 @@ Additionally, when the policy is executed from a flow, every variable from the f This includes the following: -- `context['prompt_data']`: Data which has been saved from a prompt stage or an external source. -- `context['application']`: The application the user is in the process of authorizing. -- `context['pending_user']`: The currently pending user, see [User](../user-group/user.md#object-attributes) -- `context['auth_method']`: Authentication method set (this value is set by password stages) +- `context['prompt_data']`: Data which has been saved from a prompt stage or an external source. +- `context['application']`: The application the user is in the process of authorizing. +- `context['pending_user']`: The currently pending user, see [User](../user-group/user.md#object-attributes) +- `context['auth_method']`: Authentication method set (this value is set by password stages) Depending on method, `context['auth_method_args']` is also set. Can be any of: - - `password`: Standard password login - - `app_password`: App password (token) + - `password`: Standard password login + - `app_password`: App password (token) Sets `context['auth_method_args']` to + ```json { "token": { @@ -113,9 +118,11 @@ This includes the following: } } ``` - - `ldap`: LDAP bind authentication + + - `ldap`: LDAP bind authentication Sets `context['auth_method_args']` to + ```json { "source": {} // Information about the source used diff --git a/website/docs/policies/index.md b/website/docs/policies/index.md index c3807a32b..5dc3e9eee 100644 --- a/website/docs/policies/index.md 
+++ b/website/docs/policies/index.md @@ -23,11 +23,11 @@ This policy can enforce regular password rotation by expiring set passwords afte This policy allows you to specify password rules, such as length and required characters. The following rules can be set: -- Minimum amount of uppercase characters. -- Minimum amount of lowercase characters. -- Minimum amount of symbols characters. -- Minimum length. -- Symbol charset (define which characters are counted as symbols). +- Minimum amount of uppercase characters. +- Minimum amount of lowercase characters. +- Minimum amount of symbols characters. +- Minimum length. +- Symbol charset (define which characters are counted as symbols). ## Reputation Policy diff --git a/website/docs/property-mappings/expression.mdx b/website/docs/property-mappings/expression.mdx index c8c0e36bb..566d6b11f 100644 --- a/website/docs/property-mappings/expression.mdx +++ b/website/docs/property-mappings/expression.mdx 
@@ -4,22 +4,21 @@ title: Expressions The property mapping should return a value that is expected by the Provider/Source. Supported types are documented in the individual Provider/Source. Returning `None` is always accepted and would simply skip the mapping for which `None` was returned. - ## Available Functions -import Functions from '../expressions/_functions.md' +import Functions from "../expressions/_functions.md"; ## Variables -import Objects from '../expressions/_objects.md' +import Objects from "../expressions/_objects.md"; -import User from '../expressions/_user.md' +import User from "../expressions/_user.md"; -- `request`: The current request. This may be `None` if there is no contextual request. See ([Django documentation](https://docs.djangoproject.com/en/3.0/ref/request-response/#httprequest-objects)) -- Other arbitrary arguments given by the provider, this is documented on the Provider/Source. +- `request`: The current request. This may be `None` if there is no contextual request. See ([Django documentation](https://docs.djangoproject.com/en/3.0/ref/request-response/#httprequest-objects)) +- Other arbitrary arguments given by the provider, this is documented on the Provider/Source. diff --git a/website/docs/property-mappings/index.md b/website/docs/property-mappings/index.md index 61da532bb..87b31611b 100644 --- a/website/docs/property-mappings/index.md +++ b/website/docs/property-mappings/index.md 
@@ -12,14 +12,14 @@ SAML Property Mappings allow you embed information into the SAML AuthN request. LDAP Property Mappings are used when you define a LDAP Source. These mappings define which LDAP property maps to which authentik property. By default, the following mappings are created: -- authentik default Active Directory Mapping: givenName -- authentik default Active Directory Mapping: sAMAccountName -- authentik default Active Directory Mapping: sn -- authentik default Active Directory Mapping: userPrincipalName -- authentik default LDAP Mapping: mail -- authentik default LDAP Mapping: Name -- authentik default OpenLDAP Mapping: cn -- authentik default OpenLDAP Mapping: uid +- authentik default Active Directory Mapping: givenName +- authentik default Active Directory Mapping: sAMAccountName +- authentik default Active Directory Mapping: sn +- authentik default Active Directory Mapping: userPrincipalName +- authentik default LDAP Mapping: mail +- authentik default LDAP Mapping: Name +- authentik default OpenLDAP Mapping: cn +- authentik default OpenLDAP Mapping: uid These are configured with most common LDAP setups. diff --git a/website/docs/providers/ldap.md b/website/docs/providers/ldap.md index 8a5692a1b..d0b2a2879 100644 --- a/website/docs/providers/ldap.md +++ b/website/docs/providers/ldap.md 
@@ -35,29 +35,29 @@ ldapsearch \ The following fields are currently sent for users: -- `cn`: User's username -- `uid`: Unique user identifier -- `uidNumber`: A unique numeric identifier for the user -- `name`: User's name -- `displayName`: User's name -- `mail`: User's email address -- `objectClass`: A list of these strings: - - "user" - - "organizationalPerson" - - "goauthentik.io/ldap/user" -- `memberOf`: A list of all DNs that the user is a member of -- `goauthentik.io/ldap/active`: "true" if the account is active, otherwise "false" -- `goauthentik.io/ldap/superuser`: "true" if the account is part of a group with superuser permissions, otherwise "false" +- `cn`: User's username +- `uid`: Unique user identifier +- `uidNumber`: A unique numeric identifier for the user +- `name`: User's name +- `displayName`: User's name +- `mail`: User's email address +- `objectClass`: A list of these strings: + - "user" + - "organizationalPerson" + - "goauthentik.io/ldap/user" +- `memberOf`: A list of all DNs that the user is a member of +- `goauthentik.io/ldap/active`: "true" if the account is active, otherwise "false" +- `goauthentik.io/ldap/superuser`: "true" if the account is part of a group with superuser permissions, otherwise "false" The following fields are current set for groups: -- `cn`: The group's name -- `uid`: Unique group identifier -- `gidNumber`: A unique numeric identifier for the group -- `member`: A list of all DNs of the groups members -- `objectClass`: A list of these strings: - - "group" - - "goauthentik.io/ldap/group" +- `cn`: The group's name +- `uid`: Unique group identifier +- `gidNumber`: A unique numeric identifier for the group +- `member`: A list of all DNs of the groups members +- `objectClass`: A list of these strings: + - "group" + - "goauthentik.io/ldap/group" A virtual group is also created for each user, they have the same fields as groups but have an additional objectClass: `goauthentik.io/ldap/virtual-group`. 
The virtual groups gidNumber is equal to the uidNumber of the user. @@ -85,11 +85,11 @@ All bind modes rely on flows. The following stages are supported: - - [Identification](../flow/stages/identification/) - - [Password](../flow/stages/password/) - - [Authenticator validation](../flow/stages/authenticator_validate/) +- [Identification](../flow/stages/identification/) +- [Password](../flow/stages/password/) +- [Authenticator validation](../flow/stages/authenticator_validate/) - Note: Authenticator validation currently only supports DUO devices + Note: Authenticator validation currently only supports DUO devices #### Direct bind @@ -97,7 +97,7 @@ In this mode, the outpost will always execute the configured flow when a new bin #### Cached bind -This mode uses the same logic as direct bind, however the result is cached for the entered credentials, and saved in memory for the standard session duration. Sessions are saved independently, meaning that revoking sessions does *not* remove them from the outpost, and neither will changing a users credentials. +This mode uses the same logic as direct bind, however the result is cached for the entered credentials, and saved in memory for the standard session duration. Sessions are saved independently, meaning that revoking sessions does _not_ remove them from the outpost, and neither will changing a users credentials. ## Search Modes diff --git a/website/docs/providers/oauth2/client_credentials.md b/website/docs/providers/oauth2/client_credentials.md index bb6ef70bb..c0f3a1ec9 100644 --- a/website/docs/providers/oauth2/client_credentials.md +++ b/website/docs/providers/oauth2/client_credentials.md 
@@ -6,7 +6,7 @@ Note that authentik does treat a grant type of `password` the same as `client_cr ### Static authentication -Hence identification is based on service-accounts, and authentication is based on App-password tokens. These objects can be created in a single step using the *Create Service account* function. +Hence identification is based on service-accounts, and authentication is based on App-password tokens. These objects can be created in a single step using the _Create Service account_ function. An example request can look like this: @@ -29,7 +29,7 @@ Starting with authentik 2022.4, you can authenticate and get a token using an ex (For readability we will refer to the JWT issued by the external issuer/platform as input JWT, and the resulting JWT from authentik as the output JWT) -To configure this, the certificate used to sign the input JWT must be created in authentik. The certificate is enough, a private key is not required. Afterwards, configure the certificate in the OAuth2 provider settings under *Verification certificates*. +To configure this, the certificate used to sign the input JWT must be created in authentik. The certificate is enough, a private key is not required. Afterwards, configure the certificate in the OAuth2 provider settings under _Verification certificates_. With this configure, any JWT issued by the configured certificates can be used to authenticate: 
@@ -46,9 +46,9 @@ client_id=application_client_id Alternatively, you can set the `client_secret` parameter to the `$inputJWT`, for applications which can set the password from a file but not other parameters. -Input JWTs are checked to be signed by any of the selected *Verification certificates*, and their `exp` attribute must not be now or in the past. +Input JWTs are checked to be signed by any of the selected _Verification certificates_, and their `exp` attribute must not be now or in the past. -To do additional checks, you can use *[Expression policies](../../policies/expression)*: +To do additional checks, you can use _[Expression policies](../../policies/expression)_: ```python return request.context["oauth_jwt"]["iss"] == "https://my.issuer" diff --git a/website/docs/providers/proxy/_nginx_ingress.md b/website/docs/providers/proxy/_nginx_ingress.md index 2eb4b6d85..4da3c30b1 100644 --- a/website/docs/providers/proxy/_nginx_ingress.md +++ b/website/docs/providers/proxy/_nginx_ingress.md @@ -4,18 +4,18 @@ Create a new ingress for the outpost apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: - name: authentik-outpost + name: authentik-outpost spec: - rules: - - host: app.company - http: - paths: - - backend: - # Or, to use an external Outpost, create an ExternalName service and reference that here. - # See https://kubernetes.io/docs/concepts/services-networking/service/#externalname - serviceName: ak-outpost-example-outpost - servicePort: 9000 - path: /outpost.goauthentik.io + rules: + - host: app.company + http: + paths: + - backend: + # Or, to use an external Outpost, create an ExternalName service and reference that here. + # See https://kubernetes.io/docs/concepts/services-networking/service/#externalname + serviceName: ak-outpost-example-outpost + servicePort: 9000 + path: /outpost.goauthentik.io ``` This ingress handles authentication requests, and the sign-in flow. 
@@ -24,14 +24,14 @@ Add these annotations to the ingress you want to protect ```yaml metadata: - annotations: - nginx.ingress.kubernetes.io/auth-url: |- - http://outpost.company:9000/outpost.goauthentik.io/auth/nginx - # If you're using domain-level auth, use the authentication URL instead of the application URL - nginx.ingress.kubernetes.io/auth-signin: |- - https://app.company/outpost.goauthentik.io/start?rd=$escaped_request_uri - nginx.ingress.kubernetes.io/auth-response-headers: |- - Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid - nginx.ingress.kubernetes.io/auth-snippet: | - proxy_set_header X-Forwarded-Host $http_host; + annotations: + nginx.ingress.kubernetes.io/auth-url: |- + http://outpost.company:9000/outpost.goauthentik.io/auth/nginx + # If you're using domain-level auth, use the authentication URL instead of the application URL + nginx.ingress.kubernetes.io/auth-signin: |- + https://app.company/outpost.goauthentik.io/start?rd=$escaped_request_uri + nginx.ingress.kubernetes.io/auth-response-headers: |- + Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid + nginx.ingress.kubernetes.io/auth-snippet: | + proxy_set_header X-Forwarded-Host $http_host; ``` diff --git a/website/docs/providers/proxy/_nginx_standalone.md b/website/docs/providers/proxy/_nginx_standalone.md index 3b1934352..1c881c3bb 100644 --- a/website/docs/providers/proxy/_nginx_standalone.md +++ b/website/docs/providers/proxy/_nginx_standalone.md @@ -1,4 +1,3 @@ - ``` server { # SSL and VHost configuration diff --git a/website/docs/providers/proxy/_traefik_compose.md b/website/docs/providers/proxy/_traefik_compose.md index 808e617f4..146d12aed 100644 --- a/website/docs/providers/proxy/_traefik_compose.md +++ b/website/docs/providers/proxy/_traefik_compose.md 
@@ -1,47 +1,46 @@ - ```yaml -version: '3.7' +version: "3.7" services: - traefik: - image: traefik:v2.2 - container_name: traefik - volumes: - - /var/run/docker.sock:/var/run/docker.sock - ports: - - 80:80 - command: - - '--api' - - '--providers.docker=true' - - '--providers.docker.exposedByDefault=false' - - "--entrypoints.web.address=:80" + traefik: + image: traefik:v2.2 + container_name: traefik + volumes: + - /var/run/docker.sock:/var/run/docker.sock + ports: + - 80:80 + command: + - "--api" + - "--providers.docker=true" + - "--providers.docker.exposedByDefault=false" + - "--entrypoints.web.address=:80" - authentik-proxy: - image: ghcr.io/goauthentik/proxy - ports: - - 9000:9000 - - 9443:9443 - environment: - AUTHENTIK_HOST: https://your-authentik.tld - AUTHENTIK_INSECURE: "false" - AUTHENTIK_TOKEN: token-generated-by-authentik - # Starting with 2021.9, you can optionally set this too - # when authentik_host for internal communication doesn't match the public URL - # AUTHENTIK_HOST_BROWSER: https://external-domain.tld - labels: - traefik.enable: true - traefik.port: 9000 - traefik.http.routers.authentik.rule: Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`) - # `authentik-proxy` refers to the service name in the compose file. 
- traefik.http.middlewares.authentik.forwardauth.address: http://authentik-proxy:9000/outpost.goauthentik.io/auth/traefik - traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true - traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version - restart: unless-stopped + authentik-proxy: + image: ghcr.io/goauthentik/proxy + ports: + - 9000:9000 + - 9443:9443 + environment: + AUTHENTIK_HOST: https://your-authentik.tld + AUTHENTIK_INSECURE: "false" + AUTHENTIK_TOKEN: token-generated-by-authentik + # Starting with 2021.9, you can optionally set this too + # when authentik_host for internal communication doesn't match the public URL + # AUTHENTIK_HOST_BROWSER: https://external-domain.tld + labels: + traefik.enable: true + traefik.port: 9000 + traefik.http.routers.authentik.rule: Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`) + # `authentik-proxy` refers to the service name in the compose file. 
+ traefik.http.middlewares.authentik.forwardauth.address: http://authentik-proxy:9000/outpost.goauthentik.io/auth/traefik + traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true + traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version + restart: unless-stopped - whoami: - image: containous/whoami - labels: - traefik.enable: true - traefik.http.routers.whoami.rule: Host(`app.company`) - traefik.http.routers.whoami.middlewares: authentik@docker - restart: unless-stopped + whoami: + image: containous/whoami + labels: + traefik.enable: true + traefik.http.routers.whoami.rule: Host(`app.company`) + traefik.http.routers.whoami.middlewares: authentik@docker + restart: unless-stopped ``` diff --git a/website/docs/providers/proxy/_traefik_ingress.md b/website/docs/providers/proxy/_traefik_ingress.md index c48e626e7..b3f54c542 100644 --- a/website/docs/providers/proxy/_traefik_ingress.md +++ b/website/docs/providers/proxy/_traefik_ingress.md 
@@ -4,23 +4,23 @@ Create a middleware: apiVersion: traefik.containo.us/v1alpha1 kind: Middleware metadata: - name: authentik + name: authentik spec: - forwardAuth: - address: http://outpost.company:9000/outpost.goauthentik.io/auth/traefik - trustForwardHeader: true - authResponseHeaders: - - X-authentik-username - - X-authentik-groups - - X-authentik-email - - X-authentik-name - - X-authentik-uid - - X-authentik-jwt - - X-authentik-meta-jwks - - X-authentik-meta-outpost - - X-authentik-meta-provider - - X-authentik-meta-app - - X-authentik-meta-version + forwardAuth: + address: http://outpost.company:9000/outpost.goauthentik.io/auth/traefik + trustForwardHeader: true + authResponseHeaders: + - X-authentik-username + - X-authentik-groups + - X-authentik-email + - X-authentik-name + - X-authentik-uid + - X-authentik-jwt + - X-authentik-meta-jwks + - X-authentik-meta-outpost + - X-authentik-meta-provider + - X-authentik-meta-app + - X-authentik-meta-version ``` Add the following settings to your IngressRoute 
@@ -31,22 +31,22 @@ See [here](https://doc.traefik.io/traefik/v2.4/providers/kubernetes-crd/#allowcr ```yaml spec: - routes: - - kind: Rule - match: "Host(`app.company`)" - middlewares: - - name: authentik - namespace: authentik - priority: 10 - services: # Unchanged - # This part is only required for single-app setups - - kind: Rule - match: "Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`)" - priority: 15 - services: - - kind: Service - # Or, to use an external Outpost, create an ExternalName service and reference that here. - # See https://kubernetes.io/docs/concepts/services-networking/service/#externalname - name: ak-outpost-example-outpost - port: 9000 + routes: + - kind: Rule + match: "Host(`app.company`)" + middlewares: + - name: authentik + namespace: authentik + priority: 10 + services: # Unchanged + # This part is only required for single-app setups + - kind: Rule + match: "Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`)" + priority: 15 + services: + - kind: Service + # Or, to use an external Outpost, create an ExternalName service and reference that here. + # See https://kubernetes.io/docs/concepts/services-networking/service/#externalname + name: ak-outpost-example-outpost + port: 9000 ``` diff --git a/website/docs/providers/proxy/_traefik_standalone.md b/website/docs/providers/proxy/_traefik_standalone.md index 6fb1610c3..16579fcde 100644 --- a/website/docs/providers/proxy/_traefik_standalone.md +++ b/website/docs/providers/proxy/_traefik_standalone.md 
@@ -1,31 +1,31 @@ ```yaml http: - middlewares: - authentik: - forwardAuth: - address: http://outpost.company:9000/outpost.goauthentik.io/auth/traefik - trustForwardHeader: true - authResponseHeaders: - - X-authentik-username - - X-authentik-groups - - X-authentik-email - - X-authentik-name - - X-authentik-uid - - X-authentik-jwt - - X-authentik-meta-jwks - - X-authentik-meta-outpost - - X-authentik-meta-provider - - X-authentik-meta-app - - X-authentik-meta-version - routers: - default-router: - rule: "Host(`app.company`)" - middlewares: - - name: authentik - priority: 10 - services: # Unchanged - default-router-auth: - match: "Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`)" - priority: 15 - services: http://outpost.company:9000/outpost.goauthentik.io + middlewares: + authentik: + forwardAuth: + address: http://outpost.company:9000/outpost.goauthentik.io/auth/traefik + trustForwardHeader: true + authResponseHeaders: + - X-authentik-username + - X-authentik-groups + - X-authentik-email + - X-authentik-name + - X-authentik-uid + - X-authentik-jwt + - X-authentik-meta-jwks + - X-authentik-meta-outpost + - X-authentik-meta-provider + - X-authentik-meta-app + - X-authentik-meta-version + routers: + default-router: + rule: "Host(`app.company`)" + middlewares: + - name: authentik + priority: 10 + services: # Unchanged + default-router-auth: + match: "Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`)" + priority: 15 + services: http://outpost.company:9000/outpost.goauthentik.io ``` diff --git a/website/docs/providers/proxy/custom_headers.md b/website/docs/providers/proxy/custom_headers.md index 4fa39d39f..581c82e8c 100644 --- a/website/docs/providers/proxy/custom_headers.md +++ b/website/docs/providers/proxy/custom_headers.md 
@@ -4,8 +4,8 @@ title: Custom headers The proxy can send custom headers to your upstream application. These can be configured in one of two ways: -- Group attributes; this allows for inheritance, but only allows static values -- Property mappings; this allows for dynamic values +- Group attributes; this allows for inheritance, but only allows static values +- Property mappings; this allows for dynamic values ## Group attributes diff --git a/website/docs/providers/proxy/forward_auth.mdx b/website/docs/providers/proxy/forward_auth.mdx index 84d03c474..76547dda3 100644 --- a/website/docs/providers/proxy/forward_auth.mdx +++ b/website/docs/providers/proxy/forward_auth.mdx @@ -16,11 +16,12 @@ has the advantage that you can still do per-application access policies in authe ## Domain level To use forward auth instead of proxying, you have to change a couple of settings. -In the Proxy Provider, make sure to use the *Forward auth (domain level)* mode. +In the Proxy Provider, make sure to use the _Forward auth (domain level)_ mode. -This mode differs from the *Forward auth (single application)* mode in the following points: -- You don't have to configure an application in authentik for each domain -- Users don't have to authorize multiple times +This mode differs from the _Forward auth (single application)_ mode in the following points: + +- You don't have to configure an application in authentik for each domain +- Users don't have to authorize multiple times There are however also some downsides, mainly the fact that you **can't** restrict individual applications to different users. 
@@ -33,16 +34,16 @@ is redirected to the outpost. For domain level, you'd use the same domain as authentik. :::info -*example-outpost* is used as a placeholder for the outpost name. -*authentik.company* is used as a placeholder for the authentik install. -*app.company* is used as a placeholder for the external domain for the application. -*outpost.company* is used as a placeholder for the outpost. When using the embedded outpost, this can be the same as *authentik.company* +_example-outpost_ is used as a placeholder for the outpost name. +_authentik.company_ is used as a placeholder for the authentik install. +_app.company_ is used as a placeholder for the external domain for the application. +_outpost.company_ is used as a placeholder for the outpost. When using the embedded outpost, this can be the same as _authentik.company_ ::: ## Nginx -import Tabs from '@theme/Tabs'; -import TabItem from '@theme/TabItem'; +import Tabs from "@theme/Tabs"; +import TabItem from "@theme/TabItem"; -import NginxStandalone from './_nginx_standalone.md' +import NginxStandalone from "./_nginx_standalone.md"; -import NginxIngress from './_nginx_ingress.md' +import NginxIngress from "./_nginx_ingress.md"; -import NginxProxyManager from './_nginx_proxy_manager.md' +import NginxProxyManager from "./_nginx_proxy_manager.md"; @@ -85,21 +86,21 @@ import NginxProxyManager from './_nginx_proxy_manager.md' ]}> -import TraefikStandalone from './_traefik_standalone.md' +import TraefikStandalone from "./_traefik_standalone.md"; -import TraefikCompose from './_traefik_compose.md' +import TraefikCompose from "./_traefik_compose.md"; -import TraefikIngress from './_traefik_ingress.md' +import TraefikIngress from "./_traefik_ingress.md"; diff --git a/website/docs/providers/proxy/proxy.md b/website/docs/providers/proxy/proxy.md index 66b97dd4b..e295d4e74 100644 --- a/website/docs/providers/proxy/proxy.md +++ b/website/docs/providers/proxy/proxy.md 
@@ -4,51 +4,51 @@ title: Overview The proxy outpost sets the following user-specific headers: -- X-authentik-username: `akadmin` +- X-authentik-username: `akadmin` The username of the currently logged in user -- X-authentik-groups: `foo|bar|baz` +- X-authentik-groups: `foo|bar|baz` The groups the user is member of, separated by a pipe -- X-authentik-email: `root@localhost` +- X-authentik-email: `root@localhost` The email address of the currently logged in user -- X-authentik-name: `authentik Default Admin` +- X-authentik-name: `authentik Default Admin` Full name of the current user -- X-authentik-uid: `900347b8a29876b45ca6f75722635ecfedf0e931c6022e3a29a8aa13fb5516fb` +- X-authentik-uid: `900347b8a29876b45ca6f75722635ecfedf0e931c6022e3a29a8aa13fb5516fb` The hashed identifier of the currently logged in user. Additionally, you can set `additionalHeaders` on groups or users to set additional headers. -If you enable *Set HTTP-Basic Authentication* option, the HTTP Authorization header is being set. +If you enable _Set HTTP-Basic Authentication_ option, the HTTP Authorization header is being set. Besides these user-specific headers, some application specific headers are also set: -- X-authentik-meta-outpost: `authentik Embedded Outpost` +- X-authentik-meta-outpost: `authentik Embedded Outpost` The authentik outpost's name. -- X-authentik-meta-provider: `test` +- X-authentik-meta-provider: `test` The authentik provider's name. -- X-authentik-meta-app: `test` +- X-authentik-meta-app: `test` The authentik application's slug. -- X-authentik-meta-version: `goauthentik.io/outpost/1.2.3` +- X-authentik-meta-version: `goauthentik.io/outpost/1.2.3` The authentik outpost's version. ### Only in proxy mode -- X-Forwarded-Host: +- X-Forwarded-Host: The original Host header sent by the client. This is set as the `Host` header is set to the host of the configured backend. 
@@ -72,7 +72,7 @@ To log out, navigate to `/outpost.goauthentik.io/sign_out`. ## Allowing unauthenticated requests -To allow un-authenticated requests to certain paths/URLs, you can use the *Unauthenticated URLs* / *Unauthenticated Paths* field. +To allow un-authenticated requests to certain paths/URLs, you can use the _Unauthenticated URLs_ / _Unauthenticated Paths_ field. Each new line is interpreted as a regular expression, and is compiled and checked using the standard Golang regex parser. @@ -88,7 +88,7 @@ In this mode, the regular expressions are matched against the Request's full URL ## Dynamic backend selection -You can configure the backend the proxy should access dynamically via *Scope mappings*. To do so, create a new *Scope mapping*, with a name and scope of your choice. As expression, use this: +You can configure the backend the proxy should access dynamically via _Scope mappings_. To do so, create a new _Scope mapping_, with a name and scope of your choice. As expression, use this: ```python return { @@ -98,4 +98,4 @@ return { } ``` -Afterwards, edit the *Proxy provider* and add this new mapping. The expression is only evaluated when the user logs into the application. +Afterwards, edit the _Proxy provider_ and add this new mapping. The expression is only evaluated when the user logs into the application. diff --git a/website/docs/providers/saml.md b/website/docs/providers/saml.md index 0d5351450..83adf3df6 100644 --- a/website/docs/providers/saml.md +++ b/website/docs/providers/saml.md 
@@ -5,12 +5,12 @@ title: SAML Provider This provider allows you to integrate enterprise software using the SAML2 Protocol. It supports signed requests and uses [Property Mappings](../property-mappings/#saml-property-mapping) to determine which fields are exposed and what values they return. This makes it possible to expose vendor-specific fields. Default fields are exposed through auto-generated Property Mappings, which are prefixed with "authentik default". -| Endpoint | URL | -| ---------------------- | -------------------------------------------------------------- | -| SSO (Redirect binding) | `/application/saml//sso/binding/redirect/` | -| SSO (POST binding) | `/application/saml//sso/binding/post/` | -| IdP-initiated login | `/application/saml//sso/binding/init/` | -| Metadata Download | `/api/v3/providers/saml//metadata/?download/`| +| Endpoint | URL | +| ---------------------- | ------------------------------------------------------------ | +| SSO (Redirect binding) | `/application/saml//sso/binding/redirect/` | +| SSO (POST binding) | `/application/saml//sso/binding/post/` | +| IdP-initiated login | `/application/saml//sso/binding/init/` | +| Metadata Download | `/api/v3/providers/saml//metadata/?download/` | You can download the metadata through the Webinterface, this link might be handy if your software wants to download the metadata directly. 
@@ -20,8 +20,8 @@ The metadata download link can also be copied with a button on the provider over You can select a custom SAML Property Mapping after which the NameID field will be generated. If left default, the following checks are done: -- When the request asks for `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`, the NameID will be set to the user's email address. -- When the request asks for `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`, the NameID will be set to the hashed user ID. -- When the request asks for `urn:oasis:names:tc:SAML:2.0:nameid-format:X509SubjectName`, the NameID will be set to the user's `distinguishedName` attribute. This attribute is set by the LDAP source by default. If the attribute does not exist, it will fall back the persistent identifier. -- When the request asks for `urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName`, the NameID will be set to the user's UPN. This is also set by the LDAP source, and also falls back to the persistent identifier. -- When the request asks for `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`, the NameID will be set based on the user's session ID. +- When the request asks for `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`, the NameID will be set to the user's email address. +- When the request asks for `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`, the NameID will be set to the hashed user ID. +- When the request asks for `urn:oasis:names:tc:SAML:2.0:nameid-format:X509SubjectName`, the NameID will be set to the user's `distinguishedName` attribute. This attribute is set by the LDAP source by default. If the attribute does not exist, it will fall back the persistent identifier. +- When the request asks for `urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName`, the NameID will be set to the user's UPN. This is also set by the LDAP source, and also falls back to the persistent identifier. 
+- When the request asks for `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`, the NameID will be set based on the user's session ID. diff --git a/website/docs/releases/_template.md b/website/docs/releases/_template.md index a50880b17..4a544ab59 100644 --- a/website/docs/releases/_template.md +++ b/website/docs/releases/_template.md @@ -23,6 +23,6 @@ Update your values to use the new images: ```yaml image: - repository: ghcr.io/goauthentik/server - tag: xxxx.x.1 + repository: ghcr.io/goauthentik/server + tag: xxxx.x.1 ``` diff --git a/website/docs/releases/v0.10.md b/website/docs/releases/v0.10.md index 5446eefd7..191b48395 100644 --- a/website/docs/releases/v0.10.md +++ b/website/docs/releases/v0.10.md 
@@ -5,33 +5,33 @@ slug: "0.10" This update brings a lot of big features, such as: -- New OAuth2/OpenID Provider +- New OAuth2/OpenID Provider This new provider merges both OAuth2 and OpenID. It is based on the codebase of the old provider, which has been simplified and cleaned from the ground up. Support for Property Mappings has also been added. Because of this change, OpenID and OAuth2 Providers will have to be re-created. -- Proxy Provider +- Proxy Provider Due to this new OAuth2 Provider, the Application Gateway Provider, now simply called "Proxy Provider" has been revamped as well. The new authentik Proxy integrates more tightly with authentik via the new Outposts system. The new proxy also supports multiple applications per proxy instance, can configure TLS based on authentik Keypairs, and more. See [Proxy](../providers/proxy/proxy.md) -- Outpost System +- Outpost System This is a new Object type, currently used only by the Proxy Provider. It manages the creation and permissions of service accounts, which are used by the outposts to communicate with authentik. See [Outposts](../outposts/) -- Flow Import/Export +- Flow Import/Export Flows can now be imported and exported. This feature can be used as a backup system, or to share complex flows with other people. Example flows have also been added to the documentation to help you get going with authentik. ## Under the hood -- authentik now runs on Django 3.1 and Channels with complete ASGI enabled -- uwsgi has been replaced with Gunicorn and uvicorn -- Elastic APM has been replaced with Sentry Performance metrics -- Flow title is now configurable separately from the name -- All logging output is now json +- authentik now runs on Django 3.1 and Channels with complete ASGI enabled +- uwsgi has been replaced with Gunicorn and uvicorn +- Elastic APM has been replaced with Sentry Performance metrics +- Flow title is now configurable separately from the name +- All logging output is now json ## Upgrading 
@@ -55,7 +55,7 @@ docker-compose up -d A few options have changed: -- `error_reporting` was changed from a simple boolean to a dictionary: +- `error_reporting` was changed from a simple boolean to a dictionary: ```yaml error_reporting: @@ -64,8 +64,8 @@ error_reporting: send_pii: false ``` -- The `apm` and `monitoring` blocks have been removed. -- `serverReplicas` and `workerReplicas` have been added +- The `apm` and `monitoring` blocks have been removed. +- `serverReplicas` and `workerReplicas` have been added ### Upgrading diff --git a/website/docs/releases/v0.11.md b/website/docs/releases/v0.11.md index a1608bc19..2a6ec08ef 100644 --- a/website/docs/releases/v0.11.md +++ b/website/docs/releases/v0.11.md 
@@ -5,18 +5,18 @@ slug: "0.11" This update brings these headline features: -- Add Backup and Restore, currently only externally schedulable, documented [here](https://github.com/goauthentik/authentik/blob/version-2022.1/website/docs/maintenance/backups/index.md) -- New Admin Dashboard with more metrics and Charts +- Add Backup and Restore, currently only externally schedulable, documented [here](https://github.com/goauthentik/authentik/blob/version-2022.1/website/docs/maintenance/backups/index.md) +- New Admin Dashboard with more metrics and Charts Shows successful and failed logins from the last 24 hours, as well as the most used applications -- Add search to all table views -- Outpost now supports a Docker Controller, which installs the Outpost on the same host as authentik, updates and manages it -- Add Token Identifier +- Add search to all table views +- Outpost now supports a Docker Controller, which installs the Outpost on the same host as authentik, updates and manages it +- Add Token Identifier Tokens now have an identifier which is used to reference to them, so the Primary key is not shown in URLs -- `core/applications/list` API now shows applications the user has access to via policies +- `core/applications/list` API now shows applications the user has access to via policies ## Upgrading diff --git a/website/docs/releases/v0.12.md b/website/docs/releases/v0.12.md index de89d6be5..1c7cf73f1 100644 --- a/website/docs/releases/v0.12.md +++ b/website/docs/releases/v0.12.md 
@@ -5,17 +5,17 @@ slug: "0.12" This update brings these headline features: -- Rewrite Outpost state Logic, which now supports multiple concurrent Outpost instances. -- Add Kubernetes Integration for Outposts, which deploys and maintains Outposts with High Availability in a Kubernetes Cluster -- Add System Task Overview to see all background tasks, their status, the log output, and retry them -- Alerts now disappear automatically -- Audit Logs are now searchable -- Users can now create their own Tokens to access the API -- docker-compose deployment now uses traefik 2.3 +- Rewrite Outpost state Logic, which now supports multiple concurrent Outpost instances. +- Add Kubernetes Integration for Outposts, which deploys and maintains Outposts with High Availability in a Kubernetes Cluster +- Add System Task Overview to see all background tasks, their status, the log output, and retry them +- Alerts now disappear automatically +- Audit Logs are now searchable +- Users can now create their own Tokens to access the API +- docker-compose deployment now uses traefik 2.3 Fixes: -- Fix high CPU Usage of the proxy when Websocket connections fail +- Fix high CPU Usage of the proxy when Websocket connections fail ## Upgrading diff --git a/website/docs/releases/v0.13.md b/website/docs/releases/v0.13.md index 7007952f0..bf562dc86 100644 --- a/website/docs/releases/v0.13.md +++ b/website/docs/releases/v0.13.md 
@@ -7,19 +7,19 @@ After a long back and forth, we've finally switched to a more permanent name. Wh # Headline changes -- New name (https://github.com/goauthentik/authentik/pull/361) -- The web interface is now a semi-SPA Experience. This means that most operations are done through Asynchronous requests +- New name (https://github.com/goauthentik/authentik/pull/361) +- The web interface is now a semi-SPA Experience. This means that most operations are done through Asynchronous requests In this initial release, this brings features such as a refresh button, a generally better User experience due to shorter loading times and fewer visual context changes. -- The web interface now has a darkmode, which is enabled automatically based on your Operating system darkmode. -- Application Icons can now be uploaded directly to authentik, rather than just being loaded from a URL +- The web interface now has a darkmode, which is enabled automatically based on your Operating system darkmode. +- Application Icons can now be uploaded directly to authentik, rather than just being loaded from a URL ## Smaller changes -- Add better support for Docker Service Connections with Certificates -- Fix application API not returning the same format as other APIs +- Add better support for Docker Service Connections with Certificates +- Fix application API not returning the same format as other APIs ## Upgrading 
@@ -29,10 +29,11 @@ Docker-compose users should download the latest docker-compose file from [here]( :::caution If you decided to rename the folder you're running the docker-compose file from, be aware that this will also change the name, that docker-compose will give the database volume. To mitigate this, either -- Keep the original directory name -- Move the directory and set `COMPOSE_PROJECT_NAME` to the name of the old directory (see [here](https://docs.docker.com/compose/reference/envvars/#compose_project_name)) -- Create a backup, rename the directory and restore from backup. -::: + +- Keep the original directory name +- Move the directory and set `COMPOSE_PROJECT_NAME` to the name of the old directory (see [here](https://docs.docker.com/compose/reference/envvars/#compose_project_name)) +- Create a backup, rename the directory and restore from backup. + ::: The only manual change you have to do is replace the `PASSBOOK_` prefix in your `.env` file, so `PASSBOOK_SECRET_KEY` gets changed to `AUTHENTIK_SECRET_KEY`. @@ -73,10 +74,10 @@ helm upgrade authentik authentik/authentik --devel -f values.yaml ## Post-upgrade notes -- Some default values change, for example the SAML Provider's default issuer. +- Some default values change, for example the SAML Provider's default issuer. This only makes a difference for newly created providers. -- Expression Policies variables change +- Expression Policies variables change Anything prefixed with `pb_` changes to `ak_`, this change is done **automatically** diff --git a/website/docs/releases/v0.14.md b/website/docs/releases/v0.14.md index 2e3d1248d..61b939ada 100644 --- a/website/docs/releases/v0.14.md +++ b/website/docs/releases/v0.14.md 
@@ -5,45 +5,45 @@ slug: "0.14" ## Headline features -- Flows are now graphically shown as diagrams, to visualise which stages and policies are bound. +- Flows are now graphically shown as diagrams, to visualise which stages and policies are bound. This diagram makes it significantly easier to understand how a flow works, as well as helping you design a flow that does exactly what you need. -- Events now have a more general purpose, rather than just logging audit actions. +- Events now have a more general purpose, rather than just logging audit actions. The following new events are now logged: - - Policy Execution (Has to be enabled on a per-policy basis) - - Policy Exceptions - - Property Mapping Exceptions - - Configuration Errors (currently these events are created by incorrectly configured providers, but will be used further in the future.) - - Update availability + - Policy Execution (Has to be enabled on a per-policy basis) + - Policy Exceptions + - Property Mapping Exceptions + - Configuration Errors (currently these events are created by incorrectly configured providers, but will be used further in the future.) + - Update availability -- The OAuth2 Provider has been updated to closer match the OpenID Connect Specifications +- The OAuth2 Provider has been updated to closer match the OpenID Connect Specifications Response type no longer has to be configured manually. The issuer field can be configured now (the default behaviour is the same as pre-0.14) Authorization Codes are now generated as a JWT Token, which is not specified as spec, but seems to be a quasi-standard. 
-- SAML Providers can now be created from SAML Metadata -- The authentik proxy is now using the currently latest version of oauth2_proxy (6.1.1) -- The license has been changed to GNU/GPL 3.0 +- SAML Providers can now be created from SAML Metadata +- The authentik proxy is now using the currently latest version of oauth2_proxy (6.1.1) +- The license has been changed to GNU/GPL 3.0 ## Fixes -- admin: fix policy test button in dark theme -- core: fix anonymous user being included in User API -- core: fix token update/delete not working -- core: fix User's token creation not working -- core: make application's provider not required -- core: show multi-select notice for SelectMultiple Widgets -- outposts: allow blank kubeconfig -- outposts: validate kubeconfig before saving -- proxy: update to latest stable oauth2_proxy version -- root: update license -- web: fix sidebar being overlaid over modal backdrop -- web: fix table styling on mobile -- web: use displyname in sidebar for user +- admin: fix policy test button in dark theme +- core: fix anonymous user being included in User API +- core: fix token update/delete not working +- core: fix User's token creation not working +- core: make application's provider not required +- core: show multi-select notice for SelectMultiple Widgets +- outposts: allow blank kubeconfig +- outposts: validate kubeconfig before saving +- proxy: update to latest stable oauth2_proxy version +- root: update license +- web: fix sidebar being overlaid over modal backdrop +- web: fix table styling on mobile +- web: use displyname in sidebar for user ## Upgrading diff --git a/website/docs/releases/v0.9.md b/website/docs/releases/v0.9.md index 886fb839e..7fd95e93d 100644 --- a/website/docs/releases/v0.9.md +++ b/website/docs/releases/v0.9.md 
@@ -7,14 +7,14 @@ Due to some database changes that had to be rather sooner than later, there is n To export data from your old instance, run this command: -- docker-compose +- docker-compose ``` docker-compose exec server ./manage.py dumpdata -o /tmp/authentik_dump.json authentik_core.User authentik_core.Group authentik_crypto.CertificateKeyPair authentik_audit.Event otp_totp.totpdevice otp_static.staticdevice otp_static.statictoken docker cp authentik_server_1:/tmp/authentik_dump.json authentik_dump.json ``` -- kubernetes +- kubernetes ``` kubectl exec -it authentik-web-... -- ./manage.py dumpdata -o /tmp/authentik_dump.json authentik_core.User authentik_core.Group authentik_crypto.CertificateKeyPair authentik_audit.Event otp_totp.totpdevice otp_static.staticdevice otp_static.statictoken @@ -23,14 +23,14 @@ kubectl cp authentik-web-...:/tmp/authentik_dump.json authentik_dump.json After that, create a new authentik instance in a different namespace (kubernetes) or in a different folder (docker-compose). Once this instance is running, you can use the following commands to restore the data. On docker-compose, you still have to run the `migrate` command, to create all database structures. -- docker-compose +- docker-compose ``` docker cp authentik_dump.json new_authentik_server_1:/tmp/authentik_dump.json docker-compose exec server ./manage.py loaddata /tmp/authentik_dump.json ``` -- kubernetes +- kubernetes ``` kubectl cp authentik_dump.json authentik-web-...:/tmp/authentik_dump.json diff --git a/website/docs/releases/v2021.1.md b/website/docs/releases/v2021.1.md index f9ad78941..455ca2b06 100644 --- a/website/docs/releases/v2021.1.md +++ b/website/docs/releases/v2021.1.md 
@@ -5,14 +5,14 @@ slug: "2021.1" ## Headline Changes -- New versioning schema (year.month.release) -- Add global email settings +- New versioning schema (year.month.release) +- Add global email settings In previous versions, you had to configure email connection details per [Email Stage](../flow/stages/email/). Now, you can (and should) configure global settings. This is documented under the [docker-compose](../installation/docker-compose.md) and [Kubernetes](../installation/kubernetes.md) sections. -- New notification system +- New notification system More info can be found under [Notifications](../events/notifications.md) and [Transports](../events/transports.md). 
