.env.sample

@@ -48,3 +48,12 @@ LETS_ENCRYPT_ENV=production
 #OAUTH_HOST=https://<your domain>/realms/<your realm>/protocol/openid-connect
 #OAUTH_DISPLAY_NAME=Keycloak
 #OAUTH_CLIENT_SECRET_VERSION=v1
+
+## Uncomment to use Authentik. This only works if Keycloak is disabled.
+## See README.md for explanation.
+#AUTHENTIK_ENABLED=1
+#COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml"
+#OAUTH_HOST=https://<your domain>
+#OAUTH_DISPLAY_NAME=Authentik
+#OAUTH_CLIENT_ID_VERSION=v1
+#OAUTH_CLIENT_SECRET_VERSION=v1

README.md

@@ -36,6 +36,44 @@ For the **OAUTH_HOST** config, it uses this format: `https://keycloak.example.co
 
 To set the client secret: `abra app secret insert <domain> oauth_client_secret v1`
 
+## Authentik setup
+
+If you've set up Authentik for SSO, you can integrate it into Writefreely by running the following steps:
+
+1. In the Authentik app, uncomment the Writefreely configuration to enable the associated blueprint:
+
+   ```
+   COMPOSE_FILE="$COMPOSE_FILE:compose.writefreely.yml"
+   WRITEFREELY_DOMAIN=writefreely.example.com
+   SECRET_WRITEFREELY_ID_VERSION=v1
+   SECRET_WRITEFREELY_SECRET_VERSION=v1
+   APP_ICONS="writefreely:~/.abra/recipes/authentik/icons/writefreely.png"
+   WRITEFREELY_APPGROUP="$GROUP_DOCUMENTATION"
+    ```
+
+2. Also in Authentik, generate the client id/secret pair.
+
+    ```
+    abra app secret generate <authentik_app_name> writefreely_id v1
+    ```
+
+    ```
+    abra app secret generate <authentik_app_name> writefreely_secret v1
+    ```
+
+3. Uncomment and properly set the configs for Authentik in `abra app config <domain>`.
+
+4. Set the client id/secret that were generated previously, by running:
+
+    ```
+    abra app secret insert <domain> oauth_client_id v1
+    ```
+
+    ```
+    abra app secret insert <domain> oauth_client_secret v1
+    ```
+
+
 ## MariaDB
 
 By default, this recipe uses sqlite. If you wish to use MariaDB instead:

compose.authentik.yml

@@ -0,0 +1,16 @@
+---
+version: "3.8"
+
+services:
+  app:
+    secrets:
+      - oauth_client_id
+      - oauth_client_secret
+
+secrets:
+  oauth_client_id:
+    external: true
+    name: ${STACK_NAME}_oauth_client_id_${OAUTH_CLIENT_ID_VERSION}
+  oauth_client_secret:
+    external: true
+    name: ${STACK_NAME}_oauth_client_secret_${OAUTH_CLIENT_SECRET_VERSION}

config.ini.tmpl

@@ -69,4 +69,21 @@ map_user_id        = sub
 map_username       = preferred_username
 map_display_name   =
 map_email          = email
+{{ else if eq (env "AUTHENTIK_ENABLED") "1" }}
+[oauth.generic]
+client_id          = {{ secret "oauth_client_id" }}
+client_secret      = {{ secret "oauth_client_secret" }}
+host               = {{ env "OAUTH_HOST" }}
+display_name       = {{ env "OAUTH_DISPLAY_NAME" }}
+callback_proxy     =
+callback_proxy_api =
+token_endpoint     = /application/o/token/
+inspect_endpoint   = /application/o/userinfo/
+auth_endpoint      = /application/o/authorize/
+scope              = openid profile email
+allow_disconnect   = false
+map_user_id        = sub
+map_username       = preferred_username
+map_display_name   =
+map_email          = email
 {{ end }}