https://peekread.info/enContents © 2024 <a href="mailto:dugite-code@peekread.info">Dugite-Code</a> <a rel="license" href="http://creativecommons.org/licenses/by-sa/4.0/"> <img alt="Creative Commons License BY-SA" width="88px" height="31px" style="border-width:0; margin-bottom:12px;" src="https://i.creativecommons.org/l/by-sa/4.0/88x31.png"></a>Wed, 14 Feb 2024 06:33:09 GMTNikola (getnikola.com)http://blogs.law.harvard.edu/tech/rsshttps://peekread.info/tech/20220506-authentik-gotifiy-login-notifications/Dugite-Code<p></p><div class="d-flex position-relative pt-3 pb-3"> <div class="flex-shrink-0 me-3"> <img data-pagefind-meta="image[src], image_alt[alt]" style="height:89px;" src="https://peekread.info/images/2022/0428-sso-with-authentik/image01.png" alt="SSO all the things"> </div> <div> <p class="mt-3"></p><p>Continuing with my journy of utilising Authentik for my SSO. After reading a rather good comment by <a href="https://www.reddit.com/r/selfhosted/comments/ub7dvb/authentik_or_keycloak/i62o6hf/">/u/internallogictv</a> over on the reddit <a href="https://www.reddit.com/r/selfhosted/">/r/selfhosted</a>, I wanted to add a few more protections. The simplest of which is to send myself a notification whenever a login or a failed login occurs.</p> </div> </div> <h2>Step 1</h2> <p>First things first we create a new application in gotify in order to generate a token for authentik use. Select the <code>Apps</code> tab and press the <code>Create Application</code> button.</p> <p><img alt="Gotify create an application" class="img-fluid dark-image mx-auto d-block text-center text-light" loading="lazy" max-height="185" max-width="800" src="https://peekread.info/images/2022/0506-authentik-gotifiy-login-notifications/image01.png"></p> <h2>Step 2</h2> <p>Create a new gotify property mapping in the <code>Admin Interface -&gt; Customisation -&gt; Property Mappings</code>.</p> <p><img alt="" class="img-fluid dark-image mx-auto d-block text-center text-light" loading="lazy" max-height="426" max-width="800" src="https://peekread.info/images/2022/0506-authentik-gotifiy-login-notifications/image02.png"></p> <p>I've built this so a login failed is set to the maximum gotify priority level regardless of the user group. For successful logins I divide the levels based on the group gotify-users. I algo create a geo uri for mapping applications on android. You will be able to click the notification and it will open the city co-ordinates, although you may have to skip this if you don't have the <code>geoipupdate</code> container configured.</p> <div class="code"><pre class="code literal-block"><span class="k">try</span><span class="p">:</span> <span class="c1"># Get the login failed username</span> <span class="n">event_user</span> <span class="o">=</span> <span class="n">notification</span><span class="o">.</span><span class="n">event</span><span class="o">.</span><span class="n">context</span><span class="p">[</span><span class="s2">"username"</span><span class="p">]</span> <span class="k">except</span><span class="p">:</span> <span class="c1"># Get the login succeeded username</span> <span class="n">event_user</span> <span class="o">=</span> <span class="n">notification</span><span class="o">.</span><span class="n">event</span><span class="o">.</span><span class="n">user</span><span class="p">[</span><span class="s2">"username"</span><span class="p">]</span> <span class="k">if</span> <span class="n">notification</span><span class="o">.</span><span class="n">event</span><span class="o">.</span><span class="n">action</span> <span class="o">==</span> <span class="s2">"login_failed"</span><span class="p">:</span> <span class="n">priority</span> <span class="o">=</span> <span class="mi">7</span> <span class="n">severity</span> <span class="o">=</span> <span class="s2">"warning"</span> <span class="k">elif</span> <span class="n">ak_is_group_member</span><span class="p">(</span> <span class="n">ak_user_by</span><span class="p">(</span><span class="n">username</span><span class="o">=</span><span class="n">event_user</span><span class="p">),</span> <span class="n">name</span><span class="o">=</span><span class="s2">"gotify-users"</span> <span class="p">):</span> <span class="c1"># Check if the user belongs to group</span> <span class="n">priority</span> <span class="o">=</span> <span class="mi">1</span> <span class="n">severity</span> <span class="o">=</span> <span class="n">notification</span><span class="o">.</span><span class="n">severity</span> <span class="k">else</span><span class="p">:</span> <span class="c1"># default notification settings</span> <span class="n">priority</span> <span class="o">=</span> <span class="mi">0</span> <span class="n">severity</span> <span class="o">=</span> <span class="n">notification</span><span class="o">.