@@ -22,37 +22,37 @@ slug: "2021.1" ## Fixes -- events: create event when system task fails -- helm: fix old reference to static secret_key -- helm: fix s3 secret key and email password not being base64 encoded -- policies: fix logic error for sync mode -- stages/email: fix email task not falling back to use_global_settings +- events: create event when system task fails +- helm: fix old reference to static secret_key +- helm: fix s3 secret key and email password not being base64 encoded +- policies: fix logic error for sync mode +- stages/email: fix email task not falling back to use_global_settings ### Fixed in 2021.1.2 -- sources/*: Add source to flow context, so source is logged during login -- outposts: Fix outpost not correctly updating on outpost modification -- outposts: Improve drift detection on kubernetes -- providers/saml: Fix metadata not being signed when signature is enabled -- policies: Improve error handling, ensure original stacktrace is preserved +- sources/\*: Add source to flow context, so source is logged during login +- outposts: Fix outpost not correctly updating on outpost modification +- outposts: Improve drift detection on kubernetes +- providers/saml: Fix metadata not being signed when signature is enabled +- policies: Improve error handling, ensure original stacktrace is preserved ### Fixed in 2021.1.3 -- admin: handle FlowNonApplicableException during flow plan -- flows: fix FlowNonApplicableException not being Sentry Ignored -- lifecycle: fix typo causing single process in docker-compose +- admin: handle FlowNonApplicableException during flow plan +- flows: fix FlowNonApplicableException not being Sentry Ignored +- lifecycle: fix typo causing single process in docker-compose ### Fixed in 2021.1.4 -- admin: fix providers not showing SAML Import on empty state -- core: only cache Applications API when no filtering is done -- events: fix email template for notifications -- lib: fix ak_is_group_member checking wrong groups -- 
providers/saml: add support for WindowsDomainQualifiedName, add docs for NameID -- providers/saml: import SAML Provider with all autogenerated mappings -- providers/saml: make NameID configurable using a Property Mapping -- providers/saml: update default OIDs for default property mappings -- web: fix site-shell being cut off when not full height +- admin: fix providers not showing SAML Import on empty state +- core: only cache Applications API when no filtering is done +- events: fix email template for notifications +- lib: fix ak_is_group_member checking wrong groups +- providers/saml: add support for WindowsDomainQualifiedName, add docs for NameID +- providers/saml: import SAML Provider with all autogenerated mappings +- providers/saml: make NameID configurable using a Property Mapping +- providers/saml: update default OIDs for default property mappings +- web: fix site-shell being cut off when not full height ## Upgrading diff --git a/website/docs/releases/v2021.10.md b/website/docs/releases/v2021.10.md index 57002eecc..e1ffedd0a 100644 --- a/website/docs/releases/v2021.10.md +++ b/website/docs/releases/v2021.10.md 
@@ -5,219 +5,219 @@ slug: "2021.10" ## Headline Changes -- Flow Inspector +- Flow Inspector - To better understand how a flow works, and why things might not be working as intended, you can now launch Flows with an inspector enabled. This is simply triggered by adding a `?inspector` to the URL. Currently, only superuser have the permission to access the Inspector. + To better understand how a flow works, and why things might not be working as intended, you can now launch Flows with an inspector enabled. This is simply triggered by adding a `?inspector` to the URL. Currently, only superuser have the permission to access the Inspector. - The inspector shows the current stage, previous stages, next planned stages, and the current flow context. + The inspector shows the current stage, previous stages, next planned stages, and the current flow context. -- SMS Authenticator +- SMS Authenticator - You can now use SMS-based TOTP authenticators. This new Stage supports both Twilio, and a generic API endpoint, if using another provider. This stage does not have to be used for authentication, it can simply be used during enrollment to verify your users phone numbers. + You can now use SMS-based TOTP authenticators. This new Stage supports both Twilio, and a generic API endpoint, if using another provider. This stage does not have to be used for authentication, it can simply be used during enrollment to verify your users phone numbers. -- Sign in with Apple +- Sign in with Apple - It is now possible to add an Apple OAuth Source, to allow your users to authenticate with their Apple ID. + It is now possible to add an Apple OAuth Source, to allow your users to authenticate with their Apple ID. A huge shoutout to all the people that contributed, helped test and also translated authentik. This is the first release that has as full French translation! 
## Minor changes -- *: Squash Migrations (#1593) -- admin: clear update notification when notification's version matches current version -- cmd: prevent outposts from panicking when failing to get their config -- core: add default for user's settings attribute -- core: add settings serializer to user/me and update_self endpoints, saved in a key in attributes -- core: improve detection for s3 settings to trigger backup -- core: include group uuids in self serializer -- core: make user's name field fully optional -- flows: inspector (#1469) -- internal: add internal healthchecking to prevent websocket errors -- internal/proxyv2: improve error handling when configuring app -- lifecycle: bump celery healthcheck to 5s timeout -- lifecycle: only lock database when system migrations need to be applied, and during django migrations, and don't double unlock -- lifecycle: only set prometheus_multiproc_dir in ak wrapper to prevent full disk on worker -- managed: don't run managed reconciler in foreground on startup -- outpost/proxy: fix missing negation for internal host ssl verification -- outposts: add additional error checking for docker controller -- outposts: Adding more flexibility to outposts in Kubernetes. (#1617) -- outposts: allow disabling of docker controller port mapping -- outposts: check ports of deployment in kubernetes outpost controller -- outposts: don't always build permissions on outpost.user access, only in signals and tasks -- outposts: fallback to known-good outpost image if configured image cannot be pulled -- outposts: fix error when comparing ports in docker controller when port mapping is disabled -- outposts: handle k8s 422 response code by recreating objects -- outposts: rename docker_image_base to container_image_base, since its not docker specific -- outposts/ldap: Support hard coded `uidNumber` and `gidNumber`. 
(#1582) -- outposts/proxy: add new headers with unified naming -- outposts/proxy: fix duplicate protocol in domain auth mode -- outposts/proxy: show full error message when user is authenticated -- policies: add additional filters to create flow charts on frontend -- policies/password: add extra sub_text field in tests -- providers/ldap: use RDN when using posixGroup's memberUid attribute (#1514) -- providers/proxy: always check ingress secret in kubernetes controller -- providers/proxy: update ingress controller to work with k8s 1.22 -- recovery: handle error when user doesn't exist -- root: add docker-native healthcheck for web and celery -- root: add translation for backend strings -- root: coverage with toml support -- root: fix error with sentry proxy -- root: migrate docker images to netlify proxy (#1603) -- root: remove redundant internal network from compose -- root: remove structlog.processors.format_exc_info for new structlog version -- root: Use fully qualified names for docker bases base images. 
(#1490) -- sources/ldap: add support for Active Directory `userAccountControl` attribute -- sources/ldap: don't sync ldap source when no property mappings are set -- sources/ldap: fix logic error in Active Directory account disabled status -- sources/oauth: add Sign in with Apple (#1635) -- stages/authenticator_sms: add generic provider (#1595) -- stages/authenticator_sms: Add SMS Authenticator Stage (#1577) -- stages/authenticator_validate: create a default authenticator validate stage with sensible defaults -- stages/email: add activate_user_on_success flag, add for all example flows -- stages/prompt: add sub_text field to add HTML below prompt fields -- stages/prompt: fix sub_text not allowing blank -- stages/prompt: fix wrong field type of field_key -- stages/user_login: add check for user.is_active and tests -- stages/user_write: allow recursive writing to user.attributes -- web: add locale detection -- web: ensure fallback locale is loaded -- web: fix rendering of token copy button in dark mode -- web: fix strings not being translated at all when matching browser locale not found -- web: make table pagination size user-configurable -- web: new default flow background -- web: Translate /web/src/locales/en.po in fr_FR (#1506) -- web/admin: add fallback font for doughnut charts -- web/admin: default to warning state for backup task -- web/admin: don't require username nor name for activate/deactivate toggles -- web/admin: fix description for flow import -- web/admin: fix LDAP Source form not exposing syncParentGroup -- web/admin: fix search group label -- web/admin: fix SMS Authenticator stage not loading state correctly -- web/admin: improve visibility of oauth rsa key -- web/admin: only show outpost deployment info when not embedded -- web/admin: truncate prompt label when too long -- web/elements: fix initialLoad not being done when viewportCheck was disabled -- web/elements: fix model form always loading when viewport check is disabled -- web/elements: use 
dedicated button for search clear instead of webkit exclusive one -- web/flows: adjust message for email stage -- web/user: don't show managed tokens in user interface -- web/user: initial optimisation for smaller screens -- web/user: load interface settings from user settings +- \*: Squash Migrations (#1593) +- admin: clear update notification when notification's version matches current version +- cmd: prevent outposts from panicking when failing to get their config +- core: add default for user's settings attribute +- core: add settings serializer to user/me and update_self endpoints, saved in a key in attributes +- core: improve detection for s3 settings to trigger backup +- core: include group uuids in self serializer +- core: make user's name field fully optional +- flows: inspector (#1469) +- internal: add internal healthchecking to prevent websocket errors +- internal/proxyv2: improve error handling when configuring app +- lifecycle: bump celery healthcheck to 5s timeout +- lifecycle: only lock database when system migrations need to be applied, and during django migrations, and don't double unlock +- lifecycle: only set prometheus_multiproc_dir in ak wrapper to prevent full disk on worker +- managed: don't run managed reconciler in foreground on startup +- outpost/proxy: fix missing negation for internal host ssl verification +- outposts: add additional error checking for docker controller +- outposts: Adding more flexibility to outposts in Kubernetes. 
(#1617) +- outposts: allow disabling of docker controller port mapping +- outposts: check ports of deployment in kubernetes outpost controller +- outposts: don't always build permissions on outpost.user access, only in signals and tasks +- outposts: fallback to known-good outpost image if configured image cannot be pulled +- outposts: fix error when comparing ports in docker controller when port mapping is disabled +- outposts: handle k8s 422 response code by recreating objects +- outposts: rename docker_image_base to container_image_base, since its not docker specific +- outposts/ldap: Support hard coded `uidNumber` and `gidNumber`. (#1582) +- outposts/proxy: add new headers with unified naming +- outposts/proxy: fix duplicate protocol in domain auth mode +- outposts/proxy: show full error message when user is authenticated +- policies: add additional filters to create flow charts on frontend +- policies/password: add extra sub_text field in tests +- providers/ldap: use RDN when using posixGroup's memberUid attribute (#1514) +- providers/proxy: always check ingress secret in kubernetes controller +- providers/proxy: update ingress controller to work with k8s 1.22 +- recovery: handle error when user doesn't exist +- root: add docker-native healthcheck for web and celery +- root: add translation for backend strings +- root: coverage with toml support +- root: fix error with sentry proxy +- root: migrate docker images to netlify proxy (#1603) +- root: remove redundant internal network from compose +- root: remove structlog.processors.format_exc_info for new structlog version +- root: Use fully qualified names for docker bases base images. 
(#1490) +- sources/ldap: add support for Active Directory `userAccountControl` attribute +- sources/ldap: don't sync ldap source when no property mappings are set +- sources/ldap: fix logic error in Active Directory account disabled status +- sources/oauth: add Sign in with Apple (#1635) +- stages/authenticator_sms: add generic provider (#1595) +- stages/authenticator_sms: Add SMS Authenticator Stage (#1577) +- stages/authenticator_validate: create a default authenticator validate stage with sensible defaults +- stages/email: add activate_user_on_success flag, add for all example flows +- stages/prompt: add sub_text field to add HTML below prompt fields +- stages/prompt: fix sub_text not allowing blank +- stages/prompt: fix wrong field type of field_key +- stages/user_login: add check for user.is_active and tests +- stages/user_write: allow recursive writing to user.attributes +- web: add locale detection +- web: ensure fallback locale is loaded +- web: fix rendering of token copy button in dark mode +- web: fix strings not being translated at all when matching browser locale not found +- web: make table pagination size user-configurable +- web: new default flow background +- web: Translate /web/src/locales/en.po in fr_FR (#1506) +- web/admin: add fallback font for doughnut charts +- web/admin: default to warning state for backup task +- web/admin: don't require username nor name for activate/deactivate toggles +- web/admin: fix description for flow import +- web/admin: fix LDAP Source form not exposing syncParentGroup +- web/admin: fix search group label +- web/admin: fix SMS Authenticator stage not loading state correctly +- web/admin: improve visibility of oauth rsa key +- web/admin: only show outpost deployment info when not embedded +- web/admin: truncate prompt label when too long +- web/elements: fix initialLoad not being done when viewportCheck was disabled +- web/elements: fix model form always loading when viewport check is disabled +- web/elements: use 
dedicated button for search clear instead of webkit exclusive one +- web/flows: adjust message for email stage +- web/user: don't show managed tokens in user interface +- web/user: initial optimisation for smaller screens +- web/user: load interface settings from user settings ## Fixed in 2021.10.1-rc2 -- core: add user flag to prevent users from changing their usernames -- core: log user for http requests -- flows: clear cache when deleting bindings -- outpost/ldap: fix logging for mismatched provider -- root: add cookie domain setting -- sources/oauth: add choices to oauth provider_type -- web: disable Sentry.showReportDialog -- web/flows: showing of authentik logo in flow executor -- web/flows: fix authenticator device selection not updating -- web/flows: show cancel link when choosing authenticator challenge +- core: add user flag to prevent users from changing their usernames +- core: log user for http requests +- flows: clear cache when deleting bindings +- outpost/ldap: fix logging for mismatched provider +- root: add cookie domain setting +- sources/oauth: add choices to oauth provider_type +- web: disable Sentry.showReportDialog +- web/flows: showing of authentik logo in flow executor +- web/flows: fix authenticator device selection not updating +- web/flows: show cancel link when choosing authenticator challenge ## Fixed in 2021.10.1-rc3 -- api: fix error when connection to websocket via secret_key -- core: add toggle to completely disable backup mechanism -- core: add USER_ATTRIBUTE_CHANGE_EMAIL -- events: fix error when notification transport doesn't exist anymore -- outposts: fix docker controller not using object_naming_template -- providers/oauth2: fallback to uid if UPN was selected but isn't available -- providers/oauth2: fix events being created from /application/o/authorize/ -- sources/ldap: prevent key `users` from being set as this is an M2M relation -- sources/ldap: skip values which are of type bytes +- api: fix error when connection to 
websocket via secret_key +- core: add toggle to completely disable backup mechanism +- core: add USER_ATTRIBUTE_CHANGE_EMAIL +- events: fix error when notification transport doesn't exist anymore +- outposts: fix docker controller not using object_naming_template +- providers/oauth2: fallback to uid if UPN was selected but isn't available +- providers/oauth2: fix events being created from /application/o/authorize/ +- sources/ldap: prevent key `users` from being set as this is an M2M relation +- sources/ldap: skip values which are of type bytes ## Fixed in 2021.10.1 -- core: add API for all user-source connections -- core: add API to list all authenticator devices -- core: add created field to source connection -- flows: optimise stage user_settings API -- outposts: separate websocket re-connection logic to decrease requests on reconnect -- root: pin node images to v16 -- root: update golang ldap server package -- web/user: fix wrong device being selected in user's mfa update form -- web/user: rework MFA Device UI to support multiple devices -- web/user: update form to update mfa devices +- core: add API for all user-source connections +- core: add API to list all authenticator devices +- core: add created field to source connection +- flows: optimise stage user_settings API +- outposts: separate websocket re-connection logic to decrease requests on reconnect +- root: pin node images to v16 +- root: update golang ldap server package +- web/user: fix wrong device being selected in user's mfa update form +- web/user: rework MFA Device UI to support multiple devices +- web/user: update form to update mfa devices ## Fixed in 2021.10.2 -- api: replace django sentry proxy with go proxy to prevent login issues -- providers/proxy: allow configuring of additional scope mappings for proxy -- providers/saml: fix error on missing AssertionConsumerServiceURL, fall back to default ACS -- root: fix Detection of S3 settings for backups -- root: fix postgres install on bullseye -- 
root: update base images for outposts -- root: update to buster -- stages/identification: add show_source_labels option, to show labels for sources -- stages/invitation: don't throw 404 error in stage -- stages/invitation: remove invitation from plan context after deletion -- stages/prompt: fix type in Prompt not having enum set -- web/flows: fix invalid validation for static tokens -- web/flows: fix sub_text not rendering for static fields -- web/user: fix configureUrl not being passed to `` +- api: replace django sentry proxy with go proxy to prevent login issues +- providers/proxy: allow configuring of additional scope mappings for proxy +- providers/saml: fix error on missing AssertionConsumerServiceURL, fall back to default ACS +- root: fix Detection of S3 settings for backups +- root: fix postgres install on bullseye +- root: update base images for outposts +- root: update to buster +- stages/identification: add show_source_labels option, to show labels for sources +- stages/invitation: don't throw 404 error in stage +- stages/invitation: remove invitation from plan context after deletion +- stages/prompt: fix type in Prompt not having enum set +- web/flows: fix invalid validation for static tokens +- web/flows: fix sub_text not rendering for static fields +- web/user: fix configureUrl not being passed to `` ## Fixed in 2021.10.3 -- admin: improve check to remove version notifications -- cmd/server: improve cleanup on shutdown -- core: add command to output full config -- core: fix auth_method for tokens -- core: include parent group name -- core: make group membership lookup respect parent groups (upwards) -- events: ignore creation/deletion of AuthenticatedSession objects -- internal: start embedded outpost directly after backend is healthy instead of waiting -- lifecycle: revert to non-h11 worker -- outpost/ldap: don't cleanup user info as it is overwritten on bind -- providers/*: include list of outposts -- providers/ldap: add/squash migrations -- 
providers/ldap: memory Query (#1681) -- recovery: add create_admin_group management command -- root: fix defaults for EMAIL_USE_TLS -- root: improve compose detection, add anonymous stats -- root: keep last 30 backups -- sources/ldap: remove deprecated default -- sources/oauth: set prompt=none for Discord provider -- sources/plex: allow users to connect their plex account without login flow -- sources/plex: use exception_to_string in tasks -- stages/authenticator_*: add default name for authenticators -- stages/identification: only allow limited challenges for login sources -- stages/identification: use random sleep -- stages/prompt: add text_read_only field -- stages/prompt: default prompts to the current value of the context -- stages/prompt: only set placeholder when in context -- stages/prompt: set field placeholder based on plan context -- stages/prompt: use initial instead of default -- web: fix linting errors by adding a wrapper for next param -- web/admin: only show flows with an invitation stage configured instead of all enrollment flows -- web/admin: show warning on invitation list when no stage exists or is bound -- web/admin: show warning on provider when not used with outpost -- web/flows: fix authenticator_validate not allowing alphanumeric codes due to empty pattern -- web/flows: improve display of static tokens -- web/user: fix ak-user-settings-password getting wrong configureUrl -- web/user: fix device type for static tokens -- web/user: fix empty page when no sources to connect exist -- web/user: fix redirect after starting configuration flow from user interface +- admin: improve check to remove version notifications +- cmd/server: improve cleanup on shutdown +- core: add command to output full config +- core: fix auth_method for tokens +- core: include parent group name +- core: make group membership lookup respect parent groups (upwards) +- events: ignore creation/deletion of AuthenticatedSession objects +- internal: start embedded outpost 
directly after backend is healthy instead of waiting +- lifecycle: revert to non-h11 worker +- outpost/ldap: don't cleanup user info as it is overwritten on bind +- providers/\*: include list of outposts +- providers/ldap: add/squash migrations +- providers/ldap: memory Query (#1681) +- recovery: add create_admin_group management command +- root: fix defaults for EMAIL_USE_TLS +- root: improve compose detection, add anonymous stats +- root: keep last 30 backups +- sources/ldap: remove deprecated default +- sources/oauth: set prompt=none for Discord provider +- sources/plex: allow users to connect their plex account without login flow +- sources/plex: use exception_to_string in tasks +- stages/authenticator\_\*: add default name for authenticators +- stages/identification: only allow limited challenges for login sources +- stages/identification: use random sleep +- stages/prompt: add text_read_only field +- stages/prompt: default prompts to the current value of the context +- stages/prompt: only set placeholder when in context +- stages/prompt: set field placeholder based on plan context +- stages/prompt: use initial instead of default +- web: fix linting errors by adding a wrapper for next param +- web/admin: only show flows with an invitation stage configured instead of all enrollment flows +- web/admin: show warning on invitation list when no stage exists or is bound +- web/admin: show warning on provider when not used with outpost +- web/flows: fix authenticator_validate not allowing alphanumeric codes due to empty pattern +- web/flows: improve display of static tokens +- web/user: fix ak-user-settings-password getting wrong configureUrl +- web/user: fix device type for static tokens +- web/user: fix empty page when no sources to connect exist +- web/user: fix redirect after starting configuration flow from user interface ## Fixed in 2021.10.4 -- core: force lowercase emails for gravatar usage -- outposts: fix MFA Challenges not working with outpost -- 
outposts/ldap: fix logic error in cached ldap searcher -- outposts/proxy: fix static files not being served in proxy mode -- providers/proxy: return list of configured scope names so outpost requests custom scopes -- root: use python slim-bullseye as base -- sources/ldap: fix user/group sync overwriting attributes instead of merging them -- sources/ldap: set connect/receive timeout (default to 15s) -- stages/*: disable trim_whitespace on important fields -- stages/authenticator_duo: fix devices created with name -- stages/authenticator_validate: enable all device classes by default -- web: write interfaces to different folders and remove custom chunk names -- web/admin: fix display issues with flow execute buttons -- web/admin: show warnings above tab bar -- web/admin: use more natural default ordering for objects +- core: force lowercase emails for gravatar usage +- outposts: fix MFA Challenges not working with outpost +- outposts/ldap: fix logic error in cached ldap searcher +- outposts/proxy: fix static files not being served in proxy mode +- providers/proxy: return list of configured scope names so outpost requests custom scopes +- root: use python slim-bullseye as base +- sources/ldap: fix user/group sync overwriting attributes instead of merging them +- sources/ldap: set connect/receive timeout (default to 15s) +- stages/\*: disable trim_whitespace on important fields +- stages/authenticator_duo: fix devices created with name +- stages/authenticator_validate: enable all device classes by default +- web: write interfaces to different folders and remove custom chunk names +- web/admin: fix display issues with flow execute buttons +- web/admin: show warnings above tab bar +- web/admin: use more natural default ordering for objects ## Upgrading @@ -233,6 +233,6 @@ Update your values to use the new images: ```yaml image: - repository: ghcr.io/goauthentik/server - tag: 2021.10.1 + repository: ghcr.io/goauthentik/server + tag: 2021.10.1 ``` 
diff --git a/website/docs/releases/v2021.12.md b/website/docs/releases/v2021.12.md
index 138f0cbb6..aa6105f64 100644
--- a/website/docs/releases/v2021.12.md
+++ b/website/docs/releases/v2021.12.md
@@ -9,252 +9,252 @@ This release does not have any headline features, and mostly fixes bugs. ## Breaking changes -- stages/prompt: Before 2021.12, any policy was required to pass for the result to be considered valid. This has been changed, and now all policies are required to be valid. +- stages/prompt: Before 2021.12, any policy was required to pass for the result to be considered valid. This has been changed, and now all policies are required to be valid. ## Minor changes -- core: make defaults for _change_email and _change_username configurable -- core: remove dump_config, handle directly in config loader without booting django, don't check database -- events: add gdpr_compliance option -- internal: fix integrated docs not working -- internal: use runserver when debug for code reload -- lib: add cli option for lib.config -- lib: add improved log to sentry events being sent -- lib: fix custom URL schemes being overwritten -- lib: load json strings in config env variables -- lib: log error for file:// in config -- lifecycle: allow custom worker count in k8s -- lifecycle: improve backup restore by dropping database before -- lifecycle: improve redis connection debug py printing full URL -- outpost: configure error reporting based off of main instance config -- outposts: don't panic when listening for metrics fails -- outposts: reload on signal USR1, fix display of reload offset -- outposts/ldap: copy boundUsers map when running refresh instead of using blank map -- outposts/ldap: fix panic when attempting to update without locked users mutex -- outposts/proxy: continue compiling additional regexes even when one fails -- outposts/proxy: show better error when hostname isn't configured -- outposts/proxy: use disableIndex for static files -- policies/expression: fix ak_user_has_authenticator evaluation when not specifying optional device_type (#1849) -- providers/saml: fix SessionNotOnOrAfter not being included -- root: add lifespan shim to prevent errors -- root: 
fix settings for managed not loaded -- root: make sentry sample rate configurable -- stages/authenticator_validate: catch error when attempting to configure user without flow -- stages/email: fix missing component in response when retrying email send -- stages/email: minify email css template -- stages/email: prevent error with duplicate token -- web: improve dark theme for vertical tabs -- web: only show applications with http link -- web/admin: allow flow edit on flow view page -- web/admin: fix actions column on ip reputation page -- web/admin: fix Forms with file uploads not handling errors correctly -- web/admin: make object view pages more consistent -- web/admin: make user clickable for bound policies list -- web/admin: redesign provider pages to provide more info -- web/admin: show changelog on user info page -- web/admin: unify rendering and sorting of user lists -- web/elements: add new API to store attributes in URL, use for table and tabs -- web/elements: allow app.model names for ak-object-changelog -- web/elements: allow multiple tabs with different state -- web/flows: fix spinner during webauthn not centred -- web/flows: update default background -- web/user: fix filtering for applications based on launchURL -- web/user: fix height issues on user interface +- core: make defaults for \_change_email and \_change_username configurable +- core: remove dump_config, handle directly in config loader without booting django, don't check database +- events: add gdpr_compliance option +- internal: fix integrated docs not working +- internal: use runserver when debug for code reload +- lib: add cli option for lib.config +- lib: add improved log to sentry events being sent +- lib: fix custom URL schemes being overwritten +- lib: load json strings in config env variables +- lib: log error for file:// in config +- lifecycle: allow custom worker count in k8s +- lifecycle: improve backup restore by dropping database before +- lifecycle: improve redis connection debug 
py printing full URL +- outpost: configure error reporting based off of main instance config +- outposts: don't panic when listening for metrics fails +- outposts: reload on signal USR1, fix display of reload offset +- outposts/ldap: copy boundUsers map when running refresh instead of using blank map +- outposts/ldap: fix panic when attempting to update without locked users mutex +- outposts/proxy: continue compiling additional regexes even when one fails +- outposts/proxy: show better error when hostname isn't configured +- outposts/proxy: use disableIndex for static files +- policies/expression: fix ak_user_has_authenticator evaluation when not specifying optional device_type (#1849) +- providers/saml: fix SessionNotOnOrAfter not being included +- root: add lifespan shim to prevent errors +- root: fix settings for managed not loaded +- root: make sentry sample rate configurable +- stages/authenticator_validate: catch error when attempting to configure user without flow +- stages/email: fix missing component in response when retrying email send +- stages/email: minify email css template +- stages/email: prevent error with duplicate token +- web: improve dark theme for vertical tabs +- web: only show applications with http link +- web/admin: allow flow edit on flow view page +- web/admin: fix actions column on ip reputation page +- web/admin: fix Forms with file uploads not handling errors correctly +- web/admin: make object view pages more consistent +- web/admin: make user clickable for bound policies list +- web/admin: redesign provider pages to provide more info +- web/admin: show changelog on user info page +- web/admin: unify rendering and sorting of user lists +- web/elements: add new API to store attributes in URL, use for table and tabs +- web/elements: allow app.model names for ak-object-changelog +- web/elements: allow multiple tabs with different state +- web/flows: fix spinner during webauthn not centred +- web/flows: update default background +- 
web/user: fix filtering for applications based on launchURL +- web/user: fix height issues on user interface ## Fixed in 2021.12.1-rc2 -- *: don't use go embed to make using custom files easier -- crypto: add certificate discovery to automatically import certificates from lets encrypt -- crypto: fix default API not having an ordering -- outposts: always trigger outpost reconcile on startup -- outposts/ldap: Rework/improve LDAP search logic. (#1687) -- outposts/proxy: make logging fields more consistent -- outposts/proxy: re-add rs256 support -- providers/proxy: fix defaults for traefik integration -- providers/proxy: use wildcard for traefik headers copy -- providers/saml: fix error when using post bindings and user freshly logged in -- providers/saml: fix IndexError in signature check -- sources/ldap: add optional tls verification certificate -- sources/ldap: allow multiple server URIs for loadbalancing and failover -- sources/ldap: don't cache LDAP Connection, use random server -- sources/ldap: handle typeerror during creation of objects when using wrong keyword params -- sources/plex: fix plex token being included in event log -- stages/prompt: fix error when both default and required are set -- web/admin: add spinner to table refresh button to show progress -- web/admin: don't show disabled http basic as red -- web/admin: fix wrong description for reputation policy -- web/flows: fix linting errors -- web/flows: Revise duo authenticator login prompt text (#1872) +- \*: don't use go embed to make using custom files easier +- crypto: add certificate discovery to automatically import certificates from lets encrypt +- crypto: fix default API not having an ordering +- outposts: always trigger outpost reconcile on startup +- outposts/ldap: Rework/improve LDAP search logic. 
(#1687) +- outposts/proxy: make logging fields more consistent +- outposts/proxy: re-add rs256 support +- providers/proxy: fix defaults for traefik integration +- providers/proxy: use wildcard for traefik headers copy +- providers/saml: fix error when using post bindings and user freshly logged in +- providers/saml: fix IndexError in signature check +- sources/ldap: add optional tls verification certificate +- sources/ldap: allow multiple server URIs for loadbalancing and failover +- sources/ldap: don't cache LDAP Connection, use random server +- sources/ldap: handle typeerror during creation of objects when using wrong keyword params +- sources/plex: fix plex token being included in event log +- stages/prompt: fix error when both default and required are set +- web/admin: add spinner to table refresh button to show progress +- web/admin: don't show disabled http basic as red +- web/admin: fix wrong description for reputation policy +- web/flows: fix linting errors +- web/flows: Revise duo authenticator login prompt text (#1872) ## Fixed in 2021.12.1-rc3 -- core: add FlowToken which saves the pickled flow plan, replace standard token in email stage to allow finishing flows in different sessions -- core: fix missing permission check for group creating when creating service account -- outposts/ldap: Fix search case sensitivity. 
(#1897) -- policies/expression: add ak_call_policy -- providers/saml: add ?force_binding to limit bindings for metadata endpoint -- root: add request_id to celery tasks, prefixed with "task-" -- sources/*: Allow creation of source connections via API -- stages/prompt: use policyenginemode all -- tests/e2e: add post binding test -- web: fix duplicate classes, make generic icon clickable -- web: fix text colour for bad request on light mode -- web/admin: show outpost warning on application page too -- web/elements: close dropdown when refresh event is dispatched -- web/user: allow custom font-awesome icons for applications +- core: add FlowToken which saves the pickled flow plan, replace standard token in email stage to allow finishing flows in different sessions +- core: fix missing permission check for group creating when creating service account +- outposts/ldap: Fix search case sensitivity. (#1897) +- policies/expression: add ak_call_policy +- providers/saml: add ?force_binding to limit bindings for metadata endpoint +- root: add request_id to celery tasks, prefixed with "task-" +- sources/\*: Allow creation of source connections via API +- stages/prompt: use policyenginemode all +- tests/e2e: add post binding test +- web: fix duplicate classes, make generic icon clickable +- web: fix text colour for bad request on light mode +- web/admin: show outpost warning on application page too +- web/elements: close dropdown when refresh event is dispatched +- web/user: allow custom font-awesome icons for applications ## Fixed in 2021.12.1-rc4 -- core: fix error when using invalid key-values in attributes query -- flows: fix error in inspector view -- flows: fix error when trying to print FlowToken objects -- lib: correctly report "faked" IPs to sentry -- outposts: add additional checks for websocket connection -- outposts: cleanup logs for failed binds -- outposts: don't try to create docker client for embedded outpost -- outposts: fix docker controller not stopping 
containers -- outposts: fix unlabeled transaction -- outposts: handle RuntimeError during websocket connect -- outposts: rewrite re-connect logic without recws -- outposts: set display name for outpost service account -- outposts/ldap: fix searches with mixed casing -- outposts/proxy: use filesystem storage for non-embedded outposts -- policies: don't always clear application cache on post_save -- stagse/authenticator_webauthn: remove pydantic import -- web: fix borders of sidebars in dark mode +- core: fix error when using invalid key-values in attributes query +- flows: fix error in inspector view +- flows: fix error when trying to print FlowToken objects +- lib: correctly report "faked" IPs to sentry +- outposts: add additional checks for websocket connection +- outposts: cleanup logs for failed binds +- outposts: don't try to create docker client for embedded outpost +- outposts: fix docker controller not stopping containers +- outposts: fix unlabeled transaction +- outposts: handle RuntimeError during websocket connect +- outposts: rewrite re-connect logic without recws +- outposts: set display name for outpost service account +- outposts/ldap: fix searches with mixed casing +- outposts/proxy: use filesystem storage for non-embedded outposts +- policies: don't always clear application cache on post_save +- stagse/authenticator_webauthn: remove pydantic import +- web: fix borders of sidebars in dark mode ## Fixed in 2021.12.1-rc5 -- crypto: add additional validation before importing a certificate -- events: add flow_execution event type -- events: fix schema for top_per_user -- flows: fix wrong exception being caught in flow inspector -- outposts: reset backoff after successful connect -- outposts/proxy: fix securecookie: the value is too long again, since it can happen even with filesystem storage -- providers/oauth2: add additional logging to show with token path is taken -- providers/oauth2: use generate_key instead of uuid4 -- sources/ldap: fix incorrect 
task names being referenced, use source native slug -- sources/oauth: add initial okta type -- sources/oauth: allow oauth types to override their login button challenge -- sources/oauth: implement apple native sign-in using the apple JS SDK -- sources/oauth: strip parts of custom apple client_id -- stages/authenticator_webauthn: make user_verification configurable -- stages/identification: fix miscalculated sleep -- stages/invitation: use GroupMemberSerializer serializer to prevent all of the user's groups and their users from being returned -- web: add link to open API Browser for API Drawer -- web/admin: add dashboard with user creation/login statistics -- web/admin: fix invalid display for LDAP Source sync status -- web/admin: fix rendering for applications on view page -- web/admin: fix rendering of applications with custom icon -- web/admin: improve wording for froward_auth, don't show setup when using proxy mode -- web/admin: show warning when deleting currently logged in user -- web/admin: update overview page -- web/flows: fix error when attempting to enroll new webauthn device +- crypto: add additional validation before importing a certificate +- events: add flow_execution event type +- events: fix schema for top_per_user +- flows: fix wrong exception being caught in flow inspector +- outposts: reset backoff after successful connect +- outposts/proxy: fix securecookie: the value is too long again, since it can happen even with filesystem storage +- providers/oauth2: add additional logging to show with token path is taken +- providers/oauth2: use generate_key instead of uuid4 +- sources/ldap: fix incorrect task names being referenced, use source native slug +- sources/oauth: add initial okta type +- sources/oauth: allow oauth types to override their login button challenge +- sources/oauth: implement apple native sign-in using the apple JS SDK +- sources/oauth: strip parts of custom apple client_id +- stages/authenticator_webauthn: make user_verification 
configurable +- stages/identification: fix miscalculated sleep +- stages/invitation: use GroupMemberSerializer serializer to prevent all of the user's groups and their users from being returned +- web: add link to open API Browser for API Drawer +- web/admin: add dashboard with user creation/login statistics +- web/admin: fix invalid display for LDAP Source sync status +- web/admin: fix rendering for applications on view page +- web/admin: fix rendering of applications with custom icon +- web/admin: improve wording for froward_auth, don't show setup when using proxy mode +- web/admin: show warning when deleting currently logged in user +- web/admin: update overview page +- web/flows: fix error when attempting to enroll new webauthn device ## Fixed in 2021.12.1 -- core: fix error when attempting to provider from cached application -- events: improve app lookup for event creation -- internal: cleanup duplicate and redundant code, properly set sentry SDK scope settings -- lifecycle: add -Ofair to celery -- web/admin: add sidebar to applications -- web/admin: fix notification unread colours not matching on user and admin interface -- web/admin: fix stage related flows not being shown in a list -- web/elements: add Markdown component to improve rendering -- web/elements: add support for sidebar on table page -- web/elements: close notification drawer when clearing all notifications +- core: fix error when attempting to provider from cached application +- events: improve app lookup for event creation +- internal: cleanup duplicate and redundant code, properly set sentry SDK scope settings +- lifecycle: add -Ofair to celery +- web/admin: add sidebar to applications +- web/admin: fix notification unread colours not matching on user and admin interface +- web/admin: fix stage related flows not being shown in a list +- web/elements: add Markdown component to improve rendering +- web/elements: add support for sidebar on table page +- web/elements: close notification drawer 
when clearing all notifications ## Fixed in 2021.12.2 -- core: don't rotate non-api tokens -- crypto: fix private keys not being imported correctly -- outposts: release binary outposts (#1954) -- outposts/proxy: match skipPathRegex against full URL on domain auth -- policies/password: add minimum digits -- providers/oauth2: don't rely on expiry task for access codes and refresh tokens -- sources/oauth: allow writing to user in SourceConnection -- web: ignore instantSearchSDKJSBridgeClearHighlight error on edge on iOS -- web/admin: fix background colour for application sidebar -- web/elements: fix border between search buttons +- core: don't rotate non-api tokens +- crypto: fix private keys not being imported correctly +- outposts: release binary outposts (#1954) +- outposts/proxy: match skipPathRegex against full URL on domain auth +- policies/password: add minimum digits +- providers/oauth2: don't rely on expiry task for access codes and refresh tokens +- sources/oauth: allow writing to user in SourceConnection +- web: ignore instantSearchSDKJSBridgeClearHighlight error on edge on iOS +- web/admin: fix background colour for application sidebar +- web/elements: fix border between search buttons ## Fixed in 2021.12.3 -- *: revert to using GHCR directly -- core: fix error when getting launch URL for application with non-existent Provider -- internal: fix sentry sample rate not applying to proxy -- internal: rework global logging settings, embedded outpost no longer overwrites core -- outpost: re-run globalSetup when updating config, allowing for live log level changes -- outposts: handle/ignore http Abort handler -- outposts/ldap: fix log formatter and level not being set correctly -- outposts/proxy: add initial redirect-loop prevention -- outposts/proxy: fix allowlist for forward_auth and traefik -- outposts/proxy: fix ping URI not being routed -- outposts/proxy: fix session not expiring correctly due to miscalculation -- root: allow trace log level to work for 
core/embedded -- root: don't set secure cross opener policy -- root: drop redis cache sentry errors -- root: fix inconsistent URL quoting of redis URLs -- web/admin: add outpost type to list -- web/admin: auto set the embedded outpost's authentik_host on first view -- web/admin: don't auto-select certificate for LDAP source verification -- web/admin: fix border for outpost health status +- \*: revert to using GHCR directly +- core: fix error when getting launch URL for application with non-existent Provider +- internal: fix sentry sample rate not applying to proxy +- internal: rework global logging settings, embedded outpost no longer overwrites core +- outpost: re-run globalSetup when updating config, allowing for live log level changes +- outposts: handle/ignore http Abort handler +- outposts/ldap: fix log formatter and level not being set correctly +- outposts/proxy: add initial redirect-loop prevention +- outposts/proxy: fix allowlist for forward_auth and traefik +- outposts/proxy: fix ping URI not being routed +- outposts/proxy: fix session not expiring correctly due to miscalculation +- root: allow trace log level to work for core/embedded +- root: don't set secure cross opener policy +- root: drop redis cache sentry errors +- root: fix inconsistent URL quoting of redis URLs +- web/admin: add outpost type to list +- web/admin: auto set the embedded outpost's authentik_host on first view +- web/admin: don't auto-select certificate for LDAP source verification +- web/admin: fix border for outpost health status ## Fixed in 2021.12.4 -- crypto: improve handling for non-rsa private keys -- events: create test notification with event with data -- internal: add custom proxy certificates support to embedded outpost -- policies: fix application cache not being cleared correctly -- providers/oauth2: remove jwt_alg field and set algorithm based on selected keypair, select HS256 when no keypair is selected -- stages/authenticator_validate: add passwordless login -- 
stages/authenticator_validate: fix prompt not triggering when using in non-authentication context -- stages/authenticator_validate: refuse passwordless flow if flow is not for authentication -- tenants: add web certificate field, make authentik's core certificate configurable based on keypair -- web/admin: fix explore integration not opening in new tab -- web/elements: fix link from notification drawer not working in user interface -- web/user: fix user details not rendering when loading to a different user settings tab and then switching +- crypto: improve handling for non-rsa private keys +- events: create test notification with event with data +- internal: add custom proxy certificates support to embedded outpost +- policies: fix application cache not being cleared correctly +- providers/oauth2: remove jwt_alg field and set algorithm based on selected keypair, select HS256 when no keypair is selected +- stages/authenticator_validate: add passwordless login +- stages/authenticator_validate: fix prompt not triggering when using in non-authentication context +- stages/authenticator_validate: refuse passwordless flow if flow is not for authentication +- tenants: add web certificate field, make authentik's core certificate configurable based on keypair +- web/admin: fix explore integration not opening in new tab +- web/elements: fix link from notification drawer not working in user interface +- web/user: fix user details not rendering when loading to a different user settings tab and then switching ## Fixed in 2021.12.5 -- *: use py3.10 syntax for unions, remove old Type[] import when possible -- core: add API endpoint to directly set user's password -- core: add error handling in source flow manager when flow isn't applicable -- core: fix UserSelfSerializer's save() overwriting other user attributes -- core: prevent LDAP password being set for internal hash upgrades -- crypto: return private key's type (required for some oauth2 providers) -- flows: add test helpers 
to simplify and improve checking of stages, remove force_str -- flows: don't create EventAction.FLOW_EXECUTION -- flows: update default flow titles -- flows: use WithUserInfoChallenge for AccessDeniedChallenge -- lib: strip values for timedelta from string -- outposts: add remote docker integration via SSH -- outposts: fix outpost's sentry not sending release -- outposts: include outposts build hash in state -- outposts/proxy: add support for multiple states, when multiple requests are redirect at once -- outposts/proxy: fix error checking for type assertion -- policies/reputation: rework reputation to use a single entry, include geo_ip data -- sources/oauth: add additional scopes field to get additional data from provider -- sources/oauth: fix github provider not including correct base scopes -- stages/identification: add field for passwordless flow -- tenants: forbid creation of multiple default tenants -- web: add tr to locale -- web: remove page header colour, match user navbar to admin sidebar -- web/admin: add Admin in titlebar for admin interface -- web/admin: fix alignment in outpost list when expanding rows -- web/admin: fix display when groups/users don't fit on a single row -- web/admin: include key type in list -- web/admin: mark additional scopes as non-required -- web/admin: show flow title in list -- web/elements: fix alignment of chipgroup on modal add -- web/elements: fix spacing between chips in chip-group -- web/elements: re-enable codemirror line numbers (fixed on firefox) -- web/flows: add workaround for autofocus not working in password stage -- web/flows: fix duplicate loading spinners when using webauthn -- web/flows: fix helper form not being removed from identification stage (improve password manager compatibility) -- web/flows: include user in access denied stage -- web/flows: only add helper username input if using native shadow dom to prevent browser confusion -- web/user: add language selection -- web/user: rework user source 
connection UI +- \*: use py3.10 syntax for unions, remove old Type[] import when possible +- core: add API endpoint to directly set user's password +- core: add error handling in source flow manager when flow isn't applicable +- core: fix UserSelfSerializer's save() overwriting other user attributes +- core: prevent LDAP password being set for internal hash upgrades +- crypto: return private key's type (required for some oauth2 providers) +- flows: add test helpers to simplify and improve checking of stages, remove force_str +- flows: don't create EventAction.FLOW_EXECUTION +- flows: update default flow titles +- flows: use WithUserInfoChallenge for AccessDeniedChallenge +- lib: strip values for timedelta from string +- outposts: add remote docker integration via SSH +- outposts: fix outpost's sentry not sending release +- outposts: include outposts build hash in state +- outposts/proxy: add support for multiple states, when multiple requests are redirect at once +- outposts/proxy: fix error checking for type assertion +- policies/reputation: rework reputation to use a single entry, include geo_ip data +- sources/oauth: add additional scopes field to get additional data from provider +- sources/oauth: fix github provider not including correct base scopes +- stages/identification: add field for passwordless flow +- tenants: forbid creation of multiple default tenants +- web: add tr to locale +- web: remove page header colour, match user navbar to admin sidebar +- web/admin: add Admin in titlebar for admin interface +- web/admin: fix alignment in outpost list when expanding rows +- web/admin: fix display when groups/users don't fit on a single row +- web/admin: include key type in list +- web/admin: mark additional scopes as non-required +- web/admin: show flow title in list +- web/elements: fix alignment of chipgroup on modal add +- web/elements: fix spacing between chips in chip-group +- web/elements: re-enable codemirror line numbers (fixed on firefox) +- 
web/flows: add workaround for autofocus not working in password stage +- web/flows: fix duplicate loading spinners when using webauthn +- web/flows: fix helper form not being removed from identification stage (improve password manager compatibility) +- web/flows: include user in access denied stage +- web/flows: only add helper username input if using native shadow dom to prevent browser confusion +- web/user: add language selection +- web/user: rework user source connection UI ## Upgrading @@ -270,6 +270,6 @@ Update your values to use the new images: ```yaml image: - repository: ghcr.io/goauthentik/server - tag: 2021.12.1 + repository: ghcr.io/goauthentik/server + tag: 2021.12.1 ``` diff --git a/website/docs/releases/v2021.2.md b/website/docs/releases/v2021.2.md index 8a7115bf3..72635038c 100644 --- a/website/docs/releases/v2021.2.md +++ b/website/docs/releases/v2021.2.md 
@@ -5,107 +5,107 @@ slug: "2021.2" ## Headline Changes -- Managed objects +- Managed objects Objects like property mappings can now be marked as managed, which means that they will be created, updated and deleted by authentik. Currently, this is used to update default property mappings, and mark tokens and users generated by outposts. -- Improved support for different LDAP Servers +- Improved support for different LDAP Servers The LDAP source has improved support for non-Active Directory LDAP setups. This includes the following changes: - - Switch to sync membership from groups to users rather than user to group - - Fix users, which were removed from a group in LDAP not being removed from said group - - Add support for LDAP servers which have core fields declared as lists - - Add property-mappings for groups, to map attributes like `name` or `is_superuser` + - Switch to sync membership from groups to users rather than user to group + - Fix users, which were removed from a group in LDAP not being removed from said group + - Add support for LDAP servers which have core fields declared as lists + - Add property-mappings for groups, to map attributes like `name` or `is_superuser` -- Add test view to debug property-mappings. +- Add test view to debug property-mappings. 
