# **Authentik Overview**

Authentik is an open-source Identity Provider (IdP) that lets you self-host authentication and single sign-on (SSO).

- [GitHub Repository](https://github.com/goauthentik/authentik)
- [Official Documentation](https://docs.goauthentik.io/docs)

# **Pre-Install**

## Dependencies

- None

## Generate PG_PASS for .env

- `openssl rand -base64 36`

## Generate AUTHENTIK_SECRET_KEY for .env

- `openssl rand -base64 60 | tr -d '\n'` (openssl wraps base64 output at 64 characters, so without `tr` the 80-character key would be split across two lines of the `.env` file)

## Create Volume Folders

- certs
- custom-templates
- database
- media
- redis

## Create a .env file

```env
AUTHENTIK_PORT_HTTP=9000
AUTHENTIK_PORT_HTTPS=9443
PG_PASS=
AUTHENTIK_SECRET_KEY=
AUTHENTIK_ERROR_REPORTING__ENABLED=true
AUTHENTIK_EMAIL__HOST=
AUTHENTIK_EMAIL__PORT=25
AUTHENTIK_EMAIL__USERNAME=
AUTHENTIK_EMAIL__PASSWORD=
AUTHENTIK_EMAIL__USE_TLS=true
AUTHENTIK_EMAIL__USE_SSL=false
AUTHENTIK_EMAIL__TIMEOUT=10
AUTHENTIK_EMAIL__FROM=
```

# **Post-Install**

> **⚠️ WARNING**
> Wait a few minutes before attempting to connect for the first time. All servers need to show as **Healthy** in Dockge.

Go to http://your-server-ip:9000/if/flow/initial-setup/

- Create a unique email and password for the admin account
- Don't use your primary email address for this account, as it will conflict when you later register yourself as a user

# **NGINX Proxy Manager**

## Details

- **Domain Names:** auth.ignitedinspirations.net
- **Scheme:** http
- **Forward Hostname / IP:** 172.18.1.10
- **Forward Port:** 9443
- **Cache Assets:** True
- **Block Common Exploits:** True
- **Websockets Support:** True
- **Access Lists:** Publicly Accessible

## Custom Locations

- None

## SSL

- **SSL Certificate:** Let's Encrypt
- **Force SSL:** True
- **HTTP/2 Support:** True
- **HSTS Enabled:** False
- **HSTS Subdomains:** False

## Advanced

The following code needs to be entered into the **Custom Nginx Configuration** in order to have Authentik protect this app.

```nginx
# Increase buffer size for large headers
# This is needed only if you get 'upstream sent too big header while
# reading response header from upstream' error when trying to access an
# application protected by goauthentik
proxy_buffers 8 16k;
proxy_buffer_size 32k;

location / {
    # Put your proxy_pass to your application here
    proxy_pass $forward_scheme://$server:$port;

    # authentik-specific config
    auth_request /outpost.goauthentik.io/auth/nginx;
    error_page 401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    # translate headers from the outposts back to the actual upstream
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
    proxy_set_header X-authentik-email $authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
    proxy_set_header X-authentik-uid $authentik_uid;
}

# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
    proxy_pass https://:9443/outpost.goauthentik.io;
    # ensure the host of this vserver matches your external URL you've configured
    # in authentik
    proxy_set_header Host $host;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    add_header Set-Cookie $auth_cookie;
    auth_request_set $auth_cookie $upstream_http_set_cookie;

    # required for POST requests to work
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
}

# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    # For domain level, use the below error_page to redirect to your
    # authentik server with the full redirect path
    # return 302 https://authentik-server:9443/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}
```

> **Note**
> If you are using Portainer to manage your Docker environment, you need to specify the ENV_FILE name to be `stacks.env`.

Edit the IP address in `proxy_pass` above and make sure it matches the one you specify in the Authentik docker-compose file.

# **Authentik**

## Create Google OAuth2 token

1) Go to the [Official Documentation](https://support.google.com/cloud/answer/6158849?hl=en) and follow the steps there
   - Make note of the Client ID and Client Secret
2) Add `https://your-authentik-domain-name/source/oauth/callback/google` to the list of Authorized redirect URIs

## Add Google SSO Support

[Official Documentation](https://docs.goauthentik.io/docs/users-sources/sources/social-logins/google/cloud/)

1) Click on **Directory** and then click on **Federation & Social login**
2) Click on **Create**
3) Click on **Google OAuth Source** and click **Next**
4) Enter Google for the **Name**
5) The **Slug** will automatically be filled in
6) Enter the Client ID and Client Secret generated when creating the Google OAuth2 token
7) Click **Finish**

## Add Google as a Login Source

[Official Documentation](https://docs.goauthentik.io/docs/users-sources/sources/#add-sources-to-default-login-page)

1) Click on **Flow and Stages** then click on **Stages**
2) Find the `default-authentication-identification` stage and click on the Edit button
3) Under **Source settings** click on `google` and then click on `>` to add it

## Add User to Directory

1) Navigate to **Directory** then click on **Users**
2) Enter your email address for the **Username**
3) Enter your full name for **Name**
4) Set **User type** to **Internal**
5) Enter your email address for **Email**
6) Click **Create**

## Add User to Admin Group

1) Navigate to **Directory** then click on **Groups**
2) Click on `authentik Admins`
3) Click on the **Users** tab
4) Click on **Add existing user**
5) Click on `+`, then select your account and click **Add**
6) Click **Add**

## Set New Users to Inactive by Default

1) Click on **Flow and Stages** then click on **Stages**
2) Find the `default-source-enrollment-write` stage and click the Edit button
3) Toggle **Create users as inactive** to On

## Create Application & Provider

1) Click on **Create with Wizard**
2) Enter the Application's Name
   - This will automatically fill in the **Slug** name
3) Do not enter a Group Name
4) Set **Policy engine mode** to `any` and click **Next**
5) Select **Proxy Provider** and click **Next**
6) **Name** will automatically be filled in
7) Select `default-provider-authorization-explicit-consent` for **Authorization Flow**
8) Click on **Forward auth (single application)**
9) Enter the **External host** name and click **Next**
   - This is generally the proxy hostname (ex. https://docker.mysite.com)
10) Skip the **Policy/User/Group Bindings** step and click **Next**
11) Click **Close**

## Add Application to Outpost

1) Click on **Application** then click on **Outposts**
2) Find the `authentik Embedded Outpost` and click the Edit button on the right
3) Click on the application under **Available Applications** and then click on the `>` button
4) Click on **Update**
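The Pre-Install steps above (secret generation, volume folders, `.env`) collected into one bootstrap script. This is an added example, not part of the original page or of the authentik project. It assumes `openssl` is installed (falling back to `/dev/urandom` and `base64`), takes the target stack directory as an argument, and leaves the mail settings blank exactly as the page's template does.

```shell
#!/bin/sh
# Added example (not from the page or the authentik project): bootstraps the
# Pre-Install steps. Usage: sh bootstrap.sh init /path/to/authentik-stack
set -eu

# Emit N random bytes as one base64 line. openssl wraps base64 output at 64
# characters, so the 60-byte secret key (80 characters) would otherwise be
# split across two lines and break the .env file; tr strips the newline.
gen_secret() {
    n="$1"
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 "$n" | tr -d '\n'
    else
        head -c "$n" /dev/urandom | base64 | tr -d '\n'
    fi
}

# Create the volume folders the page lists. The database folder will hold
# PostgreSQL data, so it is not left world-readable.
make_volume_dirs() {
    base="$1"
    for d in certs custom-templates database media redis; do
        mkdir -p "$base/$d"
    done
    chmod 700 "$base/database"
}

# Write .env from the page's template with the two generated secrets filled
# in. umask 077 keeps the credential file owner-only; the subshell scopes it.
write_env() {
    base="$1"; pg_pass="$2"; secret_key="$3"
    (
        umask 077
        cat > "$base/.env" <<EOF
AUTHENTIK_PORT_HTTP=9000
AUTHENTIK_PORT_HTTPS=9443
PG_PASS=$pg_pass
AUTHENTIK_SECRET_KEY=$secret_key
AUTHENTIK_ERROR_REPORTING__ENABLED=true
AUTHENTIK_EMAIL__HOST=
AUTHENTIK_EMAIL__PORT=25
AUTHENTIK_EMAIL__USERNAME=
AUTHENTIK_EMAIL__PASSWORD=
AUTHENTIK_EMAIL__USE_TLS=true
AUTHENTIK_EMAIL__USE_SSL=false
AUTHENTIK_EMAIL__TIMEOUT=10
AUTHENTIK_EMAIL__FROM=
EOF
    )
}

# Refuse to start the stack with an empty credential: every key listed here
# must have a non-empty value. Prints the offending keys and returns 1.
check_env() {
    file="$1"
    rc=0
    for key in PG_PASS AUTHENTIK_SECRET_KEY; do
        val=$(grep "^$key=" "$file" | cut -d= -f2-)
        if [ -z "$val" ]; then
            echo "$file: $key is empty" >&2
            rc=1
        fi
    done
    return "$rc"
}

case "${1:-}" in
    init)
        target="${2:?target directory required}"
        make_volume_dirs "$target"
        write_env "$target" "$(gen_secret 36)" "$(gen_secret 60)"
        check_env "$target/.env"
        echo "stack prepared in $target; fill in the AUTHENTIK_EMAIL__* values"
        ;;
esac
```

Run it as `sh bootstrap.sh init ./authentik` from the directory that holds the compose file; `check_env` is the guard worth keeping in any deploy script, because docker compose will happily start the stack with `PG_PASS=` empty.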
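A post-deploy check for the NGINX Proxy Manager forward-auth configuration above, confirming that an application is actually gated rather than silently served to anonymous clients. This is an added example, not from the page or the authentik project. `probe` needs `curl` and a reachable host (the URL is an assumption), while `classify_response` works offline on a captured status code and Location header and maps each outcome to the part of the configuration that is responsible.

```shell
#!/bin/sh
# Added example (not from the page or the authentik project): verifies that an
# application behind the Custom Nginx Configuration above is gated.
# Usage: sh check-forward-auth.sh https://docker.mysite.com/
set -eu

# Interpret an anonymous (cookie-less) response from the protected host.
#   302 -> .../outpost.goauthentik.io/start?rd=...  gated: auth_request and error_page work
#   200                                             unprotected: auth_request is not in effect
#   401                                             the error_page 401 mapping is missing
#   502/503/504                                     outpost unreachable (wrong proxy_pass IP/port)
classify_response() {
    code="$1"
    location="${2:-}"
    case "$code" in
        302)
            case "$location" in
                */outpost.goauthentik.io/start\?rd=*) echo "gated" ;;
                *) echo "redirect-elsewhere" ;;
            esac
            ;;
        200) echo "unprotected" ;;
        401) echo "missing-error-page" ;;
        502|503|504) echo "outpost-unreachable" ;;
        *) echo "unexpected-$code" ;;
    esac
}

# Fetch the application root anonymously and classify the result. curl's
# %{redirect_url} resolves the relative Location from the 302 to an absolute
# URL, which the pattern above accepts in either form.
probe() {
    url="$1"
    out=$(curl -s -o /dev/null -w '%{http_code} %{redirect_url}' "$url")
    classify_response "${out%% *}" "${out#* }"
}

if [ -n "${1:-}" ]; then
    echo "anonymous request: $(probe "$1")"
fi
```

Anything other than `gated` means the application is reachable without going through authentik; `unprotected` in particular is the result you get when the Custom Nginx Configuration was saved on the wrong proxy host or the `location /` block was dropped.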