</span><span class="n">severity</span> <span class="c1"># Build a geo uri for opening a mapping applications from the gotify notification.</span> <span class="n">geo_uri</span> <span class="o">=</span> <span class="sa">f</span><span class="s2">"geo:</span><span class="si">{</span><span class="n">notification</span><span class="o">.</span><span class="n">event</span><span class="o">.</span><span class="n">context</span><span class="p">[</span><span class="s1">'geo'</span><span class="p">][</span><span class="s1">'lat'</span><span class="p">]</span><span class="si">}</span><span class="s2">,</span><span class="si">{</span><span class="n">notification</span><span class="o">.</span><span class="n">event</span><span class="o">.</span><span class="n">context</span><span class="p">[</span><span class="s1">'geo'</span><span class="p">][</span><span class="s1">'long'</span><span class="p">]</span><span class="si">}</span><span class="s2">?q=</span><span class="si">{</span><span class="n">notification</span><span class="o">.</span><span class="n">event</span><span class="o">.</span><span class="n">context</span><span class="p">[</span><span class="s1">'geo'</span><span class="p">][</span><span class="s1">'lat'</span><span class="p">]</span><span class="si">}</span><span class="s2">,</span><span class="si">{</span><span class="n">notification</span><span class="o">.</span><span class="n">event</span><span class="o">.</span><span class="n">context</span><span class="p">[</span><span class="s1">'geo'</span><span class="p">][</span><span class="s1">'long'</span><span class="p">]</span><span class="si">}</span><span class="s2">"</span> <span class="n">title</span> <span class="o">=</span> <span class="sa">f</span><span class="s2">"</span><span class="si">{</span><span class="n">severity</span><span class="si">}</span><span class="s2"> from authentik </span><span class="si">{</span><span class="n">notification</span><span class="o">.</span><span class="n">event</span><span class="o">.</span><span class="n">action</span><span class="o">.</span><span class="n">replace</span><span class="p">(</span><span class="s1">'_'</span><span class="p">,</span><span class="w"> </span><span class="s1">' '</span><span class="p">)</span><span class="si">}</span><span class="s2">"</span><span class="o">.</span><span class="n">capitalize</span><span class="p">()</span> <span class="n">message</span> <span class="o">=</span> <span class="sa">f</span><span class="s2">"New </span><span class="si">{</span><span class="n">notification</span><span class="o">.</span><span class="n">event</span><span class="o">.</span><span class="n">action</span><span class="o">.</span><span class="n">replace</span><span class="p">(</span><span class="s1">'_'</span><span class="p">,</span><span class="w"> </span><span class="s1">' '</span><span class="p">)</span><span class="si">}</span><span class="s2"> for </span><span class="si">{</span><span class="n">event_user</span><span class="si">}</span><span class="s2"> was detected coming from </span><span class="si">{</span><span class="n">notification</span><span class="o">.</span><span class="n">event</span><span class="o">.</span><span class="n">context</span><span class="p">[</span><span class="s1">'geo'</span><span class="p">][</span><span class="s1">'city'</span><span class="p">]</span><span class="si">}</span><span class="s2"> </span><span class="si">{</span><span class="n">notification</span><span class="o">.</span><span class="n">event</span><span class="o">.</span><span class="n">context</span><span class="p">[</span><span class="s1">'geo'</span><span class="p">][</span><span class="s1">'country'</span><span class="p">]</span><span class="si">}</span><span class="s2"> from the IP address: </span><span class="si">{</span><span class="nb">str</span><span class="p">(</span><span class="n">notification</span><span class="o">.</span><span class="n">event</span><span class="o">.</span><span class="n">client_ip</span><span class="p">)</span><span class="si">}</span><span class="s2">"</span><span class="o">.