diff --git a/_includes/kubernetes-oidc-setup.md b/_includes/kubernetes-oidc-setup.md index 07ed931..17da077 100644 --- a/_includes/kubernetes-oidc-setup.md +++ b/_includes/kubernetes-oidc-setup.md @@ -64,7 +64,7 @@ kubectl config set-credentials oidc \ --exec-arg=--oidc-issuer-url=https://authentik.example.com/application/o/kube-apiserver/ \ --exec-arg=--oidc-client-id=kube-apiserver \ --exec-arg=--oidc-client-secret= \ - --exec-arg=--oidc-extra-scope=groups \ + --exec-arg=--oidc-extra-scope=profile \ --exec-arg=--oidc-extra-scope=email ``` diff --git a/docs/images/authentik-kube-apiserver-4.png b/docs/images/authentik-kube-apiserver-4.png deleted file mode 100644 index d566acd..0000000 Binary files a/docs/images/authentik-kube-apiserver-4.png and /dev/null differ diff --git a/docs/kubernetes/oidc-authentication/authentik.md b/docs/kubernetes/oidc-authentication/authentik.md index 5adc33d..b452fa5 100644 --- a/docs/kubernetes/oidc-authentication/authentik.md +++ b/docs/kubernetes/oidc-authentication/authentik.md @@ -41,15 +41,10 @@ Scroll down, and set: ![](/images/authentik-kube-apiserver-3.png) -Under **Advanced Protocol Settings**, below the set the scopes to include the built-in `email` scope, as well as the extra `oidc-groups` scope you added when [initially setting up authentik][k8s/authentik]: - -![](/images/authentik-kube-apiserver-4.png) - Finally, enable **Include claims in id_token**, instructing authentik to send the user claims back with the id token: ![](/images/authentik-kube-apiserver-5.png) - ..and click **Finish**. On the following summary page, under **OAuth2 Provider**, take note of the **OpenID Configuration** URL (*`/application/o/kube-apiserver/.well-known/openid-configuration` if you followed my conventions above*) - you'll need this when configuring Kubernetes. !!! question "What's that redirect URI for?" diff --git a/docs/kubernetes/oidc-authentication/k3s-authentik.md b/docs/kubernetes/oidc-authentication/k3s-authentik.md index e0349d3..d7ccf74 100644 --- a/docs/kubernetes/oidc-authentication/k3s-authentik.md +++ b/docs/kubernetes/oidc-authentication/k3s-authentik.md @@ -76,7 +76,7 @@ kubectl oidc-login setup \ All going well, your browser will open a new window, logging you into authentik, and on the CLI you should get output something like this: ``` -~ ❯ kubectl oidc-login setup --oidc-issuer-url=https://authentik.example.com/application/o/kube-apiserver/ --oidc-client-id=kube-apiserver --oidc-client-secret=cVj4YqmB4VPcq6e7 --oidc-extra-scope=groups,email +~ ❯ kubectl oidc-login setup --oidc-issuer-url=https://authentik.example.com/application/o/kube-apiserver/ --oidc-client-id=kube-apiserver --oidc-client-secret=cVj4YqmB4VPcq6e7 --oidc-extra-scope=profile,email authentication in progress... ## 2. Verify authentication @@ -126,7 +126,7 @@ kubectl config set-credentials oidc \ --exec-arg=--oidc-issuer-url=https://authentik.example.com/application/o/kube-apiserver/ \ --exec-arg=--oidc-client-id=kube-apiserver \ --exec-arg=--oidc-client-secret= \ - --exec-arg=--oidc-extra-scope=groups \ + --exec-arg=--oidc-extra-scope=profile \ --exec-arg=--oidc-extra-scope=email ``` diff --git a/docs/recipes/kubernetes/authentik.md b/docs/recipes/kubernetes/authentik.md index 3b83284..18d8f97 100644 --- a/docs/recipes/kubernetes/authentik.md +++ b/docs/recipes/kubernetes/authentik.md @@ -186,24 +186,6 @@ Eureka! :tada: Your user is now an authentik superuser. Confirm this by logging out as **akadmin**, and logging back in with your own credentials. -## Add "groups" scope - -Since you'll probably want to use authentik for OIDC-secured access to various tools like the [kube-apiserver](/kubernetes/authentication/), Grafana, etc, you'll want authentik to be able to support the "groups" scope, telling OIDC clients what groups the logging-in user belongs to. - -Curiously, the OIDC groups scope is **not** a default feature of authentik (*there are [requests](https://github.com/goauthentik/authentik/issues/6184) underway to address this*). There's a simple workaround to add a groups scope though, until such support becomes native... - -As your new superuser, navigate to **Customization** -> **Property Mapping**, and create a new **Scope Mapping**. You can pick whatever name you want (*I used `oidc-groups`*), but you'll want to set the scope name to `groups`, since this is the convention for OIDC clients. - -Set the expression to: - -```python -return { - "groups": [group.name for group in user.ak_groups.all()] -} -``` - -That's it! Now if your OIDC clients request the `groups` scope, they'll get a list of all the authentik groups the user is a member of. - ## Summary What have we achieved? We've got authentik running and accessible, we've created a superuser account, and we're ready to flex :muscle: the power of authentik to deploy an OIDC provider for Kubernetes, or simply secure unprotected UIs with proxy outposts! @@ -215,7 +197,7 @@ What have we achieved? We've got authentik running and accessible, we've created Next: - * [ ] Configure Kubernetes for OIDC authentication, unlocking production readiness as well as the Kubernetes Dashboard in Weave GitOps UIs (*coming soon*) + * [ ] Configure [Kubernetes OIDC authentication](/kubernetes/oidc-authentication/), unlocking production readiness as well as the [Kubernetes Dashboard][k8s/dashboard] and Weave GitOps UIs (*coming soon*) {% include 'recipe-footer.md' %}