rename

emerald-theory/authentik/README.md

@@ -0,0 +1,186 @@
+# **Overview**
+---
+Authentik is an open-source Identity Provider (IdP) that allows users to self-host authentication and single sign-on (SSO)
+
+[GitHub Repository](https://github.com/goauthentik/authentik)
+[Official Documentation](https://docs.goauthentik.io/docs)
+# **Pre-Install**
+---
+## Dependencies
+- None
+## Generate PG_PASS for .env
+- `openssl rand -base64 36`
+## Generate AUTHENTIK_SECRET_KEY for .env
+- `openssl rand -base64 60`
+## Create Volume Folders
+- certs
+- custom-templates
+- database
+- media
+- redis
+## Create a .env file
+```docker
+AUTHENTIK_PORT_HTTP=9000
+AUTHENTIK_PORT_HTTPS=9443
+PG_PASS=
+AUTHENTIK_SECRET_KEY=
+AUTHENTIK_ERROR_REPORTING__ENABLED=true
+AUTHENTIK_EMAIL__HOST=
+AUTHENTIK_EMAIL__PORT=25
+AUTHENTIK_EMAIL__USERNAME=
+AUTHENTIK_EMAIL__PASSWORD=
+AUTHENTIK_EMAIL__USE_TLS=true
+AUTHENTIK_EMAIL__USE_SSL=false
+AUTHENTIK_EMAIL__TIMEOUT=10
+AUTHENTIK_EMAIL__FROM=
+```
+
+# **Post-Install**
+---
+>[!warning] Wait a few minutes before attempting to connect for the first time. All servers need to show as **Healthy** in Dockge
+
+Go to http://your-server-ip:9000/if/flow/initial-setup/ 
+- Create a unique email and password for admin account
+- Don't use your primary email address for this account as it will conflict when you register yourself as a user
+
+# **NGINX Proxy Manager**
+---
+## Details
+- **Domain Names:** auth.ignitedinspirations.net
+- **Scheme:** http
+- **Forward Hostname / IP:** 172.18.1.10
+- **Forward Port:** 9443
+- **Cache Assets:** True
+- **Block Common Exploits:** True
+- **Websockets Support:** True
+- **Access Lists:** Publicly Accessible
+## Custom Locations
+- None
+## SSL
+- **SSL Certificate:** Let's Encrypt
+- **Force SSL:** True
+- **HTTP/2 Support:** True
+- **HSTS Enabled:** False
+- **HSTS Subdomains:** False
+
+## Advanced
+The following code needs to be entered into the **Custom Nginx Configuration** in order to have Authentik protect this app
+```NGINX
+# Increase buffer size for large headers
+# This is needed only if you get 'upstream sent too big header while reading response
+# header from upstream' error when trying to access an application protected by goauthentik
+proxy_buffers 8 16k;
+proxy_buffer_size 32k;
+
+location / {
+    # Put your proxy_pass to your application here
+    proxy_pass          $forward_scheme://$server:$port;
+
+    # authentik-specific config
+    auth_request        /outpost.goauthentik.io/auth/nginx;
+    error_page          401 = @goauthentik_proxy_signin;
+    auth_request_set $auth_cookie $upstream_http_set_cookie;
+    add_header Set-Cookie $auth_cookie;
+
+    # translate headers from the outposts back to the actual upstream
+    auth_request_set $authentik_username $upstream_http_x_authentik_username;
+    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
+    auth_request_set $authentik_email $upstream_http_x_authentik_email;
+    auth_request_set $authentik_name $upstream_http_x_authentik_name;
+    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
+
+    proxy_set_header X-authentik-username $authentik_username;
+    proxy_set_header X-authentik-groups $authentik_groups;
+    proxy_set_header X-authentik-email $authentik_email;
+    proxy_set_header X-authentik-name $authentik_name;
+    proxy_set_header X-authentik-uid $authentik_uid;
+}
+
+# all requests to /outpost.goauthentik.io must be accessible without authentication
+location /outpost.goauthentik.io {
+    proxy_pass          https://172.18.1.10:9443/outpost.goauthentik.io;
+    # ensure the host of this vserver matches your external URL you've configured
+    # in authentik
+    proxy_set_header    Host $host;
+    proxy_set_header    X-Original-URL $scheme://$http_host$request_uri;
+    add_header          Set-Cookie $auth_cookie;
