authentik

authentik is an open-source Identity Provider focused on flexibility and versatility

List of all possible environment variables

• Category: Apps
• Status: 0, work-in-progress
• Image: ghcr/goauthentik/server, 4, upstream
• Healthcheck: Yes
• Backups: Yes
• Email: Yes
• Tests: No
• SSO: Yes

Quick start

• abra app new authentik
• abra app config <app-name>
• abra app secret insert <app_name> email_pass v1 <password>
• abra app secret generate -a <app_name>
• abra app deploy <app-name>

Rotate Secrets

Increment the secret versions using abra app config <app_name>

abra app secret generate -a <app_name>
abra app undeploy <app_name>
abra app deploy <app_name>
abra app cmd <app_name> db rotate_db_pass
abra app cmd <app_name> app set_admin_pass

Add SSO for Nextcloud

Uncomment Nextcloud configuration and set NEXTCLOUD_DOMAIN the using abra app config <app_name>:

COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud.yml"
NEXTCLOUD_DOMAIN=nextcloud.example.com
SECRET_NEXTCLOUD_ID_VERSION=v1
SECRET_NEXTCLOUD_SECRET_VERSION=v1
APP_ICONS="nextcloud:~/.abra/recipes/authentik/icons/nextcloud.png"

Set the nextcloud Icon using abra app cmd -l -d <app_name> set_icons

Generate OAuth client id and secret using abra app secret generate <app_name> -a (all secrets) or individually:

• abra app secret generate <app_name> nextcloud_id
• abra app secret generate <app_name> nextcloud_secret

Add the id and secret to nextcloud as secrets with:

• abra app secret insert <nextcloud_app_name> authentik_id v1 <id>
• abra app secret insert <nextcloud_app_name> authentik_secret v1 <secret>

Redeploy Authentik to enable the nextcloud client.

The configuration inside Nextcloud can be found in the nextcloud recipe

Add LDAP outpost

• Follow this official guide and skip the LDAP Flow as we don't need it.
• Copy token under Applications -> Outposts -> View Deployment Info`
• Comment in envs for compose.outposts.ldap.yaml and secret version
• Insert token as secret abra app secret insert <DOMAIN> ldap_token v1 <TOKEN>
• Update deployment -> Outpost should be up and running

Import User from CSV

Users can be imported from a CSV file of the following format:

First and last name, username, email@example.com, group1;group2;group3

Run the following command to import the file users.csv:

abra app cmd -l <app_name> import_user users.csv

Users will only be created if the username does not exits. I a group does not exists it will be created.

Customization

Place the files you want to overwrite in a directory <assets_path>. Run abra app config <app_name> and define the env variable COPY_ASSETS in the following format:

"<source_file1>|<service>:<target_directory1> <source_file2>|<service>:<target_directory2> ...

For example:

COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/"
COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/
COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"

Run this command after every deploy/upgrade:

abra app command --local <app-name> customize <assets_path>

Custom CSS

Uncomment the following env:

COMPOSE_FILE="$COMPOSE_FILE:compose.css-volume.yml"

Redeploy the app:

abra app deploy -f <app_name>

Copy the CSS and restart the container:

abra app cp <app_name> my_custom.css app:/web/dist/assets/custom.css
abra app restart <app_name> app

Email templates

Add custom email templates:

abra app cmd -l <app_name> add_email_templates local/path/to/mail_template.html

Blueprints

These blueprints overwrite default blueprint values:

• flow_translation.yaml
• flow_authentication.yaml

The following default blueprints will be overwritten by customizations:

• flow-password-change.yaml
• flow-default-authentication-flow.yaml
• flow-default-user-settings-flow.yaml
• flow-default-source-enrollment.yaml

The abra.sh function apply_blueprints needs to be executed to deactivate these blueprints to ensure that the customizations won't be overwritten. It will further execute flow_translation.yaml and flow_authentication.yaml again.

Blueprint Overwrite/Use Dependencies

• Recovery with email verification
  • Default - Password change flow
    • USE:
      • default-password-change-prompt
      • default-password-change-write
  • Default - Authentication flow
    • USE:
      • default-authentication-login
• Custom Authentication Flow
  • Default - Authentication flow
    • USE:
      • default-authentication-password
    • OVERWRITE:
      • default-authentication-flow
    • APPEND:
      • default-authentication-identification
      • default-authentication-login
    • REMOVE: authentik_flows.flowstagebinding order:20
  • Recovery with email verification
    • USE:
      • default-recovery-flow
• Invitation Enrollment Flow
  • Default - User settings flow
    • USE:
      • default-user-settings-field-name
      • default-user-settings-field-email
  • Default - Password change flow
    • USE:
      • default-password-change-field-password
      • default-password-change-field-password-repeat
  • Default - Authentication flow
    • USE:
      • default-authentication-login
  • Default - Source enrollment flow
    • USE:
      • default-source-enrollment-field-username
      • default-source-enrollment-write
• Custom Invalidation Flow
  • Default - Invalidation flow
    • APPEND_ATTR:
      • authentik_flows.flowstagebinding order: 0
• Flow Translations
  • Recovery with email verification
    • APPEND: default-recovery-flow
  • Default - Password change flow
    • OVERWRITE:
      • default-password-change-field-password
      • default-password-change-field-password-repeat
  • Default - User settings flow
    • OVERWRITE:
      • default-user-settings-field-username
      • default-user-settings-field-name
  • Default - Source enrollment flow
    • OVERWRITE:
      • default-source-enrollment-field-username
• Custom System Brand
  • Default - Brand
    • APPEND: authentik_brands.brand domain: authentik-default
  • Recovery with email verification
    • USE:
      • default-recovery-flow

Blueprint Dependency Execution Order

5. Custom System Brand
   • Default - Brand
   1. Recovery with email verification
      • Default - Authentication flow
        • Default - Password change flow
6. Invitation Enrollment Flow 3. Flow Translations - Default - User settings flow - Default - Source enrollment flow 1. Recovery with email verification - Default - Authentication flow - Default - Password change flow
7. Custom Authentication Flow
   1. Recovery with email verification
      • Default - Authentication flow
        • Default - Password change flow
8. Custom Invalidation Flow
   • Default - Invalidation flow

For more, see docs.coopcloud.tech.