Migrating to Authentik

I made the switch to use Authentik for my internal AAA needs. Here's my experience on the migration process.

In a previous post, I talked about securing internal applications using OpenIDC. I’ve been using Google as the identity provider and hardcoding the authorized user in my Apache2 configuration files. During my Japan trip, my friend azntnak introduced me to this open-source identity provider called Authentik. It serves as a single sign-on (SSO) provider, similar to that of Okta and OneLogin. Given that my intranet applications shouldn’t have to rely on internet access to perform authentication and authorization, hosting an instance of Authentik on-premise seemed like a great way to break this dependency.

Integrating Authentik with my existing docker-compose file was relatively straightforward. I essentially copied the project's compose file and renamed a few things, and Authentik started up fine. Within my homelab environment, I use Active Directory to manage users and groups. Fortunately, Authentik has support for LDAP, so I could sync my AD users and groups to it. They have a great write-up on the process over here.

Defining applications was also pretty straightforward. Authentik supports OpenID Connect, SAML, and other authentication protocols, depending on your application's needs. Since my applications are protected at the Apache2 layer with mod_auth_openidc, replacing the client ID, client secret, and provider metadata URL got me almost all the way there.

Since Authentik can also perform the authorization portion, I removed the hardcoded username checks from my configuration files and offloaded them to the application's authorization bindings. For now, I've started off with basic bindings to my own user. I do want to explore their fancier option of adding dynamic policies written as Python expressions.
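To make the "before" and "after" concrete, here is an added example of the Apache2 change described above. It is not the post's own configuration: the hostnames, the application slug `myapp`, the claim name used for `OIDCRemoteUserClaim`, and the placeholder values are all assumptions. The Authentik discovery URL follows the `application/o/<slug>/.well-known/openid-configuration` pattern; check it against your own provider's settings page.

```apache
# BEFORE: Google as the identity provider, with the authorized user
# hardcoded in Apache. Every new user means another config edit and reload.
<Location /app>
    AuthType openid-connect
    Require user alice@example.com
</Location>

# AFTER: Authentik as the on-prem identity provider. Apache only verifies that
# Authentik issued a valid session; who may reach the app is decided by the
# application's authorization bindings inside Authentik.
# (example values, not real credentials)
OIDCProviderMetadataURL https://authentik.lab.internal/application/o/myapp/.well-known/openid-configuration
OIDCClientID            CLIENT_ID_FROM_AUTHENTIK_PROVIDER
OIDCClientSecret        CLIENT_SECRET_FROM_AUTHENTIK_PROVIDER
OIDCRedirectURI         https://myapp.lab.internal/oauth2callback
OIDCCryptoPassphrase    LONG_RANDOM_PASSPHRASE_FOR_SESSION_COOKIES
OIDCScope               "openid email profile"
# Assumption: expose Authentik's username to the app as REMOTE_USER
OIDCRemoteUserClaim     preferred_username

<Location /app>
    AuthType openid-connect
    # No per-user list here any more; the policy decision lives in Authentik
    Require valid-user
</Location>
```

Two things worth checking after the switch: `OIDCRedirectURI` must point at a path under the protected virtual host that serves no content of its own, and `Require valid-user` only restricts access to the extent that the Authentik application actually has a binding attached. An application with no user, group or policy bindings is reachable by any account that can sign in, so the binding in Authentik is now the authorization control, not the Apache directive.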

Authorization bindings for an example application.

Now that I’m using Authentik, it can also show me the last piece I didn’t really have before: accounting. I have one place that I can use to look up all the authentication and authorization attempts and when they occurred. Perhaps it already existed with Google, but the authorization was offloaded to the application side so I didn’t really have much visibility there. Now it’s all in one place 🙂

Special thanks again to my friend azntnak for introducing me to Authentik. It's pretty neat and works pretty much as a drop-in replacement for what I had before. I might use it on my externally facing services as well, but I think it'll require a bit more hardening before I deploy it there.

That’s all I had this time around. Until next time!
~Lui

Injabie3