Authentik Gotifiy Login Notifications
Continuing with my journy of utilising Authentik for my SSO. After reading a rather good comment by /u/internallogictv over on the reddit /r/selfhosted, I wanted to add a few more protections. The simplest of which is to send myself a notification whenever a login or a failed login occurs.
Step 1
First things first we create a new application in gotify in order to generate a token for authentik use. Select the Apps
tab and press the Create Application
button.
Step 2
Create a new gotify property mapping in the Admin Interface -> Customisation -> Property Mappings
.
I've built this so a login failed is set to the maximum gotify priority level regardless of the user group. For successful logins I divide the levels based on the group gotify-users. I algo create a geo uri for mapping applications on android. You will be able to click the notification and it will open the city co-ordinates, although you may have to skip this if you don't have the geoipupdate
container configured.
try: # Get the login failed username event_user = notification.event.context["username"] except: # Get the login succeeded username event_user = notification.event.user["username"] if notification.event.action == "login_failed": priority = 7 severity = "warning" elif ak_is_group_member( ak_user_by(username=event_user), name="gotify-users" ): # Check if the user belongs to group priority = 1 severity = notification.severity else: # default notification settings priority = 0 severity = notification.severity # Build a geo uri for opening a mapping applications from the gotify notification. geo_uri = f"geo:{notification.event.context['geo']['lat']},{notification.event.context['geo']['long']}?q={notification.event.context['geo']['lat']},{notification.event.context['geo']['long']}" title = f"{severity} from authentik {notification.event.action.replace('_', ' ')}".capitalize() message = f"New {notification.event.action.replace('_', ' ')} for {event_user} was detected coming from {notification.event.context['geo']['city']} {notification.event.context['geo']['country']} from the IP address: {str(notification.event.client_ip)}".capitalize() # Build the gotify payload gotify_payload = { "title": title, "message": message, "priority": priority, "extras": { "client::notification": { "click": { "url": geo_uri } }}, } return gotify_payload
Step 3
Create a new notification transport Admin Interface -> Events -> Notification Transports
using Webhook (generic)
your gotify message url with the token created in step one https://example.tld/gotify/message?token=yourtokenhere
Step 4
Finally we create the notification rule that actually calls the Notification transport. Admin Interface -> Events -> Notification Rules
Create a new rule login-notification
sending to the group of your choice (This dosn't really matter but it will display an ugly json string as notification on the web UI). Select the Gotify
notification transport you created and set the Severity to Notice
.
Now we have to create the policies authentik-core-login
and authentik-core-login-failed
to the event. Expand the login-notification
event and press Create Policy
. Select Event Matcher Policy
, name it authentik-core-login
enable the Execution Logging
option, select the Login
action and authentik Core
App. Finish and repeat for the Login Failed
action.
Now you should be receiving Login and Login Failed notifications from your Authentik instance over Gotify. I Hope I'll be able to update this to pull different tokens from the user/group attributes in the future to better separate notifications to individual users/admins.