authentik: enrollment flow improvements, add option to use GitHub/Google OAuth

2024-12-31 17:23:43 -08:00
parent 57e47231bf
commit 2b265620d4
11 changed files with 488 additions and 350 deletions
--- a/roles/alpina/templates/services/authentik/blueprints/alpina-enrollment-internal.yaml.j2
+++ b/roles/alpina/templates/services/authentik/blueprints/alpina-enrollment-internal.yaml.j2
@@ -0,0 +1,225 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: Alpina - Enrollment by Invitation (Internal)
+entries:
+  # Flow for internal enrollment by invitation
+  - identifiers:
+      slug: enrollment-internal-invitation-flow
+    model: authentik_flows.flow
+    id: flow
+    attrs:
+      name: Alpina Enrollment Flow
+      title: Sign Up
+      designation: enrollment
+      authentication: require_unauthenticated
+
+  # Prompt fields
+  - identifiers:
+      name: alpina-enrollment-field-name
+    model: authentik_stages_prompt.prompt
+    id: prompt-field-name
+    attrs:
+      field_key: name
+      label: Name
+      type: text
+      required: true
+      placeholder: Name
+      placeholder_expression: false
+      order: 0
+  - identifiers:
+      name: alpina-enrollment-field-password
+    model: authentik_stages_prompt.prompt
+    id: prompt-field-password
+    attrs:
+      field_key: password
+      label: Password
+      type: password
+      required: true
+      placeholder: Password
+      placeholder_expression: false
+      order: 1
+  - identifiers:
+      name: alpina-enrollment-field-password-repeat
+    model: authentik_stages_prompt.prompt
+    id: prompt-field-password-repeat
+    attrs:
+      field_key: password_repeat
+      label: Password (repeat)
+      type: password
+      required: true
+      placeholder: Password (repeat)
+      placeholder_expression: false
+      order: 2
+
+  # Flow stages
+  - identifiers:
+      name: alpina-enrollment-invitation
+    model: authentik_stages_invitation.invitationstage
+    id: enrollment-invitation
+  - identifiers:
+      name: alpina-enrollment-identification-oauth
+    model: authentik_stages_identification.identificationstage
+    id: enrollment-identification-oauth
+    attrs:
+      user_fields:
+        - email
+      pretend_user_exists: true
+      show_matched_user: false
+      sources:
+        - !Find [authentik_sources_oauth.oauthsource, [slug, github-enrollment]]
+        - !Find [authentik_sources_oauth.oauthsource, [slug, google-enrollment]]
+  - identifiers:
+      name: alpina-enrollment-deny-existing-email
+    model: authentik_stages_deny.denystage
+    id: enrollment-deny-existing-email
+    attrs:
+      deny_message: "An account with this email already exists"
+  - identifiers:
+      name: alpina-enrollment-prompt-name-password
+    model: authentik_stages_prompt.promptstage
+    id: enrollment-prompt-name-password
+    attrs:
+      fields:
+        - !KeyOf prompt-field-name
+        - !KeyOf prompt-field-password
+        - !KeyOf prompt-field-password-repeat
+      validation_policies:
+        - !Find [authentik_policies_password.passwordpolicy, [name, default-password-change-password-policy]]
+  - identifiers:
+      name: alpina-enrollment-user-write
+    model: authentik_stages_user_write.userwritestage
+    id: enrollment-user-write
+    attrs:
+      user_type: internal
+      create_users_group: !Find [authentik_core.group, [name, users]]
+  - identifiers:
+      name: alpina-enrollment-email-verify
+    model: authentik_stages_email.emailstage
+    id: enrollment-email-verify
+    attrs:
+      use_global_settings: true
+      template: email/account_confirmation.html
+      activate_user_on_success: true
+  - identifiers:
+      name: alpina-enrollment-user-login
+    model: authentik_stages_user_login.userloginstage
+    id: enrollment-user-login
+
+  # Policies
+  - identifiers:
+      name: alpina-enrollment-invited-used-policy
+    model: authentik_policies_event_matcher.eventmatcherpolicy
+    id: enrollment-invited-used-policy
+    attrs:
+      action: invitation_used
+  - identifiers:
+      name: alpina-enrollment-unique-email-policy
+    model: authentik_policies_expression.expressionpolicy
+    id: enrollment-unique-email-policy
+    attrs:
+      expression: |
+        # https://docs.goauthentik.io/docs/customize/policies/expression/unique_email
+        from authentik.core.models import User
+        email = request.context["flow_plan"].context["pending_user"].email
+
+        if User.objects.filter(email=email).exists():
+          ak_message("Email address in use")
+          return False
+
+        if request.context["flow_plan"].context.get("prompt_data") is None:
+          request.context["flow_plan"].context["prompt_data"] = {}
+
+        request.context["flow_plan"].context["prompt_data"]["email"] = email
+        request.context["flow_plan"].context["prompt_data"]["username"] = email
+        return True
+
+  - identifiers:
+      name: alpina-enrollment-user-write-add-groups-policy
+    model: authentik_policies_expression.expressionpolicy
+    id: enrollment-user-write-add-groups-policy
+    attrs:
+        expression: |
+          # https://docs.goauthentik.io/docs/add-secure-apps/flows-stages/stages/user_write
+          from authentik.core.models import Group
+          ak_logger.info("Adding groups", request=request, prompt_data=request.context["prompt_data"], invitation=request.context.get("invitation"))
+
+          requested_groups = request.context["prompt_data"].get("alpina_add_groups")
+          if requested_groups is None:
+            return True
+
+          groups = []
+          for group_name in requested_groups:
+            group, _ = Group.objects.get_or_create(name=group_name)
+            groups.append(group)
+
+          # ["groups"] *must* be set to an array of Group objects, names alone are not enough.
