Authentik - open source, self hosted authentication system with OIDC, SAML, and more...

Captions
It's your Open Source Advocate, and I'm back with another video. Today I want to talk about Authentik. Now, about a year, year and a half ago, I don't really remember exactly when, I covered Authelia, and that is still a really great solution for getting single sign-on type authentication for a lot of your web services and web applications. It took a little bit of configuration, and it took a little bit of thought and understanding to get it set up, but it was, and still is, a great solution. So if you've got that set up, don't feel like you just have to jump over and switch over to Authentik right now. I'm going to show you what Authentik has, I'm going to show you what you can do with it, and then you can make an informed decision about "should I switch, or should I just stick with what I've got going, because it's working and it's stable and I've had it for a long time?" You just have to remember that whenever you do anything with authentication, it means that you've got to re-set up your authentication, you've got to re-set up multi-factor authentication if you want to use that, you've got to do a lot of things to kind of get it set up and going. The great thing about these types of applications is that once you've got it set up and ready to manage, adding in your friends or your family and giving them that advantage of single sign-on is really, really great. Now I've had a few people already ask me, because I mentioned doing the Authentik video on some of my other videos, they've asked me to do Zitadel and some of the other ones, so I'll look into those. I haven't had time to reach out and just kind of figure out how those work and look into them as much, but Authentik I've been working with for a few weeks now. I really like it, I think it's a really cool application, and I have to learn these things just like I teach them to you guys; it takes a little bit of time. I will say there's some really great YouTube channels out there that cover Authentik in a lot of detail with
a lot of videos. One of those is Cooptonian, so I'm going to have that one linked in the description and in the show notes so you guys can go and check him out. Another one is Jim's Garage. He's got a similar channel to me; he does a lot of really cool stuff for home lab, open source, things like that, and he seems to be a pretty big fan of Authentik so far. Now he's also covered Keycloak, so if you're interested in that one you can check out his videos there, but I'll link both of those in the description and in the show notes so you can access them and see what they offer. I'll say that Authentik is really, really great; I've really been enjoying it. I've set it up as what we're going to do today, which is a proxy provider. So something like where Dashy doesn't have a specific login system (I mean, you can kind of set up a login system with it, but it doesn't really have one just out of the gate), you can put Authentik in front of it and make sure that you're getting authorized if you're accessing your dashboard from outside of your network. The same way that you might do something like a speed test: maybe you have a speed test that doesn't have an authentication mechanism built in, so you could use Authentik on top of that. I'm going to use Homepage today for my example for you guys, so you can see how that works. But we're going to go through it: we're going to go through the setup, configuration and installation of Authentik, then we'll set up our actual proxy provider. A reverse proxy first of all, to get it set up so we can reach it from the outside world, then we'll go through and set it up as a proxy provider, which means that before you can get to that application you have to go through Authentik and you have to authenticate, and then it will pass you forward to that actual application that you want to use. And then the last thing I'm going to do is I'm going to set up an OIDC provider, so an OAuth provider, which is really cool. Auth0, so you can see here that it's rolling
through and it's saying "hey, replace all these things because we have stuff that you can use," so we want to make an OIDC provider today as well. Now they have LDAP, they have SAML, they have a lot of different options, and you'll see those as we go through, but I really think this is a cool application. And again, they have ways of supporting this project, so get out there and check that out. If you're a business or an enterprise, maybe you're the IT person for them and you're just checking out Authentik to see what it offers; once you've done that, if you say "man, I'd love to use this for my enterprise" or "I'd love to use this for my company," jump over here to the pricing and check out the pricing that they've got. So $5 per internal user per month; this is pretty cheap and you get a lot of really cool stuff. It's Enterprise Self-hosted, okay, that means you're still self-hosting it but you get the enterprise features. Now they've got the open source version, so again you get a lot of stuff in the open source version that we're going to look at, and you can see "free forever" because it's open source. That's awesome. Now it's 2 per external user per month; this is pretty awesome. I mean, so if you've got like an IT company and you have people who are like "hey, we need to access something that's inside your network" and you want to give them some kind of access to that, you can do that, and it's really inexpensive for you to give them kind of that temporary access that they need. So pretty cool. Also Enterprise Cloud, so if you want them to host Authentik for you, look at this, the price has not changed. It's really awesome: $5 per user per month, or 2 cents per external user per month. I mean, this is a really, really cool option, and I think the pricing on it looks really great, especially for places that again are looking for business-level stuff, maybe something that somebody else hosts for you because you just don't want to deal with having to self-host it. That's fine, but
today I'm going to go through the open source option to get you up and started so you can test it out, see how it works and see how it goes. But just keep in mind that these guys support the open source version by having these paid options, so if you're a business or you represent a business, definitely think about getting out there and supporting them as well. We're going to get into the install right after this.

