website: format docs with prettier (#2833)
* run prettier Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add scim to comparison Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
parent
26d92d9259
commit
f9469e3f99
|
@ -136,8 +136,8 @@ jobs:
|
|||
key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/**') }}
|
||||
- name: prepare web ui
|
||||
if: steps.cache-web.outputs.cache-hit != 'true'
|
||||
working-directory: web
|
||||
run: |
|
||||
cd web
|
||||
npm ci
|
||||
npm run build
|
||||
- name: run e2e
|
||||
|
@ -169,8 +169,8 @@ jobs:
|
|||
key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/**') }}
|
||||
- name: prepare web ui
|
||||
if: steps.cache-web.outputs.cache-hit != 'true'
|
||||
working-directory: web/
|
||||
run: |
|
||||
cd web
|
||||
npm ci
|
||||
npm run build
|
||||
- name: run e2e
|
||||
|
|
|
@ -118,8 +118,8 @@ jobs:
|
|||
- name: Generate API
|
||||
run: make gen-client-go
|
||||
- name: Build web
|
||||
working-directory: web/
|
||||
run: |
|
||||
cd web
|
||||
npm ci
|
||||
npm run build-proxy
|
||||
- name: Build outpost
|
||||
|
|
|
@ -20,15 +20,13 @@ jobs:
|
|||
node-version: '16'
|
||||
cache: 'npm'
|
||||
cache-dependency-path: web/package-lock.json
|
||||
- run: |
|
||||
cd web
|
||||
npm ci
|
||||
- working-directory: web/
|
||||
run: npm ci
|
||||
- name: Generate API
|
||||
run: make gen-client-web
|
||||
- name: Eslint
|
||||
run: |
|
||||
cd web
|
||||
npm run lint
|
||||
working-directory: web/
|
||||
run: npm run lint
|
||||
lint-prettier:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
|
@ -38,15 +36,13 @@ jobs:
|
|||
node-version: '16'
|
||||
cache: 'npm'
|
||||
cache-dependency-path: web/package-lock.json
|
||||
- run: |
|
||||
cd web
|
||||
npm ci
|
||||
- working-directory: web/
|
||||
run: npm ci
|
||||
- name: Generate API
|
||||
run: make gen-client-web
|
||||
- name: prettier
|
||||
run: |
|
||||
cd web
|
||||
npm run prettier-check
|
||||
working-directory: web/
|
||||
run: npm run prettier-check
|
||||
lint-lit-analyse:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
|
@ -56,15 +52,13 @@ jobs:
|
|||
node-version: '16'
|
||||
cache: 'npm'
|
||||
cache-dependency-path: web/package-lock.json
|
||||
- run: |
|
||||
cd web
|
||||
npm ci
|
||||
- working-directory: web/
|
||||
run: npm ci
|
||||
- name: Generate API
|
||||
run: make gen-client-web
|
||||
- name: lit-analyse
|
||||
run: |
|
||||
cd web
|
||||
npm run lit-analyse
|
||||
working-directory: web/
|
||||
run: npm run lit-analyse
|
||||
ci-web-mark:
|
||||
needs:
|
||||
- lint-eslint
|
||||
|
@ -84,12 +78,10 @@ jobs:
|
|||
node-version: '16'
|
||||
cache: 'npm'
|
||||
cache-dependency-path: web/package-lock.json
|
||||
- run: |
|
||||
cd web
|
||||
npm ci
|
||||
- working-directory: web/
|
||||
run: npm ci
|
||||
- name: Generate API
|
||||
run: make gen-client-web
|
||||
- name: build
|
||||
run: |
|
||||
cd web
|
||||
npm run build
|
||||
working-directory: web/
|
||||
run: npm run build
|
||||
|
|
|
@ -0,0 +1,33 @@
|
|||
name: authentik-ci-website
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- master
|
||||
- next
|
||||
- version-*
|
||||
pull_request:
|
||||
branches:
|
||||
- master
|
||||
|
||||
jobs:
|
||||
lint-prettier:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- uses: actions/setup-node@v3.1.1
|
||||
with:
|
||||
node-version: '16'
|
||||
cache: 'npm'
|
||||
cache-dependency-path: website/package-lock.json
|
||||
- working-directory: website/
|
||||
run: npm ci
|
||||
- name: prettier
|
||||
working-directory: website/
|
||||
run: npm run prettier-check
|
||||
ci-web-mark:
|
||||
needs:
|
||||
- lint-prettier
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- run: echo mark
|
|
@ -97,8 +97,8 @@ jobs:
|
|||
cache: 'npm'
|
||||
cache-dependency-path: web/package-lock.json
|
||||
- name: Build web
|
||||
working-directory: web/
|
||||
run: |
|
||||
cd web
|
||||
npm ci
|
||||
npm run build-proxy
|
||||
- name: Build outpost
|
||||
|
|
|
@ -17,15 +17,15 @@ jobs:
|
|||
- name: Generate API Client
|
||||
run: make gen-client-web
|
||||
- name: Publish package
|
||||
working-directory: gen-ts-api/
|
||||
run: |
|
||||
cd web-api/
|
||||
npm ci
|
||||
npm publish
|
||||
env:
|
||||
NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
|
||||
- name: Upgrade /web
|
||||
working-directory: web/
|
||||
run: |
|
||||
cd web/
|
||||
export VERSION=`node -e 'console.log(require("../web-api/package.json").version)'`
|
||||
npm i @goauthentik/api@$VERSION
|
||||
- name: Create Pull Request
|
||||
|
|
|
@ -2,3 +2,6 @@
|
|||
build
|
||||
coverage
|
||||
.docusaurus
|
||||
node_modules
|
||||
help
|
||||
static
|
||||
|
|
|
@ -33,10 +33,7 @@ Below is the response, for example for an Identification stage.
|
|||
"component": "ak-stage-identification",
|
||||
|
||||
// Stage-specific fields
|
||||
"user_fields": [
|
||||
"username",
|
||||
"email"
|
||||
],
|
||||
"user_fields": ["username", "email"],
|
||||
"password_fields": false,
|
||||
"primary_action": "Log in",
|
||||
"sources": []
|
||||
|
|
|
@ -4,7 +4,6 @@ title: Websocket API
|
|||
|
||||
authentik has two different WebSocket endpoints, one is used for web-based clients to get real-time updates, and the other is used for outposts to report their healthiness.
|
||||
|
||||
|
||||
### Web `/ws/client/`
|
||||
|
||||
:::info
|
||||
|
|
|
@ -4,4 +4,3 @@ slug: /
|
|||
---
|
||||
|
||||
Welcome to the authentik developer documentation. authentik is fully open source and can be found here: https://github.com/goauthentik/authentik
|
||||
|
||||
|
|
|
@ -28,7 +28,7 @@ If you want to only make changes on the UI, you don't need a backend running fro
|
|||
4. Add this volume mapping to your compose file
|
||||
|
||||
```yaml
|
||||
version: '3.2'
|
||||
version: "3.2"
|
||||
|
||||
services:
|
||||
# [...]
|
||||
|
|
|
@ -9,11 +9,11 @@ Applications are used to configure and separate the authorization / access contr
|
|||
|
||||
## Authorization
|
||||
|
||||
Application access can be configured using (Policy) Bindings. Click on an application in the applications list, and select the *Policy / Group / User Bindings* tab. There you can bind users/groups/policies to grant them access. When nothing is bound, everyone has access. You can use this to grant access to one or multiple users/groups, or dynamically give access using policies.
|
||||
Application access can be configured using (Policy) Bindings. Click on an application in the applications list, and select the _Policy / Group / User Bindings_ tab. There you can bind users/groups/policies to grant them access. When nothing is bound, everyone has access. You can use this to grant access to one or multiple users/groups, or dynamically give access using policies.
|
||||
|
||||
By default, all users can access applications when no policies are bound.
|
||||
|
||||
When multiple policies/groups/users are attached, you can configure the *Policy engine mode* to either
|
||||
When multiple policies/groups/users are attached, you can configure the _Policy engine mode_ to either
|
||||
|
||||
- Require users to pass all bindings/be member of all groups (ALL), or
|
||||
- Require users to pass either binding/be member of either group (ANY)
|
||||
|
@ -22,29 +22,28 @@ When multiple policies/groups/users are attached, you can configure the *Policy
|
|||
|
||||
The following aspects can be configured:
|
||||
|
||||
- *Name*: This is the name shown for the application card
|
||||
- *Launch URL*: The URL that is opened when a user clicks on the application. When left empty, authentik tries to guess it based on the provider
|
||||
- _Name_: This is the name shown for the application card
|
||||
- _Launch URL_: The URL that is opened when a user clicks on the application. When left empty, authentik tries to guess it based on the provider
|
||||
|
||||
Starting with authentik 2022.2, you can use placeholders in the launch url to build them dynamically based on logged in user. For example, you can set the Launch URL to `https://goauthentik.io/%(username)s`, which will be replaced with the currently logged in user's username.
|
||||
|
||||
- *Icon (URL)*: Optionally configure an Icon for the application
|
||||
- _Icon (URL)_: Optionally configure an Icon for the application
|
||||
|
||||
If the authentik server does not have a volume mounted under `/media`, you'll get a text input. This accepts absolute URLs. If you've mounted single files into the container, you can reference them using `https://authentik.company/media/my-file.png`.
|
||||
|
||||
If there is a mount under `/media`, you'll instead see a field to upload a file.
|
||||
|
||||
- *Publisher*: Text shown below the application
|
||||
- *Description*: Subtext shown on the application card below the publisher
|
||||
- _Publisher_: Text shown below the application
|
||||
- _Description_: Subtext shown on the application card below the publisher
|
||||
|
||||
Applications are shown to users when
|
||||
|
||||
- The user has access defined via policies (or the application has no policies bound)
|
||||
- A Valid Launch URL is configured/could be guessed, this consists of URLs starting with http:// and https://
|
||||
|
||||
|
||||
#### Hiding applications
|
||||
|
||||
To hide applications without modifying policy settings and without removing it, you can simply set the *Launch URL* to `blank://blank`, which will hide the application from users.
|
||||
To hide applications without modifying policy settings and without removing it, you can simply set the _Launch URL_ to `blank://blank`, which will hide the application from users.
|
||||
|
||||
Keep in mind, the users still have access, so they can still authorize access when the login process is started from the application.
|
||||
|
||||
|
|
|
@ -12,7 +12,7 @@ Certificates in authentik are used for the following use cases:
|
|||
|
||||
## Default certificate
|
||||
|
||||
Every authentik install generates a self-signed certificate on the first start. The certificate is called *authentik Self-signed Certificate* and is valid for 1 year.
|
||||
Every authentik install generates a self-signed certificate on the first start. The certificate is called _authentik Self-signed Certificate_ and is valid for 1 year.
|
||||
|
||||
This certificate is generated to be used as a default for all OAuth2/OIDC providers, as these don't require the certificate to be configured on both sides (the signature of a JWT is validated using the [JWKS](https://auth0.com/docs/security/tokens/json-web-tokens/json-web-key-sets) URL).
|
||||
|
||||
|
@ -66,7 +66,7 @@ Starting with authentik 2021.12.4, you can configure the certificate authentik u
|
|||
To use let's encrypt certificates with this setup, using certbot, you can use this compose override (create or edit a file called `docker-compose.override.yml` in the same folder as the authentik docker-compose file)
|
||||
|
||||
```yaml
|
||||
version: '3.2'
|
||||
version: "3.2"
|
||||
|
||||
services:
|
||||
certbot:
|
||||
|
@ -89,6 +89,6 @@ services:
|
|||
|
||||
Afterwards, run `docker-compose up -d`, which will start certbot and generate your certificate. Within a few minutes, you'll see the certificate in your authentik interface. (If the certificate does not appear, restart the worker container. This is caused by incompatible permissions set by certbot).
|
||||
|
||||
Navigate to *System -> Tenants*, edit any tenant and select the certificate of your choice.
|
||||
Navigate to _System -> Tenants_, edit any tenant and select the certificate of your choice.
|
||||
|
||||
Keep in mind this certbot container will only run once, but there are a variety of ways to schedule regular renewals.
|
||||
|
|
|
@ -13,7 +13,7 @@ This will send a POST request to the given URL with the following contents:
|
|||
"body": "body of the notification message",
|
||||
"severity": "severity level as configured in the trigger",
|
||||
"user_email": "user's email",
|
||||
"user_username": "user's username",
|
||||
"user_username": "user's username"
|
||||
}
|
||||
```
|
||||
|
||||
|
|
|
@ -9,6 +9,6 @@ Requires authentik 2022.3.1
|
|||
The user interface (`/if/user/`) embeds a downsized flow executor to allow the user to configure their profile using custom stages and prompts.
|
||||
|
||||
This executor only supports [**prompt**](../stages/prompt/) stages. If the configured flow contains another stage, a button will be shown to open the default executor.
|
||||
Because the stages in a flow can change during it execution, this executor will redirect the user to the default interface *if* a non-supported stage is returned.
|
||||
Because the stages in a flow can change during it execution, this executor will redirect the user to the default interface _if_ a non-supported stage is returned.
|
||||
|
||||
To configure which flow is used for this, configure it in the tenant settings.
|
||||
|
|
|
@ -8,23 +8,23 @@ This stage configures an SMS-based authenticator using either Twilio, or a gener
|
|||
|
||||
Navigate to https://console.twilio.com/, and log in to your existing account, or create a new one.
|
||||
|
||||
In the sidebar, navigate to *Explore Products*, then *Messaging*, and *Services* below that.
|
||||
In the sidebar, navigate to _Explore Products_, then _Messaging_, and _Services_ below that.
|
||||
|
||||
Click on *Create Messaging Service* to create a new set of API credentials.
|
||||
Click on _Create Messaging Service_ to create a new set of API credentials.
|
||||
|
||||
Give the service a Name, and select *Verify users* as a use-case.
|
||||
Give the service a Name, and select _Verify users_ as a use-case.
|
||||
|
||||
In the next step, add an address from your Sender Pool. Instructions on how to create numbers are not covered here, please check the Twilio documentation [here](https://www.twilio.com/docs).
|
||||
|
||||
The other two steps can be skipped using the *Skip setup* button.
|
||||
The other two steps can be skipped using the _Skip setup_ button.
|
||||
|
||||
Afterwards, copy the value of **Messaging Service SID**. This is the value for the *Twilio Account SID* field in authentik.
|
||||
Afterwards, copy the value of **Messaging Service SID**. This is the value for the _Twilio Account SID_ field in authentik.
|
||||
|
||||
Navigate back to the root of your Twilio console, and copy the Auth token. This is the value for the *Twilio Auth Token* field in authentik.
|
||||
Navigate back to the root of your Twilio console, and copy the Auth token. This is the value for the _Twilio Auth Token_ field in authentik.
|
||||
|
||||
## Generic
|
||||
|
||||
For the generic provider, a POST request will be sent to the URL you have specified in the *External API URL* field. The request payload looks like this
|
||||
For the generic provider, a POST request will be sent to the URL you have specified in the _External API URL_ field. The request payload looks like this
|
||||
|
||||
```json
|
||||
{
|
||||
|
|
|
@ -16,7 +16,7 @@ Using the `Not configured action`, you can choose what happens when a user does
|
|||
|
||||
- Skip: Validation is skipped and the flow continues
|
||||
- Deny: Access is denied, the flow execution ends
|
||||
- Configure: This option requires a *Configuration stage* to be set. The validation stage will be marked as successful, and the configuration stage will be injected into the flow.