</span><span class="n">capitalize</span><span class="p">()</span> <span class="c1"># Build the gotify payload</span> <span class="n">gotify_payload</span> <span class="o">=</span> <span class="p">{</span> <span class="s2">"title"</span><span class="p">:</span> <span class="n">title</span><span class="p">,</span> <span class="s2">"message"</span><span class="p">:</span> <span class="n">message</span><span class="p">,</span> <span class="s2">"priority"</span><span class="p">:</span> <span class="n">priority</span><span class="p">,</span> <span class="s2">"extras"</span><span class="p">:</span> <span class="p">{</span> <span class="s2">"client::notification"</span><span class="p">:</span> <span class="p">{</span> <span class="s2">"click"</span><span class="p">:</span> <span class="p">{</span> <span class="s2">"url"</span><span class="p">:</span> <span class="n">geo_uri</span> <span class="p">}</span> <span class="p">}},</span> <span class="p">}</span> <span class="k">return</span> <span class="n">gotify_payload</span> </pre></div> <h2>Step 3</h2> <p>Create a new notification transport <code>Admin Interface -&gt; Events -&gt; Notification Transports</code> using <code>Webhook (generic)</code> your gotify message url with the token created in step one <code>https://example.tld/gotify/message?token=yourtokenhere</code></p> <p><img alt="" class="img-fluid dark-image mx-auto d-block text-center text-light" loading="lazy" max-height="360" max-width="799" src="https://peekread.info/images/2022/0506-authentik-gotifiy-login-notifications/image03.png"></p> <h2>Step 4</h2> <p>Finally we create the notification rule that actually calls the Notification transport. <code>Admin Interface -&gt; Events -&gt; Notification Rules</code> Create a new rule <code>login-notification</code> sending to the group of your choice (This dosn't really matter but it will display an ugly json string as notification on the web UI). Select the <code>Gotify</code> notification transport you created and set the Severity to <code>Notice</code>.</p> <p><img alt="" class="img-fluid dark-image mx-auto d-block text-center text-light" loading="lazy" max-height="489" max-width="798" src="https://peekread.info/images/2022/0506-authentik-gotifiy-login-notifications/image04.png"></p> <p>Now we have to create the policies <code>authentik-core-login</code> and <code>authentik-core-login-failed</code> to the event. Expand the <code>login-notification</code> event and press <code>Create Policy</code>. Select <code>Event Matcher Policy</code>, name it <code>authentik-core-login</code> enable the <code>Execution Logging</code> option, select the <code>Login</code> action and <code>authentik Core</code> App. Finish and repeat for the <code>Login Failed</code> action.</p> <p>Now you should be receiving Login and Login Failed notifications from your Authentik instance over Gotify. I Hope I'll be able to update this to pull different tokens from the user/group attributes in the future to better separate notifications to individual users/admins.</p> <p><img alt="" class="img-fluid dark-image mx-auto d-block text-center text-light" loading="lazy" max-height="294" max-width="797" src="https://peekread.info/images/2022/0506-authentik-gotifiy-login-notifications/image05.png"></p>authentikgotifynotificationssecuritySSOhttps://peekread.info/tech/20220506-authentik-gotifiy-login-notifications/Thu, 05 May 2022 16:00:00 GMThttps://peekread.info/tech/20220429-node-red-sso-with-authentik/Dugite-Code<p></p><div class="d-flex position-relative pt-3 pb-3"> <div class="flex-shrink-0 me-3"> <img data-pagefind-meta="image[src], image_alt[alt]" style="height:89px;" src="https://peekread.info/images/2019/1122-node-red-website-alerts/image01.png" alt="Node-RED is a flow-based programming tool, originally developed by IBM’s Emerging Technology Services team and now a part of the JS Foundation."> </div> <div> <p class="mt-3"></p><p>Following my <a href="https://peekread.info/tech/20220325-sso-with-authentik/">last post regarding SSO with Authentik</a> I thought I should post my passportjs configuration for Node-Red and OpenidConnect. Currently User accounts work, however I haven't gotten group based permissions setup yet.</p> </div> </div> <p>Note This guide is based off the <a href="https://goauthentik.io/integrations/services/gitea/">Gitea integration guide from the Authentik docs.</a></p> <h3>Preparation</h3> <p>The following placeholders will be used:</p> <p><code>authentik.company</code> is the FQDN of authentik.</p> <p><code>nodered.company</code> is the FQDN of nodered.</p> <h3>Step 1</h3> <p>In authentik, create an OAuth2/OpenID Provider (under Resources/Providers) with these settings:</p> <blockquote> <p>note</p> <p>Only settings that have been modified from default have been listed.</p> </blockquote> <h4>Protocol Settings</h4> <div class="code"><pre class="code literal-block"><span class="n">Name</span><span class="o">:</span><span class="w"> </span><span class="n">nodered</span> <span class="n">Signing</span><span class="w"> </span><span class="n">Key</span><span class="o">:</span><span class="w"> </span><span class="n">Select</span><span class="w"> </span><span class="n">any</span><span class="w"> </span><span class="n">available</span><span class="w"> </span><span class="n">key</span> </pre></div> <blockquote> <p>note</p> <p>Take note of the Client ID and Client Secret, you'll need to give them to nodered in Step 3.