Enable OIDC

FelixStegmeier · FelixStegmeier · commit 8d45ecff3daf · 2026-04-10T11:23:28.000+02:00
diff --git a/compose.yaml b/compose.yaml
@@ -1,5 +1,5 @@
 # For the hostnames to work an entry in /etc/hosts is needed:
-# 127.0.0.1 orthos2.orthos2.test cobbler.orthos2.test netbox.orthos2.test
+# 127.0.0.1 authentik.orthos2.test orthos2.orthos2.test cobbler.orthos2.test netbox.orthos2.test
 services:
   proxy:
     image: traefik:v3.6
@@ -11,13 +11,23 @@ services:
       - --providers.docker.exposedbydefault=false
       - --entrypoints.web.address=:80
       - --entrypoints.websecure.address=:443
+      - --providers.file.directory=/etc/traefik/dynamic
+      - --providers.file.watch=true
     ports:
       - "80:80"
       - "443:443"
       - "8080:8080"
     volumes:
-      - /var/run/docker.sock:/var/run/docker.sock:ro,z
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ./traefik_certs:/certs:ro
+      - ./traefik_certs/authentik.orthos2.test_certificate.crt:/certs/authentik.orthos2.test_certificate.crt:ro
+      - ./traefik_certs/authentik.orthos2.test_private_key.key:/certs/authentik.orthos2.test_private_key.key:ro
+      - ./traefik_certs/dynamic_conf.yaml:/etc/traefik/dynamic/certs.yaml:ro
     restart: always
+    networks:
+      orthos:
+        aliases:
+          - authentik.orthos2.test
     security_opt:
       - label:disable
   orthos2:
@@ -31,6 +41,8 @@ services:
       - NET_RAW
     volumes:
       - ./:/code:z
+    networks:
+      - orthos
     depends_on:
       orthos2_database:
         condition: service_healthy
@@ -43,10 +55,8 @@ services:
       retries: 5
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.orthos2-http.rule=Host(`orthos2.orthos2.test`)"
-      - "traefik.http.routers.orthos2-http.entrypoints=web"
-      - "traefik.http.routers.orthos2-http.middlewares=orthos2-https"
-      - "traefik.http.middlewares.orthos2-https.redirectScheme.scheme=https"
+      - "traefik.http.routers.orthos2.rule=Host(`orthos2.orthos2.test`)"
+      - "traefik.http.routers.orthos2.entrypoints=web"
       - "traefik.http.routers.orthos2-https.rule=Host(`orthos2.orthos2.test`)"
       - "traefik.http.routers.orthos2-https.entrypoints=websecure"
       - "traefik.http.routers.orthos2-https.tls=true"
@@ -63,6 +73,8 @@ services:
       - NET_RAW
     volumes:
       - ./:/code
+    networks:
+      - orthos
     depends_on:
       orthos2_database:
         condition: service_healthy
@@ -74,6 +86,8 @@ services:
     hostname: database.orthos2.test
     env_file:
       - "docker/orthos/db.env"
+    networks:
+      - orthos
     healthcheck:
       test:
         [
@@ -90,21 +104,25 @@ services:
       dockerfile: cobbler.dockerfile
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.cobbler-http.rule=Host(`cobbler.orthos2.test`)"
-      - "traefik.http.routers.cobbler-http.entrypoints=web"
+      - "traefik.http.routers.cobbler.rule=Host(`cobbler.orthos2.test`)"
+      - "traefik.http.routers.cobbler.entrypoints=web"
       - "traefik.http.routers.cobbler-https.rule=Host(`cobbler.orthos2.test`)"
       - "traefik.http.routers.cobbler-https.entrypoints=websecure"
       - "traefik.http.routers.cobbler-https.tls=true"
       - "traefik.http.services.cobbler.loadbalancer.server.port=80"
   serial_console:
     hostname: sconsole.orthos2.test
+    networks:
+      - orthos
     build:
       context: docker/serial-console
       dockerfile: serial-console.dockerfile
     #ports:
     #  - 22:22
   machine_bmc:
     hostname: bmc.orthos2.test
+    networks:
+      - orthos
     build:
       context: docker/bmc
       dockerfile: bmc.dockerfile
@@ -113,6 +131,8 @@ services:
   # Netbox part below taken and adjusted from https://github.com/netbox-community/netbox-docker
   netbox: &netbox
     image: ${IMAGE-docker.io/netboxcommunity/netbox:latest}
+    networks:
+      - orthos
     depends_on:
       postgres:
         condition: service_healthy
@@ -135,6 +155,8 @@ services:
       - /opt/netbox/venv/bin/python
       - /opt/netbox/netbox/manage.py
       - rqworker
+    networks:
+      - orthos
     depends_on:
       netbox:
         condition: service_healthy
@@ -147,6 +169,8 @@ services:
     <<: *netbox
     command:
       - /opt/netbox/housekeeping.sh
+    networks:
+      - orthos
     depends_on:
       netbox:
         condition: service_healthy
@@ -159,6 +183,8 @@ services:
   postgres:
     image: docker.io/postgres:17-alpine
     env_file: docker/netbox/postgres.env
+    networks:
+      - orthos
     healthcheck:
       test:
         [
@@ -176,6 +202,8 @@ services:
       - -c # this is to evaluate the $REDIS_PASSWORD from the env
       - valkey-server --save "" --appendonly no --requirepass $$REDIS_PASSWORD ## $$ because of docker-compose
     env_file: docker/netbox/redis.env
+    networks:
+      - orthos
     healthcheck:
       test: '[ $$(valkey-cli --pass "$${REDIS_PASSWORD}" ping) = ''PONG'' ]'
       start_period: 5s
@@ -186,3 +214,8 @@ services:
     <<: *redis
     env_file: docker/netbox/redis-cache.env
 