+          request.context["flow_plan"].context["groups"] = groups
+          return True
+
+  # Flow stage bindings
+  - identifiers:
+      target: !KeyOf flow
+      stage: !KeyOf enrollment-invitation
+      order: 0
+    model: authentik_flows.flowstagebinding
+    id: enrollment-invitation-binding
+  - identifiers:
+      target: !KeyOf flow
+      stage: !KeyOf enrollment-identification-oauth
+      order: 1
+    model: authentik_flows.flowstagebinding
+  - identifiers:
+      target: !KeyOf flow
+      stage: !KeyOf enrollment-deny-existing-email
+      order: 2
+    model: authentik_flows.flowstagebinding
+    id: enrollment-deny-existing-email-binding
+  - identifiers:
+      target: !KeyOf flow
+      stage: !KeyOf enrollment-prompt-name-password
+      order: 10
+    model: authentik_flows.flowstagebinding
+  - identifiers:
+      target: !KeyOf flow
+      stage: !KeyOf enrollment-user-write
+      order: 20
+    model: authentik_flows.flowstagebinding
+    id: enrollment-user-write-binding
+  - identifiers:
+      target: !KeyOf flow
+      stage: !KeyOf enrollment-email-verify
+      order: 30
+    model: authentik_flows.flowstagebinding
+  - identifiers:
+      target: !KeyOf flow
+      stage: !KeyOf enrollment-user-login
+      order: 100
+    model: authentik_flows.flowstagebinding
+
+  # Stage policy bindings
+  # Log used invitations
+  - identifiers:
+      target: !KeyOf enrollment-invitation-binding
+      policy: !KeyOf enrollment-invited-used-policy
+      order: 0
+    model: authentik_policies.policybinding
+    attrs:
+      negate: true
+  # Deny existing email addresses
+  - identifiers:
+      target: !KeyOf enrollment-deny-existing-email-binding
+      policy: !KeyOf enrollment-unique-email-policy
+      order: 0
+    model: authentik_policies.policybinding
+    attrs:
+      negate: true
+  # Add groups to user from invitation "alpina_add_groups" field
+  # This only work for email sign up, as the invitation flow context isn't
+  # preserved for the default-source-enrollment flow
+  - identifiers:
+      target: !KeyOf enrollment-user-write-binding
+      policy: !KeyOf enrollment-user-write-add-groups-policy
+      order: 0
+    model: authentik_policies.policybinding
--- a/roles/alpina/templates/services/authentik/blueprints/default-groups.yaml.j2
+++ b/roles/alpina/templates/services/authentik/blueprints/default-groups.yaml.j2
--- a/roles/alpina/templates/services/authentik/blueprints/alpina-oauth-sources.yaml.j2
+++ b/roles/alpina/templates/services/authentik/blueprints/alpina-oauth-sources.yaml.j2
@@ -0,0 +1,79 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: Alpina - External OAuth
+entries:
+  {% set sources = {
+    "GitHub": {
+      "provider_type": "github",
+      "consumer_key": github_consumer_key,
+      "consumer_secret": github_consumer_secret,
+    },
+    "Google": {
+      "provider_type": "google",
+      "consumer_key": google_consumer_key,
+      "consumer_secret": google_consumer_secret,
+    },
+  } -%}
+  {% for source in sources.keys() -%}
+  - identifiers:
+      slug: {{ source | lower }}-auth
+    model: authentik_sources_oauth.oauthsource
+    attrs:
+      provider_type: {{ sources[source]["provider_type"] }}
+      name: {{ source }} (Auth Only)
+      consumer_key: {{ sources[source]["consumer_key"] }}
+      consumer_secret: {{ sources[source]["consumer_secret"] }}
+      user_matching_mode: email_link