I want to say thank you to all of my subscribers and all of my patrons over at Patreon. Seriously, you guys make this so worth it for me to do these videos every week. I really, truly enjoy it and I just can't say thank you enough. If you're enjoying these videos, subscribe; let YouTube know that I'm doing a good job by subscribing to the channel, plus you'll get notified when I have new videos coming out. And finally, if you're enjoying what I'm doing, give it a like, just click on that thumbs up, and that way YouTube knows that you like it and they'll pass it along to other people that might enjoy my content as well. I really appreciate it, thank you again. Let's get started.

What we want to do first is get on the server where we want to actually host Authentik. So in this case I'm going to put it on my testing server, but whatever machine you want to put it on: this could be the desktop that's in front of you, this could be a separate desktop somewhere else, this could be a server or a VPS. It just depends on you and how you want to do this. I'm going to install this on my test server today because I've got a production system already set up and running, but we're going to do this as a testing system. So the first thing we want to do is create our folder structure, and I always like to create my Docker folder structure with a parent folder called docker and then the name of the application I'm setting up that day as a folder inside of that. So we're going to do mkdir -p docker/authentik, just like that, and Authentik has a K at the end; it is not like the normal "authentic" spelling.
So this is how you would do this, and it's just going to really kind of run a couple of things at once. It says "hey, check to see if the docker folder exists; if it does, use it, if not, create it," and then inside of that, see if the authentik folder exists, and if it does, use it, if not, create it. So we kind of get a lot of stuff out of that one command. We're just going to hit enter, and now we're going to move into that folder, and there we go. And if we do an ls, there's nothing here yet because we haven't actually set anything up. Now we've got to set up a couple of things. First we need to have our Docker Compose file, so I'm just going to do mk... or I'm actually going to do nano docker-compose.yml. So this is our file that tells Docker how to run this application. We're just going to hit enter; that's going to open up the nano text editor. Now you can use any text editor you like: if you like vi or Vim, if you like Emacs, it's just up to you. If you're on a desktop and you want to use, you know, gedit, Kate or Text Editor or whatever you find on your system, that's fine. You don't have to use nano, but this is just the easiest way for me when I'm SSH'd into a machine. I am going to paste in this text, but I will have this in the show notes like always, so that we can go through this, but this is a decently long Docker Compose file. So first, it's a version 3.4 compose file. The services that we're going to start are PostgreSQL, so that's where you store a lot of the information, and it's just going to pull the postgres 12 Alpine version; for now that's fine. It's going to restart this container unless we stop it intentionally, so unless you do like docker stop or docker compose stop or docker compose down on this container, if anything happens to it, if it crashes, if the system gets rebooted, it's just going to start this back up automatically; you don't have to go in and tell it to restart. It's got a test that says "run this test to make sure that it's up
and running," and it's going to say, you know, give it about 20 seconds to make sure it's up and running, and then the interval is 30 seconds. It's going to check five times to make sure that it gets up and running, and if it can't, then it's going to time out. The next thing is we're going to create a volume here, and we're going to put that in ./database so that we can find it really easily. The ./ means I want that to be in the current folder where I am creating this Docker Compose file, so that keeps everything inside of our authentik folder, which is great. So on the left side of the colon, this is what's going to be on your host machine; so we're mapping this volume on the host to this volume that's inside the Docker container. This right side you don't want to change, but this left side you can map anywhere you want on your host machine, and what this does is it persists this data for you. That way you don't have to worry about your database getting lost whenever you restart your container or something like that; it's right here, and it's going to be in this folder called database. We're going to move down; we've got a few things here, and it's going to say "hey, Postgres password, Postgres user, Postgres DB." You'll notice it's got this kind of weird syntax over here. What this is saying is, hey, there's an env file that we're going to create, an environment variable file, and I want you to use that file to pull this information. So what's nice is we can set this up once and we can just use these variables all over the place, and it just pulls that variable in wherever it needs it. We don't have to go and make sure we made our passwords match in multiple places all up and down the Docker Compose file. All right, so it says what's the environment variable file:
.env. So we'll create that one in just a minute, and we'll go through what you need to set up there. We've got Redis, so Redis is another database that helps with caching and things like that, so again it's going to pull the redis Alpine version. It's got a little command here to say how to get it up and running, restart it unless it stops, we've got the health check, that's great, and again we're going to set this to ./redis so that we're mapping that data; we don't lose that data when we stop the container, update the container, anything like that. Everything is persisted and you can back this up really nicely, so that makes it really great. We've got the server, which is going to be the Authentik server, so here's the image we want to pull, and it says if we don't give it a specific image, here's the one that it should pull, and then it says here's the version, and if we don't give it a specific version, here's the one it's going to pull. I think the version we give it in the other file is the same as this one. It's good on these things to make sure you're not getting latest, sometimes, because they have alphas and betas that go out for testing, and if this is something you depend on you don't want this to get broken. So it's better to put the version you're using and then watch the user interface, and it'll let you know "hey, there's an update available," and you can come in and change that version and bring it down. All right, as we go down, we've got restart unless stopped. The command is server, which brings up the server, starts it running, and then you've got the Redis host, which is called redis, so this name right here is just coming from up here above where it says redis right here; so it's just referring to that section. PostgreSQL, same thing, that's right up here where it says postgresql, so it's just referring to these sections so that the server knows, like, "oh okay, I know where this is defined, I know where this is defined, I can go look at that stuff," and then here's that same
variable: Postgres user, Postgres database and Postgres password. So again, you should put these things in the actual .env file, which we'll do in just a minute. We've got a couple of volumes: we're going to store media in ./media, and we're going to store our custom temp... templates, or sorry, we're going to store our custom media in ./media and we're going to store our custom templates in ./custom-templates. So this isn't something we have to mess with right now, but it's good for you to go ahead and create these volume mappings and have the ability to back that up. And again, it says use this environment variable file. Now it's going to map some ports for us, so we can set up what ports we want for HTTP and HTTPS. It starts with 9000 and 9443; if those are open ports on your system, it's fine to leave them that way, but we'll look at it in a minute. And this depends on the PostgreSQL and the Redis system both being up and running, so it says "first I need these to get up and running and then bring this server up." That way you don't have any issues with the server not communicating with a database when it started and it has an error or something. Then we've got some workers, and it's a worker image, so this just says "hey, this helps me do some stuff and keep some of the load off the main server." Don't worry about it, just leave it like it is; there's nothing there you need to change, just keep on moving down. It's going to create some volumes, so this one that says /var/run/docker.sock, we do not want to put the ./ in front of this one; this one has to be in this location, and it just maps it to the inside of the container, which is great. This one here that says media, it's the same folder we did above; ./certs, same folder we did above; and ./custom-templates, the same one as above. So we're doing well. Here's the environment variable file we still want to use, and then again this depends on postgresql and redis, so we're going to be set. And then down here we just define those
volumes, database and redis, and we've got them. So we should be pretty much ready to go with this. There wasn't anything to really change; it was just to go through it so you knew what was here and what we're trying to set up in the environment variable file. So we're going to save this with Ctrl+O and press enter, and then we're going to press Ctrl+X to get out of the nano editor. Now we're going to do nano .env, and whenever you have a dot in the Linux system in front of a file name, it's a hidden file. So we'll open this up; let me go grab the information we want for it. I'm going to paste it in there, and I'm just going to save it real quick, and we'll come back and look at it in just a minute. But I'm going to do an ls, so you see we only see the docker-compose.yml file, but we just created this .env file. Well, that's because this is a hidden file, so if you want to see a hidden file in your system, just do ls -a, and now you can see there's docker-compose and .env right there. So we can just go back into it, nano
.env, and we're going to go through this one and kind of get it set up as well. All right, your Postgres password: this should be a really long, strong password, okay, I mean that's what you need. So we're just going to get rid of this kind of placeholder (this is what you'll have whenever I put it on the show notes), and we'll just make this something really random, something like that. Okay, it's nice and strong, very complex, hard for somebody to guess, which is great. Same thing here, so we need this to be our Authentik secret key, and then below that we've got our Authentik error reporting enabled, true, and then we've got some things we need to set up for our email. Okay, but first we're going to create this Authentik secret key, so we're just going to put this again as something really long and strong. Now some of these special characters it may not like, so we should be a little careful with them, because they may have special meanings, but I think you can put special characters in these types of things a lot of times and it's perfectly fine. But this is a nice long strong key right here; you can make it even longer if you want to. As we move down, we've got this section for our email, so if you want to set up your email provider so that you can have emails going out from your Authentik system, which I suggest, it's a very useful thing when you have an authentication system: for somebody who needs to reset their password, somebody who is registering for the first time if you allow registration, and so on. This will send them those emails to confirm that they are who they are and that they can reset things and all that. So you would put in your normal stuff; you need to know what your email information is, so in this case most of the time it's going to be something like smtp.whatever.