|
||||
- Configure: This option requires a _Configuration stage_ to be set. The validation stage will be marked as successful, and the configuration stage will be injected into the flow.
|
||||
|
||||
## Passwordless authentication
|
||||
|
||||
|
@ -26,17 +26,17 @@ Requires authentik 2021.12.4
|
|||
|
||||
Passwordless authentication currently only supports WebAuthn devices, like security keys and biometrics.
|
||||
|
||||
To configure passwordless authentication, create a new Flow with the delegation set to *Authentication*.
|
||||
To configure passwordless authentication, create a new Flow with the delegation set to _Authentication_.
|
||||
|
||||
As first stage, add an *Authentication validation* stage, with the WebAuthn device class allowed.
|
||||
As first stage, add an _Authentication validation_ stage, with the WebAuthn device class allowed.
|
||||
After this stage you can bind any additional verification stages.
|
||||
As final stage, bind a *User login* stage.
|
||||
As final stage, bind a _User login_ stage.
|
||||
|
||||
Users can either access this flow directly via it's URL, or you can modify any Identification stage to add a direct link to this flow.
|
||||
|
||||
#### Logging
|
||||
|
||||
Logins which used Passwordless authentication have the *auth_method* context variable set to `auth_webauthn_pwl`, and the device used is saved in the arguments. Example:
|
||||
Logins which used Passwordless authentication have the _auth_method_ context variable set to `auth_webauthn_pwl`, and the device used is saved in the arguments. Example:
|
||||
|
||||
```json
|
||||
{
|
||||
|
|
|
@ -6,5 +6,5 @@ This stage stops the execution of a flow. This can be used to conditionally deny
|
|||
even if they are not signed in (and permissions can't be checked via groups).
|
||||
|
||||
:::caution
|
||||
To effectively use this stage, make sure to **disable** *Evaluate on plan* on the Stage binding.
|
||||
To effectively use this stage, make sure to **disable** _Evaluate on plan_ on the Stage binding.
|
||||
:::
|
||||
|
|
|
@ -46,22 +46,16 @@ Templates are rendered using Django's templating engine. The following variables
|
|||
- `expires`: The timestamp when the token expires.
|
||||
|
||||
```html
|
||||
{# This is how you can write comments which aren't rendered. #}
|
||||
|
||||
{# Extend this template from the base email template, which includes base layout and CSS. #}
|
||||
{% extends "email/base.html" %}
|
||||
|
||||
{# Load the internationalization module to translate strings, and humanize to show date-time #}
|
||||
{% load i18n %}
|
||||
{% load humanize %}
|
||||
|
||||
{# The email/base.html template uses a single "content" block #}
|
||||
{% block content %}
|
||||
{# This is how you can write comments which aren't rendered. #} {# Extend this
|
||||
template from the base email template, which includes base layout and CSS. #} {%
|
||||
extends "email/base.html" %} {# Load the internationalization module to
|
||||
translate strings, and humanize to show date-time #} {% load i18n %} {% load
|
||||
humanize %} {# The email/base.html template uses a single "content" block #} {%
|
||||
block content %}
|
||||
<tr>
|
||||
<td class="alert alert-success">
|
||||
{% blocktrans with username=user.username %}
|
||||
Hi {{ username }},
|
||||
{% endblocktrans %}
|
||||
{% blocktrans with username=user.username %} Hi {{ username }}, {%
|
||||
endblocktrans %}
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
|
@ -69,21 +63,41 @@ Templates are rendered using Django's templating engine. The following variables
|
|||
<table width="100%" cellpadding="0" cellspacing="0">
|
||||
<tr>
|
||||
<td class="content-block">
|
||||
{% blocktrans %}
|
||||
You recently requested to change your password for you authentik account. Use the button below to set a new password.
|
||||
{% endblocktrans %}
|
||||
{% blocktrans %} You recently requested to change your
|
||||
password for you authentik account. Use the button below to
|
||||
set a new password. {% endblocktrans %}
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="content-block">
|
||||
<table role="presentation" border="0" cellpadding="0" cellspacing="0" class="btn btn-primary">
|
||||
<table
|
||||
role="presentation"
|
||||
border="0"
|
||||
cellpadding="0"
|
||||
cellspacing="0"
|
||||
class="btn btn-primary"
|
||||
>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td align="center">
|
||||
<table role="presentation" border="0" cellpadding="0" cellspacing="0">
|
||||
<table
|
||||
role="presentation"
|
||||
border="0"
|
||||
cellpadding="0"
|
||||
cellspacing="0"
|
||||
>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td> <a id="confirm" href="{{ url }}" rel="noopener noreferrer" target="_blank">{% trans 'Reset Password' %}</a> </td>
|
||||
<td>
|
||||
<a
|
||||
id="confirm"
|
||||
href="{{ url }}"
|
||||
rel="noopener noreferrer"
|
||||
target="_blank"
|
||||
>{% trans 'Reset
|
||||
Password' %}</a
|
||||
>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
@ -95,9 +109,9 @@ Templates are rendered using Django's templating engine. The following variables
|
|||
</tr>
|
||||
<tr>
|
||||
<td class="content-block">
|
||||
{% blocktrans with expires=expires|naturaltime %}
|
||||
If you did not request a password change, please ignore this Email. The link above is valid for {{ expires }}.
|
||||
{% endblocktrans %}
|
||||
{% blocktrans with expires=expires|naturaltime %} If you did
|
||||
not request a password change, please ignore this Email. The
|
||||
link above is valid for {{ expires }}. {% endblocktrans %}
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
|
|
|
@ -10,4 +10,4 @@ To check if a user has used an invitation within a policy, you can check `reques
|
|||
|
||||
To use an invitation, use the URL `https://authentik.tld/if/flow/your-enrollment-flow/?itoken=invitation-token`.
|
||||
|
||||
You can also prompt the user for an invite by using the [*Prompt stage*](../prompt/) by using a field with a field key of `token`.
|
||||
You can also prompt the user for an invite by using the [_Prompt stage_](../prompt/) by using a field with a field key of `token`.
|
||||
|
|
|
@ -26,4 +26,4 @@ return DuoDevice.objects.filter(user=request.user, confirmed=True).exists()
|
|||
|
||||
Afterwards, bind the policy you've created to the stage binding of the password stage.
|
||||
|
||||
Make sure to uncheck *Evaluate on plan* and check *Re-evaluate policies*, otherwise an invalid result will be cached.
|
||||
Make sure to uncheck _Evaluate on plan_ and check _Re-evaluate policies_, otherwise an invalid result will be cached.
|
||||
|
|
|
@ -9,7 +9,7 @@ This stage is used to show the user arbitrary prompts.
|
|||
The prompt can be any of the following types:
|
||||
|
||||
| Type | Description |
|
||||
| -------- | ----------------------------------------------------------------- |
|
||||
| ----------------- | ---------------------------------------------------------------------------------------- |
|
||||
| Text | Arbitrary text. No client-side validation is done. |
|
||||
| Text (Read only) | Same as above, but cannot be edited. |
|
||||
| Username | Same as text, except the username is validated to be unique. |
|
||||
|
@ -26,9 +26,9 @@ The prompt can be any of the following types:
|
|||
|
||||
Some types have special behaviors:
|
||||
|
||||
- *Username*: Input is validated against other usernames to ensure a unique value is provided.
|
||||
- *Password*: All prompts with the type password within the same stage are compared and must be equal. If they are not equal, an error is shown
|
||||
- *Hidden* and *Static*: Their placeholder values are defaults and are not user-changeable.
|
||||
- _Username_: Input is validated against other usernames to ensure a unique value is provided.
|
||||
- _Password_: All prompts with the type password within the same stage are compared and must be equal. If they are not equal, an error is shown
|
||||
- _Hidden_ and _Static_: Their placeholder values are defaults and are not user-changeable.
|
||||
|
||||
A prompt has the following attributes:
|
||||
|
||||
|
@ -52,7 +52,7 @@ A flag which decides whether or not this field is required.
|
|||
|
||||
A field placeholder, shown within the input field. This field is also used by the `hidden` type as the actual value.
|
||||
|
||||
By default, the placeholder is interpreted as-is. If you enable *Interpret placeholder as expression*, the placeholder
|
||||
By default, the placeholder is interpreted as-is. If you enable _Interpret placeholder as expression_, the placeholder
|
||||
will be evaluated as a python expression. This happens in the same environment as [_Property mappings_](../../../property-mappings/expression).
|
||||
|
||||
You can access both the HTTP request and the user as with a mapping. Additionally, you can access `prompt_context`, which is a dictionary of the current state of the prompt stage's data.
|
||||
|
|
|
@ -8,7 +8,7 @@ It can be used after `user_write` during an enrollment flow, or after a `passwor
|
|||
|
||||
## Session duration
|
||||
|
||||
By default, the authentik session expires when you close your browser (*seconds=0*).
|
||||
By default, the authentik session expires when you close your browser (_seconds=0_).
|
||||
|
||||
You can set the session to expire after any duration using the syntax of `hours=1,minutes=2,seconds=3`. The following keys are allowed:
|
||||
|
||||
|
|
|
@ -13,7 +13,7 @@ See [Docker-compose](installation/docker-compose) or [Kubernetes](installation/k
|
|||
|
||||
## Screenshots
|
||||
|
||||
Light | Dark
|
||||
--- | ---
|
||||
![](/img/screen_apps_light.jpg) | ![](/img/screen_apps_dark.jpg)
|
||||
![](/img/screen_admin_light.jpg) | ![](/img/screen_admin_dark.jpg)
|
||||
| Light | Dark |
|
||||
| -------------------------------- | ------------------------------- |
|
||||
| ![](/img/screen_apps_light.jpg) | ![](/img/screen_apps_dark.jpg) |
|
||||
| ![](/img/screen_admin_light.jpg) | ![](/img/screen_admin_dark.jpg) |
|
||||
|
|
|
@ -2,10 +2,10 @@
|
|||
title: Beta versions
|
||||
---
|
||||
|
||||
You can test upcoming authentik versions by switching to the *next* images. These beta versions supported upgrades from the latest stable version, and have a supported upgrade plan to the next stable version.
|
||||
You can test upcoming authentik versions by switching to the _next_ images. These beta versions supported upgrades from the latest stable version, and have a supported upgrade plan to the next stable version.
|
||||
|
||||
import Tabs from '@theme/Tabs';
|
||||
import TabItem from '@theme/TabItem';
|
||||
import Tabs from "@theme/Tabs";
|
||||
import TabItem from "@theme/TabItem";
|
||||
|
||||
<Tabs
|
||||
defaultValue="docker-compose"
|
||||
|
@ -23,6 +23,7 @@ AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-nex
|
|||
```
|
||||
|
||||
Afterwards, run the upgrade commands from the latest release notes.
|
||||
|
||||
</TabItem>
|
||||
<TabItem value="kubernetes">
|
||||
Add the following block to your `values.yml` file:
|
||||
|
@ -39,5 +40,6 @@ image:
|
|||
```
|
||||
|
||||
Afterwards, run the upgrade commands from the latest release notes.
|
||||
|
||||
</TabItem>
|
||||
</Tabs>
|
||||
|
|
|
@ -47,7 +47,7 @@ Secret key used for cookie signing and unique user IDs, don't change this after
|
|||
|
||||
Log level for the server and worker containers. Possible values: debug, info, warning, error
|
||||
|
||||
Starting with 2021.12.3, you can also set the log level to *trace*. This has no affect on the core authentik server, but shows additional messages for the embedded outpost.
|
||||
Starting with 2021.12.3, you can also set the log level to _trace_. This has no affect on the core authentik server, but shows additional messages for the embedded outpost.
|
||||
|
||||
Defaults to `info`.
|
||||
|
||||
|
@ -118,6 +118,7 @@ Disable the inbuilt update-checker. Defaults to `false`.
|
|||
- `AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE`
|
||||
|
||||
Placeholders:
|
||||
|
||||
- `%(type)s`: Outpost type; proxy, ldap, etc
|
||||
- `%(version)s`: Current version; 2021.4.1
|
||||
- `%(build_hash)s`: Build hash if you're running a beta version
|
||||
|
|
|
@ -101,7 +101,7 @@ The docker-compose project contains the following containers:
|
|||
|
||||
- worker
|
||||
|
||||
This container executes background tasks, everything you can see on the *System Tasks* page in the frontend.
|
||||
This container executes background tasks, everything you can see on the _System Tasks_ page in the frontend.
|
||||
|
||||
- redis & postgresql
|
||||
|
||||
|
|
|
@ -31,7 +31,6 @@ postgresql:
|
|||
postgresqlPassword: "ThisIsNotASecurePassword"
|
||||
redis:
|
||||
enabled: true
|
||||
|
||||
```
|
||||
|
||||
See all configurable values on [artifacthub](https://artifacthub.io/packages/helm/goauthentik/authentik).
|
||||
|
|
|
@ -9,15 +9,19 @@ The following features can be enabled/disabled. By default, all of them are enab
|
|||
- `settings.enabledFeatures.apiDrawer`
|
||||
|
||||
API Request drawer in navbar
|
||||
|
||||
- `settings.enabledFeatures.notificationDrawer`
|
||||
|
||||
Notification drawer in navbar
|
||||
|
||||
- `settings.enabledFeatures.settings`
|
||||
|
||||
Settings link in navbar
|
||||
|
||||
- `settings.enabledFeatures.applicationEdit`
|
||||
|
||||
Application edit in library (only shown when user is superuser)
|
||||
|
||||
- `settings.enabledFeatures.search`
|
||||
|
||||
Search bar
|
||||
|
|
|
@ -49,7 +49,7 @@ Afterwards, create two Certificate-keypairs in authentik:
|
|||
- `Docker CA`, with the contents of `~/.docker/ca.pem` as Certificate
|
||||
- `Docker Cert`, with the contents of `~/.docker/cert.pem` as Certificate and `~/.docker/key.pem` as Private key.
|
||||
|
||||
Create an integration with `Docker CA` as *TLS Verification Certificate* and `Docker Cert` as *TLS Authentication Certificate*.
|
||||
Create an integration with `Docker CA` as _TLS Verification Certificate_ and `Docker Cert` as _TLS Authentication Certificate_.
|
||||
|
||||
## Remote hosts (SSH)
|
||||
|
||||
|
@ -69,6 +69,6 @@ You'll end up with three files:
|
|||
- `authentik` is the private key, which should be imported into a Keypair in authentik.
|
||||
- `certificate.pem` is the matching certificate for the keypair above.
|
||||
|
||||
Modify/create a new Docker integration, and set your *Docker URL* to `ssh://hostname`, and select the keypair you created above as *TLS Authentication Certificate/SSH Keypair*.
|
||||
Modify/create a new Docker integration, and set your _Docker URL_ to `ssh://hostname`, and select the keypair you created above as _TLS Authentication Certificate/SSH Keypair_.
|
||||
|
||||
The *Docker URL* field include a user, if none is specified authentik connects with the user `authentik`.
|
||||
The _Docker URL_ field include a user, if none is specified authentik connects with the user `authentik`.
|
||||
|
|
|
@ -3,13 +3,17 @@ title: Expression Policies
|
|||
---
|
||||
|
||||
The passing of the policy is determined by the return value of the code. Use
|
||||
|
||||
```python
|
||||
return True
|
||||
```
|
||||
|
||||
to pass a policy and
|
||||
|
||||
```python
|
||||
return False
|
||||
```
|
||||
|
||||
to fail it.