+      user_path_template: goauthentik.io/sources/%(slug)s
+      authentication_flow: !Find [authentik_flows.flow, [slug, default-source-authentication]]
+  - identifiers:
+      slug: {{ source | lower }}-enrollment
+    model: authentik_sources_oauth.oauthsource
+    attrs:
+      provider_type: {{ sources[source]["provider_type"] }}
+      name: {{ source }} (Auth and Enrollment)
+      consumer_key: {{ sources[source]["consumer_key"] }}
+      consumer_secret: {{ sources[source]["consumer_secret"] }}
+      user_matching_mode: email_link
+      user_path_template: goauthentik.io/sources/%(slug)s
+      authentication_flow: !Find [authentik_flows.flow, [slug, default-source-authentication]]
+      enrollment_flow: !Find [authentik_flows.flow, [slug, default-source-enrollment]]
+  {% endfor %}
+
+  # Modify default source enrollment to use email as username
+  - identifiers:
+      slug: default-source-enrollment
+    model: authentik_flows.flow
+    id: source-enrollment-flow
+    attrs:
+      policy_engine_mode: all
+  - identifiers:
+      name: alpina-email-as-username-policy
+    model: authentik_policies_expression.expressionpolicy
+    id: email-as-username-policy
+    attrs:
+      expression: |
+        # https://docs.goauthentik.io/docs/users-sources/sources/social-logins/google/#username-mapping
+        email = request.context["prompt_data"].get("email")
+        # Direct set username to email
+        request.context["prompt_data"]["username"] = email
+        # Set username to email without domain
+        # request.context["prompt_data"]["username"] = email.split("@")[0]
+        return True
+  - identifiers:
+      policy: !KeyOf email-as-username-policy
+      target: !KeyOf source-enrollment-flow
+    model: authentik_policies.policybinding
+    attrs:
+      order: 0
+
+  # Modify default source enrollment to create internal users
+  # with the internal user type and the users group
+  - identifiers:
+      name: default-source-enrollment-write
+    model: authentik_stages_user_write.userwritestage
+    attrs:
+      user_type: internal
+      create_users_group: !Find [authentik_core.group, [name, users]]
--- a/roles/alpina/templates/services/authentik/blueprints/default-authentication.yaml.j2
+++ b/roles/alpina/templates/services/authentik/blueprints/default-authentication.yaml.j2
@@ -48,7 +48,8 @@ entries:
      passwordless_flow: !Find [authentik_flows.flow, [slug, authentication-passwordless-flow]]
      sources:
        - !Find [authentik_core.source, [slug, authentik-built-in]]
-        - !Find [authentik_sources_oauth.oauthsource, [slug, github]]
+        - !Find [authentik_sources_oauth.oauthsource, [slug, github-auth]]
+        - !Find [authentik_sources_oauth.oauthsource, [slug, google-auth]]

    # Enable compatibility mode for the default authentication flow for better autofill support
  - identifiers:
--- a/roles/alpina/templates/services/authentik/blueprints/default-enrollment-internal.yaml.j2
+++ b/roles/alpina/templates/services/authentik/blueprints/default-enrollment-internal.yaml.j2
@@ -1,152 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: Alpina - Default Enrollment by Invitation (Internal)
-entries:
-  # Flow for internal enrollment by invitation
-  - identifiers:
-      slug: enrollment-internal-invitation-flow
-    model: authentik_flows.flow
-    id: flow
-    attrs:
-      name: Default enrollment Flow
-      title: Welcome to authentik!