## Fixes -- admin: add test view for property mappings -- core: Fix application cache not being cleared correctly (and not being ignored for searches) -- events: add send_once flag to send webhooks only once -- events: allow searching by event id -- events: don't log successful system tasks -- events: improve information sent in notification emails -- providers/oauth2: pass application to configuration error event -- providers/saml: fix imported provider not saving properties correctly -- root: use filtering_bound_logger for speed improvements -- stages/consent: fix wrong widget for expire -- web: migrate Provider List to SPA +- admin: add test view for property mappings +- core: Fix application cache not being cleared correctly (and not being ignored for searches) +- events: add send_once flag to send webhooks only once +- events: allow searching by event id +- events: don't log successful system tasks +- events: improve information sent in notification emails +- providers/oauth2: pass application to configuration error event +- providers/saml: fix imported provider not saving properties correctly +- root: use filtering_bound_logger for speed improvements +- stages/consent: fix wrong widget for expire +- web: migrate Provider List to SPA ## Fixed in 2021.2.1-rc2 -- admin: add Certificate-Keypair generation -- admin: fix property-mapping views redirecting to invalid URL -- admin: improve layout for policy testing -- admin: remove old provider list view -- outpost: cap reconnect backoff at 60 seconds, reset backoff on successful connection -- policies: add debug flag to PolicyRequest to prevent alerts from testing policies -- providers/saml: force-set friendly_name to empty string for managed mappings -- root: add dedicated live and readiness healthcheck views -- web: fix link to provider list on overview page -- web: fix outpost item in sidebar being active on service connection views +- admin: add Certificate-Keypair generation +- admin: fix property-mapping views 
redirecting to invalid URL +- admin: improve layout for policy testing +- admin: remove old provider list view +- outpost: cap reconnect backoff at 60 seconds, reset backoff on successful connection +- policies: add debug flag to PolicyRequest to prevent alerts from testing policies +- providers/saml: force-set friendly_name to empty string for managed mappings +- root: add dedicated live and readiness healthcheck views +- web: fix link to provider list on overview page +- web: fix outpost item in sidebar being active on service connection views ## Fixed in 2021.2.1-stable -- admin: fix link in source list -- web: rebuild Outposts list in SPA -- outposts: Fix reconnect not working reliably -- providers/oauth2: add authorized scopes to AUTHORIZE_APPLICATION event -- providers/oauth2: add unofficial groups attribute to default profile claim -- web: fix sidebar being active when stage prompts is selected +- admin: fix link in source list +- web: rebuild Outposts list in SPA +- outposts: Fix reconnect not working reliably +- providers/oauth2: add authorized scopes to AUTHORIZE_APPLICATION event +- providers/oauth2: add unofficial groups attribute to default profile claim +- web: fix sidebar being active when stage prompts is selected ## Fixed in 2021.2.2-stable -- crypto: move certificate and key data to separate api calls to create events -- events: rename context.token to context.secret -- events: rename token_view to secret_view -- lib: fix stacktrace for general expressions -- outposts: fix ProxyProvider update not triggering outpost update -- policies: skip cache on debug request -- providers/proxy: fix certificates without key being selectable -- root: log runtime in milliseconds -- sources/*: switch API to use slug in URL -- sources/ldap: add API for sync status -- sources/oauth: add callback URL to api -- web: fix ModalButton working in global scope, causing issues on 2nd use +- crypto: move certificate and key data to separate api calls to create events +- 
events: rename context.token to context.secret +- events: rename token_view to secret_view +- lib: fix stacktrace for general expressions +- outposts: fix ProxyProvider update not triggering outpost update +- policies: skip cache on debug request +- providers/proxy: fix certificates without key being selectable +- root: log runtime in milliseconds +- sources/\*: switch API to use slug in URL +- sources/ldap: add API for sync status +- sources/oauth: add callback URL to api +- web: fix ModalButton working in global scope, causing issues on 2nd use ## Fixed in 2021.2.3-stable -- core: fix tokens using wrong lookup -- web: fix missing source create button +- core: fix tokens using wrong lookup +- web: fix missing source create button ## Fixed in 2021.2.4-stable -- admin: fix missing success_urls causing errors on create/update forms -- core: fix typo in user settings causing sources to not show +- admin: fix missing success_urls causing errors on create/update forms +- core: fix typo in user settings causing sources to not show ## Fixed in 2021.2.5-stable -- admin: fix policy list not having a refresh button -- events: pass Event's user to Notification policy engine when present -- helm: add initial wait for healthcheck -- outpost: improve logging output, ensure fields match api server -- root: fix request_id not being logged for actual asgi requests -- sources/oauth: fix buttons not being ak-root-link -- web: fix library not being full height, again -- web: fix outpost edit/delete buttons -- web: fix SiteShell breaking links when handlers are updated twice +- admin: fix policy list not having a refresh button +- events: pass Event's user to Notification policy engine when present +- helm: add initial wait for healthcheck +- outpost: improve logging output, ensure fields match api server +- root: fix request_id not being logged for actual asgi requests +- sources/oauth: fix buttons not being ak-root-link +- web: fix library not being full height, again +- web: fix 
outpost edit/delete buttons +- web: fix SiteShell breaking links when handlers are updated twice ## Fixed in 2021.2.6-stable -- admin: fix missing success_url for Cache clean views -- events: fix error when event can't be loaded in rule task -- flows: handle error when app cannot be found during flow import -- policies: sort groups in GroupMembershipPolicy policy and binding -- providers/oauth2: fix error when no login event could be found -- sources/ldap: fix API error when source has not synced yet -- sources/ldap: fix password setter on users which are not LDAP -- web: add sentry CaptureConsole -- web: fix colourstyles not being included in common_styles +- admin: fix missing success_url for Cache clean views +- events: fix error when event can't be loaded in rule task +- flows: handle error when app cannot be found during flow import +- policies: sort groups in GroupMembershipPolicy policy and binding +- providers/oauth2: fix error when no login event could be found +- sources/ldap: fix API error when source has not synced yet +- sources/ldap: fix password setter on users which are not LDAP +- web: add sentry CaptureConsole +- web: fix colourstyles not being included in common_styles ## Upgrading @@ -116,11 +116,12 @@ Due to the switch to managed objects, some default property mappings are changin The change affects the "SAML Name" property, which has been changed from an oid to a Schema URI to aid readability. The integrations affected are: -- [Ansible Tower/AWX](/integrations/services/awx-tower/) -- [GitLab](/integrations/services/gitlab/) -- [NextCloud](/integrations/services/nextcloud/) -- [Rancher](/integrations/services/rancher/) -- [Sentry](/integrations/services/sentry/) + +- [Ansible Tower/AWX](/integrations/services/awx-tower/) +- [GitLab](/integrations/services/gitlab/) +- [NextCloud](/integrations/services/nextcloud/) +- [Rancher](/integrations/services/rancher/) +- [Sentry](/integrations/services/sentry/) ### docker-compose 
diff --git a/website/docs/releases/v2021.3.md b/website/docs/releases/v2021.3.md index 419650110..dfc95627f 100644 --- a/website/docs/releases/v2021.3.md +++ b/website/docs/releases/v2021.3.md @@ -5,13 +5,13 @@ slug: "2021.3" ## Headline Changes -- WebAuthn support +- WebAuthn support This release introduces support for [WebAuthn](https://webauthn.io/), an open standard for the use of hardware authentication keys like YubiKeys on the web. You can configure a WebAuthn device using the "WebAuthn Authenticator Setup Stage" stage. Afterwards, it can be used as an n-th factor, just like TOTP authenticators. -- Simplify role-based access +- Simplify role-based access Instead of having to create a Group Membership policy for every group you want to use, you can now select a Group and even a User directly in a binding. 
@@ -21,65 +21,63 @@ slug: "2021.3" Group Membership policies are automatically migrated to use this simplified access. -- Invisible reCAPTCHA +- Invisible reCAPTCHA The checkbox-based reCAPTCHA has been replaced with [reCAPTCHA v2 Invisible](https://developers.google.com/recaptcha/docs/invisible). This is a breaking change, as a set of reCAPTCHA keys are only valid for a single type. For this, go to https://www.google.com/recaptcha/admin and create a new set of keys with the "reCAPTCHA v2" type and "Invisible reCAPTCHA badge" mode. -- Migration of Flow Executor to SPA/API +- Migration of Flow Executor to SPA/API The flow executor has been migrated to a full SPA/API architecture. This was required for WebAuthn, but also allows for greater customizability. It also allows other services to use the flow executor via an API, which will be used by the outpost further down the road. -- Deny stage +- Deny stage A new stage which simply denies access. This can be used to conditionally deny access to users during a flow. Authorization flows for example required an authenticated user, but there was no previous way to block access for un-authenticated users. If you conditionally include this stage in a flow, make sure to disable "Evaluate on plan", as that will always include the stage in the flow, regardless of the inputs. 
- ## Fixed in 2021.3.2 -- sources/ldap: fix sync for Users without pwdLastSet -- web: fix date display issue -- web: fix submit in Modal reloading page in firefox +- sources/ldap: fix sync for Users without pwdLastSet +- web: fix date display issue +- web: fix submit in Modal reloading page in firefox ## Fixed in 2021.3.3 -- providers/oauth2: allow protected_resource_view when method is OPTIONS -- stages/authenticator_static: fix error when disable static tokens -- stages/authenticator_webauthn: add missing migration -- web: fix Colours for user settings in dark mode -- web: fix Flow executor not showing spinner when redirecting -- web: fix Source icons not being displayed on firefox -- web: fix styling for static token list +- providers/oauth2: allow protected_resource_view when method is OPTIONS +- stages/authenticator_static: fix error when disable static tokens +- stages/authenticator_webauthn: add missing migration +- web: fix Colours for user settings in dark mode +- web: fix Flow executor not showing spinner when redirecting +- web: fix Source icons not being displayed on firefox +- web: fix styling for static token list ## Fixed in 2021.3.4 -- admin: include git build hash in gh-* tags and show build hash in admin overview -- events: don't fail on boot when geoip can't be opened -- helm: add initial geoip -- outposts: improve logs for outpost connection -- policies: fix error when clearing policy cache when no policies are cached -- root: add comment for error reporting to compose -- root: add geoip config to docker-compose -- sources/oauth: fix error on user enrollment when no enrollment flow is defined -- web: add close button to messages -- web: backport fix: add missing background filter -- web: fix outpost health display -- web: fix path for fallback flow view -- web: fix system task index -- web: improve compatibility with password managers -- web: improve layout of expanded event info -- web: improve styling for application list -- web: prevent 
duplicate messages -- web: show related edit button for bound stages and policies -- web: use chunking for vendor and api -- web: use loadingState for autosubmitStage -- web: use sections in sidebar, adjust colouring - +- admin: include git build hash in gh-\* tags and show build hash in admin overview +- events: don't fail on boot when geoip can't be opened +- helm: add initial geoip +- outposts: improve logs for outpost connection +- policies: fix error when clearing policy cache when no policies are cached +- root: add comment for error reporting to compose +- root: add geoip config to docker-compose +- sources/oauth: fix error on user enrollment when no enrollment flow is defined +- web: add close button to messages +- web: backport fix: add missing background filter +- web: fix outpost health display +- web: fix path for fallback flow view +- web: fix system task index +- web: improve compatibility with password managers +- web: improve layout of expanded event info +- web: improve styling for application list +- web: prevent duplicate messages +- web: show related edit button for bound stages and policies +- web: use chunking for vendor and api +- web: use loadingState for autosubmitStage +- web: use sections in sidebar, adjust colouring ## Upgrading diff --git a/website/docs/releases/v2021.4.md b/website/docs/releases/v2021.4.md index 552b4a2f0..458ae3df9 100644 --- a/website/docs/releases/v2021.4.md +++ b/website/docs/releases/v2021.4.md 
@@ -5,127 +5,126 @@ slug: "2021.4" ## Headline Changes -- Configurable Policy engine mode +- Configurable Policy engine mode - In the past, all objects, which could have policies attached to them, required *all* policies to pass to consider an action successful. - You can now configure if *all* policies need to pass, or if *any* policy needs to pass. + In the past, all objects, which could have policies attached to them, required _all_ policies to pass to consider an action successful. + You can now configure if _all_ policies need to pass, or if _any_ policy needs to pass. This can now be configured for the following objects: - - Applications (access restrictions) - - Sources - - Flows - - Flow-stage bindings + - Applications (access restrictions) + - Sources + - Flows + - Flow-stage bindings - For backwards compatibility, this is set to *all*, but new objects will default to *any*. + For backwards compatibility, this is set to _all_, but new objects will default to _any_. -- Expiring Events +- Expiring Events Previously, events would stay in the database forever, and had to eventually be cleaned up manually. This version add expiry to events with a default timeout of 1 Year. This also applies to existing events, and their expiry will be set during the migration. -- New UI +- New UI While the UI mostly looks the same, under the hood a lot has changed. The Web UI is now a Single-page application based on rollup and lit-html. This has several consequences and new features, for example: - - You can now see a user's OAuth Access/Refresh tokens and the consents they've given - - You can now see a per-object changelog based on the model_create/update/delete events being created. 
- - A new API Browser is available under `https://authentink.company/api/v2beta/` - - Several new charts, new pages and quality-of-life improvements - - Credentials of objects are no longer shown while editing them + - You can now see a user's OAuth Access/Refresh tokens and the consents they've given + - You can now see a per-object changelog based on the model_create/update/delete events being created. + - A new API Browser is available under `https://authentink.company/api/v2beta/` + - Several new charts, new pages and quality-of-life improvements + - Credentials of objects are no longer shown while editing them -- Deprecated Group membership has been removed. +- Deprecated Group membership has been removed. ## Minor changes -- You can now specify the amount of processes started in docker-compose using the `WORKERS` environment variable. +- You can now specify the amount of processes started in docker-compose using the `WORKERS` environment variable. ## Fixed in 2021.4.2 -- core: fix propertymapping API returning invalid value for components (https://github.com/goauthentik/authentik/issues/746) -- core: improve messaging when creating a recovery link for a user when no recovery flow exists -- flows: annotate flows executor 404 error -- flows: include configure_flow in stages API -- helm: make storage class, size and mode configurable -- helm: turn off monitoring by default (https://github.com/goauthentik/authentik/issues/741) -- outposts: fix errors when creating multiple outposts -- root: add restart: unless-stopped to compose -- root: base Websocket message storage on Base not fallback -- root: fix healthcheck part in docker-compose -- root: fix setting of EMAIL_USE_TLS and EMAIL_USE_SSL -- sources/ldap: improve error handling during sync -- sources/oauth: fix error when creating an oauth source which has fixed URLs -- sources/oauth: fix resolution of sources' provider type -- web: fix background-color on router outlet on light mode -- web/admin: fix error 
when user doesn't have permissions to read source -- web/admin: fix errors in user profile when non-superuser - +- core: fix propertymapping API returning invalid value for components (https://github.com/goauthentik/authentik/issues/746) +- core: improve messaging when creating a recovery link for a user when no recovery flow exists +- flows: annotate flows executor 404 error +- flows: include configure_flow in stages API +- helm: make storage class, size and mode configurable +- helm: turn off monitoring by default (https://github.com/goauthentik/authentik/issues/741) +- outposts: fix errors when creating multiple outposts +- root: add restart: unless-stopped to compose +- root: base Websocket message storage on Base not fallback +- root: fix healthcheck part in docker-compose +- root: fix setting of EMAIL_USE_TLS and EMAIL_USE_SSL +- sources/ldap: improve error handling during sync +- sources/oauth: fix error when creating an oauth source which has fixed URLs +- sources/oauth: fix resolution of sources' provider type +- web: fix background-color on router outlet on light mode +- web/admin: fix error when user doesn't have permissions to read source +- web/admin: fix errors in user profile when non-superuser ## Fixed in 2021.4.3 -- *: add model_name to TypeCreate API to distinguish between models sharing a component -- api: fix CSRF error when using POST/PATCH/PUT in API Browser -- api: make 401 messages clearer -- api: mount outposts under outposts/instances to match flows -- core: add parameter to output property mapping test result formatted -- core: add superuser_full_list to applications list, shows all applications when superuser -- core: fix Tokens being created with incorrect intent by default -- outposts: don't run outpost_controller when no service connection is set -- providers/oauth2: Set CORS Headers for token endpoint, check Origin header against redirect URLs -- root: auto-migrate on startup, lock database using pg_advisory_lock -- sources/oauth: 
add login with plex support -- sources/oauth: fix redirect loop for source with non-configurable URLs -- sources/oauth: save null instead of empty string for sources without configurable URLs -- web/admin: add ability to add users to a group whilst creating a group -- web/admin: fix default for codemirror -- web/admin: fix group member table order -- web/admin: fix non-matching provider type being selected when creating an OAuth Source -- web/admin: fix provider type resetting when changing provider type -- web/admin: fix undefined being shown when viewing application -- web/admin: improve default selection for property-mappings +- \*: add model_name to TypeCreate API to distinguish between models sharing a component +- api: fix CSRF error when using POST/PATCH/PUT in API Browser +- api: make 401 messages clearer +- api: mount outposts under outposts/instances to match flows +- core: add parameter to output property mapping test result formatted +- core: add superuser_full_list to applications list, shows all applications when superuser +- core: fix Tokens being created with incorrect intent by default +- outposts: don't run outpost_controller when no service connection is set +- providers/oauth2: Set CORS Headers for token endpoint, check Origin header against redirect URLs +- root: auto-migrate on startup, lock database using pg_advisory_lock +- sources/oauth: add login with plex support +- sources/oauth: fix redirect loop for source with non-configurable URLs +- sources/oauth: save null instead of empty string for sources without configurable URLs +- web/admin: add ability to add users to a group whilst creating a group +- web/admin: fix default for codemirror +- web/admin: fix group member table order +- web/admin: fix non-matching provider type being selected when creating an OAuth Source +- web/admin: fix provider type resetting when changing provider type +- web/admin: fix undefined being shown when viewing application +- web/admin: improve default selection 
for property-mappings ## Fixed in 2021.4.4 -- *: make tasks run every 60 minutes not :00 every hour -- outposts: check for X-Forwarded-Host to switch context -- outposts: improve update performance -- outposts: move local connection check to task, run every 60 minutes -- providers/oauth2: add proper support for non-http schemes as redirect URIs -- providers/oauth2: fix TokenView not having CORS headers set even with proper Origin -- sources/oauth: fix error whilst fetching user profile when source uses fixed URLs -- sources/oauth: handle error in AzureAD when ID Can't be extracted -- stages/user_login: add default backend -- web: fix title not being loaded from config -- web: only report http errors for 500 and above -- web: send response info when response is thrown -- web/admin: add description for fields in proxy provider form -- web/admin: adjust phrasing of cards on overview page -- web/admin: fix display for user supseruser status -- web/admin: fix error when me() returns 403 -- web/admin: fix error when updating identification stage -- web/admin: fix invalid group member count -- web/admin: fix link to providers on overview page -- web/admin: fix mismatched required tags -- web/admin: improve phrasing for Policy bindings -- web/admin: only allow policies to be bound to sources as users/groups cannot be checked -- web/admin: only pre-select items when creating a new object -- web/flows: fix Sentry not being loaded correctly +- \*: make tasks run every 60 minutes not :00 every hour +- outposts: check for X-Forwarded-Host to switch context +- outposts: improve update performance +- outposts: move local connection check to task, run every 60 minutes +- providers/oauth2: add proper support for non-http schemes as redirect URIs +- providers/oauth2: fix TokenView not having CORS headers set even with proper Origin +- sources/oauth: fix error whilst fetching user profile when source uses fixed URLs +- sources/oauth: handle error in AzureAD when ID Can't be extracted 
+- stages/user_login: add default backend +- web: fix title not being loaded from config +- web: only report http errors for 500 and above +- web: send response info when response is thrown +- web/admin: add description for fields in proxy provider form +- web/admin: adjust phrasing of cards on overview page +- web/admin: fix display for user supseruser status +- web/admin: fix error when me() returns 403 +- web/admin: fix error when updating identification stage +- web/admin: fix invalid group member count +- web/admin: fix link to providers on overview page +- web/admin: fix mismatched required tags +- web/admin: improve phrasing for Policy bindings +- web/admin: only allow policies to be bound to sources as users/groups cannot be checked +- web/admin: only pre-select items when creating a new object +- web/flows: fix Sentry not being loaded correctly ## Fixed in 2021.4.5 -- core: fix text on error pages being hard to read -- outposts: only kill docker container if its running -- root: add middleware to properly report websocket connection to sentry -- root: don't use .error of structlog to not send to sentry -- stages/email: catch ValueError when global email settings are invalid -- stages/invitation: accept token from prompt_data -- stages/invitation: fix token not being loaded correctly from query string -- web: fix text-colour for form help text -- web: ignore network errors for sentry -- web/admin: don't show docker certs as required -- web/flows: fix redirect loop when sentry is enabled on flow views -- web/flows: include ShadyDOM, always enable ShadyDOM for flow interface, improve compatibility with password -- web/flows/identification: fix phrasing account recovery +- core: fix text on error pages being hard to read +- outposts: only kill docker container if its running +- root: add middleware to properly report websocket connection to sentry +- root: don't use .error of structlog to not send to sentry +- stages/email: catch ValueError when global email 
settings are invalid +- stages/invitation: accept token from prompt_data +- stages/invitation: fix token not being loaded correctly from query string +- web: fix text-colour for form help text +- web: ignore network errors for sentry +- web/admin: don't show docker certs as required +- web/flows: fix redirect loop when sentry is enabled on flow views +- web/flows: include ShadyDOM, always enable ShadyDOM for flow interface, improve compatibility with password +- web/flows/identification: fix phrasing account recovery ## Upgrading diff --git a/website/docs/releases/v2021.5.md b/website/docs/releases/v2021.5.md index a1f30e223..d36f596fe 100644 --- a/website/docs/releases/v2021.5.md +++ b/website/docs/releases/v2021.5.md @@ -5,7 +5,7 @@ slug: "2021.5" ## Headline Changes -- LDAP Provider +- LDAP Provider :::info This feature is still in technical preview, so please report any Bugs you run into on [GitHub](https://github.com/goauthentik/authentik/issues) 
@@ -17,85 +17,85 @@ This feature is still in technical preview, so please report any Bugs you run in Binding against the LDAP Server uses a flow in the background. This allows you to use the same policies and flows as you do for web-based logins. The only limitation is that currently only identification and password stages are supported, due to how LDAP works. -- Compatibility with forwardAuth/auth_request +- Compatibility with forwardAuth/auth_request The authentik proxy is now compatible with forwardAuth (traefik) / auth_request (nginx). All that is required is the latest version of the outpost, and the correct config from [here](../providers/proxy/forward_auth.mdx). -- Docker images for ARM +- Docker images for ARM Docker images are now built for amd64 and arm64. -- Reduced setup complexity +- Reduced setup complexity The authentik server now requires less containers. The static container (as well as the traefik when using docker-compose) are no longer required. As the first stage of a migration to Golang instead of Python, authentik now runs behind an in-container reverse proxy, which hosts the static files. -- New Plex authentication source +- New Plex authentication source The plex source (previously a provider for the OAuth Source) has been rewritten to a dedicated Source. You can now limit access to authentik based on which servers a Plex user is member of. -- Configurable source behaviour +- Configurable source behaviour You can now configure how a source behaves after the user has authenticated themselves to the source. Previously, authentik always checked the unique identifier from the source, enrolled the user when the identifier didn't exist and authenticated the user otherwise. Now you can configure how the matching should be done: - - Identifier: Keeps the old behaviour, can lead to duplicate user accounts - - Email (link): If a user with the same Email address exists, they are linked. 
Can have security implications when a source doesn't validate email addresses. - - Email (deny): Deny the flow if the Email address is already used. - - Username (link): If a user with the same username address exists, they are linked. Can have security implications when a username is used with another source. - - Username (deny): Deny the flow if the username address is already used. + - Identifier: Keeps the old behaviour, can lead to duplicate user accounts + - Email (link): If a user with the same Email address exists, they are linked. Can have security implications when a source doesn't validate email addresses. + - Email (deny): Deny the flow if the Email address is already used. + - Username (link): If a user with the same username address exists, they are linked. Can have security implications when a username is used with another source. + - Username (deny): Deny the flow if the username address is already used. ## Minor changes -- Improved compatibility of the flow interface with password managers. -- Improved compatibility when using SAML Sources with a redirect binding. -- Improved configurability of outpost docker image name for managed Outposts. -- Add customization of access code validity for OAuth2 Providers. -- Add ability to configure no login fields on identification stage to only allow logins with Sources. -- Add single-use flag for invitations to delete token after use. -- Fix sidebar not collapsible on mobile. +- Improved compatibility of the flow interface with password managers. +- Improved compatibility when using SAML Sources with a redirect binding. +- Improved configurability of outpost docker image name for managed Outposts. +- Add customization of access code validity for OAuth2 Providers. +- Add ability to configure no login fields on identification stage to only allow logins with Sources. +- Add single-use flag for invitations to delete token after use. +- Fix sidebar not collapsible on mobile. 
## Fixed in 2021.5.2 -- core: fix application's slug field not being set to unique -- flows: fix error when using cancel flow -- lib: Fix config loading of secrets from files (#887) -- lib: fix parsing of remote IP header when behind multiple reverse proxies -- lifecycle: check if group of docker socket exists -- lifecycle: fix error when worker is not running as root -- outposts: fix error when controller loads from cache but cache has expired -- outposts: fix missing default for OutpostState.for_channel -- outposts: fix reload notification not working due to wrong ID being cached -- outposts/ldap: fix AUTHENTIK_INSECURE not being respected for API client during bind -- outposts/proxy: fix error redeeming code when using non-standard ports -- outposts/proxy: fix insecure TLS Skip -- providers/ldap: use username instead of name for user dn (#883) -- providers/proxy: connect ingress to https instead of http -- root: only load debug secret key when debug is enabled -- web: fix chunks overwriting each other -- web/admin: add notice for LDAP Provider's group selection -- web/admin: fix PropertyMappings not loading correctly -- website/docs: add example ldapsearch command +- core: fix application's slug field not being set to unique +- flows: fix error when using cancel flow +- lib: Fix config loading of secrets from files (#887) +- lib: fix parsing of remote IP header when behind multiple reverse proxies +- lifecycle: check if group of docker socket exists +- lifecycle: fix error when worker is not running as root +- outposts: fix error when controller loads from cache but cache has expired +- outposts: fix missing default for OutpostState.for_channel +- outposts: fix reload notification not working due to wrong ID being cached +- outposts/ldap: fix AUTHENTIK_INSECURE not being respected for API client during bind +- outposts/proxy: fix error redeeming code when using non-standard ports +- outposts/proxy: fix insecure TLS Skip +- providers/ldap: use username instead of 
name for user dn (#883) +- providers/proxy: connect ingress to https instead of http +- root: only load debug secret key when debug is enabled +- web: fix chunks overwriting each other +- web/admin: add notice for LDAP Provider's group selection +- web/admin: fix PropertyMappings not loading correctly +- website/docs: add example ldapsearch command ## Fixed in 2021.5.3 -- outposts: fix update signal not being sent to correct instances -- providers/oauth2: fix double login required when prompt=login -- providers/proxy: fix redirect_uris not always being set on save -- sources/plex: force setting of plex token -- web: fix t.reset is not a function -- web: remove nginx config, add caching headers to static files -- web/admin: fix flow form not loading data +- outposts: fix update signal not being sent to correct instances +- providers/oauth2: fix double login required when prompt=login +- providers/proxy: fix redirect_uris not always being set on save +- sources/plex: force setting of plex token +- web: fix t.reset is not a function +- web: remove nginx config, add caching headers to static files +- web/admin: fix flow form not loading data ## Fixed in 2021.5.4 -- providers/oauth2: add missing kid header to JWT Tokens -- stages/authenticator_*: fix Permission Error when disabling Authenticator as non-superuser -- web: fix missing flow and policy cache clearing UI -- web: set x-forwarded-proto based on upstream TLS Status +- providers/oauth2: add missing kid header to JWT Tokens +- stages/authenticator\_\*: fix Permission Error when disabling Authenticator as non-superuser +- web: fix missing flow and policy cache clearing UI +- web: set x-forwarded-proto based on upstream TLS Status ## Upgrading diff --git a/website/docs/releases/v2021.6.md b/website/docs/releases/v2021.6.md index 1a856e19f..4af8b3ac2 100644 --- a/website/docs/releases/v2021.6.md +++ b/website/docs/releases/v2021.6.md 
@@ -5,161 +5,161 @@ slug: "2021.6" ## Headline Changes -- Duo two-factor support +- Duo two-factor support You can now add the new `authenticator_duo` stage to configure Duo authenticators. Duo has also been added as device class to the `authenticator_validation` stage. Currently, only Duo push notifications are supported. Because no additional input is required, Duo also works with the LDAP Outpost. -- Multi-tenancy +- Multi-tenancy This version adds soft multi-tenancy. This means you can configure different branding settings and different default flows per domain. This also changes how a default flow is determined. Previously, for defaults flow, authentik would pick the first flow that - - matches the required designation - - comes first sorted by slug - - is allowed by policies + - matches the required designation + - comes first sorted by slug + - is allowed by policies Now, authentik first checks if the current tenant has a default flow configured for the selected designation. If not, it behaves the same as before, meaning that if you want to select a default flow based on policy, you can just leave the tenant default empty. -- Domain-level authorization with proxy providers +- Domain-level authorization with proxy providers Instead of simply being able to toggle between forward auth and proxy mode, you can now enable forward auth for an entire domain. This has the downside that you can't do per-application authorization, but also simplifies configuration as you don't have to create each application in authentik. -- API Schema now uses OpenAPI v3 +- API Schema now uses OpenAPI v3 The API endpoints are mostly the same, however all the clients are now built from an OpenAPI v3 schema. You can retrieve the schema from `authentik.company.tld/api/v2beta/schema/` -- On Kubernetes installs without a /media PVC, you can now set URLs instead of uploading files. 