whatever, and then your port could be 25, 465 or 587 depending on your email provider or what email you're running. You should have a username for your email that it's going to use to send that email with, and then a nice long strong password for that user, of course. And then if you use STARTTLS, then you would put here AUTHENTIK_EMAIL__USE_TLS true; if you don't use STARTTLS then you would set it to false. If you're using SSL you would set this to true, if not, false. Your email timeout is 10; just leave that alone, you don't need to change that. And then finally, who's it coming from? So maybe it's the same email address; this makes it really easy for somebody to know, like, "hey okay, I just asked for this and it sent it to me." And then finally, where do we want the ports to be running for our server? So this is HTTP is 80 and the HTTPS compose port is 443. So we can change these; we don't have to set these up as 80 and 443, we can change these to whatever we want, but this is for that port mapping inside. So if port 80 is not free on your server, you may want to, and may need to, change this. So let's change this to 8941, and this one we'll make 4443, and we'll see how that goes. And then the AUTHENTIK_TAG is of course 2023.8.3; that's the most recent version as of the making of this video, so just be aware of that. And once we've got all of those things filled out, we're just going to do Ctrl+O and enter and Ctrl+X. The password stuff for the email, don't worry about it; we're not going to need it right now, but eventually we may need it, so it is useful to have that set up. So I'm going to go back and re-set that up, and then we'll come back and finish up getting everything up and running for Authentik. All right, now that I've got that set up, we're going to do docker compose up -d, and this command says "hey Docker, go use my compose file to bring down all of the images that I want to run as containers, start up those containers, and then run them in the background as a daemon." Now
we're going to do a second command, so we're going to put two ampersands and we're going to write docker compose logs -f so that we can see the logs as they scroll by and make sure that everything looks good. Once it comes down, you should see a lot of stuff flying by pretty quickly; it's going to get the database ready and prepared, it's going to get things up and running. We're going to kind of give it a little bit of time to get everything going; the first time especially it runs through a lot of caching and building up files. All right, so you can see here that it's done a lot of stuff, and don't worry, this is just a temporary system, so I'm going to get rid of it after we're done, but this is what you're going to see. You're going to see a lot of stuff go by, but things should be ready, so we're going to Ctrl+C out of this. Now that we've gotten out of it, we're just going to clear out the terminal there, and we want to actually go and check out what we've got in our Authentik system to make sure that it's up and running. We're going to open up our browser and we're just going to open up a new tab here, testing IP address in this case, so go to the IP address of the server where you set it up, and I'm going to go to the port that I set, which was 8941, and you should get something like this where it says "authentik" and "Welcome to authentik," and then you should have this. Now that we see that it's up and running, we actually need to go to a special URL to set up our user for the first time. So we're going to go and kind of backspace this out all the way to the port number, and we're just going to paste in this little part that says /if/flow/initial-setup/, and we're going to hit enter. It's going to say "Welcome to authentik," and it says "request has been denied." That's not good. When we go to that special URL you should get this; if you get a page that says "request denied," just refresh and see if you get this page. Sometimes you get the request denied
page first for some weird reason, but here we want to put in an email that we want to use as our default user, and then a password that's nice, long and strong is really recommended, and using a password manager like Bitwarden is highly recommended in this case as well, so make sure you do something really good like that. All right, so we've created our user, we're logged into Authentik, but really we don't want to do this through an IP address; we want to set this up to be using a reverse proxy so that we can have an actual fully qualified domain name before we go into any more of the setup here. But you've got Authentik up and running, so congratulations on that part. So we're going to go to Nginx Proxy Manager. Now if you use a different proxy host, that's fine, hopefully you know how to set that up, but we're just going to go in here, we're going to create a new proxy host. So I'm just going to say add proxy host, and I'm going to call this authentik.routemehome.org. Now I own the domain routemehome.org; I have an A record in that domain in my DNS setup that points to the public IP address that I need it to come to, so I can set this up like this and it will route to the correct place. What happens is, after I've set this up, I type in authentik.routemehome.org, it's going to go out and say "hey DNS, do you know how to get to authentik.
