From d5d3c1e553bff40aa950130375a6aa2977692324 Mon Sep 17 00:00:00 2001
From: Luis Barrueco
Date: Wed, 13 May 2026 19:00:25 -0300
Subject: [PATCH] feat: integrate authentik

---
 .env.sample | 9 +++++++++
 README.md | 38 ++++++++++++++++++++++++++++++++++++++
 compose.authentik.yml | 16 ++++++++++++++++
 config.ini.tmpl | 17 +++++++++++++++++
 4 files changed, 80 insertions(+)
 create mode 100644 compose.authentik.yml

diff --git a/.env.sample b/.env.sample
index c2151fc..4f78794 100644
--- a/.env.sample
+++ b/.env.sample
@@ -48,3 +48,12 @@ LETS_ENCRYPT_ENV=production
 #OAUTH_HOST=https:///realms//protocol/openid-connect
 #OAUTH_DISPLAY_NAME=Keycloak
 #OAUTH_CLIENT_SECRET_VERSION=v1
+
+## Uncomment to use Authentik. This only works if Keycloak is disabled.
+## See README.md for explanation.
+#AUTHENTIK_ENABLED=1
+#COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml"
+#OAUTH_HOST=https://
+#OAUTH_DISPLAY_NAME=Authentik
+#OAUTH_CLIENT_ID_VERSION=v1
+#OAUTH_CLIENT_SECRET_VERSION=v1
diff --git a/README.md b/README.md
index 03f78e7..0e02e40 100644
--- a/README.md
+++ b/README.md
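Review bot: The new `#OAUTH_HOST=https://` line gives no hint that, unlike the Keycloak sample above it which carries the realm path, the Authentik value must be the bare origin — config.ini.tmpl in this same patch appends `/application/o/authorize/`, `/application/o/token/` and `/application/o/userinfo/` to it, so a host with a trailing path would produce broken endpoint URLs. The two toggles are also independent: `AUTHENTIK_ENABLED=1` selects the template branch that reads the `oauth_client_id`/`oauth_client_secret` secrets, while only the `COMPOSE_FILE` line actually mounts them, so uncommenting one without the other fails at deploy or render time rather than being caught here. I would add `## OAUTH_HOST is the bare Authentik origin (e.g. https://auth.example.com); config.ini.tmpl appends the /application/o/ endpoints to it.` and `## AUTHENTIK_ENABLED and the COMPOSE_FILE line must be uncommented together: one selects the oauth block, the other mounts the secrets it reads.` Note too that `OAUTH_HOST` and `OAUTH_CLIENT_SECRET_VERSION` are defined in both the Keycloak and Authentik stanzas; if a user uncomments both, the later definition silently wins, which the "only works if Keycloak is disabled" remark could state more directly.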
@@ -36,6 +36,44 @@ For the **OAUTH_HOST** config, it uses this format: `https://keycloak.example.co To set the client secret: `abra app secret insert oauth_client_secret v1` +## Authentik setup + +If you've set up Authentik for SSO, you can integrate it into Writefreely by running the following steps: + +1. In the Authentik app, uncomment the Writefreely configuration to enable the associated blueprint: + + ``` + COMPOSE_FILE="$COMPOSE_FILE:compose.writefreely.yml" + WRITEFREELY_DOMAIN=writefreely.example.com + SECRET_WRITEFREELY_ID_VERSION=v1 + SECRET_WRITEFREELY_SECRET_VERSION=v1 + APP_ICONS="writefreely:~/.abra/recipes/authentik/icons/writefreely.png" + WRITEFREELY_APPGROUP="$GROUP_DOCUMENTATION" + ``` + +2. Also in Authentik, generate the client id/secret pair. + + ``` + abra app secret generate writefreely_id v1 + ``` + + ``` + abra app secret generate writefreely_secret v1 + ``` + +3. Uncomment and properly set the configs for Authentik in `abra app config `. + +4. Set the client id/secret that were generated previously, by running: + + ``` + abra app secret insert oauth_client_id v1 + ``` + + ``` + abra app secret insert oauth_client_secret v1 + ``` + + ## MariaDB By default, this recipe uses sqlite. If you wish to use MariaDB instead: diff --git a/compose.authentik.yml b/compose.authentik.yml new file mode 100644 index 0000000..86b134f --- /dev/null +++ b/compose.authentik.yml @@ -0,0 +1,16 @@ +--- +version: "3.8" + +services: + app: + secrets: + - oauth_client_id + - oauth_client_secret + +secrets: + oauth_client_id: + external: true + name: ${STACK_NAME}_oauth_client_id_${OAUTH_CLIENT_ID_VERSION} + oauth_client_secret: + external: true + name: ${STACK_NAME}_oauth_client_secret_${OAUTH_CLIENT_SECRET_VERSION} diff --git a/config.ini.tmpl b/config.ini.tmpl index 7f7398e..ba595a9 100644 --- a/config.ini.tmpl +++ b/config.ini.tmpl 
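Review bot: In compose.authentik.yml the external secret names interpolate `${OAUTH_CLIENT_ID_VERSION}` and `${OAUTH_CLIENT_SECRET_VERSION}`, both of which ship commented out in `.env.sample`; if either is left unset the name collapses to `${STACK_NAME}_oauth_client_id_` and the deploy fails on a missing-secret lookup with no indication of which variable was forgotten. Compose's `${VAR:?message}` form fails early with a readable message, e.g. `name: ${STACK_NAME}_oauth_client_id_${OAUTH_CLIENT_ID_VERSION:?OAUTH_CLIENT_ID_VERSION is unset}` and the same for the secret, assuming abra's compose loader honours that syntax (docker stack deploy does). Treating the client id as a Docker secret alongside the client secret is fine, but a short comment above `secrets:` saying that both values are created with `abra app secret insert oauth_client_id v1` / `oauth_client_secret v1` would save a reader a trip to the README.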
@@ -69,4 +69,21 @@ map_user_id = sub
 map_username = preferred_username
 map_display_name =
 map_email = email
+{{ else if eq (env "AUTHENTIK_ENABLED") "1" }}
+[oauth.generic]
+client_id = {{ secret "oauth_client_id" }}
+client_secret = {{ secret "oauth_client_secret" }}
+host = {{ env "OAUTH_HOST" }}
+display_name = {{ env "OAUTH_DISPLAY_NAME" }}
+callback_proxy =
+callback_proxy_api =
+token_endpoint = /application/o/token/
+inspect_endpoint = /application/o/userinfo/
+auth_endpoint = /application/o/authorize/
+scope = openid profile email
+allow_disconnect = false
+map_user_id = sub
+map_username = preferred_username
+map_display_name =
+map_email = email
 {{ end }}
--
2.49.0
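Review bot: The new `{{ else if eq (env "AUTHENTIK_ENABLED") "1" }}` branch reads `{{ secret "oauth_client_id" }}` and `{{ secret "oauth_client_secret" }}`, but nothing in the template ties that to compose.authentik.yml being included; with `AUTHENTIK_ENABLED=1` and the compose file not in `COMPOSE_FILE`, the secrets are not mounted and the render either errors or — depending on what the `secret` helper returns for a missing file — emits an empty `client_secret =`, which makes the Authentik token exchange fail in a way that is hard to trace back to the `.env`. The `else if` also means Keycloak silently takes precedence when both are enabled, which is documented in `.env.sample` but not here where the decision is made. I would put a template comment above the branch (Go text/template syntax, `{{/* ... */}}`, if that is the renderer the `eq`/`env` calls suggest) stating that this block is rendered only when the Keycloak branch above is off, and that it requires compose.authentik.yml to mount the two `oauth_client_*` secrets. The enclosing `{{ if … }}` for the Keycloak branch starts outside the hunk.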