bugy · knom · Apr 23, 2025 · May 5, 2025
diff --git a/src/auth/auth_authentik_openid.py b/src/auth/auth_authentik_openid.py
@@ -0,0 +1,52 @@
+import logging
+
+from tornado import escape
+
+from auth.auth_abstract_oauth import AbstractOauthAuthenticator, _OauthUserInfo
+from model import model_helper
+
+LOGGER = logging.getLogger('script_server.GoogleOauthAuthorizer')
+
+
+# noinspection PyProtectedMember
+class AuthentikOpenidAuthenticator(AbstractOauthAuthenticator):
+    def __init__(self, params_dict):
+        authenitk_url = model_helper.read_obligatory(
+            params_dict,
+            'authenitk_url',
+            ': should contain openid url, e.g. http://localhost:9001/')
+        if not authenitk_url.endswith('/'):
+            authenitk_url = authenitk_url + '/'
+        self._authenitk_url = authenitk_url
+
+        super().__init__(authenitk_url + 'application/o/authorize/',
+                         authenitk_url + 'application/o/token/',
+                         'email openid profile',
+                         params_dict)
+
+    async def fetch_user_info(self, access_token) -> _OauthUserInfo:
+        user_future = self.http_client.fetch(
+            self._authenitk_url + 'application/o/userinfo/',
+            headers={'Authorization': 'Bearer ' + access_token})
+
+        user_response = await user_future
+
+        if not user_response:
+            raise Exception('No response during loading userinfo')
+
+        response_values = {}
+        if user_response.body:
+            response_values = escape.json_decode(user_response.body)
+
+        eager_groups = None
+        if self.group_support:
+            eager_groups = response_values.get('groups')
+            if eager_groups is None:
+                eager_groups = []
+                LOGGER.warning('Failed to load user groups. Most probably groups mapping is not enabled. '
+                               'Check the corresponding wiki section')
+
+        return _OauthUserInfo(response_values.get('preferred_username'), True, response_values, eager_groups)
+
+    async def fetch_user_groups(self, access_token):
+        raise Exception('This shouldn\'t be used, all the groups should be fetched with user info.')
diff --git a/src/model/server_conf.py b/src/model/server_conf.py
@@ -241,6 +241,9 @@ def create_authenticator(auth_object, temp_folder, process_invoker: ProcessInvok
     elif auth_type == 'keycloak_openid':
         from auth.auth_keycloak_openid import KeycloakOpenidAuthenticator
         authenticator = KeycloakOpenidAuthenticator(auth_object)
+    elif auth_type == 'authentik':
+        from auth.auth_authentik_openid import AuthentikOpenidAuthenticator
+        authenticator = AuthentikOpenidAuthenticator(auth_object)
     elif auth_type == 'htpasswd':
         from auth.auth_htpasswd import HtpasswdAuthenticator
         authenticator = HtpasswdAuthenticator(auth_object, process_invoker)

diff --git a/web-src/public/login.html b/web-src/public/login.html
@@ -67,4 +67,12 @@
     </div>
 </script>
 
-</html>
+
+<script id="login-authentik-template" type="text/template">
+    <div>
+        <input type="submit" id="login-authentik-button" class="login-button oauth-button" value="Sign in w. Authentik">
+        <div class="login-info-label"></div>
+    </div>
+</script>
+
+</html>
diff --git a/web-src/src/assets/authentik_icon.png b/web-src/src/assets/authentik_icon.png
diff --git a/web-src/src/assets/css/index.css b/web-src/src/assets/css/index.css
@@ -103,7 +103,8 @@ h6.header {
 #login-panel .login-google_oauth .login-info-label,
 #login-panel .login-azure_ad_oauth .login-info-label,
 #login-panel .login-gitlab .login-info-label,
-#login-panel .login-keycloak .login-info-label {
+#login-panel .login-keycloak .login-info-label,
+#login-panel .login-authentik .login-info-label {
     margin-top: 16px;
 }
 
@@ -166,3 +167,8 @@ h6.header {
     padding-left: 42px;
     background-image: url('../keycloak_icon.png');
 }
+
+#login-authentik-button {
+    padding-left: 50px;
+    background-image: url('../authentik_icon.png');
+}
diff --git a/web-src/src/login/login.js b/web-src/src/login/login.js
@@ -51,6 +51,8 @@ function onLoad() {
             setupAzureAdOAuth(loginContainer, config);
         } else if (config['type'] === 'keycloak_openid') {
             setupKeycloakOpenid(loginContainer, config);
+        } else if (config['type'] === 'authentik') {
+            setupAuthentikAuth(loginContainer, config);
         } else if (config['type'] === 'gitlab') {
             setupGitlabOAuth(loginContainer, config);
         } else {
@@ -106,6 +108,14 @@ function setupKeycloakOpenid(loginContainer, authConfig) {
         'login-keycloak-button')
 }
 
+function setupAuthentikAuth(loginContainer, authConfig) {
+    setupOAuth(
+        loginContainer,
+        authConfig,
+        'login-authentik-template',
+        'login-authentik-button')
+}
+
 function setupGitlabOAuth(loginContainer, authConfig) {
     setupOAuth(
         loginContainer,