|
||||
|
||||
## Available Functions
|
||||
|
@ -44,7 +48,7 @@ return ak_user_has_authenticator(request.user)
|
|||
|
||||
### `ak_call_policy(name: str, **kwargs) -> PolicyResult` (2021.12+)
|
||||
|
||||
Call another policy with the name *name*. Current request is passed to policy. Key-word arguments
|
||||
Call another policy with the name _name_. Current request is passed to policy. Key-word arguments
|
||||
can be used to modify the request's context.
|
||||
|
||||
Example:
|
||||
|
@ -59,13 +63,13 @@ result = ak_call_policy("test-policy-2", foo="bar")
|
|||
return result.passing
|
||||
```
|
||||
|
||||
import Functions from '../expressions/_functions.md'
|
||||
import Functions from "../expressions/_functions.md";
|
||||
|
||||
<Functions />
|
||||
|
||||
## Variables
|
||||
|
||||
import Objects from '../expressions/_objects.md'
|
||||
import Objects from "../expressions/_objects.md";
|
||||
|
||||
<Objects />
|
||||
|
||||
|
@ -103,6 +107,7 @@ This includes the following:
|
|||
- `app_password`: App password (token)
|
||||
|
||||
Sets `context['auth_method_args']` to
|
||||
|
||||
```json
|
||||
{
|
||||
"token": {
|
||||
|
@ -113,9 +118,11 @@ This includes the following:
|
|||
}
|
||||
}
|
||||
```
|
||||
|
||||
- `ldap`: LDAP bind authentication
|
||||
|
||||
Sets `context['auth_method_args']` to
|
||||
|
||||
```json
|
||||
{
|
||||
"source": {} // Information about the source used
|
||||
|
|
|
@ -4,20 +4,19 @@ title: Expressions
|
|||
|
||||
The property mapping should return a value that is expected by the Provider/Source. Supported types are documented in the individual Provider/Source. Returning `None` is always accepted and would simply skip the mapping for which `None` was returned.
|
||||
|
||||
|
||||
## Available Functions
|
||||
|
||||
import Functions from '../expressions/_functions.md'
|
||||
import Functions from "../expressions/_functions.md";
|
||||
|
||||
<Functions />
|
||||
|
||||
## Variables
|
||||
|
||||
import Objects from '../expressions/_objects.md'
|
||||
import Objects from "../expressions/_objects.md";
|
||||
|
||||
<Objects />
|
||||
|
||||
import User from '../expressions/_user.md'
|
||||
import User from "../expressions/_user.md";
|
||||
|
||||
<User />
|
||||
|
||||
|
|
|
@ -85,9 +85,9 @@ All bind modes rely on flows.
|
|||
|
||||
The following stages are supported:
|
||||
|
||||
- [Identification](../flow/stages/identification/)
|
||||
- [Password](../flow/stages/password/)
|
||||
- [Authenticator validation](../flow/stages/authenticator_validate/)
|
||||
- [Identification](../flow/stages/identification/)
|
||||
- [Password](../flow/stages/password/)
|
||||
- [Authenticator validation](../flow/stages/authenticator_validate/)
|
||||
|
||||
Note: Authenticator validation currently only supports DUO devices
|
||||
|
||||
|
@ -97,7 +97,7 @@ In this mode, the outpost will always execute the configured flow when a new bin
|
|||
|
||||
#### Cached bind
|
||||
|
||||
This mode uses the same logic as direct bind, however the result is cached for the entered credentials, and saved in memory for the standard session duration. Sessions are saved independently, meaning that revoking sessions does *not* remove them from the outpost, and neither will changing a users credentials.
|
||||
This mode uses the same logic as direct bind, however the result is cached for the entered credentials, and saved in memory for the standard session duration. Sessions are saved independently, meaning that revoking sessions does _not_ remove them from the outpost, and neither will changing a users credentials.
|
||||
|
||||
## Search Modes
|
||||
|
||||
|
|
|
@ -6,7 +6,7 @@ Note that authentik does treat a grant type of `password` the same as `client_cr
|
|||
|
||||
### Static authentication
|
||||
|
||||
Hence identification is based on service-accounts, and authentication is based on App-password tokens. These objects can be created in a single step using the *Create Service account* function.
|
||||
Hence identification is based on service-accounts, and authentication is based on App-password tokens. These objects can be created in a single step using the _Create Service account_ function.
|
||||
|
||||
An example request can look like this:
|
||||
|
||||
|
@ -29,7 +29,7 @@ Starting with authentik 2022.4, you can authenticate and get a token using an ex
|
|||
|
||||
(For readability we will refer to the JWT issued by the external issuer/platform as input JWT, and the resulting JWT from authentik as the output JWT)
|
||||
|
||||
To configure this, the certificate used to sign the input JWT must be created in authentik. The certificate is enough, a private key is not required. Afterwards, configure the certificate in the OAuth2 provider settings under *Verification certificates*.
|
||||
To configure this, the certificate used to sign the input JWT must be created in authentik. The certificate is enough, a private key is not required. Afterwards, configure the certificate in the OAuth2 provider settings under _Verification certificates_.
|
||||
|
||||
With this configure, any JWT issued by the configured certificates can be used to authenticate:
|
||||
|
||||
|
@ -46,9 +46,9 @@ client_id=application_client_id
|
|||
|
||||
Alternatively, you can set the `client_secret` parameter to the `$inputJWT`, for applications which can set the password from a file but not other parameters.
|
||||
|
||||
Input JWTs are checked to be signed by any of the selected *Verification certificates*, and their `exp` attribute must not be now or in the past.
|
||||
Input JWTs are checked to be signed by any of the selected _Verification certificates_, and their `exp` attribute must not be now or in the past.
|
||||
|
||||
To do additional checks, you can use *[Expression policies](../../policies/expression)*:
|
||||
To do additional checks, you can use _[Expression policies](../../policies/expression)_:
|
||||
|
||||
```python
|
||||
return request.context["oauth_jwt"]["iss"] == "https://my.issuer"
|
||||
|
|
|
@ -1,4 +1,3 @@
|
|||
|
||||
```
|
||||
server {
|
||||
# SSL and VHost configuration
|
||||
|
|
|
@ -1,6 +1,5 @@
|
|||
|
||||
```yaml
|
||||
version: '3.7'
|
||||
version: "3.7"
|
||||
services:
|
||||
traefik:
|
||||
image: traefik:v2.2
|
||||
|
@ -10,9 +9,9 @@ services:
|
|||
ports:
|
||||
- 80:80
|
||||
command:
|
||||
- '--api'
|
||||
- '--providers.docker=true'
|
||||
- '--providers.docker.exposedByDefault=false'
|
||||
- "--api"
|
||||
- "--providers.docker=true"
|
||||
- "--providers.docker.exposedByDefault=false"
|
||||
- "--entrypoints.web.address=:80"
|
||||
|
||||
authentik-proxy:
|
||||
|
|
|
@ -16,9 +16,10 @@ has the advantage that you can still do per-application access policies in authe
|
|||
## Domain level
|
||||
|
||||
To use forward auth instead of proxying, you have to change a couple of settings.
|
||||
In the Proxy Provider, make sure to use the *Forward auth (domain level)* mode.
|
||||
In the Proxy Provider, make sure to use the _Forward auth (domain level)_ mode.
|
||||
|
||||
This mode differs from the _Forward auth (single application)_ mode in the following points:
|
||||
|
||||
This mode differs from the *Forward auth (single application)* mode in the following points:
|
||||
- You don't have to configure an application in authentik for each domain
|
||||
- Users don't have to authorize multiple times
|
||||
|
||||
|
@ -33,16 +34,16 @@ is redirected to the outpost.
|
|||
For domain level, you'd use the same domain as authentik.
|
||||
|
||||
:::info
|
||||
*example-outpost* is used as a placeholder for the outpost name.
|
||||
*authentik.company* is used as a placeholder for the authentik install.
|
||||
*app.company* is used as a placeholder for the external domain for the application.
|
||||
*outpost.company* is used as a placeholder for the outpost. When using the embedded outpost, this can be the same as *authentik.company*
|
||||
_example-outpost_ is used as a placeholder for the outpost name.
|
||||
_authentik.company_ is used as a placeholder for the authentik install.
|
||||
_app.company_ is used as a placeholder for the external domain for the application.
|
||||
_outpost.company_ is used as a placeholder for the outpost. When using the embedded outpost, this can be the same as _authentik.company_
|
||||
:::
|
||||
|
||||
## Nginx
|
||||
|
||||
import Tabs from '@theme/Tabs';
|
||||
import TabItem from '@theme/TabItem';
|
||||
import Tabs from "@theme/Tabs";
|
||||
import TabItem from "@theme/TabItem";
|
||||
|
||||
<Tabs
|
||||
defaultValue="standalone-nginx"
|
||||
|
@ -53,21 +54,21 @@ import TabItem from '@theme/TabItem';
|
|||
]}>
|
||||
<TabItem value="standalone-nginx">
|
||||
|
||||
import NginxStandalone from './_nginx_standalone.md'
|
||||
import NginxStandalone from "./_nginx_standalone.md";
|
||||
|
||||
<NginxStandalone />
|
||||
|
||||
</TabItem>
|
||||
<TabItem value="ingress">
|
||||
|
||||
import NginxIngress from './_nginx_ingress.md'
|
||||
import NginxIngress from "./_nginx_ingress.md";
|
||||
|
||||
<NginxIngress />
|
||||
|
||||
</TabItem>
|
||||
<TabItem value="proxy-manager">
|
||||
|
||||
import NginxProxyManager from './_nginx_proxy_manager.md'
|
||||
import NginxProxyManager from "./_nginx_proxy_manager.md";
|
||||
|
||||
<NginxProxyManager />
|
||||
|
||||
|
@ -85,21 +86,21 @@ import NginxProxyManager from './_nginx_proxy_manager.md'
|
|||
]}>
|
||||
<TabItem value="standalone-traefik">
|
||||
|
||||
import TraefikStandalone from './_traefik_standalone.md'
|
||||
import TraefikStandalone from "./_traefik_standalone.md";
|
||||
|
||||
<TraefikStandalone />
|
||||
|
||||
</TabItem>
|
||||
<TabItem value="docker-compose">
|
||||
|
||||
import TraefikCompose from './_traefik_compose.md'
|
||||
import TraefikCompose from "./_traefik_compose.md";
|
||||
|
||||
<TraefikCompose />
|
||||
|
||||
</TabItem>
|
||||
<TabItem value="ingress">
|
||||
|
||||
import TraefikIngress from './_traefik_ingress.md'
|
||||
import TraefikIngress from "./_traefik_ingress.md";
|
||||
|
||||
<TraefikIngress />
|
||||
|
||||
|
|
|
@ -26,7 +26,7 @@ The proxy outpost sets the following user-specific headers:
|
|||
|
||||
Additionally, you can set `additionalHeaders` on groups or users to set additional headers.
|
||||
|
||||
If you enable *Set HTTP-Basic Authentication* option, the HTTP Authorization header is being set.
|
||||
If you enable _Set HTTP-Basic Authentication_ option, the HTTP Authorization header is being set.
|
||||
|
||||
Besides these user-specific headers, some application specific headers are also set:
|
||||
|
||||
|
@ -72,7 +72,7 @@ To log out, navigate to `/outpost.goauthentik.io/sign_out`.
|
|||
|
||||
## Allowing unauthenticated requests
|
||||
|
||||
To allow un-authenticated requests to certain paths/URLs, you can use the *Unauthenticated URLs* / *Unauthenticated Paths* field.
|
||||
To allow un-authenticated requests to certain paths/URLs, you can use the _Unauthenticated URLs_ / _Unauthenticated Paths_ field.
|
||||
|
||||
Each new line is interpreted as a regular expression, and is compiled and checked using the standard Golang regex parser.
|
||||
|
||||
|
@ -88,7 +88,7 @@ In this mode, the regular expressions are matched against the Request's full URL
|
|||
|
||||
## Dynamic backend selection
|
||||
|
||||
You can configure the backend the proxy should access dynamically via *Scope mappings*. To do so, create a new *Scope mapping*, with a name and scope of your choice. As expression, use this:
|
||||
You can configure the backend the proxy should access dynamically via _Scope mappings_. To do so, create a new _Scope mapping_, with a name and scope of your choice. As expression, use this:
|
||||
|
||||
```python
|
||||
return {
|
||||
|
@ -98,4 +98,4 @@ return {
|
|||
}
|
||||
```
|
||||
|
||||
Afterwards, edit the *Proxy provider* and add this new mapping. The expression is only evaluated when the user logs into the application.
|
||||
Afterwards, edit the _Proxy provider_ and add this new mapping. The expression is only evaluated when the user logs into the application.
|
||||
|
|
|
@ -6,11 +6,11 @@ This provider allows you to integrate enterprise software using the SAML2 Protoc
|
|||
Default fields are exposed through auto-generated Property Mappings, which are prefixed with "authentik default".
|
||||
|
||||
| Endpoint | URL |
|
||||
| ---------------------- | -------------------------------------------------------------- |
|
||||
| ---------------------- | ------------------------------------------------------------ |
|
||||
| SSO (Redirect binding) | `/application/saml/<application slug>/sso/binding/redirect/` |
|
||||
| SSO (POST binding) | `/application/saml/<application slug>/sso/binding/post/` |
|
||||
| IdP-initiated login | `/application/saml/<application slug>/sso/binding/init/` |
|
||||
| Metadata Download | `/api/v3/providers/saml/<provider uid>/metadata/?download/`|
|
||||
| Metadata Download | `/api/v3/providers/saml/<provider uid>/metadata/?download/` |
|
||||
|
||||
You can download the metadata through the Webinterface, this link might be handy if your software wants to download the metadata directly.
|
||||
|
||||
|
|
|
@ -29,10 +29,11 @@ Docker-compose users should download the latest docker-compose file from [here](
|
|||
|
||||
:::caution
|
||||
If you decided to rename the folder you're running the docker-compose file from, be aware that this will also change the name, that docker-compose will give the database volume. To mitigate this, either
|
||||
|
||||
- Keep the original directory name
|
||||
- Move the directory and set `COMPOSE_PROJECT_NAME` to the name of the old directory (see [here](https://docs.docker.com/compose/reference/envvars/#compose_project_name))
|
||||
- Create a backup, rename the directory and restore from backup.
|
||||
:::
|
||||
:::
|
||||
|
||||
The only manual change you have to do is replace the `PASSBOOK_` prefix in your `.env` file, so `PASSBOOK_SECRET_KEY` gets changed to `AUTHENTIK_SECRET_KEY`.