+volumes:
+  database:
+    driver: local
+networks:
+  orthos:
diff --git a/docker/authentik/.keep b/docker/authentik/.keep
diff --git a/docker/authentik/blueprints/orthos.yaml b/docker/authentik/blueprints/orthos.yaml
@@ -0,0 +1,60 @@
+# yaml-language-server: $schema=https://goauthentik.io/blueprints/schema.json
+
+version: 1
+context: {}
+entries:
+- attrs:
+    access_code_validity: minutes=1
+    access_token_validity: minutes=5
+    authentication_flow: null
+    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    client_id: AdmUlMJHqXTSzQ3hYx1nsYbOF9uw6FRMLoPCe7nP
+    client_secret: hY2oN6RmQFmDGcGUKbS0rsOchSB0dlFzSjTiGi4zEU3akvI3KPebOhE3NwKCoyVpFahOMGbxYFvhtNxkzUvloiwDcAVrc5cs17TQwMyVzrk8KRTrBFvTn5gONpT7eKxX
+    client_type: confidential
+    encryption_key: null
+    include_claims_in_id_token: true
+    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+    issuer_mode: per_provider
+    jwt_federation_providers: []
+    jwt_federation_sources: []
+    logout_method: backchannel
+    logout_uri: ''
+    name: Provider for orthos
+    property_mappings:
+    - !Find [authentik_providers_oauth2.scopemapping, [name, 'authentik default OAuth Mapping: OpenID ''openid''']]
+    - !Find [authentik_providers_oauth2.scopemapping, [name, 'authentik default OAuth Mapping: OpenID ''email''']]
+    - !Find [authentik_providers_oauth2.scopemapping, [name, 'authentik default OAuth Mapping: OpenID ''profile''']]
+    redirect_uris:
+    - matching_mode: strict
+      url: http://orthos2.orthos2.test/complete/oidc/
+    refresh_token_threshold: hours=1
+    refresh_token_validity: days=30
+    signing_key: !Find [authentik_crypto.certificatekeypair, [name, 'authentik Self-signed Certificate']]
+    sub_mode: hashed_user_id
+  conditions: []
+  id: orthos-provider
+  identifiers:
+    name: orthos-provider
+  model: authentik_providers_oauth2.oauth2provider
+  permissions: []
+  state: present
+
+- attrs:
+    backchannel_providers: []
+    group: ''
+    meta_description: ''
+    meta_icon: ''
+    meta_launch_url: ''
+    meta_publisher: ''
+    name: orthos
+    open_in_new_tab: false
+    policy_engine_mode: any
+    provider: !Find [authentik_providers_oauth2.oauth2provider, [name, 'orthos-provider']]
+    slug: orthos
+  conditions: []
+  id: something_with_orthos
+  identifiers:
+    name: something_with_orthos
+  model: authentik_core.application
+  permissions: []
+  state: present
diff --git a/docker/authentik/compose.authentik.yaml b/docker/authentik/compose.authentik.yaml
@@ -0,0 +1,79 @@
+services:
+  authentik-postgresql:
+    env_file:
+      - docker/authentik/authentik.env
+    environment:
+      POSTGRES_DB: ${PG_DB:-authentik}
+      POSTGRES_USER: ${PG_USER:-authentik}
+    networks:
+      - orthos
+    healthcheck:
+      interval: 30s
+      retries: 5
+      start_period: 20s
+      test:
+      - CMD-SHELL
+      - pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}
+      timeout: 5s
+    image: docker.io/library/postgres:16-alpine
+    restart: unless-stopped
+    volumes:
+    - database:/var/lib/postgresql/data
+
+  authentik-server:
+    command: server
+    depends_on:
+      authentik-postgresql:
+        condition: service_healthy
+    networks:
+      - orthos
+    env_file:
+      - docker/authentik/authentik.env
+    environment:
+      AUTHENTIK_POSTGRESQL__HOST: authentik-postgresql
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2026.2.1}
+    ports:
+    - ${COMPOSE_PORT_HTTP:-9000}:9000
+    - ${COMPOSE_PORT_HTTPS:-9443}:9443
+    restart: unless-stopped
+    shm_size: 512mb
+    volumes:
+    - ./data:/data
+    - ./custom-templates:/templates
+    - ./traefik_certs:/certs
+    - ./docker/authentik/blueprints:/blueprints/custom:ro,z
+    security_opt:
+      - label:disable
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.authentik-rtr.entrypoints=websecure"
+      - "traefik.http.routers.authentik-rtr.tls=true"
+      - "traefik.http.routers.authentik-rtr.rule=Host(`authentik.orthos2.test`)"
+      - "traefik.http.routers.authentik-output-rtr.rule=HostRegexp(`{subdomain:[a-z0-9-]+}.orthos2.test`) && PathPrefix(`/outpost.goauthentik.io/`)"
+      - "traefik.http.routers.authentik-rtr.service=authentik-svc"
+      - "traefik.http.services.authentik-svc.loadbalancer.server.port=9000"
+
+  authentik-worker:
+    command: worker
+    depends_on:
+      authentik-postgresql:
+        condition: service_healthy
+    env_file:
+      - docker/authentik/authentik.env
+    networks:
+      - orthos
+    environment:
+      AUTHENTIK_POSTGRESQL__HOST: authentik-postgresql
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2026.2.1}
+    restart: unless-stopped
+    shm_size: 512mb
+    user: root
+    volumes:
+    - /var/run/docker.sock:/var/run/docker.sock:z
+    - ./data:/data
+    - ./certs:/certs
+    - ./custom-templates:/templates:ro,z
+    - ./traefik_certs:/certs
+    - ./docker/authentik/blueprints:/blueprints/custom:ro,z
+    security_opt:
+      - label:disable
diff --git a/docker/develop-tw.dockerfile b/docker/develop-tw.dockerfile
@@ -29,7 +29,9 @@ RUN zypper in -y \
     python3-urllib3 \
     python3-pytz \
     python3-django-auth-ldap \
-    python3-django-test-migrations
+    python3-django-test-migrations \
+    python3-social-auth-app-django \
+    python3-social-auth-core
 