</p> </blockquote> <h3>Step 2</h3> <p>In authentik, create an application (under Resources/Applications) which uses this provider. Optionally apply access restrictions to the application using policy bindings. note</p> <p>Only settings that have been modified from default have been listed.</p> <div class="code"><pre class="code literal-block"><span class="n">Name</span><span class="o">:</span><span class="w"> </span><span class="n">nodered</span> <span class="n">Slug</span><span class="o">:</span><span class="w"> </span><span class="n">nodered</span><span class="o">-</span><span class="n">slug</span> <span class="n">Provider</span><span class="o">:</span><span class="w"> </span><span class="n">nodered</span> </pre></div> <h3>Step 3</h3> <blockquote> <p>note</p> <p>We are assuming node-red is installed under docker</p> </blockquote> <p>Navigate to the node-red data volume <code>data/node_modules/</code>. Alternatively enter the docker container <code>sudo docker exec -it nodered bash</code> and cd <code>/data/node_modules</code></p> <p>Use npm to install passport-openidconnect npm install passport-openidconnect</p> <p>Edit the node-red settings.js file <code>/data/settings.js</code></p> <div class="code"><pre class="code literal-block"><span class="nx">adminAuth</span><span class="o">:</span><span class="w"> </span><span class="p">{</span> <span class="nx">type</span><span class="o">:</span><span class="s2">"strategy"</span><span class="p">,</span> <span class="nx">strategy</span><span class="o">:</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="nx">name</span><span class="o">:</span><span class="w"> </span><span class="s2">"openidconnect"</span><span class="p">,</span> <span class="w"> </span><span class="nx">label</span><span class="o">:</span><span class="w"> </span><span class="s1">'Sign in with authentik'</span><span class="p">,</span> <span class="w"> </span><span class="nx">icon</span><span class="o">:</span><span class="s2">"fa-cloud"</span><span class="p">,</span> <span class="w"> </span><span class="nx">strategy</span><span class="o">:</span><span class="w"> </span><span class="nx">require</span><span class="p">(</span><span class="s2">"passport-openidconnect"</span><span class="p">).</span><span class="nx">Strategy</span><span class="p">,</span> <span class="w"> </span><span class="nx">options</span><span class="o">:</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="nx">issuer</span><span class="o">:</span><span class="w"> </span><span class="s1">'https://authentik.company/application/o/&lt;application-slug&gt;/'</span><span class="p">,</span> <span class="w"> </span><span class="nx">authorizationURL</span><span class="o">:</span><span class="w"> </span><span class="s1">'https://authentik.company/application/o/authorize/'</span><span class="p">,</span> <span class="w"> </span><span class="nx">tokenURL</span><span class="o">:</span><span class="w"> </span><span class="s1">'https://authentik.company/application/o/token/'</span><span class="p">,</span> <span class="w"> </span><span class="nx">userInfoURL</span><span class="o">:</span><span class="w"> </span><span class="s1">'https://authentik.company/application/o/userinfo/'</span><span class="p">,</span> <span class="w"> </span><span class="nx">clientID</span><span class="o">:</span><span class="w"> </span><span class="s1">'&lt;Client ID (Key): Step 2&gt;'</span><span class="p">,</span> <span class="w"> </span><span class="nx">clientSecret</span><span class="o">:</span><span class="w"> </span><span class="s1">'&lt;Client Secret: Step 2&gt;'</span><span class="p">,</span> <span class="w"> </span><span class="nx">callbackURL</span><span class="o">:</span><span class="w"> </span><span class="s1">'https://nodered.company/auth/strategy/callback/'</span><span class="p">,</span> <span class="w"> </span><span class="nx">scope</span><span class="o">:</span><span class="w"> </span><span class="p">[</span><span class="s1">'email'</span><span class="p">,</span><span class="w"> </span><span class="s1">'profile'</span><span class="p">,</span><span class="w"> </span><span class="s1">'openid'</span><span class="p">],</span> <span class="w"> </span><span class="nx">proxy</span><span class="o">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span> <span class="w"> </span><span class="nx">verify</span><span class="o">:</span><span class="w"> </span><span class="kd">function</span><span class="p">(</span><span class="nx">issuer</span><span class="p">,</span><span class="w"> </span><span class="nx">profile</span><span class="p">,</span><span class="w"> </span><span class="nx">done</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="nx">done</span><span class="p">(</span><span class="kc">null</span><span class="p">,</span><span class="w"> </span><span class="nx">profile</span><span class="p">)</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="p">},</span> <span class="w"> </span><span class="nx">users</span><span class="o">:</span><span class="w"> </span><span class="kd">function</span><span class="p">(</span><span class="nx">user</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nb">Promise</span><span class="p">.