routemehome.org?" It's going to go, "oh yeah, here's the IP," just like it does when you type in google.com or anything else. When it hits my firewall, my firewall is going to say "hmm, oh okay, I see you're requesting something on port 80 or port 443, I know where to push that." The firewall is going to push it to this server. Nginx Proxy Manager is going to see that request that the firewall pushes through, and it's going to say "do I have this in my list of domains that I know about?" And if it does, it's going to push it to the IP address that I tell it and the port number that I tell it; if it doesn't, it's going to just give you a generic congratulations page and that's it, you can't go anywhere else. So that's kind of how the reverse proxy works, is that it reverse proxies things for you so that you can use that to push traffic around your network. So I'm going to put in the IP address here, and that was ...60, and 8941 was the port number, and I'm going to tell this to block common exploits, use WebSocket support, and then over here on the SSL tab I'm going to just tell it I'm going to request a new certificate. I want you to force SSL, I want HTTP/2 support, HSTS; we're going to check all these things, and then here's my email address, because I'm going to accept the terms of service for Let's Encrypt, because I want a good SSL certificate that's valid anywhere. I'm going to click on save. Now if I've got everything set correctly, this is going to go out and say "hey Let's Encrypt, challenge this domain, and if it's valid give me a certificate." It's going to go "okay, here's your certificate," and this popup is just going to go away on its own when that's finished. There will be no error messages, nothing like that. There we go, we are done, and now we should be able to route to authentik.
routemehome.org, and the first time it comes up, it's going to say "hey, I see that you want to log in, what's your email address?" So I'm going to put it in and I'm going to hit next, and it's going to say "failed to authenticate." Did I type it wrong? Okay, a little warning there: be careful when you set up that user, and don't log out of the session that you started with the IP address, because that saved me just now. I did not realize I typed in b-r-i-a-a-n for my name, and then I saved it, and I didn't realize that when I was trying to log in here. So I went in through the IP address and I was able to change that to the correct email address without two A's. There we go, now it's asking for my password, and if you type everything correctly it's going to let you log in, and we're back to our main page. So now we've got a reverse proxy set up, we're able to reach our Authentik instance, and we're able to actually go in and authenticate against it, which is what we want. Now once you get here, this page is kind of your homepage, I guess, is the best way to put it, and as you start adding applications you'll see them starting to show up here as applications. You can actually just log into Authentik, authenticate yourself, and then click on the application and it will send you to that application already authenticated, so you don't have to log in there. So it's kind of like if you've ever used Okta or some of those things: they line up a bunch of applications that you're using for single sign-on, and then you can just access those applications from here, which is really nice. It's a really great way to have kind of a quick way to authenticate one time and just go into the applications you want to use that day. So we're going to get that set up here in just a minute. The first setup we're going to do is what we call a proxy setup; a forward auth setup is also a way to kind of call it, because that's what we're going to do: we're going to set up something like Homepage that doesn't have its own authentication
built in, or at least not out of the box, like Dashy, Homepage, maybe a speed test or something like that that you've got, and we're going to set up an authentication here that will then stop someone from getting to your page through its public IP address unless they authenticate through Authentik. To set up a proxy or an authentication forwarder, we want to make sure that whatever service we're going to use has actually got a fully qualified domain name associated with it, so again you'd want to set that up through your reverse proxy. So in this case you can see my Homepage, and I've got an IP and I've got just a number here for the port, and it looks fine. So I set it up this way so that we can also get to it through this URL here, which is homepage.routemehome.org. So this is what I'm going to want to use and actually get set up for Authentik. So in your Authentik interface you're going to come over here and click on your Administration panel. So this is going to bring up a nice little admin dashboard for you to kind of show you what's going on in your system; it'll probably be fairly empty until you get some things set up, but getting things set up in Authentik isn't hard. Now if you want to do things with users, groups, things like that, it's all down here. There's some customization that you can do, and again Cooptonian has a really good video on how to customize your Authentik install with backgrounds and logos and things like that, so that you can replace these types of things. Really great, he's got some great stuff; I'm excited to see him keep going with that series, it's awesome. You can see different logs of events, things like that, and then you've got your application flow right here, and this is the one that we really want to look at. So I'm going to collapse the rest of these just so you don't get kind of lost on where we're at. There we go. So this authentication flow is where we want to kind of start, so you need a few things. You're
going to need an outpost, and really they have a default outpost that's already set up that you can use, and I think that's the best way to go. So if you click on Outposts you'll see this default authentik outpost; this is the one that we'll end up using. There's a couple of things here to check and make sure are set, but you'll want to just go over here, and you see this little health, it's got a nice green check. We're just going to click on edit and we're going to go in here and make sure that everything looks good, and the type is Proxy, that's fine, that's what we want to have. Everything there looks good, and we've got this integration; we don't really need to have any kind of integration set up, but we've got some options if you want to, so it's fine. One thing that I forgot we really need to do: in our outposts, we need to go here to the Outpost section, we need to edit, and down here in this section we need to pull this here and we need to change it to the actual fully qualified domain name for Authentik. So we're going to do authentik.
