docker-compose/emerald-theory/authentik/README.md
2025-07-19 09:43:46 -04:00

Authentik Overview

Authentik is an open-source Identity Provider (IdP) that allows users to self-host authentication and single sign-on (SSO).

  • GitHub Repository
  • Official Documentation

Pre-Install

Dependencies

  • None

Generate PG_PASS for .env

  • openssl rand -base64 36

Generate AUTHENTIK_SECRET_KEY for .env

  • openssl rand -base64 60

Create Volume Folders

  • certs
  • custom-templates
  • database
  • media
  • redis

Create a .env file

AUTHENTIK_PORT_HTTP=9000
AUTHENTIK_PORT_HTTPS=9443
PG_PASS=
AUTHENTIK_SECRET_KEY=
AUTHENTIK_ERROR_REPORTING__ENABLED=true
AUTHENTIK_EMAIL__HOST=
AUTHENTIK_EMAIL__PORT=25
AUTHENTIK_EMAIL__USERNAME=
AUTHENTIK_EMAIL__PASSWORD=
AUTHENTIK_EMAIL__USE_TLS=true
AUTHENTIK_EMAIL__USE_SSL=false
AUTHENTIK_EMAIL__TIMEOUT=10
AUTHENTIK_EMAIL__FROM=
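The Pre-Install steps above as one script, added here as an example and not part of the original README; it assumes the target directory is passed as an argument and writes the .env with exactly the keys listed. It also strips the newline that openssl rand -base64 inserts after 64 characters, which would otherwise split the 60-byte secret key over two lines of .env.

```shell
# Added example, not from the original README: runs the Pre-Install steps
# above and adds a pre-flight check before docker compose is started.
set -eu

# N random bytes as base64. openssl wraps base64 output at 64 columns, so a
# 60-byte key would span two lines in .env; strip newlines. Falls back to
# /dev/urandom when openssl is not installed.
gen_secret() {
    { openssl rand -base64 "$1" 2>/dev/null || head -c "$1" /dev/urandom | base64; } | tr -d '\n'
}

# Volume folders from the README, created under directory $1.
make_volume_dirs() {
    for d in certs custom-templates database media redis; do mkdir -p "$1/$d"; done
}

# Write $1/.env with the README's keys (mail settings left blank as in the
# README); the subshell umask keeps the file owner-readable only, since it
# carries both secrets.
write_env() {
    ( umask 077; cat > "$1/.env" <<EOF
AUTHENTIK_PORT_HTTP=9000
AUTHENTIK_PORT_HTTPS=9443
PG_PASS=$(gen_secret 36)
AUTHENTIK_SECRET_KEY=$(gen_secret 60)
AUTHENTIK_ERROR_REPORTING__ENABLED=true
AUTHENTIK_EMAIL__HOST=
AUTHENTIK_EMAIL__PORT=25
AUTHENTIK_EMAIL__USERNAME=
AUTHENTIK_EMAIL__PASSWORD=
AUTHENTIK_EMAIL__USE_TLS=true
AUTHENTIK_EMAIL__USE_SSL=false
AUTHENTIK_EMAIL__TIMEOUT=10
AUTHENTIK_EMAIL__FROM=
EOF
    )
}

# Pre-flight on an existing .env: each secret key is present exactly once
# and its value is at least 32 characters, so an empty PG_PASS= or
# AUTHENTIK_SECRET_KEY= is caught before the containers start with it.
check_env() {
    for key in PG_PASS AUTHENTIK_SECRET_KEY; do
        n=$(grep -c "^$key=" "$1" || true)
        [ "$n" -eq 1 ] || { echo "$key: expected one line, found $n" >&2; return 1; }
        val=$(sed -n "s/^$key=//p" "$1")
        [ "${#val}" -ge 32 ] || { echo "$key: empty or too short" >&2; return 1; }
    done
}

# Usage: make_volume_dirs /opt/authentik && write_env /opt/authentik && check_env /opt/authentik/.env
```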

Post-Install

⚠️WARNING
Wait a few minutes before attempting to connect for the first time. All servers need to show as Healthy in Dockge.

Go to http://your-server-ip:9000/if/flow/initial-setup/

  • Create a unique email and password for admin account
  • Don't use your primary email address for this account as it will conflict when you register yourself as a user

NGINX Proxy Manager

Details

  • Domain Names: auth.ignitedinspirations.net
  • Scheme: http
  • Forward Hostname / IP: 172.18.1.10
  • Forward Port: 9443
  • Cache Assets: True
  • Block Common Exploits: True
  • Websockets Support: True
  • Access Lists: Publicly Accessible

Custom Locations

  • None

SSL

  • SSL Certificate: Let's Encrypt
  • Force SSL: True
  • HTTP/2 Support: True
  • HSTS Enabled: False
  • HSTS Subdomains: False

Advanced

The following code needs to be entered into the Custom Nginx Configuration in order to have Authentik protect this app.

# Increase buffer size for large headers
# This is needed only if you get 'upstream sent too big header while reading response
# header from upstream' error when trying to access an application protected by goauthentik
proxy_buffers 8 16k;
proxy_buffer_size 32k;

location / {
    # Put your proxy_pass to your application here
    proxy_pass          $forward_scheme://$server:$port;

    # authentik-specific config
    auth_request        /outpost.goauthentik.io/auth/nginx;
    error_page          401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    # translate headers from the outposts back to the actual upstream
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
    proxy_set_header X-authentik-email $authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
    proxy_set_header X-authentik-uid $authentik_uid;
}

# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
    proxy_pass          https://<IP_ADDRESS>:9443/outpost.goauthentik.io;
    # ensure the host of this vserver matches your external URL you've configured
    # in authentik
    proxy_set_header    Host $host;
    proxy_set_header    X-Original-URL $scheme://$http_host$request_uri;
    add_header          Set-Cookie $auth_cookie;
    auth_request_set    $auth_cookie $upstream_http_set_cookie;

    # required for POST requests to work
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
}

# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
    # return 302 https://authentik-server:9443/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}

Note

If you are using Portainer to manage your Docker environment, you need to specify the ENV_FILE name to be stacks.env.

Edit the IP address in proxy_pass above and make sure it matches the one you specify in the Authentik docker-compose file.
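A post-install check for the forward-auth wiring above, added here as an example and not part of the original README: it fetches the headers of a protected URL without a session and confirms the answer is the 302 to /outpost.goauthentik.io/start that the @goauthentik_proxy_signin location produces, rather than the application itself. The host and path are whatever you pass in, and curl is assumed to be installed.

```shell
# Added example, not from the original README: verify that unauthenticated
# requests to a host behind the Nginx configuration above are sent to the
# authentik sign-in flow instead of reaching the application.
set -eu

# $1: raw response headers as printed by curl -sI; $2: the path requested.
# Returns 0 only for a 302 whose Location is the outpost /start endpoint and
# whose rd= carries the original path (both the single-application form
# rd=/path and the domain-level form rd=https://host/path are accepted).
check_signin_redirect() {
    headers=$1; want_path=$2
    status=$(printf '%s\n' "$headers" | sed -n '1s/^HTTP\/[0-9.]* \([0-9]*\).*/\1/p')
    location=$(printf '%s\n' "$headers" | tr -d '\r' | sed -n 's/^[Ll]ocation: *//p' | head -n 1)
    case $status in
        200) echo "FAIL: 200 without a session; auth_request is not applied" >&2; return 1 ;;
        302) ;;
        *)   echo "FAIL: expected 302, got '${status}'" >&2; return 1 ;;
    esac
    case $location in
        *"/outpost.goauthentik.io/start?rd="*"$want_path"*) return 0 ;;
        *) echo "FAIL: redirect goes to '$location', not the outpost /start" >&2; return 1 ;;
    esac
}

# Live probe: request https://HOST/PATH with no cookies and check the headers.
probe() {
    host=$1; path=${2:-/}
    check_signin_redirect "$(curl -sI "https://$host$path")" "$path"
}

# Usage: sh check-forward-auth.sh app.example.net /admin
if [ $# -gt 0 ]; then
    probe "$@" && echo "OK: $1 sends unauthenticated requests to authentik"
fi
```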

Authentik

Create Google OAuth2 token

  1. Go to the Official Documentation and follow the steps there
    • Make note of the Client ID and Client Secret
  2. Add https://your-authentik-domain-name/source/oauth/callback/google to the list of Authorized redirect URIs

Add Google SSO Support

Official Documentation

  1. Click on Directory and then click on Federation & Social login
  2. Click on Create
  3. Click on Google OAuth Source and click Next
  4. Enter Google for the Name
  5. The Slug will automatically be filled
  6. Enter your Client ID and Client Secret generated when creating Google OAuth2 token
  7. Click Finish

Add Google as a Login Source

Official Documentation

  1. Click on Flow and Stages then click on Stages
  2. Find the default-authentication-identification stage and click on the Edit button
  3. Under Source settings click on google and then click on > to add it

Add User to Directory

  1. Navigate to Directory then click on Users
  2. Enter your email address for the Username
  3. Enter your full name for Name
  4. Set User type to Internal
  5. Enter your email address for Email
  6. Click Create

Add User to Admin Group

  1. Navigate to Directory then click on Groups
  2. Click on authentik Admins
  3. Click on Users tab
  4. Click on Add existing user
  5. Click on + then select your account and click Add
  6. Click Add

Set New Users to Inactive by Default

  1. Click on Flow and Stages then click on Stages
  2. Find the default-source-enrollment-write stage and click the Edit button
  3. Toggle Create users as inactive to On

Create Application & Provider

  1. Click on Create with Wizard
  2. Enter the Application's Name
    • This will automatically fill the Slug name
  3. Do not enter a Group Name
  4. Set Policy engine mode to any and click Next
  5. Select Proxy Provider and click Next
  6. Name will automatically be filled in
  7. Select default-provider-authorization-explicit-consent for Authorization Flow
  8. Click on Forward auth (single application)
  9. Enter the External host name and click Next
  10. Skip Policy/User/Group Bindings step and click Next
  11. Click Close

Add Application to Outpost

  1. Click on Application then click on Outposts
  2. Find the authentik Embedded Outpost and click the Edit button on the right
  3. Click on the application under the Available Applications and then click on the > button
  4. Click on Update
