Update authentik documentation for forward auth (single application) (#10010)
**Description**

Updated the documentation for authentik. There are several threads about this in Discord, but the solution is still hard to find. The [closest one is this](https://discord.com/channels/830763548678291466/1101105773850935316), but I only found it after I got it to work on my system. The update contains info about using subdomain level authentication, as well as using basic-auth credentials for services in authentik.

**⚙️ Type of change**

- [ ] ⚙️ Feature/App addition
- [ ] 🪛 Bugfix
- [ ] ⚠️ Breaking change (fix or feature that would cause existing functionality to not work as expected)
- [ ] 🔃 Refactor of current code
- [x] 📄 Documentation Update

**🧪 How Has This Been Tested?**

I tested this locally and from a different network, on multiple devices.

**📃 Notes:**

**✔️ Checklist:**

- [ ] ⚖️ My code follows the style guidelines of this project
- [ ] 👀 I have performed a self-review of my own code
- [ ] #️⃣ I have commented my code, particularly in hard-to-understand areas
- [x] 📄 I have made corresponding changes to the documentation
- [ ] ⚠️ My changes generate no new warnings
- [ ] 🧪 I have added tests to this description that prove my fix is effective or that my feature works
- [ ] ⬆️ I increased versions for any altered app according to semantic versioning

**➕ App addition**

If this PR is an app addition please make sure you have done the following.

- [ ] 🪞 I have opened a PR on [truecharts/containers](https://github.com/truecharts/containers) adding the container to TrueCharts mirror repo.
- [ ] 🖼️ I have added an icon in the Chart's root directory called `icon.png`

---

_Please don't blindly check all the boxes. Read them and only check those that apply. Those checkboxes are there for the reviewer to see what is this all about and the status of this PR with a quick glance._
This commit is contained in:
parent
1f333417ac
commit
93bf3a565e
|
@ -26,6 +26,12 @@ All of the defaults are fine to start off, you must choose a password, however `
|
|||
|
||||
**Ingress Example**
|
||||
|
||||
:::note
|
||||
|
||||
Note that the `*.mydomain.com` host config is only needed if you want to use `Forward auth (single application)` in `authentik`.
|
||||
|
||||
:::
|
||||
|
||||
![Ingress-Auth](img/Ingress-Auth.png)
|
||||
|
||||
## Authentik GUI Setup
|
||||
|
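Review bot: The new admonition under **Ingress Example** says when the `*.mydomain.com` host is needed but not why, and a reader has to work out from `img/Ingress-Auth.png` which ingress it belongs on. Suggest stating both in the text, and mentioning that a wildcard host also catches subdomains that have no ingress of their own, so it should stay out of the config unless `Forward auth (single application)` is actually used. The leading "Note that" is redundant inside `:::note`.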
@ -54,6 +60,14 @@ Default username is `akadmin` and password is whatever you entered in the initia
|
|||
|
||||
![New-Provider-2](img/New-Provider-2.png)
|
||||
|
||||
- If you want to use subdomain-level access control, select `Forward auth (single application)` and enter the URL you have chosen for your apps' ingress.
|
||||
- The example uses `https://application.mydomain.com/`, make sure your app is reachable and uses a valid certificate beforehand.
|
||||
- You can set HTTP-Basic Authentication Attributes under `Authentication settings` for your service here.
|
||||
- Don't use a `basicAuth` middleware in the apps' ingress settings. Only use this if your app has build in basic auth support.
|
||||
- Add the attributes in a `authentik` group, then assign any user you want to be able to access the application to this group.
|
||||
|
||||
![New-Provider-3](image.png)
|
||||
|
||||
- Once done use that new `Provider` you created
|
||||
|
||||
![Create-Applications-3](img/Create-Applications-3.png)
|
||||
|
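Review bot: The new screenshot is referenced as `![New-Provider-3](image.png)`, while every other image in this hunk lives under `img/` (`img/New-Provider-2.png`, `img/Create-Applications-3.png`); this looks like an editor-pasted path and should probably be `img/New-Provider-3.png`, with the file committed under that name. In the `basicAuth` bullet, "Only use this if your app has build in basic auth support" is ambiguous about what "this" is: read literally it refers to the middleware the previous sentence says not to use, so name the `Authentication settings` attributes explicitly. It would also help to name the attribute keys to add to the group, since the text only says "Add the attributes". Small wording fixes: "build in" should be "built-in" and "a `authentik` group" should be "an `authentik` group".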
@ -86,12 +100,19 @@ Once `authentik` is setup and running, you must create a `forwardAuth` inside `T
|
|||
|
||||
The main thing about this screen is to use the internal DNS name for simplicity
|
||||
|
||||
- I have successfully used an `authentik` instance on a difference host together with `external-service` using this URL:
|
||||
- `https://authentik-external-service.ix-authentik.svc.cluster.local:9443/outpost.goauthentik.io/auth/traefik`
|
||||
- Use `heavyscript dns -a` to get the internal DNS name for your `authentik` instance in that case.
|
||||
- I suggest using the `https` endpoint and port because it is what worked for me.
|
||||
|
||||
:::
|
||||
|
||||
```
|
||||
http://authentik-http.ix-authentik.svc.cluster.local:10230/outpost.goauthentik.io/auth/traefik
|
||||
```
|
||||
|
||||
**Double-check the DNS name and port.**
|
||||
|
||||
There's also a list of `authResponseHeaders` inside `authentik` listed for use with `Traefik`, so in case you need them here they are.
|
||||
|
||||
- `X-authentik-username`
|
||||
|
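Review bot: The added bullets recommend the `https` endpoint on port `9443`, but the fenced example right after them still shows `http://authentik-http.ix-authentik.svc.cluster.local:10230/...`, so the page now gives two different answers without saying which applies when. Suggest stating that the `https://authentik-external-service...:9443` form is for an `authentik` instance on another host reached through `external-service`, and the `http` form is for an instance in the same cluster, or replacing the example if `https` is meant to be the general recommendation. "because it is what worked for me" gives the reader no reason to prefer one over the other; a one-line technical reason would be better, and the first-person phrasing does not match the rest of the guide. Typo: "difference host" should be "different host".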
@ -106,6 +127,8 @@ There's also a list of `authResponseHeaders` inside `authentik` listed for use w
|
|||
- `X-authentik-meta-app`
|
||||
- `X-authentik-meta-version`
|
||||
|
||||
Add the `authorization` header to pass the HTTP-Basic headers from `authentik` to you application.
|
||||
|
||||
### Add Traefik forwardAuth to Charts
|
||||
|
||||
- Once that is done all you need to add the `middleware` to your Charts under the `Ingress section`, as in my case it's called `auth`.
|
||||
|
|
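Review bot: The sentence "Add the `authorization` header to pass the HTTP-Basic headers ..." does not say where to add it; from the surrounding text it belongs in the `authResponseHeaders` list, so it would read better as another bullet in that list, written `Authorization` to match the casing style of the `X-authentik-*` entries. Since the next section attaches the same `auth` middleware to Charts in general, it is worth noting that this header carries credentials and is forwarded to every app behind that middleware, and suggesting a separate middleware for the apps that need HTTP-Basic. Typo: "to you application" should be "to your application".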
Binary file not shown.
Before Width: | Height: | Size: 38 KiB After Width: | Height: | Size: 31 KiB |
Binary file not shown.
After Width: | Height: | Size: 33 KiB |
Binary file not shown.
Before Width: | Height: | Size: 50 KiB After Width: | Height: | Size: 32 KiB |