|
||||
|
||||
|
|
|
@ -30,7 +30,7 @@ slug: "2021.1"
|
|||
|
||||
### Fixed in 2021.1.2
|
||||
|
||||
- sources/*: Add source to flow context, so source is logged during login
|
||||
- sources/\*: Add source to flow context, so source is logged during login
|
||||
- outposts: Fix outpost not correctly updating on outpost modification
|
||||
- outposts: Improve drift detection on kubernetes
|
||||
- providers/saml: Fix metadata not being signed when signature is enabled
|
||||
|
|
|
@ -23,7 +23,7 @@ A huge shoutout to all the people that contributed, helped test and also transla
|
|||
|
||||
## Minor changes
|
||||
|
||||
- *: Squash Migrations (#1593)
|
||||
- \*: Squash Migrations (#1593)
|
||||
- admin: clear update notification when notification's version matches current version
|
||||
- cmd: prevent outposts from panicking when failing to get their config
|
||||
- core: add default for user's settings attribute
|
||||
|
@ -171,7 +171,7 @@ A huge shoutout to all the people that contributed, helped test and also transla
|
|||
- internal: start embedded outpost directly after backend is healthy instead of waiting
|
||||
- lifecycle: revert to non-h11 worker
|
||||
- outpost/ldap: don't cleanup user info as it is overwritten on bind
|
||||
- providers/*: include list of outposts
|
||||
- providers/\*: include list of outposts
|
||||
- providers/ldap: add/squash migrations
|
||||
- providers/ldap: memory Query (#1681)
|
||||
- recovery: add create_admin_group management command
|
||||
|
@ -182,7 +182,7 @@ A huge shoutout to all the people that contributed, helped test and also transla
|
|||
- sources/oauth: set prompt=none for Discord provider
|
||||
- sources/plex: allow users to connect their plex account without login flow
|
||||
- sources/plex: use exception_to_string in tasks
|
||||
- stages/authenticator_*: add default name for authenticators
|
||||
- stages/authenticator\_\*: add default name for authenticators
|
||||
- stages/identification: only allow limited challenges for login sources
|
||||
- stages/identification: use random sleep
|
||||
- stages/prompt: add text_read_only field
|
||||
|
@ -211,7 +211,7 @@ A huge shoutout to all the people that contributed, helped test and also transla
|
|||
- root: use python slim-bullseye as base
|
||||
- sources/ldap: fix user/group sync overwriting attributes instead of merging them
|
||||
- sources/ldap: set connect/receive timeout (default to 15s)
|
||||
- stages/*: disable trim_whitespace on important fields
|
||||
- stages/\*: disable trim_whitespace on important fields
|
||||
- stages/authenticator_duo: fix devices created with name
|
||||
- stages/authenticator_validate: enable all device classes by default
|
||||
- web: write interfaces to different folders and remove custom chunk names
|
||||
|
|
|
@ -13,7 +13,7 @@ This release does not have any headline features, and mostly fixes bugs.
|
|||
|
||||
## Minor changes
|
||||
|
||||
- core: make defaults for _change_email and _change_username configurable
|
||||
- core: make defaults for \_change_email and \_change_username configurable
|
||||
- core: remove dump_config, handle directly in config loader without booting django, don't check database
|
||||
- events: add gdpr_compliance option
|
||||
- internal: fix integrated docs not working
|
||||
|
@ -63,7 +63,7 @@ This release does not have any headline features, and mostly fixes bugs.
|
|||
|
||||
## Fixed in 2021.12.1-rc2
|
||||
|
||||
- *: don't use go embed to make using custom files easier
|
||||
- \*: don't use go embed to make using custom files easier
|
||||
- crypto: add certificate discovery to automatically import certificates from lets encrypt
|
||||
- crypto: fix default API not having an ordering
|
||||
- outposts: always trigger outpost reconcile on startup
|
||||
|
@ -94,7 +94,7 @@ This release does not have any headline features, and mostly fixes bugs.
|
|||
- policies/expression: add ak_call_policy
|
||||
- providers/saml: add ?force_binding to limit bindings for metadata endpoint
|
||||
- root: add request_id to celery tasks, prefixed with "task-"
|
||||
- sources/*: Allow creation of source connections via API
|
||||
- sources/\*: Allow creation of source connections via API
|
||||
- stages/prompt: use policyenginemode all
|
||||
- tests/e2e: add post binding test
|
||||
- web: fix duplicate classes, make generic icon clickable
|
||||
|
@ -179,7 +179,7 @@ This release does not have any headline features, and mostly fixes bugs.
|
|||
|
||||
## Fixed in 2021.12.3
|
||||
|
||||
- *: revert to using GHCR directly
|
||||
- \*: revert to using GHCR directly
|
||||
- core: fix error when getting launch URL for application with non-existent Provider
|
||||
- internal: fix sentry sample rate not applying to proxy
|
||||
- internal: rework global logging settings, embedded outpost no longer overwrites core
|
||||
|
@ -216,7 +216,7 @@ This release does not have any headline features, and mostly fixes bugs.
|
|||
|
||||
## Fixed in 2021.12.5
|
||||
|
||||
- *: use py3.10 syntax for unions, remove old Type[] import when possible
|
||||
- \*: use py3.10 syntax for unions, remove old Type[] import when possible
|
||||
- core: add API endpoint to directly set user's password
|
||||
- core: add error handling in source flow manager when flow isn't applicable
|
||||
- core: fix UserSelfSerializer's save() overwriting other user attributes
|
||||
|
|
|
@ -68,7 +68,7 @@ slug: "2021.2"
|
|||
- policies: skip cache on debug request
|
||||
- providers/proxy: fix certificates without key being selectable
|
||||
- root: log runtime in milliseconds
|
||||
- sources/*: switch API to use slug in URL
|
||||
- sources/\*: switch API to use slug in URL
|
||||
- sources/ldap: add API for sync status
|
||||
- sources/oauth: add callback URL to api
|
||||
- web: fix ModalButton working in global scope, causing issues on 2nd use
|
||||
|
@ -116,6 +116,7 @@ Due to the switch to managed objects, some default property mappings are changin
|
|||
The change affects the "SAML Name" property, which has been changed from an oid to a Schema URI to aid readability.
|
||||
|
||||
The integrations affected are:
|
||||
|
||||
- [Ansible Tower/AWX](/integrations/services/awx-tower/)
|
||||
- [GitLab](/integrations/services/gitlab/)
|
||||
- [NextCloud](/integrations/services/nextcloud/)
|
||||
|
|
|
@ -39,7 +39,6 @@ slug: "2021.3"
|
|||
|
||||
If you conditionally include this stage in a flow, make sure to disable "Evaluate on plan", as that will always include the stage in the flow, regardless of the inputs.
|
||||
|
||||
|
||||
## Fixed in 2021.3.2
|
||||
|
||||
- sources/ldap: fix sync for Users without pwdLastSet
|
||||
|
@ -58,7 +57,7 @@ slug: "2021.3"
|
|||
|
||||
## Fixed in 2021.3.4
|
||||
|
||||
- admin: include git build hash in gh-* tags and show build hash in admin overview
|
||||
- admin: include git build hash in gh-\* tags and show build hash in admin overview
|
||||
- events: don't fail on boot when geoip can't be opened
|
||||
- helm: add initial geoip
|
||||
- outposts: improve logs for outpost connection
|
||||
|
@ -80,7 +79,6 @@ slug: "2021.3"
|
|||
- web: use loadingState for autosubmitStage
|
||||
- web: use sections in sidebar, adjust colouring
|
||||
|
||||
|
||||
## Upgrading
|
||||
|
||||
This release does not introduce any new requirements.
|
||||
|
|
|
@ -7,8 +7,8 @@ slug: "2021.4"
|
|||
|
||||
- Configurable Policy engine mode
|
||||
|
||||
In the past, all objects, which could have policies attached to them, required *all* policies to pass to consider an action successful.
|
||||
You can now configure if *all* policies need to pass, or if *any* policy needs to pass.
|
||||
In the past, all objects, which could have policies attached to them, required _all_ policies to pass to consider an action successful.
|
||||
You can now configure if _all_ policies need to pass, or if _any_ policy needs to pass.
|
||||
|
||||
This can now be configured for the following objects:
|
||||
|
||||
|
@ -17,7 +17,7 @@ slug: "2021.4"
|
|||
- Flows
|
||||
- Flow-stage bindings
|
||||
|
||||
For backwards compatibility, this is set to *all*, but new objects will default to *any*.
|
||||
For backwards compatibility, this is set to _all_, but new objects will default to _any_.
|
||||
|
||||
- Expiring Events
|
||||
|
||||
|
@ -60,10 +60,9 @@ slug: "2021.4"
|
|||
- web/admin: fix error when user doesn't have permissions to read source
|
||||
- web/admin: fix errors in user profile when non-superuser
|
||||
|
||||
|
||||
## Fixed in 2021.4.3
|
||||
|
||||
- *: add model_name to TypeCreate API to distinguish between models sharing a component
|
||||
- \*: add model_name to TypeCreate API to distinguish between models sharing a component
|
||||
- api: fix CSRF error when using POST/PATCH/PUT in API Browser
|
||||
- api: make 401 messages clearer
|
||||
- api: mount outposts under outposts/instances to match flows
|
||||
|
@ -86,7 +85,7 @@ slug: "2021.4"
|
|||
|
||||
## Fixed in 2021.4.4
|
||||
|
||||
- *: make tasks run every 60 minutes not :00 every hour
|
||||
- \*: make tasks run every 60 minutes not :00 every hour
|
||||
- outposts: check for X-Forwarded-Host to switch context
|
||||
- outposts: improve update performance
|
||||
- outposts: move local connection check to task, run every 60 minutes
|
||||
|
|
|
@ -93,7 +93,7 @@ This feature is still in technical preview, so please report any Bugs you run in
|
|||
## Fixed in 2021.5.4
|
||||
|
||||
- providers/oauth2: add missing kid header to JWT Tokens
|
||||
- stages/authenticator_*: fix Permission Error when disabling Authenticator as non-superuser
|
||||
- stages/authenticator\_\*: fix Permission Error when disabling Authenticator as non-superuser
|
||||
- web: fix missing flow and policy cache clearing UI
|
||||
- web: set x-forwarded-proto based on upstream TLS Status
|
||||
|
||||
|
|
|
@ -20,21 +20,21 @@ slug: "2021.8"
|
|||
|
||||
## Minor changes
|
||||
|
||||
- admin: add API to show embedded outpost status, add notice when its not configured properly
|
||||
- api: ensure all resources can be filtered
|
||||
- api: make all PropertyMappings filterable by multiple managed attributes
|
||||
- core: add API to directly send recovery link to user
|
||||
- core: add UserSelfSerializer and separate method for users to update themselves with limited fields
|
||||
- core: allow changing of groups a user is in from user api
|
||||
- flows: fix unhandled error in stage execution not being logged as SYSTEM_EXCEPTION event
|
||||
- lifecycle: decrease default worker count on compose
|
||||
- outpost/ldap: Performance improvements, support for (member=) lookup
|
||||
- providers/proxy: don't create ingress when no hosts are defined
|
||||
- sources/plex: add API to get user connections
|
||||
- web: add API Drawer
|
||||
- web/admin: add UI to copy invitation link
|
||||
- web/admin: allow modification of users groups from user view
|
||||
- web/admin: re-name service connection to integration
|
||||
- admin: add API to show embedded outpost status, add notice when its not configured properly
|
||||
- api: ensure all resources can be filtered
|
||||
- api: make all PropertyMappings filterable by multiple managed attributes
|
||||
- core: add API to directly send recovery link to user
|
||||
- core: add UserSelfSerializer and separate method for users to update themselves with limited fields
|
||||
- core: allow changing of groups a user is in from user api
|
||||
- flows: fix unhandled error in stage execution not being logged as SYSTEM_EXCEPTION event
|
||||
- lifecycle: decrease default worker count on compose
|
||||
- outpost/ldap: Performance improvements, support for (member=) lookup
|
||||
- providers/proxy: don't create ingress when no hosts are defined
|
||||
- sources/plex: add API to get user connections
|
||||
- web: add API Drawer
|
||||
- web/admin: add UI to copy invitation link
|
||||
- web/admin: allow modification of users groups from user view
|
||||
- web/admin: re-name service connection to integration
|
||||
|
||||
## Fixed in 2021.8.1-rc2
|
||||
|
||||
|
@ -78,7 +78,7 @@ slug: "2021.8"
|
|||
|
||||
## Fixed in 2021.8.1
|
||||
|
||||
- *: cleanup api schema warnings
|
||||
- \*: cleanup api schema warnings
|
||||
- core: fix error for asgi error handler with websockets
|
||||
- core: fix error when user updates themselves
|
||||
- core: fix user object for token not be set-able
|
||||
|
|
|
@ -31,7 +31,7 @@ slug: "2021.9"
|
|||
|
||||
## Minor changes
|
||||
|
||||
- *: use common user agent for all outgoing requests
|
||||
- \*: use common user agent for all outgoing requests
|
||||
- admin: migrate to new update check, add option to disable update check
|
||||
- api: add additional filters for ldap and proxy providers
|
||||
- core: optimise groups api by removing member superuser status
|
||||
|
|
|
@ -25,7 +25,7 @@ This release mostly removes legacy fields and features that have been deprecated
|
|||
|
||||
The proxy now also sets the host header based on what is configured as upstream in the proxy provider. The original Host is forwarded as `X-Forwarded-Host`.
|
||||
|
||||
Additionally, the header requirements for nginx have changed. Either a `X-Original-URL` or `X-Original-URI` header are now required. See the [*Proxy provider*](../providers/proxy/forward_auth) documentation for updated snippets.
|
||||
Additionally, the header requirements for nginx have changed. Either a `X-Original-URL` or `X-Original-URI` header are now required. See the [_Proxy provider_](../providers/proxy/forward_auth) documentation for updated snippets.
|
||||
|
||||
- API:
|
||||
|
||||
|
|
|
@ -30,8 +30,8 @@ In an authenticator validation stage you can now configure multiple configuratio
|
|||
|
||||
## Minor changes/fixes
|
||||
|
||||
- *: add placeholder custom.css to easily allow user customisation
|
||||
- *: rename akprox to outpost.goauthentik.io (#2266)
|
||||
- \*: add placeholder custom.css to easily allow user customisation
|
||||
- \*: rename akprox to outpost.goauthentik.io (#2266)
|
||||
- internal: don't attempt to lookup SNI Certificate if no SNI is sent
|
||||
- internal: improve error handling for internal reverse proxy
|
||||
- internal: increase logging for no hostname found
|
||||
|
|
|
@ -15,7 +15,7 @@ slug: "2022.5"
|
|||
|
||||
## Minor changes/fixes
|
||||
|
||||
- *: decrease frequency of background tasks, smear tasks based on name and fqdn
|
||||
- \*: decrease frequency of background tasks, smear tasks based on name and fqdn
|
||||
- core: add custom shell command which imports all models and creates events for model events
|
||||
- core: add flag to globally disable impersonation
|
||||
- events: fix created events only being logged as debug level
|
||||
|
|
|
@ -4,7 +4,7 @@ title: Missing admin group
|
|||
|
||||
If all of the Admin groups have been deleted, or misconfigured during sync, you can use the following command to gain access back.
|
||||
|
||||
Run the following command, where *username* is the user you want to add to the newly created group:
|
||||
Run the following command, where _username_ is the user you want to add to the newly created group:
|
||||
|
||||
```
|
||||
docker-compose run --rm server create_admin_group username
|
||||
|
|
|
@ -10,4 +10,4 @@ When you bind a group to an application or flow, any members of any child group
|
|||
|
||||
## Attributes
|
||||
|
||||
Attributes of groups are recursively merged, for all groups the user is a *direct* member of.
|
||||
Attributes of groups are recursively merged, for all groups the user is a _direct_ member of.
|
||||
|
|
|
@ -48,12 +48,15 @@ The User object has the following attributes:
|
|||
- `ak_groups` This is a queryset of all the user's groups.
