# https://github.com/brokenscripts/authentik_traefik

Setup
-----
# It is strongly recommended to follow excellent instructions at https://github.com/brokenscripts/authentik_traefik/blob/traefik3/README.md which include illustrations / screen dumps.
# The following is an attempted text representation of the same instructions.
# Navigate to Authentik at https://authentik.sthome.org/if/flow/initial-setup/
# At first login, set the email and password for akadmin (default user)
# Change akadmin username to preferred username:
# Go to Admin Interface -> Directory -> Users -> Edit (pencil icon under Actions in akadmin row)
# Change username (and email if needed), then click on Update
#
# Domain Wide / Catch All (forwardAuth) using the Wizard
# ======================================================
# For each app that will use authentik, edit the traefik labels in its compose.yml by adding the following lines:
      ## attach AUTHENTIK forwardauth middlewares to router; comment out if not using authentik
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=forwardAuth-authentik@file"
# NB! The "${APPLICATION_NAME}-secure-rtr" part is the name of the router; modify it if needed
# The online instructions use "whoami-individual" service as an example. This service is in the authentik compose.yml file and has this line already present.
#
# Wizard: create application with provider
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Navigate to Applications -> Applications -> "Create with Wizard"
# Wizard Page 1 - "Application Details"
#  Name: Domain Wide Forward Auth Catch All
#  Slug: domain-wide-forward-auth-catch-all
#  Group: <leave empty>
#  Policy Engine Mode: any
#  UI Settings:
#    Launch URL: <leave empty>
#    Do NOT put anything in the Launch URL, it needs to autodetect since it's the catch all rule
#    Open in new tab: <unselected>
# Click Next
# Wizard Page 2 - "Provider Type"
#  Click on "Forward Auth (Domain Level)"
# Click Next
# Wizard Page 3 - "Provider Configuration"
#  Name: Provider for Domain Wide Forward Auth Catch All
#  Authentication Flow: <leave empty>
#      This is user choice; the author recommends getting the basics setup and THEN modifying authentication flow for the catch all
#  Authorization Flow: default-provider-authorization-explicit-consent (Authorize Application)
#      Explicit requires user interaction aka clicking a button to continue versus implicit which is just trust
#  External Host: https://authentik.domain.tld
#  Cookie Domain: domain.tld
#  Token Validity: hours=24
# Click Submit
# Click Close
#
# Embedded Outpost (Domain Wide)
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Navigate to the Applications -> Outposts
# Notice that there are nothing in the Providers column in authentik Embedded Outpost row
# Click on Edit (pencil icon under Actions in authentik Embedded Outpost row)
# Select "Domain Wide Forward Auth Catch All" in "Available Applications"
# Click on ">" in order to have the "Domain Wide Forward Auth Catch All" in Selected Applications
# Click Update
# Notice the added provider in the Providers column in authentik Embedded Outpost row
#
# Domain Wide / Catch All Test/Validation
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Using browser, go to whoami-catchall.domain.tld; it should redirect you to Authentik to login
# Sign in with your username or email address initially created. After inputting username & password, it should show you the "Redirecting" screen prior to actual redirection
#
# Individual Application (forwardAuth) manual
# ===========================================
# Provider Creation (Individual Application) - Manual
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# In the Admin Interface, go to: Applications -> Providers -> Create
# Select "Proxy Provider"
# Click Next
# On "new Provider" screen enter:
#  Name: whoami-individual provider
#  Authentication Flow: <leave empty>
#      This is user choice, the author recommends getting the basics setup and THEN modifying authentication flow for the catch all
#  Authorization Flow: default-provider-authorization-explicit-consent (Authorize Application)
#  Type: Forward auth (single application)
#  Single Application is where we change it up!
#  External Host: https://whoami-individual.domain.tld
#  Token Validity: hours=24
# Click Finish
# After hitting Finish it will warn that it's not bound to an Application
#
# Application Creation (Individual Application) - Manual
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# In the Admin Interface, go to Applications -> Applications -> Create
