website/integrations: add opencloud integration#22497
Conversation
✅ Deploy Preview for authentik-integrations ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
✅ Deploy Preview for authentik-docs ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
✅ Deploy Preview for authentik-docs ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #22497 +/- ##
=======================================
Coverage 93.28% 93.29%
=======================================
Files 1032 1032
Lines 60059 60062 +3
Branches 400 400
=======================================
+ Hits 56029 56034 +5
+ Misses 4030 4028 -2
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
PeshekDotDev
force-pushed
the
add-opencloud-integration
branch
from
d1acf2d to
691ecbd
Compare
|
So @dewi-tik I ended up reworking this guide a bit. Some people in the ticket clearly wanted the ability to use all of the different clients (desktop. mobile, web) at the same time, which requires setting up a small proxy for a single endpoint in front of authentik. I'm not sure if you'd consider that extending past the point of what we should do for an integration guide. If it is, I wouldn't mind posting a summary of the steps directly on the ticket and leaving this guide to only cover the standard "web" steps, which don't require a reverse proxy. Let me know what you think |
I like it. Ultimately the point is to help users. So I don't think that we should limit sharing information just because it's maybe imperfect or doesn't cover every use case. Plus I like caddy. Will give this a more thorough review and get it approved ASAP |
|
authentik PR Installation instructions Instructions for docker-composeAdd the following block to your AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-2aef0569fe53d4a34fff51bd8f90a872823e12ee
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)sAfterwards, run the upgrade commands from the latest release notes. Instructions for KubernetesAdd the following block to your authentik:
outposts:
container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
image:
repository: ghcr.io/goauthentik/dev-server
tag: gh-2aef0569fe53d4a34fff51bd8f90a872823e12eeAfterwards, run the upgrade commands from the latest release notes. |
|
|
||
| ## Configuration verification | ||
|
|
||
| Open `https://opencloud.company` in a browser, and add the account in the Desktop, iOS, and Android apps using the same server URL. Each client is redirected to authentik to log in and returned to the client afterwards. |
There was a problem hiding this comment.
The "add the account" instruction should be in the "OpenCloud configuration" section.
There was a problem hiding this comment.
It's not possible to add the account until you've configured the above options for logging in with authentik, so this step has to be at the end
|
|
||
| ## Configuration verification | ||
|
|
||
| Open `https://opencloud.company` in a new browser window. You are redirected to authentik to log in, and after authenticating you are returned to OpenCloud. |
There was a problem hiding this comment.
Do they need to click anything to start the login process?
There was a problem hiding this comment.
Nah, it's an automatic redirect once it's configured. No option to log in with regular credentials setting this up
| ``` | ||
|
|
||
| :::info | ||
| `WEBFINGER_WEB_OIDC_CLIENT_ID` is required — the Web UI reads its client ID from WebFinger, and login will not start if it is empty. |
There was a problem hiding this comment.
| `WEBFINGER_WEB_OIDC_CLIENT_ID` is required — the Web UI reads its client ID from WebFinger, and login will not start if it is empty. | |
| `WEBFINGER_WEB_OIDC_CLIENT_ID` is required as the Web UI reads its client ID from the WebFinger, and login will not start if it is empty. |
There was a problem hiding this comment.
"the Webfinger" is not proper english, that's like telling someone "read the client id from the authentik."
There was a problem hiding this comment.
I replaced the emdash with as
|
|
||
| ## OpenCloud configuration | ||
|
|
||
| In the `opencloud-compose` project, enable the external IdP overlay in `COMPOSE_FILE`. This replaces OpenCloud's built-in IdP, so login goes through authentik only. |
There was a problem hiding this comment.
and that's by doing what's in L58. seems unclear
| `WEBFINGER_WEB_OIDC_CLIENT_ID` is required — the Web UI reads its client ID from WebFinger, and login will not start if it is empty. | ||
| ::: | ||
|
|
||
| Create `custom/authentik-roles.yml` to assign every user the default role: |
There was a problem hiding this comment.
if ur just adding env vars why not just add them to the env file instead
There was a problem hiding this comment.
This is how they specify doing it in their docs so this is what I did
| GRAPH_ASSIGN_DEFAULT_USER_ROLE: "true" | ||
| ``` | ||
|
|
||
| Recreate the stack: |
There was a problem hiding this comment.
usually we don't include these commands
There was a problem hiding this comment.
I removed them and said to just reboot your docker containers
|
|
||
| ## Configuration verification | ||
|
|
||
| Open `https://opencloud.company` in a new browser window. You are redirected to authentik to log in, and after authenticating you are returned to OpenCloud. |
There was a problem hiding this comment.
just say open opencloud no need to add domain, especially if it's a placeholder
There was a problem hiding this comment.
