# authentik

[authentik](https://goauthentik.io/) is an open-source Identity Provider focused on flexibility and versatility.

[List of all possible environment variables](https://goauthentik.io/docs/installation/configuration)

* **Category**: Apps
* **Status**: 0, work-in-progress
* **Image**: [ghcr/goauthentik/server](https://ghcr.io/goauthentik/server), 4, upstream
* **Healthcheck**: Yes
* **Backups**: Yes
* **Email**: Yes
* **Tests**: No
* **SSO**: Yes

## Quick start

* `abra app new authentik`
* `abra app config `
* `abra app secret insert email_pass v1 `
* `abra app secret generate -a `
* `abra app deploy `

## Rotate Secrets

Increment the secret versions using `abra app config `, then run:

```
abra app secret generate -a
abra app undeploy
abra app deploy
abra app cmd db rotate_db_pass
abra app cmd app set_admin_pass
```

## Add SSO for Nextcloud

Uncomment the Nextcloud configuration and set `NEXTCLOUD_DOMAIN` using `abra app config `:

```
COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud.yml"
NEXTCLOUD_DOMAIN=nextcloud.example.com
SECRET_NEXTCLOUD_ID_VERSION=v1
SECRET_NEXTCLOUD_SECRET_VERSION=v1
APP_ICONS="nextcloud:~/.abra/recipes/authentik/icons/nextcloud.png"
```

Set the Nextcloud icon using `abra app cmd -l -d set_icons`

The configuration inside Nextcloud can be found in the [nextcloud recipe](https://git.coopcloud.tech/coop-cloud/nextcloud#authentik-integration).

## Import User from CSV

Users can be imported from a CSV file of the following format:

`First and last name, username, email@example.com, group1;group2;group3`

Run the following command to import the file `users.csv`:

`abra app cmd -l import_user users.csv`

Users will only be created if the username does not exist. If a group does not exist, it will be created.

## Customization

Place the files you want to overwrite in a directory ``.
Run `abra app config ` and define the env variable `COPY_ASSETS` in the following format:

```
"|: |: ...
```

For example:

```
COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/"
COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/"
COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
```

Run this command after every deploy/upgrade:

`abra app command --local customize `

## Email templates

Add custom [email templates](https://goauthentik.io/docs/flow/stages/email/#custom-templates):

`abra app cmd -l add_email_templates local/path/to/mail_template.html`

## Blueprints

These blueprints overwrite default blueprint values:

- flow_translation.yaml
- flow_authentication.yaml

The following default blueprints will be overwritten by customizations:

- flow-password-change.yaml
- flow-default-authentication-flow.yaml
- flow-default-user-settings-flow.yaml
- flow-default-source-enrollment.yaml

The `abra.sh` function `apply_blueprints` needs to be executed to deactivate these default blueprints so that the customizations are not overwritten. It then executes flow_translation.yaml and flow_authentication.yaml again.

### Blueprint Overwrite/Use Dependencies

- Recovery with email verification
    - Default - Password change flow
        - USE:
            - `default-password-change-prompt`
            - `default-password-change-write`
    - Default - Authentication flow
        - USE:
            - `default-authentication-login`
- Custom Authentication Flow
    - Default - Authentication flow
        - USE:
            - `default-authentication-password`
        - OVERWRITE:
            - `default-authentication-flow`
        - APPEND:
            - `default-authentication-identification`
            - `default-authentication-login`
        - REMOVE: `authentik_flows.flowstagebinding order:20`
    - Recovery with email verification
        - USE:
            - `default-recovery-flow`
- Invitation Enrollment Flow
    - Default - User settings flow
        - USE:
            - `default-user-settings-field-name`
            - `default-user-settings-field-email`
    - Default - Password change flow
        - USE:
            - `default-password-change-field-password`
            - `default-password-change-field-password-repeat`
    - Default - Authentication flow
        - USE:
            - `default-authentication-login`
    - Default - Source enrollment flow
        - USE:
            - `default-source-enrollment-field-username`
            - `default-source-enrollment-write`
- Custom Invalidation Flow
    - Default - Invalidation flow
        - APPEND_ATTR:
            - `authentik_flows.flowstagebinding order: 0`
- Flow Translations
    - Recovery with email verification
        - APPEND: `default-recovery-flow`
    - Default - Password change flow
        - OVERWRITE:
            - `default-password-change-field-password`
            - `default-password-change-field-password-repeat`
    - Default - User settings flow
        - OVERWRITE:
            - `default-user-settings-field-username`
            - `default-user-settings-field-name`
    - Default - Source enrollment flow
        - OVERWRITE:
            - `default-source-enrollment-field-username`
- Custom System Brand
    - Default - Brand
        - APPEND: `authentik_brands.brand domain: authentik-default`
    - Recovery with email verification
        - USE:
            - `default-recovery-flow`

### Blueprint Dependency Execution Order

5. Custom System Brand
    - Default - Brand
    1. Recovery with email verification
        - Default - Authentication flow
        - Default - Password change flow
4. Invitation Enrollment Flow
    3. Flow Translations
        - Default - User settings flow
        - Default - Source enrollment flow
        1. Recovery with email verification
            - Default - Authentication flow
            - Default - Password change flow
    2. Custom Authentication Flow
        1. Recovery with email verification
            - Default - Authentication flow
            - Default - Password change flow
6. Custom Invalidation Flow
    - Default - Invalidation flow

For more, see [`docs.coopcloud.tech`](https://docs.coopcloud.tech).
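
A pre-flight check for the CSV format described under "Import User from CSV", as an added example that is not part of this recipe or of authentik. Because missing groups are created on import and existing usernames are not created again, it lists the groups an import would create and flags repeated usernames before `import_user` is run. The function name, the `known_groups` parameter, the whitespace trimming and the sample rows are assumptions made for illustration.

```python
import csv
import io
import re

# Loose shape check only (assumption); it does not replace validation at import time.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def check_users_csv(text, known_groups=()):
    """Check rows of `name, username, email, g1;g2` and return
    (users, problems, new_groups) without contacting any server."""
    known = set(known_groups)  # assumed: groups the operator knows already exist
    users, problems, seen, group_refs = [], [], set(), set()
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    for row in reader:
        n = reader.line_num
        if not any(c.strip() for c in row):
            continue  # ignore blank lines
        if len(row) != 4:
            problems.append(f"line {n}: expected 4 fields, got {len(row)}")
            continue
        name, username, email, groups = (c.strip() for c in row)
        groups = [g.strip() for g in groups.split(";") if g.strip()]
        if not username:
            problems.append(f"line {n}: empty username")
            continue
        if username in seen:
            # Users are only created if the username does not exist yet,
            # so a repeated username would not be created a second time.
            problems.append(f"line {n}: duplicate username {username!r}")
            continue
        seen.add(username)
        if not EMAIL_RE.match(email):
            problems.append(f"line {n}: suspicious email {email!r}")
        group_refs.update(groups)
        users.append({"name": name, "username": username,
                      "email": email, "groups": groups})
    # Unknown groups are created on import, so a typo becomes a new group.
    new_groups = sorted(group_refs - known)
    return users, problems, new_groups

# Constructed sample input, not real data.
SAMPLE = """\
Ada Lovelace, ada, ada@example.com, admins;editors
Alan Turing, alan, alan@example.com, editors
Ada L., ada, ada2@example.com, admins
Grace Hopper, grace, grace-at-example.com, edtiors
broken line, only-two-fields
"""

if __name__ == "__main__":
    users, problems, new_groups = check_users_csv(SAMPLE, ["admins", "editors"])
    print(len(users), "rows ok;", problems, "; groups to be created:", new_groups)
```

Review the list of groups to be created before importing: a misspelled group name in the file would otherwise end up as a separate, newly created group.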