-- Expanded prometheus metrics for PolicyEngine and FlowPlanner +- On Kubernetes installs without a /media PVC, you can now set URLs instead of uploading files. +- Expanded prometheus metrics for PolicyEngine and FlowPlanner ## Minor changes -- You can now specify which sources should be shown on an Identification stage. -- Add UI for the reputation of IPs and usernames for reputation policies. -- Fix proxy outpost not being able to redeem tokens when using with an un-trusted SSL Certificate -- Add UI to check access of any application for any user +- You can now specify which sources should be shown on an Identification stage. +- Add UI for the reputation of IPs and usernames for reputation policies. +- Fix proxy outpost not being able to redeem tokens when using with an un-trusted SSL Certificate +- Add UI to check access of any application for any user ## Fixed in 2021.6.1-rc5 -- flows: fix configuration URL being set when no flow is configure -- stages/authenticator_totp: set TOTP issuer based on slug'd tenant title -- stages/authenticator_webauthn: use tenant title as RP_NAME -- stages/identification: add UPN -- stages/password: add constants for password backends -- web: fix flow download link +- flows: fix configuration URL being set when no flow is configure +- stages/authenticator_totp: set TOTP issuer based on slug'd tenant title +- stages/authenticator_webauthn: use tenant title as RP_NAME +- stages/identification: add UPN +- stages/password: add constants for password backends +- web: fix flow download link ## Fixed in 2021.6.1-rc6 -- ci: build and push stable tag when rc not in release name -- core: delete real session when AuthenticatedSession is deleted -- core: fix impersonation not working with inactive users -- core: fix upload api not checking clear properly -- core: revert check_access API to get to prevent CSRF errors -- events: add tenant to event -- events: catch unhandled exceptions from request as event, add button to open github issue -- 
flows: fix error clearing flow background when no files have been uploaded -- outpost: fix syntax error when creating an outpost with connection -- outposts: fix integrity error with tokens -- outposts/ldap: improve responses for unsuccessful binds -- policies/reputation: fix race condition in tests -- provider/proxy: mark forward_auth flag as deprecated -- providers/saml: improve error handling for signature errors -- root: fix build_hash being set incorrectly for tagged versions -- sources/saml: check sessions before deleting user -- stages/authenticator_duo: don't create default duo stage -- stages/authenticator_validate: add tests for authenticator validation -- stages/identification: fix challenges not being annotated correctly and API client not loading data correctly -- web: add capabilities to sentry event -- web: migrate banner to sidebar -- web/admin: fix user enable/disable modal not matching other modals -- web/admin: select service connection by default when only one exists -- web/flows: fix expiry not shown on consent stage when loading -- web/flows: fix IdentificationStage's label not matching fields -- web/flows: improve display of allowed fields for identification stage -- website/docs: add docs for outpost configuration +- ci: build and push stable tag when rc not in release name +- core: delete real session when AuthenticatedSession is deleted +- core: fix impersonation not working with inactive users +- core: fix upload api not checking clear properly +- core: revert check_access API to get to prevent CSRF errors +- events: add tenant to event +- events: catch unhandled exceptions from request as event, add button to open github issue +- flows: fix error clearing flow background when no files have been uploaded +- outpost: fix syntax error when creating an outpost with connection +- outposts: fix integrity error with tokens +- outposts/ldap: improve responses for unsuccessful binds +- policies/reputation: fix race condition in tests +- 
provider/proxy: mark forward_auth flag as deprecated +- providers/saml: improve error handling for signature errors +- root: fix build_hash being set incorrectly for tagged versions +- sources/saml: check sessions before deleting user +- stages/authenticator_duo: don't create default duo stage +- stages/authenticator_validate: add tests for authenticator validation +- stages/identification: fix challenges not being annotated correctly and API client not loading data correctly +- web: add capabilities to sentry event +- web: migrate banner to sidebar +- web/admin: fix user enable/disable modal not matching other modals +- web/admin: select service connection by default when only one exists +- web/flows: fix expiry not shown on consent stage when loading +- web/flows: fix IdentificationStage's label not matching fields +- web/flows: improve display of allowed fields for identification stage +- website/docs: add docs for outpost configuration ## Fixed in 2021.6.1 -- core: fix error getting stages when enrollment flow isn't set -- core: fix error when creating AuthenticatedSession without key -- flows: fix error when stage has incorrect type -- providers/saml: add support for NameID type unspecified -- providers/saml: fix error when getting transient user identifier -- providers/saml: fix NameIDPolicy not being parsed correctly -- recovery: fix error when creating multiple keys for the same user -- stages/authenticator_duo: fix error when enrolling an existing user -- stages/authenticator_duo: make Duo-admin viewset writeable -- website/docs: remove migrate command +- core: fix error getting stages when enrollment flow isn't set +- core: fix error when creating AuthenticatedSession without key +- flows: fix error when stage has incorrect type +- providers/saml: add support for NameID type unspecified +- providers/saml: fix error when getting transient user identifier +- providers/saml: fix NameIDPolicy not being parsed correctly +- recovery: fix error when creating 
multiple keys for the same user +- stages/authenticator_duo: fix error when enrolling an existing user +- stages/authenticator_duo: make Duo-admin viewset writeable +- website/docs: remove migrate command ## Fixed in 2021.6.2 -- core: add support for custom urls for avatars -- core: deepmerge user.group_attributes, use group_attributes for user settings -- core: fix PropertyMapping's globals not matching Expression policy -- core: remove default flow background from default css, set static in base_full and dynamically in if/flow -- crypto: catch error when loading private key -- flows: make flow plan cache timeout configurable -- outposts: fix port and inner_port being mixed on docker controller -- outposts/proxy: fix additionalHeaders not being set properly -- policies: don't use policy cache when checking application access -- policies: make policy result cache timeout configurable -- root: allow loading local /static files without debug flag -- root: make general cache timeouts configurable -- root: remove old traefik labels -- root: save temporary database dump in /tmp -- root: set outposts.docker_image_base to gh-master for tests -- stages/authenticator_validate: fix error when using not_configured_action=configure -- tenants: fix tenant not being queried correctly when using accessing over a child domain -- web/admin: fix tenant's default flag not being saved -- web/admin: handle elements in slot=form not being forms -- web/admin: sort inputs on authenticator validation stage form +- core: add support for custom urls for avatars +- core: deepmerge user.group_attributes, use group_attributes for user settings +- core: fix PropertyMapping's globals not matching Expression policy +- core: remove default flow background from default css, set static in base_full and dynamically in if/flow +- crypto: catch error when loading private key +- flows: make flow plan cache timeout configurable +- outposts: fix port and inner_port being mixed on docker controller +- 
outposts/proxy: fix additionalHeaders not being set properly +- policies: don't use policy cache when checking application access +- policies: make policy result cache timeout configurable +- root: allow loading local /static files without debug flag +- root: make general cache timeouts configurable +- root: remove old traefik labels +- root: save temporary database dump in /tmp +- root: set outposts.docker_image_base to gh-master for tests +- stages/authenticator_validate: fix error when using not_configured_action=configure +- tenants: fix tenant not being queried correctly when using accessing over a child domain +- web/admin: fix tenant's default flag not being saved +- web/admin: handle elements in slot=form not being forms +- web/admin: sort inputs on authenticator validation stage form ## Fixed in 2021.6.3 -- api: use partition instead of split for token -- core: fix flow background not correctly loading on initial draw -- events: add ability to create events via API -- events: ignore notification non-existent in transport -- events: only create SYSTEM_EXCEPTION event when error would've been sent to sentry -- expressions: fix regex_match result being inverted -- flows: add FlowStageBinding to flow plan instead of just stage -- flows: add invalid_response_action to configure how the FlowExecutor should handle invalid responses -- flows: handle possible errors with FlowPlans received from cache -- outposts: check docker container ports match -- outposts/ldap: fixed IsActive and IsSuperuser returning swapped incorrect values (#1078) -- providers/oauth2: fix exp of JWT when not using seconds -- sources/ldap: improve error handling when checking for password complexity on non-ad setups -- stages/authenticator_duo: fix component not being set in API -- stages/prompt: ensure hidden and static fields keep the value they had set -- stages/user_write: add flag to create new users as inactive -- tenants: include all default flows in current_tenant -- web/admin: fix 
deletion of authenticator not reloading the state correctly -- web/admin: fix only recovery flows being selectable for unenrollment flow in tenant form -- web/admin: fix text color on pf-c-card +- api: use partition instead of split for token +- core: fix flow background not correctly loading on initial draw +- events: add ability to create events via API +- events: ignore notification non-existent in transport +- events: only create SYSTEM_EXCEPTION event when error would've been sent to sentry +- expressions: fix regex_match result being inverted +- flows: add FlowStageBinding to flow plan instead of just stage +- flows: add invalid_response_action to configure how the FlowExecutor should handle invalid responses +- flows: handle possible errors with FlowPlans received from cache +- outposts: check docker container ports match +- outposts/ldap: fixed IsActive and IsSuperuser returning swapped incorrect values (#1078) +- providers/oauth2: fix exp of JWT when not using seconds +- sources/ldap: improve error handling when checking for password complexity on non-ad setups +- stages/authenticator_duo: fix component not being set in API +- stages/prompt: ensure hidden and static fields keep the value they had set +- stages/user_write: add flag to create new users as inactive +- tenants: include all default flows in current_tenant +- web/admin: fix deletion of authenticator not reloading the state correctly +- web/admin: fix only recovery flows being selectable for unenrollment flow in tenant form +- web/admin: fix text color on pf-c-card ## Fixed in 2021.6.4 -- core: only show `Reset password` link when recovery flow is configured -- crypto: show both sha1 and sha256 fingerprints -- flows: handle old cached flow plans better -- g: fix static and media caching not working properly -- outposts: fix container not being started after creation -- outposts: fix docker controller not checking env correctly -- outposts: fix docker controller not checking ports correctly -- 
outposts: fix empty message when docker outpost controller has changed nothing -- outposts: fix permissions not being set correctly upon outpost creation -- outposts/ldap: add support for boolean fields in ldap -- outposts/proxy: always redirect to session-end interface on sign_out -- providers/oauth2: add revoked field, create suspicious event when previous token is used -- providers/oauth2: deepmerge claims -- providers/oauth2: fix CORS headers not being set for unsuccessful requests -- providers/oauth2: use self.expires for exp field instead of calculating it again -- sources/oauth: create configuration error event when profile can't be parsed as json -- stages/user_write: add wrapper for post to user_write -- web/admin: fix ModelForm not re-loading after being reset -- web/admin: show oauth2 token revoked status +- core: only show `Reset password` link when recovery flow is configured +- crypto: show both sha1 and sha256 fingerprints +- flows: handle old cached flow plans better +- g: fix static and media caching not working properly +- outposts: fix container not being started after creation +- outposts: fix docker controller not checking env correctly +- outposts: fix docker controller not checking ports correctly +- outposts: fix empty message when docker outpost controller has changed nothing +- outposts: fix permissions not being set correctly upon outpost creation +- outposts/ldap: add support for boolean fields in ldap +- outposts/proxy: always redirect to session-end interface on sign_out +- providers/oauth2: add revoked field, create suspicious event when previous token is used +- providers/oauth2: deepmerge claims +- providers/oauth2: fix CORS headers not being set for unsuccessful requests +- providers/oauth2: use self.expires for exp field instead of calculating it again +- sources/oauth: create configuration error event when profile can't be parsed as json +- stages/user_write: add wrapper for post to user_write +- web/admin: fix ModelForm not 
re-loading after being reset +- web/admin: show oauth2 token revoked status ## Upgrading diff --git a/website/docs/releases/v2021.7.md b/website/docs/releases/v2021.7.md index 2ef6d005e..61acd2a8b 100644 --- a/website/docs/releases/v2021.7.md +++ b/website/docs/releases/v2021.7.md 
@@ -5,107 +5,107 @@ slug: "2021.7" ## Headline Changes -- SSL Support for LDAP Providers +- SSL Support for LDAP Providers You can now configure certificates for your LDAP Providers, meaning that all communication will be done encrypted. Currently, only SSL on port 636 is supported, not StartTLS. -- Add bundled docs +- Add bundled docs You can now browse the authentik docs for your version by browsing to `/help`. This means you don't have to rely on an internet connection to check the docs, and you also have the correct docs for your currently running version. ## Minor changes -- api: Tunnel Sentry requests through authentik to prevent them being blocked by ad-blockers -- core: fix error when setting icon/background to url longer than 100 chars -- events: fix error when slack notification request failed without a response -- flows: allow variable substitution in flow titles -- outposts/ldap: Fix LDAP outpost missing a `member` field on groups with all member DNs -- outposts/ldap: Fix LDAP outpost not parsing arrays from user and group attributes correctly -- providers/oauth2: allow blank redirect_uris to allow any redirect_uri -- providers/saml: fix parsing of POST bindings -- root: add PROXY protocol support for http, https, ldap and ldaps servers -- root: Allow configuration of Redis port -- root: set samesite to None for SAML POST flows -- root: subclass SessionMiddleware to set Secure and SameSite flag depending on context -- web: fix error when showing error message of request +- api: Tunnel Sentry requests through authentik to prevent them being blocked by ad-blockers +- core: fix error when setting icon/background to url longer than 100 chars +- events: fix error when slack notification request failed without a response +- flows: allow variable substitution in flow titles +- outposts/ldap: Fix LDAP outpost missing a `member` field on groups with all member DNs +- outposts/ldap: Fix LDAP outpost not parsing arrays from user and group attributes correctly +- 
providers/oauth2: allow blank redirect_uris to allow any redirect_uri +- providers/saml: fix parsing of POST bindings +- root: add PROXY protocol support for http, https, ldap and ldaps servers +- root: Allow configuration of Redis port +- root: set samesite to None for SAML POST flows +- root: subclass SessionMiddleware to set Secure and SameSite flag depending on context +- web: fix error when showing error message of request ## Fixed in 2021.7.1-rc2 -- core: add email filter for user -- core: add group filter by member username and pk -- core: broaden error catching for propertymappings -- lib: fix outpost fake-ip not working, add tests -- outpost: fix 100% CPU Usage when not connected to websocket -- outposts: ensure outpost SAs always have permissions to fake IP -- outposts: fix git hash not being set in outposts -- outposts: save certificate fingerprint and check before re-fetching to cleanup logs -- outposts/ldap: add tracing for LDAP bind and search -- outposts/ldap: improve parsing of LDAP filters -- outposts/ldap: optimise backend Search API requests -- outposts/proxy: add X-Auth-Groups header to pass groups -- providers/oauth2: handler PropertyMapping exceptions and create event -- providers/saml: improve error handling for property mappings -- sources/ldap: improve error handling for property mappings -- web: fix icon flashing in header, fix notification header icon in dark mode -- web: separate websocket connection from messages -- web/admin: fix missing dark theme for notifications -- web/admin: fix negative count for policies when more cached than total policies -- web/admin: improve UI for notification toggle -- website/docs: clear up outpost uuids -- website/docs: remove duplicate proxy docs +- core: add email filter for user +- core: add group filter by member username and pk +- core: broaden error catching for propertymappings +- lib: fix outpost fake-ip not working, add tests +- outpost: fix 100% CPU Usage when not connected to websocket +- 
outposts: ensure outpost SAs always have permissions to fake IP +- outposts: fix git hash not being set in outposts +- outposts: save certificate fingerprint and check before re-fetching to cleanup logs +- outposts/ldap: add tracing for LDAP bind and search +- outposts/ldap: improve parsing of LDAP filters +- outposts/ldap: optimise backend Search API requests +- outposts/proxy: add X-Auth-Groups header to pass groups +- providers/oauth2: handler PropertyMapping exceptions and create event +- providers/saml: improve error handling for property mappings +- sources/ldap: improve error handling for property mappings +- web: fix icon flashing in header, fix notification header icon in dark mode +- web: separate websocket connection from messages +- web/admin: fix missing dark theme for notifications +- web/admin: fix negative count for policies when more cached than total policies +- web/admin: improve UI for notification toggle +- website/docs: clear up outpost uuids +- website/docs: remove duplicate proxy docs ## Fixed in 2021.7.1 -- core: add tests for flow_manager -- core: fix CheckApplication's for_user flag not being checked correctly -- core: fix pagination not working correctly with applications API -- providers/oauth2: fix blank redirect_uri not working with TokenView -- root: add code of conduct and PR template -- root: add contributing file -- tenants: make event retention configurable on tenant level -- tenants: set tenant uuid in sentry -- web/admin: add notice for event_retention -- web/admin: add status card for https and timedrift -- web/admin: default to authentication flow for LDAP provider -- web/admin: fix ApplicationView's CheckAccess not sending UserID correctly -- website/docs: add go requirement -- website/docs: update terminology for dark mode +- core: add tests for flow_manager +- core: fix CheckApplication's for_user flag not being checked correctly +- core: fix pagination not working correctly with applications API +- providers/oauth2: fix 
blank redirect_uri not working with TokenView +- root: add code of conduct and PR template +- root: add contributing file +- tenants: make event retention configurable on tenant level +- tenants: set tenant uuid in sentry +- web/admin: add notice for event_retention +- web/admin: add status card for https and timedrift +- web/admin: default to authentication flow for LDAP provider +- web/admin: fix ApplicationView's CheckAccess not sending UserID correctly +- website/docs: add go requirement +- website/docs: update terminology for dark mode ## Fixed in 2021.7.2 -- ci: fix sentry sourcemap path -- e2e: fix broken selenium by locking images -- events: ensure fallback result is set for on_failure -- events: remove default result for MonitoredTasks, only save when result was set -- flows: don't check redirect URL when set from flow plan (set from authentik or policy) -- flows: fix unhandled error in stage execution not being logged as SYSTEM_EXCEPTION event -- outpost: bump timer for periodic config reloads -- outposts: catch invalid ServiceConnection error in outpost controller -- providers/oauth2: fix error when requesting jwks keys with no rs256 aet -- providers/proxy: fix hosts for ingress not being compared correctly -- providers/saml: fix Error when getting metadata for invalid ID -- providers/saml: fix metadata being inaccessible without authentication -- sources/ldap: improve ms-ad password complexity checking -- sources/plex: add background task to monitor validity of plex token -- stages/email: fix error when re-requesting email after token has expired -- stages/invitation: delete invite only after full enrollment flow is completed -- web/admin: add re-authenticate button for plex -- web/admin: add UI to copy invitation link -- web/admin: fix empty column when no invitation expiry was set -- web/admin: fix LDAP Provider bind flow list being empty -- web/admin: fully remove response cloning due to errors +- ci: fix sentry sourcemap path +- e2e: fix broken 
selenium by locking images +- events: ensure fallback result is set for on_failure +- events: remove default result for MonitoredTasks, only save when result was set +- flows: don't check redirect URL when set from flow plan (set from authentik or policy) +- flows: fix unhandled error in stage execution not being logged as SYSTEM_EXCEPTION event +- outpost: bump timer for periodic config reloads +- outposts: catch invalid ServiceConnection error in outpost controller +- providers/oauth2: fix error when requesting jwks keys with no rs256 aet +- providers/proxy: fix hosts for ingress not being compared correctly +- providers/saml: fix Error when getting metadata for invalid ID +- providers/saml: fix metadata being inaccessible without authentication +- sources/ldap: improve ms-ad password complexity checking +- sources/plex: add background task to monitor validity of plex token +- stages/email: fix error when re-requesting email after token has expired +- stages/invitation: delete invite only after full enrollment flow is completed +- web/admin: add re-authenticate button for plex +- web/admin: add UI to copy invitation link +- web/admin: fix empty column when no invitation expiry was set +- web/admin: fix LDAP Provider bind flow list being empty +- web/admin: fully remove response cloning due to errors ## Fixed in 2021.7.3 -- core: fix users not being able to update their profile -- lifecycle: decrease default worker count on compose -- providers/saml: fix error when WantAssertionsSigned is missing -- providers/saml: fix error when PropertyMapping return value isn't string -- web/admin: fix user's email field being required -- web/admin: fix source form's userMatchingMode being swapped +- core: fix users not being able to update their profile +- lifecycle: decrease default worker count on compose +- providers/saml: fix error when WantAssertionsSigned is missing +- providers/saml: fix error when PropertyMapping return value isn't string +- web/admin: fix user's email 
field being required +- web/admin: fix source form's userMatchingMode being swapped ## Upgrading diff --git a/website/docs/releases/v2021.8.md b/website/docs/releases/v2021.8.md index 1d2edce42..63e01cc87 100644 --- a/website/docs/releases/v2021.8.md +++ b/website/docs/releases/v2021.8.md @@ -5,14 +5,14 @@ slug: "2021.8" ## Headline Changes -- Embedded Outpost +- Embedded Outpost To simplify the setup, an embedded outpost has been added. This outpost runs as part of the main authentik server, and requires no additional setup. You can simply assign providers to the embedded outpost, and either use the integrations to configure reverse proxies, or point your traffic to the main authentik server. Traffic is routed based on host-header, meaning every host that has been configured as a provider and is assigned to the embedded proxy will be sent to the outpost, and every sub-path under `/outpost.goauthentik.io` is sent to the outpost too. The rest is sent to authentik itself. -- App passwords +- App passwords You can now create Tokens with the intent `app_password`, and use them when authenticating with a flow. This requires the `User database + app passwords` backend in your password stage (this is done automatically on upgrade). 
@@ -20,122 +20,122 @@ slug: "2021.8" ## Minor changes - - admin: add API to show embedded outpost status, add notice when its not configured properly - - api: ensure all resources can be filtered - - api: make all PropertyMappings filterable by multiple managed attributes - - core: add API to directly send recovery link to user - - core: add UserSelfSerializer and separate method for users to update themselves with limited fields - - core: allow changing of groups a user is in from user api - - flows: fix unhandled error in stage execution not being logged as SYSTEM_EXCEPTION event - - lifecycle: decrease default worker count on compose - - outpost/ldap: Performance improvements, support for (member=) lookup - - providers/proxy: don't create ingress when no hosts are defined - - sources/plex: add API to get user connections - - web: add API Drawer - - web/admin: add UI to copy invitation link - - web/admin: allow modification of users groups from user view - - web/admin: re-name service connection to integration +- admin: add API to show embedded outpost status, add notice when its not configured properly +- api: ensure all resources can be filtered +- api: make all PropertyMappings filterable by multiple managed attributes +- core: add API to directly send recovery link to user +- core: add UserSelfSerializer and separate method for users to update themselves with limited fields +- core: allow changing of groups a user is in from user api +- flows: fix unhandled error in stage execution not being logged as SYSTEM_EXCEPTION event +- lifecycle: decrease default worker count on compose +- outpost/ldap: Performance improvements, support for (member=) lookup +- providers/proxy: don't create ingress when no hosts are defined +- sources/plex: add API to get user connections +- web: add API Drawer +- web/admin: add UI to copy invitation link +- web/admin: allow modification of users groups from user view +- web/admin: re-name service connection to integration ## Fixed in 
2021.8.1-rc2 -- ci: add pipeline to build and push js api package -- ci: upgrade web api client when schema changes -- core: add new token intent and auth backend (#1284) -- core: add token tests for invalid intent and token auth -- core: fix token intent not defaulting correctly -- core: handle error when ?for_user is not numberical -- lib: move id and key generators to lib (#1286) -- lifecycle: rename to ak -- outpost: handle non-existent permission -- outpost: add recursion limit for docker controller -- outpost: add repair_permissions command -- root: add alias for akflow files -- root: add ASGI Error handler -- root: add License to NPM package -- root: fix error_handler for websocket -- root: fix mis-matched postgres version for CI -- root: remove remainders from gen -- root: remove usage of make-gen -- root: test schema auto-update -- root: update schema -- stages/password: auto-enable app password backend -- stages/user_write: fix wrong fallback authentication backend -- web: add custom readme to api client -- web: add ESM to generated Client -- web: build. 
api in different folder -- web: improve api client versioning -- web: Merge pull request #1258 from goauthentik/publish-api-to-npm -- web: migrate to @goauthentik/api -- web: Update Web API Client version (#1283) -- web/admin: allow users to create app password tokens -- web/admin: display token's intents -- web/admin: fix missing app passwords backend -- web/admin: improve delete modal for stage bindings and policy bindings -- web/admin: select all password stage backends by default -- website: add docs for making schema changes -- website: make default login-2fa flow ignore 2fa with app passwords -- website/docs: add docs for `auth_method` and `auth_method_args` fields +- ci: add pipeline to build and push js api package +- ci: upgrade web api client when schema changes +- core: add new token intent and auth backend (#1284) +- core: add token tests for invalid intent and token auth +- core: fix token intent not defaulting correctly +- core: handle error when ?for_user is not numberical +- lib: move id and key generators to lib (#1286) +- lifecycle: rename to ak +- outpost: handle non-existent permission +- outpost: add recursion limit for docker controller +- outpost: add repair_permissions command +- root: add alias for akflow files +- root: add ASGI Error handler +- root: add License to NPM package +- root: fix error_handler for websocket +- root: fix mis-matched postgres version for CI +- root: remove remainders from gen +- root: remove usage of make-gen +- root: test schema auto-update +- root: update schema +- stages/password: auto-enable app password backend +- stages/user_write: fix wrong fallback authentication backend +- web: add custom readme to api client +- web: add ESM to generated Client +- web: build. 
api in different folder +- web: improve api client versioning +- web: Merge pull request #1258 from goauthentik/publish-api-to-npm +- web: migrate to @goauthentik/api +- web: Update Web API Client version (#1283) +- web/admin: allow users to create app password tokens +- web/admin: display token's intents +- web/admin: fix missing app passwords backend +- web/admin: improve delete modal for stage bindings and policy bindings +- web/admin: select all password stage backends by default +- website: add docs for making schema changes +- website: make default login-2fa flow ignore 2fa with app passwords +- website/docs: add docs for `auth_method` and `auth_method_args` fields ## Fixed in 2021.8.1 -- *: cleanup api schema warnings -- core: fix error for asgi error handler with websockets -- core: fix error when user updates themselves -- core: fix user object for token not be set-able -- root: Fix table of contents for CONTRIBUTING.md (#1302) -- root: Require PG_PASS to be set (#1303) -- web/admin: allow admins to create tokens +- \*: cleanup api schema warnings +- core: fix error for asgi error handler with websockets +- core: fix error when user updates themselves +- core: fix user object for token not be set-able +- root: Fix table of contents for CONTRIBUTING.md (#1302) +- root: Require PG_PASS to be set (#1303) +- web/admin: allow admins to create tokens ## Fixed in 2021.8.2 -- root: fix login loop created by old settings stored in cache +- root: fix login loop created by old settings stored in cache ## Fixed in 2021.8.3 -- outpost: fix FlowExecutor not sending password for identification stage -- outpost: fix generated traefik labels containing invalid hosts -- outpost: make docker network configurable when using docker integration -- web/flow: fix redirects to application being sent multiple times, causing issues with OAuth providers -- web/flow: fix rendering of checkboxes in prompt stages +- outpost: fix FlowExecutor not sending password for identification stage 
+- outpost: fix generated traefik labels containing invalid hosts +- outpost: make docker network configurable when using docker integration +- web/flow: fix redirects to application being sent multiple times, causing issues with OAuth providers +- web/flow: fix rendering of checkboxes in prompt stages ## Fixed in 2021.8.4 -- api: add /api/v3 path -- api: add basic rate limiting for sentry proxy endpoint -- core: fix user_obj being empty on token API -- events: improve logging for task exceptions -- outpost/embedded: only send requests for non-akprox paths when we're doing proxy mode -- outpost/ldap: delay user information removal upon closing of connection -- policies/password: fix PasswordStage not being usable with prompt stages -- providers/proxy: fix traefik middleware being generated with wrong ports for embedded outposts -- providers/proxy: improve error handling for non-tls ingresses -- stages/authenticator_validate: show single button for multiple webauthn authenticators -- stages/invitation: fix invitation not inheriting ExpiringModel -- web/admin: fallback for invitation list on first load -- web/admin: fix flow executor not opening in new tab -- web/admin: fix list of webauthn devices not updating after rename -- web/flows: fix FlowExecutor not updating when challenge changes from outside +- api: add /api/v3 path +- api: add basic rate limiting for sentry proxy endpoint +- core: fix user_obj being empty on token API +- events: improve logging for task exceptions +- outpost/embedded: only send requests for non-akprox paths when we're doing proxy mode +- outpost/ldap: delay user information removal upon closing of connection +- policies/password: fix PasswordStage not being usable with prompt stages +- providers/proxy: fix traefik middleware being generated with wrong ports for embedded outposts +- providers/proxy: improve error handling for non-tls ingresses +- stages/authenticator_validate: show single button for multiple webauthn authenticators +- 
stages/invitation: fix invitation not inheriting ExpiringModel +- web/admin: fallback for invitation list on first load +- web/admin: fix flow executor not opening in new tab +- web/admin: fix list of webauthn devices not updating after rename +- web/flows: fix FlowExecutor not updating when challenge changes from outside ## Fixed in 2021.8.5 -- api: add additional filters for ldap and proxy providers -- api: cache schema, fix server urls -- core: minor query optimization -- events: add mark_all_seen -- events: remove authentik_events gauge -- internal: disable directory listing on static files -- internal: fix font loading errors on safari -- internal: fix web requests not having a logger set -- outpost: fix spans being sent without parent context -- outposts: add expected outpost replica count to metrics -- outposts/ldap: improve logging of client IPs -- policies/password: fix symbols not being checked correctly -- root: fix is_secure with safari on debug environments -- root: include authentik version in backup naming -- stages/identification: fix empty user_fields query returning first user -- web/admin: fix user selection in token form -- web/admin: show applications instead of providers in outpost form -- web/flows: fix display error when using IdentificationStage without input fields +- api: add additional filters for ldap and proxy providers +- api: cache schema, fix server urls +- core: minor query optimization +- events: add mark_all_seen +- events: remove authentik_events gauge +- internal: disable directory listing on static files +- internal: fix font loading errors on safari +- internal: fix web requests not having a logger set +- outpost: fix spans being sent without parent context +- outposts: add expected outpost replica count to metrics +- outposts/ldap: improve logging of client IPs +- policies/password: fix symbols not being checked correctly +- root: fix is_secure with safari on debug environments +- root: include authentik version in backup 
naming +- stages/identification: fix empty user_fields query returning first user +- web/admin: fix user selection in token form +- web/admin: show applications instead of providers in outpost form +- web/flows: fix display error when using IdentificationStage without input fields ## Upgrading @@ -151,6 +151,6 @@ Update your values to use the new images: ```yaml image: - repository: ghcr.io/goauthentik/server - tag: 2021.8.5 + repository: ghcr.io/goauthentik/server + tag: 2021.8.5 ``` diff --git a/website/docs/releases/v2021.9.md b/website/docs/releases/v2021.9.md index 774aa4ab9..bee7aa726 100644 --- a/website/docs/releases/v2021.9.md +++ b/website/docs/releases/v2021.9.md @@ -5,7 +5,7 @@ slug: "2021.9" ## Headline Changes -- Split user interface +- Split user interface This release splits the administration interface from the end-user interface. This makes things clearer for end-users, as all their options are laid out more clearly. @@ -13,7 +13,7 @@ slug: "2021.9" The admin interface remains the same, and familiar buttons will redirect you between interfaces. -- New proxy +- New proxy The proxy outpost has been rewritten from scratch. This replaces the old proxy, which was based on oauth2_proxy. The new proxy allows us a much greater degree of flexibility, is much lighter and reports errors better. @@ -23,7 +23,7 @@ slug: "2021.9" If you're using a manually deployed outpost, keep in mind that the ports change to 9000 and 9443 instead of 4180 and 4443 -- New metrics +- New metrics This version introduces new and simplified Prometheus metrics. There is a new common monitoring port across the server and all outposts, 9300. This port requires no authentication, making it easier to configure. 
@@ -31,166 +31,166 @@ slug: "2021.9"
 ## Minor changes
-- *: use common user agent for all outgoing requests
-- admin: migrate to new update check, add option to disable update check
-- api: add additional filters for ldap and proxy providers
-- core: optimise groups api by removing member superuser status
-- core: remove ?v from static files
-- events: add mark_all_seen
-- events: allow setting a mapping for webhook transport to customise request payloads
-- internal: fix font loading errors on safari
-- lifecycle: fix worker startup error when docker socket's group is not called docker
-- outpost: fix spans being sent without parent context
-- outpost: update global outpost config on refresh
-- outposts: add expected outpost replica count to metrics
-- outposts/controllers: re-create service when mismatched ports to prevent errors
-- outposts/controllers/kubernetes: don't create service monitor for embedded outpost
-- outposts/ldap: improve logging of client IPs
-- policies/password: fix symbols not being checked correctly
-- root: include authentik version in backup naming
-- root: show location header in logs when redirecting
-- sources/oauth: prevent potentially confidential data from being logged
-- stages/authenticator_duo: add API to "import" devices from duo
-- stages/identification: fix empty user_fields query returning first user
-- tenants: optimise db queries in middleware
-- web: allow duplicate messages
-- web: ignore network error
-- web/admin: fix notification clear all not triggering render
-- web/admin: fix user selection in token form
-- web/admin: increase default expiry for refresh tokens
-- web/admin: show applications instead of providers in outpost form
-- web/flows: fix display error when using IdentificationStage without input fields
+- \*: use common user agent for all outgoing requests
+- admin: migrate to new update check, add option to disable update check
+- api: add additional filters for ldap and proxy providers
+- core: optimise groups api by removing member superuser status
+- core: remove ?v from static files
+- events: add mark_all_seen
+- events: allow setting a mapping for webhook transport to customise request payloads
+- internal: fix font loading errors on safari
+- lifecycle: fix worker startup error when docker socket's group is not called docker
+- outpost: fix spans being sent without parent context
+- outpost: update global outpost config on refresh
+- outposts: add expected outpost replica count to metrics
+- outposts/controllers: re-create service when mismatched ports to prevent errors
+- outposts/controllers/kubernetes: don't create service monitor for embedded outpost
+- outposts/ldap: improve logging of client IPs
+- policies/password: fix symbols not being checked correctly
+- root: include authentik version in backup naming
+- root: show location header in logs when redirecting
+- sources/oauth: prevent potentially confidential data from being logged
+- stages/authenticator_duo: add API to "import" devices from duo
+- stages/identification: fix empty user_fields query returning first user
+- tenants: optimise db queries in middleware
+- web: allow duplicate messages
+- web: ignore network error
+- web/admin: fix notification clear all not triggering render
+- web/admin: fix user selection in token form
+- web/admin: increase default expiry for refresh tokens
+- web/admin: show applications instead of providers in outpost form
+- web/flows: fix display error when using IdentificationStage without input fields
 ## Fixed in 2021.9.1-rc2
-- core: fix token expiry for service accounts being only 30 minutes
-- outposts: add consistent name and type to metrics
-- outposts/proxy: remove deprecated rs256
-- policies: improve error handling when using bindings without policy
-- providers/saml: improved error handling
-- stages/email: don't crash when testing stage does not exist
-- web: update background image
+- core: fix token expiry for service accounts being only 30 minutes
+- outposts: add consistent name and type to metrics
+- outposts/proxy: remove deprecated rs256
+- policies: improve error handling when using bindings without policy
+- providers/saml: improved error handling
+- stages/email: don't crash when testing stage does not exist
+- web: update background image
 ## Fixed in 2021.9.1-rc3
-- core: allow admins to create tokens with all parameters, re-add user to token form
-- core: fix tokens not being viewable but superusers
-- root: log failed celery tasks to event log
-- sources/ldap: bump timeout, run each sync component in its own task
-- sources/ldap: improve messages of sync tasks in UI
-- sources/ldap: prevent error when retrying old system task with no arguments
-- web: fix datetime-local fields throwing errors on firefox
-- web: fix text colour in delete form in dark mode
-- web: improve display of action buttons with non-primary classes
-- web/admin: fix error in firefox when creating token
-- web/admin: fix ldap sync status for new API
-- web/admin: fix settings link on user avatar
-- web/admin: trigger refresh after syncing ldap
-- web/user: add auto-focus search for applications
-- web/user: add missing stop impersonation button
-- web/user: fix edit button for applications
-- web/user: fix final redirect after stage setup
-- web/user: optimise load, fix unread status for notifications
+- core: allow admins to create tokens with all parameters, re-add user to token form
+- core: fix tokens not being viewable but superusers
+- root: log failed celery tasks to event log
+- sources/ldap: bump timeout, run each sync component in its own task
+- sources/ldap: improve messages of sync tasks in UI
+- sources/ldap: prevent error when retrying old system task with no arguments
+- web: fix datetime-local fields throwing errors on firefox
+- web: fix text colour in delete form in dark mode
+- web: improve display of action buttons with non-primary classes
+- web/admin: fix error in firefox when creating token
+- web/admin: fix ldap sync status for new API
+- web/admin: fix settings link on user avatar
+- web/admin: trigger refresh after syncing ldap
+- web/user: add auto-focus search for applications
+- web/user: add missing stop impersonation button
+- web/user: fix edit button for applications
+- web/user: fix final redirect after stage setup
+- web/user: optimise load, fix unread status for notifications
 ## Fixed in 2021.9.1
-- api: disable include_format_suffixes
-- core: fix token identifier not being slugified when created with user-controller input
-- outposts: don't map port 9300 on docker, only expose port
-- outposts: don't restart container when health checks are starting
-- outposts/ldap: allow custom attributes to shadow built-in attributes
-- policies/expression: add ak_user_has_authenticator
-- root: use tagged go client version
-- stages/email: don't throw 404 when token can't be found
-- stages/email: slugify token identifier
-- stages/email: use different query arguments for email and invitation tokens
-- web: fix notification badge not refreshing after clearing notifications
+- api: disable include_format_suffixes
+- core: fix token identifier not being slugified when created with user-controller input
+- outposts: don't map port 9300 on docker, only expose port
+- outposts: don't restart container when health checks are starting
+- outposts/ldap: allow custom attributes to shadow built-in attributes
+- policies/expression: add ak_user_has_authenticator
+- root: use tagged go client version
+- stages/email: don't throw 404 when token can't be found
+- stages/email: slugify token identifier
+- stages/email: use different query arguments for email and invitation tokens
+- web: fix notification badge not refreshing after clearing notifications
 ## Fixed in 2021.9.2
-- api: add logging to sentry proxy
-- internal: add asset paths for user interface
-- web: fix import order of polyfills causing shadydom to not work on firefox and safari
-- web/user: enable sentry
+- api: add logging to sentry proxy
+- internal: add asset paths for user interface
+- web: fix import order of polyfills causing shadydom to not work on firefox and safari
+- web/user: enable sentry
 ## Fixed in 2021.9.3
-- core: fix api return code for user self-update
-- events: add additional validation for event transport
-- outposts: ensure service is always re-created with mismatching ports
-- outposts: fix outposts not correctly updating central state
-- outposts: make AUTHENTIK_HOST_BROWSER configurable from central config
-- outposts/proxy: ensure cookies only last as long as tokens
-- outposts/proxy: Fix failing traefik healthcheck (#1470)
-- outposts/proxyv2: fix routing not working correctly for domain auth
-- providers/proxy: add token_validity field for outpost configuration
-- web/admin: add notice for recovery
-- web/admin: fix NotificationWebhookMapping not loading correctly
-- web/admin: fix Transport Form not loading mode correctly on edit
-- web/admin: handle error correctly when creating user recovery link
-- web/elements: fix token copy error in safari
-- web/elements: improve error handling on forms
-- web/user: fix brand not being shown in safari
-- web/user: search apps when user typed before apps have loaded
-- website/docs: fix typos and grammar (#1459)
+- core: fix api return code for user self-update
+- events: add additional validation for event transport
+- outposts: ensure service is always re-created with mismatching ports
+- outposts: fix outposts not correctly updating central state
+- outposts: make AUTHENTIK_HOST_BROWSER configurable from central config
+- outposts/proxy: ensure cookies only last as long as tokens
+- outposts/proxy: Fix failing traefik healthcheck (#1470)
+- outposts/proxyv2: fix routing not working correctly for domain auth
+- providers/proxy: add token_validity field for outpost configuration
+- web/admin: add notice for recovery
+- web/admin: fix NotificationWebhookMapping not loading correctly
+- web/admin: fix Transport Form not loading mode correctly on edit
+- web/admin: handle error correctly when creating user recovery link
+- web/elements: fix token copy error in safari
+- web/elements: improve error handling on forms
+- web/user: fix brand not being shown in safari
+- web/user: search apps when user typed before apps have loaded
+- website/docs: fix typos and grammar (#1459)
 ## Fixed in 2021.9.4
-- outposts: allow disabling of docker controller port mapping
-- outposts/proxy: fix duplicate protocol in domain auth mode
-- root: Use fully qualified names for docker bases base images. (#1490)
-- sources/ldap: add support for Active Directory `userAccountControl` attribute
-- sources/ldap: don't sync ldap source when no property mappings are set
-- web/admin: don't require username nor name for activate/deactivate toggles
-- web/admin: fix LDAP Source form not exposing syncParentGroup
-- web/elements: fix initialLoad not being done when viewportCheck was disabled
-- web/elements: use dedicated button for search clear instead of webkit exclusive one
+- outposts: allow disabling of docker controller port mapping
+- outposts/proxy: fix duplicate protocol in domain auth mode
+- root: Use fully qualified names for docker bases base images. (#1490)
+- sources/ldap: add support for Active Directory `userAccountControl` attribute
+- sources/ldap: don't sync ldap source when no property mappings are set
+- web/admin: don't require username nor name for activate/deactivate toggles
+- web/admin: fix LDAP Source form not exposing syncParentGroup
+- web/elements: fix initialLoad not being done when viewportCheck was disabled
+- web/elements: use dedicated button for search clear instead of webkit exclusive one
 ## Fixed in 2021.9.5
-- events: add missing migration
-- lifecycle: switch to h11 uvicorn worker for now
-- outpost/proxy: fix missing negation for internal host ssl verification
-- outposts: check ports of deployment in kubernetes outpost controller
-- outposts: don't always build permissions on outpost.user access, only in signals and tasks
-- outposts: fix circular import in kubernetes controller
-- outposts/proxy: add new headers with unified naming
-- outposts/proxy: show full error message when user is authenticated
-- providers/ldap: use RDN when using posixGroup's memberUid attribute (#1514)
-- providers/proxy: always check ingress secret in kubernetes controller
-- sources/ldap: fix logic error in Active Directory account disabled status
-- stages/email: add activate_user_on_success flag, add for all example flows
-- stages/user_login: add check for user.is_active and tests
-- tests/integration: fix tests failing due to incorrect comparison
-- web/admin: fix search group label
+- events: add missing migration
+- lifecycle: switch to h11 uvicorn worker for now
+- outpost/proxy: fix missing negation for internal host ssl verification
+- outposts: check ports of deployment in kubernetes outpost controller
+- outposts: don't always build permissions on outpost.user access, only in signals and tasks
+- outposts: fix circular import in kubernetes controller
+- outposts/proxy: add new headers with unified naming
+- outposts/proxy: show full error message when user is authenticated
+- providers/ldap: use RDN when using posixGroup's memberUid attribute (#1514)
+- providers/proxy: always check ingress secret in kubernetes controller
+- sources/ldap: fix logic error in Active Directory account disabled status
+- stages/email: add activate_user_on_success flag, add for all example flows
+- stages/user_login: add check for user.is_active and tests
+- tests/integration: fix tests failing due to incorrect comparison
+- web/admin: fix search group label
 ## Fixed in 2021.9.6
-- admin: clear update notification when notification's version matches current version
-- api: ensure viewsets have default ordering
-- core: include group uuids in self serializer
-- core: make user's name field fully options
-- core: only return group names for user_self
-- internal: add internal healthchecking to prevent websocket errors
-- outposts: fix error when comparing ports in docker controller when port mapping is disabled
-- root: add docker-native healthcheck for web and celery
-- root: remove redundant internal network from compose
-- web: add locale detection
-- web: fix rendering of token copy button in dark mode
-- web: fix strings not being translated at all when matching browser locale not found
-- web/admin: only show outpost deployment info when not embedded
-- web/elements: fix model form always loading when viewport check is disabled
-- web/flows: adjust message for email stage
-- web/user: don't show managed tokens in user interface
+- admin: clear update notification when notification's version matches current version
+- api: ensure viewsets have default ordering
+- core: include group uuids in self serializer
+- core: make user's name field fully options
+- core: only return group names for user_self
+- internal: add internal healthchecking to prevent websocket errors
+- outposts: fix error when comparing ports in docker controller when port mapping is disabled
+- root: add docker-native healthcheck for web and celery
+- root: remove redundant internal network from compose
+- web: add locale detection
+- web: fix rendering of token copy button in dark mode
+- web: fix strings not being translated at all when matching browser locale not found
+- web/admin: only show outpost deployment info when not embedded
+- web/elements: fix model form always loading when viewport check is disabled
+- web/flows: adjust message for email stage
+- web/user: don't show managed tokens in user interface
 ## Fixed in 2021.9.7
-- root: fix syntax error in dockerfile healthcheck
-- web/admin: fix description for flow import
+- root: fix syntax error in dockerfile healthcheck
+- web/admin: fix description for flow import
 ## Fixed in 2021.9.8
-- web: fix interface crashing in non-blink browsers
+- web: fix interface crashing in non-blink browsers
 ## Upgrading
@@ -206,6 +206,6 @@ Update your values to use the new images:
 ```yaml
 image:
- repository: ghcr.io/goauthentik/server
- tag: 2021.9.1
+ repository: ghcr.io/goauthentik/server
+ tag: 2021.9.1
 ```
diff --git a/website/docs/releases/v2022.1.md b/website/docs/releases/v2022.1.md
index ce313f347..b90f7fcbf 100644
--- a/website/docs/releases/v2022.1.md
+++ b/website/docs/releases/v2022.1.md
@@ -7,126 +7,126 @@ slug: "2022.1"
 This release mostly removes legacy fields and features that have been deprecated for several releases.
