docker-compose/emerald-theory/authentik/README.md
2025-07-19 09:43:46 -04:00

# **Authentik Overview**
Authentik is an open-source Identity Provider (IdP) that lets you self-host authentication and single sign-on (SSO).
[GitHub Repository](https://github.com/goauthentik/authentik)
[Official Documentation](https://docs.goauthentik.io/docs)
# **Pre-Install**
## Dependencies
- None
## Generate PG_PASS for .env
- `openssl rand -base64 36`
## Generate AUTHENTIK_SECRET_KEY for .env
- `openssl rand -base64 60 | tr -d '\n'`
- `openssl rand -base64` wraps its output at 64 characters, so without the `tr` the 80-character key is split across two lines and the second half ends up outside the variable
- Generate this key once and keep it: authentik uses it to sign sessions and cookies, so changing it after install logs every user out
## Create Volume Folders
- certs
- custom-templates
- database
- media
- redis
## Create a .env file
```docker
AUTHENTIK_PORT_HTTP=9000
AUTHENTIK_PORT_HTTPS=9443
PG_PASS=
AUTHENTIK_SECRET_KEY=
AUTHENTIK_ERROR_REPORTING__ENABLED=true
AUTHENTIK_EMAIL__HOST=
AUTHENTIK_EMAIL__PORT=25
AUTHENTIK_EMAIL__USERNAME=
AUTHENTIK_EMAIL__PASSWORD=
AUTHENTIK_EMAIL__USE_TLS=true
AUTHENTIK_EMAIL__USE_SSL=false
AUTHENTIK_EMAIL__TIMEOUT=10
AUTHENTIK_EMAIL__FROM=
```
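The whole Pre-Install procedure above (generate the two secrets, create the volume folders, write the `.env`) as one script. This is an added example, not part of the README or of the authentik project; the stack directory is whatever you pass in, `rand_b64` produces the same shape of value as the `openssl rand -base64` commands above, and the `.env` keys and values are the README's.

```python
"""Bootstrap the authentik stack folder: volume directories, secrets and a .env.

Added example (not the README's or authentik's own code). The stack directory is
an assumption passed in by the caller; everything else follows the README.
"""
import base64
import secrets
from pathlib import Path

# Volume folders the README tells you to create
VOLUME_DIRS = ("certs", "custom-templates", "database", "media", "redis")


def rand_b64(n_bytes: int) -> str:
    """Same shape as `openssl rand -base64 N`: N random bytes, base64, no line wrap."""
    return base64.b64encode(secrets.token_bytes(n_bytes)).decode("ascii")


def render_env(pg_pass: str, secret_key: str, error_reporting: bool = True) -> str:
    """Render the README's .env with the two secrets filled in.

    error_reporting=True matches the README; it sends crash reports to the
    authentik project, pass False if you do not want that from your instance.
    """
    for value in (pg_pass, secret_key):
        if not value or "\n" in value:
            raise ValueError("secrets must be non-empty and single-line")
    lines = [
        "AUTHENTIK_PORT_HTTP=9000",
        "AUTHENTIK_PORT_HTTPS=9443",
        f"PG_PASS={pg_pass}",
        f"AUTHENTIK_SECRET_KEY={secret_key}",
        f"AUTHENTIK_ERROR_REPORTING__ENABLED={'true' if error_reporting else 'false'}",
        "AUTHENTIK_EMAIL__HOST=",
        "AUTHENTIK_EMAIL__PORT=25",
        "AUTHENTIK_EMAIL__USERNAME=",
        "AUTHENTIK_EMAIL__PASSWORD=",
        "AUTHENTIK_EMAIL__USE_TLS=true",
        "AUTHENTIK_EMAIL__USE_SSL=false",
        "AUTHENTIK_EMAIL__TIMEOUT=10",
        "AUTHENTIK_EMAIL__FROM=",
    ]
    return "\n".join(lines) + "\n"


def bootstrap(stack_dir) -> Path:
    """Create the volume folders and an owner-only .env; never overwrite an existing .env."""
    stack_dir = Path(stack_dir)
    stack_dir.mkdir(parents=True, exist_ok=True)
    for name in VOLUME_DIRS:
        (stack_dir / name).mkdir(exist_ok=True)
    env_path = stack_dir / ".env"
    if env_path.exists():
        # A regenerated AUTHENTIK_SECRET_KEY invalidates every session and a new
        # PG_PASS no longer matches the existing database, so refuse to overwrite.
        raise FileExistsError(f"{env_path} already exists; refusing to overwrite")
    env_path.touch(mode=0o600)  # owner-only before any secret is written into it
    env_path.write_text(render_env(rand_b64(36), rand_b64(60)))
    env_path.chmod(0o600)
    return env_path


if __name__ == "__main__":
    print(bootstrap("./authentik"))
```

Run it once from the folder that will hold the compose file; on a second run it stops rather than rotating secrets that the running database and sessions depend on.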
# **Post-Install**
> **⚠WARNING**
> Wait a few minutes before attempting to connect for the first time. All containers need to show as **Healthy** in Dockge
Go to http://your-server-ip:9000/if/flow/initial-setup/
- Create a unique email and password for admin account
- Don't use your primary email address for this account as it will conflict when you register yourself as a user
# **NGINX Proxy Manager**
## Details
- **Domain Names:** auth.ignitedinspirations.net
- **Scheme:** https
- **Forward Hostname / IP:** 172.18.1.10
- **Forward Port:** 9443
- 9443 is authentik's TLS listener (`AUTHENTIK_PORT_HTTPS` in `.env`), so the scheme must be `https`; with scheme `http` use port 9000 instead. Authentik's built-in certificate is self-signed and NPM does not verify the upstream certificate, so `https` here only protects the hop between the two containers
- **Cache Assets:** True
- **Block Common Exploits:** True
- **Websockets Support:** True
- **Access Lists:** Publicly Accessible
## Custom Locations
- None
## SSL
- **SSL Certificate:** Let's Encrypt
- **Force SSL:** True
- **HTTP/2 Support:** True
- **HSTS Enabled:** False
- **HSTS Subdomains:** False
## Advanced
The following code needs to be entered into the **Custom Nginx Configuration** of the proxy host for the application you want Authentik to protect. It does not belong on the `auth.` host above: that host must stay reachable without authentication, because it serves the login flows the redirect below sends users to
```NGINX
# Increase buffer size for large headers
# This is needed only if you get 'upstream sent too big header while reading response
# header from upstream' error when trying to access an application protected by goauthentik
proxy_buffers 8 16k;
proxy_buffer_size 32k;

location / {
    # Put your proxy_pass to your application here
    proxy_pass $forward_scheme://$server:$port;

    # authentik-specific config
    auth_request /outpost.goauthentik.io/auth/nginx;
    error_page 401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    # translate headers from the outposts back to the actual upstream
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
    proxy_set_header X-authentik-email $authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
    proxy_set_header X-authentik-uid $authentik_uid;
}

# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
    proxy_pass https://<IP_ADDRESS>:9443/outpost.goauthentik.io;
    # ensure the host of this vserver matches your external URL you've configured
    # in authentik
    proxy_set_header Host $host;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    add_header Set-Cookie $auth_cookie;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    # required for POST requests to work
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
}

# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
    # return 302 https://authentik-server:9443/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}
```
Edit the `<IP_ADDRESS>` in the `proxy_pass` of `location /outpost.goauthentik.io` above so it matches the authentik server's address in the Authentik docker-compose file (`172.18.1.10` in the Details above). This location is what lets the login flow be reached without authentication, so a wrong address turns every visit into a redirect loop
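The `proxy_set_header X-authentik-*` lines in the config above hand the logged-in user's identity to the application as plain HTTP headers, so the application must only believe them when they arrive through the proxy. The following is an added example (not part of the README or of authentik) of the application-side check: a vulnerable reader that trusts the headers from anyone, beside a hardened one that accepts them only from the proxy network. The network `172.18.1.0/24` and the two sample requests are constructed for the example.

```python
"""Application-side handling of the X-authentik-* headers injected by the nginx config.

Added example, not the README's or authentik's own code. TRUSTED_PROXIES and the
sample requests are assumptions constructed for illustration.
"""
import ipaddress
from typing import Mapping, NamedTuple, Optional, Tuple

# Assumed: the Docker network that NPM and authentik share (172.18.1.10 is the
# authentik server in the Details above). Tighten this to the NPM container's
# own address if other containers live on the same network.
TRUSTED_PROXIES = (ipaddress.ip_network("172.18.1.0/24"),)


class Identity(NamedTuple):
    username: str
    email: str
    name: str
    uid: str
    groups: Tuple[str, ...]  # authentik separates group names with "|"


def _parse(headers: Mapping[str, str]) -> Optional[Identity]:
    """Turn the X-authentik-* headers into an Identity; None if no username is set."""
    h = {k.lower(): v for k, v in headers.items()}
    username = h.get("x-authentik-username", "").strip()
    if not username:
        return None
    groups = tuple(g.strip() for g in h.get("x-authentik-groups", "").split("|") if g.strip())
    return Identity(
        username,
        h.get("x-authentik-email", ""),
        h.get("x-authentik-name", ""),
        h.get("x-authentik-uid", ""),
        groups,
    )


def identity_naive(headers: Mapping[str, str]) -> Optional[Identity]:
    """Vulnerable: believes the headers no matter who sent them. Anyone who can
    reach the application's port directly, bypassing NPM, becomes whoever they claim."""
    return _parse(headers)


def identity_from_proxy(remote_addr: str, headers: Mapping[str, str]) -> Optional[Identity]:
    """Hardened: accept the identity headers only from the proxy allowed to set them.
    proxy_set_header in the config above overwrites any client-supplied copy of
    these headers, so via NPM they are trustworthy; a direct connection is not."""
    addr = ipaddress.ip_address(remote_addr)
    if not any(addr in net for net in TRUSTED_PROXIES):
        return None
    return _parse(headers)


def is_member(identity: Optional[Identity], group: str) -> bool:
    """Authorisation decision on top of the identity, e.g. admin-only pages."""
    return identity is not None and group in identity.groups


# Constructed sample requests: (remote address as the app sees it, headers)
PROXIED_REQUEST = ("172.18.1.3", {
    "X-authentik-username": "alice",
    "X-authentik-groups": "authentik Admins|staff",
    "X-authentik-email": "alice@example.net",
    "X-authentik-name": "Alice",
    "X-authentik-uid": "a1b2c3d4",
})
# Same header names, but sent straight to the app's port from a LAN client
DIRECT_SPOOF = ("192.168.1.50", {
    "X-authentik-username": "akadmin",
    "X-authentik-groups": "authentik Admins",
})

if __name__ == "__main__":
    print("via proxy :", identity_from_proxy(*PROXIED_REQUEST))
    print("direct    :", identity_from_proxy(*DIRECT_SPOOF))
    print("naive     :", identity_naive(DIRECT_SPOOF[1]))
```

The address check is defence in depth. The primary control is not to publish the protected application's port on the host at all, so that the only path to it is over the Docker network through NPM; where the port must be exposed, the check above is what stops a direct connection from minting an `authentik Admins` identity with one forged header.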
# **Authentik**
## Create Google OAuth2 Client
1) Go to the [Official Documentation](https://support.google.com/cloud/answer/6158849?hl=en) and follow the steps there
- Make a note of the Client ID and Client Secret
2) Add `https://your-authentik-domain-name/source/oauth/callback/google/` to the list of Authorized redirect URIs
- Google matches redirect URIs exactly, so scheme, host, path and the trailing slash must all match what authentik sends; the last path segment is the source's **Slug** (`google` below)
## Add Google SSO Support
[Official Documentation](https://docs.goauthentik.io/docs/users-sources/sources/social-logins/google/cloud/)
1) Click on **Directory** and then click on **Federation & Social login**
2) Click on **Create**
3) Click on **Google OAuth Source** and click **Next**
4) Enter Google for the **Name**
5) The **Slug** will automatically be filled
6) Enter the Client ID and Client Secret from the Google OAuth2 client created above
7) Click **Finish**
## Add Google as a Login Source
[Official Documentation](https://docs.goauthentik.io/docs/users-sources/sources/#add-sources-to-default-login-page)
1) Click on **Flows and Stages** then click on **Stages**
2) Find the `default-authentication-identification` stage and click on the Edit button
3) Under **Source settings** click on `google` and then click on `>` to add it
## Add User to Directory
1) Navigate to **Directory** then click on **Users**
2) Enter your email address for the **Username**
3) Enter your full name for **Name**
4) Set **User type** to **Internal**
5) Enter your email address for **Email**
6) Click **Create**
## Add User to Admin Group
1) Navigate to **Directory** then click on **Groups**
2) Click on `authentik Admins`
3) Click on **Users** tab
4) Click on **Add existing user**
5) Click on `+` then select your account and click **Add**
6) Click **Add**
## Set New Users to Inactive by Default
1) Click on **Flows and Stages** then click on **Stages**
2) Find the `default-source-enrollment-write` stage and click the Edit button
3) Toggle **Create users as inactive** to On
- Accounts created through Google login now need an admin to activate them under **Directory** > **Users** before they can sign in, so a stranger with a Google account cannot get straight into your applications; users you create by hand (above) are not affected
## Create Application & Provider
1) Click on **Create with Wizard**
2) Enter the Application's Name
- This will automatically fill the **Slug** name
3) Do not enter a Group Name
4) Set **Policy engine mode** to `any` and click **Next**
5) Select **Proxy Provider** and click **Next**
6) **Name** will automatically be filled in
7) Select `default-provider-authorization-explicit-consent` for **Authorization Flow**
8) Click on **Forward auth (single application)**
9) Enter the **External host** name and click **Next**
- This is generally the proxy hostname (ex. https://docker.mysite.com)
10) Skip the **Policy/User/Group Bindings** step and click **Next**
- With no bindings, every authenticated authentik user can open this application. To restrict it, bind a group (for example `authentik Admins`) on the application's **Policy / Group / User Bindings** tab
11) Click **Close**
## Add Application to Outpost
1) Click on **Application** then click on **Outposts**
2) Find the `authentik Embedded Outpost` and click the Edit button on the right
3) Click on the application under the **Available Applications** and then click on the `>` button
4) Click on **Update**
# **Additional Information**
---
> **⚠WARNING**
> If you are using Portainer to manage your Docker environment, you need to specify the ENV_FILE name to be `stacks.env`