</span><span class="nx">resolve</span><span class="p">({</span><span class="w"> </span><span class="nx">username</span><span class="o">:</span><span class="w"> </span><span class="nx">user</span><span class="p">,</span><span class="w"> </span><span class="nx">permissions</span><span class="o">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">});</span> <span class="w"> </span><span class="p">}</span> <span class="p">},</span> </pre></div>authentiknode-redsecuritySSOhttps://peekread.info/tech/20220429-node-red-sso-with-authentik/Thu, 28 Apr 2022 16:00:00 GMThttps://peekread.info/tech/20220325-sso-with-authentik/Dugite-Code<p></p><div class="d-flex position-relative pt-3 pb-3"> <div class="flex-shrink-0 me-3"> <img data-pagefind-meta="image[src], image_alt[alt]" style="height:89px;" src="https://peekread.info/images/2022/0428-sso-with-authentik/image01.png" alt="SSO all the things"> </div> <div> <p class="mt-3"></p><p>A while back I wrote about minimising my attack surface by utilising default deny and whitelists in Nginx. Now I've gotten into the weeds with authentication and deployed an SSO (Signle sign-on) service on my selfhosted infrastructure.</p> </div> </div> <h3>What is Authentik?</h3> <p>Authentik is a SSO (Single Sign on) provider, much like with Google's services you sign in once and then you can access all your services. This has been a big bugbear with selfhosted applications, with <a href="https://gitlab.com/dugite-code/rcmail_ttrss">Roundcubemail TTRSS plugin</a>, <a href="https://github.com/dugite-code/auth_rcmail">auto authentication for Tiny Tiny RSS against an IMAP Server</a> and <a href="https://github.com/dugite-code/codiad-imap_auth">Codiad External Authentication via IMAP </a> to name a few work arounds to the issue I have hacked together over the years.</p> <p>Most importantly for my use case is the single pane of glass to access my services:</p> <p><img alt="A nice dashboard really brings it all together" class="img-fluid dark-image mx-auto d-block text-center text-light" loading="lazy" max-width="1110" src="https://peekread.info/images/2022/0428-sso-with-authentik/a-nice-dashboard-realy-brings-it-all-together.png"></p> <h3>The Issues</h3> <p>Introducing a SSO system introduces complexity and potential problems so it's not all smooth sailing, passwords are a thing still as they are simple and reliable and understandable.</p> <h4>New Project new problems, limited reviews</h4> <p>Authentik's first beta release was in Jan 2020 so it's very new and has had a few teething issues and quite a few bugs. I highly recommend utilising additional security methods in front of authentik (IDS/IPS, Geo Blocking and ideally using a VPN to access) until it reaches maturity.</p> <h4>Poor Documentation</h4> <p>Quite frankly the documentation isn't great if you are attempting to figure out <strong>HOW</strong> it’s supposed to work. Thankfully they have integration guides included in the docs that covers the gaps, so some reading between the lines is needed for a while yet.</p> <h4>Limited compatibility</h4> <p>Not everything has SSO support (SAML, Oauth/OpenidConnect or reverse Proxy Authentication), thankfully this isn't as hard to deal with as it once was:</p> <ul> <li><a href="https://discourse.nodered.org/t/nextcloud-oauth-2-login/4403/8?u=dugite-code">My post on adding openidconnect to node-red</a></li> <li><a href="https://github.com/ArchiveBox/ArchiveBox/pull/866#discussion_r839151488">My minor contribution to the Reverse Proxy authentication pull request for ArchiveBox</a></li> </ul> <p>The main issue I have faced is with HomeAssistant. The developers have been reluctant/resistant to adding additional authentication methods to the project. There is the <a href="https://github.com/BeryJu/hass-auth-header">hass-auth-header</a> project created by the developer of Authentik, however the HomeAssistant Android app is frustratingly a <a href="https://github.com/home-assistant/android/issues/1438">major sticking point</a>.</p>authenticationauthentikrsssecuritySSOhttps://peekread.info/tech/20220325-sso-with-authentik/Thu, 24 Mar 2022 16:00:00 GMT