-- LDAP Outposts:
+- LDAP Outposts:
- This release removes the `accountStatus` and `superuser` fields. Use the direct replacements `goauthentik.io/ldap/active` and `goauthentik.io/ldap/superuser`.
+ This release removes the `accountStatus` and `superuser` fields. Use the direct replacements `goauthentik.io/ldap/active` and `goauthentik.io/ldap/superuser`.
-- Proxy Outposts:
+- Proxy Outposts:
- This release consolidates headers sent by authentik to have a common prefix.
+ This release consolidates headers sent by authentik to have a common prefix.
- The following headers have been removed:
+ The following headers have been removed:
- - X-Auth-Username, use `X-authentik-username`
- - X-Auth-Groups, use `X-authentik-groups`
- - X-Forwarded-Email, use `X-authentik-email`
- - X-Forwarded-Preferred-Username, use `X-authentik-username`
- - X-Forwarded-User, use `X-authentik-uid`
+ - X-Auth-Username, use `X-authentik-username`
+ - X-Auth-Groups, use `X-authentik-groups`
+ - X-Forwarded-Email, use `X-authentik-email`
+ - X-Forwarded-Preferred-Username, use `X-authentik-username`
+ - X-Forwarded-User, use `X-authentik-uid`
- The proxy now also sets the host header based on what is configured as upstream in the proxy provider. The original Host is forwarded as `X-Forwarded-Host`.
+ The proxy now also sets the host header based on what is configured as upstream in the proxy provider. The original Host is forwarded as `X-Forwarded-Host`.
- Additionally, the header requirements for nginx have changed. Either a `X-Original-URL` or `X-Original-URI` header are now required. See the [*Proxy provider*](../providers/proxy/forward_auth) documentation for updated snippets.
+ Additionally, the header requirements for nginx have changed. Either a `X-Original-URL` or `X-Original-URI` header are now required. See the [_Proxy provider_](../providers/proxy/forward_auth) documentation for updated snippets.
-- API:
+- API:
- The deprecated /api/v2beta/ Endpoint is removed. Use `/api/v3/`.
+ The deprecated /api/v2beta/ Endpoint is removed. Use `/api/v3/`.
-- Backup:
+- Backup:
- The integrated backup has been deprecated for the following reasons:
+ The integrated backup has been deprecated for the following reasons:
- - Difficulty with restores not working properly
- - Inflexible configuration (fixed retention, limited to once a day, only S3 supported)
- - Most users will already have an existing backup infrastructure
+ - Difficulty with restores not working properly
+ - Inflexible configuration (fixed retention, limited to once a day, only S3 supported)
+ - Most users will already have an existing backup infrastructure
 ## Minor changes/fixes
-- core: dont return 404 when trying to view key of expired token
-- crypto: fully parse certificate on validation in serializer to prevent invalid certificates from being saved
-- flows: handle error if flow title contains invalid format string
-- internal: route traffic to proxy providers based on cookie domain when multiple domain-level providers exist
-- internal: use math.MaxInt for compatibility
-- lifecycle: add early check for missing/invalid secret key
-- outposts/proxyv2: allow access to /outpost.goauthentik.io urls in forward auth mode to make routing in nginx/traefik easier
-- outposts/proxyv2: fix before-redirect url not being saved in proxy mode
-- outposts/proxyv2: fix JWKS url pointing to localhost on embedded outpost
-- providers/oauth2: change default redirect uri behaviour; set first used url when blank and use star for wildcard
-- root: allow customisation of ports in compose without override
-- root: decrease to 10 backup history
-- root: fix backups running every minute instead of once
-- stages/authenticator_webauthn: make more WebAuthn options configurable
-- web: add polyfill for Intl.ListFormat
-- web: directly read csrf token before injecting into request
-- web: fix double plural in label
-- web/admin: also set embedded outpost host when it doesn't include scheme
-- web/admin: fix missing configure flow setting on webuahtn setup stage form
-- web/flows: remove node directly instead of using removeChild()
+- core: dont return 404 when trying to view key of expired token
+- crypto: fully parse certificate on validation in serializer to prevent invalid certificates from being saved
+- flows: handle error if flow title contains invalid format string
+- internal: route traffic to proxy providers based on cookie domain when multiple domain-level providers exist
+- internal: use math.MaxInt for compatibility
+- lifecycle: add early check for missing/invalid secret key
+- outposts/proxyv2: allow access to /outpost.goauthentik.io urls in forward auth mode to make routing in nginx/traefik easier
+- outposts/proxyv2: fix before-redirect url not being saved in proxy mode
+- outposts/proxyv2: fix JWKS url pointing to localhost on embedded outpost
+- providers/oauth2: change default redirect uri behaviour; set first used url when blank and use star for wildcard
+- root: allow customisation of ports in compose without override
+- root: decrease to 10 backup history
+- root: fix backups running every minute instead of once
+- stages/authenticator_webauthn: make more WebAuthn options configurable
+- web: add polyfill for Intl.ListFormat
+- web: directly read csrf token before injecting into request
+- web: fix double plural in label
+- web/admin: also set embedded outpost host when it doesn't include scheme
+- web/admin: fix missing configure flow setting on webuahtn setup stage form
+- web/flows: remove node directly instead of using removeChild()
 ## Fixed in 2022.1.2
-- internal/proxyv2: only allow access to /outpost.goauthentik.io in nginx mode when forward url could be extracted
-- lib: disable backup by default, add note to configuration
-- lifecycle: replace lowercase, deprecated prometheus_multiproc_dir
-- outposts: allow custom label for docker containers
-- policies/hibp: ensure password is encodable
-- providers/proxy: add PathPrefix to auto-traefik labels
-- root: upgrade python dependencies
+- internal/proxyv2: only allow access to /outpost.goauthentik.io in nginx mode when forward url could be extracted
+- lib: disable backup by default, add note to configuration
+- lifecycle: replace lowercase, deprecated prometheus_multiproc_dir
+- outposts: allow custom label for docker containers
+- policies/hibp: ensure password is encodable
+- providers/proxy: add PathPrefix to auto-traefik labels
+- root: upgrade python dependencies
 ## Fixed in 2022.1.3
-- internal: add support for X-Original-URL
-- internal: add optional debug server listening on 9900
-- internal: don't override server header
-- internal: start adding tests to outpost
-- lifecycle: make secret_key warning more prominent
-- lifecycle: wait for db in worker
-- outposts/ldap: Fix more case sensitivity issues. (#2144)
-- outposts/proxy: add more test cases for domain-level auth
-- outposts/proxy: fix potential empty redirect, add tests
-- outposts/proxy: trace full headers to debug
-- providers/proxy: fix traefik label
-- root: add max-requests for gunicorn and max tasks for celery
-- root: fix redis passwords not being encoded correctly
-- web/admin: fix links which look like labels
-- web/admin: fix SMS Stage form not working
+- internal: add support for X-Original-URL
+- internal: add optional debug server listening on 9900
+- internal: don't override server header
+- internal: start adding tests to outpost
+- lifecycle: make secret_key warning more prominent
+- lifecycle: wait for db in worker
+- outposts/ldap: Fix more case sensitivity issues. (#2144)
+- outposts/proxy: add more test cases for domain-level auth
+- outposts/proxy: fix potential empty redirect, add tests
+- outposts/proxy: trace full headers to debug
+- providers/proxy: fix traefik label
+- root: add max-requests for gunicorn and max tasks for celery
+- root: fix redis passwords not being encoded correctly
+- web/admin: fix links which look like labels
+- web/admin: fix SMS Stage form not working
 ## Fixed in 2022.1.4
-- core: fix view_token permission not being assigned on token creation for non-admin user
-- lifecycle: remove gunicorn reload option
-- lifecycle: send analytics in gunicorn config to decrease outgoing requests when workers get restarted
-- providers/proxy: add support for X-Original-URI in nginx, better handle missing headers and report errors to authentik
-- providers/proxy: don't include hostname and scheme in redirect when we only got a path and not a full URL
-- providers/proxy: fix routing for external_host when using forward_auth_domain
-- providers/proxy: set traefik labels using object_naming_template instead of UUID
-- sources/ldap: add list_flatten function to property mappings, enable on managed LDAP mappings
-- web: add es locale
-- web: add pl locale
-- web/admin: only check first half of locale when detecting
-- web/flows: fix width on flow container
-- web/user: include locale code in locale selection
+- core: fix view_token permission not being assigned on token creation for non-admin user
+- lifecycle: remove gunicorn reload option
+- lifecycle: send analytics in gunicorn config to decrease outgoing requests when workers get restarted
+- providers/proxy: add support for X-Original-URI in nginx, better handle missing headers and report errors to authentik
+- providers/proxy: don't include hostname and scheme in redirect when we only got a path and not a full URL
+- providers/proxy: fix routing for external_host when using forward_auth_domain
+- providers/proxy: set traefik labels using object_naming_template instead of UUID
+- sources/ldap: add list_flatten function to property mappings, enable on managed LDAP mappings
+- web: add es locale
+- web: add pl locale
+- web/admin: only check first half of locale when detecting
+- web/flows: fix width on flow container
+- web/user: include locale code in locale selection
 ## Fixed in 2022.1.5
-- build(deps): bump uvicorn from 0.17.1 to 0.17.3 (#2229)
-- core: allow formatting strings to be used for applications' launch URLs
-- internal: don't attempt to lookup SNI Certificate if no SNI is sent
-- internal: fix CSRF error caused by Host header
-- internal: improve error handling for internal reverse proxy
-- internal: remove uvicorn server header
-- internal: trace headers and url for backend requests
-- outposts: fix channel not always having a logger attribute
-- outposts: fix compare_ports to support both service and container ports
-- outposts: fix service reconciler re-creating services
-- outposts: remove node_port on V1ServicePort checks to prevent service creation loops
-- providers/proxy: fix Host/:Authority not being modified
-- providers/proxy: fix nil error in claims
-- providers/proxy: improve error handling for invalid backend_override
-- sources/ldap: log entire exception
-- sources/saml: fix incorrect ProtocolBinding being sent
-- sources/saml: fix server error
-- stages/authenticator_validate: handle non-existent device_challenges
-- web/admin: fix mismatched icons in overview and lists
+- build(deps): bump uvicorn from 0.17.1 to 0.17.3 (#2229)
+- core: allow formatting strings to be used for applications' launch URLs
+- internal: don't attempt to lookup SNI Certificate if no SNI is sent
+- internal: fix CSRF error caused by Host header
+- internal: improve error handling for internal reverse proxy
+- internal: remove uvicorn server header
+- internal: trace headers and url for backend requests
+- outposts: fix channel not always having a logger attribute
+- outposts: fix compare_ports to support both service and container ports
+- outposts: fix service reconciler re-creating services
+- outposts: remove node_port on V1ServicePort checks to prevent service creation loops
+- providers/proxy: fix Host/:Authority not being modified
+- providers/proxy: fix nil error in claims
+- providers/proxy: improve error handling for invalid backend_override
+- sources/ldap: log entire exception
+- sources/saml: fix incorrect ProtocolBinding being sent
+- sources/saml: fix server error
+- stages/authenticator_validate: handle non-existent device_challenges
+- web/admin: fix mismatched icons in overview and lists
 ## Upgrading
@@ -142,6 +142,6 @@ Update your values to use the new images:
 ```yaml
 image:
- repository: ghcr.io/goauthentik/server
- tag: 2022.1.1
+ repository: ghcr.io/goauthentik/server
+ tag: 2022.1.1
 ```
diff --git a/website/docs/releases/v2022.2.md b/website/docs/releases/v2022.2.md
index d17c83e42..5d44185be 100644
--- a/website/docs/releases/v2022.2.md
+++ b/website/docs/releases/v2022.2.md
@@ -9,14 +9,14 @@ slug: "2022.2"
 The integrated backup functionality has been removed due to the following reasons:
-- It caused a lot of issues during restore, with things breaking and difficult to restore backups
-- Limited compatibility (only supported local and S3 backups)
-- Most environments already have a solution for backups, so we feel that investing more time into making this feature better should be spent on more important things.
+- It caused a lot of issues during restore, with things breaking and difficult to restore backups
+- Limited compatibility (only supported local and S3 backups)
+- Most environments already have a solution for backups, so we feel that investing more time into making this feature better should be spent on more important things.
 If you don't already have a standard backup solution for other applications, you can consider these replacements:
-- https://github.com/kartoza/docker-pg-backup for docker-compose and
-- https://devtron.ai/blog/creating-a-kubernetes-cron-job-to-backup-postgres-db/ or https://cwienczek.com/2020/06/simple-backup-of-postgres-database-in-kubernetes/ for Kubernetes
+- https://github.com/kartoza/docker-pg-backup for docker-compose and
+- https://devtron.ai/blog/creating-a-kubernetes-cron-job-to-backup-postgres-db/ or https://cwienczek.com/2020/06/simple-backup-of-postgres-database-in-kubernetes/ for Kubernetes
 ### Changed URLs for forward auth
@@ -30,38 +30,38 @@ In an authenticator validation stage you can now configure multiple configuratio
 ## Minor changes/fixes
-- *: add placeholder custom.css to easily allow user customisation
-- *: rename akprox to outpost.goauthentik.io (#2266)
-- internal: don't attempt to lookup SNI Certificate if no SNI is sent
-- internal: improve error handling for internal reverse proxy
-- internal: increase logging for no hostname found
-- internal: remove uvicorn server header
-- outposts: ensure keypair is set for SSH connections
-- outposts: fix channel not always having a logger attribute
-- outposts: fix compare_ports to support both service and container ports
-- outposts: fix service reconciler re-creating services
-- outposts: make local discovery configurable
-- outposts: remove node_port on V1ServicePort checks to prevent service creation loops
-- outposts/proxy: correctly check host in forward domain redirect
-- outposts/proxy: correctly handle ?rd= param
-- providers/oauth2: add support for explicit response_mode
-- providers/oauth2: fix redirect_uri being lowercased on successful validation
-- providers/proxy: enable TLS in ingress via traefik annotation
-- providers/proxy: improve error handling for invalid backend_override
-- providers/proxy: remove leading slash to allow subdirectories in proxy
-- sources/ldap: log entire exception
-- sources/ldap: use merger that only appends unique items to list
-- sources/saml: fix incorrect ProtocolBinding being sent
-- stages/authenticator_validate: add ability to select multiple configuration stages which the user can choose
-- stages/authenticator_validate: fix handling when single configuration stage is selected
-- stages/authenticator_validate: handle non-existent device_challenges
-- Translate /web/src/locales/en.po in de (#2291)
-- Translate /web/src/locales/en.po in pl (#2274)
-- Translate /web/src/locales/en.po in zh_TW (#2263)
-- Translate /web/src/locales/en.po in zh-Hans (#2262)
-- Translate /web/src/locales/en.po in zh-Hant (#2261)
-- web/admin: fix invalid URLs in example proxy config
-- web/admin: fix mismatched icons in overview and lists
+- \*: add placeholder custom.css to easily allow user customisation
+- \*: rename akprox to outpost.goauthentik.io (#2266)
+- internal: don't attempt to lookup SNI Certificate if no SNI is sent
+- internal: improve error handling for internal reverse proxy
+- internal: increase logging for no hostname found
+- internal: remove uvicorn server header
+- outposts: ensure keypair is set for SSH connections
+- outposts: fix channel not always having a logger attribute
+- outposts: fix compare_ports to support both service and container ports
+- outposts: fix service reconciler re-creating services
+- outposts: make local discovery configurable
+- outposts: remove node_port on V1ServicePort checks to prevent service creation loops
+- outposts/proxy: correctly check host in forward domain redirect
+- outposts/proxy: correctly handle ?rd= param
+- providers/oauth2: add support for explicit response_mode
+- providers/oauth2: fix redirect_uri being lowercased on successful validation
+- providers/proxy: enable TLS in ingress via traefik annotation
+- providers/proxy: improve error handling for invalid backend_override
+- providers/proxy: remove leading slash to allow subdirectories in proxy
+- sources/ldap: log entire exception
+- sources/ldap: use merger that only appends unique items to list
+- sources/saml: fix incorrect ProtocolBinding being sent
+- stages/authenticator_validate: add ability to select multiple configuration stages which the user can choose
+- stages/authenticator_validate: fix handling when single configuration stage is selected
+- stages/authenticator_validate: handle non-existent device_challenges
+- Translate /web/src/locales/en.po in de (#2291)
+- Translate /web/src/locales/en.po in pl (#2274)
+- Translate /web/src/locales/en.po in zh_TW (#2263)
+- Translate /web/src/locales/en.po in zh-Hans 
(#2262) +- Translate /web/src/locales/en.po in zh-Hant (#2261) +- web/admin: fix invalid URLs in example proxy config +- web/admin: fix mismatched icons in overview and lists ## Upgrading @@ -79,8 +79,8 @@ Update your values to use the new images: ```yaml image: - repository: ghcr.io/goauthentik/server - tag: 2022.2.1 + repository: ghcr.io/goauthentik/server + tag: 2022.2.1 ``` Backup-related settings can be removed but will not cause any errors either. diff --git a/website/docs/releases/v2022.3.md b/website/docs/releases/v2022.3.md index 5c52a7876..578acdd64 100644 --- a/website/docs/releases/v2022.3.md +++ b/website/docs/releases/v2022.3.md 
@@ -21,43 +21,43 @@ To simplify the release process we don't publish explicitly tagged release-candi ## Minor changes/fixes -- core: add initial app launch url (#2367) -- core: customisable user settings (#2397) -- core/api: allow filtering users by uid, add uid to search -- internal/ldap: fix panic when parsing lists with mixed types -- lib: fix default geoip path -- providers/oauth2: fix invalid launch URL being generated -- providers/oauth2: initial client_credentials grant support (#2437) -- providers/proxy: always set rd param in addition to session to prevent wrong url in session -- web: cleanup default footer links -- web: prioritise ?locale parameter over saved locale -- web/admin: improve user and group management by showing related objects -- web/admin: use searchable select field for users and groups in policy binding form -- web/flows: fix rendering of help text on prompt stages +- core: add initial app launch url (#2367) +- core: customisable user settings (#2397) +- core/api: allow filtering users by uid, add uid to search +- internal/ldap: fix panic when parsing lists with mixed types +- lib: fix default geoip path +- providers/oauth2: fix invalid launch URL being generated +- providers/oauth2: initial client_credentials grant support (#2437) +- providers/proxy: always set rd param in addition to session to prevent wrong url in session +- web: cleanup default footer links +- web: prioritise ?locale parameter over saved locale +- web/admin: improve user and group management by showing related objects +- web/admin: use searchable select field for users and groups in policy binding form +- web/flows: fix rendering of help text on prompt stages ## Fixed in 2022.3.2 -- core: replace uid with uuid search -- flows: revert default flow user change -- lib: lower default sample rate -- sources/ldap: fix parent_group not being applied -- stages/authenticator_validate: fix passwordless flows not working -- web/elements: fix error with blank SearchSelect elements 
in forms -- web/elements: fix search select background in dark mode -- web/elements: fix search-select hover background -- web/user: filter applications by launch URL lto show empty state -- web/user: fix duplicate help text in prompts +- core: replace uid with uuid search +- flows: revert default flow user change +- lib: lower default sample rate +- sources/ldap: fix parent_group not being applied +- stages/authenticator_validate: fix passwordless flows not working +- web/elements: fix error with blank SearchSelect elements in forms +- web/elements: fix search select background in dark mode +- web/elements: fix search-select hover background +- web/user: filter applications by launch URL lto show empty state +- web/user: fix duplicate help text in prompts ## Fixed in 2022.3.3 -- core: fix provider launch URL being prioritised over manually configured launch URL -- crypto: open files in read-only mode for importing (#2536) -- outposts/ldap: prevent operations error from nil dereference (#2447) -- outposts/proxy: use Prefix in ingress for k8s -- web: fix style for selected item in select in dark mode -- web/admin: default to not include current session in flow play, add option to start with current session -- web/admin: fix user defaulting to 0 when not set in PolicyBindingForm -- web/elements: make SearchSelect optionally blankable +- core: fix provider launch URL being prioritised over manually configured launch URL +- crypto: open files in read-only mode for importing (#2536) +- outposts/ldap: prevent operations error from nil dereference (#2447) +- outposts/proxy: use Prefix in ingress for k8s +- web: fix style for selected item in select in dark mode +- web/admin: default to not include current session in flow play, add option to start with current session +- web/admin: fix user defaulting to 0 when not set in PolicyBindingForm +- web/elements: make SearchSelect optionally blankable ## Upgrading 
@@ -73,6 +73,6 @@ Update your values to use the new images: ```yaml image: - repository: ghcr.io/goauthentik/server - tag: 2022.3.1 + repository: ghcr.io/goauthentik/server + tag: 2022.3.1 ``` diff --git a/website/docs/releases/v2022.4.md b/website/docs/releases/v2022.4.md index 5cc8f283c..b395fcfc8 100644 --- a/website/docs/releases/v2022.4.md +++ b/website/docs/releases/v2022.4.md 
@@ -5,46 +5,46 @@ slug: "2022.4" ## Breaking changes -- Removal of HTTP Basic authentication for API requests +- Removal of HTTP Basic authentication for API requests - For legacy reasons, authentik used to support HTTP-Basic authenticated requests, using the token as a password. This has been removed. + For legacy reasons, authentik used to support HTTP-Basic authenticated requests, using the token as a password. This has been removed. -- Removal of deprecated context in Expression policies used in prompt stages +- Removal of deprecated context in Expression policies used in prompt stages - Before this version, you could use both `context['*field_name*']` and `context['prompt_data']['*field_name*']`. The former one has been removed as it could overwrite other data in the context if the field name is the same as another context value. + Before this version, you could use both `context['*field_name*']` and `context['prompt_data']['*field_name*']`. The former one has been removed as it could overwrite other data in the context if the field name is the same as another context value. ## New features -- Application Grouping +- Application Grouping - Applications can now be grouped together to better organise connected applications in the user dashboard. + Applications can now be grouped together to better organise connected applications in the user dashboard. 
-- JWT authentication for `client_credentials` grants +- JWT authentication for `client_credentials` grants - Providers can now be configured to accept JWTs signed by configured certificates, which makes it a lot easier to services access to authentik, when an existing machine/service identity is provided (for example, this can be used to let Kubernetes Pods authenticate themselves to authentik via their service account) + Providers can now be configured to accept JWTs signed by configured certificates, which makes it a lot easier to services access to authentik, when an existing machine/service identity is provided (for example, this can be used to let Kubernetes Pods authenticate themselves to authentik via their service account) ## Minor changes/fixes -- core: add method to set key of token -- core: add num_pk to group for applications that need a numerical group id -- internal: disable HTML encoding in go-generated log messages -- lifecycle: fix password and hostname in redis URI not properly quoted -- outposts: check if docker ports should be mapped before comparing ports -- policies: add policy log messages to test endpoints -- providers/oauth2: map internal groups to GitHub teams in GHE OAuth emulation (#2497) -- providers/oauth2: pass scope and other parameters to access policy request context -- stages/email: allow overriding of destination email in plan context -- stages/invitation: add invitation name -- stages/prompt: filter rest_framework.fields.empty when field is not required -- stages/prompt: fix non-required fields not allowing blank values -- stages/prompt: set field default based on placeholder -- tenants: add tenant-level attributes, applied to users based on request -- web: live-convert to slug in fields where only slugs are allowed -- web: migrate dropdowns to wizards (#2633) -- web/admin: allow editing of invitations -- web/admin: fix missing protocols on generated nginx config -- web/admin: trigger update when provider wizard finishes -- 
web/user: add column layouts +- core: add method to set key of token +- core: add num_pk to group for applications that need a numerical group id +- internal: disable HTML encoding in go-generated log messages +- lifecycle: fix password and hostname in redis URI not properly quoted +- outposts: check if docker ports should be mapped before comparing ports +- policies: add policy log messages to test endpoints +- providers/oauth2: map internal groups to GitHub teams in GHE OAuth emulation (#2497) +- providers/oauth2: pass scope and other parameters to access policy request context +- stages/email: allow overriding of destination email in plan context +- stages/invitation: add invitation name +- stages/prompt: filter rest_framework.fields.empty when field is not required +- stages/prompt: fix non-required fields not allowing blank values +- stages/prompt: set field default based on placeholder +- tenants: add tenant-level attributes, applied to users based on request +- web: live-convert to slug in fields where only slugs are allowed +- web: migrate dropdowns to wizards (#2633) +- web/admin: allow editing of invitations +- web/admin: fix missing protocols on generated nginx config +- web/admin: trigger update when provider wizard finishes +- web/user: add column layouts ## Upgrading @@ -60,6 +60,6 @@ Update your values to use the new images: ```yaml image: - repository: ghcr.io/goauthentik/server - tag: 2022.4.1 + repository: ghcr.io/goauthentik/server + tag: 2022.4.1 ``` diff --git a/website/docs/releases/v2022.5.md b/website/docs/releases/v2022.5.md index badac388d..78ef8e0b8 100644 --- a/website/docs/releases/v2022.5.md +++ b/website/docs/releases/v2022.5.md 
@@ -7,28 +7,28 @@ slug: "2022.5" ## New features -- LDAP Outpost cached binding +- LDAP Outpost cached binding - Instead of always executing the configured flow when a new Bind request is received, the provider can now be configured to cache the session from the initial flow execution, and directly validate credentials in the outpost. This drastically improves the bind performance. + Instead of always executing the configured flow when a new Bind request is received, the provider can now be configured to cache the session from the initial flow execution, and directly validate credentials in the outpost. This drastically improves the bind performance. - See [LDAP provider](../providers/ldap.md#cached-bind) + See [LDAP provider](../providers/ldap.md#cached-bind) ## Minor changes/fixes -- *: decrease frequency of background tasks, smear tasks based on name and fqdn -- core: add custom shell command which imports all models and creates events for model events -- core: add flag to globally disable impersonation -- events: fix created events only being logged as debug level -- flows: handle flow title formatting error better, add user to flow title context -- outposts/ldap: cached bind (#2824) -- policies: fix current user not being set in server-side policy deny -- root: export poetry deps to requirements.txt so we don't need poetry … (#2823) -- root: handle JSON error in metrics too -- root: set SESSION_SAVE_EVERY_REQUEST to enable sliding sessions -- root: use npm ci -- sources/oauth: Fix wording for OAuth source names (#2732) -- stages/user_delete: fix delete stage failing when pending user is not explicitly set -- web/user: add missing checkbox element in user settings (#2762) +- \*: decrease frequency of background tasks, smear tasks based on name and fqdn +- core: add custom shell command which imports all models and creates events for model events +- core: add flag to globally disable impersonation +- events: fix created events only being logged as debug level +- 
flows: handle flow title formatting error better, add user to flow title context +- outposts/ldap: cached bind (#2824) +- policies: fix current user not being set in server-side policy deny +- root: export poetry deps to requirements.txt so we don't need poetry … (#2823) +- root: handle JSON error in metrics too +- root: set SESSION_SAVE_EVERY_REQUEST to enable sliding sessions +- root: use npm ci +- sources/oauth: Fix wording for OAuth source names (#2732) +- stages/user_delete: fix delete stage failing when pending user is not explicitly set +- web/user: add missing checkbox element in user settings (#2762) ## Upgrading @@ -44,6 +44,6 @@ Update your values to use the new images: ```yaml image: - repository: ghcr.io/goauthentik/server - tag: 2022.5.1 + repository: ghcr.io/goauthentik/server + tag: 2022.5.1 ``` diff --git a/website/docs/troubleshooting/missing_admin_group.md b/website/docs/troubleshooting/missing_admin_group.md index 82b3d5c58..a1e612dfd 100644 --- a/website/docs/troubleshooting/missing_admin_group.md +++ b/website/docs/troubleshooting/missing_admin_group.md @@ -4,7 +4,7 @@ title: Missing admin group If all of the Admin groups have been deleted, or misconfigured during sync, you can use the following command to gain access back. -Run the following command, where *username* is the user you want to add to the newly created group: +Run the following command, where _username_ is the user you want to add to the newly created group: ``` docker-compose run --rm server create_admin_group username diff --git a/website/docs/user-group/group.md b/website/docs/user-group/group.md index 2e287f61e..0e6707b96 100644 --- a/website/docs/user-group/group.md +++ b/website/docs/user-group/group.md 
@@ -10,4 +10,4 @@ When you bind a group to an application or flow, any members of any child group ## Attributes -Attributes of groups are recursively merged, for all groups the user is a *direct* member of. +Attributes of groups are recursively merged, for all groups the user is a _direct_ member of. diff --git a/website/docs/user-group/user.md b/website/docs/user-group/user.md index 6b526db97..ac2287ad5 100644 --- a/website/docs/user-group/user.md +++ b/website/docs/user-group/user.md @@ -36,24 +36,27 @@ These headers will now be passed to the application when the user logs in. Most The User object has the following attributes: -- `username`: User's username. -- `email` User's email. -- `name` User's display name. -- `is_staff` Boolean field if user is staff. -- `is_active` Boolean field if user is active. -- `date_joined` Date user joined/was created. -- `password_change_date` Date password was last changed. -- `attributes` Dynamic attributes, see above -- `group_attributes()` Merged attributes of all groups the user is member of and the user's own attributes. -- `ak_groups` This is a queryset of all the user's groups. +- `username`: User's username. +- `email` User's email. +- `name` User's display name. +- `is_staff` Boolean field if user is staff. +- `is_active` Boolean field if user is active. +- `date_joined` Date user joined/was created. +- `password_change_date` Date password was last changed. +- `attributes` Dynamic attributes, see above +- `group_attributes()` Merged attributes of all groups the user is member of and the user's own attributes. +- `ak_groups` This is a queryset of all the user's groups. You can do additional filtering like + ```python user.ak_groups.filter(name__startswith='test') ``` + see [here](https://docs.djangoproject.com/en/3.1/ref/models/querysets/#id4) To get the name of all groups, you can do + ```python [group.name for group in user.ak_groups.all()] ``` 
diff --git a/website/integrations/services/apache-guacamole/index.mdx b/website/integrations/services/apache-guacamole/index.mdx index 75c47ce14..ab6070389 100644 --- a/website/integrations/services/apache-guacamole/index.mdx +++ b/website/integrations/services/apache-guacamole/index.mdx @@ -14,25 +14,25 @@ Apache Guacamole is a clientless remote desktop gateway. It supports standard pr The following placeholders will be used: -- `guacamole.company` is the FQDN of the Guacamole install. -- `authentik.company` is the FQDN of the authentik install. +- `guacamole.company` is the FQDN of the Guacamole install. +- `authentik.company` is the FQDN of the authentik install. Create an OAuth2/OpenID provider with the following parameters: -- Client Type: `Confidential` -- Redirect URIs: `https://guacamole.company/` (depending on your Tomcat setup, you might have to add `/guacamole/` if the application runs in a subfolder) -- Scopes: OpenID, Email and Profile +- Client Type: `Confidential` +- Redirect URIs: `https://guacamole.company/` (depending on your Tomcat setup, you might have to add `/guacamole/` if the application runs in a subfolder) +- Scopes: OpenID, Email and Profile -Under *Advanced protocol settings*, set the following: +Under _Advanced protocol settings_, set the following: -- Token validity: Any value to configure how long the session should last. Guacamole will not accept any tokens valid longer than 300 Minutes. +- Token validity: Any value to configure how long the session should last. Guacamole will not accept any tokens valid longer than 300 Minutes. Note the Client ID value. Create an application, using the provider you've created above. ## Guacamole -import Tabs from '@theme/Tabs'; -import TabItem from '@theme/TabItem'; +import Tabs from "@theme/Tabs"; +import TabItem from "@theme/TabItem"; Standalone Guacamole is configured using the `guacamole.properties` file. Add the following settings: 
@@ -61,5 +62,6 @@ openid-issuer=https://authentik.company/application/o/*Slug of the application f openid-jwks-endpoint=https://authentik.company/application/o/*Slug of the application from above*/jwks/ openid-redirect-uri=https://guacamole.company/ # This must match the redirect URI above ``` + diff --git a/website/integrations/services/aws/index.md b/website/integrations/services/aws/index.md index 4d2d5060d..95ae45bfc 100644 --- a/website/integrations/services/aws/index.md +++ b/website/integrations/services/aws/index.md @@ -12,14 +12,14 @@ Amazon Web Services (AWS) is the world’s most comprehensive and broadly adopte The following placeholders will be used: -- `authentik.company` is the FQDN of the authentik install. +- `authentik.company` is the FQDN of the authentik install. Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters: -- ACS URL: `https://signin.aws.amazon.com/saml` -- Audience: `urn:amazon:webservices` -- Issuer: `authentik` -- Binding: `Post` +- ACS URL: `https://signin.aws.amazon.com/saml` +- Audience: `urn:amazon:webservices` +- Issuer: `authentik` +- Binding: `Post` You can of course use a custom signing certificate, and adjust durations. diff --git a/website/integrations/services/awx-tower/index.md b/website/integrations/services/awx-tower/index.md index f588d76cc..62970490f 100644 --- a/website/integrations/services/awx-tower/index.md +++ b/website/integrations/services/awx-tower/index.md 
@@ -20,15 +20,15 @@ AWX is the open-source version of Tower. The term "AWX" will be used interchange The following placeholders will be used: -- `awx.company` is the FQDN of the AWX/Tower install. -- `authentik.company` is the FQDN of the authentik install. +- `awx.company` is the FQDN of the AWX/Tower install. +- `authentik.company` is the FQDN of the authentik install. Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters: -- ACS URL: `https://awx.company/sso/complete/saml/` -- Audience: `awx` -- Service Provider Binding: Post -- Issuer: `https://awx.company/sso/metadata/saml/` +- ACS URL: `https://awx.company/sso/complete/saml/` +- Audience: `awx` +- Service Provider Binding: Post +- Issuer: `https://awx.company/sso/metadata/saml/` You can of course use a custom signing certificate, and adjust durations. diff --git a/website/integrations/services/bookstack/index.md b/website/integrations/services/bookstack/index.md index be0923836..4e10b46fb 100644 --- a/website/integrations/services/bookstack/index.md +++ b/website/integrations/services/bookstack/index.md 
@@ -18,24 +18,26 @@ This is based on authentik 2021.7.2 and BookStack V21.05.3. Instructions may dif The following placeholders will be used: -- `book.company` is the FQDN of BookStack. -- `authentik.company` is the FQDN of authentik. -- `METADATAURL` is the url for the SAML metadata from authentik +- `book.company` is the FQDN of BookStack. +- `authentik.company` is the FQDN of authentik. +- `METADATAURL` is the url for the SAML metadata from authentik ### Step 1 In authentik, under _Providers_, create a _SAML Provider_ with these settings: **Protocol Settings** -- Name: Bookstack -- ACS URL: https://book.company/saml2/acs -- Issuer: https://authentik.company -- Service Provider Binding: Post -- Audience: https://book.company/saml2/metadata + +- Name: Bookstack +- ACS URL: https://book.company/saml2/acs +- Issuer: https://authentik.company +- Service Provider Binding: Post +- Audience: https://book.company/saml2/metadata **Advanced protocol settings** -- Signing Certificate: Choose your certificate or the default authentik Self-signed Certificate -All other options as default. + +- Signing Certificate: Choose your certificate or the default authentik Self-signed Certificate + All other options as default. ![](./authentik_saml_bookstack.png) @@ -43,10 +45,10 @@ All other options as default. In authentik, create an application which uses this provider. Optionally apply access restrictions to the application using policy bindings. -- Name: Bookstack -- Slug: bookstack -- Provider: Bookstack -- Launch URL: https://book.company +- Name: Bookstack +- Slug: bookstack +- Provider: Bookstack +- Launch URL: https://book.company ### Step 3 
@@ -99,7 +101,7 @@ BookStack will attempt to match the SAML user to an existing BookStack user base ::: :::note -SAML Group Sync is supported by Bookstack. Review the BookStack documentation on the required Environment variables. https://www.bookstackapp.com/docs/admin/saml2-auth/ +SAML Group Sync is supported by Bookstack. Review the BookStack documentation on the required Environment variables. https://www.bookstackapp.com/docs/admin/saml2-auth/ ::: :::note diff --git a/website/integrations/services/budibase/index.md b/website/integrations/services/budibase/index.md index 062353449..f1334bf3e 100644 --- a/website/integrations/services/budibase/index.md +++ b/website/integrations/services/budibase/index.md @@ -14,15 +14,15 @@ Budibase is an open source low-code platform, and the easiest way to build inter The following placeholders will be used: -- `budibase.company` is the FQDN of the Budibase install. -- `authentik.company` is the FQDN of the authentik install. +- `budibase.company` is the FQDN of the Budibase install. +- `authentik.company` is the FQDN of the authentik install. Create an application in authentik. Create an OAuth2/OpenID provider with the following parameters: -- Client Type: `Confidential` -- Scopes: OpenID, Email and Profile -- Signing Key: Select any available key -- Redirect URIs: `https://budibase.company/api/global/auth/oidc/callback` +- Client Type: `Confidential` +- Scopes: OpenID, Email and Profile +- Signing Key: Select any available key +- Redirect URIs: `https://budibase.company/api/global/auth/oidc/callback` Note the Client ID and Client Secret values. Create an application, using the provider you've created above. 