|
||||
|
||||
You can do additional filtering like
|
||||
|
||||
```python
|
||||
user.ak_groups.filter(name__startswith='test')
|
||||
```
|
||||
|
||||
see [here](https://docs.djangoproject.com/en/3.1/ref/models/querysets/#id4)
|
||||
|
||||
To get the name of all groups, you can do
|
||||
|
||||
```python
|
||||
[group.name for group in user.ak_groups.all()]
|
||||
```
|
||||
|
|
|
@ -23,7 +23,7 @@ Create an OAuth2/OpenID provider with the following parameters:
|
|||
- Redirect URIs: `https://guacamole.company/` (depending on your Tomcat setup, you might have to add `/guacamole/` if the application runs in a subfolder)
|
||||
- Scopes: OpenID, Email and Profile
|
||||
|
||||
Under *Advanced protocol settings*, set the following:
|
||||
Under _Advanced protocol settings_, set the following:
|
||||
|
||||
- Token validity: Any value to configure how long the session should last. Guacamole will not accept any tokens valid longer than 300 Minutes.
|
||||
|
||||
|
@ -31,8 +31,8 @@ Note the Client ID value. Create an application, using the provider you've creat
|
|||
|
||||
## Guacamole
|
||||
|
||||
import Tabs from '@theme/Tabs';
|
||||
import TabItem from '@theme/TabItem';
|
||||
import Tabs from "@theme/Tabs";
|
||||
import TabItem from "@theme/TabItem";
|
||||
|
||||
<Tabs
|
||||
defaultValue="docker"
|
||||
|
@ -50,6 +50,7 @@ OPENID_ISSUER: https://authentik.company/application/o/*Slug of the application
|
|||
OPENID_JWKS_ENDPOINT: https://authentik.company/application/o/*Slug of the application from above*/jwks/
|
||||
OPENID_REDIRECT_URI: https://guacamole.company/ # This must match the redirect URI above
|
||||
```
|
||||
|
||||
</TabItem>
|
||||
<TabItem value="standalone">
|
||||
Standalone Guacamole is configured using the `guacamole.properties` file. Add the following settings:
|
||||
|
@ -61,5 +62,6 @@ openid-issuer=https://authentik.company/application/o/*Slug of the application f
|
|||
openid-jwks-endpoint=https://authentik.company/application/o/*Slug of the application from above*/jwks/
|
||||
openid-redirect-uri=https://guacamole.company/ # This must match the redirect URI above
|
||||
```
|
||||
|
||||
</TabItem>
|
||||
</Tabs>
|
||||
|
|
|
@ -27,6 +27,7 @@ The following placeholders will be used:
|
|||
In authentik, under _Providers_, create a _SAML Provider_ with these settings:
|
||||
|
||||
**Protocol Settings**
|
||||
|
||||
- Name: Bookstack
|
||||
- ACS URL: https://book.company/saml2/acs
|
||||
- Issuer: https://authentik.company
|
||||
|
@ -34,8 +35,9 @@ In authentik, under _Providers_, create a _SAML Provider_ with these settings:
|
|||
- Audience: https://book.company/saml2/metadata
|
||||
|
||||
**Advanced protocol settings**
|
||||
|
||||
- Signing Certificate: Choose your certificate or the default authentik Self-signed Certificate
|
||||
All other options as default.
|
||||
All other options as default.
|
||||
|
||||
![](./authentik_saml_bookstack.png)
|
||||
|
||||
|
|
|
@ -22,6 +22,7 @@ The following placeholders will be used:
|
|||
Create an application and Provider in authentik, note the slug, as this will be used later. Create a SAML provider with the following parameters:
|
||||
|
||||
Provider:
|
||||
|
||||
- ACS URL: `https://fgm.company/saml/?acs`
|
||||
- Issuer: `https://authentik.company/application/saml/fgm/sso/binding/redirect/`
|
||||
- Service Provider Binding: Post
|
||||
|
@ -29,6 +30,7 @@ Provider:
|
|||
You can of course use a custom signing certificate, and adjust durations.
|
||||
|
||||
Application:
|
||||
|
||||
- Launch URL: 'https://fgm.company/p/sso_sp/'
|
||||
|
||||
## FortiManager Configuration
|
||||
|
|
|
@ -24,12 +24,12 @@ Create an application in authentik and note the slug, as this will be used later
|
|||
- Issuer: `https://gitlab.company`
|
||||
- Binding: `Redirect`
|
||||
|
||||
Under *Advanced protocol settings*, set a certificate for *Signing Certificate*.
|
||||
Under _Advanced protocol settings_, set a certificate for _Signing Certificate_.
|
||||
|
||||
## GitLab Configuration
|
||||
|
||||
Paste the following block in your `gitlab.rb` file, after replacing the placeholder values from above. The file is located in `/etc/gitlab`.
|
||||
To get the value for `idp_cert_fingerprint`, go to the Certificate list under *Identity & Cryptography*, and expand the selected certificate.
|
||||
To get the value for `idp_cert_fingerprint`, go to the Certificate list under _Identity & Cryptography_, and expand the selected certificate.
|
||||
|
||||
```ruby
|
||||
gitlab_rails['omniauth_enabled'] = true
|
||||
|
|
|
@ -28,8 +28,8 @@ Note the Client ID and Client Secret values. Create an application, using the pr
|
|||
|
||||
## Grafana
|
||||
|
||||
import Tabs from '@theme/Tabs';
|
||||
import TabItem from '@theme/TabItem';
|
||||
import Tabs from "@theme/Tabs";
|
||||
import TabItem from "@theme/TabItem";
|
||||
|
||||
<Tabs
|
||||
defaultValue="docker"
|
||||
|
@ -56,6 +56,7 @@ environment:
|
|||
# Optionally map user groups to Grafana roles
|
||||
GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'"
|
||||
```
|
||||
|
||||
</TabItem>
|
||||
<TabItem value="standalone">
|
||||
If you are using a config-file instead, you have to set these options:
|
||||
|
@ -78,6 +79,7 @@ api_url = https://authentik.company/application/o/userinfo/
|
|||
# Optionally map user groups to Grafana roles
|
||||
role_attribute_path = contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'
|
||||
```
|
||||
|
||||
</TabItem>
|
||||
</Tabs>
|
||||
|
||||
|
|
|
@ -35,11 +35,13 @@ Only settings that have been modified from default have been listed.
|
|||
- Signing Key: Select any available key
|
||||
|
||||
- Redirect URIs/Origins:
|
||||
|
||||
```
|
||||
https://vault.company/ui/vault/auth/oidc/oidc/callback
|
||||
https://vault.company/oidc/callback
|
||||
http://localhost:8250/oidc/callback
|
||||
```
|
||||
|
||||
:::note
|
||||
Take note of the `Client ID` and `Client Secret`, you'll need to give them to Vault in _Step 3_.
|
||||
:::
|
||||
|
@ -59,9 +61,10 @@ Only settings that have been modified from default have been listed.
|
|||
### Step 3
|
||||
|
||||
Enable the oidc auth method
|
||||
```vault auth enable oidc```
|
||||
`vault auth enable oidc`
|
||||
|
||||
Configure the oidc auth method, oidc discovery url is the OpenID Configuration Issuer in your provider
|
||||
|
||||
```
|
||||
vault write auth/oidc/config \
|
||||
oidc_discovery_url="https://authentik.company/application/o/vault-slug/" \
|
||||
|
@ -71,6 +74,7 @@ vault write auth/oidc/config \
|
|||
```
|
||||
|
||||
Create the reader role
|
||||
|
||||
```
|
||||
vault write auth/oidc/role/reader \
|
||||
bound_audiences="Client ID" \
|
||||
|
@ -82,4 +86,4 @@ vault write auth/oidc/role/reader \
|
|||
```
|
||||
|
||||
You should then be able to sign in via OIDC
|
||||
```vault login -method=oidc role="reader"```
|
||||
`vault login -method=oidc role="reader"`
|
||||
|
|
|
@ -33,14 +33,14 @@ You need to set the following `env` Variables for Docker based installations.
|
|||
Set the following values:
|
||||
|
||||
```yaml
|
||||
CMD_OAUTH2_PROVIDERNAME: 'authentik'
|
||||
CMD_OAUTH2_CLIENT_ID: '<Client ID from above>'
|
||||
CMD_OAUTH2_CLIENT_SECRET: '<Client Secret from above>'
|
||||
CMD_OAUTH2_SCOPE: 'openid email profile'
|
||||
CMD_OAUTH2_USER_PROFILE_URL: 'https://authentik.company/application/o/userinfo/'
|
||||
CMD_OAUTH2_TOKEN_URL: 'https://authentik.company/application/o/token/'
|
||||
CMD_OAUTH2_AUTHORIZATION_URL: 'https://authentik.company/application/o/authorize/'
|
||||
CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR: 'preferred_username'
|
||||
CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR: 'name'
|
||||
CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR: 'email'
|
||||
CMD_OAUTH2_PROVIDERNAME: "authentik"
|
||||
CMD_OAUTH2_CLIENT_ID: "<Client ID from above>"
|
||||
CMD_OAUTH2_CLIENT_SECRET: "<Client Secret from above>"
|
||||
CMD_OAUTH2_SCOPE: "openid email profile"
|
||||
CMD_OAUTH2_USER_PROFILE_URL: "https://authentik.company/application/o/userinfo/"
|
||||
CMD_OAUTH2_TOKEN_URL: "https://authentik.company/application/o/token/"
|
||||
CMD_OAUTH2_AUTHORIZATION_URL: "https://authentik.company/application/o/authorize/"
|
||||
CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR: "preferred_username"
|
||||
CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR: "name"
|
||||
CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR: "email"
|
||||
```
|
||||
|
|
|
@ -27,13 +27,13 @@ Create a SAML provider with the following parameters:
|
|||
- Issuer: `https://authentik.company`
|
||||
- Binding: `Post`
|
||||
|
||||
Under *Advanced protocol settings*, set a certificate for *Signing Certificate*.
|
||||
Under _Advanced protocol settings_, set a certificate for _Signing Certificate_.
|
||||
|
||||
## Kimai Configuration
|
||||
|
||||
Paste the following block in your `local.yaml` file, after replacing the placeholder values from above. The file is usually located in `/opt/kimai/config/packages/local.yaml`.
|
||||
|
||||
To get the value for `x509cert`, go to *System* > *Certificates*, and download the public Signing Certificate. To avoid further problems, concat it into "string format" using e.g.: https://www.samltool.com/format_x509cert.php
|
||||
To get the value for `x509cert`, go to _System_ > _Certificates_, and download the public Signing Certificate. To avoid further problems, concat it into "string format" using e.g.: https://www.samltool.com/format_x509cert.php
|
||||
|
||||
```yaml
|
||||
# Optionally add this for docker debug-logging
|
||||
|
@ -111,7 +111,6 @@ kimai:
|
|||
name: "Kimai"
|
||||
displayname: "Kimai"
|
||||
url: "https://kimai.company"
|
||||
|
||||
```
|
||||
|
||||
Afterwards, either [rebuild the cache](https://www.kimai.org/documentation/cache.html) or restart the docker container.
|
||||
|
|
|
@ -68,8 +68,8 @@ See https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/r
|
|||
Create a group for each different level of quota you want users to have. Set a custom attribute, for example called `nextcloud_quota`, to the quota you want, for example `15 GB`.
|
||||
|
||||
Afterwards, create a custom SAML Property Mapping with the name `SAML NextCloud Quota`.
|
||||
Set the *SAML Name* to `nextcloud_quota`.
|
||||
Set the *Expression* to `return user.group_attributes().get("nextcloud_quota", "1 GB")`, where `1 GB` is the default value for users that don't belong to another group (or have another value set).
|
||||
Set the _SAML Name_ to `nextcloud_quota`.
|
||||
Set the _Expression_ to `return user.group_attributes().get("nextcloud_quota", "1 GB")`, where `1 GB` is the default value for users that don't belong to another group (or have another value set).
|
||||
|
||||
## Admin Group
|
||||
|
||||
|
|
|
@ -21,30 +21,30 @@ The following placeholders will be used:
|
|||
- `authentik.company` is the FQDN of authentik.
|
||||
- `onlyoffice.company` is the FQDN of the OnlyOffice instance.
|
||||
|
||||
Open your OnlyOffice instance, navigate to the settings by clicking the cog-icon in the navbar, then click on *Control Panel* on the sidebar.
|
||||
Open your OnlyOffice instance, navigate to the settings by clicking the cog-icon in the navbar, then click on _Control Panel_ on the sidebar.
|
||||
|
||||
In the new tab, click on *SSO* in the sidebar.
|
||||
In the new tab, click on _SSO_ in the sidebar.
|
||||
|
||||
Click the *Enable Single Sign-on Authentication* checkbox to enable SSO.
|
||||
Click the _Enable Single Sign-on Authentication_ checkbox to enable SSO.
|
||||
|
||||
Scroll down to *ONLYOFFICE SP Metadata*, and copy the *SP Entity ID (link to metadata XML)* URL. Open this URL in a new tab, and download the XML file.
|
||||
Scroll down to _ONLYOFFICE SP Metadata_, and copy the _SP Entity ID (link to metadata XML)_ URL. Open this URL in a new tab, and download the XML file.
|
||||
|
||||
## authentik Setup
|
||||
|
||||
Create an application in authentik, and create a SAML Provider by using *SAML Provider from Metadata*. Give the provider a name, and upload the XML file you've downloaded in the previous step.
|
||||
Create an application in authentik, and create a SAML Provider by using _SAML Provider from Metadata_. Give the provider a name, and upload the XML file you've downloaded in the previous step.
|
||||
|
||||
Edit the resulting Provider, and ensure *Signing Certificate* is set to any certificate.
|
||||
Edit the resulting Provider, and ensure _Signing Certificate_ is set to any certificate.
|
||||
|
||||
Navigate on the *Metadata* tab on the Provider page, and click *Copy download URL*.
|
||||
Navigate on the _Metadata_ tab on the Provider page, and click _Copy download URL_.
|
||||
|
||||
## OnlyOffice Setup
|
||||
|
||||
Navigate back to your OnlyOffice Control panel, and paste the URL into *Load metadata from XML to fill the required fields automatically*, and click the upload button next to the input field.
|
||||
Navigate back to your OnlyOffice Control panel, and paste the URL into _Load metadata from XML to fill the required fields automatically_, and click the upload button next to the input field.
|
||||
|
||||
Under *Attribute Mapping*, set the following values
|
||||
Under _Attribute Mapping_, set the following values
|
||||
|
||||
- *First Name*: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`
|
||||
- *Last Name*: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`
|
||||
- *Email*: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`
|
||||
- _First Name_: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`
|
||||
- _Last Name_: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`
|
||||
- _Email_: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`
|
||||
|
||||
Click save and a new SSO button will appear on the OnlyOffice login page.
|
||||
|
|
|
@ -40,6 +40,7 @@ Only settings that have been modified from default have been listed.
|
|||
:::
|
||||
|
||||
**Protocol Settings**
|
||||
|
||||
- Name: LDAP
|
||||
- Search group: opnsense
|
||||
- Certificate: authentik Self-signed certificate
|
||||
|
@ -66,6 +67,7 @@ Only settings that have been modified from default have been listed.
|
|||
|
||||
- Name: LDAP
|
||||
- Type: LDAP
|
||||
|
||||
### Step 5
|
||||
|
||||
Add your authentik LDAP server to OPNsense by going to your OPNsense Web UI and clicking the `+` under _System/Access/Servers_.