# On the "Create Application" screen enter:
#  Name: whoami-individual application
#  Slug: whoami-individual-application
#  Group: <leave empty>
#  Provider: whoami-individual provider
#      This is where you bind it to the previously created provider!
#  Backchannel Providers: <leave empty>
#  Policy Engine Mode: any
#  UI Settings
#    Launch URL: https://whoami-individual.domain.tld
#        Since this is an individual application, specify where it is found at
# Click Create
# After hitting Create it will show that it is now bound to the previously created provider
#
# Embedded Outpost (Individual Application)
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Navigate to Applications -> Outposts 
# Click on Edit (pencil icon under Actions in authentik Embedded Outpost row)
# Notice that it still has only the Domain Wide Forward Auth Catch All rule in Selected Applications
# Select any application you want the outpost to be able to provide for. In this case Select whoami-individual application in "Available Applications"
# Click on ">" 
# Click Update
# Now both the domain wide (catch all) and the individual application are bound to this outpost.
#
# Individual Application Test/Validation
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Using browser, go to whoami-individual.domain.tld; it should redirect you to Authentik to login
# Sign in with your username or email address initially created. After inputting username & password, it should show you the "Redirecting" screen prior to actual redirection
#
# New User Creation
# =================
# Inside the Admin Interface navigate to Directory -> Users -> Create
# On "Create User" screen enter:
#  Username: admin
#  Name: Administrator
#  User type: internal
#  Email: admin@domain.tld
#  Is active: <checked>
#  Path: users
# Click Create
#
# Add user to Administrator/Superuser Group
# =========================================
# Inside the Admin Interface navigate to Directory -> Groups 
# Left click/Open authentik Admins
# Go to Users tab
# Click "Add existing user"
# Click + and add user
#
# Change user password
# ====================
# Inside the Admin Interface navigate to Directory -> Users
# Left click/Open the specific user
# Click "Set password"
#
# Setting up Gitea to use Authentik
# =================================
# Skip the following section if you want to use an existing / default authorization flow
# Creating custom Authorization flow for gitea
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Inside the Admin Interface navigate to Flows and Stages -> Flows
# Click Create
#   Name: sthome-application-authorization
#   Title: Redirecting to %(app)s
#   Slug: <leave as-is / use prefilled value>
#   Designation: Authorization
#   Authentication: Require authentication
#   Behavior Settings:
#     Compatilibity mode: <select>
#     Denied action: MEASSAGE_CONTINUE
#     Policy engine mode: any
# Click Create
#
# Creating Gitea provider and application
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# refer: https://docs.goauthentik.io/integrations/services/gitea/
#
# Step 1: create gitea Provider
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Inside the Admin Interface navigate to Applications -> Providers
# Click Create
# In "New provider" screen, select "OAuth2/OpenID Provider"
#  Click Next
#  Name: gitea
#  Authentication Flow: <leave empty for now>
#  Authorization Flow: default-provider-authorization-explicit-consent (Authorize Application)
#  Protocol settings:
#    Client type: Confidential
#    Client ID: <leave as-is> PdTOme1WrQtgWQYa8fIfiedMyWBVKc9pqMz3qUa2
#    Client Secret: <leave as-is> CNKd9D8AYvhDxzy4YKnU7hJoIHKgX3ADnmY5t6CtkVo2lseEwrnFLUSedZdmL55XECos7KpERlZ4S5GVUhbh2qG15DzbbYXuN9hv2sntsxWkQgRt7auCOJCJ7o8vxErI
#    Redirect URIs: https://gitea.sthome.org/user/oauth2/authentik/callback
#    Signing Key: Select any available key
#  NB! Take note of the Client ID and Client Secret, you'll need to give them to Gitea in Step 3.
#  Click Finish
#
# Step 2: create gitea Application
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# In the Admin Interface, go to Applications -> Applications -> Create