@@ -30,6 +30,6 @@ Note the Client ID and Client Secret values. Create an application, using the pr In Budibase under `Auth` set the following values -- Config URL: `https://authentik.company/application/o//.well-known/openid-configuration` -- Client ID: `Client ID from above` -- Client Secret: `Client Secret from above` +- Config URL: `https://authentik.company/application/o//.well-known/openid-configuration` +- Client ID: `Client ID from above` +- Client Secret: `Client Secret from above` diff --git a/website/integrations/services/fortimanager/index.md b/website/integrations/services/fortimanager/index.md index 07bf6dfe9..14ecb4f23 100644 --- a/website/integrations/services/fortimanager/index.md +++ b/website/integrations/services/fortimanager/index.md @@ -16,20 +16,22 @@ FortiManager is a paid enterprise product. The following placeholders will be used: -- `fgm.company` is the FQDN of the FortiManager install. -- `authentik.company` is the FQDN of the authentik install. +- `fgm.company` is the FQDN of the FortiManager install. +- `authentik.company` is the FQDN of the authentik install. Create an application and Provider in authentik, note the slug, as this will be used later. Create a SAML provider with the following parameters: Provider: -- ACS URL: `https://fgm.company/saml/?acs` -- Issuer: `https://authentik.company/application/saml/fgm/sso/binding/redirect/` -- Service Provider Binding: Post + +- ACS URL: `https://fgm.company/saml/?acs` +- Issuer: `https://authentik.company/application/saml/fgm/sso/binding/redirect/` +- Service Provider Binding: Post You can of course use a custom signing certificate, and adjust durations. Application: -- Launch URL: 'https://fgm.company/p/sso_sp/' + +- Launch URL: 'https://fgm.company/p/sso_sp/' ## FortiManager Configuration diff --git a/website/integrations/services/gitea/index.md b/website/integrations/services/gitea/index.md index 62873628c..6972b8208 100644 --- a/website/integrations/services/gitea/index.md 
+++ b/website/integrations/services/gitea/index.md @@ -18,8 +18,8 @@ This is based on authentik 2021.10.3 and Gitea 1.16.0+rc1 installed using https: The following placeholders will be used: -- `authentik.company` is the FQDN of authentik. -- `gitea.company` is the FQDN of Gitea. +- `authentik.company` is the FQDN of authentik. +- `gitea.company` is the FQDN of Gitea. ### Step 1 @@ -31,8 +31,8 @@ Only settings that have been modified from default have been listed. **Protocol Settings** -- Name: Gitea -- Signing Key: Select any available key +- Name: Gitea +- Signing Key: Select any available key :::note Take note of the `Client ID` and `Client Secret`, you'll need to give them to Gitea in _Step 3_. @@ -46,9 +46,9 @@ In authentik, create an application (under _Resources/Applications_) which uses Only settings that have been modified from default have been listed. ::: -- Name: Gitea -- Slug: gitea-slug -- Provider: Gitea +- Name: Gitea +- Slug: gitea-slug +- Provider: Gitea ### Step 3 @@ -56,13 +56,13 @@ Navigate to the _Authentication Sources_ page at https://gitea.company/admin/aut Change the following fields -- Authentication Name: authentik -- OAuth2 Provider: OpenID Connect -- Client ID (Key): Step 2 -- Client Secret: Step 2 -- Icon URL: https://raw.githubusercontent.com/goauthentik/authentik/master/web/icons/icon.png -- OpenID Connect Auto Discovery URL: https://authentik.company/application/o/gitea-slug/.well-known/openid-configuration -- Additional Scopes: `email profile` +- Authentication Name: authentik +- OAuth2 Provider: OpenID Connect +- Client ID (Key): Step 2 +- Client Secret: Step 2 +- Icon URL: https://raw.githubusercontent.com/goauthentik/authentik/master/web/icons/icon.png +- OpenID Connect Auto Discovery URL: https://authentik.company/application/o/gitea-slug/.well-known/openid-configuration +- Additional Scopes: `email profile` ![](./gitea1.png) 
diff --git a/website/integrations/services/gitlab/index.md b/website/integrations/services/gitlab/index.md index 32b061d2b..e1dbd15fb 100644 --- a/website/integrations/services/gitlab/index.md +++ b/website/integrations/services/gitlab/index.md @@ -14,22 +14,22 @@ GitLab is a complete DevOps platform, delivered as a single application. This ma The following placeholders will be used: -- `gitlab.company` is the FQDN of the GitLab Install -- `authentik.company` is the FQDN of the authentik Install +- `gitlab.company` is the FQDN of the GitLab Install +- `authentik.company` is the FQDN of the authentik Install Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters: -- ACS URL: `https://gitlab.company/users/auth/saml/callback` -- Audience: `https://gitlab.company` -- Issuer: `https://gitlab.company` -- Binding: `Redirect` +- ACS URL: `https://gitlab.company/users/auth/saml/callback` +- Audience: `https://gitlab.company` +- Issuer: `https://gitlab.company` +- Binding: `Redirect` -Under *Advanced protocol settings*, set a certificate for *Signing Certificate*. +Under _Advanced protocol settings_, set a certificate for _Signing Certificate_. ## GitLab Configuration Paste the following block in your `gitlab.rb` file, after replacing the placeholder values from above. The file is located in `/etc/gitlab`. -To get the value for `idp_cert_fingerprint`, go to the Certificate list under *Identity & Cryptography*, and expand the selected certificate. +To get the value for `idp_cert_fingerprint`, go to the Certificate list under _Identity & Cryptography_, and expand the selected certificate. ```ruby gitlab_rails['omniauth_enabled'] = true diff --git a/website/integrations/services/grafana/index.mdx b/website/integrations/services/grafana/index.mdx index f68d1242d..49c8c512f 100644 --- a/website/integrations/services/grafana/index.mdx +++ b/website/integrations/services/grafana/index.mdx 
@@ -14,22 +14,22 @@ Grafana is a multi-platform open source analytics and interactive visualization The following placeholders will be used: -- `grafana.company` is the FQDN of the Grafana install. -- `authentik.company` is the FQDN of the authentik install. +- `grafana.company` is the FQDN of the Grafana install. +- `authentik.company` is the FQDN of the authentik install. Create an application in authentik. Create an OAuth2/OpenID provider with the following parameters: -- Client Type: `Confidential` -- Scopes: OpenID, Email and Profile -- Signing Key: Select any available key -- Redirect URIs: `https://grafana.company/login/generic_oauth` +- Client Type: `Confidential` +- Scopes: OpenID, Email and Profile +- Signing Key: Select any available key +- Redirect URIs: `https://grafana.company/login/generic_oauth` Note the Client ID and Client Secret values. Create an application, using the provider you've created above. Note the slug of the application you've created. ## Grafana -import Tabs from '@theme/Tabs'; -import TabItem from '@theme/TabItem'; +import Tabs from "@theme/Tabs"; +import TabItem from "@theme/TabItem"; If you are using a config-file instead, you have to set these options: @@ -78,6 +79,7 @@ api_url = https://authentik.company/application/o/userinfo/ # Optionally map user groups to Grafana roles role_attribute_path = contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer' ``` + diff --git a/website/integrations/services/harbor/index.md b/website/integrations/services/harbor/index.md index e9bb910f6..8a1ce9367 100644 --- a/website/integrations/services/harbor/index.md +++ b/website/integrations/services/harbor/index.md 
@@ -14,14 +14,14 @@ Harbor is an open source container image registry that secures images with role- The following placeholders will be used: -- `harbor.company` is the FQDN of the Harbor install. -- `authentik.company` is the FQDN of the authentik install. +- `harbor.company` is the FQDN of the Harbor install. +- `authentik.company` is the FQDN of the authentik install. Create an OAuth2/OpenID provider with the following parameters: -- Client Type: `Confidential` -- Redirect URIs: `https://harbor.company/c/oidc/callback` -- Scopes: OpenID, Email and Profile +- Client Type: `Confidential` +- Redirect URIs: `https://harbor.company/c/oidc/callback` +- Scopes: OpenID, Email and Profile Note the Client ID and Client Secret values. Create an application, using the provider you've created above. diff --git a/website/integrations/services/hashicorp-vault/index.md b/website/integrations/services/hashicorp-vault/index.md index 02349dc73..57e55b993 100644 --- a/website/integrations/services/hashicorp-vault/index.md +++ b/website/integrations/services/hashicorp-vault/index.md @@ -18,8 +18,8 @@ This is based on authentik 2022.2.1 and Vault 1.9.3. Instructions may differ bet The following placeholders will be used: -- `authentik.company` is the FQDN of authentik. -- `vault.company` is the FQDN of Vault. +- `authentik.company` is the FQDN of authentik. +- `vault.company` is the FQDN of Vault. ### Step 1 @@ -31,15 +31,17 @@ Only settings that have been modified from default have been listed. **Protocol Settings** -- Name: Vault -- Signing Key: Select any available key +- Name: Vault +- Signing Key: Select any available key + +- Redirect URIs/Origins: -- Redirect URIs/Origins: ``` https://vault.company/ui/vault/auth/oidc/oidc/callback https://vault.company/oidc/callback http://localhost:8250/oidc/callback ``` + :::note Take note of the `Client ID` and `Client Secret`, you'll need to give them to Vault in _Step 3_. ::: 
@@ -52,16 +54,17 @@ In authentik, create an application (under _Resources/Applications_) which uses Only settings that have been modified from default have been listed. ::: -- Name: Vault -- Slug: vault-slug -- Provider: Vault +- Name: Vault +- Slug: vault-slug +- Provider: Vault ### Step 3 Enable the oidc auth method -```vault auth enable oidc``` +`vault auth enable oidc` Configure the oidc auth method, oidc discovery url is the OpenID Configuration Issuer in your provider + ``` vault write auth/oidc/config \ oidc_discovery_url="https://authentik.company/application/o/vault-slug/" \ @@ -71,6 +74,7 @@ vault write auth/oidc/config \ ``` Create the reader role + ``` vault write auth/oidc/role/reader \ bound_audiences="Client ID" \ @@ -82,4 +86,4 @@ vault write auth/oidc/role/reader \ ``` You should then be able to sign in via OIDC -```vault login -method=oidc role="reader"``` +`vault login -method=oidc role="reader"` diff --git a/website/integrations/services/hedgedoc/index.md b/website/integrations/services/hedgedoc/index.md index deda9da1a..97389afda 100644 --- a/website/integrations/services/hedgedoc/index.md +++ b/website/integrations/services/hedgedoc/index.md 
@@ -14,15 +14,15 @@ HedgeDoc lets you create real-time collaborative markdown notes. The following placeholders will be used: -- `hedgedoc.company` is the FQDN of the HedgeDoc install. -- `authentik.company` is the FQDN of the authentik install. +- `hedgedoc.company` is the FQDN of the HedgeDoc install. +- `authentik.company` is the FQDN of the authentik install. Create an application in authentik. Create an OAuth2/OpenID provider with the following parameters: -- Client Type: `Confidential` -- Scopes: OpenID, Email and Profile -- Signing Key: Select any available key -- Redirect URIs: `https://hedgedoc.company/auth/oauth2/callback` +- Client Type: `Confidential` +- Scopes: OpenID, Email and Profile +- Signing Key: Select any available key +- Redirect URIs: `https://hedgedoc.company/auth/oauth2/callback` Note the Client ID and Client Secret values. Create an application, using the provider you've created above. 
@@ -33,14 +33,14 @@ You need to set the following `env` Variables for Docker based installations. Set the following values: ```yaml -CMD_OAUTH2_PROVIDERNAME: 'authentik' -CMD_OAUTH2_CLIENT_ID: '' -CMD_OAUTH2_CLIENT_SECRET: '' -CMD_OAUTH2_SCOPE: 'openid email profile' -CMD_OAUTH2_USER_PROFILE_URL: 'https://authentik.company/application/o/userinfo/' -CMD_OAUTH2_TOKEN_URL: 'https://authentik.company/application/o/token/' -CMD_OAUTH2_AUTHORIZATION_URL: 'https://authentik.company/application/o/authorize/' -CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR: 'preferred_username' -CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR: 'name' -CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR: 'email' +CMD_OAUTH2_PROVIDERNAME: "authentik" +CMD_OAUTH2_CLIENT_ID: "" +CMD_OAUTH2_CLIENT_SECRET: "" +CMD_OAUTH2_SCOPE: "openid email profile" +CMD_OAUTH2_USER_PROFILE_URL: "https://authentik.company/application/o/userinfo/" +CMD_OAUTH2_TOKEN_URL: "https://authentik.company/application/o/token/" +CMD_OAUTH2_AUTHORIZATION_URL: "https://authentik.company/application/o/authorize/" +CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR: "preferred_username" +CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR: "name" +CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR: "email" ``` diff --git a/website/integrations/services/home-assistant/index.md b/website/integrations/services/home-assistant/index.md index 49eb7b21e..b3d0ff34e 100644 --- a/website/integrations/services/home-assistant/index.md +++ b/website/integrations/services/home-assistant/index.md 
@@ -18,8 +18,8 @@ You might run into CSRF errors, this is caused by Home-assistant and not authent The following placeholders will be used: -- `hass.company` is the FQDN of the Home-Assistant install. -- `authentik.company` is the FQDN of the authentik install. +- `hass.company` is the FQDN of the Home-Assistant install. +- `authentik.company` is the FQDN of the authentik install. :::note This setup uses https://github.com/BeryJu/hass-auth-header and the authentik proxy for authentication. When this [PR](https://github.com/home-assistant/core/pull/32926) is merged, this will no longer be necessary. @@ -51,13 +51,13 @@ additionalHeaders: Create a Proxy Provider with the following values -- Internal host +- Internal host If Home-Assistant is running in docker, and you're deploying the authentik proxy on the same host, set the value to `http://homeassistant:8123`, where Home-Assistant is the name of your container. If Home-Assistant is running on a different server than where you are deploying the authentik proxy, set the value to `http://hass.company:8123`. -- External host +- External host Set this to the external URL you will be accessing Home-Assistant from. diff --git a/website/integrations/services/kimai/index.md b/website/integrations/services/kimai/index.md index 00ade8cce..b63487c3d 100644 --- a/website/integrations/services/kimai/index.md +++ b/website/integrations/services/kimai/index.md 
@@ -14,26 +14,26 @@ Kimai is a free & open source timetracker. It tracks work time and prints out a The following placeholders will be used: -- `kimai.company` is the FQDN of the Kimai Install -- `authentik.company` is the FQDN of the authentik Install -- `admin.group` is the authentik group to be made Admin in Kimai +- `kimai.company` is the FQDN of the Kimai Install +- `authentik.company` is the FQDN of the authentik Install +- `admin.group` is the authentik group to be made Admin in Kimai Create an application in authentik and use the slug for later as ``. Create a SAML provider with the following parameters: -- ACS URL: `https://kimai.company/auth/saml/acs` -- Audience: `https://kimai.company/auth/saml` -- Issuer: `https://authentik.company` -- Binding: `Post` +- ACS URL: `https://kimai.company/auth/saml/acs` +- Audience: `https://kimai.company/auth/saml` +- Issuer: `https://authentik.company` +- Binding: `Post` -Under *Advanced protocol settings*, set a certificate for *Signing Certificate*. +Under _Advanced protocol settings_, set a certificate for _Signing Certificate_. ## Kimai Configuration Paste the following block in your `local.yaml` file, after replacing the placeholder values from above. The file is usually located in `/opt/kimai/config/packages/local.yaml`. -To get the value for `x509cert`, go to *System* > *Certificates*, and download the public Signing Certificate. To avoid further problems, concat it into "string format" using e.g.: https://www.samltool.com/format_x509cert.php +To get the value for `x509cert`, go to _System_ > _Certificates_, and download the public Signing Certificate. To avoid further problems, concat it into "string format" using e.g.: https://www.samltool.com/format_x509cert.php ```yaml # Optionally add this for docker debug-logging 
@@ -43,75 +43,74 @@ To get the value for `x509cert`, go to *System* > *Certificates*, and download t # path: php://stderr kimai: - saml: - activate: true - title: Login with authentik - mapping: - - { - saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, - kimai: email, - } - - { - saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name, - kimai: alias, - } - roles: - attribute: http://schemas.xmlsoap.org/claims/Group - mapping: - # Insert your roles here (ROLE_USER is added automatically) - - { saml: admin.group, kimai: ROLE_ADMIN } - connection: - # You SAML provider - # Your authentik instance, replace https://authentik.company with your authentik URL - idp: - entityId: "https://authentik.company/" - singleSignOnService: - url: "https://authentik.company/application/saml//sso/binding/redirect/" - binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" - # the "single logout" feature was not yet tested, if you want to help, please let me know! - singleLogoutService: - url: "https://authentik.company/if/session-end//" - binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" - # Signing certificate from *Advanced protocol settings* - x509cert: "XXXXXXXXXXXXXXXXXXXXXXXXXXX==" - # Service Provider Data that we are deploying. 
- # Your Kimai instance, replace https://kimai.company with your Kimai URL - sp: - entityId: "https://kimai.company/" - assertionConsumerService: - url: "https://kimai.company/auth/saml/acs" - binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" - singleLogoutService: - url: "https://kimai.company/auth/saml/logout" - binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" - #privateKey: '' - # only set baseurl, if auto-detection doesn't work - baseurl: "https://kimai.company/auth/saml/" - strict: false - debug: true - security: - nameIdEncrypted: false - authnRequestsSigned: false - logoutRequestSigned: false - logoutResponseSigned: false - wantMessagesSigned: false - wantAssertionsSigned: false - wantNameIdEncrypted: false - requestedAuthnContext: true - signMetadata: false - wantXMLValidation: true - signatureAlgorithm: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" - digestAlgorithm: "http://www.w3.org/2001/04/xmlenc#sha256" - contactPerson: - technical: - givenName: "Kimai Admin" - emailAddress: "admin@example.com" - organization: - en: - name: "Kimai" - displayname: "Kimai" - url: "https://kimai.company" - + saml: + activate: true + title: Login with authentik + mapping: + - { + saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, + kimai: email, + } + - { + saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name, + kimai: alias, + } + roles: + attribute: http://schemas.xmlsoap.org/claims/Group + mapping: + # Insert your roles here (ROLE_USER is added automatically) + - { saml: admin.group, kimai: ROLE_ADMIN } + connection: + # You SAML provider + # Your authentik instance, replace https://authentik.company with your authentik URL + idp: + entityId: "https://authentik.company/" + singleSignOnService: + url: "https://authentik.company/application/saml//sso/binding/redirect/" + binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" + # the "single logout" feature was not yet tested, if you want to help, 
please let me know! + singleLogoutService: + url: "https://authentik.company/if/session-end//" + binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" + # Signing certificate from *Advanced protocol settings* + x509cert: "XXXXXXXXXXXXXXXXXXXXXXXXXXX==" + # Service Provider Data that we are deploying. + # Your Kimai instance, replace https://kimai.company with your Kimai URL + sp: + entityId: "https://kimai.company/" + assertionConsumerService: + url: "https://kimai.company/auth/saml/acs" + binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" + singleLogoutService: + url: "https://kimai.company/auth/saml/logout" + binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" + #privateKey: '' + # only set baseurl, if auto-detection doesn't work + baseurl: "https://kimai.company/auth/saml/" + strict: false + debug: true + security: + nameIdEncrypted: false + authnRequestsSigned: false + logoutRequestSigned: false + logoutResponseSigned: false + wantMessagesSigned: false + wantAssertionsSigned: false + wantNameIdEncrypted: false + requestedAuthnContext: true + signMetadata: false + wantXMLValidation: true + signatureAlgorithm: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" + digestAlgorithm: "http://www.w3.org/2001/04/xmlenc#sha256" + contactPerson: + technical: + givenName: "Kimai Admin" + emailAddress: "admin@example.com" + organization: + en: + name: "Kimai" + displayname: "Kimai" + url: "https://kimai.company" ``` Afterwards, either [rebuild the cache](https://www.kimai.org/documentation/cache.html) or restart the docker container. diff --git a/website/integrations/services/matrix-synapse/index.md b/website/integrations/services/matrix-synapse/index.md index f0ddaaa6d..b326a99f2 100644 --- a/website/integrations/services/matrix-synapse/index.md +++ b/website/integrations/services/matrix-synapse/index.md 
@@ -15,15 +15,15 @@ reference implementations. The following placeholders will be used: -- `matrix.company` is the FQDN of the Matrix install. -- `authentik.company` is the FQDN of the authentik install. +- `matrix.company` is the FQDN of the Matrix install. +- `authentik.company` is the FQDN of the authentik install. Create an application in authentik. Create an OAuth2/OpenID provider with the following parameters: -- Client Type: `Confidential` -- Scopes: OpenID, Email and Profile -- Signing Key: Select any available key -- Redirect URIs: `https://matrix.company/_synapse/client/oidc/callback` +- Client Type: `Confidential` +- Scopes: OpenID, Email and Profile +- Signing Key: Select any available key +- Redirect URIs: `https://matrix.company/_synapse/client/oidc/callback` Note the Client ID and Client Secret values. Create an application, using the provider you've created above. Note the slug of the application you've created. @@ -37,18 +37,18 @@ For more info, see https://matrix-org.github.io/synapse/latest/openid.html?highl ```yaml oidc_providers: - - idp_id: authentik - idp_name: authentik - discover: true - issuer: "https://authentik.company/application/o/app-slug/" - client_id: "*client id*" - client_secret: "*client secret*" - scopes: - - "openid" - - "profile" - - "email" - user_mapping_provider: - config: - localpart_template: "{{ user.preferred_username }}" - display_name_template: "{{ user.name|capitalize }}" + - idp_id: authentik + idp_name: authentik + discover: true + issuer: "https://authentik.company/application/o/app-slug/" + client_id: "*client id*" + client_secret: "*client secret*" + scopes: + - "openid" + - "profile" + - "email" + user_mapping_provider: + config: + localpart_template: "{{ user.preferred_username }}" + display_name_template: "{{ user.name|capitalize }}" ``` diff --git a/website/integrations/services/minio/index.md b/website/integrations/services/minio/index.md index 48d9d5c72..3f3fe58e2 100644 
--- a/website/integrations/services/minio/index.md +++ b/website/integrations/services/minio/index.md @@ -14,8 +14,8 @@ MinIO is an Amazon S3 compatible object storage suite capable of handling struct The following placeholders will be used: -- `minio.company` is the FQDN of the MinIO install. -- `authentik.company` is the FQDN of the authentik install. +- `minio.company` is the FQDN of the MinIO install. +- `authentik.company` is the FQDN of the authentik install. Under _Property Mappings_, create a _Scope Mapping_. Give it a name like "OIDC-Scope-minio". Set the scope name to `minio` and the expression to the following @@ -27,10 +27,10 @@ return { Create an application in authentik. Create an _OAuth2/OpenID Provider_ with the following parameters: -- Client Type: `Public` -- Scopes: OpenID, Email, Profile and the scope you created above -- Signing Key: Select any available key -- Redirect URIs: `https://minio.company/oauth_callback` +- Client Type: `Public` +- Scopes: OpenID, Email, Profile and the scope you created above +- Signing Key: Select any available key +- Redirect URIs: `https://minio.company/oauth_callback` Note the Client ID and Client Secret values. Create an application, using the provider you've created above. Note the slug of the application you've created. diff --git a/website/integrations/services/nextcloud/index.md b/website/integrations/services/nextcloud/index.md index 95fb28748..1ffbffe09 100644 --- a/website/integrations/services/nextcloud/index.md +++ b/website/integrations/services/nextcloud/index.md 
@@ -22,17 +22,17 @@ In case something goes wrong with the configuration, you can use the URL `http:/ The following placeholders will be used: -- `nextcloud.company` is the FQDN of the NextCloud install. -- `authentik.company` is the FQDN of the authentik install. +- `nextcloud.company` is the FQDN of the NextCloud install. +- `authentik.company` is the FQDN of the authentik install. Create an application in authentik and note the slug you choose, as this will be used later. In the Admin Interface, go to Applications->Providers. Create a SAML provider with the following parameters: -- ACS URL: `https://nextcloud.company/apps/user_saml/saml/acs` -- Issuer: `https://authentik.company` -- Service Provider Binding: `Post` -- Audience: `https://nextcloud.company/apps/user_saml/saml/metadata` -- Signing certificate: Select any certificate you have. -- Property mappings: Select all Managed mappings. +- ACS URL: `https://nextcloud.company/apps/user_saml/saml/acs` +- Issuer: `https://authentik.company` +- Service Provider Binding: `Post` +- Audience: `https://nextcloud.company/apps/user_saml/saml/metadata` +- Signing certificate: Select any certificate you have. +- Property mappings: Select all Managed mappings. You can of course use a custom signing certificate, and adjust durations. 
@@ -42,18 +42,18 @@ In NextCloud, ensure that the `SSO & SAML Authentication` app is installed. Navi Set the following values: -- Attribute to map the UID to.: `http://schemas.goauthentik.io/2021/02/saml/username` -- Optional display name of the identity provider (default: "SSO & SAML log in"): `authentik` -- Identifier of the IdP entity (must be a URI): `https://authentik.company` -- URL Target of the IdP where the SP will send the Authentication Request Message: `https://authentik.company/application/saml//sso/binding/redirect/` -- URL Location of IdP where the SP will send the SLO Request: `https://authentik.company/if/session-end//` -- Public X.509 certificate of the IdP: Copy the PEM of the Selected Signing Certificate +- Attribute to map the UID to.: `http://schemas.goauthentik.io/2021/02/saml/username` +- Optional display name of the identity provider (default: "SSO & SAML log in"): `authentik` +- Identifier of the IdP entity (must be a URI): `https://authentik.company` +- URL Target of the IdP where the SP will send the Authentication Request Message: `https://authentik.company/application/saml//sso/binding/redirect/` +- URL Location of IdP where the SP will send the SLO Request: `https://authentik.company/if/session-end//` +- Public X.509 certificate of the IdP: Copy the PEM of the Selected Signing Certificate Under Attribute mapping, set these values: -- Attribute to map the displayname to.: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name` -- Attribute to map the email address to.: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` -- Attribute to map the users groups to.: `http://schemas.xmlsoap.org/claims/Group` +- Attribute to map the displayname to.: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name` +- Attribute to map the email address to.: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` +- Attribute to map the users groups to.: `http://schemas.xmlsoap.org/claims/Group` You should now be 
able to log in with authentik. @@ -68,8 +68,8 @@ See https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/r Create a group for each different level of quota you want users to have. Set a custom attribute, for example called `nextcloud_quota`, to the quota you want, for example `15 GB`. Afterwards, create a custom SAML Property Mapping with the name `SAML NextCloud Quota`. -Set the *SAML Name* to `nextcloud_quota`. -Set the *Expression* to `return user.group_attributes().get("nextcloud_quota", "1 GB")`, where `1 GB` is the default value for users that don't belong to another group (or have another value set). +Set the _SAML Name_ to `nextcloud_quota`. +Set the _Expression_ to `return user.group_attributes().get("nextcloud_quota", "1 GB")`, where `1 GB` is the default value for users that don't belong to another group (or have another value set). ## Admin Group diff --git a/website/integrations/services/onlyoffice/index.md b/website/integrations/services/onlyoffice/index.md index 68168763b..65c74d95f 100644 --- a/website/integrations/services/onlyoffice/index.md +++ b/website/integrations/services/onlyoffice/index.md 
@@ -18,33 +18,33 @@ This is based on authentik 2021.10.4 and OnlyOffice 11.5.4.1582. Instructions ma The following placeholders will be used: -- `authentik.company` is the FQDN of authentik. -- `onlyoffice.company` is the FQDN of the OnlyOffice instance. +- `authentik.company` is the FQDN of authentik. +- `onlyoffice.company` is the FQDN of the OnlyOffice instance. -Open your OnlyOffice instance, navigate to the settings by clicking the cog-icon in the navbar, then click on *Control Panel* on the sidebar. +Open your OnlyOffice instance, navigate to the settings by clicking the cog-icon in the navbar, then click on _Control Panel_ on the sidebar. -In the new tab, click on *SSO* in the sidebar. +In the new tab, click on _SSO_ in the sidebar. -Click the *Enable Single Sign-on Authentication* checkbox to enable SSO. +Click the _Enable Single Sign-on Authentication_ checkbox to enable SSO. -Scroll down to *ONLYOFFICE SP Metadata*, and copy the *SP Entity ID (link to metadata XML)* URL. Open this URL in a new tab, and download the XML file. +Scroll down to _ONLYOFFICE SP Metadata_, and copy the _SP Entity ID (link to metadata XML)_ URL. Open this URL in a new tab, and download the XML file. ## authentik Setup -Create an application in authentik, and create a SAML Provider by using *SAML Provider from Metadata*. Give the provider a name, and upload the XML file you've downloaded in the previous step. +Create an application in authentik, and create a SAML Provider by using _SAML Provider from Metadata_. Give the provider a name, and upload the XML file you've downloaded in the previous step. -Edit the resulting Provider, and ensure *Signing Certificate* is set to any certificate. +Edit the resulting Provider, and ensure _Signing Certificate_ is set to any certificate. -Navigate on the *Metadata* tab on the Provider page, and click *Copy download URL*. +Navigate on the _Metadata_ tab on the Provider page, and click _Copy download URL_. 
## OnlyOffice Setup -Navigate back to your OnlyOffice Control panel, and paste the URL into *Load metadata from XML to fill the required fields automatically*, and click the upload button next to the input field. +Navigate back to your OnlyOffice Control panel, and paste the URL into _Load metadata from XML to fill the required fields automatically_, and click the upload button next to the input field. -Under *Attribute Mapping*, set the following values +Under _Attribute Mapping_, set the following values -- *First Name*: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name` -- *Last Name*: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name` -- *Email*: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` +- _First Name_: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name` +- _Last Name_: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name` +- _Email_: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` Click save and a new SSO button will appear on the OnlyOffice login page. diff --git a/website/integrations/services/opnsense/index.md b/website/integrations/services/opnsense/index.md index 2d386e6e5..2af0f2b52 100644 --- a/website/integrations/services/opnsense/index.md +++ b/website/integrations/services/opnsense/index.md @@ -18,9 +18,9 @@ This is based on authentik 2022.4.1 and OPNsense 22.1.6-amd64 installed using ht The following placeholders will be used: -- `authentik.company` is the FQDN of authentik. -- `opnsense` is the name of the authentik Service account we'll create. -- `DC=ldap,DC=goauthentik,DC=io` is the Base DN of the LDAP Provider (default) +- `authentik.company` is the FQDN of authentik. +- `opnsense` is the name of the authentik Service account we'll create. +- `DC=ldap,DC=goauthentik,DC=io` is the Base DN of the LDAP Provider (default) ### Step 1 
@@ -40,9 +40,10 @@ Only settings that have been modified from default have been listed. ::: **Protocol Settings** -- Name: LDAP -- Search group: opnsense -- Certificate: authentik Self-signed certificate + +- Name: LDAP +- Search group: opnsense +- Certificate: authentik Self-signed certificate ### Step 3 @@ -52,9 +53,9 @@ In authentik, create an application (under _Applications/Applications_) which us Only settings that have been modified from default have been listed. ::: -- Name: LDAP -- Slug: ldap -- Provider: LDAP +- Name: LDAP +- Slug: ldap +- Provider: LDAP ### Step 4 @@ -64,25 +65,27 @@ In authentik, create an outpost (under _Applications/Outposts_) of type `LDAP` t Only settings that have been modified from default have been listed. ::: -- Name: LDAP -- Type: LDAP +- Name: LDAP +- Type: LDAP + ### Step 5 Add your authentik LDAP server to OPNsense by going to your OPNsense Web UI and clicking the `+` under _System/Access/Servers_. Change the following fields -- Descriptive name: authentik -- Hostname or IP address: authentik.company -- Transport: SSL - Encrypted -- Bind credentials - - User DN: CN=opnsense-user,OU=users,DC=ldap,DC=goauthentik,DC=io - - Password: whatever-you-set - - Base DN: DC=ldap,DC=goauthentik,DC=io -- Authentication containers: OU=users,DC=ldap,DC=goauthentik,DC=io;OU=groups,DC=ldap,DC=goauthentik,DC=io -- Extended Query: &(objectClass=user) +- Descriptive name: authentik +- Hostname or IP address: authentik.company +- Transport: SSL - Encrypted +- Bind credentials + - User DN: CN=opnsense-user,OU=users,DC=ldap,DC=goauthentik,DC=io + - Password: whatever-you-set + - Base DN: DC=ldap,DC=goauthentik,DC=io +- Authentication containers: OU=users,DC=ldap,DC=goauthentik,DC=io;OU=groups,DC=ldap,DC=goauthentik,DC=io +- Extended Query: &(objectClass=user) ![](./opnsense1.png) + ### Step 6 In OPNsense, go to _System/Settings/Administration_ and under _Authentication_ at the bottom of that page, add `authentik` to the Server list 
diff --git a/website/integrations/services/paperless-ng/index.md b/website/integrations/services/paperless-ng/index.md index c206c8814..ec6762259 100644 --- a/website/integrations/services/paperless-ng/index.md +++ b/website/integrations/services/paperless-ng/index.md @@ -20,18 +20,19 @@ The author of Paperless-ng recommends you do not expose Paperless outside your n The following placeholders will be used: -- `paperless.company` is the FQDN of the Paperless-ng install. - +- `paperless.company` is the FQDN of the Paperless-ng install. + Also set up your proxy server to use forward auth with paperless.company: https://goauthentik.io/docs/providers/proxy/forward_auth - ## Paperless - + Start by adding the following environment variables to your Paperless-ng setup. If you are using docker-compose, then add the following to your docker-compose.env file: + ``` PAPERLESS_ENABLE_HTTP_REMOTE_USER=TRUE PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME=HTTP_X_AUTHENTIK_USERNAME ``` + Authentik automatically sets this header when we use a proxy outpost. Now restart your container: 
@@ -44,28 +45,28 @@ In authentik, go to the Admin Interface and click _Applications/Providers_. Create a Proxy Provider. Give it a name (e.g. `Paperless Proxy`), then choose explicit or implicit consent (whether you want authentic to show a button to proceed to Paperless after login, or to just go there). -Choose Forward Auth (single application), then add the External host: `https://paperless.company` +Choose Forward Auth (single application), then add the External host: `https://paperless.company` Click Create to finish creating the provider. - + **Application** - + Now go to _Applications/Applications_ and create a new application. Give it a name, this one is displayed to users. E.g. `Paperless`. Set the slug, let's use `paperless`. - + Now select the provider we created earlier, e.g. `Paperless Proxy`. - + Click Create to create the application. - + **Outpost** - + Now go to _Applications/Outposts_ and click the edit button for _"authentik Embedded Outpost"_. -Under Applications, click Paperless to select it (use ctrl+click to select multiple), then click Update at the bottom. +Under Applications, click Paperless to select it (use ctrl+click to select multiple), then click Update at the bottom. ## Finished - + Now you can access Paperless-ng by logging in with authentik. Note that your authentik username and your Paperless username MUST match. diff --git a/website/integrations/services/pfsense/index.md b/website/integrations/services/pfsense/index.md index aecbc4d30..3b4f0d7c6 100644 --- a/website/integrations/services/pfsense/index.md +++ b/website/integrations/services/pfsense/index.md 
@@ -18,10 +18,9 @@ This is based on authentik 2022.3.31 and pfSense 2.6.0-amd64 The following placeholders will be used: -- `authentik.company` is the FQDN of authentik. -- `pfsense-user` is the name of the authentik Service account we'll create. -- `DC=ldap,DC=goauthentik,DC=io` is the Base DN of the LDAP Provider (default) - +- `authentik.company` is the FQDN of authentik. +- `pfsense-user` is the name of the authentik Service account we'll create. +- `DC=ldap,DC=goauthentik,DC=io` is the Base DN of the LDAP Provider (default) ### Step 1 - Service account @@ -33,28 +32,28 @@ In this example, we'll use `pfsense-user` as the Service account's username If you didn't keep the password, you can copy it from _Directory/Tokens & App password_. ::: - ### Step 2 - LDAP Provider In authentik, create a LDAP Provider (under _Applications/Providers_) with these settings : -- Name : LDAP -- Bind DN : `DC=ldap,DC=goauthentik,DC=io` -- Certificate : `self-signed` + +- Name : LDAP +- Bind DN : `DC=ldap,DC=goauthentik,DC=io` +- Certificate : `self-signed` ### Step 3 - Application In authentik, create an application (under _Resources/Applications_) with these settings : -- Name: LDAP -- Slug: ldap -- Provider: LDAP +- Name: LDAP +- Slug: ldap +- Provider: LDAP ### Step 4 - Outpost In authentik, create an outpost (under _Applications/Outposts_) of type `LDAP` that uses the LDAP Application you created in _Step 3_. -- Name: LDAP -- Type: LDAP +- Name: LDAP +- Type: LDAP ## pfSense unsecure setup (without SSL) 
@@ -66,20 +65,18 @@ Add your authentik LDAP server to pfSense by going to your pfSense Web UI and cl Change the following fields -- Descriptive name: LDAP authentik -- Hostname or IP address: `authentik.company` -- Port value: 389 -- Transport: Standard TCP -- Base DN: `DC=ldap,DC=goauthentik,DC=io` -- Authentication containers: `OU=users,DC=ldap,DC=goauthentik,DC=io` -- Bind anonymous: **unticked** -- Bind credentials: - - User DN: `cn=pfsense-user,ou=users,dc=ldap,dc=goauthentik,dc=io` - - Password: `` -- Extended Query: &(objectClass=user) -- Allow unauthenticated bind: **unticked** - - +- Descriptive name: LDAP authentik +- Hostname or IP address: `authentik.company` +- Port value: 389 +- Transport: Standard TCP +- Base DN: `DC=ldap,DC=goauthentik,DC=io` +- Authentication containers: `OU=users,DC=ldap,DC=goauthentik,DC=io` +- Bind anonymous: **unticked** +- Bind credentials: + - User DN: `cn=pfsense-user,ou=users,dc=ldap,dc=goauthentik,dc=io` + - Password: `` +- Extended Query: &(objectClass=user) +- Allow unauthenticated bind: **unticked** ## pfSense secure setup (with SSL) @@ -89,9 +86,9 @@ When enabling SSL, authentik will send a certificate to pfSense. This certificat In pfSense, create a certificate authority under _System/Cert. Manager_ and click the `+ Add` button. -- Descriptive Name: `pfSense CA` -- Method: Create an internal Certificate Authority -- Common Name : `pfSense CA` +- Descriptive Name: `pfSense CA` +- Method: Create an internal Certificate Authority +- Common Name : `pfSense CA` ### Step 2 - Server Certificate 
@@ -99,11 +96,11 @@ In pfSense, create a server certificate under _System/Cert. Manager_. Go to the Change the following fields -- Method: Create an internal Certificate -- Descriptive name: `authentik.company` -- Lifetime: `398` -- Common Name: `authentik.company` -- Certificate Type: `Server Certificate` +- Method: Create an internal Certificate +- Descriptive name: `authentik.company` +- Lifetime: `398` +- Common Name: `authentik.company` +- Certificate Type: `Server Certificate` All other field can be left blank. @@ -125,21 +122,19 @@ In pfSense, add your authentik LDAP server by going to your pfSense Web UI and c Change the following fields -- Descriptive name: LDAP authentik -- Hostname or IP address: `authentik.company` -- Port value: 636 -- Transport: SSL/TLS Encrypted -- Peer Certificate Authority: `pfSense CA` -- Base DN: `DC=ldap,DC=goauthentik,DC=io` -- Authentication containers: `OU=users,DC=ldap,DC=goauthentik,DC=io` -- Bind anonymous: **unticked** -- Bind credentials: - - User DN: `cn=pfsense-user,ou=users,dc=ldap,dc=goauthentik,dc=io` - - Password: `` -- Extended Query: &(objectClass=user) -- Allow unauthenticated bind: **unticked** - - +- Descriptive name: LDAP authentik +- Hostname or IP address: `authentik.company` +- Port value: 636 +- Transport: SSL/TLS Encrypted +- Peer Certificate Authority: `pfSense CA` +- Base DN: `DC=ldap,DC=goauthentik,DC=io` +- Authentication containers: `OU=users,DC=ldap,DC=goauthentik,DC=io` +- Bind anonymous: **unticked** +- Bind credentials: + - User DN: `cn=pfsense-user,ou=users,dc=ldap,dc=goauthentik,dc=io` + - Password: `` +- Extended Query: &(objectClass=user) +- Allow unauthenticated bind: **unticked** ## Test your setup 
@@ -147,18 +142,14 @@ In pfSense, you can validate the authentication backend setup by going to _Diagn You can use the credentials of an authentik user, pfSense will tell you if the connection was successful or not. If it is, congratulations, you can now change the pfSense default authentication backend. - - ## Change pfSense default authentication backend In pfSense, you can change the authentication backend used by the Web UI by going to _System/User Manager_ and then click on _Settings_ tab. -- Authentication Server: `LDAP authentik` - - +- Authentication Server: `LDAP authentik` ## Notes :::tip Secure LDAP more by creating a group for your `DN Bind` users and restricting the `Search group` of the LDAP Provider to them. -::: \ No newline at end of file +::: diff --git a/website/integrations/services/pgadmin/index.md b/website/integrations/services/pgadmin/index.md index bae10e35d..6596cc68e 100644 --- a/website/integrations/services/pgadmin/index.md +++ b/website/integrations/services/pgadmin/index.md 
@@ -18,31 +18,32 @@ This is based on authentik 2022.3.3 and pgAdmin4 v6.7 The following placeholders will be used: -- `pgadmin.company` is the FQDN of pgAdmin. -- `authentik.company` is the FQDN of authentik. - +- `pgadmin.company` is the FQDN of pgAdmin. +- `authentik.company` is the FQDN of authentik. ### Step 1: Create authentik Provider In authentik, under _Providers_, create an _OAuth2/OpenID Provider_ with these settings: **Provider Settings** -- Name: pgAdmin -- Client type: Confidential -- Client ID: Copy and Save this for Later -- Client Secret: Copy and Save this for later -- Redirect URIs/Origins: `http://pgadmin.company/oauth2/authorize` + +- Name: pgAdmin +- Client type: Confidential +- Client ID: Copy and Save this for Later +- Client Secret: Copy and Save this for later +- Redirect URIs/Origins: `http://pgadmin.company/oauth2/authorize` ### Step 2: Create authentik Application + In authentik, create an application which uses this provider. Optionally apply access restrictions to the application using policy bindings. -- Name: pgAdmin -- Slug: pgadmin -- Provider: pgAdmin -- Launch URL: https://pgadmin.company - +- Name: pgAdmin +- Slug: pgadmin +- Provider: pgAdmin +- Launch URL: https://pgadmin.company ### Step 3: Configure pgAdmin + All settings for OAuth in pgAdmin are configured in the `config_local.py` file. This file can usually be found in the path `/pgadmin4/config_local.py` :::note 
@@ -71,12 +72,14 @@ OAUTH2_CONFIG = [{ 'OAUTH2_BUTTON_COLOR' : '' }] ``` + In the code above the following placeholders have been used: -- ``: The name that is displayed on the Login Button -- ``: The Client ID from step 1 -- ``: The Client Secret from step 1 -- ``: An icon name from [fontawesome](https://fontawesome.com). Only brand icons seem to be supported. This icon is displayed in front of the ``. E.g.: _fa-github_. -- ``: Sets the color of the Login Button. Should be in Hex format, E.g.: _#fd4b2d_ + +- ``: The name that is displayed on the Login Button +- ``: The Client ID from step 1 +- ``: The Client Secret from step 1 +- ``: An icon name from [fontawesome](https://fontawesome.com). Only brand icons seem to be supported. This icon is displayed in front of the ``. E.g.: _fa-github_. +- ``: Sets the color of the Login Button. Should be in Hex format, E.g.: _#fd4b2d_ :::note To only allow authentication via authentik set `AUTHENTICATION_SOURCES` to _['oauth2']_. This should **only** be done once at least one user registered via authentik has been made an admin in pgAdmin. @@ -90,4 +93,4 @@ Finally, restart pgAdmin to apply the changes. :::note pgAdmin needs to be restarted **every** time changes to `config_local.py` are made -::: \ No newline at end of file +::: diff --git a/website/integrations/services/portainer/index.md b/website/integrations/services/portainer/index.md index b26713195..7eeb02217 100644 --- a/website/integrations/services/portainer/index.md +++ b/website/integrations/services/portainer/index.md 
@@ -11,15 +11,15 @@ Portainer is a powerful, GUI-based Container-as-a-Service solution that helps or ::: :::note -This is based on authentik 2021.7.3 and Portainer 2.6.x-CE. Portainer 2.6 supports OAuth without additional licenses, 1.x Series requires a paid license for OAuth. +This is based on authentik 2021.7.3 and Portainer 2.6.x-CE. Portainer 2.6 supports OAuth without additional licenses, 1.x Series requires a paid license for OAuth. ::: ## Preparation The following placeholders will be used: -- `port.company` is the FQDN of Portainer. -- `authentik.company` is the FQDN of authentik. +- `port.company` is the FQDN of Portainer. +- `authentik.company` is the FQDN of authentik. ### Step 1 - authentik 
@@ -30,29 +30,29 @@ Only settings that have been modified from default have been listed. ::: **Protocol Settings** -- Name: Portainer -- Client type: Confidential -- Client ID: Copy and Save this for Later -- Client Secret: Copy and Save this for later -- Redirect URIs/Origins: `https://port.company` +- Name: Portainer +- Client type: Confidential +- Client ID: Copy and Save this for Later +- Client Secret: Copy and Save this for later +- Redirect URIs/Origins: `https://port.company` ### Step 2 - Portainer In Portainer, under _Settings_, _Authentication_, Select _OAuth_ and _Custom_ -- Client ID: Client ID from step 1 -- Client Secret: Client Secret from step 1 -- Authorization URL: `https://authentik.company/application/o/authorize/` -- Access Token URL: `https://authentik.company/application/o/token/` -- Redirect URL: `https://port.company` -- Resource URL: `https://authentik.company/application/o/userinfo/` -- Logout URL: `https://authentik.company/application/o/portainer/end-session/` -- User Identifier: `email` -- Scopes: `email openid profile` +- Client ID: Client ID from step 1 +- Client Secret: Client Secret from step 1 +- Authorization URL: `https://authentik.company/application/o/authorize/` +- Access Token URL: `https://authentik.company/application/o/token/` +- Redirect URL: `https://port.company` +- Resource URL: `https://authentik.company/application/o/userinfo/` +- Logout URL: `https://authentik.company/application/o/portainer/end-session/` +- User Identifier: `email` +- Scopes: `email openid profile` :::note -Portainer by default shows commas between each item in the Scopes field. Do **NOT** use commas. Use a _space_ +Portainer by default shows commas between each item in the Scopes field. Do **NOT** use commas. Use a _space_ ::: ![](./port1.png) 
@@ -61,11 +61,10 @@ Portainer by default shows commas between each item in the Scopes field. Do **N In authentik, create an application which uses this provider. Optionally apply access restrictions to the application using policy bindings. -- Name: Portainer -- Slug: portainer -- Provider: Portainer -- Launch URL: https://port.company - +- Name: Portainer +- Slug: portainer +- Provider: Portainer +- Launch URL: https://port.company ## Notes diff --git a/website/integrations/services/powerdns-admin/index.md b/website/integrations/services/powerdns-admin/index.md index 0695be916..edfb8f801 100644 --- a/website/integrations/services/powerdns-admin/index.md +++ b/website/integrations/services/powerdns-admin/index.md @@ -1,5 +1,5 @@ --- -title: PowerDNS-Admin +title: PowerDNS-Admin --- ## What is PowerDNS-Admin @@ -14,17 +14,17 @@ A PowerDNS web interface with advanced features. The following placeholders will be used: -- `pdns-admin.company` is the FQDN of the PowerDNS-Admin install. -- `authentik.company` is the FQDN of the authentik install. +- `pdns-admin.company` is the FQDN of the PowerDNS-Admin install. +- `authentik.company` is the FQDN of the authentik install. Create a SAML provider with the following parameters: -- ACS URL: `https://pdns-admin.company/saml/authorized` -- Issuer: `https://authentik.company` -- Service Provider Binding: `Post` -- Audience: `pdns-admin` -- Signing Keypair: Select any certificate you have. -- Property mappings: Select all Managed mappings. +- ACS URL: `https://pdns-admin.company/saml/authorized` +- Issuer: `https://authentik.company` +- Service Provider Binding: `Post` +- Audience: `pdns-admin` +- Signing Keypair: Select any certificate you have. +- Property mappings: Select all Managed mappings. You can of course use a custom signing certificate, and adjust durations. 