I'd prefer to leave it I think it's fine either direction but this is a bit more direct
| - **Client ID**: the client's value from the table below. | ||
| - **Redirect URIs**: the client's value from the table below. | ||
| - **Signing Key**: select the **same** key for all four providers (the shared issuer exposes a single `jwks_uri`, so all clients' tokens must be signed by one key). | ||
| - **Scopes**: `openid`, `profile`, `email`, and `offline_access` (required for the desktop and mobile sync clients to receive a refresh token). |
There was a problem hiding this comment.
Sorry, why would there not be, I don't understand. I could not get this integration to work without offline_access and I don't understand how you would be able to skip this step
| - **Client type**: `Public` | ||
| - **Client ID**: the client's value from the table below. | ||
| - **Redirect URIs**: the client's value from the table below. | ||
| - **Signing Key**: select the **same** key for all four providers (the shared issuer exposes a single `jwks_uri`, so all clients' tokens must be signed by one key). |
There was a problem hiding this comment.
no need to justify and mabye just say Select the same available signing key for all platforms
There was a problem hiding this comment.
Sorry, I don't understand why we wouldn't, we are setting up a proxy to share one provider's well-known in a location to represent all 4 of these providers, it's important to note. It's the whole reason I had to make this guide in the first place
| - **Redirect URIs**: the client's value from the table below. | ||
| - **Signing Key**: select the **same** key for all four providers (the shared issuer exposes a single `jwks_uri`, so all clients' tokens must be signed by one key). | ||
| - **Scopes**: `openid`, `profile`, `email`, and `offline_access` (required for the desktop and mobile sync clients to receive a refresh token). | ||
| - **Issuer mode** (under **Advanced protocol settings**): `Same identifier is used for all providers`. |
There was a problem hiding this comment.
Add section in previous line
- Under Advanced proto settings:
There was a problem hiding this comment.
I moved that up
|
|
||
| ## 3. OpenCloud configuration | ||
|
|
||
| In the `opencloud-compose` project, enable the external IdP overlay in `COMPOSE_FILE`. This replaces OpenCloud's built-in IdP, so login goes through authentik only. |
There was a problem hiding this comment.
ehhhh we repeat word for work what's in the web only section. we should restructure this doc as to not repeat ourselves
There was a problem hiding this comment.
There isn't really a good way to organize this to make that happen. The .env file for the web setup requires an application slug, the other .env file doesn't and has different urls.
The only thing that would kind of work is telling people to universally start with the authentik yml, then telling people to do some of opencloud, then go back to authentik, then go back to the .env for the web version, and I hate it when we do that in guides
|
|
||
| ## Resources | ||
|
|
||
| - [OpenCloud documentation](https://docs.opencloud.eu/) |
There was a problem hiding this comment.
can we get the specific doc urls
There was a problem hiding this comment.
yeah good call, added
github-project-automation
Bot
moved this from Needs review
to In Progress
in authentik Core
…d/index.mdx Co-authored-by: Dewi Roberts <dewi@goauthentik.io> Signed-off-by: Connor Peshek <connor@connorpeshek.me>
…d/index.mdx Co-authored-by: Dewi Roberts <dewi@goauthentik.io> Signed-off-by: Connor Peshek <connor@connorpeshek.me>
…d/index.mdx Co-authored-by: Dewi Roberts <dewi@goauthentik.io> Signed-off-by: Connor Peshek <connor@connorpeshek.me>
…d/index.mdx Co-authored-by: Dewi Roberts <dewi@goauthentik.io> Signed-off-by: Connor Peshek <connor@connorpeshek.me>
✅ Deploy Preview for authentik-storybook ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
…d/index.mdx Co-authored-by: Dominic R <dominic@goauthentik.io> Signed-off-by: Connor Peshek <connor@connorpeshek.me>
|
To @dominic-r 's point, the callout of Global issuer throughout feels a little weird, but we have zero documentation on the global and per-application issuer options for oauth providers. So there is no existing documentation to refer to or link to in order to better explain it, and this integration guide gets stuck doing a little bit of the heavy lifting of explaining what the global issuer option is. We should update the documentation to highlight this feature, but let me know what we want to do about this @dewi-tik and what you think However, I think the document is ready for next rounds of review. All other feedback is handled |
3 participants
Details
An integration guide for opencloud
Closes #18839
Checklist
ak test authentik/)make lint-fix)If an API change has been made
make gen)If changes to the frontend have been made
make web)If applicable
make docs)