|
||||
|
@ -83,6 +85,7 @@ Change the following fields
|
|||
- Extended Query: &(objectClass=user)
|
||||
|
||||
![](./opnsense1.png)
|
||||
|
||||
### Step 6
|
||||
|
||||
In OPNsense, go to _System/Settings/Administration_ and under _Authentication_ at the bottom of that page, add `authentik` to the Server list
|
||||
|
|
|
@ -24,14 +24,15 @@ The following placeholders will be used:
|
|||
|
||||
Also set up your proxy server to use forward auth with paperless.company: https://goauthentik.io/docs/providers/proxy/forward_auth
|
||||
|
||||
|
||||
## Paperless
|
||||
|
||||
Start by adding the following environment variables to your Paperless-ng setup. If you are using docker-compose, then add the following to your docker-compose.env file:
|
||||
|
||||
```
|
||||
PAPERLESS_ENABLE_HTTP_REMOTE_USER=TRUE
|
||||
PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME=HTTP_X_AUTHENTIK_USERNAME
|
||||
```
|
||||
|
||||
Authentik automatically sets this header when we use a proxy outpost.
|
||||
|
||||
Now restart your container:
|
||||
|
|
|
@ -22,7 +22,6 @@ The following placeholders will be used:
|
|||
- `pfsense-user` is the name of the authentik Service account we'll create.
|
||||
- `DC=ldap,DC=goauthentik,DC=io` is the Base DN of the LDAP Provider (default)
|
||||
|
||||
|
||||
### Step 1 - Service account
|
||||
|
||||
In authentik, create a service account (under _Directory/Users_) for pfSense to use as the LDAP Binder and take note of the password generated.
|
||||
|
@ -33,10 +32,10 @@ In this example, we'll use `pfsense-user` as the Service account's username
|
|||
If you didn't keep the password, you can copy it from _Directory/Tokens & App password_.
|
||||
:::
|
||||
|
||||
|
||||
### Step 2 - LDAP Provider
|
||||
|
||||
In authentik, create a LDAP Provider (under _Applications/Providers_) with these settings :
|
||||
|
||||
- Name : LDAP
|
||||
- Bind DN : `DC=ldap,DC=goauthentik,DC=io`
|
||||
- Certificate : `self-signed`
|
||||
|
@ -79,8 +78,6 @@ Change the following fields
|
|||
- Extended Query: &(objectClass=user)
|
||||
- Allow unauthenticated bind: **unticked**
|
||||
|
||||
|
||||
|
||||
## pfSense secure setup (with SSL)
|
||||
|
||||
When enabling SSL, authentik will send a certificate to pfSense. This certificate has to be signed by a certificate authority trusted by pfSense. In this setup we will create our own certificate authority in pfSense and create a certificate that will be used by authentik.
|
||||
|
@ -139,24 +136,18 @@ Change the following fields
|
|||
- Extended Query: &(objectClass=user)
|
||||
- Allow unauthenticated bind: **unticked**
|
||||
|
||||
|
||||
|
||||
## Test your setup
|
||||
|
||||
In pfSense, you can validate the authentication backend setup by going to _Diagnostics/Authentication_ and then select `LDAP authentik` as _Authentication Server_.
|
||||
|
||||
You can use the credentials of an authentik user, pfSense will tell you if the connection was successful or not. If it is, congratulations, you can now change the pfSense default authentication backend.
|
||||
|
||||
|
||||
|
||||
## Change pfSense default authentication backend
|
||||
|
||||
In pfSense, you can change the authentication backend used by the Web UI by going to _System/User Manager_ and then click on _Settings_ tab.
|
||||
|
||||
- Authentication Server: `LDAP authentik`
|
||||
|
||||
|
||||
|
||||
## Notes
|
||||
|
||||
:::tip
|
||||
|
|
|
@ -21,12 +21,12 @@ The following placeholders will be used:
|
|||
- `pgadmin.company` is the FQDN of pgAdmin.
|
||||
- `authentik.company` is the FQDN of authentik.
|
||||
|
||||
|
||||
### Step 1: Create authentik Provider
|
||||
|
||||
In authentik, under _Providers_, create an _OAuth2/OpenID Provider_ with these settings:
|
||||
|
||||
**Provider Settings**
|
||||
|
||||
- Name: pgAdmin
|
||||
- Client type: Confidential
|
||||
- Client ID: Copy and Save this for Later
|
||||
|
@ -34,6 +34,7 @@ In authentik, under _Providers_, create an _OAuth2/OpenID Provider_ with these s
|
|||
- Redirect URIs/Origins: `http://pgadmin.company/oauth2/authorize`
|
||||
|
||||
### Step 2: Create authentik Application
|
||||
|
||||
In authentik, create an application which uses this provider. Optionally apply access restrictions to the application using policy bindings.
|
||||
|
||||
- Name: pgAdmin
|
||||
|
@ -41,8 +42,8 @@ In authentik, create an application which uses this provider. Optionally apply a
|
|||
- Provider: pgAdmin
|
||||
- Launch URL: https://pgadmin.company
|
||||
|
||||
|
||||
### Step 3: Configure pgAdmin
|
||||
|
||||
All settings for OAuth in pgAdmin are configured in the `config_local.py` file. This file can usually be found in the path `/pgadmin4/config_local.py`
|
||||
|
||||
:::note
|
||||
|
@ -71,7 +72,9 @@ OAUTH2_CONFIG = [{
|
|||
'OAUTH2_BUTTON_COLOR' : '<button-color>'
|
||||
}]
|
||||
```
|
||||
|
||||
In the code above the following placeholders have been used:
|
||||
|
||||
- `<display-name>`: The name that is displayed on the Login Button
|
||||
- `<client-id>`: The Client ID from step 1
|
||||
- `<client-secret>`: The Client Secret from step 1
|
||||
|
|
|
@ -30,13 +30,13 @@ Only settings that have been modified from default have been listed.
|
|||
:::
|
||||
|
||||
**Protocol Settings**
|
||||
|
||||
- Name: Portainer
|
||||
- Client type: Confidential
|
||||
- Client ID: Copy and Save this for Later
|
||||
- Client Secret: Copy and Save this for later
|
||||
- Redirect URIs/Origins: `https://port.company`
|
||||
|
||||
|
||||
### Step 2 - Portainer
|
||||
|
||||
In Portainer, under _Settings_, _Authentication_, Select _OAuth_ and _Custom_
|
||||
|
@ -66,7 +66,6 @@ In authentik, create an application which uses this provider. Optionally apply a
|
|||
- Provider: Portainer
|
||||
- Launch URL: https://port.company
|
||||
|
||||
|
||||
## Notes
|
||||
|
||||
:::note
|
||||
|
|
|
@ -58,8 +58,9 @@ SAML_CERT=/saml.crt
|
|||
You must mount the certificate selected in authentik as a file in the Docker container. The path in the container must match the path in the env variable `SAML_CERT`.
|
||||
|
||||
### docker-compose
|
||||
|
||||
```yaml
|
||||
version: '3.3'
|
||||
version: "3.3"
|
||||
services:
|
||||
powerdns-admin:
|
||||
image: ngoduykhanh/powerdns-admin:latest
|
||||
|
|
|
@ -14,7 +14,6 @@ Proxmox Virtual Environment is an open source server virtualization management s
|
|||
This requires Proxmox VE 7.0 or newer.
|
||||
:::
|
||||
|
||||
|
||||
## Preparation
|
||||
|
||||
The following placeholders will be used:
|
||||
|
|
|
@ -18,7 +18,7 @@ The following placeholders will be used:
|
|||
- `rancher.company` is the FQDN of the Rancher install.
|
||||
- `authentik.company` is the FQDN of the authentik install.
|
||||
|
||||
Under *Property Mappings*, create a *SAML Property Mapping*. Give it a name like "SAML Rancher User ID". Set the SAML name to `rancherUidUsername` and the expression to the following
|
||||
Under _Property Mappings_, create a _SAML Property Mapping_. Give it a name like "SAML Rancher User ID". Set the SAML name to `rancherUidUsername` and the expression to the following
|
||||
|
||||
```python
|
||||
return f"{user.pk}-{user.username}"
|
||||
|
@ -37,7 +37,7 @@ You can of course use a custom signing certificate, and adjust durations.
|
|||
|
||||
## Rancher
|
||||
|
||||
In Rancher, navigate to *Global* -> *Security* -> *Authentication*, and select ADFS.
|
||||
In Rancher, navigate to _Global_ -> _Security_ -> _Authentication_, and select ADFS.
|
||||
|
||||
Fill in the fields
|
||||
|
||||
|
@ -46,7 +46,7 @@ Fill in the fields
|
|||
- UID Field: `rancherUidUsername`
|
||||
- Groups Field: `http://schemas.xmlsoap.org/claims/Group`
|
||||
|
||||
For the private key and certificate, you can either generate a new pair (in authentik, navigate to *Identity & Cryptography* -> *Certificates* and select Generate), or use an existing pair.
|
||||
For the private key and certificate, you can either generate a new pair (in authentik, navigate to _Identity & Cryptography_ -> _Certificates_ and select Generate), or use an existing pair.
|
||||
|
||||
Copy the metadata from authentik, and paste it in the metadata field.
|
||||
|
||||
|
|
|
@ -30,11 +30,13 @@ Only settings that have been modified from default have been listed.
|
|||
:::
|
||||
|
||||
**Protocol Settings**
|
||||
|
||||
- Name: RocketChat
|
||||
- Client type: Confidential
|
||||
- Client ID: Copy and Save this for Later
|
||||
- Client Secret: Copy and Save this for later
|
||||
- Redirect URIs/Origins:
|
||||
|
||||
```
|
||||
https://rocket.company/_oauth/authentik
|
||||
|
||||
|
@ -47,10 +49,12 @@ https://rocket.company/_oauth/authentik
|
|||
In authentik, under _Applications_, create a new application with these settings:
|
||||
|
||||
**Application Settings**
|
||||
|
||||
- Name: Rocket.chat
|
||||
- Slug: rocketchat
|
||||
- Provider: RocketChat
|
||||
- Launch URL:
|
||||
|
||||
```
|
||||
https://rocket.company/_oauth/authentik
|
||||
|
||||
|
@ -79,6 +83,7 @@ In Rocket.chat, follow the procedure below:
|
|||
![](./rocketchat6.png)
|
||||
|
||||
5. Scroll down to the new OAuth application, expand the dropdown, and enter the following settings:
|
||||
|
||||
- Enable: Turn the radio button to the _on_ position
|
||||
- URL: https://authentik.company/application/o
|
||||
- Token Path: /token/
|
||||
|
@ -114,8 +119,6 @@ In Rocket.chat, follow the procedure below:
|
|||
|
||||
6. Click _Save changes_ in the top right corner of the screen
|
||||
|
||||
|
||||
|
||||
### Step 4 (Optional)
|
||||
|
||||
:::note
|
||||
|
|
|
@ -56,6 +56,7 @@ $config['oauth_scope'] = "email openid dovecotprofile";
|
|||
$config['oauth_auth_parameters'] = [];
|
||||
$config['oauth_identity_fields'] = ['email'];
|
||||
```
|
||||
|
||||
## Dovecot Configuration
|
||||
|
||||
Add xoauth2 as an authentication mechanism and configure the following parameters in your Dovecot configuration.
|
||||
|
|
|
@ -28,7 +28,7 @@ Create an application in authentik. Create a SAML Provider with the following va
|
|||
- Service Provider Binding: `Post`
|
||||
- Audience: `https://sentry.company/saml/metadata/<sentry organisation name>/`
|
||||
|
||||
Under *Advanced protocol settings*, set the following:
|
||||
Under _Advanced protocol settings_, set the following:
|
||||
|
||||
- Signing Certificate: Select any certificate.
|
||||
- Property Mapping: Select all Managed Mappings
|
||||
|
|
|
@ -49,6 +49,7 @@ Because Sonarr can use HTTP Basic credentials, you can save your HTTP Basic Cred
|
|||
sonarr_user: username
|
||||
sonarr_password: password
|
||||
```
|
||||
|
||||
Add all Sonarr users to the Group. You should also create a Group Membership Policy to limit access to the application.
|
||||
|
||||
Enable the `Use Basic Authentication` option. Set and `HTTP-Basic Username` and `HTTP-Basic Password` to `sonarr_user` and `sonarr_password` respectively. These values can be chosen freely, `sonarr_` is just used as a prefix for clarity.
|
||||
|
|
|
@ -35,6 +35,7 @@ Create an application in authentik. Create a Proxy provider with the following p
|
|||
- Skip path regex
|
||||
|
||||
Add the following regex rules to keep the public status page accessible without authentication.
|
||||
|
||||
```
|
||||
^/$
|
||||
^/status
|
||||
|
|
|
@ -30,11 +30,13 @@ Only settings that have been modified from default have been listed.
|
|||
:::
|
||||
|
||||
**Protocol Settings**
|
||||
|
||||
- Name: Vikunja
|
||||
- Client type: Confidential
|
||||
- Client ID: Copy and Save this for Later
|
||||
- Client Secret: Copy and Save this for later
|
||||
- Redirect URIs/Origins:
|
||||
|
||||
```
|
||||
https://vik.company/auth/openid
|
||||
https://vik.company/auth/openid/Vikunja
|
||||
|
|
|
@ -10,7 +10,6 @@ From https://weblate.org/en/
|
|||
Weblate is a copylefted libre software web-based continuous localization system, used by over 2500 libre projects and companies in more than 165 countries.
|
||||
:::
|
||||
|
||||
|
||||
## Preparation
|
||||
|
||||
The following placeholders will be used:
|
||||
|
@ -33,33 +32,41 @@ You can of course use a custom signing certificate, and adjust durations.
|
|||
We need to create some property mappings so our application will work. After you create the property mappings, assign them to the provider.
