authentik

authentik is an open-source Identity Provider focused on flexibility and versatility

List of all possible environment variables

• Category: Apps
• Status: 0, work-in-progress
• Image: ghcr/goauthentik/server, 4, upstream
• Healthcheck: Yes
• Backups: Yes
• Email: Yes
• Tests: No
• SSO: Yes

Quick start

• abra app new authentik
• abra app config <app-name>
• abra app secret insert <app_name> email_pass v1 <password>
• abra app secret generate -a <app_name>
• abra app deploy <app-name>

Rotate Secrets

Increment the secret versions using abra app config <app_name>

abra app secret generate -a <app_name>
abra app undeploy <app_name>
abra app deploy <app_name>
abra app cmd <app_name> db rotate_db_pass
abra app cmd <app_name> app set_admin_pass

Add SSO for Nextcloud

Uncomment Nextcloud configuration and set NEXTCLOUD_DOMAIN the using abra app config <app_name>:

COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud.yml"
NEXTCLOUD_DOMAIN=nextcloud.example.com
SECRET_NEXTCLOUD_ID_VERSION=v1
SECRET_NEXTCLOUD_SECRET_VERSION=v1
APP_ICONS="nextcloud:~/.abra/recipes/authentik/icons/nextcloud.png"

Set the nextcloud Icon using abra app cmd -l -d <app_name> set_icons

The configuration inside Nextcloud can be found in the nextcloud recipe

Import User from CSV

Users can be imported from a CSV file of the following format:

First and last name, username, email@example.com, group1;group2;group3

Run the following command to import the file users.csv:

abra app cmd -l <app_name> import_user users.csv

Users will only be created if the username does not exits. I a group does not exists it will be created.

Customization

Place the files you want to overwrite in a directory <assets_path>. Run abra app config <app_name> and define the env variable COPY_ASSETS in the following format:

"<source_file1>|<service>:<target_directory1> <source_file2>|<service>:<target_directory2> ...

For example:

COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/"
COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/
COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"

Run this command after every deploy/upgrade:

abra app command --local <app-name> customize <assets_path>

Email templates

Add custom email templates:

abra app cmd -l <app_name> add_email_templates local/path/to/mail_template.html

Blueprints

These blueprints overwrite default blueprint values:

• flow_translation.yaml
• flow_authentication.yaml

The following default blueprints will be overwritten by customizations:

• flow-password-change.yaml
• flow-default-authentication-flow.yaml
• flow-default-user-settings-flow.yaml
• flow-default-source-enrollment.yaml

The abra.sh function apply_blueprints needs to be executed to deactivate these blueprints to ensure that the customizations won't be overwritten. It will further execute flow_translation.yaml and flow_authentication.yaml again.

Blueprint Overwrite/Use Dependencies

• Recovery with email verification
  • Default - Password change flow
    • USE:
      • default-password-change-prompt
      • default-password-change-write
  • Default - Authentication flow
    • USE:
      • default-authentication-login
• Custom Authentication Flow
  • Default - Authentication flow
    • USE:
      • default-authentication-password
    • OVERWRITE:
      • default-authentication-flow
    • APPEND:
      • default-authentication-identification
      • default-authentication-login
    • REMOVE: authentik_flows.flowstagebinding order:20
  • Recovery with email verification
    • USE:
      • default-recovery-flow
• Invitation Enrollment Flow
  • Default - User settings flow
    • USE:
      • default-user-settings-field-name
      • default-user-settings-field-email
  • Default - Password change flow
    • USE:
      • default-password-change-field-password
      • default-password-change-field-password-repeat
  • Default - Authentication flow
    • USE:
      • default-authentication-login
  • Default - Source enrollment flow
    • USE:
      • default-source-enrollment-field-username
      • default-source-enrollment-write
• Custom Invalidation Flow
  • Default - Invalidation flow
    • APPEND_ATTR:
      • authentik_flows.flowstagebinding order: 0
• Flow Translations
  • Recovery with email verification
    • APPEND: default-recovery-flow
  • Default - Password change flow
    • OVERWRITE:
      • default-password-change-field-password
      • default-password-change-field-password-repeat
  • Default - User settings flow
    • OVERWRITE:
      • default-user-settings-field-username
      • default-user-settings-field-name
  • Default - Source enrollment flow
    • OVERWRITE:
      • default-source-enrollment-field-username
• Custom System Tenant
  • Default - Tenant
    • APPEND: authentik_tenants.tenant domain: authentik-default
  • Recovery with email verification
    • USE:
      • default-recovery-flow

Blueprint Dependency Execution Order

5. Custom System Tenant
   • Default - Tenant
   1. Recovery with email verification
      • Default - Authentication flow
        • Default - Password change flow
6. Invitation Enrollment Flow 3. Flow Translations - Default - User settings flow - Default - Source enrollment flow 1. Recovery with email verification - Default - Authentication flow - Default - Password change flow
7. Custom Authentication Flow
   1. Recovery with email verification
      • Default - Authentication flow
        • Default - Password change flow
8. Custom Invalidation Flow
   • Default - Invalidation flow

For more, see docs.coopcloud.tech.