Secure authentication for EVERYTHING! // Authentik

Captions
Hey everybody, this is Christian, and today I'm going to show you how I'm from now on handling the authentication for everything in my home lab. Let me introduce you to Authentik, an open-source identity provider, or shortly called IdP, that allows me to securely log into all my administrative services in my home lab like Portainer, Proxmox, and even protect web applications with a login prompt that don't have any form of user management at all. Believe me, this is so incredibly useful. With this setup I never need to log in twice anymore; I just need to sign in once to Authentik and then I'm automatically logged into everything else. And the best is, because I'm using a strong multi-factor authentication in Authentik, it is even much more secure. Of course it's well integrated into the entire rest of my home lab setup like Traefik and Docker, so I'm pretty sure if you haven't looked at secure authentication with an IdP before, this is going to change everything for you. So let me show you how I've installed and set up Authentik in my home lab and how you can do this in your environment as well.

But wait, before we start I have another very cool thing I want to show you that's going to help making our home labs much more secure. A big thanks goes out to the people at Wazuh for supporting this video. Wazuh is an open-source security platform that unifies extended detection and response with a security information and event management system to protect your endpoints and cloud workloads. I'm currently testing this on my own home lab Linux servers and it gives me an in-depth analysis of any security events that occur in my systems, for example when somebody tries to log in via SSH, and many, many more. It has a huge set of preconfigured rules and checks that constantly collect any of those events on my servers, and in the central dashboard I can drill into all of the details, set up alerts and get notified when something bad happens on my systems. And what I personally like the most right now is the
security configuration assessment that checks my server's configuration against the CIS Benchmark list, which is a set of best practices and security configuration guidelines, and this helps me so much to learn more about secure server configuration and how I can improve the overall security of my home lab services. So it is really an amazing tool. I definitely want to make a dedicated video about it at some point, but if you'd like to have a look or you want to use it within your own environment to secure and protect your devices, then check out Wazuh. I'll leave you a link in the description of this video.

Now let's get back to topic and talk about secure authentication. Okay, so first of all, as always, let us take a closer look at the official homepage goauthentik.io, where we can learn more about this application. And as you can see, this is an open-source identity provider that focuses on flexibility and versatility. It aims to replace existing directory services like Active Directory or Okta with a unified platform that simplifies the login, sign-up and recovery process for both your external users and team members in one unified identity management platform. What exactly that means we'll cover in a few minutes. So I know this can get quite complex, because Authentik is a real beast. It has tons and tons of features such as SAML 2.0, OAuth2, OpenID Connect, LDAP and RADIUS, so that means Authentik can work as your RADIUS or LDAP server, and it has a lot of features like multi-factor authentication, conditional access, it is open source and has an application proxy integrated. The only thing that it doesn't do is device authentication support, but as you can see, none of the other competitors do in a good way either, at least that's what Authentik is going to tell us. Authentik has a rich documentation about all those different provider settings, the configuration, the installation and architecture. I could just recommend to go through some of the pages, such as the architecture page, which
describes more of the core components of this platform, and also the terminology page is really interesting because it explains some of the technical concepts and terminologies that Authentik uses in their platform. And I have to be honest with you guys: at first, once I had a look at this platform, I was a bit confused about all those different terminologies and this authentication-specific jargon, such as what is an application, what is a provider, a policy, what the heck is an outpost? And I just decided to go and set it up once and try it out. So I went through a lot of trial and error until it finally clicked and I understood: okay, so this is how this platform functions. That's why I try to keep it simple in this tutorial, so you don't have to worry about all of this stuff yourself.

So let's go and let's start installing Authentik on one of my demo servers. I'm just going to open a connection to my server demo-1 where I have already installed Docker and Docker Compose. By the way, if you're not familiar with Docker and you haven't worked with this before, you definitely should check out my Patreon course about Docker. It is still work in progress, but it is entirely free for you to watch, so I will link you that in the description down below. Okay, so I'm going to create another directory which is called authentik-demo-1 and cd into this directory, and I'm just opening a remote connection to this server in Visual Studio Code, so this is how we can better work with those configuration files. So let's open the folder in here as well. Let's go back to the documentation and go to the installation page. As you can see, you can install it in many different ways, such as on Kubernetes clusters with automated install or reverse proxy integration. For me personally, I found it to be the most useful way to install it in Docker Compose and integrate it with my reverse proxy Traefik. So here we can just follow these instructions. Authentik already has a Docker Compose file
generated that you can use as a template and customize it to your needs. That's exactly what we're going to do, so I will just download this file here and upload it on my remote server. I'm just going to rename the file type and remove the version string at the beginning; we actually don't need that. As I can see, there's a lot of preconfigured stuff in here that I'm going to change and customize to my needs, so you don't have to follow all the same steps like I do. You basically can just go deploy it and it will automatically install and deploy Authentik with a self-signed certificate and expose it on the ports 9000 and 9443. However, because I've already installed Traefik as a reverse proxy on this Docker server, I'm going to integrate it, and this is also pretty useful because we later can then protect other web services that are exposed via the Traefik reverse proxy with a login prompt in Authentik, so this is then in the end all well integrated. But just so you know, you can follow a different type of setup process if you're not using Traefik or you're using something else.

Okay, so the first thing that I'm going to do is add this Docker Compose project to my networks that I'm using. So on this Docker server I already have a frontend network, so I'm going to add this to the file, and a backend network, so we can attach the Docker containers to those two networks here. The Docker Compose consists of four different services: the server component, the worker component and two database components. The Redis database is a fast cache database, and the PostgreSQL database is a database that actually contains the data about the users, the configuration and so on. And I'm also adding the worker component to the backend, but the user-facing application, so that actually exposes the dashboard of Authentik, I'm going to add to the frontend network as well. Okay, so all of these containers should be connected to the same network backend, and the front
end network should be connected with the Traefik reverse proxy. And now I'm also going to add a container name, because I just like my containers to have names in the same style, so I'm just going to give it the name of the project, postgresql for example, and I'm going to copy this and do the same for redis, for the server and for the worker process as well. Now that we have this, I want to manage the environment variables in a slightly different way, because I just don't like this formatting in this style, and I want to have all those environment variables later in one .env file that only contains the necessary credentials and not too much other information. As you can see, they use a bunch of different environment variables for the image name or the image tagging, so I'm going to remove all of this here. First of all, I'm going to add a different formatting to the environment variables. You can use any format that you like, so you don't have to use my formatting style, but I just feel much more comfortable with this one here, and I'm just going to rename the environment variables exactly the same as they are passed through in the container, so I think this is much more readable. And then we can start formatting the server environment variables as well. Note those double underscores here; these are really important, just refer to the official documentation, so it is important that you keep it this way. And we also need to define two more variables here. According to the documentation you can enable the error reporting by setting this environment variable, so we are also going to do that, and we're also going to need one more environment variable for the Authentik secret key. So this is a secret key that is used to encrypt the database; you need to make sure that this is not exposed in any way, so this is really, really important. Now we can basically copy those variables here and set them for the worker process as well. We don't need
those comments here, and the env_file statement we can also remove. So I'm also going to modify or remove the environment variables from the image tag. We will use a pinned tagged version, which is always the recommended way: so don't use just the latest tag, use one specific version, and then I do those updates manually. The server and the worker process are, by the way, using the same Docker image, so don't be confused by this, but it's actually started with a different command: so one command for starting the worker process and another command for starting the server. All okay, perfect. So I think we can create the .env file that contains all the secrets. Remember we just had the environment variables for the database configuration, such as the database name, the user and a secure password, which ideally should not be test test test, but I'm just doing a demo here, so I'll be fine, right? And we also need the Authentik secret key, and to generate the secret key we'll have to go back to the documentation, and as you can see you can use this command here, the openssl command, to generate a new random key. So that's what I'm going to do right now: copy this secret (of course, as I said, don't expose this one) and paste it in here as well. Okay, great, so now we have the .env file that contains the secrets and the Docker Compose file. One thing that might be worth noting is, if you want to have an email configuration, it is optional but it is of course recommended; you can also set those environment variables and set them on your server and worker process to send error notifications or configure email credentials and all those types of things. I'm not going to do it in this demo here right now, but yeah, if you're using this in a production environment you definitely should configure this.

Okay, great, so now we could basically just start and use it with the integrated proxy service of Authentik, but as I said in the beginning, I want to integrate Authentik into my existing reverse proxy set
up with Traefik. If you're new to Traefik and you don't know what this is about and how to install and set it up on Docker or on Kubernetes, of course I've made tutorials about this, so I'm going to link you that in the description as well. So go check out Traefik, it's really a great reverse proxy that works perfectly together with Docker and also Kubernetes, so it's definitely my favorite application. And because this is already running here, we want to expose the Authentik services, so the web service, via the Traefik labels and not directly through the ports, because if you're using Traefik you can make sure that you're protecting the Authentik services or web services with a trusted SSL certificate that is managed in the Traefik reverse proxy, and you don't have to use the Authentik self-signed certificate. Okay, so we don't need to expose these ports anymore. Instead we want to add the labels for Traefik, so I'm going to add another section here that is called labels, and this first one will enable Traefik to look for this container and try to expose it. I'm going to copy some of the labels that I've prepared, but basically what this is about: it will create a new router for this domain here, so this is the Authentik URL (I'm going to change the evaluation of course to demo, right), but then Authentik will be exposed on this subdomain here on my server demo-1. It will use a trusted TLS connection, it will try to issue a new certificate using my Cloudflare certificate resolver, and it is also important that you have to configure the service port, so the internal service port of the web service. Remember this was using port 9000, so we have to configure this as well so the Traefik reverse proxy knows what server it should connect to. That should be all, so now we can start running the server. And of course you can go into the project directory here, you can do a docker compose up -d in the background and so on, but I'll do it in VS Code, I think this is the
most simple way to do it on a remote server. So just fire up the docker compose up command. As you can see, it's now pulling down the latest image for the Authentik pinned tag version that we have configured here, so the version 2024.2.2. This is currently running the deployment process, or the initial deployment process, of Authentik, so it starts creating some database entries and so on. Of course that might take a few minutes, so it's tea time. Okay, perfect, so the server deployment has been completed. So let's check if everything was successful. Let's open the subdomain that I've configured in Traefik, authentik-demo-1.server-demo-1.home.c.de, and yep, so it all worked. Whoa, first try, it did work, so I'm a little proud of myself, yeah.

And now we can start logging in. So Authentik by default does not have any default password; it only has a default administrative user which is called akadmin. To start the initial setup we have to navigate to this URL here, so we have to use the server IP or hostname. The port we don't need because we have exposed it on the 443 port using Traefik. And now we have to set an admin email address, so this is always required; I'm just adding my business address in here, and use a strong password for the default administrator account. There is no configuration in here, of course we haven't configured any application or so, but if you would log in with a user to Authentik you would see all the different applications, so later you will see my Proxmox server, my Portainer web interface and so on in here. And if you want to switch to the admin interface, click here; this will take you to the administrator login account. There you can see all the different statistics, like the synchronization status, if all services are online, you can also see the logins or authorizations, if there are any failed logins or successful logins to one of those services here, and on the left side you will find the menu for configuring the applications, the providers,
the outposts. Again, look at the terminology page if you don't understand one of those things here, but anyway, I will walk you through the process. After doing the initial setup there are a few things recommended by Authentik to secure the platform, and of course I don't want to use the akadmin account for my regular user account. As you can see, it has this default username and you cannot really change it. What I want to do is, I want to keep it like the default admin, but I want to create a new user for myself that I want to protect with a multi-factor authentication, and I'll make this the new administrator account. And how you can do this, how you can create new users: you just go to the directory tab here. By the way, you can also set up the groups, the roles, the permissions and all of this stuff in this menu here; I'm not going through all of the details here, so I'm focusing more on the initial setup that you're going to need. So I'm going to add my username in here. What is the user type? It is an internal user or external user, service account, whatsoever. I'm also going to give it my business email address in here, of course the user is active, and it's in this default path users, so that should be fine. Let's create it. Specify a password here: so let's click on this user, set a password. So I'm going to click on this user here, click on groups, and now we can add it to an existing group, which is the Authentik administrators group, so this will make my new user account the administrator for Authentik. Okay, great, now that we have this we can set up a strong multi-factor authentication for this user. So let's log out and log in with my new username and password. As you can see, it automatically fetches my avatar icon from Gravatar, so that's also pretty cool; you have to set up the email address for this and configure your avatar in the Gravatar service. And now in this user interface in here, when we go to this settings menu, there we can now set up multi-factor
authentication devices, and then you can enroll WebAuthn devices, so if you want to use passwordless authentication with passkeys or a hardware token or anything like this, or a TOTP or one-time password device, which is pretty useful. So you have to scan this QR code with an authenticator device such as your phone, use Google Authenticator, Microsoft Authenticator or whatever is your favorite authentication service, and then enter the one-time password code from your phone, click on continue, and then your multi-factor authentication device is now configured. Let's log in again with my username or my email address, and now it prompts us to use one of our multi-factor authentication devices, the hardware token or the traditional authenticator, so let's enter this, and now we are successfully logged in. So what is also recommended: let's go to the admin interface and go back into the directory service. As you can see, we now have our new user and still the default akadmin user, which we actually don't need anymore, so it's definitely recommended to deactivate this user so that no one is able to log in with this default admin user that might not have a second factor. Okay, amazing, so we now have set up Authentik, we have exposed it using trusted TLS certificates in the Traefik reverse proxy, and we also created another user with a strong multi-factor authentication.

So now that we have this central user management platform, we can now start connecting all those different services in my home lab to enable a secure authentication against Authentik. What type of services you want to connect with Authentik is of course very much depending on your own personal setup and requirements, so you might have different systems and platforms than I have. If you want to find out what exactly you can connect with Authentik, just go to integrations. So here you will find a list of applications that are known to work with Authentik. However, of course, because all those protocols are
standardized, like OAuth, OpenID Connect, LDAP and so on, you could connect actually basically any service and platform that supports one of those providers you can configure in Authentik, so there are basically thousands of applications that might work with it. However, in this list you can very easily find out what type of support level those applications might have. For example, if you go to hypervisors and orchestrators, you can find Rancher in here, which is an enterprise platform for managing Kubernetes environments, and this has a support level of authentik, so it's officially supported by Authentik. Others might have a community-level support, such as Portainer and Proxmox, and I want to show you those two examples because they use two different types of protocols you have to configure in Authentik, and I also found it to be the most simple and useful for me personally in my home lab. As you might know, I'm using Proxmox to run all my virtual machines and Portainer to manage my Docker containers, but just go through this list here, you will find many, many more, just like Grafana (we have covered it in a video before), Uptime Kuma (I also made a video about it), Zabbix (I know this is still on my list, I have to do a video about it someday; I'll probably do this, it's not in the near future, but at some point I'll probably take a look at this as well). So yeah, just go through it, you will find so many, many cool services that are supported in here.

So for example, I'm running a Portainer web server on the exact same server where I can manage my containers, but of course I always have to log in with a separate username and password to get access to the Portainer web interface. So let's start connecting Portainer to my Authentik platform. Basically you just have to follow this documentation here for any service that you want to connect, but let us run through this together, right? So let's first of all go to Authentik and open the applications tab and go to providers. We always need one provider and one
application to connect a separate service with the Authentik platform, and we'll start with creating another one in here. So now we can select what type of provider we want to connect; that is now very much depending on the other application that you want to connect, if it's using LDAP authentication, if it's using OAuth or OpenID, proxy, RADIUS, whatever. As you can see in the documentation, Portainer is using the OAuth/OpenID provider, so we're going to select this one here and click on next. So now we need to give it a name, such as portainer-demo-1; I'll just call it the same like the subdomain, so I can always better remember what type of server, so what is the actual application interface. And in the authorization flow we now can select two separate options here: we can use the explicit consent or the implicit consent. So the consent means that when you are successfully logged in using Authentik to the Portainer platform, you have to click on consent so that it redirects you to the actual application. If you're choosing implicit, this consent is automatically done, you don't need to do that all the time; with explicit, you always have to give your consent to authorize the other application. So I'm using explicit to show you the consent prompt that shows up. Now it's important that you have these protocol settings here, like the client type, the client ID, the client secret, which signing key (of course it's using the self-signed certificate); you can also configure advanced protocol settings like for how long the access token is valid and so on, so usually you don't need to change those types of things here. Following this documentation, you have to copy the client ID and save it for later, and the client secret as well, and the redirect URIs you have to specify in here. So let's do that. I'm just copying this here (by the way, this is not like a one-time password, you can always look it up later if you like), and here in the redirect URIs we have
to use this one here, so the URL where it should redirect us to, and let's click on finish. So now that we have the provider, we now would need to create an application, but according to the documentation we first need to log in to Portainer and go to settings, authentication, and now we can choose an authentication method other than internal, so that means like internal user management in Portainer, and select OAuth and also use single sign-on. What you can also, or what you should also, enable is automatic user provisioning. So when you enable this here, that means that a user in Portainer is automatically created when you logged in successfully to Authentik. If you don't want this, so if you still want to create the users manually in Portainer, you need to disable this, but it is actually one of the whole reasons why I'm using this system, so I definitely don't want to provision the users myself, so let's enable this. And now, because those other features are all business features, we have a custom provider, of course, which is Authentik, and here are the settings where you have to put in the client ID and secret that I just copied. So this is the client ID, this is the secret, and now we need to go back to the documentation. It actually tells us exactly what we need to fill in; of course you need to replace authentik.company with the fully qualified domain name of Authentik. So for example, let's do that once together for the authorization URL, and we have to replace this here with authentik-demo-1.server-demo-1.home.c.de
and basically do the same for all the other entries. So here we need to pay attention, actually, because this URL, if you go to the documentation, uses the name portainer, so this is the name of the application, so that has to match the name that we give to this application later. So you can use portainer; if you're using a different name, you need to make sure that you're using this different name in the URL in here, so in my case, for example, portainer-demo-1, yeah. And also the user identifier now can be the username or the email address, so depending on what you want, you can select username; I'm preferring the username in here and not the email address. Okay, let's just add the scopes, you should not forget those, and then let's click on save settings. All right, perfect, so these are all the settings required in Portainer. We now need to follow step three, which is create an application which uses this provider. So again, every provider in Authentik needs to have an application as well, so let's go to applications, click on create. Remember, I've used the name portainer-demo-1 and I'm using the same slug in here. Now we need to select a provider, which is our OAuth provider portainer-demo-1, and that's basically everything we need, so let's click on create. Okay, so now that we have the application and the provider, if we now go to the user interface you should see a new application in here which is called portainer-demo-1. So in the settings of the application you could also change the icon, the name and those types of things, but if we click on that it will take us to the Portainer page, and now we have a new button which is called login with OAuth. So we still could use the internal authentication with admin user and password, but of course we want to use our user configured in Authentik. So let's click on login with OAuth, and as you can see this is the consent that I meant with the explicit consent we have configured; if you've used implicit consent, it should automatically redirect you to this application. So let's click on
continue and now it's logging us in to Portainer. Awesome, so that's everything. As you can see, we don't see anything here in Portainer right now because we are not logged in with the admin user anymore; we are logged in now with my Authentik user, and this Authentik user of course doesn't have any administrative privileges in Portainer automatically. So this is what you always have to do on the separate system: of course you have to configure the permissions or the privileges on the separate system for those users that Authentik has automatically created. So we need to log out once more, log back into portainer-demo-1 and use the internal authentication again, log in, and if we now go to users you can see that there is a new user created, so it's using the user identifier; if you have configured the email address in here, you should see your new user with your email address instead of the username. By the way, you also see the authentication is not internal, instead it's OAuth, and now we can click on the user and make it an administrator as well. So now let's log out and log in again with OAuth. By the way, I just want to show you what happens when you log out from Authentik, yeah. So now we are not logged into Authentik anymore, and if I now would go and open the Portainer web interface, login with OAuth, it would first prompt us to securely authenticate to Authentik first before it redirects us to the Portainer admin interface. So let's do that; I also need to authenticate with my multi-factor authentication, of course, and only then I'm automatically logged in and redirected to Portainer.

Okay, so let's do another example. I want to show you how to connect Proxmox to Authentik, because again, in Proxmox I have to log in with a separate user with a separate password. So let's also connect those two platforms; just follow the same documentation again, just like with Portainer. We need to go to Authentik and create another provider in the applications, providers tab, so let's create this one. We select the same provider just like with
Portainer, OAuth2/OpenID, and here is all of the confidential information like client ID, secret and so on. I just need to add the redirect URL, so in this case it is this URL here; note the absence of the trailing slash here, and that you need to include the port number as well, because the Proxmox interface is using a different port than any web interface here. So now we need to go to Proxmox and set up those types of things here. You can do it in the UI, you could also execute this command here in the CLI of Proxmox, but of course I'm using the UI, it's simpler. So you have to go to Datacenter and then go to Realms under the Permissions tab and add a new realm, choosing the OpenID Connect Server. So I'm just going to use the same fully qualified domain name and again the application proxmox, here in my case I will name it prx-production-2. So the realm you can set to any name, I'll just set it to authentik, and paste in the client ID from the provider settings and the same for the client secret. Now the username claim you can set to the username or to the email address, again the same just like with Portainer. You can also make it the default so that it automatically selects this in the login screen of Proxmox. Ah, I forgot to add this here, the autocreate users; of course we need to enable this, otherwise the new user which is authenticated in Authentik is not created on Proxmox. And again we need an application, so let's go prx-production-2, the slug is the same, and now we want to select our Proxmox provider, and that's it. Okay, so let's hope this will work. Go to the user interface and go to Proxmox, now select the realm authentik, login with OpenID Connect. Again, same thing as with Portainer, we don't have any permissions in Proxmox, so we need to log out and log in again with our administrative user and go to Datacenter again and now click on the Permissions tab. Now we can add permissions for the user, so you should find it in here. So let's just click the root path, and now you
should have the username @ and then the name of the realm, in our case authentik, and we just give it the role Administrator, propagate, click on Add. And now when we log out again, log in using OpenID Connect, and now you can see I'm logged in with my Authentik user, but I now have access to any administrative privileges on my Proxmox server. Honestly, I think this is really amazing. I can now simplify the login procedure on basically any administrative web service in my home lab.

I'm just going to show you one more thing, because I promised you in the beginning to show you how to protect any web application that you expose using a reverse proxy like Traefik with an Authentik login, even though the application doesn't have any form of user management at all. And I know the video is already pretty long, as you can see I'm really exhausted, my tea is already empty, but I'm going to show you that as well because I think this is really cool. So let's do one more example. Let's assume I want to protect a simple web application, just like this Nginx web server, with a login prompt using my Authentik provider. Of course this static web page doesn't have any form of user management at all, so it doesn't support OAuth or OpenID, but I still can protect it when it's using the same reverse proxy on the same server where Authentik is running (now, this has to be the same server). As you can see, Authentik comes with its own proxy provider, but you can also integrate other ones using the forward authentication. So the way how this works is: when the user does the initial request to the reverse proxy, the reverse proxy first checks if the user is authenticated. If it is not, it will redirect it to the Authentik login page, and only if the user is successfully authenticated it will forward the initial request to the actual service and send the response back to the user's device. You can use the forward authentication with, yeah, all types of reverse proxies that support forward auth, such as the
engine X web server so this will also work with engine X and also engine X proxy manager by the way traffic which is my favorite reverse proxy I probably told you a couple of times there but I can't tell you enough and also KY I know many many uh people in our community love KY for whatever reason yeah maybe one day you'll convince me but for now I'm still in the traffic fan team so I'm going to use this there are a couple of steps involved that you have to do you have to configure a middleware and you have to configure your web app that you are exposing using traffic to use this middleware so that it's actually redirected to the authentic platform so let's go back to my visual studio code instance so I'm not going to need this here anymore so here I'm running the docker compos file for this enginex web server you can see this is exposed using the enginex evaluation one uh subdomain on the server demo one so these are the traffic labels and there's also the traffic reverse proxy running this is uh this year in the traffic configuration file I have added a new file provider to watch the directory Etc traffic slon which is located on the host in this directory so any yl configuration file for traffic such as this heads. 
yaml will automatically be loaded into the dynamic config of traffic and this is exactly where we can put the example configuration for the middleware in so let's just paste it we just need to change one thing and it is the address for The Outpost and this has to match the internal uh container name of the authentic server so that's also the reason why in the authentic Docker compost file I've configured the server with the container name authentic demo one server because we canot just copy this name and paste it as the server address so that's also important you have to put the traffic reverse proxy in the same Docker network no we can just go to the the uh reverse proxy and add a new label in here which is traffic router middleware and set it to authentic so this name needs to match the name of the middleware you have configured here of course we need to take the engine X web server down and restart it so that the new label is attached to the container but we also have to go into authentic because if we refresh the page you can see this is not working so we have to go into authentic once more go to the admin page and first create a new provider for it so let's click on Create and now we are not using the or open ID provider we are using the proxy provider so we're giving it a name engine X evaluation one the authentication flow is explicit and we're using the forbo authentication for a single application the external host is the URL of the web server of course and that's it for the provider settings so now we need to go into the application create an application for it just like with all of the other providers select the provider in our case proy provider and let's click on create one more thing to do we have to go to Outpost and go to the authentic embedded Outpost click on edit and select our enginex evaluation application to be picked up by the embedded Outpost click on update okay so now let us open a new private window where I'm not logged into authentic and 
do another web request to the engine X web server as you can see this automatically redirects us to the login page of authentic so we first of all need to successfully authenticate to authentic and log in with our one-time password to get access to the actual website of engine X so this is so amazing and with this way you can really protect any form of website or web page with a secure login prompt no matter if it has a user Authentication service or not I really like this so much okay guys so this is everything I wanted to show you today this is how you can simplify and centralize the authentication process in your entire home lab of course there are so many other open questions I have for example what about elop and how can I authenticate other elop services like tress or my softw XG firewall using authentic or how do I deploy authentic to kubernetes and connect my other traffic deployments all these questions I'm currently trying to figure out out and of course you can be sure I'm making a follow-up video on this and please don't forget to hit the like button and subscribe if you're up for future episodes about authentic or about HB or any other Tech topics for it professionals a big Thanks goes out to all my supporters on patreon you guys are really amazing and thanks everyone for watching I'll catch you in the next episode take care bye-bye
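The Traefik forward-auth setup described in the transcript, written out as an added example (these are not the video's own files or Authentik's project files). The first document is a dynamic configuration file for Traefik's file provider: it declares the `authentik` forwardAuth middleware pointing at the embedded outpost, and a router that sends the outpost's own `/outpost.goauthentik.io/` paths on the protected app's hostname back to Authentik, which single-application forward auth needs for its login start and callback. The second document shows the Docker Compose labels on the protected NGINX service. The hostname `nginx-evaluation-1.example.com`, the placeholder `<authentik-server-container>`, the entrypoint `websecure`, the certificate resolver `letsencrypt` and the network name `proxy` are assumptions.

```yaml
# Added example, not from the video. Document 1: Traefik dynamic config for the
# file provider (e.g. saved as authentik.yaml in the watched directory).
# Assumed names: host nginx-evaluation-1.example.com, Authentik server container
# <authentik-server-container> (shares a Docker network with Traefik),
# entrypoint websecure, cert resolver letsencrypt.
http:
  middlewares:
    authentik:
      forwardAuth:
        # Embedded outpost endpoint for Traefik; the host part is the Authentik
        # server's container name, exactly as the transcript describes.
        address: http://<authentik-server-container>:9000/outpost.goauthentik.io/auth/traefik
        trustForwardHeader: true
        # Identity headers Authentik attaches to the forwarded request. A backend
        # may trust them only if it is reachable solely through Traefik.
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version

  routers:
    # Single-application mode: the outpost serves its login redirect and
    # callback under /outpost.goauthentik.io/ on the app's own hostname, so
    # that prefix must reach Authentik, not the NGINX container.
    authentik-outpost:
      rule: "Host(`nginx-evaluation-1.example.com`) && PathPrefix(`/outpost.goauthentik.io/`)"
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
      service: authentik

  services:
    authentik:
      loadBalancer:
        servers:
          - url: http://<authentik-server-container>:9000

---
# Document 2: Docker Compose labels on the protected NGINX service.
# The middleware lives in the file provider, so the label must reference it as
# "authentik@file"; a bare "authentik" only resolves inside the Docker provider
# and the router would fail to load, leaving the site unreachable rather than
# unprotected. No "ports:" entry: publishing the container port would let a
# client bypass Traefik and the login prompt entirely.
services:
  nginx:
    image: nginx:alpine
    container_name: nginx-evaluation-1
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.nginx-evaluation-1.rule=Host(`nginx-evaluation-1.example.com`)
      - traefik.http.routers.nginx-evaluation-1.entrypoints=websecure
      - traefik.http.routers.nginx-evaluation-1.tls.certresolver=letsencrypt
      - traefik.http.routers.nginx-evaluation-1.middlewares=authentik@file
networks:
  proxy:
    external: true
```

To check the result, request the site from a browser session with no Authentik cookie: the first response should be a redirect into the Authentik flow, and only after the one-time password step should the NGINX page load. If the page loads without a redirect, verify that the `@file` suffix is present and that the container does not publish its port directly.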
Info
Channel: Christian Lempa
Views: 129,179
Id: N5unsATNpJk
Length: 39min 49sec (2389 seconds)
Published: Thu Mar 21 2024