|
||||
|
||||
### Full name
|
||||
* Name: `Weblate - Full name`
|
||||
* SAML Attribute Name: `urn:oid:2.5.4.3`
|
||||
* Expression
|
||||
|
||||
- Name: `Weblate - Full name`
|
||||
- SAML Attribute Name: `urn:oid:2.5.4.3`
|
||||
- Expression
|
||||
|
||||
```python
|
||||
return request.user.name
|
||||
```
|
||||
|
||||
### OID_USERID
|
||||
* Name: `Weblate - OID_USERID`
|
||||
* SAML Attribute Name: `urn:oid:0.9.2342.19200300.100.1.1`
|
||||
* Expression
|
||||
|
||||
- Name: `Weblate - OID_USERID`
|
||||
- SAML Attribute Name: `urn:oid:0.9.2342.19200300.100.1.1`
|
||||
- Expression
|
||||
|
||||
```python
|
||||
return request.user.username
|
||||
```
|
||||
|
||||
### Username
|
||||
* Name: `Weblate - Username`
|
||||
* SAML Attribute Name: `username`
|
||||
* Expression
|
||||
|
||||
- Name: `Weblate - Username`
|
||||
- SAML Attribute Name: `username`
|
||||
- Expression
|
||||
|
||||
```python
|
||||
return request.user.username
|
||||
```
|
||||
|
||||
### Email
|
||||
* Name: `Weblate - Email`
|
||||
* SAML Attribute Name: `email`
|
||||
* Expression
|
||||
|
||||
- Name: `Weblate - Email`
|
||||
- SAML Attribute Name: `email`
|
||||
- Expression
|
||||
|
||||
```python
|
||||
return request.user.email
|
||||
```
|
||||
|
@ -68,23 +75,23 @@ return request.user.email
|
|||
|
||||
The variables bellow need to be set, depending on if you deploy in a container or not you can take a look at the following links
|
||||
|
||||
* https://docs.weblate.org/en/latest/admin/config.html#config
|
||||
* https://docs.weblate.org/en/latest/admin/install/docker.html#docker-environment
|
||||
- https://docs.weblate.org/en/latest/admin/config.html#config
|
||||
- https://docs.weblate.org/en/latest/admin/install/docker.html#docker-environment
|
||||
|
||||
Variables to set
|
||||
|
||||
* ENABLE_HTTPS: `1`
|
||||
* SAML_IDP_ENTITY_ID: `https://authentik.company/application/saml/weblate-slug/sso/binding/redirect/`
|
||||
* SAML_IDP_URL: `https://authentik.company/application/saml/weblate-slug/sso/binding/redirect/`
|
||||
* SAML_IDP_X509CERT: `MIIFDjCCAvagAwIBAgIRAJV8hH0wGkhGvbhhDKppWIYwDQYJKoZIhvcNAQELBQAw....F9lT9hHwHhsnA=`
|
||||
- ENABLE_HTTPS: `1`
|
||||
- SAML_IDP_ENTITY_ID: `https://authentik.company/application/saml/weblate-slug/sso/binding/redirect/`
|
||||
- SAML_IDP_URL: `https://authentik.company/application/saml/weblate-slug/sso/binding/redirect/`
|
||||
- SAML_IDP_X509CERT: `MIIFDjCCAvagAwIBAgIRAJV8hH0wGkhGvbhhDKppWIYwDQYJKoZIhvcNAQELBQAw....F9lT9hHwHhsnA=`
|
||||
|
||||
The `SAML_IDP_X509CERT` is the certificate in the SAML Metadata `X509Certificate` key.
|
||||
|
||||
Should you wish to only allow registration and login through Authentik, you should set the following variables as well.
|
||||
|
||||
* REGISTRATION_OPEN: `0`
|
||||
* REGISTRATION_ALLOW_BACKENDS: `saml`
|
||||
* REQUIRE_LOGIN: `1`
|
||||
* NO_EMAIL_AUTH: `1`
|
||||
- REGISTRATION_OPEN: `0`
|
||||
- REGISTRATION_ALLOW_BACKENDS: `saml`
|
||||
- REQUIRE_LOGIN: `1`
|
||||
- NO_EMAIL_AUTH: `1`
|
||||
|
||||
Should you wish to deploy this in a container prefix all the variables with `WEBLATE_` and set them as enviornment variables
|
||||
|
|
|
@ -28,8 +28,8 @@ Note the Client ID and Client Secret values. Create an application, using the pr
|
|||
|
||||
## Wekan
|
||||
|
||||
import Tabs from '@theme/Tabs';
|
||||
import TabItem from '@theme/TabItem';
|
||||
import Tabs from "@theme/Tabs";
|
||||
import TabItem from "@theme/TabItem";
|
||||
|
||||
<Tabs
|
||||
defaultValue="docker"
|
||||
|
@ -41,8 +41,7 @@ import TabItem from '@theme/TabItem';
|
|||
If your Wekan is running in docker, add the following environment variables for authentik
|
||||
|
||||
```yaml
|
||||
environment:
|
||||
OAUTH2_ENABLED=true
|
||||
environment: OAUTH2_ENABLED=true
|
||||
OAUTH2_LOGIN_STYLE=redirect
|
||||
OAUTH2_CLIENT_ID=<Client ID from above>
|
||||
OAUTH2_SERVER_URL=https://authentik.company
|
||||
|
@ -55,6 +54,7 @@ environment:
|
|||
OAUTH2_FULLNAME_MAP=given_name
|
||||
OAUTH2_EMAIL_MAP=email
|
||||
```
|
||||
|
||||
</TabItem>
|
||||
<TabItem value="standalone">
|
||||
|
||||
|
@ -75,5 +75,6 @@ edit `.env` and add the following:
|
|||
OAUTH2_FULLNAME_MAP='given_name'
|
||||
OAUTH2_EMAIL_MAP='email'
|
||||
```
|
||||
|
||||
</TabItem>
|
||||
</Tabs>
|
||||
|
|
|
@ -69,4 +69,3 @@ In authentik, create an application which uses this provider. Optionally apply a
|
|||
Set the Launch URL to the _Callback URL / Redirect URI_ without the `/callback` at the end, as shown below. This will skip Wiki.js' login prompt and log you in directly.
|
||||
|
||||
![](./authentik_application.png)
|
||||
|
||||
|
|
|
@ -30,13 +30,13 @@ Only settings that have been modified from default have been listed.
|
|||
:::
|
||||
|
||||
**Protocol Settings**
|
||||
|
||||
- Name: Wordpress
|
||||
- Client type: Confidential
|
||||
- Client ID: Copy and Save this for Later
|
||||
- Client Secret: Copy and Save this for later
|
||||
- Redirect URIs/Origins: `https://wp.company/wp-admin/admin-ajax.php?action=openid-connect-authorize`
|
||||
|
||||
|
||||
### Step 2 - Wordpress
|
||||
|
||||
:::note
|
||||
|
@ -58,7 +58,6 @@ Only settings that have been modified from default have been listed.
|
|||
- Token Validation Endpoint URL: `https://authentik.company/application/o/token/`
|
||||
- End Session Endpoint URL: `https://authentik.company/application/o/wordpress/end-session/`
|
||||
|
||||
|
||||
:::note
|
||||
Review each setting and choose the ones that you require for your installation. Examples of popular settings are _Link Existing Users_, _Create user if does not exist_, and _Enforce Privacy_
|
||||
:::
|
||||
|
@ -72,7 +71,6 @@ In authentik, create an application which uses this provider. Optionally apply a
|
|||
- Provider: wordpress
|
||||
- Launch URL: https://wp.company
|
||||
|
||||
|
||||
## Notes
|
||||
|
||||
:::note
|
||||
|
|
|
@ -61,4 +61,3 @@ For additional security you can enable the Verification Certificate by checking
|
|||
```
|
||||
$SSO['IDP_CERT'] = '<path to the IDP cert file>';
|
||||
```
|
||||
|
||||
|
|
|
@ -63,6 +63,7 @@ The certificate file name must match the idp identifier name you set in the conf
|
|||
:::note
|
||||
Remember to restart Zulip.
|
||||
:::
|
||||
|
||||
## Additional Resources
|
||||
|
||||
Please refer to the following for further information:
|
||||
|
|
|
@ -27,7 +27,7 @@ The following placeholders will be used:
|
|||
|
||||
![](./02_delegate.png)
|
||||
|
||||
7. Grant these additional permissions (only required when *Sync users' password* is enabled, and dependent on your AD Domain)
|
||||
7. Grant these additional permissions (only required when _Sync users' password_ is enabled, and dependent on your AD Domain)
|
||||
|
||||
![](./03_additional_perms.png)
|
||||
|
||||
|
|
|
@ -10,22 +10,24 @@ The following placeholders will be used:
|
|||
|
||||
## Azure setup
|
||||
|
||||
1. Navigate to [portal.azure.com](https://portal.azure.com), and open the *App registration* service
|
||||
1. Navigate to [portal.azure.com](https://portal.azure.com), and open the _App registration_ service
|
||||
2. Register a new application
|
||||
|
||||
Under *Supported account types*, select whichever account type applies to your use-case.
|
||||
Under _Supported account types_, select whichever account type applies to your use-case.
|
||||
|
||||
![](./aad_01.png)
|
||||
3. Take note of the *Application (client) ID* value.
|
||||
|
||||
If you selected *Single tenant* in the *Supported account types* prompt, also note the *Directory (tenant) ID* value.
|
||||
4. Navigate to *Certificates & secrets* in the sidebar, and to the *Client secrets* tab.
|
||||
3. Take note of the _Application (client) ID_ value.
|
||||
|
||||
If you selected _Single tenant_ in the _Supported account types_ prompt, also note the _Directory (tenant) ID_ value.
|
||||
|
||||
4. Navigate to _Certificates & secrets_ in the sidebar, and to the _Client secrets_ tab.
|
||||
5. Add a new secret, with an identifier of your choice, and select any expiration. Currently the secret in authentik has to be rotated manually or via API, so it is recommended to choose at least 12 months.
|
||||
6. Note the secret's value in the *Value* column.
|
||||
6. Note the secret's value in the _Value_ column.
|
||||
|
||||
## authentik Setup
|
||||
|
||||
In authentik, create a new *Azure AD OAuth Source* in Resources -> Sources.
|
||||
In authentik, create a new _Azure AD OAuth Source_ in Resources -> Sources.
|
||||
|
||||
Use the following settings:
|
||||
|
||||
|
@ -34,7 +36,7 @@ Use the following settings:
|
|||
- Consumer key: `*Application (client) ID* value from above`
|
||||
- Consumer secret: `*Value* of the secret from above`
|
||||
|
||||
If you kept the default *Supported account types* selection of *Single tenant*, then you must change the URLs below as well:
|
||||
If you kept the default _Supported account types_ selection of _Single tenant_, then you must change the URLs below as well:
|
||||
|
||||
- Authorization URL: `https://login.microsoftonline.com/*Directory (tenant) ID* from above/oauth2/v2.0/authorize`
|
||||
- Access token URL: `https://login.microsoftonline.com/*Directory (tenant) ID* from above/oauth2/v2.0/token`
|
||||
|
|
|
@ -10,7 +10,6 @@ The following placeholders will be used:
|
|||
|
||||
- `authentik.company` is the FQDN of the authentik install.
|
||||
|
||||
|
||||
## Discord
|
||||
|
||||
1. Create an application in the Discord Developer Portal (This is Free) https://discord.com/developers/applications
|
||||
|
|
|
@ -40,6 +40,7 @@ The following placeholders will be used:
|
|||
Additional info: [22.1.2. Enabling Password Reset Without Prompting for a Password Change at the Next Login](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/user-authentication#user-passwords-no-expiry)
|
||||
|
||||
## authentik Setup
|
||||
|
||||
In authentik, create a new LDAP Source in Resources -> Sources.
|
||||
|
||||
Use these settings:
|
||||
|
|
|
@ -35,7 +35,6 @@ You will need to create a new project, and OAuth credentials in the Google Devel
|
|||
|
||||
![Example Screen](googledeveloper4.png)
|
||||
|
||||
|
||||
10. **User Type:** If you do not have a Google Workspace (GSuite) account choose _External_. If you do have a Google Workspace (Gsuite) account and want to limit access to only users inside of your organization choose _Internal_
|
||||
|
||||
_I'm only going to list the mandatory/important fields to complete._
|
||||
|
@ -47,7 +46,7 @@ _I'm only going to list the mandatory/important fields to complete._
|
|||
15. Click **Save and Continue**
|
||||
16. If you have special scopes configured for google, enter them on this screen. If not click **Save and Continue**
|
||||
17. If you want to create Test Users enter them here, if not click **Save and Continue**
|
||||
18. From the _Summary Page_ click on the **Credentials* link on the left. Same link as step 8
|
||||
18. From the _Summary Page_ click on the \*_Credentials_ link on the left. Same link as step 8
|
||||
19. Click **Create Credentials** on the top of the screen
|
||||
20. Choose **OAuth Client ID**
|
||||
|
||||
|
|
|
@ -7,6 +7,7 @@ Sources allow you to connect authentik to an existing user directory. They can a
|
|||
### Add Sources to Default Login Page
|
||||
|
||||
To have sources show on the default login screen you will need to add them. This is assuming you have not created or renamed the default stages and flows.
|
||||
|
||||
1. Access the **Flows** section
|
||||
2. Click on **default-authentication-flow**
|
||||
3. Click the **Stage Bindings** tab
|
||||
|
|
|
@ -16,6 +16,6 @@ Add _Plex_ as a _source_
|
|||
- Slug: Set a slug
|
||||
- Client ID: Set a unique Client Id or leave the generated ID
|
||||
- Press _Load Servers_ to login to plex and pick the authorized Plex Servers for "allowed users"
|
||||
- Decide if *anyone* with a plex account can authenticate or only friends you share with
|
||||
- Decide if _anyone_ with a plex account can authenticate or only friends you share with
|
||||
|
||||
Save, and you now have Plex as a source.
|
||||
|
|
|
@ -14,6 +14,6 @@ exports.handler = async function (event, context) {
|
|||
headers: {
|
||||
"content-type": "text/html",
|
||||
},
|
||||
body: `<meta name="go-import" content="${event.headers.host}${event.path} git https://github.com/${gitHubNamespace}${repo}">`
|
||||
body: `<meta name="go-import" content="${event.headers.host}${event.path} git https://github.com/${gitHubNamespace}${repo}">`,
|
||||
};
|
||||
}
|
||||
};
|
||||
|
|
|
@ -9,8 +9,8 @@ const config = {
|
|||
};
|
||||
|
||||
async function getToken(event) {
|
||||
const fetch = await import('node-fetch');
|
||||
const querystring = await import('querystring');
|
||||
const fetch = await import("node-fetch");
|
||||
const querystring = await import("querystring");
|
||||
let scope = event.queryStringParameters["scope"];
|
||||
let tokenParams = {
|
||||
service: config.registryService,
|
||||
|
@ -28,12 +28,14 @@ async function getToken(event) {
|
|||
} else {
|
||||
console.debug(`oci-proxy[token]: no scope`);
|
||||
// For non-scoped requests, we need to forward some URL parameters
|
||||
["account", "client_id", "offline_token", "token"].forEach(param => {
|
||||
tokenParams[param] = event.queryStringParameters[param]
|
||||
["account", "client_id", "offline_token", "token"].forEach((param) => {
|
||||
tokenParams[param] = event.queryStringParameters[param];
|
||||
});
|
||||
}
|
||||
const tokenUrl = `${config.registryTokenEndpoint}?${querystring.stringify(tokenParams)}`
|
||||
console.debug(`oci-proxy[token]: final URL to fetch: ${tokenUrl}`)
|
||||
const tokenUrl = `${config.registryTokenEndpoint}?${querystring.stringify(
|
||||
tokenParams
|
||||
)}`;
|
||||
console.debug(`oci-proxy[token]: final URL to fetch: ${tokenUrl}`);
|
||||
const tokenRes = await fetch.default(tokenUrl, {
|
||||
headers: forwardHeaders,
|
||||
});
|
||||
|
@ -51,7 +53,10 @@ exports.handler = async function (event, context) {
|
|||
console.debug("oci-proxy: handler=token proxy");
|
||||
return await getToken(event);
|
||||
}
|
||||
if (event.headers.authorization && event.headers.authorization.startsWith("Bearer ")) {
|
||||
if (
|
||||
event.headers.authorization &&
|
||||
event.headers.authorization.startsWith("Bearer ")
|
||||
) {
|
||||
console.debug("oci-proxy: authenticated root handler, returning 200");
|
||||
return {
|
||||
statusCode: 200,
|
||||
|
@ -60,9 +65,11 @@ exports.handler = async function (event, context) {
|
|||
"content-type": "application/json",
|
||||
},
|
||||
body: JSON.stringify({}),
|
||||
};
|
||||
}
|
||||
}
|
||||
console.debug("oci-proxy: root handler, returning 401 with www-authenticate");
|
||||
console.debug(
|
||||
"oci-proxy: root handler, returning 401 with www-authenticate"
|
||||
);
|
||||
return {
|
||||
statusCode: 401,
|
||||
headers: {
|
||||
|
@ -72,4 +79,4 @@ exports.handler = async function (event, context) {
|
|||
},
|
||||
body: JSON.stringify({}),
|
||||
};
|
||||
}
|
||||
};
|
||||
|
|
|
@ -9,7 +9,9 @@
|
|||
"build-docs-only": "docusaurus build --config docusaurus.docs-only.js --out-dir help",
|
||||
"swizzle": "docusaurus swizzle",
|
||||
"deploy": "docusaurus deploy",
|
||||
"serve": "docusaurus serve"
|
||||
"serve": "docusaurus serve",
|
||||
"prettier-check": "prettier --check .",
|
||||
"prettier": "prettier --write ."