+    auth_request_set    $auth_cookie $upstream_http_set_cookie;
+
+    # required for POST requests to work
+    proxy_pass_request_body off;
+    proxy_set_header Content-Length "";
+}
+
+# Special location for when the /auth endpoint returns a 401,
+# redirect to the /start URL which initiates SSO
+location @goauthentik_proxy_signin {
+    internal;
+    add_header Set-Cookie $auth_cookie;
+    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
+    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
+    # return 302 https://authentik-server:9443/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
+}
+```
+
+>[!note] Edit the IP address in `proxy_pass` above and make sure it matches the one you specify in the Authentik docker-compose file
+
+# **Authentik**
+---
+## Create Google OAuth2 token
+1) Go to [Official Documentation](https://support.google.com/cloud/answer/6158849?hl=en) and follow steps there
+	- Make note of the Client ID and Client Secret
+2) Add `https://your-authentik-domain-name/source/oauth/callback/google` to list of Authorized redirect URI
+## Add Google SSO Support
+[Official Documentation](https://docs.goauthentik.io/docs/users-sources/sources/social-logins/google/cloud/)
+1) Click on **Directory** and then click on **Federation & Social login**
+2) Click on **Create**
+3) Click on **Google OAuth Source** and click **Next**
+4) Enter Google for the **Name**
+5) The **Slug** will automatically be filled
+6) Enter your Client ID and Client Secret generated when creating Google OAuth2 token
+7) Click **Finish**
+## Add Google as a Login Source
+[Official Documentation](https://docs.goauthentik.io/docs/users-sources/sources/#add-sources-to-default-login-page)
+1) Click on **Flow and Stages** then click on **Stages**
+2) Find the `default-authentication-identification` stage and click on the Edit button
+3) Under **Source settings** click on `google` and then click on `>` to add it
+## Add User to Directory
+1) Navigate to **Directory** then click on **Users**
+2) Enter your email address for the **Username**
+3) Enter your full name for **Name**
+4) Set **User type** to **Internal**
+5) Enter your email address for **Email**
+6) Click **Create**
+## Add User to Admin Group
+1) Navigate to **Directory** then click on **Groups**
+2) Click on `authentik Admins`
+3) Click on **Users** tab
+4) Click on **Add existing user**
+5) Click on `+` then select your account and click **Add**
+6) Click **Add**
+## Set New Users to Inactive by Default
+1) Click on **Flow and Stages** then click on **Stages**
+2) Find the `default-source-enrollment-write` stage and click the Edit button
+3) Toggle the **Create users as inactive** to On
+## Create Application & Provider
+1) Click on **Create with Wizard**
+2) Enter the Application's Name
+	- This will automatically fill the **Slug** name
+3) Do not enter a Group Name
+4) Set **Policy engine mode** to `any` and click **Next**
+5) Select **Proxy Provider** and click **Next**
+6) **Name** will automatically be filled in
+7) Select `default-provider-authorization-explicit-consent` for **Authorization Flow**
+8) Click on **Forward auth (single application)**
+9) Enter the **External host** name and click **Next**
+	- This is generally the proxy hostname (ex. https://docker.mydigitalfix.com)
+10) Skip **Policy/User/Group Bindings** step and click **Next**
+11) Click **Close**
+## Add Application to Outpost
+1) Click on **Application** then click on **Outposts**
+2) Find the `authentik Embedded Outpost` and click the Edit button on the right
+3) Click on the application under the **Available Applications** and then click on the `>` button
+4) Click on **Update**
+# **Additional Information**
+---
+>[!warning] If you are using Portainer to manage your Docker environment, you need to specify the ENV_FILE name to be `stacks.env`