-      designation: enrollment
-      authentication: require_unauthenticated
-
-  # Prompt fields
-  - identifiers:
-      name: default-enrollment-field-username
-    model: authentik_stages_prompt.prompt
-    id: prompt-field-username
-    attrs:
-      field_key: username
-      label: Username
-      type: username
-      required: true
-      placeholder: Username
-      placeholder_expression: false
-      order: 0
-  - identifiers:
-      name: default-enrollment-field-password
-    model: authentik_stages_prompt.prompt
-    id: prompt-field-password
-    attrs:
-      field_key: password
-      label: Password
-      type: password
-      required: true
-      placeholder: Password
-      placeholder_expression: false
-      order: 0
-  - identifiers:
-      name: default-enrollment-field-password-repeat
-    model: authentik_stages_prompt.prompt
-    id: prompt-field-password-repeat
-    attrs:
-      field_key: password_repeat
-      label: Password (repeat)
-      type: password
-      required: true
-      placeholder: Password (repeat)
-      placeholder_expression: false
-      order: 1
-  - identifiers:
-      name: default-enrollment-field-name
-    model: authentik_stages_prompt.prompt
-    id: prompt-field-name
-    attrs:
-      field_key: name
-      label: Name
-      type: text
-      required: true
-      placeholder: Name
-      placeholder_expression: false
-      order: 0
-  - identifiers:
-      name: default-enrollment-field-email
-    model: authentik_stages_prompt.prompt
-    id: prompt-field-email
-    attrs:
-      field_key: email
-      label: Email
-      type: email
-      required: true
-      placeholder: Email
-      placeholder_expression: false
-      order: 1
-
-  # Flow stages
-  - identifiers:
-      name: default-enrollment-invitation
-    model: authentik_stages_invitation.invitationstage
-    id: default-enrollment-invitation
-  - identifiers:
-      name: default-enrollment-prompt-first
-    model: authentik_stages_prompt.promptstage
-    id: default-enrollment-prompt-first
-    attrs:
-      fields:
-        - !KeyOf prompt-field-username
-        - !KeyOf prompt-field-password
-        - !KeyOf prompt-field-password-repeat
-  - identifiers:
-      name: default-enrollment-prompt-second
-    model: authentik_stages_prompt.promptstage
-    id: default-enrollment-prompt-second
-    attrs:
-      fields:
-        - !KeyOf prompt-field-name
-        - !KeyOf prompt-field-email
-  - identifiers:
-      name: default-enrollment-user-write
-    model: authentik_stages_user_write.userwritestage
-    id: default-enrollment-user-write
-    attrs:
-      user_creation_mode: always_create
-      user_type: internal
-  - identifiers:
-      name: default-enrollment-email-verify
-    model: authentik_stages_email.emailstage
-    id: default-enrollment-email-verify
-    attrs:
-      use_global_settings: true
-      template: email/account_confirmation.html
-      activate_user_on_success: true
-  - identifiers:
-      name: default-enrollment-user-login
-    model: authentik_stages_user_login.userloginstage
-    id: default-enrollment-user-login
-
-  # Flow stage bindings
-  - identifiers:
-      target: !KeyOf flow
-      stage: !KeyOf default-enrollment-invitation
-      order: 0
-    model: authentik_flows.flowstagebinding
-  - identifiers:
-      target: !KeyOf flow
-      stage: !KeyOf default-enrollment-prompt-first
-      order: 10
-    model: authentik_flows.flowstagebinding
-  - identifiers:
-      target: !KeyOf flow
-      stage: !KeyOf default-enrollment-prompt-second
-      order: 11
-    model: authentik_flows.flowstagebinding
-  - identifiers:
-      target: !KeyOf flow
-      stage: !KeyOf default-enrollment-user-write
-      order: 20
-    model: authentik_flows.flowstagebinding
-  - identifiers:
-      target: !KeyOf flow
-      stage: !KeyOf default-enrollment-email-verify
-      order: 30
-    model: authentik_flows.flowstagebinding
-  - identifiers:
-      target: !KeyOf flow
-      stage: !KeyOf default-enrollment-user-login
-      order: 100
-    model: authentik_flows.flowstagebinding
--- a/roles/alpina/templates/services/authentik/blueprints/github-oauth.yaml.j2
+++ b/roles/alpina/templates/services/authentik/blueprints/github-oauth.yaml.j2
@@ -1,25 +0,0 @@
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "true"
-  name: Alpina - GitHub OAuth
-entries:
-  - identifiers:
-      slug: github
-    model: authentik_sources_oauth.oauthsource
-    attrs:
-      name: GitHub
-      slug: github
-      access_token_url: https://github.com/login/oauth/access_token
-      additional_scopes: openid read:org
-      authentication_flow: !Find [authentik_flows.flow, [slug, default-source-authentication]]
-      authorization_url: https://github.com/login/oauth/authorize
-      consumer_key: {{ github_consumer_key }}
-      consumer_secret: {{ github_consumer_secret }}
-      enabled: true
-      enrollment_flow: !Find [authentik_flows.flow, [slug, default-source-enrollment]]
-      policy_engine_mode: any
-      profile_url: https://api.github.com/user
-      provider_type: github
-      user_matching_mode: email_link
-      user_path_template: goauthentik.io/sources/%(slug)s