|
||||
},
|
||||
"dependencies": {
|
||||
"@docusaurus/plugin-client-redirects": "2.0.0-beta.18",
|
||||
|
|
|
@ -146,16 +146,12 @@ module.exports = {
|
|||
{
|
||||
type: "category",
|
||||
label: "User",
|
||||
items: [
|
||||
"interfaces/user/customization",
|
||||
],
|
||||
items: ["interfaces/user/customization"],
|
||||
},
|
||||
{
|
||||
type: "category",
|
||||
label: "Admin",
|
||||
items: [
|
||||
"interfaces/admin/customization",
|
||||
],
|
||||
items: ["interfaces/admin/customization"],
|
||||
},
|
||||
],
|
||||
},
|
||||
|
|
|
@ -35,33 +35,99 @@ function Comparison() {
|
|||
<tbody>
|
||||
<tr>
|
||||
<td className="row-label">SAML2</td>
|
||||
<td className="result passed authentik"><Check></Check></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result failed"><X></X></td>
|
||||
<td className="result passed authentik">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result failed">
|
||||
<X></X>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td className="row-label">OAuth2 and OIDC</td>
|
||||
<td className="result passed authentik"><Check></Check></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result failed"><X></X></td>
|
||||
<td className="result passed authentik">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result failed">
|
||||
<X></X>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td className="row-label">LDAP</td>
|
||||
<td className="result passed authentik"><Check></Check></td>
|
||||
<td className="result failed"><X></X></td>
|
||||
<td className="result failed"><X></X></td>
|
||||
<td className="result warning"><AlertTriangle></AlertTriangle></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result failed"><X></X></td>
|
||||
<td className="result passed authentik">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result failed">
|
||||
<X></X>
|
||||
</td>
|
||||
<td className="result failed">
|
||||
<X></X>
|
||||
</td>
|
||||
<td className="result warning">
|
||||
<AlertTriangle></AlertTriangle>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result failed">
|
||||
<X></X>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td className="row-label">SCIM</td>
|
||||
<td className="result failed authentik">
|
||||
<X></X>
|
||||
</td>
|
||||
<td className="result warning">
|
||||
<AlertTriangle></AlertTriangle>
|
||||
</td>
|
||||
<td className="result failed">
|
||||
<X></X>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result failed">
|
||||
<X></X>
|
||||
</td>
|
||||
<td className="result failed">
|
||||
<X></X>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
<thead className="group">
|
||||
|
@ -79,43 +145,123 @@ function Comparison() {
|
|||
<tbody>
|
||||
<tr>
|
||||
<td className="row-label">SAML2</td>
|
||||
<td className="result passed authentik"><Check></Check></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result failed"><X></X></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result failed"><X></X></td>
|
||||
<td className="result passed authentik">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result failed">
|
||||
<X></X>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result failed">
|
||||
<X></X>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td className="row-label">OAuth2 and OIDC</td>
|
||||
<td className="result passed authentik"><Check></Check></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result failed"><X></X></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result failed"><X></X></td>
|
||||
<td className="result passed authentik">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result failed">
|
||||
<X></X>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result failed">
|
||||
<X></X>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td className="row-label">OAuth1</td>
|
||||
<td className="result passed authentik"><Check></Check></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result failed"><X></X></td>
|
||||
<td className="result failed"><X></X></td>
|
||||
<td className="result failed"><X></X></td>
|
||||
<td className="result failed"><X></X></td>
|
||||
<td className="result failed"><X></X></td>
|
||||
<td className="result passed authentik">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result failed">
|
||||
<X></X>
|
||||
</td>
|
||||
<td className="result failed">
|
||||
<X></X>
|
||||
</td>
|
||||
<td className="result failed">
|
||||
<X></X>
|
||||
</td>
|
||||
<td className="result failed">
|
||||
<X></X>
|
||||
</td>
|
||||
<td className="result failed">
|
||||
<X></X>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td className="row-label">LDAP</td>
|
||||
<td className="result passed authentik"><Check></Check></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result passed authentik">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td className="row-label">SCIM</td>
|
||||
<td className="result failed authentik">
|
||||
<X></X>
|
||||
</td>
|
||||
<td className="result warning">
|
||||
<AlertTriangle></AlertTriangle>
|
||||
</td>
|
||||
<td className="result failed">
|
||||
<X></X>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result failed">
|
||||
<X></X>
|
||||
</td>
|
||||
<td className="result failed">
|
||||
<X></X>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
<thead className="group">
|
||||
|
@ -133,33 +279,75 @@ function Comparison() {
|
|||
<tbody>
|
||||
<tr>
|
||||
<td className="row-label">Authentication</td>
|
||||
<td className="result passed authentik"><Check></Check></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result passed authentik">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td className="row-label">Enrollment</td>
|
||||
<td className="result passed authentik"><Check></Check></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result failed"><X></X></td>
|
||||
<td className="result failed"><X></X></td>
|
||||
<td className="result failed"><X></X></td>
|
||||
<td className="result failed"><X></X></td>
|
||||
<td className="result failed"><X></X></td>
|
||||
<td className="result passed authentik">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result failed">
|
||||
<X></X>
|
||||
</td>
|
||||
<td className="result failed">
|
||||
<X></X>
|
||||
</td>
|
||||
<td className="result failed">
|
||||
<X></X>
|
||||
</td>
|
||||
<td className="result failed">
|
||||
<X></X>
|
||||
</td>
|
||||
<td className="result failed">
|
||||
<X></X>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td className="row-label">Self-service</td>
|
||||
<td className="result passed authentik"><Check></Check></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result failed"><X></X></td>
|
||||
<td className="result passed authentik">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result failed">
|
||||
<X></X>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
<thead className="group">
|
||||
|
@ -177,43 +365,101 @@ function Comparison() {
|
|||
<tbody>
|
||||
<tr>
|
||||
<td className="row-label">MFA</td>
|
||||
<td className="result passed authentik"><Check></Check></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result failed"><X></X></td>
|
||||
<td className="result failed"><Check></Check></td>
|
||||
<td className="result failed"><Check></Check></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result passed authentik">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result failed">
|
||||
<X></X>
|
||||
</td>
|
||||
<td className="result failed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result failed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td className="row-label">Conditional Access</td>
|
||||
<td className="result passed authentik"><Check></Check></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result warning"><AlertTriangle></AlertTriangle></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result warning"><AlertTriangle></AlertTriangle></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="row-label">
|
||||
Conditional Access
|
||||
</td>
|
||||
<td className="result passed authentik">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result warning">
|
||||
<AlertTriangle></AlertTriangle>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result warning">
|
||||
<AlertTriangle></AlertTriangle>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td className="row-label">Open-source</td>
|
||||
<td className="result passed authentik"><Check></Check></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result failed"><X></X></td>
|
||||
<td className="result failed"><X></X></td>
|
||||
<td className="result failed"><X></X></td>
|
||||
<td className="result failed"><X></X></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result passed authentik">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result failed">
|
||||
<X></X>
|
||||
</td>
|
||||
<td className="result failed">
|
||||
<X></X>
|
||||
</td>
|
||||
<td className="result failed">
|
||||
<X></X>
|
||||
</td>
|
||||
<td className="result failed">
|
||||
<X></X>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td className="row-label">Application Proxy</td>
|
||||
<td className="result passed authentik"><Check></Check></td>
|
||||
<td className="result warning"><AlertTriangle></AlertTriangle></td>
|
||||
<td className="result warning"><AlertTriangle></AlertTriangle></td>
|
||||
<td className="result passed"><Check></Check></td>
|
||||
<td className="result failed"><X></X></td>
|
||||
<td className="result failed"><X></X></td>
|
||||
<td className="result warning"><AlertTriangle></AlertTriangle></td>
|
||||
<td className="result passed authentik">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result warning">
|
||||
<AlertTriangle></AlertTriangle>
|
||||
</td>
|
||||
<td className="result warning">
|
||||
<AlertTriangle></AlertTriangle>
|
||||
</td>
|
||||
<td className="result passed">
|
||||
<Check></Check>
|
||||
</td>
|
||||
<td className="result failed">
|
||||
<X></X>
|
||||
</td>
|
||||
<td className="result failed">
|
||||
<X></X>
|
||||
</td>
|
||||
<td className="result warning">
|
||||
<AlertTriangle></AlertTriangle>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
|
|
@ -37,7 +37,6 @@
|
|||
max-height: 200px;
|
||||
}
|
||||
|
||||
|
||||
.before-after-slider img {
|
||||
max-width: none;
|
||||
}
|
||||
|
@ -154,7 +153,7 @@ table.comparison tr td.result.warning {
|
|||
color: var(--ifm-color-warning);
|
||||
}
|
||||
|
||||
table.comparison tr td.result.passed.authentik {
|
||||
table.comparison tr td.result.authentik {
|
||||
background: var(--ifm-color-primary);
|
||||
color: var(--ifm-color-secondary);
|
||||
}
|
||||
|
|
|
@ -11,8 +11,9 @@ function APIBrowser() {
|
|||
<Layout title="API Browser" description={siteConfig.tagline}>
|
||||
<BrowserOnly>
|
||||
{() => {
|
||||
import('rapidoc');
|
||||
return <rapi-doc
|
||||
import("rapidoc");
|
||||
return (
|
||||
<rapi-doc
|
||||
spec-url={useBaseUrl("schema.yaml")}
|
||||
allow-try="false"
|
||||
show-header="false"
|
||||
|
@ -20,8 +21,9 @@ function APIBrowser() {
|
|||
render-style="view"
|
||||
primary-color="#fd4b2d"
|
||||
allow-spec-url-load="false"
|
||||
allow-spec-file-load="false">
|
||||
</rapi-doc>
|
||||
allow-spec-file-load="false"
|
||||
></rapi-doc>
|
||||
);
|
||||
}}
|
||||
</BrowserOnly>
|
||||
</Layout>
|
||||
|
|
|
@ -7,7 +7,7 @@ import useDocusaurusContext from "@docusaurus/useDocusaurusContext";
|
|||
import useBaseUrl from "@docusaurus/useBaseUrl";
|
||||
import styles from "./styles.module.css";
|
||||
import Comparison from "../comparison";
|
||||
import 'react-before-after-slider-component/dist/build.css';
|
||||
import "react-before-after-slider-component/dist/build.css";
|
||||
|
||||
const features = [
|
||||
{
|
||||
|
@ -87,7 +87,10 @@ function Home() {
|
|||
</div>
|
||||
</div>
|
||||
<div className="col text--center hero_image">
|
||||
<img alt="authentik logo" src={useBaseUrl("img/icon_top_brand.svg")} />
|
||||
<img
|
||||
alt="authentik logo"
|
||||
src={useBaseUrl("img/icon_top_brand.svg")}
|
||||
/>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
|
@ -105,17 +108,23 @@ function Home() {
|
|||
<div>
|
||||
<BrowserOnly>
|
||||
{() => {
|
||||
const ReactBeforeSliderComponent = require('react-before-after-slider-component');
|
||||
return <ReactBeforeSliderComponent
|
||||
const ReactBeforeSliderComponent = require("react-before-after-slider-component");
|
||||
return (
|
||||
<ReactBeforeSliderComponent
|
||||
firstImage={{
|
||||
id: 1,
|
||||
imageUrl: useBaseUrl("img/screen_apps_light.jpg"),
|
||||
imageUrl: useBaseUrl(
|
||||
"img/screen_apps_light.jpg"
|
||||
),
|
||||
}}
|
||||
secondImage={{
|
||||
id: 2,
|
||||
imageUrl: useBaseUrl("img/screen_apps_dark.jpg"),
|
||||
imageUrl: useBaseUrl(
|
||||
"img/screen_apps_dark.jpg"
|
||||
),
|
||||
}}
|
||||
/>
|
||||
);
|
||||
}}
|
||||
</BrowserOnly>
|
||||
</div>
|
||||
|
@ -123,13 +132,13 @@ function Home() {
|
|||
<div className="col col--5 col--offset-2 padding-vert--xl">
|
||||
<h2>What is authentik?</h2>
|
||||
<p>
|
||||
authentik is an open-source Identity Provider
|
||||
focused on flexibility and versatility. You
|
||||
can use authentik in an existing environment
|
||||
to add support for new protocols, implement
|
||||
sign-up/recovery/etc. in your application so
|
||||
you don't have to deal with it, and many other
|
||||
things.
|
||||
authentik is an open-source Identity
|
||||
Provider focused on flexibility and
|
||||
versatility. You can use authentik in an
|
||||
existing environment to add support for new
|
||||
protocols, implement sign-up/recovery/etc.
|
||||
in your application so you don't have to
|
||||
deal with it, and many other things.
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
|
@ -138,11 +147,12 @@ function Home() {
|
|||
<h2>Utmost flexibility</h2>
|
||||
<p>
|
||||
You can adopt authentik to your environment,
|
||||
regardless of your requirements. Need an Active-Directory
|
||||
integrated SSO Provider? Do you want
|
||||
to implement a custom enrollment process for your
|
||||
customers? Are you developing an application and
|
||||
don't want to deal with User verification and recovery?
|
||||
regardless of your requirements. Need an
|
||||
Active-Directory integrated SSO Provider? Do
|
||||
you want to implement a custom enrollment
|
||||
process for your customers? Are you
|
||||
developing an application and don't want to
|
||||
deal with User verification and recovery?
|
||||
authentik can do all of that, and more!
|
||||
</p>
|
||||
</div>
|
||||
|
@ -150,17 +160,23 @@ function Home() {
|
|||
<div>
|
||||
<BrowserOnly>
|
||||
{() => {
|
||||
const ReactBeforeSliderComponent = require('react-before-after-slider-component');
|
||||
return <ReactBeforeSliderComponent
|
||||
const ReactBeforeSliderComponent = require("react-before-after-slider-component");
|
||||
return (
|
||||
<ReactBeforeSliderComponent
|
||||
firstImage={{
|
||||
id: 1,
|
||||
imageUrl: useBaseUrl("img/screen_admin_light.jpg"),
|
||||
imageUrl: useBaseUrl(
|
||||
"img/screen_admin_light.jpg"
|
||||
),
|
||||
}}
|
||||
secondImage={{
|
||||
id: 2,
|
||||
imageUrl: useBaseUrl("img/screen_admin_dark.jpg"),
|
||||
imageUrl: useBaseUrl(
|
||||
"img/screen_admin_dark.jpg"
|
||||
),
|
||||
}}
|
||||
/>
|
||||
);
|
||||
}}
|
||||
</BrowserOnly>
|
||||
</div>
|
||||
|
|
Reference in New Issue