routemehome.org. Make sure you spell everything correctly, make sure it looks good, and then we're just going to update our outpost here, and then that should show us the actual fully qualified domain name right here underneath the outpost level. We need to have that done before we'll get everything else to function correctly, but once we've done that, we're going to go over here to our Providers first and we're going to create a provider. So we're going to click on Create, and you'll notice right here there's several different kinds of providers that they have: there's LDAP, OAuth, Proxy (this is the one we're going to use), you've also got RADIUS, SAML, SCIM and SAML from metadata. So there's a whole lot of different options here that you can pick from, but we want this one that says Proxy Provider. So we're going to tick that little box right there, or you know, put a mark in it, we're going to click next, we're going to give this a name, so in this case it's our homepage, okay. You can name this kind of whatever you want; it's just something for you to identify it by. The authentication flow that we want is the default authentication flow, and it just says "Welcome to authentik." Now these are authentication flows that you can go and change over time and rename or create your own; again, going to forward you over to Cooptonian, he talks about authentication flows and how to do that. Also Scott over at Scott talked about creating some simple authentication flows for this kind of stuff too, so just be aware you can go and check out his video on it as well, and he set it up using LXD at the time, so kind of a little different way of doing it from Docker. So we've got the authentication flow; the next thing is the authorization flow, so we're going to click on that and we're just going to say default provider authentication, explicit consent or implicit consent is kind of the choice here; we're just going to go with explicit consent. The next thing down here is this option for Proxy,
forward off single application forward off domain level so in this case we're going to do forward off single application proxy means I want to use authentic as my reverse proxy so if you're out there on the web maybe you're doing this in digital ocean cloud and you have direct access to your applications things like that and you want this really to be the proxy to get to those things instead of using something like enginex proxy manager you could use this to do that instead I'm not going to go into that it's outside the scope of this video but just know that so we're going to pick this one we're going to scroll down just a little bit here and we're going to put in the external host that's the information for that fully qualified domain name so we're going to put HTTP if you have multiple words up here my fave you see I've got spaces it puts hyphens and it keeps it all lowercase so just know you don't need to change this slug or anything just just make sure that it's it's it's Unique I guess is the best way to put it um group you don't need to do anything with the provider you're going to drop down and select the homepage provider you just made so for each kind of proxy authentication or authorization you're going to create you want to have a Prov and an application and you want to make them kind of work together and match as we go down everything else here should be good we're just going to click on Create and if we go back to look at providers you'll notice now it's got a little check box and it says hey I've got an application associated with me I know what I'm doing now we're going to move over and click on outpost again we're going to click on the edit button one more time here and you see now we've got our homepage listed here in this application section we're going to click on it to highlight it and we're just going to click on update once you do that you'll see over here that we've got homepage under the providers now this is what we want to see now we're 
going to come back over to Providers we see our provider here and you can see that we've got the provider listed we're just going to click on the provider name right here on the left and as we do that is going to bring up all the details on this providers page if we scroll down we're going to see a whole list of different types of reverse proxies that they already have information for which is really great because they've got traffic Ingress traffic composed traffic so you've got traffic for a whole bunch of different things you got enginex just all on its own you've got caddy over here all on its own and you've got engine X proxy manager as well which is really nice what you want to do is everything below that first line you can just grab and we're going to scroll down and highlight it all we're going to copy it and we're going to go back to our homepage entry in engine EXP proxy [Music] manager so we're going to go here to homepage we're just going to click on the three dots click on edit we're going to jump over here to the advanced Tab and we're going to paste this in once we've pasted that snippet of code in we want to scroll down to and actually you'll be at the bottom so you'll probably scroll up but we want to scroll up to the part that says proxy pass right here you're probably going to either have the name of the application the the fully qualified domain name for your authentic install or it might say Outpost compan it just depends but what you want to do is get rid of everything before this first slash right here and you want to replace it with the IP address your internal IP address for your authentic instance and the port number so in our case we're running that on https and we set that up to be in my case 192.168.10.0 and the port number is 4443 so I set that here I'm going to click on Save and now if I click to open up homepage we should be taken to our authentic instance and it's going to say redirecting to homepage and you're about to sign in to 