@@ -58,14 +58,15 @@ SAML_CERT=/saml.crt You must mount the certificate selected in authentik as a file in the Docker container. The path in the container must match the path in the env variable `SAML_CERT`. ### docker-compose + ```yaml -version: '3.3' +version: "3.3" services: - powerdns-admin: - image: ngoduykhanh/powerdns-admin:latest - restart: always - ports: - - 80:80 - volumes: - - ./saml.crt:/saml.crt:ro -``` \ No newline at end of file + powerdns-admin: + image: ngoduykhanh/powerdns-admin:latest + restart: always + ports: + - 80:80 + volumes: + - ./saml.crt:/saml.crt:ro +``` diff --git a/website/integrations/services/proxmox-ve/index.md b/website/integrations/services/proxmox-ve/index.md index d3bf50281..d9934e8ee 100644 --- a/website/integrations/services/proxmox-ve/index.md +++ b/website/integrations/services/proxmox-ve/index.md @@ -14,22 +14,21 @@ Proxmox Virtual Environment is an open source server virtualization management s This requires Proxmox VE 7.0 or newer. ::: - ## Preparation The following placeholders will be used: -- `proxmox.company` is the FQDN of the Proxmox VE server. -- `authentik.company` is the FQDN of the authentik install. +- `proxmox.company` is the FQDN of the Proxmox VE server. +- `authentik.company` is the FQDN of the authentik install. ### Step 1 Under _Providers_, create an OAuth2/OpenID provider with these settings: -- Name: proxmox -- Client Type: Confidential -- JWT Algorithm: RS256 -- Redirect URI: `https://proxmox.company:8006` (Note the absence of the trailing slash, and the inclusion of the webinterface port) +- Name: proxmox +- Client Type: Confidential +- JWT Algorithm: RS256 +- Redirect URI: `https://proxmox.company:8006` (Note the absence of the trailing slash, and the inclusion of the webinterface port) ### Step 2 diff --git a/website/integrations/services/rancher/index.md b/website/integrations/services/rancher/index.md index 8bbcf6cf0..5f8650241 100644 --- a/website/integrations/services/rancher/index.md 
+++ b/website/integrations/services/rancher/index.md @@ -15,10 +15,10 @@ Rancher is a platform built to address the needs of the DevOps teams deploying a The following placeholders will be used: -- `rancher.company` is the FQDN of the Rancher install. -- `authentik.company` is the FQDN of the authentik install. +- `rancher.company` is the FQDN of the Rancher install. +- `authentik.company` is the FQDN of the authentik install. -Under *Property Mappings*, create a *SAML Property Mapping*. Give it a name like "SAML Rancher User ID". Set the SAML name to `rancherUidUsername` and the expression to the following +Under _Property Mappings_, create a _SAML Property Mapping_. Give it a name like "SAML Rancher User ID". Set the SAML name to `rancherUidUsername` and the expression to the following ```python return f"{user.pk}-{user.username}" 
@@ -26,27 +26,27 @@ return f"{user.pk}-{user.username}" Create an application in authentik. Create a SAML provider with the following parameters: -- ACS URL: `https://rancher.company/v1-saml/adfs/saml/acs` -- Audience: `https://rancher.company/v1-saml/adfs/saml/metadata` -- Issuer: `authentik` -- Service Provider Binding: `Post` -- Property mappings: Select all default mappings and the mapping you've created above. -- Signing Certificate: Select the authentik self-signed certificate. +- ACS URL: `https://rancher.company/v1-saml/adfs/saml/acs` +- Audience: `https://rancher.company/v1-saml/adfs/saml/metadata` +- Issuer: `authentik` +- Service Provider Binding: `Post` +- Property mappings: Select all default mappings and the mapping you've created above. +- Signing Certificate: Select the authentik self-signed certificate. You can of course use a custom signing certificate, and adjust durations. ## Rancher -In Rancher, navigate to *Global* -> *Security* -> *Authentication*, and select ADFS. +In Rancher, navigate to _Global_ -> _Security_ -> _Authentication_, and select ADFS. Fill in the fields -- Display Name Field: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name` -- User Name Field: `http://schemas.goauthentik.io/2021/02/saml/username` -- UID Field: `rancherUidUsername` -- Groups Field: `http://schemas.xmlsoap.org/claims/Group` +- Display Name Field: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name` +- User Name Field: `http://schemas.goauthentik.io/2021/02/saml/username` +- UID Field: `rancherUidUsername` +- Groups Field: `http://schemas.xmlsoap.org/claims/Group` -For the private key and certificate, you can either generate a new pair (in authentik, navigate to *Identity & Cryptography* -> *Certificates* and select Generate), or use an existing pair. +For the private key and certificate, you can either generate a new pair (in authentik, navigate to _Identity & Cryptography_ -> _Certificates_ and select Generate), or use an existing pair. 
Copy the metadata from authentik, and paste it in the metadata field. diff --git a/website/integrations/services/rocketchat/index.md b/website/integrations/services/rocketchat/index.md index 7152ce321..ec267649b 100644 --- a/website/integrations/services/rocketchat/index.md +++ b/website/integrations/services/rocketchat/index.md 
@@ -1,141 +1,144 @@ ---- -title: Rocket.chat ---- - -## What is Rocket.chat - -From https://github.com/RocketChat/Rocket.Chat - -:::note -Rocket.Chat is an open-source fully customizable communications platform developed in JavaScript for organizations with high standards of data protection. It is licensed under the MIT License with some other licenses mixed in. See [Rocket.chat Git Hub](https://github.com/RocketChat/Rocket.Chat/blob/develop/LICENSE) for licensing information. -::: - -:::note -This is based on authentik 2022.3.1 and Rocket.chat 4.5.1 using the [Docker-Compose install](https://docs.rocket.chat/quick-start/installing-and-updating/rapid-deployment-methods/docker-and-docker-compose/docker-containers). Instructions may differ between versions. -::: - -## Preparation - -The following placeholders will be used: - -- `rocket.company` is the FQDN of Rocket.chat. -- `authentik.company` is the FQDN of authentik. - -### Step 1 - -In authentik, under _Providers_, create an _OAuth2/OpenID Provider_ with these settings: - -:::note -Only settings that have been modified from default have been listed. -::: - -**Protocol Settings** -- Name: RocketChat -- Client type: Confidential -- Client ID: Copy and Save this for Later -- Client Secret: Copy and Save this for later -- Redirect URIs/Origins: -``` -https://rocket.company/_oauth/authentik - -``` - -![](./rocketchat1.png) - -### Step 2 - -In authentik, under _Applications_, create a new application with these settings: - -**Application Settings** -- Name: Rocket.chat -- Slug: rocketchat -- Provider: RocketChat -- Launch URL: -``` -https://rocket.company/_oauth/authentik - -``` - -![](./rocketchat2.png) - -### Step 3 - -:::note -Only settings that have been modified from default have been listed. - -You may have different settings for some of the group and role mapping for advanced configurations. The settings below are the base settings to connect authentik and Rocket.chat. 
-::: - -In Rocket.chat, follow the procedure below: - -1. Log in as a System Administrator, click on your avatar, and choose _Administration_ - -2. Scroll down and click on _OAuth_ - -3. In the top right corner, click _Add custom oauth_ - -4. Give your new oauth the name of _Authenik_, then click _Send_ - -![](./rocketchat6.png) - -5. Scroll down to the new OAuth application, expand the dropdown, and enter the following settings: - - Enable: Turn the radio button to the _on_ position - - URL: https://authentik.company/application/o - - Token Path: /token/ - - Token Sent Via: Payload - - Identity Token Sent Via: Same as "Token Sent Via" - - Identity Path: /userinfo/ - - Authorize Path: /authorize/ - - Scope: email profile openid - - Param Name for access token: access_token - - Id: _THIS IS THE CLIENT ID YOU COPIED FROM STEP 1 in authentik_ - - Secret: _THIS IS THE CLIENT SECRET YOU COPIED FROM STEP 1 in authentik_ - - Login Style: Redirect - - Button Text: _Fill in with what you want the SSO button to say_ - - Button Text Color: _Hex Color for Text on the SSO login button_ - - Button Color: _Hex Color for the SSO login button_ - - Key Field: Username - - Username field: preferred_username - - Email field: email - - Name field: name - - Roles/Groups field name: groups - - Roles/Groups field for channel mapping: groups - - User Data Group Map: rocket.cat - - Merge users: Turn the radio button to the _on_ position - - Show Button on Login Page: Turn the radio button to the _on_ position - - ![](./rocketchat7.png) - - ![](./rocketchat8.png) - - ![](./rocketchat9.png) - - ![](./rocketchat10.png) - -6. 
Click _Save changes_ in the top right corner of the screen - - - -### Step 4 (Optional) - -:::note -By default, Rocket.chat will attempt to use two-factor authentication with any new user coming in to the system and allows users to change their information -::: - -**To disable changing user information and other options inside Rocket.chat:** - -Navigate to the _Accounts_ settings to change the following: - -- Allow Name Change: Off -- Allow Username Change: Off -- Allow Email Change: Off -- Allow Password Change for OAuth Users: Off - -**If you are using Two Factor authentication through authentik:** - -Navigate to the _Accounts_ settings, Scroll Down to Two Factor Authentication and turn off _Enable Two Factor Authentication_ - -**Registration Options** -Navigate to the _Accounts_ settings, Scroll Down to Registration and choose your [registration options](https://docs.rocket.chat/guides/administration/settings/account-settings#registration), such as: - -- Registration Form: Disabled +--- +title: Rocket.chat +--- + +## What is Rocket.chat + +From https://github.com/RocketChat/Rocket.Chat + +:::note +Rocket.Chat is an open-source fully customizable communications platform developed in JavaScript for organizations with high standards of data protection. It is licensed under the MIT License with some other licenses mixed in. See [Rocket.chat Git Hub](https://github.com/RocketChat/Rocket.Chat/blob/develop/LICENSE) for licensing information. +::: + +:::note +This is based on authentik 2022.3.1 and Rocket.chat 4.5.1 using the [Docker-Compose install](https://docs.rocket.chat/quick-start/installing-and-updating/rapid-deployment-methods/docker-and-docker-compose/docker-containers). Instructions may differ between versions. +::: + +## Preparation + +The following placeholders will be used: + +- `rocket.company` is the FQDN of Rocket.chat. +- `authentik.company` is the FQDN of authentik. 
+ +### Step 1 + +In authentik, under _Providers_, create an _OAuth2/OpenID Provider_ with these settings: + +:::note +Only settings that have been modified from default have been listed. +::: + +**Protocol Settings** + +- Name: RocketChat +- Client type: Confidential +- Client ID: Copy and Save this for Later +- Client Secret: Copy and Save this for later +- Redirect URIs/Origins: + +``` +https://rocket.company/_oauth/authentik + +``` + +![](./rocketchat1.png) + +### Step 2 + +In authentik, under _Applications_, create a new application with these settings: + +**Application Settings** + +- Name: Rocket.chat +- Slug: rocketchat +- Provider: RocketChat +- Launch URL: + +``` +https://rocket.company/_oauth/authentik + +``` + +![](./rocketchat2.png) + +### Step 3 + +:::note +Only settings that have been modified from default have been listed. + +You may have different settings for some of the group and role mapping for advanced configurations. The settings below are the base settings to connect authentik and Rocket.chat. +::: + +In Rocket.chat, follow the procedure below: + +1. Log in as a System Administrator, click on your avatar, and choose _Administration_ + +2. Scroll down and click on _OAuth_ + +3. In the top right corner, click _Add custom oauth_ + +4. Give your new oauth the name of _Authenik_, then click _Send_ + +![](./rocketchat6.png) + +5. 
Scroll down to the new OAuth application, expand the dropdown, and enter the following settings: + + - Enable: Turn the radio button to the _on_ position + - URL: https://authentik.company/application/o + - Token Path: /token/ + - Token Sent Via: Payload + - Identity Token Sent Via: Same as "Token Sent Via" + - Identity Path: /userinfo/ + - Authorize Path: /authorize/ + - Scope: email profile openid + - Param Name for access token: access_token + - Id: _THIS IS THE CLIENT ID YOU COPIED FROM STEP 1 in authentik_ + - Secret: _THIS IS THE CLIENT SECRET YOU COPIED FROM STEP 1 in authentik_ + - Login Style: Redirect + - Button Text: _Fill in with what you want the SSO button to say_ + - Button Text Color: _Hex Color for Text on the SSO login button_ + - Button Color: _Hex Color for the SSO login button_ + - Key Field: Username + - Username field: preferred_username + - Email field: email + - Name field: name + - Roles/Groups field name: groups + - Roles/Groups field for channel mapping: groups + - User Data Group Map: rocket.cat + - Merge users: Turn the radio button to the _on_ position + - Show Button on Login Page: Turn the radio button to the _on_ position + + ![](./rocketchat7.png) + + ![](./rocketchat8.png) + + ![](./rocketchat9.png) + + ![](./rocketchat10.png) + +6. 
Click _Save changes_ in the top right corner of the screen + +### Step 4 (Optional) + +:::note +By default, Rocket.chat will attempt to use two-factor authentication with any new user coming in to the system and allows users to change their information +::: + +**To disable changing user information and other options inside Rocket.chat:** + +Navigate to the _Accounts_ settings to change the following: + +- Allow Name Change: Off +- Allow Username Change: Off +- Allow Email Change: Off +- Allow Password Change for OAuth Users: Off + +**If you are using Two Factor authentication through authentik:** + +Navigate to the _Accounts_ settings, Scroll Down to Two Factor Authentication and turn off _Enable Two Factor Authentication_ + +**Registration Options** +Navigate to the _Accounts_ settings, Scroll Down to Registration and choose your [registration options](https://docs.rocket.chat/guides/administration/settings/account-settings#registration), such as: + +- Registration Form: Disabled diff --git a/website/integrations/services/roundcube/index.md b/website/integrations/services/roundcube/index.md index 8ab5e4b87..10ab6471e 100644 --- a/website/integrations/services/roundcube/index.md +++ b/website/integrations/services/roundcube/index.md 
@@ -7,20 +7,20 @@ title: Roundcube From https://roundcube.net :::note -**Roundcube** is a browser-based multilingual IMAP client with an application-like user interface. -It provides full functionality you expect from an email client, including MIME support, address book, folder manipulation, message searching and spell checking +**Roundcube** is a browser-based multilingual IMAP client with an application-like user interface. +It provides full functionality you expect from an email client, including MIME support, address book, folder manipulation, message searching and spell checking ::: -This integration describes how to use Roundcube's oauth support with authentik to automatically sign into an email account. +This integration describes how to use Roundcube's oauth support with authentik to automatically sign into an email account. The mail server must support XOAUTH2 for both SMTPD and IMAP/POP. Postfix SMTP server can also use Dovecot for authentication which provides Postfix with xoauth2 capability without configuring it separately. ## Preperation The following placeholders will be used: -- `authentik.company` is the FQDN of the authentik install. +- `authentik.company` is the FQDN of the authentik install. -Create a new oauth2 Scope Mapping which does not return the 'group' values and associate this mapping +Create a new oauth2 Scope Mapping which does not return the 'group' values and associate this mapping in the provider settings instead of the default oauth mapping. Under _Property Mappings_, create a _Scope Mapping_. Give it a name like "oauth2-Scope-dovecot". Set the scope name to `dovecotprofile` and the expression to the following 
@@ -38,9 +38,9 @@ return { Create an application in authentik. Create an _OAuth2/OpenID Provider_ with the following parameters: -- Client Type: `Confidential` -- Scopes: OpenID, Email, and the scope you created above -- Signing Key: Select any available key +- Client Type: `Confidential` +- Scopes: OpenID, Email, and the scope you created above +- Signing Key: Select any available key ## Roundcube Configuration @@ -56,6 +56,7 @@ $config['oauth_scope'] = "email openid dovecotprofile"; $config['oauth_auth_parameters'] = []; $config['oauth_identity_fields'] = ['email']; ``` + ## Dovecot Configuration Add xoauth2 as an authentication mechanism and configure the following parameters in your Dovecot configuration. @@ -72,7 +73,7 @@ tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt ``` :::note -With this setup Dovecot can also be used with other email clients that support XOAUTH2 authentication, however +With this setup Dovecot can also be used with other email clients that support XOAUTH2 authentication, however most available software (including Fair Email for Android and Thunderbird) only come with support for Gmail, Outlook etc with no way to configure custom email servers. ::: @@ -81,6 +82,6 @@ Outlook etc with no way to configure custom email servers. Please refer to the following for further configuration information: -- https://roundcube.net -- https://github.com/roundcube/roundcubemail/wiki/Configuration:-OAuth2 -- https://doc.dovecot.org/configuration_manual/authentication/oauth2/ +- https://roundcube.net +- https://github.com/roundcube/roundcubemail/wiki/Configuration:-OAuth2 +- https://doc.dovecot.org/configuration_manual/authentication/oauth2/ diff --git a/website/integrations/services/sentry/index.md b/website/integrations/services/sentry/index.md index 24a33d5bf..b0484514d 100644 --- a/website/integrations/services/sentry/index.md +++ b/website/integrations/services/sentry/index.md 
@@ -18,20 +18,20 @@ better software faster with Sentry. Won’t you join them? The following placeholders will be used: -- `sentry.company` is the FQDN of the Sentry install. -- `authentik.company` is the FQDN of the authentik install. +- `sentry.company` is the FQDN of the Sentry install. +- `authentik.company` is the FQDN of the authentik install. Create an application in authentik. Create a SAML Provider with the following values -- ACS URL: `https://sentry.company/saml/acs//` -- Issuer: `authentik` -- Service Provider Binding: `Post` -- Audience: `https://sentry.company/saml/metadata//` +- ACS URL: `https://sentry.company/saml/acs//` +- Issuer: `authentik` +- Service Provider Binding: `Post` +- Audience: `https://sentry.company/saml/metadata//` -Under *Advanced protocol settings*, set the following: +Under _Advanced protocol settings_, set the following: -- Signing Certificate: Select any certificate. -- Property Mapping: Select all Managed Mappings +- Signing Certificate: Select any certificate. +- Property Mapping: Select all Managed Mappings ## Sentry @@ -45,8 +45,8 @@ In authentik, get the Metadata URL by right-clicking `Download Metadata` and sel On the next screen, input these Values -- IdP User ID: `http://schemas.goauthentik.io/2021/02/saml/uid` -- User Email: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` -- First Name: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name` +- IdP User ID: `http://schemas.goauthentik.io/2021/02/saml/uid` +- User Email: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` +- First Name: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name` After confirming, Sentry will authenticate with authentik, and you should be redirected back to a page confirming your settings. diff --git a/website/integrations/services/sonarr/index.md b/website/integrations/services/sonarr/index.md index 0c8a24956..212bd5a9b 100644 --- a/website/integrations/services/sonarr/index.md 
+++ b/website/integrations/services/sonarr/index.md @@ -18,18 +18,18 @@ Sonarr is a PVR for Usenet and BitTorrent users. It can monitor multiple RSS fee The following placeholders will be used: -- `sonarr.company` is the FQDN of the Sonarr install. -- `authentik.company` is the FQDN of the authentik install. +- `sonarr.company` is the FQDN of the Sonarr install. +- `authentik.company` is the FQDN of the authentik install. Create a Proxy Provider with the following values -- Internal host +- Internal host If Sonarr is running in docker, and you're deploying the authentik proxy on the same host, set the value to `http://sonarr:8989`, where sonarr is the name of your container. If Sonarr is running on a different server than where you are deploying the authentik proxy, set the value to `http://sonarr.company:8989`. -- External host +- External host Set this to the external URL you will be accessing Sonarr from. @@ -49,6 +49,7 @@ Because Sonarr can use HTTP Basic credentials, you can save your HTTP Basic Cred sonarr_user: username sonarr_password: password ``` + Add all Sonarr users to the Group. You should also create a Group Membership Policy to limit access to the application. Enable the `Use Basic Authentication` option. Set and `HTTP-Basic Username` and `HTTP-Basic Password` to `sonarr_user` and `sonarr_password` respectively. These values can be chosen freely, `sonarr_` is just used as a prefix for clarity. diff --git a/website/integrations/services/sssd/index.md b/website/integrations/services/sssd/index.md index e0bb57643..d4d4ea63f 100644 --- a/website/integrations/services/sssd/index.md +++ b/website/integrations/services/sssd/index.md 
@@ -24,17 +24,17 @@ Kerberos is also not supported. The following placeholders will be used: -- `authentik.company` is the FQDN of the authentik install. -- `ldap.baseDN` is the Base DN you configure in the LDAP provider. -- `ldap.domain` is (typically) an FQDN for your domain. Usually - it is just the components of your base DN. For example, if - `ldap.baseDN` is `dc=ldap,dc=goauthentik,dc=io` then the domain - might be `ldap.goauthentik.io`. -- `ldap.searchGroup` is the "Search Group" that can can see all - users and groups in authentik. -- `sssd.serviceAccount` is a service account created in authentik -- `sssd.serviceAccountToken` is the service account token generated - by authentik. +- `authentik.company` is the FQDN of the authentik install. +- `ldap.baseDN` is the Base DN you configure in the LDAP provider. +- `ldap.domain` is (typically) an FQDN for your domain. Usually + it is just the components of your base DN. For example, if + `ldap.baseDN` is `dc=ldap,dc=goauthentik,dc=io` then the domain + might be `ldap.goauthentik.io`. +- `ldap.searchGroup` is the "Search Group" that can can see all + users and groups in authentik. +- `sssd.serviceAccount` is a service account created in authentik +- `sssd.serviceAccountToken` is the service account token generated + by authentik. Create an LDAP Provider if you don't already have one setup. This guide assumes you will be running with TLS and that you've 
@@ -134,8 +134,8 @@ authentik is providing a simple LDAP server, not an Active Directory domain. Be sure you're looking at the correct sections in these guides. ::: -- https://sssd.io/docs/quick-start.html#quick-start-ldap -- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/configuring_services -- https://ubuntu.com/server/docs/service-sssd -- https://manpages.debian.org/unstable/sssd-ldap/sssd-ldap.5.en.html -- https://wiki.archlinux.org/title/LDAP_authentication +- https://sssd.io/docs/quick-start.html#quick-start-ldap +- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/configuring_services +- https://ubuntu.com/server/docs/service-sssd +- https://manpages.debian.org/unstable/sssd-ldap/sssd-ldap.5.en.html +- https://wiki.archlinux.org/title/LDAP_authentication diff --git a/website/integrations/services/tautulli/index.md b/website/integrations/services/tautulli/index.md index 4c6f4ec68..556175145 100644 --- a/website/integrations/services/tautulli/index.md +++ b/website/integrations/services/tautulli/index.md @@ -14,8 +14,8 @@ Tautulli is a 3rd party application that you can run alongside your Plex Media S The following placeholders will be used: -- `tautulli.company` is the FQDN of the Tautulli install. -- `authentik.company` is the FQDN of the authentik install. +- `tautulli.company` is the FQDN of the Tautulli install. +- `authentik.company` is the FQDN of the authentik install. ## authentik Setup 
@@ -30,13 +30,13 @@ Add all Tautulli users to the Group. You should also create a Group Membership P Create an application in authentik. Create a Proxy provider with the following parameters: -- Internal host +- Internal host If Tautulli is running in docker, and you're deploying the authentik proxy on the same host, set the value to `http://tautulli:3579`, where tautulli is the name of your container. If Tautulli is running on a different server to where you are deploying the authentik proxy, set the value to `http://tautulli.company:3579`. -- External host +- External host Set this to the external URL you will be accessing Tautulli from. diff --git a/website/integrations/services/ubuntu-landscape/index.md b/website/integrations/services/ubuntu-landscape/index.md index a05c4ca15..42f789356 100644 --- a/website/integrations/services/ubuntu-landscape/index.md +++ b/website/integrations/services/ubuntu-landscape/index.md @@ -18,8 +18,8 @@ This requires authentik 0.10.3 or newer. The following placeholders will be used: -- `landscape.company` is the FQDN of the Landscape server. -- `authentik.company` is the FQDN of the authentik install. +- `landscape.company` is the FQDN of the Landscape server. +- `authentik.company` is the FQDN of the authentik install. Landscape uses the OpenID-Connect Protocol for single-sign on. diff --git a/website/integrations/services/uptime-kuma/index.md b/website/integrations/services/uptime-kuma/index.md index 0ee075563..7a8424bfc 100644 --- a/website/integrations/services/uptime-kuma/index.md +++ b/website/integrations/services/uptime-kuma/index.md 
@@ -16,35 +16,36 @@ Uptime Kuma currently supports only a single user and no native SSO solution. To The following placeholders will be used: -- `uptime-kuma.company` is the FQDN of the Uptime Kuma install. -- `authentik.company` is the FQDN of the authentik install. +- `uptime-kuma.company` is the FQDN of the Uptime Kuma install. +- `authentik.company` is the FQDN of the authentik install. Create an application in authentik. Create a Proxy provider with the following parameters: -- Internal host +- Internal host - If Uptime Kuma is running in docker, and you're deploying the authentik proxy on the same host, set the value to `http://uptime-kuma:3001`, where uptime-kuma is the name of your container. - - If Uptime Kuma is running on a different server to where you are deploying the authentik proxy, set the value to `http://:3001`. + If Uptime Kuma is running in docker, and you're deploying the authentik proxy on the same host, set the value to `http://uptime-kuma:3001`, where uptime-kuma is the name of your container. -- External host + If Uptime Kuma is running on a different server to where you are deploying the authentik proxy, set the value to `http://:3001`. - `https://uptime-kuma.company` - Set this to the external URL you will be accessing Uptime Kuma from. +- External host -- Skip path regex + `https://uptime-kuma.company` + Set this to the external URL you will be accessing Uptime Kuma from. - Add the following regex rules to keep the public status page accessible without authentication. - ``` - ^/$ - ^/status - ^/assets/ - ^/assets - ^/icon.svg - ^/api/.* - ^/upload/.* - ^/metrics - ``` +- Skip path regex + + Add the following regex rules to keep the public status page accessible without authentication. + + ``` + ^/$ + ^/status + ^/assets/ + ^/assets + ^/icon.svg + ^/api/.* + ^/upload/.* + ^/metrics + ``` To avoid that all users get admin access to Uptime Kuma create a group in authentik for the admin user. 
Next set in authentik for the application under `Policy / Group / User Bindings` a group binding with the group created above. @@ -52,4 +53,4 @@ To avoid that all users get admin access to Uptime Kuma create a group in authen Disble auth from Uptime Kuma, go to `Settings` > `Advanced` > `Disable Auth` -To access the dashboard, open `https://uptime-kuma.company/dashboard`, this will start the login with authentik. You can also set this address as the Launch URL for the application. \ No newline at end of file +To access the dashboard, open `https://uptime-kuma.company/dashboard`, this will start the login with authentik. You can also set this address as the Launch URL for the application. diff --git a/website/integrations/services/veeam-enterprise-manager/index.md b/website/integrations/services/veeam-enterprise-manager/index.md index e4333a565..f709dc03b 100644 --- a/website/integrations/services/veeam-enterprise-manager/index.md +++ b/website/integrations/services/veeam-enterprise-manager/index.md @@ -14,8 +14,8 @@ Veeam Backup Enterprise Manager (Enterprise Manager) is a management and reporti The following placeholders will be used: -- `veeam.company` is the FQDN of the Veeam Enterprise Manager install. -- `authentik.company` is the FQDN of the authentik install. +- `veeam.company` is the FQDN of the Veeam Enterprise Manager install. +- `authentik.company` is the FQDN of the authentik install. You will need an existing group or multiple in authentik to assign roles in Veeam Enterprise Manager to. diff --git a/website/integrations/services/vikunja/index.md b/website/integrations/services/vikunja/index.md index 8cea6cdb5..3bdd9138c 100644 --- a/website/integrations/services/vikunja/index.md +++ b/website/integrations/services/vikunja/index.md 
@@ -18,8 +18,8 @@ This is based on authentik 2021.7.3 and Vikunja V0.17.1 using the Docker-Compose The following placeholders will be used: -- `vik.company` is the FQDN of Vikunja. -- `authentik.company` is the FQDN of authentik. +- `vik.company` is the FQDN of Vikunja. +- `authentik.company` is the FQDN of authentik. ### Step 1 @@ -30,11 +30,13 @@ Only settings that have been modified from default have been listed. ::: **Protocol Settings** -- Name: Vikunja -- Client type: Confidential -- Client ID: Copy and Save this for Later -- Client Secret: Copy and Save this for later -- Redirect URIs/Origins: + +- Name: Vikunja +- Client type: Confidential +- Client ID: Copy and Save this for Later +- Client Secret: Copy and Save this for later +- Redirect URIs/Origins: + ``` https://vik.company/auth/openid https://vik.company/auth/openid/Vikunja @@ -89,10 +91,10 @@ Vikunja Reference link: https://vikunja.io/docs/config-options/#auth In authentik, create an application which uses this provider. Optionally apply access restrictions to the application using policy bindings. -- Name: Vikunja -- Slug: vikunja -- Provider: vikunja -- Launch URL: https://vik.company +- Name: Vikunja +- Slug: vikunja +- Provider: vikunja +- Launch URL: https://vik.company ## Notes diff --git a/website/integrations/services/vmware-vcenter/index.md b/website/integrations/services/vmware-vcenter/index.md index 8201db561..5faeb3767 100644 --- a/website/integrations/services/vmware-vcenter/index.md +++ b/website/integrations/services/vmware-vcenter/index.md 
@@ -26,8 +26,8 @@ It seems that the vCenter still needs to be joined to the Active Directory Domai The following placeholders will be used: -- `vcenter.company` is the FQDN of the vCenter server. -- `authentik.company` is the FQDN of the authentik install. +- `vcenter.company` is the FQDN of the vCenter server. +- `authentik.company` is the FQDN of the authentik install. Since vCenter only allows OpenID-Connect in combination with Active Directory, it is recommended to have authentik sync with the same Active Directory. @@ -53,11 +53,11 @@ Under _Sources_, click _Edit_ and ensure that "authentik default Active Director Under _Providers_, create an OAuth2/OpenID provider with these settings: -- Client Type: Confidential -- JWT Algorithm: RS256 -- Redirect URI: `https://vcenter.company/ui/login/oauth2/authcode` -- Sub Mode: If your Email address Schema matches your UPN, select "Based on the User's Email...", otherwise select "Based on the User's UPN...". -- Scopes: Select the Scope Mapping you've created in Step 1 +- Client Type: Confidential +- JWT Algorithm: RS256 +- Redirect URI: `https://vcenter.company/ui/login/oauth2/authcode` +- Sub Mode: If your Email address Schema matches your UPN, select "Based on the User's Email...", otherwise select "Based on the User's UPN...". +- Scopes: Select the Scope Mapping you've created in Step 1 ![](./authentik_setup.png) diff --git a/website/integrations/services/weblate/index.md b/website/integrations/services/weblate/index.md index 440f3a200..baebb805e 100644 --- a/website/integrations/services/weblate/index.md +++ b/website/integrations/services/weblate/index.md 
@@ -10,21 +10,20 @@ From https://weblate.org/en/ Weblate is a copylefted libre software web-based continuous localization system, used by over 2500 libre projects and companies in more than 165 countries. ::: - ## Preparation The following placeholders will be used: -- `weblate.company` is the FQDN of the Weblate install. -- `authentik.company` is the FQDN of the authentik install. -- `weblate-slug` is the slug of the Weblate application +- `weblate.company` is the FQDN of the Weblate install. +- `authentik.company` is the FQDN of the authentik install. +- `weblate-slug` is the slug of the Weblate application Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters: -- ACS URL: `https://weblate.company/accounts/complete/saml/` -- Audience: `https://weblate.company/accounts/metadata/saml/` -- Service Provider Binding: Post -- Issuer: `https://authentik.company/application/saml/weblate-slug/sso/binding/redirect/` +- ACS URL: `https://weblate.company/accounts/complete/saml/` +- Audience: `https://weblate.company/accounts/metadata/saml/` +- Service Provider Binding: Post +- Issuer: `https://authentik.company/application/saml/weblate-slug/sso/binding/redirect/` You can of course use a custom signing certificate, and adjust durations. 
@@ -33,58 +32,66 @@ You can of course use a custom signing certificate, and adjust durations. We need to create some property mappings so our application will work. After you create the property mappings, assign them to the provider. ### Full name -* Name: `Weblate - Full name` -* SAML Attribute Name: `urn:oid:2.5.4.3` -* Expression + +- Name: `Weblate - Full name` +- SAML Attribute Name: `urn:oid:2.5.4.3` +- Expression + ```python return request.user.name ``` ### OID_USERID -* Name: `Weblate - OID_USERID` -* SAML Attribute Name: `urn:oid:0.9.2342.19200300.100.1.1` -* Expression + +- Name: `Weblate - OID_USERID` +- SAML Attribute Name: `urn:oid:0.9.2342.19200300.100.1.1` +- Expression + ```python return request.user.username ``` -### Username -* Name: `Weblate - Username` -* SAML Attribute Name: `username` -* Expression +### Username + +- Name: `Weblate - Username` +- SAML Attribute Name: `username` +- Expression + ```python return request.user.username ``` -### Email -* Name: `Weblate - Email` -* SAML Attribute Name: `email` -* Expression +### Email + +- Name: `Weblate - Email` +- SAML Attribute Name: `email` +- Expression + ```python return request.user.email ``` -## Weblate configuration +## Weblate configuration The variables bellow need to be set, depending on if you deploy in a container or not you can take a look at the following links -* https://docs.weblate.org/en/latest/admin/config.html#config -* https://docs.weblate.org/en/latest/admin/install/docker.html#docker-environment +- https://docs.weblate.org/en/latest/admin/config.html#config +- https://docs.weblate.org/en/latest/admin/install/docker.html#docker-environment Variables to set -* ENABLE_HTTPS: `1` -* SAML_IDP_ENTITY_ID: `https://authentik.company/application/saml/weblate-slug/sso/binding/redirect/` -* SAML_IDP_URL: `https://authentik.company/application/saml/weblate-slug/sso/binding/redirect/` -* SAML_IDP_X509CERT: 
`MIIFDjCCAvagAwIBAgIRAJV8hH0wGkhGvbhhDKppWIYwDQYJKoZIhvcNAQELBQAw....F9lT9hHwHhsnA=` +- ENABLE_HTTPS: `1` +- SAML_IDP_ENTITY_ID: `https://authentik.company/application/saml/weblate-slug/sso/binding/redirect/` +- SAML_IDP_URL: `https://authentik.company/application/saml/weblate-slug/sso/binding/redirect/` +- SAML_IDP_X509CERT: `MIIFDjCCAvagAwIBAgIRAJV8hH0wGkhGvbhhDKppWIYwDQYJKoZIhvcNAQELBQAw....F9lT9hHwHhsnA=` The `SAML_IDP_X509CERT` is the certificate in the SAML Metadata `X509Certificate` key. Should you wish to only allow registration and login through Authentik, you should set the following variables as well. -* REGISTRATION_OPEN: `0` -* REGISTRATION_ALLOW_BACKENDS: `saml` -* REQUIRE_LOGIN: `1` -* NO_EMAIL_AUTH: `1` +- REGISTRATION_OPEN: `0` +- REGISTRATION_ALLOW_BACKENDS: `saml` +- REQUIRE_LOGIN: `1` +- NO_EMAIL_AUTH: `1` Should you wish to deploy this in a container prefix all the variables with `WEBLATE_` and set them as enviornment variables diff --git a/website/integrations/services/wekan/index.mdx b/website/integrations/services/wekan/index.mdx index 4560eeaf4..9b2f7f3d9 100644 --- a/website/integrations/services/wekan/index.mdx +++ b/website/integrations/services/wekan/index.mdx 
@@ -14,22 +14,22 @@ Wekan is an open-source kanban board which allows a card-based task and to-do ma The following placeholders will be used: -- `wekan.company` is the FQDN of the wekan install. -- `authentik.company` is the FQDN of the authentik install. +- `wekan.company` is the FQDN of the wekan install. +- `authentik.company` is the FQDN of the authentik install. Create an application in authentik. Create an OAuth2/OpenID provider with the following parameters: -- Client Type: `Confidential` -- Scopes: OpenID, Email and Profile -- Signing Key: Select any available key -- Redirect URIs: `https://wekan.company/_oauth/oidc` +- Client Type: `Confidential` +- Scopes: OpenID, Email and Profile +- Signing Key: Select any available key +- Redirect URIs: `https://wekan.company/_oauth/oidc` Note the Client ID and Client Secret values. Create an application, using the provider you've created above. Note the slug of the application you've created. ## Wekan -import Tabs from '@theme/Tabs'; -import TabItem from '@theme/TabItem'; +import Tabs from "@theme/Tabs"; +import TabItem from "@theme/TabItem"; - OAUTH2_SERVER_URL=https://authentik.company - OAUTH2_AUTH_ENDPOINT=/application/o/authorize/ - OAUTH2_USERINFO_ENDPOINT=/application/o/userinfo/ - OAUTH2_TOKEN_ENDPOINT=/application/o/token/ - OAUTH2_SECRET= - OAUTH2_ID_MAP=preferred_username - OAUTH2_USERNAME_MAP=preferred_username - OAUTH2_FULLNAME_MAP=given_name - OAUTH2_EMAIL_MAP=email +environment: OAUTH2_ENABLED=true + OAUTH2_LOGIN_STYLE=redirect + OAUTH2_CLIENT_ID= + OAUTH2_SERVER_URL=https://authentik.company + OAUTH2_AUTH_ENDPOINT=/application/o/authorize/ + OAUTH2_USERINFO_ENDPOINT=/application/o/userinfo/ + OAUTH2_TOKEN_ENDPOINT=/application/o/token/ + OAUTH2_SECRET= + OAUTH2_ID_MAP=preferred_username + OAUTH2_USERNAME_MAP=preferred_username + OAUTH2_FULLNAME_MAP=given_name + OAUTH2_EMAIL_MAP=email ``` + 
@@ -75,5 +75,6 @@ edit `.env` and add the following: OAUTH2_FULLNAME_MAP='given_name' OAUTH2_EMAIL_MAP='email' ``` + diff --git a/website/integrations/services/wiki-js/index.md b/website/integrations/services/wiki-js/index.md index 0f1ad8501..a26325015 100644 --- a/website/integrations/services/wiki-js/index.md +++ b/website/integrations/services/wiki-js/index.md @@ -18,8 +18,8 @@ This is based on authentik 2021.3 and Wiki.js 2.5. Instructions may differ betwe The following placeholders will be used: -- `wiki.company` is the FQDN of Wiki.js. -- `authentik.company` is the FQDN of authentik. +- `wiki.company` is the FQDN of Wiki.js. +- `authentik.company` is the FQDN of authentik. ### Step 1 @@ -31,12 +31,12 @@ Add a _Generic OpenID Connect / OAuth2_ strategy and note the _Callback URL / Re In authentik, under _Providers_, create an _OAuth2/OpenID Provider_ with these settings: -- Client Type: Confidential -- JWT Algorithm: RS256 -- Redirect URI: The _Callback URL / Redirect URI_ you noted from the previous step. -- Scopes: Default OAUth mappings for: OpenID, email, profile. -- Signing Key: Select any available key -- Sub Mode: Based on username. +- Client Type: Confidential +- JWT Algorithm: RS256 +- Redirect URI: The _Callback URL / Redirect URI_ you noted from the previous step. +- Scopes: Default OAUth mappings for: OpenID, email, profile. +- Signing Key: Select any available key +- Sub Mode: Based on username. Note the _client ID_ and _client secret_, then save the provider. If you need to retrieve these values, you can do so by editing the provider. 
