homelab/server/config/authentik
2022-07-13 10:47:27 -07:00
Files in this directory (latest commit message and date):

  - .env: Disable TLS for SSL (2022-07-06 19:46:43 -07:00)
  - docker-compose.yml: Disable auto-start for all containers. (Set all restart: "no") (2022-07-13 10:47:27 -07:00)
  - README.md: Add to Authentik documentation (2022-07-13 00:27:02 -07:00)

Add an OAuth2 Application

  1. Navigate to the Authentik Admin Interface. Open the Navigation pane and expand Applications. Click on Providers.
  2. Create a new provider with the following parameters:

     | Parameter             | Value                                                                   |
     | --------------------- | ----------------------------------------------------------------------- |
     | Provider type         | OAuth2/OpenID Provider                                                  |
     | Name                  | Name of new application (e.g. Grafana)                                  |
     | Authorization flow    | Authorize Application (default-provider-authorization-implicit-consent) |
     | Client type           | Confidential                                                            |
     | Client ID             | Copy this value for later use                                           |
     | Client Secret         | Copy this value for later use                                           |
     | Redirect URIs/Origins | Leave blank                                                             |
     | Signing Key           | authentik Self-signed Certificate (RSA)                                 |

  3. Leave Advanced protocol settings and Machine-to-Machine authentication settings as defaults. Save by clicking the Finish button.
  4. Navigate to Applications and create a new application with the following parameters:

     | Parameter          | Value                                        |
     | ------------------ | -------------------------------------------- |
     | Name               | Name of new application (e.g. Grafana)       |
     | Slug               | URL-compliant version of name (e.g. grafana) |
     | Group              | Leave empty                                  |
     | Provider           | Select the provider created in step 2        |
     | Policy engine mode | ANY, any policy must match to grant access.  |

  5. Leave UI settings as default, save by clicking the Create button.
  6. Open the OAuth2 configuration settings of the application being integrated (e.g. Grafana) and apply settings as follows, copying the URL values from the provider page in Authentik:

     | Common Application Configuration Term | Value (or Authentik key) |
     | ------------------------------------- | ------------------------ |
     | Client Type                           | Confidential             |
     | Client ID                             | Client ID                |
     | Client Secret                         | Client Secret            |
     | Scopes                                | email openid profile     |
     | Auth URL                              | Authorize URL            |
     | Token URL                             | Token URL                |
     | API URL                               | Userinfo URL             |

  7. Apply and restart the application.
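As an added example (not the repository's own docker-compose.yml), here is the table above mapped onto Grafana's generic OAuth settings, written as the environment variables Grafana reads inside a compose service. The hostnames, the application slug, the `${...}` variable names and the image tag are assumptions; the three endpoint paths follow authentik's standard layout, but the authoritative values are the Authorize URL, Token URL and Userinfo URL displayed on the provider page, so confirm them there.

```yaml
# Added example, not the repository's docker-compose.yml: a Grafana service
# acting as an OAuth2 client of the Authentik provider created above.
# Grafana maps every [auth.generic_oauth] ini key to a GF_AUTH_GENERIC_OAUTH_* env var.
# Hostnames, slug and the ${...} variable names are assumptions.
services:
  grafana:
    image: grafana/grafana-oss
    restart: "no"
    environment:
      GF_SERVER_ROOT_URL: "https://grafana.example.net"
      GF_AUTH_GENERIC_OAUTH_ENABLED: "true"
      GF_AUTH_GENERIC_OAUTH_NAME: "Authentik"
      # Client type: Confidential. The secret stays server-side; load it from the
      # .env file rather than writing it into the compose file that is committed.
      GF_AUTH_GENERIC_OAUTH_CLIENT_ID: "${AUTHENTIK_GRAFANA_CLIENT_ID}"
      GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: "${AUTHENTIK_GRAFANA_CLIENT_SECRET}"
      # Scopes: email openid profile
      GF_AUTH_GENERIC_OAUTH_SCOPES: "openid profile email"
      # Auth URL / Token URL / API URL come from the provider page:
      # Authorize URL / Token URL / Userinfo URL respectively.
      GF_AUTH_GENERIC_OAUTH_AUTH_URL: "https://auth.example.net/application/o/authorize/"
      GF_AUTH_GENERIC_OAUTH_TOKEN_URL: "https://auth.example.net/application/o/token/"
      GF_AUTH_GENERIC_OAUTH_API_URL: "https://auth.example.net/application/o/userinfo/"
      # Keep certificate verification on: the authorization code and the client
      # secret are exchanged over the token endpoint.
      GF_AUTH_GENERIC_OAUTH_TLS_SKIP_VERIFY_INSECURE: "false"
      # PKCE binds the authorization code to this client; authentik supports it.
      GF_AUTH_GENERIC_OAUTH_USE_PKCE: "true"
      GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP: "true"
```

After `docker compose up -d grafana` (or a restart of the running container), the Grafana login page offers a "Sign in with Authentik" button, and the first login is the moment to check in the Authentik event log that the provider and application bindings behave as intended.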

Switching to single-screen (autofill compatible) login

The default out-of-box configuration for Authentik uses two separate screens for inputting username and password (and an optional third for MFA). This breaks autofill in password managers, which expect both fields on one screen. To switch to a single-stage username and password login:

  1. Navigate to Flows & Stages --> Stages --> default-authentication-identification and edit the "Password stage" to use default-authentication-password.
  2. Navigate to Flows & Stages --> Flows --> default-authentication-flow and open it. Go to Stage Bindings, select the default-authentication-password stage and delete it from the flow (as it is now included in the previous stage).

All done.

Make Application Admin-only

Some applications should be available only to members of the Jafner.net Admins group. To restrict an application to that group:

  1. Navigate to Applications --> Applications and open the relevant application.
  2. Switch to the "Policy / Group / User Bindings" tab.
  3. Click "Create Binding", switch from "Policy" to "Group" (or "User", if preferred). From the drop-down, select the group which should be permitted to access the application, then click "Create".

All done.