homepage because I'm already authenticated it's it knows who I am I can just click on continue and I get sent to my homepage as you can see it's set up and I can actually access some of my other services here so I could go to my cameras I could go to one of my servers um and kind of actually keep going with my workflow that I would normally use so now we've set up our proxy pass and that's how you would do that for each application that you want want to set your proxy pass up for now that's a lot to take in and a lot for you to learn but the last thing I wanted to cover is oidc because I feel like authentic makes oidc so easy and I've just been trying to wrap my head around it forever from my work perspective because we've been trying to build a single sign on system there and it's extremely complicated to do especially when you have multiple applications that all do things in a different way um and I I think you know the authentic guys who have made this happen have just done so much incredible work to make this actually very easy the proxy setup that we just did to me is a little bit convoluted because you're kind of jumping to Providers then applications then outposts then back to Providers then back to Outpost and and kind of checking things you kind of jump around a bit it'd be nice if there was more of a wizard all the way through the process to set that up but it also could depend on what workflow you're setting up as to how that process would go so I think that would make it very complicated from a development side but it would be a nice thing to see now for the oidc setup uh much easier and much cleaner so we're going to go and start the oidc setup next as I mentioned before once You' set up your proxy uh forwarder for your any for any of your different applications you'll see those start to show up here on the applications page it's really useful because again you can decide who can see which applications and once you log in you can access those different 
things from here so in this case I could just click on my homepage and it comes right up pretty pretty convenient the next thing we want to to set up is our actual oidc configuration and last week I talked about doing that for head scale and heads scale web UI it's really not that difficult and actually pretty pretty straightforward they authentic so we're going to go back to our Administration console here and we're going to add a new uh provider so we're going to go to this section here we're going to click on providers and you'll see our our one there for homepage we're just going to click on create in this case we want an oidc provider an ooth provider we're just going to click on that dot for that one and then click on next and here we're just going to give it a name so we can identify what it's for so this is going to be for head scale UI you don't have to put a dash you can put a space or whatever you want that authentication flow um is again going to be just welcome to authentic and on the authorization flow we're going to use the explicit consent here and then down here we don't really need to change anything we're just going to leave it as it is and as we move down you'll see that you've got this uh client key and this client secret you don't want to change these you just want to remember that they're here because this is where you're going to come back to to get to them after a while this is going to autofill on its own but if we need to come back and change it we can uh we shouldn't usually it works out pretty well so far out of the box everything else here we just need to leave the same so we're just going to click on finish that's going to create our oidc provider but you see we've got this warning that says hey you don't actually have anything set up for an application yet so we need to go set that up so we're going to click on applications we're going to click on Create and again we'll put in a name for it so we can identify it so we're going to 
call this head scale UI it's really H scale web UI but that's fine you can see that it creates the slug for us and then down here where we've got the group we don't need that but here we want to go on and pick our provider for head scale UI and there's really nothing else for us to set here so we should be good we're just going to click on Create and if we go back to our providers you can see here that now we've got the little check mark that says hey good job job you've got an application for your provider so I'll show you a couple of things here for your for your provider to get back to your client secret client key you just click on the edit button and they're right here we can grab them and then if you need to get the other information like URLs you click on the actual provider name itself and it'll drop you into this uh page where you can see you've got your url your issuer URL and a lot of other things that you may need for various different services and they usually ask for those things sometimes you got to kind of go look up like okay what this thing called uh on on the provider versus here sometimes the naming is different so it can you know make it a little bit trickier but hopefully most of your uh application providers tell you what Fields you need from your from your ooth creation so we're going to go over here and actually we're going to need this URL but we're going to set up our our web UI for head scale so I'm just going to click on copy because we're going to need that I'm going to go here and I'm just going to say Nano doer composed. 