@@ -46,15 +46,15 @@ Note the _client ID_ and _client secret_, then save the provider. If you need to In Wiki.js, configure the authentication strategy with these settings: -- Client ID: Client ID from the authentik provider. -- Client Secret: Client Secret from the authentik provider. -- Authorization Endpoint URL: https://authentik.company/application/o/authorize/ -- Token Endpoint URL: https://authentik.company/application/o/token/ -- User Info Endpoint URL: https://authentik.company/application/o/userinfo/ -- Issuer: https://authentik.company/application/o/wikijs/ -- Logout URL: https://authentik.company/application/o/wikijs/end-session/ -- Allow self-registration: Enabled -- Assign to group: The group to which new users logging in from authentik should be assigned. +- Client ID: Client ID from the authentik provider. +- Client Secret: Client Secret from the authentik provider. +- Authorization Endpoint URL: https://authentik.company/application/o/authorize/ +- Token Endpoint URL: https://authentik.company/application/o/token/ +- User Info Endpoint URL: https://authentik.company/application/o/userinfo/ +- Issuer: https://authentik.company/application/o/wikijs/ +- Logout URL: https://authentik.company/application/o/wikijs/end-session/ +- Allow self-registration: Enabled +- Assign to group: The group to which new users logging in from authentik should be assigned. ![](./wiki-js_strategy.png) @@ -69,4 +69,3 @@ In authentik, create an application which uses this provider. Optionally apply a Set the Launch URL to the _Callback URL / Redirect URI_ without the `/callback` at the end, as shown below. This will skip Wiki.js' login prompt and log you in directly. ![](./authentik_application.png) - diff --git a/website/integrations/services/wordpress/index.md b/website/integrations/services/wordpress/index.md index b1a7bee70..2131dcc3c 100644 --- a/website/integrations/services/wordpress/index.md +++ b/website/integrations/services/wordpress/index.md 
@@ -11,15 +11,15 @@ WordPress is a free and open-source content management system written in PHP and ::: :::note -There are many different plugins for Wordpress that allow you to setup SSO using different authentication methods. The plugin that is explained in this tutorial is "OpenID Connect Generic" version 3.8.5 by daggerhart. This plugin uses OpenID/OAUTH2 and is free without paywalls or subscriptions at the time of writing this. The plugin is available for free in the Wordpress Plugin gallery. +There are many different plugins for Wordpress that allow you to setup SSO using different authentication methods. The plugin that is explained in this tutorial is "OpenID Connect Generic" version 3.8.5 by daggerhart. This plugin uses OpenID/OAUTH2 and is free without paywalls or subscriptions at the time of writing this. The plugin is available for free in the Wordpress Plugin gallery. ::: ## Preparation The following placeholders will be used: -- `wp.company` is the FQDN of Wordpress. -- `authentik.company` is the FQDN of authentik. +- `wp.company` is the FQDN of Wordpress. +- `authentik.company` is the FQDN of authentik. ### Step 1 - authentik @@ -30,12 +30,12 @@ Only settings that have been modified from default have been listed. ::: **Protocol Settings** -- Name: Wordpress -- Client type: Confidential -- Client ID: Copy and Save this for Later -- Client Secret: Copy and Save this for later -- Redirect URIs/Origins: `https://wp.company/wp-admin/admin-ajax.php?action=openid-connect-authorize` +- Name: Wordpress +- Client type: Confidential +- Client ID: Copy and Save this for Later +- Client Secret: Copy and Save this for later +- Redirect URIs/Origins: `https://wp.company/wp-admin/admin-ajax.php?action=openid-connect-authorize` ### Step 2 - Wordpress 
@@ -49,29 +49,27 @@ In Wordpress, under _Settings_, Select _OpenID Connect Client_ Only settings that have been modified from default have been listed. ::: -- Login Type: OpenID Connect Button on Login (This option display a button to login using OpenID as well as local WP login) -- Client ID: Client ID from step 1 -- Client Secret: Client Secret from step 1 -- OpenID Scope: `email profile openid` -- Login Endpoint URL: `https://authentik.company/application/o/authorize/` -- Userinfo Endpoint URL: `https://authentik.company/application/o/userinfo/` -- Token Validation Endpoint URL: `https://authentik.company/application/o/token/` -- End Session Endpoint URL: `https://authentik.company/application/o/wordpress/end-session/` - +- Login Type: OpenID Connect Button on Login (This option display a button to login using OpenID as well as local WP login) +- Client ID: Client ID from step 1 +- Client Secret: Client Secret from step 1 +- OpenID Scope: `email profile openid` +- Login Endpoint URL: `https://authentik.company/application/o/authorize/` +- Userinfo Endpoint URL: `https://authentik.company/application/o/userinfo/` +- Token Validation Endpoint URL: `https://authentik.company/application/o/token/` +- End Session Endpoint URL: `https://authentik.company/application/o/wordpress/end-session/` :::note -Review each setting and choose the ones that you require for your installation. Examples of popular settings are _Link Existing Users_, _Create user if does not exist_, and _Enforce Privacy_ +Review each setting and choose the ones that you require for your installation. Examples of popular settings are _Link Existing Users_, _Create user if does not exist_, and _Enforce Privacy_ ::: ### Step 3 - authentik In authentik, create an application which uses this provider. Optionally apply access restrictions to the application using policy bindings. 
-- Name: Wordpress -- Slug: wordpress -- Provider: wordpress -- Launch URL: https://wp.company - +- Name: Wordpress +- Slug: wordpress +- Provider: wordpress +- Launch URL: https://wp.company ## Notes diff --git a/website/integrations/services/zabbix/index.md b/website/integrations/services/zabbix/index.md index 23e5ae6ea..f4d16f994 100644 --- a/website/integrations/services/zabbix/index.md +++ b/website/integrations/services/zabbix/index.md @@ -16,20 +16,20 @@ Zabbix is Open Source and comes at no cost. The following placeholders will be used: -- `zabbix.company` is the FQDN of the Zabbix install. -- `authentik.company` is the FQDN of the authentik install. +- `zabbix.company` is the FQDN of the Zabbix install. +- `authentik.company` is the FQDN of the authentik install. Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters: -- ACS URL: `https://zabbix.company/zabbix/index_sso.php?acs` -- Issuer: `zabbix` -- Service Provider Binding: Post +- ACS URL: `https://zabbix.company/zabbix/index_sso.php?acs` +- Issuer: `zabbix` +- Service Provider Binding: Post You can of course use a custom signing certificate, and adjust durations. ## Zabbix Configuration -Navigate to `https://zabbix.company/zabbix/zabbix.php?action=authentication.edit` and select SAML settings to configure SAML. +Navigate to `https://zabbix.company/zabbix/zabbix.php?action=authentication.edit` and select SAML settings to configure SAML. Check the box to enable SAML authentication. @@ -61,4 +61,3 @@ For additional security you can enable the Verification Certificate by checking ``` $SSO['IDP_CERT'] = ''; ``` - diff --git a/website/integrations/services/zulip/index.md b/website/integrations/services/zulip/index.md index 306d5730d..3c9e27da4 100644 --- a/website/integrations/services/zulip/index.md +++ b/website/integrations/services/zulip/index.md 
@@ -8,28 +8,28 @@ From https://zulip.com :::note **Zulip**: Chat for distributed teams. Zulip combines the immediacy of real-time chat with an email threading model. -With Zulip, you can catch up on important conversations while ignoring irrelevant ones. +With Zulip, you can catch up on important conversations while ignoring irrelevant ones. ::: ## Preperation The following placeholders will be used: -- `authentik.company` is the FQDN of the authentik install. -- `zulip.company` is the FQDN of the Zulip instance. +- `authentik.company` is the FQDN of the authentik install. +- `zulip.company` is the FQDN of the Zulip instance. Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters: -- ACS URL: `https://zulip.company/complete/saml/` -- Issuer: `https://authentik.company` -- Service Provider Binding: `Post` -- Signing Keypair: Select any certificate you have. -- Property mappings: Select all Managed mappings. +- ACS URL: `https://zulip.company/complete/saml/` +- Issuer: `https://authentik.company` +- Service Provider Binding: `Post` +- Signing Keypair: Select any certificate you have. +- Property mappings: Select all Managed mappings. ## Zulip Configuration Zulip is a Django application and is configured using `/etc/zulip/settings.py`. Only settings that differ -from the defaults are displayed below. Please make sure you have the latest `settings.py` file as more settings +from the defaults are displayed below. Please make sure you have the latest `settings.py` file as more settings might have been added to defaults since you installed Zulip. Uncomment `zproject.backends.SAMLAuthBackend` inside the `AUTHENTICATION_BACKENDS` parameter to enable SAML support 
@@ -47,7 +47,7 @@ SOCIAL_AUTH_SAML_ORG_INFO = { SOCIAL_AUTH_SAML_ENABLED_IDPS: Dict[str, Any] = { # idp identifier and settings "authentik": { - + # KEEP OTHER SETTINGS AS DEFAULT OR CONFIGURE THEM ACCORDING TO YOUR PREFERENCES "entity_id": "https://authentik.company", "url": "https://authentik.company/application/saml//sso/binding/redirect/", @@ -57,16 +57,17 @@ SOCIAL_AUTH_SAML_ENABLED_IDPS: Dict[str, Any] = { ``` -Place the certificate you associated with the SAML provider in authentik inside the `/etc/zulip/saml/idps` directory. +Place the certificate you associated with the SAML provider in authentik inside the `/etc/zulip/saml/idps` directory. The certificate file name must match the idp identifier name you set in the configuration (i.e. authentik.crt). :::note Remember to restart Zulip. ::: + ## Additional Resources Please refer to the following for further information: -- https://zulip.com/ -- https://zulip.readthedocs.io -- https://chat.zulip.org/ (Official public Zulip Chat instance) +- https://zulip.com/ +- https://zulip.readthedocs.io +- https://chat.zulip.org/ (Official public Zulip Chat instance) diff --git a/website/integrations/sources/active-directory/index.md b/website/integrations/sources/active-directory/index.md index a5773272a..a590eab5f 100644 --- a/website/integrations/sources/active-directory/index.md +++ b/website/integrations/sources/active-directory/index.md @@ -6,8 +6,8 @@ title: Active Directory The following placeholders will be used: -- `ad.company` is the Name of the Active Directory domain. -- `authentik.company` is the FQDN of the authentik install. +- `ad.company` is the Name of the Active Directory domain. +- `authentik.company` is the FQDN of the authentik install. ## Active Directory setup 
@@ -27,7 +27,7 @@ The following placeholders will be used: ![](./02_delegate.png) -7. Grant these additional permissions (only required when *Sync users' password* is enabled, and dependent on your AD Domain) +7. Grant these additional permissions (only required when _Sync users' password_ is enabled, and dependent on your AD Domain) ![](./03_additional_perms.png) @@ -39,7 +39,7 @@ In authentik, create a new LDAP Source in Directory -> Federation & Social login Use these settings: -- Server URI: `ldap://ad.company` +- Server URI: `ldap://ad.company` For authentik to be able to write passwords back to Active Directory, make sure to use `ldaps://`. You can test to verify LDAPS is working using `ldp.exe`. 
@@ -47,20 +47,20 @@ Use these settings: When using a DNS entry with multiple Records, authentik will select a random entry when first connecting. -- Bind CN: `@ad.company` -- Bind Password: The password you've given the user above -- Base DN: The base DN which you want authentik to sync -- Property mappings: Control/Command-select all Mappings which start with "authentik default LDAP" and "authentik default Active Directory" -- Group property mappings: Select "authentik default LDAP Mapping: Name" +- Bind CN: `@ad.company` +- Bind Password: The password you've given the user above +- Base DN: The base DN which you want authentik to sync +- Property mappings: Control/Command-select all Mappings which start with "authentik default LDAP" and "authentik default Active Directory" +- Group property mappings: Select "authentik default LDAP Mapping: Name" Additional settings that might need to be adjusted based on the setup of your domain: -- Group: If enabled, all synchronized groups will be given this group as a parent. -- Addition User/Group DN: Additional DN which is _prepended_ to your Base DN configured above to limit the scope of synchronization for Users and Groups -- User object filter: Which objects should be considered users. For Active Directory set it to `(&(objectClass=user)(!(objectClass=computer)))` to exclude Computer accounts. -- Group object filter: Which objects should be considered groups. -- Group membership field: Which user field saves the group membership -- Object uniqueness field: A user field which contains a unique Identifier +- Group: If enabled, all synchronized groups will be given this group as a parent. +- Addition User/Group DN: Additional DN which is _prepended_ to your Base DN configured above to limit the scope of synchronization for Users and Groups +- User object filter: Which objects should be considered users. For Active Directory set it to `(&(objectClass=user)(!(objectClass=computer)))` to exclude Computer accounts. 
+- Group object filter: Which objects should be considered groups. +- Group membership field: Which user field saves the group membership +- Object uniqueness field: A user field which contains a unique Identifier After you save the source, a synchronization will start in the background. When its done, you can see the summary under Dashboards -> System Tasks. diff --git a/website/integrations/sources/apple/index.md b/website/integrations/sources/apple/index.md index 4950d5225..27656fa9a 100644 --- a/website/integrations/sources/apple/index.md +++ b/website/integrations/sources/apple/index.md @@ -12,7 +12,7 @@ An Apple developer account is required for this. The following placeholders will be used: -- `authentik.company` is the FQDN of the authentik install. +- `authentik.company` is the FQDN of the authentik install. ## Apple diff --git a/website/integrations/sources/azure-ad/index.md b/website/integrations/sources/azure-ad/index.md index 2a0b4db84..a6dda53c6 100644 --- a/website/integrations/sources/azure-ad/index.md +++ b/website/integrations/sources/azure-ad/index.md 
@@ -6,38 +6,40 @@ title: Azure AD The following placeholders will be used: -- `authentik.company` is the FQDN of the authentik install. +- `authentik.company` is the FQDN of the authentik install. ## Azure setup -1. Navigate to [portal.azure.com](https://portal.azure.com), and open the *App registration* service +1. Navigate to [portal.azure.com](https://portal.azure.com), and open the _App registration_ service 2. Register a new application - Under *Supported account types*, select whichever account type applies to your use-case. + Under _Supported account types_, select whichever account type applies to your use-case. ![](./aad_01.png) -3. Take note of the *Application (client) ID* value. - If you selected *Single tenant* in the *Supported account types* prompt, also note the *Directory (tenant) ID* value. -4. Navigate to *Certificates & secrets* in the sidebar, and to the *Client secrets* tab. +3. Take note of the _Application (client) ID_ value. + + If you selected _Single tenant_ in the _Supported account types_ prompt, also note the _Directory (tenant) ID_ value. + +4. Navigate to _Certificates & secrets_ in the sidebar, and to the _Client secrets_ tab. 5. Add a new secret, with an identifier of your choice, and select any expiration. Currently the secret in authentik has to be rotated manually or via API, so it is recommended to choose at least 12 months. -6. Note the secret's value in the *Value* column. +6. Note the secret's value in the _Value_ column. ## authentik Setup -In authentik, create a new *Azure AD OAuth Source* in Resources -> Sources. +In authentik, create a new _Azure AD OAuth Source_ in Resources -> Sources. 
Use the following settings: -- Name: `Azure AD` -- Slug: `azure-ad` (this must match the URL being used above) -- Consumer key: `*Application (client) ID* value from above` -- Consumer secret: `*Value* of the secret from above` +- Name: `Azure AD` +- Slug: `azure-ad` (this must match the URL being used above) +- Consumer key: `*Application (client) ID* value from above` +- Consumer secret: `*Value* of the secret from above` -If you kept the default *Supported account types* selection of *Single tenant*, then you must change the URLs below as well: +If you kept the default _Supported account types_ selection of _Single tenant_, then you must change the URLs below as well: -- Authorization URL: `https://login.microsoftonline.com/*Directory (tenant) ID* from above/oauth2/v2.0/authorize` -- Access token URL: `https://login.microsoftonline.com/*Directory (tenant) ID* from above/oauth2/v2.0/token` +- Authorization URL: `https://login.microsoftonline.com/*Directory (tenant) ID* from above/oauth2/v2.0/authorize` +- Access token URL: `https://login.microsoftonline.com/*Directory (tenant) ID* from above/oauth2/v2.0/token` ![](./authentik_01.png) diff --git a/website/integrations/sources/discord/index.md b/website/integrations/sources/discord/index.md index 8cc550cd1..9be0c8e22 100644 --- a/website/integrations/sources/discord/index.md +++ b/website/integrations/sources/discord/index.md @@ -8,8 +8,7 @@ Allows users to authenticate using their Discord credentials The following placeholders will be used: -- `authentik.company` is the FQDN of the authentik install. - +- `authentik.company` is the FQDN of the authentik install. ## Discord diff --git a/website/integrations/sources/freeipa/index.md b/website/integrations/sources/freeipa/index.md index 193521c33..434e1d3e9 100644 --- a/website/integrations/sources/freeipa/index.md +++ b/website/integrations/sources/freeipa/index.md 
@@ -6,9 +6,9 @@ title: FreeIPA The following placeholders will be used: -- `svc_authentik` is the name of the bind account. -- `freeipa.company` is the Name of the domain. -- `ipa1.freeipa.company` is the Name of the FreeIPA server. +- `svc_authentik` is the name of the bind account. +- `freeipa.company` is the Name of the domain. +- `ipa1.freeipa.company` is the Name of the FreeIPA server. ## FreeIPA Setup 
@@ -40,31 +40,32 @@ The following placeholders will be used: Additional info: [22.1.2. Enabling Password Reset Without Prompting for a Password Change at the Next Login](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/user-authentication#user-passwords-no-expiry) ## authentik Setup + In authentik, create a new LDAP Source in Resources -> Sources. Use these settings: -- Server URI: `ldaps://ipa1.freeipa.company` +- Server URI: `ldaps://ipa1.freeipa.company` You can specify multiple servers by separating URIs with a comma, like `ldap://ipa1.freeipa.company,ldap://ipa2.freeipa.company`. When using a DNS entry with multiple Records, authentik will select a random entry when first connecting. -- Bind CN: `uid=svc_authentik,cn=users,cn=accounts,dc=freeipa,dc=company` -- Bind Password: The password you've given the user above -- Base DN: `dc=freeipa,dc=company` -- Property mappings: Control/Command-select all Mappings which start with "authentik default LDAP" and "authentik default OpenLDAP" -- Group property mappings: Select "authentik default OpenLDAP Mapping: cn" +- Bind CN: `uid=svc_authentik,cn=users,cn=accounts,dc=freeipa,dc=company` +- Bind Password: The password you've given the user above +- Base DN: `dc=freeipa,dc=company` +- Property mappings: Control/Command-select all Mappings which start with "authentik default LDAP" and "authentik default OpenLDAP" +- Group property mappings: Select "authentik default OpenLDAP Mapping: cn" Additional settings: -- Group: If selected, all synchronized groups will be given this group as a parent. 
-- Addition User/Group DN: `cn=users,cn=accounts` -- Addition Group DN: `cn=groups,cn=accounts` -- User object filter: `(objectClass=person)` -- Group object filter: `(objectClass=groupofnames)` -- Group membership field: `member` -- Object uniqueness field: `ipaUniqueID` +- Group: If selected, all synchronized groups will be given this group as a parent. +- Addition User/Group DN: `cn=users,cn=accounts` +- Addition Group DN: `cn=groups,cn=accounts` +- User object filter: `(objectClass=person)` +- Group object filter: `(objectClass=groupofnames)` +- Group membership field: `member` +- Object uniqueness field: `ipaUniqueID` ![](./04_source_settings_1.png) ![](./05_source_settings_2.png) diff --git a/website/integrations/sources/github/index.md b/website/integrations/sources/github/index.md index 0a4c265cb..e038ea007 100644 --- a/website/integrations/sources/github/index.md +++ b/website/integrations/sources/github/index.md @@ -8,8 +8,8 @@ Allows users to authenticate using their Github credentials The following placeholders will be used: -- `authentik.company` is the FQDN of the authentik install. -- `www.my.company` Homepage URL for your site +- `authentik.company` is the FQDN of the authentik install. +- `www.my.company` Homepage URL for your site ## Github @@ -27,7 +27,7 @@ Example screenshot ![Example Screen](githubdeveloperexample.png) 6. Copy the **Client ID** and _save it for later_ -7. Click **Generate a new client secret** and _save it for later_ You will not be able to see the secret again, so be sure to copy it now. +7. Click **Generate a new client secret** and _save it for later_ You will not be able to see the secret again, so be sure to copy it now. ## authentik 
@@ -35,7 +35,7 @@ Example screenshot 9. **Name**: Choose a name (For the example I use Github) 10. **Slug**: github (If you choose a different slug the URLs will need to be updated to reflect the change) -11. **Consumer Key:** Client ID from step 6 +11. **Consumer Key:** Client ID from step 6 12. **Consumer Secret:** Client Secret from step 7 13. **Provider Type:** Github diff --git a/website/integrations/sources/google/index.md b/website/integrations/sources/google/index.md index dc752ddbc..73aa18dd5 100644 --- a/website/integrations/sources/google/index.md +++ b/website/integrations/sources/google/index.md @@ -8,11 +8,11 @@ Allows users to authenticate using their Google credentials The following placeholders will be used: -- `authentik.company` is the FQDN of the authentik install. +- `authentik.company` is the FQDN of the authentik install. ## Google -You will need to create a new project, and OAuth credentials in the Google Developer console. The developer console can be overwhelming at first. +You will need to create a new project, and OAuth credentials in the Google Developer console. The developer console can be overwhelming at first. 1. Visit https://console.developers.google.com/ to create a new project 2. Create a New project. @@ -27,7 +27,7 @@ You will need to create a new project, and OAuth credentials in the Google Devel 6. Click **Create** 7. Choose your project from the drop down at the top -8. Click the **Credentials** menu item on the left. It looks like a key. +8. Click the **Credentials** menu item on the left. It looks like a key. ![Example Screen](googledeveloper3.png) 
@@ -35,8 +35,7 @@ You will need to create a new project, and OAuth credentials in the Google Devel ![Example Screen](googledeveloper4.png) - -10. **User Type:** If you do not have a Google Workspace (GSuite) account choose _External_. If you do have a Google Workspace (Gsuite) account and want to limit access to only users inside of your organization choose _Internal_ +10. **User Type:** If you do not have a Google Workspace (GSuite) account choose _External_. If you do have a Google Workspace (Gsuite) account and want to limit access to only users inside of your organization choose _Internal_ _I'm only going to list the mandatory/important fields to complete._ @@ -45,9 +44,9 @@ _I'm only going to list the mandatory/important fields to complete._ 13. **Authorized Domains:** authentik.company 14. **Developer Contact Info:** Must have a value 15. Click **Save and Continue** -16. If you have special scopes configured for google, enter them on this screen. If not click **Save and Continue** +16. If you have special scopes configured for google, enter them on this screen. If not click **Save and Continue** 17. If you want to create Test Users enter them here, if not click **Save and Continue** -18. From the _Summary Page_ click on the **Credentials* link on the left. Same link as step 8 +18. From the _Summary Page_ click on the \*_Credentials_ link on the left. Same link as step 8 19. Click **Create Credentials** on the top of the screen 20. Choose **OAuth Client ID** diff --git a/website/integrations/sources/index.md b/website/integrations/sources/index.md index 22a7d2394..778bf3799 100644 --- a/website/integrations/sources/index.md +++ b/website/integrations/sources/index.md 
@@ -7,8 +7,9 @@ Sources allow you to connect authentik to an existing user directory. They can a ### Add Sources to Default Login Page To have sources show on the default login screen you will need to add them. This is assuming you have not created or renamed the default stages and flows. + 1. Access the **Flows** section 2. Click on **default-authentication-flow** 3. Click the **Stage Bindings** tab 4. Chose **Edit Stage** for the _default-authentication-identification_ stage -5. Under **Sources** you should see the additional sources you have configured. Click all applicable sources to have them displayed on the Login Page +5. Under **Sources** you should see the additional sources you have configured. Click all applicable sources to have them displayed on the Login Page diff --git a/website/integrations/sources/ldap/index.md b/website/integrations/sources/ldap/index.md index 1ccc99f61..629ff18e3 100644 --- a/website/integrations/sources/ldap/index.md +++ b/website/integrations/sources/ldap/index.md 
@@ -14,25 +14,25 @@ For Active Directory, follow the [Active Directory Integration](../active-direct For FreeIPA, follow the [FreeIPA Integration](../freeipa/) ::: -- Server URI: URI to your LDAP server/Domain Controller. +- Server URI: URI to your LDAP server/Domain Controller. You can specify multiple servers by separating URIs with a comma, like `ldap://ldap1.company,ldap://ldap2.company`. When using a DNS entry with multiple Records, authentik will select a random entry when first connecting. -- Bind CN: CN of the bind user. This can also be a UPN in the format of `user@domain.tld`. -- Bind password: Password used during the bind process. -- Enable StartTLS: Enables StartTLS functionality. To use LDAPS instead, use port `636`. -- Base DN: Base DN used for all LDAP queries. -- Addition User DN: Prepended to the base DN for user queries. -- Addition Group DN: Prepended to the base DN for group queries. -- User object filter: Consider objects matching this filter to be users. -- Group object filter: Consider objects matching this filter to be groups. -- User group membership field: This field contains the user's group memberships. -- Object uniqueness field: This field contains a unique identifier. -- Sync groups: Enable/disable group synchronization. Groups are synced in the background every 5 minutes. -- Sync parent group: Optionally set this group as the parent group for all synced groups. An example use case of this would be to import Active Directory groups under a root `imported-from-ad` group. -- Property mappings: Define which LDAP properties map to which authentik properties. The default set of property mappings is generated for Active Directory. See also [LDAP Property Mappings](../../../docs/property-mappings/#ldap-property-mapping) +- Bind CN: CN of the bind user. This can also be a UPN in the format of `user@domain.tld`. +- Bind password: Password used during the bind process. +- Enable StartTLS: Enables StartTLS functionality. 
To use LDAPS instead, use port `636`. +- Base DN: Base DN used for all LDAP queries. +- Addition User DN: Prepended to the base DN for user queries. +- Addition Group DN: Prepended to the base DN for group queries. +- User object filter: Consider objects matching this filter to be users. +- Group object filter: Consider objects matching this filter to be groups. +- User group membership field: This field contains the user's group memberships. +- Object uniqueness field: This field contains a unique identifier. +- Sync groups: Enable/disable group synchronization. Groups are synced in the background every 5 minutes. +- Sync parent group: Optionally set this group as the parent group for all synced groups. An example use case of this would be to import Active Directory groups under a root `imported-from-ad` group. +- Property mappings: Define which LDAP properties map to which authentik properties. The default set of property mappings is generated for Active Directory. See also [LDAP Property Mappings](../../../docs/property-mappings/#ldap-property-mapping) ## Property mappings diff --git a/website/integrations/sources/mailcow/index.md b/website/integrations/sources/mailcow/index.md index 8f507e88a..45ca9b8c3 100644 --- a/website/integrations/sources/mailcow/index.md +++ b/website/integrations/sources/mailcow/index.md @@ -8,12 +8,12 @@ Allows users to authenticate using their Mailcow credentials The following placeholders will be used: -- `authentik.company` is the FQDN of the authentik install. -- `mailcow.company` is the FQDN of the mailcow install. +- `authentik.company` is the FQDN of the authentik install. +- `mailcow.company` is the FQDN of the mailcow install. ## Mailcow -1. Log into mailcow as an admin and navigate to the OAuth2 Apps settings +1. Log into mailcow as an admin and navigate to the OAuth2 Apps settings ![OAuth2 Apps menu](mailcow1.png) 
@@ -49,4 +49,4 @@ Save, and you now have Mailcow as a source.
 :::note
 For more details on how-to have the new source display on the Login Page see [here](../).
-:::
\ No newline at end of file
+:::
diff --git a/website/integrations/sources/oauth/index.md b/website/integrations/sources/oauth/index.md
index 2a3611eee..44d231000 100644
--- a/website/integrations/sources/oauth/index.md
+++ b/website/integrations/sources/oauth/index.md
@@ -10,9 +10,9 @@ All Integration-specific Sources are documented in the Integrations Section
 This source allows users to enroll themselves with an external OAuth-based Identity Provider. The generic provider expects the endpoint to return OpenID-Connect compatible information. Vendor-specific implementations have their own OAuth Source.
-- Policies: Allow/Forbid users from linking their accounts with this provider.
-- Request Token URL: This field is used for OAuth v1 implementations and will be provided by the provider.
-- Authorization URL: This value will be provided by the provider.
-- Access Token URL: This value will be provided by the provider.
-- Profile URL: This URL is called by authentik to retrieve user information upon successful authentication.
-- Consumer key/Consumer secret: These values will be provided by the provider.
+- Policies: Allow/Forbid users from linking their accounts with this provider.
+- Request Token URL: This field is used for OAuth v1 implementations and will be provided by the provider.
+- Authorization URL: This value will be provided by the provider.
+- Access Token URL: This value will be provided by the provider.
+- Profile URL: This URL is called by authentik to retrieve user information upon successful authentication.
+- Consumer key/Consumer secret: These values will be provided by the provider.
diff --git a/website/integrations/sources/plex/index.md b/website/integrations/sources/plex/index.md
index ef1f523d6..608215251 100644
--- a/website/integrations/sources/plex/index.md
+++ b/website/integrations/sources/plex/index.md
@@ -12,10 +12,10 @@ None Add _Plex_ as a _source_
-- Name: Choose a name
-- Slug: Set a slug
-- Client ID: Set a unique Client Id or leave the generated ID
-- Press _Load Servers_ to login to plex and pick the authorized Plex Servers for "allowed users"
-- Decide if *anyone* with a plex account can authenticate or only friends you share with
+- Name: Choose a name
+- Slug: Set a slug
+- Client ID: Set a unique Client Id or leave the generated ID
+- Press _Load Servers_ to login to plex and pick the authorized Plex Servers for "allowed users"
+- Decide if _anyone_ with a plex account can authenticate or only friends you share with
 Save, and you now have Plex as a source.
diff --git a/website/netlify/functions/go-get.js b/website/netlify/functions/go-get.js
index ac085bda9..4f8a49bcc 100644
--- a/website/netlify/functions/go-get.js
+++ b/website/netlify/functions/go-get.js
@@ -14,6 +14,6 @@ exports.handler = async function (event, context) {
 headers: {
 "content-type": "text/html",
 },
- body: ``
+ body: ``,
 };
-}
+};
diff --git a/website/netlify/functions/oci-proxy.js b/website/netlify/functions/oci-proxy.js
index de23bcf32..74e990ec0 100644
--- a/website/netlify/functions/oci-proxy.js
+++ b/website/netlify/functions/oci-proxy.js
@@ -9,8 +9,8 @@ const config = {
 };
 async function getToken(event) {
- const fetch = await import('node-fetch');
- const querystring = await import('querystring');
+ const fetch = await import("node-fetch");
+ const querystring = await import("querystring");
 let scope = event.queryStringParameters["scope"];
 let tokenParams = {
 service: config.registryService,
@@ -28,12 +28,14 @@ async function getToken(event) {
 } else {
 console.debug(`oci-proxy[token]: no scope`);
 // For non-scoped requests, we need to forward some URL parameters
- ["account", "client_id", "offline_token", "token"].forEach(param => {
- tokenParams[param] = event.queryStringParameters[param]
+ ["account", "client_id", "offline_token", "token"].forEach((param) => {
+ tokenParams[param] = event.queryStringParameters[param];
 });
 }
- const tokenUrl = `${config.registryTokenEndpoint}?${querystring.stringify(tokenParams)}`
- console.debug(`oci-proxy[token]: final URL to fetch: ${tokenUrl}`)
+ const tokenUrl = `${config.registryTokenEndpoint}?${querystring.stringify(
+ tokenParams
+ )}`;
+ console.debug(`oci-proxy[token]: final URL to fetch: ${tokenUrl}`);
 const tokenRes = await fetch.default(tokenUrl, {
 headers: forwardHeaders,
 });
@@ -51,7 +53,10 @@ exports.handler = async function (event, context) {
 console.debug("oci-proxy: handler=token proxy");
 return await getToken(event);
 }
- if (event.headers.authorization && event.headers.authorization.startsWith("Bearer ")) {
+ if (
+ event.headers.authorization &&
+ event.headers.authorization.startsWith("Bearer ")
+ ) {
 console.debug("oci-proxy: authenticated root handler, returning 200");
 return {
 statusCode: 200,
@@ -60,9 +65,11 @@ exports.handler = async function (event, context) {
 "content-type": "application/json",
 },
 body: JSON.stringify({}),
- }
+ };
 }
- console.debug("oci-proxy: root handler, returning 401 with www-authenticate");
+ console.debug(
+ "oci-proxy: root handler, returning 401 with www-authenticate"
+ );
 return {
 statusCode: 401,
 headers: {
@@ -72,4 +79,4 @@ exports.handler = async function (event, context) {
 },
 body: JSON.stringify({}),
 };
-}
+};
diff --git a/website/package.json b/website/package.json
index c93ffa865..8bc965d81 100644
--- a/website/package.json
+++ b/website/package.json
@@ -9,7 +9,9 @@ "build-docs-only": "docusaurus build --config docusaurus.docs-only.js --out-dir help", "swizzle": "docusaurus swizzle", "deploy": "docusaurus deploy", - "serve": "docusaurus serve" + "serve": "docusaurus serve", + "prettier-check": "prettier --check .", + "prettier": "prettier --write ." }, "dependencies": { "@docusaurus/plugin-client-redirects": "2.0.0-beta.18", diff --git a/website/sidebars.js b/website/sidebars.js index 979129bdf..dc367dc84 100644 --- a/website/sidebars.js +++ b/website/sidebars.js @@ -146,16 +146,12 @@ module.exports = { { type: "category", label: "User", - items: [ - "interfaces/user/customization", - ], + items: ["interfaces/user/customization"], }, { type: "category", label: "Admin", - items: [ - "interfaces/admin/customization", - ], + items: ["interfaces/admin/customization"], }, ], }, diff --git a/website/src/comparison.jsx b/website/src/comparison.jsx index 6439c8a92..f0679a768 100644 --- a/website/src/comparison.jsx +++ b/website/src/comparison.jsx @@ -35,33 +35,99 @@ function Comparison() { SAML2 - - - - - - - + + + + + + + + + + + + + + + + + + + + + OAuth2 and OIDC - - - - - - - + + + + + + + + + + + + + + + + + + + + + LDAP - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + SCIM + + + + + + + + + + + + + + + + + + + + + @@ -79,43 +145,123 @@ function Comparison() { SAML2 - - - - - - - + + + + + + + + + + + + + + + + + + + + + OAuth2 and OIDC - - - - - - - + + + + + + + + + + + + + + + + + + + + + OAuth1 - - - - - - - + + + + + + + + + + + + + + + + + + + + + LDAP - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + SCIM + + + + + + + + + + + + + + + + + + + + + @@ -133,33 +279,75 @@ function Comparison() { Authentication - - - - - - - + + + + + + + + + + + + + + + + + + + + + Enrollment - - - - - - - + + + + + + + + + + + + + + + + + + + + + Self-service - - - - - - - + + + + + + + + + + + + + + + + + + + + + 
@@ -177,43 +365,101 @@ function Comparison() { MFA - - - - - - - + + + + + + + + + + + + + + + + + + + + + - Conditional Access - - - - - - - + + Conditional Access + + + + + + + + + + + + + + + + + + + + + + Open-source - - - - - - - + + + + + + + + + + + + + + + + + + + + + Application Proxy - - - - - - - + + + + + + + + + + + + + + + + + + + + + diff --git a/website/src/css/custom.css b/website/src/css/custom.css index 65038f463..f9c8e43f7 100644 --- a/website/src/css/custom.css +++ b/website/src/css/custom.css @@ -37,7 +37,6 @@ max-height: 200px; } - .before-after-slider img { max-width: none; } @@ -154,7 +153,7 @@ table.comparison tr td.result.warning { color: var(--ifm-color-warning); } -table.comparison tr td.result.passed.authentik { +table.comparison tr td.result.authentik { background: var(--ifm-color-primary); color: var(--ifm-color-secondary); } diff --git a/website/src/pages/api.jsx b/website/src/pages/api.jsx index 199cb224f..b95e942e8 100644 --- a/website/src/pages/api.jsx +++ b/website/src/pages/api.jsx @@ -11,17 +11,19 @@ function APIBrowser() { {() => { - import('rapidoc'); - return - + import("rapidoc"); + return ( + + ); }} diff --git a/website/src/pages/index.jsx b/website/src/pages/index.jsx index 8cc7fbe38..4df5a6ae6 100644 --- a/website/src/pages/index.jsx +++ b/website/src/pages/index.jsx @@ -7,7 +7,7 @@ import useDocusaurusContext from "@docusaurus/useDocusaurusContext"; import useBaseUrl from "@docusaurus/useBaseUrl"; import styles from "./styles.module.css"; import Comparison from "../comparison"; -import 'react-before-after-slider-component/dist/build.css'; +import "react-before-after-slider-component/dist/build.css"; const features = [ { @@ -87,7 +87,10 @@ function Home() {
- authentik logo + authentik logo
@@ -105,17 +108,23 @@ function Home() {
{() => { - const ReactBeforeSliderComponent = require('react-before-after-slider-component'); - return + const ReactBeforeSliderComponent = require("react-before-after-slider-component"); + return ( + + ); }}
@@ -123,13 +132,13 @@ function Home() {

What is authentik?

- authentik is an open-source Identity Provider
- focused on flexibility and versatility. You
- can use authentik in an existing environment
- to add support for new protocols, implement
- sign-up/recovery/etc. in your application so
- you don't have to deal with it, and many other
- things.
+ authentik is an open-source Identity
+ Provider focused on flexibility and
+ versatility. You can use authentik in an
+ existing environment to add support for new
+ protocols, implement sign-up/recovery/etc.
+ in your application so you don't have to
+ deal with it, and many other things.

@@ -138,11 +147,12 @@ function Home() {

Utmost flexibility

You can adopt authentik to your environment,
- regardless of your requirements. Need an Active-Directory
- integrated SSO Provider? Do you want
- to implement a custom enrollment process for your
- customers? Are you developing an application and
- don't want to deal with User verification and recovery?
+ regardless of your requirements. Need an
+ Active-Directory integrated SSO Provider? Do
+ you want to implement a custom enrollment
+ process for your customers? Are you
+ developing an application and don't want to
+ deal with User verification and recovery?
 authentik can do all of that, and more!

@@ -150,17 +160,23 @@ function Home() {
{() => { - const ReactBeforeSliderComponent = require('react-before-after-slider-component'); - return + const ReactBeforeSliderComponent = require("react-before-after-slider-component"); + return ( + + ); }}