
[Feat]: Authentik as OpenID Provider

Open support-tt opened this issue 1 year ago • 2 comments

Is your feature request related to a problem? Please describe.
Authentik is a fast-growing OpenID/SAML provider that can also proxy traffic. I think it should be supported by Lowcoder. https://github.com/goauthentik/authentik https://goauthentik.io/

Describe the solution you'd like
Because Authentik's implementation of OpenID is not much different from Keycloak's, the implementation should not be that hard. Unfortunately I'm not a programmer, but I can help with information/testing etc.

Describe alternatives you've considered
An alternative is to have a generic OpenID provider which supports all OpenID providers.

Additional context
If Keycloak is used, the syntax of the URL is: https://KEYCLOAK.DOMAIN.DE/realms/REALMNAME/protocol/openid-connect/auth?response_type=code&client_id=CLIENDID&redirect_uri=LOWCODER_URL&scope=openid

With Authentik it is https://AUTHENTIK.DOMAIN.DE/if/flow/FLOWNAME/?next=%2Fapplication%2Fo%2Fauthorize%2F%3Fscope%3Dopenid%2Bemail%2Bprofile%26response_type%3Dcode%26redirect_uri%3DLOWCODER_URL%26client_id%3dCLIENDID

support-tt, Feb 15 '24 09:02

We are working on, and will soon publish, a generic OAuth Provider where you can configure all these details, so Authentik should also be supported then.

FalkWolsky, Feb 23 '24 10:02

I was actually playing around with this and got Authentik working by adding some config to the Nginx reverse proxy in front of mine. I'm not actually sure if all of these locations are required, but I had success with the below. It's very hacky and probably not ideal for production. Do note this isn't very heavily tested, but it seemed to work:

location /realms/lowcoder/.well-known/openid-configuration {
    proxy_pass https://<authentik-server>/application/o/lowcoder/.well-known/openid-configuration;
    proxy_set_header Host $host;
}
location /realms/lowcoder/protocol/openid-connect/auth {
    proxy_pass https://<authentik-server>/application/o/authorize/;
    proxy_set_header Host $host;
}
location /realms/lowcoder/protocol/openid-connect/userinfo {
    proxy_pass https://<authentik-server>/application/o/userinfo/;
    proxy_set_header Host $host;
    add_header content-type "application/json";
}
location /realms/lowcoder/protocol/openid-connect/token {
    default_type application/json;
    proxy_pass https://<authentik-server>/application/o/token/;
    proxy_set_header Host $host;
    add_header content-type "application/json";
}
location /realms/lowcoder/protocol/openid-connect/certs {
    default_type application/json;
    proxy_pass https://<authentik-server>/application/o/lowcoder/jwks/;
    proxy_set_header Host $host;
    add_header content-type "application/json";
}
location /realms/lowcoder {
    proxy_pass https://<authentik-server>/application/o/lowcoder/;
    proxy_set_header Host $host;
}

beatles1, Mar 02 '24 14:03
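
The routing that the nginx location blocks in the comment above produce, modelled as an added example (not code from this thread or from Lowcoder). It assumes only prefix locations are in play, ignores nginx URI normalization, and uses `authentik.example` as a stand-in for `<authentik-server>`; the sample requests are constructed.

```python
from urllib.parse import urlsplit

UPSTREAM = "https://authentik.example"  # assumed stand-in for <authentik-server>
OIDC = "/realms/lowcoder/protocol/openid-connect"

# (location prefix, URI part of proxy_pass), copied from the quoted config
LOCATIONS = [
    ("/realms/lowcoder/.well-known/openid-configuration",
     "/application/o/lowcoder/.well-known/openid-configuration"),
    (OIDC + "/auth", "/application/o/authorize/"),
    (OIDC + "/userinfo", "/application/o/userinfo/"),
    (OIDC + "/token", "/application/o/token/"),
    (OIDC + "/certs", "/application/o/lowcoder/jwks/"),
    ("/realms/lowcoder", "/application/o/lowcoder/"),
]
CATCH_ALL = "/realms/lowcoder"


def route(request_uri):
    """Return (matched location, upstream URL), or (None, None) if nothing matches."""
    parts = urlsplit(request_uri)
    # With only prefix locations, nginx uses the longest prefix that matches.
    hits = [(loc, uri) for loc, uri in LOCATIONS if parts.path.startswith(loc)]
    if not hits:
        return None, None
    loc, uri = max(hits, key=lambda hit: len(hit[0]))
    # proxy_pass with a URI swaps the matched prefix for that URI, keeps the rest.
    upstream = UPSTREAM + uri + parts.path[len(loc):]
    if parts.query:
        upstream += "?" + parts.query
    return loc, upstream


def catch_all_only(request_uris):
    """Requests that no dedicated block handles, with the URL the upstream sees."""
    routed = [(uri, *route(uri)) for uri in request_uris]
    return [(uri, upstream) for uri, loc, upstream in routed if loc == CATCH_ALL]


if __name__ == "__main__":
    # Constructed sample requests, not taken from real traffic.
    samples = [
        OIDC + "/auth?response_type=code&client_id=CLIENT_ID&scope=openid",
        OIDC + "/logout",
        "/realms/lowcoder-staging/account",
    ]
    for uri, upstream in catch_all_only(samples):
        print("catch-all:", uri, "->", upstream)
```

Paths without a dedicated block, such as the constructed logout request, fall through to the `/realms/lowcoder` block and reach the upstream with a doubled slash. Because that prefix has no trailing slash, it also matches sibling paths such as `/realms/lowcoder-staging/...`.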

This should now work smoothly with the newly introduced generic OAuth Provider from v2.4.0 on.

FalkWolsky, May 24 '24 17:05