# On the "Create Application" screen enter:
#  Name: gitea
#  Slug: gitea-slug
#  Group: <leave empty>
#  Provider: gitea
#      This is where you bind it to the previously created provider!
#  Backchannel Providers: <leave empty>
#  Policy Engine Mode: any
#  UI Settings
#    Launch URL: https://gitea.sthome.org
#            If left empty, authentik will derive from gitea OpenID Connect Auto Discovery URL and add the port no (9000)
# Click Create
#
# Step 3: Configuring gitea to use authentik
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Browse to the Authentication Sources page at https://gitea.sthome.org/admin/auths 
# Click "Add Authentication Source"
# Change the following fields:
#   Authentication Type: OAuth2
#   Authentication Name: authentik
#   OAuth2 Provider: OpenID Connect
#   Client ID (Key): <as noted Step 1>
#   Client Secret:  <as noted Step 1>
#   Icon URL: https://authentik.sthome.org/static/dist/assets/icons/icon.svg
#   OpenID Connect Auto Discovery URL: https://authentik.sthome.org/application/o/gitea-slug/.well-known/openid-configuration
#          If authentik and gitea is on the same internal network behind a reverse proxy, e.g. traefik, and are accessed (browsed to) from outside of this internal network then this OIDC Auto Discovery URL should be accessible externally and internally. The consequence is that the internal DNS should resolve to the external traefik entrypoint (port 443) with traefik routing it to authentik port 9000. (Otherwise accessing authentik on the internal network will require the OIDC Auto Discovery URL to include port 9000, which will cause the redirect to authentik (from external network) to fail.) Refer to: https://www.reddit.com/r/Authentik/comments/1ggimab/authentik_with_traefik_in_docker/
#   Additional Scopes: email profile
#   Click "Add Authentication Source"
# Your Gitea login page should now have a Sign in With followed by the authentik logo which you can click on to sign-in to Gitea with Authentik creds.
# 
# Step 4 (optional Claims for authorization management)
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# This step is optional and shows how to set claims to control the permissions of users in gitea by adding them to groups.
#
# Define Groups:
# The following groups will be used:
#    - gituser for normal Gitea users.
#    - gitadmin for Gitea users with administrative permissions.
#    - gitrestricted for restricted Gitea users.
# Users who are in none of these groups will not be able to log in to gitea.
#
# In the authentik Admin Interface, go to Directory -> Groups -> Create
#   Name: gituser
#   Leave other settings untouched.
#   Click Create
#   Repeat for gitadmin and gitrestricted
# You can add Members to the groups now or anytime later.
# 
# Adding user to a group (from the User screen):
# In the authentik Admin Interface, go to Directory -> Users
# Select the user (click on the listed Name)
#   Click the "Groups" tab at the top
#   Click "Add to existing group"
#   Click on "+" and select the desired groups
#   Click "Add" twice
#
# Adding user to a group (from the Group screen):
# In the authentik Admin Interface, go to Directory -> Groups
# Select the group (click on the listed Name)
#   Click the "Users" tab at the top
#   Click "Add to existing user"
#   Click on "+" and select the desired user
#   Click "Add" twice

# Create Custom Property Mapping:
# In the authentik Admin Interface, go to Customization -> Property Mappings -> Create
# On "New property mapping" screen, "Select Type" tab,
# Select Scope Mapping, click Next
# On "Create Scope Mapping" tab, enter:
#    Name: authentik gitea OAuth Mapping: OpenID 'gitea'
#    Scope name: gitea 
#    Description: <leave empty>
#    Expression: enter the following text lines between --- snip ---:
# --- snip ---
gitea_claims = {}
if request.user.ak_groups.filter(name="gituser").exists():
    gitea_claims["gitea"]= "user"
if request.user.ak_groups.filter(name="gitadmin").exists():
    gitea_claims["gitea"]= "admin"
if request.user.ak_groups.filter(name="gitrestricted").exists():
    gitea_claims["gitea"]= "restricted"

return gitea_claims
# --- snip ---
# 
# Add the custom Property Mapping to the Gitea Provider:
# In authentik, go to Applications -> Providers
#   Edit gitea provider (click pencil icon under Actions in gitea row)
# Expand the Advanced protocol settings and select the following Mappings (hold ctrl key and select, i.e. left click with mouse):
#    authentik default OAuth Mapping: OpenID 'email'
#    authentik default OAuth Mapping: OpenID 'profile'
#    authentik default OAuth Mapping: OpenID 'openid'
#    authentik gitea OAuth Mapping: OpenID 'gitea'
# Click Update 
# 
# Configure Gitea to use the new claims:
# In .gitea.env file, set environment variable as follows:
    GITEA__oauth2_client__ENABLE_AUTO_REGISTRATION=true
# 
# Navigate to the Authentication Sources page at https://gitea.sthome.org/admin/auths and edit the authentik Authentication Source (click on pencil icon)
# Change the following fields
#    Additional Scopes: email profile gitea
#    Required Claim Name: gitea
#    Required Claim Value: <leave empty>
#    Claim name providing group names for this source. (Optional): gitea
#    Group Claim value for administrator users. (Optional - requires claim name above): admin
#    Group Claim value for restricted users. (Optional - requires claim name above): restricted
# Click "Update Authentication Source"
# 
# Users without any of the defined groups should no longer be able to log in. Users of the group gitadmin should have administrative privileges, and users in the group gitrestricted should be restricted.