 # Test dependencies
 RUN zypper in -y \
diff --git a/docker/manage-secrets.py b/docker/manage-secrets.py
@@ -28,6 +28,11 @@
 orthos_db_password = get_random_string(12)
 orthos_superuser_password = get_random_string(12)
 
+authentik_postgresql_password=get_random_string(12)
+authentik_postgresql_user=get_random_string(12)
+authentik_postgresql_name=get_random_string(12)
+authentik_secret_key=get_random_secret_key()
+
 # netbox.env
 # DB_PASSWORD, REDIS_CACHE_PASSWORD, REDIS_PASSWORD, SECRET_KEY, SUPERUSER_API_TOKEN, SUPERUSER_PASSWORD
 
@@ -120,3 +125,13 @@
     'CSRF_ALLOWED_ORIGIN="https://orthos2.orthos2.test"\n'
     'CROSS_ORIGINS_WHITELIST="https://orthos2.orthos2.test"\n',
 )
+
+# authentik.env
+
+(script_directory / "orthos" / "orthos2.env").write_text(
+    f"AUTHENTIK_POSTGRESQL__PASSWORD={authentik_postgresql_password}"
+    f"AUTHENTIK_POSTGRESQL__USER={authentik_postgresql_user}"
+    f"AUTHENTIK_POSTGRESQL__NAME={authentik_postgresql_name}"
+    f"AUTHENTIK_SECRET_KEY={authentik_secret_key}"
+    "AUTHENTIK_ERROR_REPORTING__ENABLED=true"
+)
diff --git a/orthos2/frontend/templates/frontend/registration/login.html b/orthos2/frontend/templates/frontend/registration/login.html
@@ -32,6 +32,9 @@
         <div class="row" style="margin: 5px;">
           <button class="btn btn-block" type="submit">Login</button>
         </div>
+        <div class="row" style="margin: 5px;">
+          <a href="{% url 'social:begin' backend='oidc' %}" class="btn btn-block">Login with Authentik</a>
+        </div>
       </form>
     </div>
   </div>
diff --git a/orthos2/settings.py b/orthos2/settings.py
@@ -70,8 +70,10 @@ def _environ_get_and_map(
 CSRF_ALLOWED_ORIGIN = _environ_get_and_map("CSRF_ALLOWED_ORIGIN", "", _AS_LIST)
 CROSS_ORIGINS_WHITELIST = _environ_get_and_map("CROSS_ORIGINS_WHITELIST", "", _AS_LIST)
 
-# Application definition
+# Trust a specific Cert
+os.environ['REQUESTS_CA_BUNDLE'] = '/code/traefik_certs/authentik.orthos2.test_certificate.crt'
 
+# Application definition
 INSTALLED_APPS = [
     "orthos2.data.apps.DataConfig",
     "orthos2.frontend.apps.FrontendConfig",
@@ -88,8 +90,16 @@ def _environ_get_and_map(
     "orthos2.api.apps.APIConfig",
     "rest_framework",
     "rest_framework.authtoken",
+    "social_django",
 ]
 
+REMOTE_AUTH_BACKEND = 'social_core.backends.open_id_connect.OpenIdConnectAuth'
+SOCIAL_AUTH_OIDC_OIDC_ENDPOINT = 'https://authentik.orthos2.test/application/o/orthos'
+SOCIAL_AUTH_OIDC_KEY = os.environ.get("OIDC_KEY", "default")
+SOCIAL_AUTH_OIDC_SECRET = os.environ.get("OIDC_SECRET", "default")
+
+SOCIAL_AUTH_JSONFIELD_ENABLED = True
+
 MIDDLEWARE = [
     "django.middleware.security.SecurityMiddleware",
     "django.contrib.sessions.middleware.SessionMiddleware",
@@ -248,6 +258,10 @@ def _environ_get_and_map(
         },
     },
 }
+AUTHENTICATION_BACKENDS = (
+    'social_core.backends.open_id_connect.OpenIdConnectAuth',
+    'django.contrib.auth.backends.ModelBackend',
+)
 
 logging.config.dictConfig(LOGGING)
 logger = logging.getLogger("orthos")
@@ -259,6 +273,7 @@ def _environ_get_and_map(
 
 # Login URL
 LOGIN_URL = "/login/"
+LOGIN_REDIRECT_URL = '/'
 
 # On logout, go back to the starting page
 LOGOUT_REDIRECT_URL = "/"
diff --git a/orthos2/urls.py b/orthos2/urls.py
diff --git a/traefik_certs/dynamic_conf.yaml b/traefik_certs/dynamic_conf.yaml