yaml and we'll go down from last week where we had our heads scale web UI and you can see it right here and if you remember I had basic authentication set up so right here we've got this off type set to basic I don't want that anymore I want to make it oidc just like that we're going to come down here to the basic off fields and we're going to put a hashtag sign in place to make those comments and then we're going to come down here and remove the hashtag sign from the oidc fields and right here is that URL that we need so I'm going to pick paste that in I don't think I actually need that quote there and we're going to come back over and we need our client secret and our client key so the client ID is our client key and in this case here's your client secret field so we'll jump back over and we're going to just uh go back here to provider list and we'll click on edit for head scale UI and we're going to come here and get the client ID we'll copy that and we'll paste it and then we'll come over here and we'll put in our secret and just go back copy that and paste it and we should be set there so we're going to just save with crl o enter to confirm and contrl X to exit and now we should be able to bring up our Docker uh stuff for heads scale and that'll get our heads scale server running and the heads scale web UI and we should get our oidc stuff set up and ready uh to go so we'll give it a test out here in just a second but we're going to do Docker compose up- D and then two Docker compose logs DF just so we can watch everything as it as it get started up here um oh I didn't put a dash in front of my D sorry about that typo happen here there we go everything's coming up it's going to start setting up our oidc so you can see that it says worker sync everything looks like is running good you may see a little bit more textt the first time you try to run through this just be aware of that but it says configuring the app it's getting everything ready that's good that's 
what we want for the IDC session here so we're going to go uh back to our Firefox and I'm going to try this from uh the current window but sometimes it does give me a little bit of a a the first time it'll give you a bunch of looping once you clear the cache and everything it should start working but sometimes you just need to open up a private window to make it work the first time so we're going to go to head scale. route home.org admin so keep in mind it's SL admin whenever you're going to the Head scale web UI and it comes up to the authentic page and it's telling me hey you're already logged in and it looks like you want to authenticate to that page so we're going to click yes we'll have to see if it actually takes us over there okay no it's stuck in the loop so this is what I'm talking about so you may hit this little Loop don't don't sweat it we're just going to go over here and we're going to open up a incognito window and we'll just paste in our UI our URL there and authentic will come up now it may say authentic URI error um we're just going to try this again with continue it's going to ask us for our ID now it's going to authenticate us but sometimes that just happens it's just kind of weird I don't know why and we'll hit log in and then we'll put in our password now we've got our heads scale web UI here but it still may give us a redirect error let's just see what happens if we click on it and then if so it thinks it's just the.org admin let's try this okay so that's giv us the redirect era that's okay we're going to go in here and we're going to edit our our information to try to help it out so that's where I was talking about that URL sometimes it gets it right and sometimes you have to adjust it so go here to our provider so it seems like it's got that one correct except it's not getting https which is what we want so I'm going to put an S in there just to make sure and then we'll update that then let's go back to the homepage here there we go okay so 
it's going so now when we click on SL admin it should just take us there let's close the the window let's open up a brave browser here and try it from there because that won't have anything cached in it drag that over and we'll do head scale. route meh home.org admin takes us to authentic which is what we want then log in and then and there we go so it takes us over to head scale web UI and we've got that now protected with oidc and a single sign on solution which is really great so you can see all of the information that we've got set up from last week and and we've got everything ready to go and it recognizes us as a user in head scale webui that is authentic I hope you enjoyed this if you did like subscribe tell your friends about it so they can come along on the journey with us and I'll talk to you next [Music] time it's your open source Advocate and I'm back and I've set up a store with a little bit of merchandise I love being your open source Advocate but I want you guys to be the open source Advocates with me so if you want to get out there and get some of this stuff and if you do let me know what you think of it thank you for subscribing
Info
Channel: Awesome Open Source
Views: 50,223
Keywords: open, source, opensource, open-source, self, hosted, selfhosted, self-hosted, free, libre, software, server, web, internet, browser, linux, mac, macos, os x, windows, microsoft, unix, bsd, ios, android, pi, raspberry, desktop, vps, tutorial, how to, setup, installation, instructions, cli, network, networking, news, projects, sso, single sign on, saml, ldap, oidc, oauth, oauth2, Auth0, Active Directory, forward, proxy, reverse, authelia, authentik, authenticate, authorize, authorization, 2.0, explained, app, authenticator, mfa, two, factor, multi
Id: KlDJ4K45M_o
Length: 43min 52sec (2632 seconds)
Published: Tue Oct 24 2023